Ness Cyber Security Services

1 Ness Cyber Security Services. This document discloses subject matter in which Ness A.T. Ltd. has proprietary rights. Neither the furnishing, receipt nor possession thereof confers or transfers any right to reproduce or disclose the document, any part thereof, any information contained therein, except by written permission from, or within agreement with Ness A.T. Ltd.

Table of Contents

1. About Ness
2. Ness Cyber Security Services
2.1. Security reviews
2.2. Cyber engineering
2.3. Technology & methodology
2.4. Training & Drills
2.5. Intelligence
2.6. Forensics
2.7. Cyber Security Center
Appendix A CSC Components
Appendix B Training & Courses

Page 2 of 34

1. About Ness

Ness Technologies is a global provider of IT and business services and solutions with over 30 years of experience, specializing in software product engineering, system integration, application development, consulting and software distribution. With about 7,000 employees, Ness has operations in North America, Europe, Israel and India, customers in over 20 countries, and partners with numerous software and hardware vendors worldwide.

Ness TSG

Ness TSG is a global provider of advanced Command & Control, Communications, Computers, Intelligence, Surveillance and Cyber Security solutions. The proven record of TSG's deployed systems in the Defense, Cyber and HLS sector enables us to offer unique solutions and services that bridge effective intelligence processing, operational command and control, and cyber, providing our customers with incomparable value. The development of new concepts and innovative business models has been the basis of Ness TSG's strategy.

2. Ness Cyber Security Services

Cyber security is not all about technology, and should be managed as part of a holistic plan. In today's world, organizations and their limited resources are rich with technologies but poor with security solutions. Staying one step ahead is critical for the confidentiality, integrity and availability of your organization's systems and data.

Ness is a leading cyber security services provider, specializing in a wide spectrum of security fields. The company provides security services to global clients, financial institutes, telecom, manufacturing industries and government agencies. Our employees originate from diverse backgrounds, such as government, critical infrastructure, telecom, banking, major municipalities and privately held companies. Our team has vast and comprehensive knowledge, based on years of hands-on experience.

Ness established its own Cyber Security Center (CSC) that provides cyber security services for the public and private sectors such as finance, insurance and retail. Utilizing our vast experience and expertise, we now also offer customers the option to build a CSC of their own based on Ness field-proven technology, tools and methods. Ness, as a prime contractor and integrator, provides a comprehensive and cost-effective solution and helps customers face the ever-growing threats and challenges in the cyber environment.

Ness offers a wide range of cyber security services which provide our customers with a comprehensive protection and operation suite.

Security Reviews
- Security survey and "health check"
- Vulnerability assessment
- Penetration tests and "Red team"

Cyber Engineering
- Threats evaluation
- Vulnerabilities mitigation recommendations
- System hardening
- Secured design: architecture, networks, development

Technology & methodology
- Installation, implementation and integration
- Security solutions development
- New technology evaluation
- Procedures and methods of operation

Training & Drills
- Cyber security training: technology, operation, development, forensics
- All levels of personnel: senior commanders, managers, officers and operational level
- Cyber drills and simulation

Intelligence
- Gathering: Webint, OSint, DB & libraries, partners, internal sources
- Data Fusion & Analysis
- Actions & alerts

Forensics
- Identifying and investigating the nature of the attack and the amount of damage
- Pro forensics: for internal intelligence, checking the logs on a continuous basis and identifying threats and suspicious anomalies

Cyber Security Center
- All aspects unified center with enhanced cyber capabilities and protection from cyber-attacks during routine & emergency
- 24/7 situation room, incorporating intelligence, forensics, command and control, response and monitoring

2.1. Security reviews

The goal of the security reviews is to provide the customer with an assessment and report regarding its security condition. The review is performed by Ness cyber professionals on the customer's site or from a remote location with network access.

Security review main activities:
- Learning: the customer's working environment (architecture, networks, systems and applications, servers, policies etc.).
- Analysis: of the customer's environment, finding vulnerabilities and weaknesses at all levels (physical, infrastructure, systems, applications, procedural) according to cyber engineering best practices and relevant threats.
- Report: producing a full report to summarize the findings of the review, with recommendations to the customer for mitigating the problems.

