AT&T Security Consulting Services

© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.

Security Consulting Services
• Security Strategy & Roadmap
• Secure Infrastructure Services
• Vulnerability & Threat Management
• Governance, Risk, Compliance
• Application Security Services
• Payment Card Industry Solutions

Who We Are: AT&T Consulting Solutions At A Glance

Our Mission
• To build trusted advisor customer relationships by delivering forward-thinking, world-class infrastructure consulting services

Our Scope
• Pure-play consulting services: independent and objective solutions
• Life cycle capabilities: Plan, Architect, Integrate, Optimize
• Project-based engagement model aligned to specific business outcomes

Our Customers
• Strategic clientele with large-scale, complex and custom infrastructure needs
• Public and private sector, domestic and multinational presence

Our Team
• Part of AT&T Business Services
• Seasoned consultants averaging 12 years of industry experience
• Executive team averaging 20 years leading global professional services
• 11 offices across the U.S. and UK
Security Business Drivers
Evolving threats, increasing complexity
• Evolution of Malware / Botnets
• Insider Attacks
• Cyber Protests / Events
• IPv4/IPv6 Attacks
• Mobile Device Security
• Compliance
• Re-emergence of Old Attacks
• Security in the Cloud
• Advanced Persistent Threats
• Logical Attacks Against Physical Infrastructure
• Social Media and Geolocation

AT&T Security Consulting Practice Towers
Protecting business assets and enhancing enterprise governance

Security Strategy & Roadmap
Advisory and development services providing programmatic frameworks for operational alignment, advanced technology deployments (mobility and cloud) and a life cycle approach to security and risk management.

Governance, Risk & Compliance
Security assessment services addressing regulatory requirements and/or industry standards, as well as security program development with an emphasis on usable frameworks for policy and security management, aligned with the adoption of emerging technologies such as mobility and cloud.

Secure Infrastructure Services
A suite of life cycle offerings for planning, architecting, integrating and optimizing a secure network and infrastructure, aligned with business and security goals.

Vulnerability & Threat Management
Services designed to provide an independent baseline and validation of the overall security posture, from within or outside of the enterprise.

Application Security Services
Strategic and tactical security services focused on the applications supporting critical business processes, such as mobile and web-based applications. Includes technical assessments, secure development life cycle reviews and program management consulting.
Payment Card Industry Solutions
A range of comprehensive PCI compliance services that objectively help achieve and maintain PCI compliance, including PCI assessments, readiness assessments, remediation assistance and other related solutions.

Security Strategy & Roadmap
An advisory service to assist with the development of comprehensive information security strategies that are effective, manageable and offer maximum return on your security investment, while addressing emerging threats and risks specific to your business operations.

Strategy Development
• Develop a comprehensive information security framework that addresses the organization's requirements for information protection, incident prevention, detection and response, based on the organization's risk and aligned with industry best-practice frameworks

Security Roadmap
• Develop a customized roadmap with detailed project plans, identifying ownership, timelines and resource allocation for the effective implementation of the security strategy

Governance, Risk & Compliance
End-to-end consulting and advisory services for information security governance, risk management, compliance and the implementation of standards-based, regulatory, contractual and internal security requirements.
Mobility and Cloud Security Risk Assessments
• Risk Analysis
• Remediation Roadmap
• Implementation

Regulatory and Industry Standards-based Assessments
• HIPAA, HITECH, HITRUST
• GLBA
• State Privacy Law

FTC Mandated Assessments
• Security Assessments
• Initial & biennial
• Planning & Remediation

Business Continuity Planning
• Business Impact Analysis
• Strategy & Plan
• Training & Testing

ISO 27001/2 Assessments & Certification
• Readiness Assessment
• Planning & Implementation
• Certification

AT&T SureSeal Security Certified
• Trust & Assurance
• Security Assessment
• Remediation Roadmap

Payment Card Industry Service Offerings

Annual Security Assessment
• Performed by QSAs on-site for Level 1 and Level 2 entities (e.g. merchants)

Readiness Assessment
• Pre-assessment service that helps clients identify gaps prior to the actual assessment

Remediation Services
• Work with our clients to close the gaps between the PCI Data Security Standard requirements and their current state

Payment Application Assessments
• For clients who develop and resell payment applications to more than one entity, we can perform assessments per the requirements of PCI's Payment Application Data Security Standard (PA-DSS)

Vulnerability & Threat Management
• Design and implement programmatic controls and processes to maintain compliance throughout the year

Approved Scanning Vendor (ASV)

Qualified Forensic Investigator
Secure Infrastructure Services
Networks have become complex and fragmented due to rapid growth and acquisitions. An enterprise-wide network security approach can provide a tangible reduction in TCO and enable a business to be more agile and competitive.

Secure Network Architecture
• Planning, design and segmentation
• Configuration reviews
• Data center management
• Mobile Security / Cloud Computing

Firewall Assessment Services
• Implementation and administration
• Migration and consolidation
• Tuning (performance and compliance)

Security Event Management (SEM/SIM/SIEM)
• Log consolidation, alerting and reporting
• Intrusion Detection / Prevention / NAC placement and tuning

Data Discovery & Data Loss Prevention
• Know where the data resides and where it traverses
• Prevent data escaping the organization

Vulnerability and Threat Management
Provides an independent baseline and validation of the organization's security posture.
AT&T Consulting can simulate real-world attacks to identify vulnerabilities in the network, evaluate risks and develop remediation plans tailored to unique business requirements and security needs.

• Vulnerability Management
• VoIP Penetration Testing
• Wi-Fi Penetration Testing
• War Dialing
• Social Engineering
• Mobile Security Assessments
• Denial of Service Testing
• Virtualization Security
• Remote Access Assessment
• Breach/Incident Response Testing

Vulnerability Assessments
• Scanning of the target infrastructure, establishing a baseline and making compliance easier by validating external posture
• Providing an overall security picture at a lower cost with repeatable exercises
• Periodically verifying that assets are properly protected; evaluating recurring differentials and managing vulnerabilities
• Verifying that defense in depth and response capabilities are working as designed, along with security controls validation

Penetration Testing (aka Ethical Hacking)
• Takes vulnerability assessment to the next level
• Taken from the perspective of a malicious external entity or a rogue internal resource
• Manual testing and exploitation, in addition to false-positive reduction of automated results
• Required by many industry regulations and standards

Application Security
The Application Security solution portfolio consists of tactical and strategic services to help organizations assess, manage and reduce security risks arising from unsafe software development practices.
Application Security Assessments
• Automated and manual testing designed to circumvent the logic of the application in order to gain elevated access to systems or information
  – Web-based applications
  – Mobile applications

Security Code Review
• Industry common practice and PCI requirement
• PCI DSS v1.2, section 6.3.7: review of custom code prior to release to production or customers in order to identify any potential coding vulnerability
• OWASP Orizon Code Review and OWASP Top 10

Application Security Program Management
• Application inventory, identification and assignment of risk classification, development of testing plans, management and execution of the program

PCI PA-QSA Application Security Assessment
• Visa & MasterCard encourage application development companies to certify their payment applications in accordance with the PCI Payment Application Best Practices program
• Applications that meet these standards can be listed on the Visa web site as PCI-approved payment applications

Trusted Advisors
Helping our customers navigate complex IT transformation

Technology Strategy
• Technology roadmap, refresh, migrations

Compliance & Risk Reduction
• In deployments, upgrades, operations and security

Governance and Sourcing
• Process frameworks and sourcing strategies

CIO Agenda

Cost Performance
• Reduce CapEx/OpEx
• Consolidation
• Shared Services

Revenue Growth
• Rapidly introduce new services into production