Cyber Maturity Accelerator: Introduction to DXC’s Cyber Reference Architecture
Version 2.1
DXC Security
November 14, 2018
© 2018 DXC Technology Company. The underlying methodologies and information are confidential and proprietary information of DXC Technology Company.
For further information, please contact [email protected]

Page 1: Title

Page 2: Agenda

1. Context

2. Cyber Maturity Accelerator


Page 4: Context

Five forces:

Risk surface is evolving and increasingly complex

The adversary is highly innovative and sophisticated

Regulatory pressures are rising in complexity, costs

Enterprise IT will continue to transform

Skills gap keeps widening

Headline figures (sources listed in the notes below):

• 72 hours to report a breach mandated by GDPR [1]

• $11.5B global ransomware damage costs by 2019 [2]

• $3.62M average total cost of a data breach [3]

• $8T cost of cyber crime to global businesses by 2020 [4]

• 30x more IT application releases as a result of DevOps by 2020 [5]

• 3.5M global shortfall of cyber security jobs by 2021 [6]

• 31B IoT devices will be connected to the internet by 2023 [7]

Presentation notes

Security has seen an exponential rise to fame; it is regularly cited as the number 1 board priority across enterprises and governments around the world. There have been some highly publicized attacks and incidents on the global stage, with many organizations learning the hard way how not having the right security and cyber risk strategy can have catastrophic effects, resulting in loss of revenue and ultimately market capital.

For most clients, it comes down to four forces.

First, cyber threats are more sophisticated. A recent report published by the Ponemon Institute, “Cost of Data Breach, June 2017”, cited $3.62M as the average total cost of a data breach, and a recent report published by Juniper Research cited a huge $8 trillion cost from cybercrime to global business by 2020. In parallel, the bad guys are smart and well funded, and cybercrime is now one of the most lucrative ‘industries’ in the black market. Fact.

Second, the advance of digital into all of our business models. The shift to a cloud and mobile first world is changing how business is done. The traditional perimeter has eroded, exposing us to a much more dynamic risk landscape, amplified by the growing number of internet sensors and devices. Just think about the number of applications an organization now supports, in varying form factors on multiple devices.

Third, regulatory pressures that in many cases are causing an increase in cost and complexity. Just look at the heightened sensitivity surrounding the General Data Protection Regulation that comes into effect in Europe next year: all organizations that do business in Europe must ensure that personally identifiable information is protected, and there are stringent processes to follow if data is ‘lost’. It is a game changer for many reasons, including finding the right personnel to manage such changes.

Which leads me on to the fourth area that organizations are grappling with: finding, hiring, training and retaining skilled employees. Simply put, there just aren’t enough cyber security professionals to keep up, first with the demand, and second to keep abreast of the latest tools, tactics and techniques that the bad guys are creating.

Sources:

[1] Regulation (EU) 2016/679 and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016

[2] https://cybersecurityventures.com/ransomware-damage-report-2017-part-2/

[3] Ponemon Institute, Cost of Data Breach, June 2017

[4] Juniper Research, The Future of Cybercrime & Security: Enterprise Threats & Mitigation 2017-2022

[5] ITProPortal, http://www.itproportal.com/features/why-devops-will-be-critical-to-your-organisation-in-2017/ : By its nature, DevOps will make you more agile, more fluid and responsive as a business. A key outcome is the ability to speed up the frequency of releases, as less time is needed for testing and QA than in siloed counterparts. High-performance IT organisations will deploy up to 30 times more frequently. Faster releases in turn mean businesses can deliver better and more features to customers, creating that improved user experience.

[6] Mitigating the Cyber Security Skills Shortage, https://www.csoonline.com/article/3258994/data-protection/cybersecurity-skills-shortage.html

[7] Ericsson Mobility Report, https://www.ericsson.com/assets/local/mobility-report/documents/2018/ericsson-mobility-report-june-2018.pdf
Page 5: Today’s enterprises require reliable security solutions

Experts to solve complex security challenges and propel transformation

Enhanced protection of digital assets

• Identify and preempt threats through internal and external views of the global security landscape

• Operationalize security controls across data, user, network, endpoint

• Global scale but with local reach and client context

Holistic risk and cyber security strategy

• Transformation expertise to “secure the digital transformation”

• Integrated solutions driven from risks down to controls

• Knowledge and experience across architecture and technical domains

Understand and measure IT security risk

• Visibility of IT security risk

• Demonstrate compliance both internally and externally

• Compliance expertise and industry-certified personnel

Flexibility for multiple deployment options

• Vendor agnostic

• Consumable in a way suited to business needs

• Tiered solutions and services

• Flexibility in delivery model: SaaS – hybrid – customized

Page 6: Agenda

1. Context

2. Cyber Maturity Accelerator

Page 7: We need a new protection philosophy: digital resilience

Traditional versus digital resilience, by dimension:

Ultimate state

• Traditional: Impregnable

• Digital resilience: Assume compromise; stop exfiltration and business disruption

Messaging

• Traditional: Fear, uncertainty and doubt; users as problems

• Digital resilience: Confidence, assurance, visibility, ready to respond; users as partners

Business proximity

• Traditional: None

• Digital resilience: Enables business outcomes

Accountability and leadership

• Traditional: IT department

• Digital resilience: C-suite and board

Focus

• Traditional: Perimeter; enterprise devices only; sporadic maturity improvement

• Digital resilience: Protect assets regardless of device or location; risk-based approach to addressing maturity gaps

Approach

• Traditional: Complicate, obstruct, say no; technology viewed as primary solution; encrypt data in transit; development and security separate

• Digital resilience: Lean and agile; people and process amplify technology; encrypt data throughout life cycle; developers and security partnership

Security Operations Center (SOC)

• Traditional: Regional; manual operations; isolated, silos; traditional infrastructure and devices; reactive

• Digital resilience: Global, full situational awareness; orchestrated and automated; collaborative; all devices, including IoT/operational technology (OT)/mobile; intelligence-driven and proactive

Page 8: Cyber Maturity Accelerator: Combining DXC’s diagnostics and cyber reference architecture

Phases 1 to 3 move from the As-Is state, through Diagnostics and the Cyber Maturity Accelerator, to the To-Be state defined with the CRA.

1. Assess your security posture

• Cyber Maturity Review (CMR) to define a baseline capability measurement

• Identify maturity gaps to prioritize investment

• Add other diagnostics to achieve a 360-degree view

2. DXC Cyber Reference Architecture (CRA)

• Encyclopedia of To-Be models providing solutions to complex security problems

• Leverages the best practice and solutions implemented by DXC worldwide

• No need to reinvent the wheel; lowers cost, time and risk

Page 9: Cyber Maturity Accelerator

Timeline: 4 weeks, 8 weeks, several months

1. Cyber Maturity Review (As-Is)

• Core diagnostic: 500 questions

• Baseline and quantify security posture

• Benchmark cyber maturity against peers

• Identify maturity gaps and prioritize investment

2. 6 optional diagnostics (As-Is)

• Cyber Attack Simulation

• Ransomware Diagnostic

• CMR Deep Dive: GDPR Readiness

• Advanced Compromise Assessment

• CMR Deep Dive: Security Operations (SecOps)

• Privileged Account Security Diagnostic

3. DXC Cyber Reference Architecture (To-Be)

• Use blueprints to accelerate To-Be definition

• Recommendations cost/benefit analysis

• Customize solutions with DXC’s experts

• Time estimations on project duration

• Reference architecture

• Prioritized roadmap

1 + 2 + 3 = Cyber Maturity Accelerator

• Security improvement program

• Addresses lack of maturity

• Improves security posture

• Delivers efficient change

• Reduces risk

Page 10: Cyber Maturity Accelerator, 1) Diagnostics (repeats the page 9 overview as the lead-in to section 1, Diagnostics)

Page 11: 1) Diagnostics: Assess your security posture

Diagnostic suite:

• CMR: Define a baseline for measuring and improving cyber maturity

• CMR Deep Dive: GDPR: Assess GDPR readiness

• CMR Deep Dive: SecOps: Measure SecOps maturity

• Ransomware Diagnostic: Understand if your enterprise can resist ransomware

• Privileged Account Security: Discover privileged accounts and assess risk

• Advanced Compromise Assessment: Learn if your enterprise is compromised

• Cyber Attack Simulation: Test defenses and recommend remediation with hacking simulation

Page 12: 1) CMR: Cyber maturity levels

Cyber maturity levels (based on CMMI):

5 Optimized: Thought leaders; highly mature; continuously improving and influencing best practice

4 Measured: Quantitatively controlled against best practice; has leading service components and procedures

3 Defined: Services well defined and subjectively evaluated; alignment with best practice

2 Managed: Planned, tracked and repeatable; business requirements met; limited resources available

1 Performed: Performed informally, minimum service levels

0 None: No capability

Scale shown on the gauge: 0 Incomplete, 1 Performed, 2 Managed, 3 Defined, 4 Measured, 5 Optimized

Example gauge: Current 1.50, Target 3.0

Page 13: 1) CMR: Deliverables (1/3): Results summary

Panels of the results summary:

• Domain category maturity: Security Strategy & Risk Management; Cyber Defense; Operational & Technical Security (Current Maturity vs. Target; chart values as extracted: 1.20, 1.90, 1.55)

• Individual domain maturity

• Security domain maturity: 1.55

• People/Process/Technology view: Process, Technology, People (chart values as extracted: 2.1, 1.3, 1.1)

• The 3 lowest scoring domains

Page 14: 1) CMR: Deliverables (2/3): Benchmark

• Benchmarks cyber maturity vs. peers

• Compares security investment with industry peers

• Are we getting a tangible return on investment from our security investment?

[Chart: Cyber Security Maturity (0.0 to 5.0) plotted against % IT security spend vs. total IT spend (2 to 14); reference lines for Industry Average (mean), Midpoint and Median]

Page 15: 1) CMR: Deliverables (3/3): Roadmap

• Cost Benefit Analysis

• Baseline security maturity

• Assess capability gaps

Prioritized Roadmap

[Chart: maturity gauge with scale 1 Performed, 2 Managed, 3 Defined; Current and Target markers; values as extracted: 3.0, 1.1, 2.0]

Roadmap items, scheduled by quarter (Q1 to Q4) across Phase I and Phase II:

Security strategy

Update security policies

Review security architecture

Security foundations

Security awareness

ISO and PCI compliance

Monitoring SOC

Advanced threat protection

Data loss prevention

Threat intelligence

Database vault

[Chart: Cost (High/Medium/Low) versus Benefit (High/Medium/Low) matrix with the roadmap items numbered 1 to 12]

Page 16: Cyber Maturity Accelerator, 2) CRA (repeats the page 9 overview as the lead-in to section 2, the Cyber Reference Architecture)

Page 17: 2) CRA: An encyclopedia of resilience best practice

Cyber Reference Architecture, used to develop:

• Advise, transform and manage

• World-class security solutions

Framework

• Taxonomy and nomenclature

• Strategic to technical

10 blueprints

• Focused on solving specific architecture challenges

Field proven and aligned with best practice

• Aligned to security architectures: NIST, ISO 27001, SANS critical controls

• Captures DXC’s vast expertise in advisory and architecture

• Technology agnostic

DXC’s strategic secret weapon

• The CRA is the home of DXC’s security wisdom

• Best-practice security library

• Built from hundreds of security engagements by thousands of advisors

• Delivers world-class architectures, including for SecOps

Granular, detailed and updated

• Complete, exhaustive and very detailed; people, process and technology

• Covers strategic, tactical and operational concerns

• Constantly updated by DXC’s experts

Page 18: 2) DXC’s CRA delivers resilience (1/3)

Strategic level

• Define strategy

• Manage risks and compliance

• Define enterprise security architecture

• Address prioritized risks and enable the business

Tactical and operational level

• Security monitoring

• Breach response

• Orchestrate intelligent SecOps

Technical level

• Design, size, implement and run

• Technical security solutions

• Physical security

CRA domain map (12 domains in three groups):

Security Strategy & Risk Management (SSRM): Strategy, Leadership & Governance (SLG); Risk & Compliance Management (RCM); Security Resilient Architecture (SRA); Resilient Workforce (RW)

Cyber Defense & Orchestration (CDO): Cyber Defense (CD); Security Orchestration (SO)

Technical Security (TS): Identity & Access Management (IAM); Infrastructure & Endpoint Security (IES); Applications Security (AS); Data Protection & Privacy (DPP); Converged Security (CS); Physical Security (PS)

Page 19: 2) DXC’s CRA delivers resilience (2/3)

Domain descriptions:

• Strategy, Leadership & Governance (SLG): Define a strategy aligned to business objectives

• Risk & Compliance Management (RCM): Manage risk and ensure compliance

• Security Resilient Architecture (SRA): Translation of business strategies into security solutions

• Resilient Workforce (RW): Security-conscious culture and knowledge management

• Cyber Defense (CD): Security monitoring, incident management and response

• Security Orchestration (SO): Processes, including management and measurement

• Identity & Access Management (IAM): Management of identities and access controls

• Infrastructure & Endpoint Security (IES): Enterprise threat detection and prevention

• Applications Security (AS): Secure development and maintenance of software

• Data Protection & Privacy (DPP): Data classification, modeling and protection

• Converged Security (CS): IT and OT security integration

• Physical Security (PS): Protect assets from physical threats

Page 20: 2) DXC’s CRA delivers resilience (3/3)

CRA structure (counts across the whole CRA):

• Domain: 12 total

• Subdomain: 56 total

• Capability: 347 total

Cyber defense example:

• Domain: Cyber defense

• Subdomains (6 total in this domain), for example Monitoring and Analytics

• Capabilities (55 total in this domain), for example Log correlation and Use cases under Monitoring, Anomaly detect and User behavior under Analytics

The CRA domain map (the 12 domains listed on page 18) is shown alongside, with Cyber Defense (CD) as the worked example.

Page 21: 2) CRA: Blueprints solve specific security challenges

10 blueprints

Single-domain blueprints:

• Cyber defense blueprint

• Identity and access management blueprint

• Infrastructure and endpoint security blueprint

• Data protection and privacy security blueprint

• Resilient workforce blueprint

• Risk and compliance management blueprint

Multi-domain blueprints:

• Cloud security blueprint

• GDPR security blueprint

• OT security blueprint

• Remediation blueprint

Shown against the CRA domain map (the 12 domains listed on page 18).

Page 22: 2) CRA: Blueprints solve specific security challenges (repeats page 21)

Page 23: 2) CRA: Cyber defense blueprint (1/8): Cyber defense capabilities

Cyber defense capabilities: Threat intelligence and profiling; Security incident response and remediation management; Security analytics; Vulnerability management; Digital investigation and forensics; Security monitoring

Security monitoring, detailed:

• Log policy definition: Definition of a corporate policy related to log generation, with the necessary level of requested logs per component, where each component security standard should include technical log settings, which may include logs containing user activities, security violations and other security event information

• Log management: Activities to ensure proper log setting configuration on each hardware and software component according to the corresponding component security standard; collecting and aggregating logs to a central repository through collectors or agents from any device, source or format

• Log correlation: Ability to discover and apply logical associations among disparate log events and within a large volume of events from different log sources in order to highlight important events and identify suspicious activities

• Log integrity: Ensuring logs cannot be modified so that integrity is maintained throughout and evidence of integrity can be provided

• Use case management: Use case definition: modeling of attack scenarios or a sequence of events and associated rule definition, which if occurring within a certain period of time represents a suspicious activity that needs to be analyzed

Page 24: 2) CRA: Cyber defense blueprint (2/8): Cyber defense capabilities

Cyber defense capabilities: Threat intelligence and profiling; Security incident response and remediation management; Security analytics; Vulnerability management; Digital investigation and forensics; Security monitoring

Security monitoring, continued:

• Monitoring and alerting processes: The process of observing, checking and tracing (recording) generated alerts defined in use case implementations to initiate incident triage and response when needed

• Event query: Ability to query for a particular event or a sequence of events which occurred in the past

• Log reporting: Logs and events management report: events and logs collected and recorded, use case management, alerting and monitoring activities (numbers of alerts, actions undertaken, etc.)

• Shift-handover process: The process to manage SOC analysts’ and operators’ shift handover

• Daily operations meeting procedure: The process to manage SOC daily operations (console monitoring, ticket management, etc.)

Page 25: 2) CRA: Cyber defense blueprint (3/8)

Layered cyber defense model, shown against the CRA domain map with Cyber Defense (CD):

• Strategic layer

• Controls layer

• Operations layer: Security monitoring; Security incident response and remediation management; Forensic analysis and response

• Vulnerability layer: Vulnerability management

• Intelligence layer: Threat intelligence and profiling; Digital investigation and forensics

• Context and behavior layer: Security analytics

• Asset management

Inputs: Physical events; IT events; OT events

Flows between the layers: Correlated events; Actionable security and threat intelligence; Containment, clean-up, eradication, disruption, remediation

Page 26: 2) CRA: Cyber defense blueprint (4/8)

Layered model as on page 25, with the first SOC foundation key work package added.

SOC foundation key work packages:

• Infrastructure security monitoring: Comprehensive breadth and depth of collection of events across the infrastructure; Centralized storage of normalized data; detect security incidents quickly based on use cases

Page 27: 2) CRA: Cyber defense blueprint (5/8)

Layered model as on page 25, with further SOC foundation key work packages added.

SOC foundation key work packages:

• Infrastructure security monitoring: Centralized storage of normalized data; detect security incidents quickly based on use cases

• Assess/define SOC processes

• Monitor and analyze security events 24x7x365

Page 28

2) CRA: Cyber defense blueprint (6/8)

(Cyber defense blueprint diagram, as on the previous slides.)

SOC foundation key work packages

Infrastructure security monitoring
• Centralized storage of normalized data; detect security incidents quickly based on use cases

SecOps management
• Assess/define SOC processes: monitor and analyze security events 24x7x365
• Security incident management process: manage security incidents quickly

Page 29

2) CRA: Cyber defense blueprint (7/8)

(Cyber defense blueprint diagram, as on the previous slides.)

SOC foundation key work packages

Infrastructure security monitoring
• Centralized storage of normalized data; detect security incidents quickly based on use cases

SecOps management
• Assess/define SOC processes: monitor and analyze security events 24x7x365
• Security incident management process: manage security incidents quickly
• Crisis management process update: ensure security and privacy requirements are covered in the crisis management process

Page 30

2) CRA: Cyber defense blueprint (8/8)

(Cyber defense blueprint diagram, as on the previous slides.)

SOC foundation key work packages

Infrastructure security monitoring
• Centralized storage of normalized data; detect security incidents quickly based on use cases

Assess/define SOC processes
• Monitor and analyze security events 24x7x365

Security incident management process
• Manage security incidents quickly

Crisis management process update
• Ensure security and privacy requirements are covered in the crisis management process

Establish a digital investigation and forensics service
• Digital investigation and forensics service for rapid security incident response

Page 31

2) CRA: Initiative template (1/2)

Establish a digital investigation and forensics service
Duration: L; Business impact/disruption: L; Cost: L
Capabilities addressed: CD.4.1; CD.4.2; CD.4.3

Name: Establish a Digital Investigation & Forensics Service. Work Package ID: CD.4.a

Purpose and high-level description:
• Understand and define the requirements for an organization-wide digital investigation and forensics service, including rapid security incident response as well as legal and regulatory aspects in any geography, to conduct threat actor profiling and tracking.
• Analyze the most restrictive data privacy policy to use as an authoritative basis for all regions and business units.
• Define the scope, goals and expectations of the relevant business units and organizations for this investigation and forensics service.
• Describe the vision and scope that articulates the requirements for recovery of digital evidence such as a binary image of a system, raw logs, traffic capture, etc.:
 – If and how must the workers' council and legal be involved in such processes?
 – What are the primary goals of such activities (e.g., knowledge gain to better enhance detective and reactive controls, enablement of criminal prosecution)?
 – How is the investigation team to be designed, centrally or locally? What legal aspects, if any, are involved in data transfer, recovery of digital evidence, and storage and processing of restricted data such as HDD images, personally identifiable information (PII), etc.?
 – Who will lead this investigation, and which systems, assets, entities and services are the most important and business critical, so that resources can be focused on them?
 – How are key performance indicators measured, how are they verified, and at which intervals?
 – Which tools are used, and is information handled in a centralized or decentralized fashion? Are the various tools compatible, and do interfaces need to be defined?
 – What does the organization-wide governance process look like?
• Design the technical architecture of the solution(s) to support the goals and strategies defined in the vision and scope.
• Create the architecture design, describing which technical principles are used, which tools are preferred and how the various infrastructures are combined to form a holistic solution (network forensic toolkit, sandboxing and IOC assessment toolkit, etc.).
• Create a deployment guide that describes the technical concepts and enumerates the implementation steps in detail. In addition, describe typical patterns to look for and how the forensic approaches are integrated into processes (SOC processes, incident management and incident response processes, etc.) and tools. Finally, plan the deployment following project management and technical best practices.

Staffing requirements:
• DXC roles:
 – 1 x security principal (2 days)
 – n x security architect (5 days)
 – 1 x account security officer (1 day)
 – 1 x program director (1 day)
 – 1 x project manager (2 days per toolkit)
 – n x network operations engineers and SMEs (5 days per toolkit)
• Customer roles:
 – 1 x head of security (1 day)
 – n x network operations engineers and SMEs, if the network is managed by the customer (5 days per toolkit)

Key activities:
(1) Agree on scope and service type with key customer stakeholders and document the service description accordingly (in particular, define the key performance indicators and governance); (2) define and agree on the vision and scope of the digital investigation and forensics requirements and design the solution; (3) prioritize the essential systems, networks and entities to start the deployment in a prioritized order; (4) define the necessary security process adaptations and changes to existing processes; (5) define an implementation plan for delivering the digital investigation and forensics service; and (6) train personnel in the solution approaches and their required activities, and involve the team in the solution build process.

Deliverables:
• Statement of Work for the digital investigation and forensics service, project plan and schedule, architecture documentation, implementation guide, test guide, process definition and update, standard service documentation; communication through the organization
• Infrastructure installation and configuration, update of existing processes

Workload estimation:
• Estimated project duration = 1 month
• Estimated effort for DXC = 23 man days (for two toolkits)
• Estimated effort for customer = 11 man days
• Hardware and software costs not included

Business benefits and outcomes:
• More awareness of cyber risk in the organization
• Better visibility into the most relevant infrastructure areas and systems
• Improvement in the quality, speed and availability of operational practices
• Better understanding of the organization's threat profile, and preliminary, proactive and repeatable processes
• Ability to achieve faster identification of new malware and threats; reduction of cyber risks

Business challenges and problems foregoing commitment:
• More time required to identify threat actors already in place
• Less digital investigation and forensics capability to address breaches of information security (e.g., loss of confidentiality, integrity and availability) and to protect intellectual property (IP) (trade secrets, competitive information, IP theft, secured collaboration)
• Less visibility of malicious software on workstations and servers
• Less visibility of events and hack attempts across the entire estate

Page 32

2) CRA: Initiative template (2/2)

Establish a digital investigation and forensics service
Duration: L; Business impact/disruption: L; Cost: L
Capabilities addressed: CD.4.1; CD.4.2; CD.4.3

(Same CD.4.a work package text as on the previous slide, shown here with the template's sections labelled.)

Template sections:
• Purpose and high-level description
• Key activities
• Deliverables
• Business benefits and outcomes
• Staffing requirements
• Workload estimation
• Business challenges and problems foregoing commitment

Page 33

3) Cyber Maturity Accelerator

Cyber Maturity Accelerator (1/2)

1. Cyber Maturity Review (4 weeks; As-Is)
• Core Diagnostic – 500 questions
• Baseline and quantify security posture
• Benchmark cyber maturity against peers
• Identify maturity gaps & prioritize investment

plus 6 optional diagnostics (As-Is):
• Cyber Attack Simulation
• Ransomware Diagnostic
• CMR Deep Dive: GDPR Readiness
• Advanced Compromise Assessment
• CMR Deep Dive: Security Operations
• Privileged Account Security Diagnostic

2. DXC Cyber Reference Architecture (8 weeks; To-Be)
• Use Blueprints to accelerate To-Be definition
• Recommendations cost/benefit analysis
• Customize solutions with DXC's experts
• Time estimations on project duration
• Reference architecture
• Prioritized roadmap

= 3. Cyber Maturity Accelerator (several months)
• Security improvement program
• Addresses lack of maturity
• Improves security posture
• Delivers efficient change
• Reduces risk

Page 34

Cyber Maturity Accelerator (2/2): Modular transformation

(Chart: overall current state and future state, current vs. target maturity on a 0.0 to 5.0 scale, across Security Strategy; Asset management, Governance, Policy and Risk Management; Legal and Regulatory Compliance, Security…; Reference Enterprise Security Architecture; Identity and Access Management; Infrastructure Security; Endpoint Security; Cyber Defense; Data Security; Business Continuity & Disaster Recovery; Physical Security; Managed Security & Service Delivery; Cultural Change.)

Transformation steps: maturity assessment discovery (CMR and diagnostics) → initiatives identification and validation (list of initiatives) → initiatives/WPs definition (initiative's scope and deliverables' description = work packages (WPs)) → transformation plan → delivery ensuring traceability (objectives, benefits).

CRA framework domains: Strategy, Leadership & Governance (SLG); Risk & Compliance Management (RCM); Resilient Workforce (RW); Security Orchestration (SO); Security Resilient Architecture (SRA); Identity & Access Management (IAM); Infrastructure & Endpoint Security (IES); Applications Security (AS); Data Protection & Privacy (DPP); Cyber Defense (CD); Physical Security (PS); Converged Security (CS). Strategy = Vision and Direction.

CRA blueprints (work packages: WP name, sub-domain, WP description, WP outcomes, objective, timescale):

CD.1.a – Infrastructure Security Monitoring
Sub-domain: Security Monitoring
Description:
• Define SIEM use cases
• Define the corresponding requirements for log policy, log generation (setting) and log storage for critical IT security infrastructure
• Define or revisit SIEM architecture requirements to support additional requirements and new use cases
• Define and execute the corresponding transformation plan
Outcomes:
• Log analysis
• Targeted and accurate alerting
• Ability to quickly identify when a threat actor is in the environment, then quarantine and remove that actor
• Ensuring the service is performing as expected
Objective: VISIBILITY. Timescale: 9 months

CD.2.a – Assess / Define Security Operation Center processes
Sub-domain: Security Incident Response & Remediation Management
Description:
• Define core SOC processes or review the current SOC processes
• Validate the overall maturity of SOC processes
• Define the future state transformation plan of SOC processes
Outcomes:
• Efficient security operations allowing an attack to be quickly identified, quarantined and removed
Objective: RESPONSE. Timescale: 3 months

CD.2.b – Security Incident Management Process
Sub-domain: Security Incident Response & Remediation Management
Description:
• Define or review the current Security Incident Management process and validate its overall maturity
• Define an interim solution for the Security Incident Management process if necessary, including support materials for delivery
• Define the future state transformation plan of the process
Outcomes:
• Robust service for managing security incidents
Objective: RESPONSE. Timescale: 3 months

CD.2.c – Crisis Management Process update
Sub-domain: Security Incident Response & Remediation Management
Description:
• Ensure security and privacy requirements are covered in the crisis management process, so that it can deal with serious, disruptive or catastrophic events impacting and harming the organization and its businesses
Outcomes:
• Robust service for managing security incidents
Objective: RESPONSE. Timescale: 2 months

CD.3.a – Threat Intelligence Platform development
Sub-domain: Threat Intelligence & Profiling
Description:
• Develop a Threat Intelligence Platform supporting collection, validation, storage and automated use of threat intelligence:
 – provide custom scripting flexibility and programming language options,
 – allow automated enrichment via community feeds and sources,
 – allow automated triage, with automated application of IOCs, scripts, customized signatures on endpoint IR tooling, etc.
Outcomes:
• Intelligence-led alerting and identification of security breaches
Objective: VISIBILITY, INTELLIGENCE. Timescale: 2 months
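The infrastructure security monitoring work package (CD.1.a above and on the SOC foundation slides) asks for centralized storage of normalized data and use-case based detection over physical, IT and OT events. The following Python is an added example, not DXC's code or part of the deck: it normalizes three constructed log formats into one schema and runs two hypothetical cross-source use cases; the log formats, field names, user names and both use cases are assumptions made for this illustration.

```python
"""Normalize constructed physical, IT and OT events into one schema and run
cross-source SIEM use cases over the result. Added illustration for the
infrastructure security monitoring work package; the log formats, field
names and both use cases are assumptions, not DXC's."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str    # "physical", "it" or "ot"
    user: str
    action: str
    place: str     # site for badge events, source country for VPN, cell for OT


# Constructed raw records, one format per source (hypothetical users/devices).
PHYSICAL_LOGS = ["2018-11-14T08:02:11Z badge=ok user=jdoe door=HQ-B1-North"]
IT_LOGS = ['2018-11-14T08:40:05Z vpn auth success user="jdoe" src_country=BR',
           '2018-11-14T08:41:30Z vpn auth success user="asmith" src_country=DE']
OT_LOGS = ["2018-11-14T08:45:00Z plc=PLC-07 op=write_config by=asmith cell=LINE-2",
           "2018-11-14T10:10:00Z plc=PLC-07 op=read_status by=ops1 cell=LINE-2"]

# (source, line pattern, mapper from match -> (action, user, place))
_PARSERS = [
    ("physical", re.compile(r"^(\S+) badge=(\w+) user=(\w+) door=([A-Z0-9]+)-\S+$"),
     lambda m: ("badge_" + m[2], m[3], m[4])),
    ("it", re.compile(r'^(\S+) vpn auth (\w+) user="(\w+)" src_country=(\w+)$'),
     lambda m: ("vpn_" + m[2], m[3], m[4])),
    ("ot", re.compile(r"^(\S+) plc=\S+ op=(\w+) by=(\w+) cell=(\S+)$"),
     lambda m: (m[2], m[3], m[4])),
]


def normalize(raw_by_source: dict) -> list:
    """Parse each source's raw lines into Events, ordered by time. Lines that
    do not parse are dropped here; a production pipeline should count them,
    because a silent parser gap is a monitoring blind spot."""
    events = []
    for source, pattern, fields in _PARSERS:
        for line in raw_by_source.get(source, []):
            m = pattern.match(line)
            if m:
                action, user, place = fields(m)
                events.append(Event(datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"),
                                    source, user, action, place))
    return sorted(events, key=lambda e: e.ts)


def run_use_cases(events: list, window: timedelta = timedelta(hours=2)) -> list:
    """Two hypothetical cross-source use cases over normalized events:
    UC1: badge-in on site followed within `window` by a VPN login from abroad
         (physical + IT: one person cannot be in both places).
    UC2: OT configuration write by a user whose latest IT event within
         `window` is a remote VPN login (IT + OT)."""
    alerts = []
    last_badge, last_vpn = {}, {}
    for e in events:
        if e.source == "physical" and e.action == "badge_ok":
            last_badge[e.user] = e
        elif e.source == "it" and e.action == "vpn_success":
            b = last_badge.get(e.user)
            if b and e.ts - b.ts <= window:
                alerts.append(("UC1", e.user, f"on site {b.place}, VPN from {e.place}"))
            last_vpn[e.user] = e
        elif e.source == "ot" and e.action == "write_config":
            v = last_vpn.get(e.user)
            if v and e.ts - v.ts <= window:
                alerts.append(("UC2", e.user, f"remote config write on {e.place}"))
    return alerts


if __name__ == "__main__":
    evs = normalize({"physical": PHYSICAL_LOGS, "it": IT_LOGS, "ot": OT_LOGS})
    for alert in run_use_cases(evs):
        print(alert)
```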

Page 35

For further information, please contact [email protected]