Security reviews and health checks are done ad hoc according to the customer's requirements and/or periodically as part of continuous assessment and/or regulation requirements (e.g. for financial institutes). We offer a variety of security reviews such as security health check, vulnerability assessment, penetration tests and red team.

2.2. Cyber engineering

In today's world, where new technologies and threats emerge every day, organizations struggle to keep up with these rapid changes. The Ness cyber engineering team provides consulting services to help customers face the threats and evaluate new technologies.

Cyber engineering services:
- Threats evaluation
- Vulnerabilities mitigation recommendations
- System hardening
- Secured design: architecture, networks, development

Our consulting team members are experts in the information security domain and have vast experience in performing security assessments. The team members are up to date with evolving threats on the one hand, and with the latest technological developments on the other. Based on their in-depth knowledge, superb technological capabilities and invaluable experience, they advise creative, out-of-the-box tailored solutions that optimally meet the precise requirements of each client, in a manner that is cost-effective and supports the smooth daily operation of the organization in question.

Since our team of consultants has an extensive background not only in information security but also in systems and application architecture, secure software development, database systems and network infrastructures, we can provide actionable remediation guidance to quickly and effectively address threats identified during assessments.

2.3. Technology & methodology

Buying technologies and tools is easy; however, using them efficiently and integrating them into the organization's environment might be a difficult task. Our offering supports the integration process of new technologies and tools and the optimization of any existing technologies and tools in use. We offer comprehensive support of the assimilation process, starting from choosing the right solution, through installation and integration, and finally training and methods of operation. This process assures that the assimilation of the technology will be successful and that the customer will be able to fully utilize it in an efficient and professional manner.

Ness experts are up to date with all the latest technologies in the cyber security domain and are able to recommend the best solution according to the customer's requirements and our analysis. Our solutions are based on best-of-breed available tools, as well as tools developed by Ness and dedicated development and adjustments to any customer's specific requirements. We also continuously evaluate new startups with new technologies and integrate them into our solutions offering. Our solutions, based on reliable, field-proven tools combined with innovative new technologies and our vast experience and integration capabilities, provide a state-of-the-art security suite.

[Diagram; labels as extracted: Strategic Plan Design Analysis Policy Implementation Operation IT Security Security Survey Security Testing Risk Analysis Evaluation Procedures Processes Governance Architecture Project Plan Control Monitor Investigate Research Management Cyber Defense Cyber Intelligence Attack Investigation]

2.4. Training & Drills

Ness cyber security professionals offer a wide variety of training and courses covering all cyber and information security aspects. The courses are classified according to different subjects and aspects of cyber security such as development, forensics and warfare, and according to different levels of personnel: senior commanders, managers, officers and operational level.

Subsequent to the initial training and courses, our professionals continue to support the customer during the whole assimilation period. In addition, we execute practices and drills for the operational personnel and courses for new personnel. Since our cyber professionals hold vast knowledge, any cyber and information security aspect can be addressed as part of the courses, and we adjust the content to each customer's personnel and requirements. For course examples and their syllabi please refer to Appendix B Training & Courses.

The Ness training team also performs a variety of drills and cyber-attack simulations. Each practice can simulate a different threat and evaluate the organization's readiness in all aspects, technical and procedural. The drills are pre-coordinated with the customer and can utilize various hacking tools, simulators and dedicated malicious code written by our specialists in order to safely execute a cyber-attack. As part of the drill, our red team attacks the organization while our blue team helps the organization to face the attack and provides recommendations and lessons during and after the drill for improving the customer's capabilities. The drills are scalable, and can be small or extensive, according to each customer's requirements.

2.5. Intelligence

Cyber intelligence is the basis for any cyber security activity. An effective cyber security apparatus must be based on effective intelligence, which includes a thorough examination of the system, enabling a vulnerability and risk assessment, as well as intelligence regarding potential attackers and suspicious activities. By identifying the relevant, current and emerging threats to your organization, you can proactively identify and mitigate cyber-attacks and protect your assets.

