Professional Services Overview


Information Security Assessment and Advisory: Network, Application, Mobile, Cloud, IoT

Praetorian Company Overview

History: founded in 2010; headquartered in Austin, TX; self-funded; profitable since inception.

Attributes: superior technical prowess; comprehensive reporting; trusted business acumen; advanced, time-tested methodologies.

Focus: Fortune 1,000 companies and venture-backed startups, across financial services, high-tech, retail, oil & gas, manufacturing, and healthcare.

Proposition: Praetorian provides a suite of security assessment and advisory services that help clients protect their most important assets from evolving cyber threats.

An Established and Growing Services Firm

When you're constantly advancing your industry and helping to secure today's leading organizations, people notice. Comparison with other software security services firms (firm names are not preserved in the transcription):

Founded | Description
1992 | A provider of a range of software security services, including consulting, training (both instructor-led and e-learning), mobile application security, and cloud services
2001 | The company develops secure software, helps organizations assess and mitigate risk in existing software, and provides training on best practices in software security
2010 | Praetorian

Our Consultants Are the Security Experts

- Top 5% of the industry
- Certified expertise includes: CISSP, CISA, CSSLP, CEH, GCIH, GSEC, GNSA, GCFW, GWAPT, GAWN, GCFE
- Respected authors, researchers, federal security policy contributors, patent holders, and open-source developers
- Speakers at major security conferences and professors at major universities
- Educational backgrounds in computer science, engineering, and information systems

Recognized by Industry and the Media

- Expertise and comment regularly leveraged by the media
- Recently named one of the 20 Most Promising Security Companies by CIO Review Magazine
- Security research cited by major institutions, including NASDAQ and the Department of Homeland Security

We Are Fanatical About Service Execution

- Project management: timely communication and regular status updates
- Knowledge transfer: close working relationship, always available by email/phone
- Comprehensive reporting: digestible by executive and technical leadership, with actionable strategic and tactical recommendations

Using Efficiencies Built from the Ground Up

Builders make the best breakers. Our engineering culture drives powerful efficiencies that enable us to deliver more for less. Our time-tested methodologies are paired with a unique suite of custom tools, which delivers more value across every engagement.

- Advanced Reporting System: custom reporting tools and capabilities reduce reporting time by up to 50%, allowing more effort to be spent on technical testing.
- Proprietary Tools & Software: our security engineers are equipped with a suite of custom tools and software. If a new solution is needed to solve a unique problem, we build it.
- ipentest Device: custom plug-and-play technology allows our team to perform onsite work remotely. This minimizes logistics and travel costs for clients while extending testing time.

We are obsessed with efficiencies and continuous improvement, and that just scratches the surface of our unique capabilities.

Trusted by Today's Leading Organizations (client logos not preserved in the transcription)

Just Ask Our Extraordinary Clients

Quality of reports: "The content is top notch, the presentation is complete and clear."

Agile & efficient: "[Your consultants] are available at all times of the day, and are all over the assessments."

Ease of working together: "You and your team have always been very supportive [of] the broader set of enterprise services that we have here at Qualcomm so that the reports can be actionable by the people who are getting them."

Consistency: "You have the same people over time. When we come back after time we get people who were on our past contracts and we've already developed a level of comfort with."

Other themes: technical talent, accommodating, highly engaged, product agnostic.

Services That Address Your Specific Needs

Balanced suite of security services: network security, cloud security, product/appliance security, application security, mobile security, Internet of Things security.

Motivations:
- Protecting critical assets (customer data, intellectual property, financial data, brand/reputation): ensure data confidentiality, integrity, and availability.
- Increasing regulatory pressure (PCI DSS 3.0, SOX, HIPAA, and many more): address regulatory requirements and avoid penalties.
- Addressing evolving threats (cyber crime, insider threats, corporate espionage, hacktivism): defend against an evolving, adaptive threat landscape.

Network Security Services Overview

Demonstrate risk by simulating real-world attacks.

Penetration testing:
- External Penetration Testing
- Internal Penetration Testing
- Wireless Penetration Testing

Supplemental services:
- Evasion & Detection Exercises
- Spear Phishing Campaign
- Social Engineering Test
- Denial of Service (DoS) Test
- Sensitive Data Flow Analysis
- Compliance Gap Analysis
- Policy & Procedure Review

Full network coverage, from policies, procedures, and awareness through the external network, network perimeter, internal network, host/OS, application, and data layers.

IT security auditing:
- Design security reviews: Network Architecture Review, Active Directory Review, Mobile Device Review, VoIP Review, Wireless Review
- Host & device reviews: Firewall Review, VPN Review, Router/Switch Review, Critical Server Review, Virtualization Review

Defensive components and security controls should be tested at all levels to ensure they are effectively working together to protect critical assets.