In today's digital world, organizations are continuously exposed to cyber threats and need to protect their assets from both internal and global threats. Ness professionals have vast experience in intelligence. Combining this with our expertise in the cyber security domain, we created a cyber intelligence operating concept based on technology and field-proven methodology. Based on a deep study of our customers, we can find and deliver only the relevant and actionable intelligence out of the endless ocean of information out there, along with recommendations and action items to mitigate the risk and reduce the threat level.

Operation Concept

The intelligence operation concept is based on our vast experience in intelligence operations as a lead supplier of intelligence systems. The concept consists of the following steps: Gathering, Data Fusion, Analysis, Action.

[Diagram labels: Multiple sources; Automatic tools; Public, open source, hidden; Correlation; Integration; Data extraction; Classification; Automatic tools; Human analyst; Investigation; Protection; Prevention; Awareness]

Since the amount of information is limitless, automatic tools are used to continuously gather information from a variety of sources. Some of the information (such as unstructured text in social networks) needs to be processed to extract the data entities prior to the correlation and data fusion step.

The gathered data is indexed and then processed by big data analysis tools to find correlations within the data and with the EEI (essential elements of information) defined by the intelligence officers. The result is intelligence items and reports.

Further analysis is made by analysts to determine the classification and threat level of the items. If required, specific items are sent for further investigation, such as malware analysis and reverse engineering done by expert teams.

The final step is to understand and implement the proper actions in order to protect the organization's assets according to the threats, to take prevention measures if required, and to publish a report and instructions to all relevant personnel for implementing protection measures in their units and systems and for awareness and further caution.

2.6. Forensics

Cyber security aims to protect information and services through various mechanisms and methodologies. It's an ongoing race between hackers and security experts, a race in which at times the hackers take the lead. The next step in such a scenario is to investigate in order to have a better understanding of how to protect ourselves in the future.

Cyber forensics is the art of discovering what happened once there is a suspicion or an actual incident. Ness believes that there is much more to cyber forensics. Our unique approach offers a 3-stage solution to your organization:
- Proactive Forensics: a dedicated mechanism for aggregation of critical intelligence from your systems, as an indicator of a potential cyber incident.
- Incident Management: based on our proven methodology and years of experience, we will assist your organization in the handling of cyber threats and incidents, in a dedicated and professional approach.
- Forensic Investigation: our experts will conduct a thorough analysis of the compromised systems, followed up with a full and detailed report and recommendations on how to protect your organization from cyber incidents.

[Diagram labels: Proactive Forensics; Dedicated Forensic Investigation; Incident Management]

By implementing our methodology, you will ensure a complete cyber incident management solution for your organization.

Proactive (Real-time) Forensics

Our Solutions:
Forensics Lab
- Design and implementation
- Maintenance and audit
- Enhancement
Proactive Forensics Systems:
- Aggregation and analysis of the customer's logs
- An automated system for incident detection
- Smart data harvesting for potential real-time incident discovery (pre-incident)
- Post-incident: Database for post-mortem incident analysis
Training Offering:
- Pre-incident Preparation Training
- Forensic data mining
- Mobile forensics (with/without official Cellebrite certification)
- Cyber forensics essentials
- Network forensics
- Customized training sessions and workshops

Incident Management

Our Services:
- On-site CERT
- CERT management
- Security incident analysis
- CERT training

During a Cyber Incident

Post-incident Forensics (Ad-hoc Digital Forensic Investigations)

Our Services:
- On-site forensics services
- eDiscovery
- Covert investigations
- Legal assistance (evidence preparation, court presentations, etc.)
- Mobile forensics
- Malware discovery and analysis

Post-incident Analysis

2.7. Cyber Security Center

The Cyber Security Center (CSC) provides an all-aspects unified center to protect the customer in cyberspace. The CSC provides organizations with enhanced cyber capabilities and protection from cyber-attacks during routine & emergency. The CSC offers an innovative technology and operational concept, incorporating intelligence, forensics, command and control, response and monitoring capabilities, along with methods, procedures and our experienced and professionally trained personnel. More details about the CSC components are available in Appendix A CSC Components.

CSC added value
- One stop shop: all cyber security aspects and services
- 24/7 Cyber security awareness and Control Room, Routine & Emergency
- Overall operating concept combining an innovative Response team, Intelligence, Forensics, Monitoring, Command & Control, integrating all aspects together
- State of the art technologies
- Knowledge, professionalism and quality
- Flexibility and responsiveness
- Readiness for regulation
- Advanced training and drills

Figure 1 Cyber Security Center Architecture [diagram labels: Monitor & Report; Forensics; Intel; Cyber Security Center; Tech Center; Response Team; Training and Drills]

CSC establishment

The establishment of a CSC is based on 4 main activities:
- Design: this phase consists of all the engineering required for the project, including security surveys, architecture analysis and design. In this phase Ness cyber professionals learn the organization's architecture, systems, networks, policies and procedures, and formulate a complete deployment plan for the CSC according to the customer's requirements.
- Implementation: in this phase the CSC is built according to the deployment plan.
- Training: during and after the CSC deployment, Ness cyber professionals train the customer's personnel. The comprehensive training includes wide coverage of subjects and training at all levels, at the end of which the customer can fully operate the CSC and all its capabilities autonomously.
- Operation: a fully operational CSC operated by the customer's personnel.

Ness has developed the CSC in order to face the rapidly evolving and growing cyber threats. The CSC is based on our vast experience along with innovative concepts and state-of-the-art technology. The CSC components consist of technologies and tools developed by Ness together with best-of-breed solutions and tools available in the market, integrated into a complete suite. Combining these solutions with the extensive training and support provided by our highly professional personnel, along with field-proven methodologies, our customers gain a comprehensive solution to face cyber threats and protect their assets.

Figure 2 Ness Cyber Methodology

Innovative Operation Concept

Unified, Proactive Cyber Security Center, with the following capabilities:
- External and internal Intelligence integrated with information sharing with other sources, combined with analytics over big data and human analysts
- Monitoring the overall situation picture, including Cyber Command & Control, SIEM (Security Information and Event Management) and other monitoring systems
- Response teams
- Forensics: identifying and investigating the nature of the attack and the amount of damage
- Pro Forensics: checking the logs routinely with forensics tools, and identifying threats and suspicious anomalies which need to be further investigated (this process is also referred to as Internal Intelligence)
- Recovery process support
- Frequent Vulnerability Assessment and "Red Team" tests
- Periodic training and drills

Appendix A CSC Components

1. General

The Cyber Security Center is based on all our capabilities and services as detailed above, consolidated into an overall suite and service. The CSC provides an all-aspects unified center for cyberspace protection during routine & emergency. The CSC offers an innovative technology and operational concept, incorporating intelligence, forensics, command and control, response and monitoring capabilities, along with methods, procedures and our experienced and professionally trained personnel.

Figure 3 Cyber Security Center Architecture [diagram labels: Monitor & Report; Forensics; Intel; Central Command Post; Tech Center; Response Team; Training and Drills]

2. Central Command Post

Goal
- Cyber Security Center command

Capabilities
- Command post functional 24/7
- Management and integration of all the center aspects
- Cyber commanding officer
- Daily/weekly assessment of threat level and DEFCON level

Technology
- Command and Control tools
- Integration of all the CSC components

3. Intelligence

Goal
- Intelligence awareness for the center and alerting on potential threats.

Capabilities
- Continual gathering of intelligence from different sources (Webint, OSint, internal sources, partners and industry leaders' libraries).
- Alerts: formation and distribution of alerts in real time.
- Periodic reports: dissemination of periodic assessments to the relevant population (executive summary or detailed report).
- Ad-hoc reports: regarding specific threats and the preventive actions needed.
- Internal intelligence: using the pro-forensics method as internal intelligence, using the forensics tools for an ongoing pre-incident investigation.
- Analysis and sharing of feedback for effective response processes and prevention.