PCI DSS 3.0 Security Assessment

PCI Data Security Standard, high-level overview (the 12 requirements grouped under six goals):

Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

PCI DSS 3.0 services:
- Penetration testing: External Penetration Testing, Internal Penetration Testing, Wireless Penetration Testing, Web App Penetration Testing. Penetration testing is what Requirement 11 (regularly test security systems and processes) mandates; the results also evidence the technical controls behind Requirements 1 through 6.
- Security reviews: Network Architecture Review, Sensitive Data Flow Analysis, Firewall Review, VPN Review, Router/Switch Review, Critical Server Review, Virtualization Review

Obtain an accurate understanding of your security and risk posture, while ensuring compliance with industry regulators and information security best practices.

Establishing or Improving a Cybersecurity Program

Top 20 Critical Security Controls (SANS / Council on CyberSecurity, version 5):
1. Asset Inventory (inventory of authorized and unauthorized devices)
2. Software Inventory (inventory of authorized and unauthorized software)
3. Secure Hardware and Software Configurations
4. Continuous Vulnerability Assessment & Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices (firewalls, routers, switches)
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering (network architecture)
20. Penetration Tests and Red Team Exercises

The National Institute of Standards and Technology (NIST) Cybersecurity Framework identifies five major functions of a cybersecurity program, and SANS/CSC has mapped the 20 controls to these functions. The functions and their categories:

Function | Categories
Identify | Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Protect | Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
Detect | Anomalies and Events; Security Continuous Monitoring; Detection Processes
Respond | Response Planning; Communications; Analysis; Mitigation; Improvements
Recover | Recovery Planning; Improvements; Communications

NIST Cybersecurity Framework Benchmark

Benchmarking: a tiered rating system measures the extent to which the controls under each function (Identify, Protect, Detect, Respond, Recover) have been implemented, plotting current state against target state for each function.

Tier 1: Partial
Tier 2: Risk Informed
Tier 3: Repeatable
Tier 4: Adaptive

Note that in the Framework itself the implementation tiers describe the maturity of an organization's risk management practices as a whole; scoring each function or control against the tiers is an assessment convention layered on top of it.

Source: http://www.nist.gov/cyberframework/index.cfm

Leverage the NIST Cybersecurity Framework as an overlay for your organization's existing practices and Praetorian's recent assessment activities.

Application Security Assessment Services

Scope: web, mobile, IoT, desktop, appliance.

Tactical activities:
- Penetration Testing
- Security Code Review
- Developer Interviews
- Threat Modeling
- Requirements Mapping

Strategic initiatives:
- Software Development Lifecycle Review
- Software Assurance Maturity Modeling
- Secure SDLC Program Development
- Developer Security Training

Identify and remediate software vulnerabilities early and often to generate software maintenance savings that reduce overall development costs (based on IEEE Computer Society estimates).

Praetorian follows the OWASP ASVS standard, which normalizes the range in coverage and level of rigor applied to each application. The ASVS 2.0 verification levels:
- Level 0 (Cursory): an optional certification indicating that the application has passed some type of verification.
- Level 1 (Opportunistic): certified applications adequately defend against security vulnerabilities that are easy to discover.
- Level 2 (Standard): verified applications adequately defend against prevalent security vulnerabilities whose existence poses moderate-to-serious risk.
- Level 3 (Advanced): certified applications adequately defend against advanced security vulnerabilities and demonstrate principles of good security design.

OWASP ASVS defines the following security requirement areas: Authentication; Session Management; Access Control; Malicious Input Handling; Cryptography at Rest; Error Handling and Logging; Data Protection; Communications Security; HTTP Security; Malicious Controls; Business Logic; File and Resource; Mobile.

Cloud Security Assessment Services

Under a cloud provider's shared responsibility model you are responsible for protecting the confidentiality, integrity, and availability of your data; many cloud providers own the responsibility of delivering a global secure infrastructure and services.

Customer responsibility (the layers Praetorian reviews):
- Customer data
- Platform, application, identity & access management
- Operating system, network, and firewall configuration
- Client-side data encryption & data integrity authentication
- Server-side encryption (file system and/or data)
- Network traffic protection (encryption/integrity/identity)

Cloud security control reviews:
- Network firewall review, web application firewall, load balancers, remote VPN, Open DNS
- SIEM, intrusion detection system, intrusion prevention system, threat prevention
- Cryptographic accelerators, hardware security modules

Provider responsibility (AWS shown as the example): deployment and management; compute, database, storage, and networking services; AWS global infrastructure (availability zones/regions, edge locations).

Praetorian Engagement Workflow

Onboarding:
1. RFP
2. Scoping
3. Proposal submitted / accepted
4. MSA, NDA, SOW submitted
5. Scheduling & resource allocation
6. Pre-engagement kick-off call

Engagement:
7. Assessment / audit performed, with daily status
8. Report deliverable generated and draft reviewed: if revisions are requested, the report is revised and regenerated; once the draft is accepted, the engagement moves to closeout

Post engagement:
9. Closeout meeting
10. Invoice, NET 30

Continuous knowledge share and advisory support throughout.