Technology and tools:
- Sources: Webint, OSint, internal sources, industry leaders' libraries
- Big data search engine and correlation tools
- Semantic analysis tools
- Data fusion tools
- Human analysis
- Pro-forensics

4. Monitoring & Reporting

Goal
- Prevention, detection and identification of events in cyberspace.
- Collection and dissemination of information to relevant branches and units.

Capabilities
- Monitoring: SIEM and other customer systems.
- 24/7 operation.
- Creating a unified Situation Awareness picture.
- Dissemination of information on threats, incidents, assaults and methods of response in real time.
- Dissemination of guidelines for the prevention of and defense against emerging threats.
- Distribution of intelligence information.

Technology and Tools:
- SIEM
- Cyber Command & Control
- Secured platform providing information sharing capabilities such as documents, portal, blogs etc.

Figure 4 Security information and event management (SIEM)

5. Forensics

Goal
- To identify the attack and to map the nature of the supposed damage.

Capabilities
- Identifying and investigating the nature of the attack and the amount of damage.
- Pro forensics: checking the logs on a continuous basis with the same tools and identifying threats and suspicious anomalies that need to be checked (internal intelligence).
- Supporting the response team in real time and/or during a later investigation.
- Gathering legal evidence.

Technology
- Use of "Best of Breed" products based on knowledge/experience.

6. Technological Center

Goal
- Professional and up-to-date knowledge base of all cyber security aspects.

Capabilities
- CTO
- Consulting
- Study, analysis and recommendations for future technology implementation among customers and within the center
- Recommendation of a technological solution to a new threat
- Vulnerability assessment and "red team"
- Knowledge management and organizational long-term memory

Technology
- Utilizing various VA tools for continuous assessment, combined with the proactive forensics approach and tools.

7. Response Team

Goal
- Response, neutralization, prevention and reduction of damage during an incident.

Capabilities
- Response and intervention
- Activation of the entire CSC in the interest of handling the current challenge
- Work practice and procedure during an incident
- BCP

Technology
- Deployable and fixed tools
- Combination of all the different capabilities, such as forensics and intelligence

8. Training and Drills

Goal
- Training and drills in order to assess and improve the customer's cyber security capabilities.

Capabilities
- Courses and training: cyber awareness, configuration and operation optimization for specific tools and systems (used by the customer), forensics, secured development (.NET, Java, C++, HTML 5, Mobile) and more.
- Periodic drills: scalable, small or large
- Monitoring and feedback
- Examination of applications and tools, technologies, and new concepts
- Joining practices and drills at the national level

Technology
- Simulator combined with human operators and instructors.

Appendix B Training & Courses

1. National cyber security for commanders

About the course
National cyber security briefing is a unique executive technical and operational training, reviewing current and evolving strategic cyber threats, countermeasures and case studies, intended for national security executives setting organizational roadmaps in terms of technological research, development and policies. This training reviews cyber warfare tools and tactics vs. national level cyber security concepts, technologies and architectures, emphasizing commonly exploited gaps and pitfalls in national level cyber security suites. Those pitfalls are used by adversaries to gather information or cripple IT-based operational facilities and processes. Attendees will acquire a broad understanding of organizational cyber security planning considerations, as well as known attack vectors used by national-level adversaries.

The goals of the course
- Understand the cyber domain
- Understand the various threat elements inside the cyber domain
- Grasp the technological background of attacks
- Understand the considerations and aspects of building a cyber-policy

Who should attend this training
The training is designed for executives who set the organizational roadmap in terms of technological research, development and policies.

Course length
3 days of 8 academic hours

Course Syllabus
- Introduction and history of cyber space
- Introduction to cyber warfare
- Cyber as a platform for psychological warfare
- Introduction to cyber defense
- Technological building blocks
- Security regulations, standards and procedures
- BCP & DRP
- Secure Development Lifecycle
- The Human Factor
- Cyber Intelligence
- Hardware malware
- Incident response
- Cyber Range
- Mobile security

2. Incident Management and Response

About the course
In today's world, every organization depends on its computer systems. As a direct outcome, organizations and companies face many security and cyber incidents. It is of great importance to know and understand how to manage such incidents. The incident management course will provide the participants with the theory and the practice of managing cyber security incidents. The participants will understand the theory behind successful management, and will have an opportunity to practice the learned concepts. The emphasis of the course will be on a one-of-a-kind, live incident response workshop. The course is relevant to, and was designed to address, both security managers and technical staff.

Pre-Requisites
- Experience in information security, 2 years minimum.
- Comprehensive experience with operating systems (Windows and Linux).
- Comprehensive knowledge of cyber security concepts (according to Q-101 training syllabus).
- Comprehensive knowledge of computer network protocols.
- Experience with programming tools and environments: an advantage.
- Experience with IDS/IPS/SIEM/SOC: an advantage.
- Information security team management: an advantage.

The Goals of the course
Graduates will be able to:
- Define incidents in their environments
- Create the needed procedures for incident management
- Evaluate the severity of incidents
- Analyze and manage an incident

Course length
5 days of 8 academic hours

Course syllabus
- What is an incident?
- Understanding the different kinds of incidents
- Understanding and implementing security sensors
- Concepts of controlling and managing an incident
- Creating key procedures for incident management
- Incident management workshop: planning and managing

3. Introduction to Access and Identity Control

About the course
Some of the challenges that today's organizations are facing include the need to allow personnel to work in the field and outside the office, to allow access to internal resources, and to implement single-sign-on (SSO) solutions so users will not need to provide their credentials over and over again. The course is relevant to, and was designed to address, both security and infrastructure managers and technical staff.

Pre-Requisites
Basic knowledge of System Administration and security concepts.

The Goals of the course
At the end of the course you will be familiar with general Remote Access, Identity and Federation concepts.

Course length
2 days of 8 academic hours

Course syllabus
- Remote Access methods
  o VPN, SSL-VPN, Site-To-Site VPN
  o Remote Desktop, VDI
  o Proxy and Reverse-proxy
  o Direct-Access
- Authentication and Single-Sign-On
  o Form-Based authentication
  o Basic authentication
  o NTLM
  o Kerberos
- Multi-Factor authentication
  o OTP
  o PKI
- Federation concepts
  o Claim-Based authentication
  o ADFS

4. Secure Application Development Lifecycle

About the course
It is common knowledge nowadays that application security is not only preventing SQL or code injection on organizational web sites, but rather an ongoing process of guiding the development projects, starting from the characterization phase and all the way up to system assimilation and final operational capability. During this course we will review the various development phases (architecture, design, coding, testing, deployment) and understand exactly how security considerations and methodologies combine in each development phase. This course is intended both for application developers and for information security professionals escorting the development process. Attendees will acquire secure application development lifecycle skills, tools and methodologies which they will be able to assimilate in existing organizational application development processes. This workshop also covers all professional materials required by the Certified Secure Software Lifecycle Professional (CSSLP) international certification.

Pre-Requisites
- Good understanding of application development concepts and technologies.
- Confirmed knowledge of cyber security concepts and application level vulnerabilities.

Workshop Goals
Attendees will successfully complete all training hands-on challenges and pass the final exam. Graduates will be able to:
- Understand the Secure Development Lifecycle (SDL) process phases and activities
- Implement SDL in organizational application development projects
- Determine which application security testing technologies can be most effective in their organizations
- Provide SDL awareness training for application developers

Workshop Length
5 days of 8 academic hours

Workshop Syllabus
- Introduction to application security
- Principles of securing an application
- Common application technologies review
- Common application infrastructure
- Common threats
- Web2.0 Security
- Secure Development Process
- Security Testing
- Best Practices and techniques for secure application development
- Authentication and Authorization

5. Cyber War gaming: Red team blue team workshop

About the course
Every organization needs battle-tested IT personnel in order to defend its networks against attacks. The most effective way to provide this experience is to recreate the exact scenarios they will see in the real world. The Cyber War gaming course will give those "cyber warriors" the tools and experience they need for their job. In a lab containing infrastructures of servers, network equipment, SCADA and control systems, web applications, telephony systems and other common infrastructures, the attendees will have a rare chance to think like a hacker on the one hand and understand the defensive considerations on the other.

The unique format of the course includes 3 parts:
- 3 days of theoretical seminars to make the attendees familiar with offensive and defensive tools and considerations.
- 3 days of hands-on training. During those days attendees will be divided into two teams: an attack team, which simulates a group of hackers trying to hack different kinds of systems, and a defensive team, which tries to protect its networks, handle cyber events in real time and prevent the attack team from succeeding in its mission. The workshop is built as a competition between the teams. The winning team is the team that gets the highest score. Each team will have the chance to play both attacker and defender roles.
- 1 day of summary and drawing conclusions from the simulation.

33 Pre-Requisites

Experience in the information security field, 2 years minimum. Experience with operating Windows and Linux operating systems. Confirmed knowledge of cyber security concepts (according to the Q-101 training syllabus). Confirmed knowledge of computer network protocols. Experience with programming tools and environments is an advantage.

Workshop goals

Graduates will be able to: identify and analyze risks in their environments; build security plans for their networks; understand the considerations and ways of action of the attackers; respond to and protect against cyber war attacks.

Workshop length

7 days of 8 academic hours

Workshop syllabus

The different kinds of attackers: their motives, their abilities, etc.; common threats: what do we protect; attack considerations; common ways of attack; simple attack tools; basic safeguards; risk analysis and choosing countermeasures; red team blue team workshop.

34 Cyberspace security is full of significant multidimensional challenges. Ness has developed innovative concepts and capabilities to meet these challenges. Our capabilities are based on knowledge and professionalism and help our customers to protect their assets and reduce their threat level.

P.O.B 58180, Tel-Aviv 61581, Israel TSG@ness.com Ness Technologies & Systems Group


More information

Total Protection for Compliance: Unified IT Policy Auditing

Total Protection for Compliance: Unified IT Policy Auditing Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.

More information

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) CONTENT Introduction 2 Overview of Continuous Diagnostics & Mitigation (CDM) 2 CDM Requirements 2 1. Hardware Asset Management 3 2. Software

More information

Current IBAT Endorsed Services

Current IBAT Endorsed Services Current IBAT Endorsed Services Managed Network Intrusion Prevention and Detection Service SecureWorks provides proactive management and real-time security event monitoring and analysis across your network

More information

2012 Data Breach Investigations Report

2012 Data Breach Investigations Report 2012 Data Breach Investigations Report A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting & Information

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

SECURITY ANALYTICS & INTELLIGENCE FOR CRITICAL INFRASTRUCTURE

SECURITY ANALYTICS & INTELLIGENCE FOR CRITICAL INFRASTRUCTURE www.wipro.com SECURITY ANALYTICS & INTELLIGENCE FOR CRITICAL INFRASTRUCTURE Saritha Auti Practice Head Enterprise Security Solutions, Wipro Table of Contents 03... Executive Summary 04... Demystifying

More information

Cybersecurity on a Global Scale

Cybersecurity on a Global Scale Cybersecurity on a Global Scale Time-tested Leadership A global leader for more than a century with customers in 80 nations supported by offices in 19 countries worldwide, Raytheon recognizes that shared

More information

Threat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437. Specialist Security Training Catalogue

Threat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437. Specialist Security Training Catalogue Threat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437 Specialist Security Training Catalogue Did you know that the faster you detect a security breach, the lesser the impact to the organisation?

More information

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus Mobile Application Hacking for Android and iphone 4-Day Hands-On Course Syllabus Android and iphone Mobile Application Hacking 4-Day Hands-On Course Course description This course will focus on the techniques

More information