AT&T Security Consulting Services
© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T
marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated
companies. All other marks contained herein are the property of their respective owners.
Security Consulting Services
• Security Strategy & Roadmap
• Secure Infrastructure Services
• Vulnerability & Threat Management
• Governance, Risk, Compliance
• Application Security Services
• Payment Card Industry Solutions
Who We Are
AT&T Consulting Solutions At A Glance
Our Mission
• To build trusted advisor customer relationships by delivering forward thinking, world-class infrastructure consulting services
• Pure play consulting services – independent and objective solutions
Our Scope
• Life cycle capabilities: Plan, Architect, Integrate, Optimize
• Project-based engagement model aligned to specific business outcomes
Our Customers
• Strategic clientele with large scale, complex & custom infrastructure needs
• Public and private sector, domestic and multinational presence
Our Team
• Part of AT&T Business Services
• Seasoned consultants averaging 12 years industry experience
• Executive team averaging 20 years leading global professional services
• 11 offices across the U.S. & UK
Security Business Drivers
Evolving threats, increasing complexity
• Evolution of Malware / Botnets
• Insider Attacks
• Cyber Protests / Events
• IPv4/IPv6 Attacks
• Mobile Device Security
• Compliance
• Re-emergence of Old Attacks
• Security In The Cloud
• Advanced Persistent Threats
• Logical Attacks Against Physical Infrastructure
• Social Media and Geolocation
AT&T Security Consulting Practice Towers
Protecting business assets & enhancing enterprise Governance
Security Strategy & Roadmap
Advisory and development services providing programmatic frameworks for operational alignment, advanced technology deployments (mobility and cloud) and a life cycle approach to security and risk management.
Governance, Risk & Compliance
Security assessment services addressing regulatory requirements and/or industry standards, as well as security program development with an emphasis on usable frameworks for policy and security management aligned with the adoption of emerging technologies such as mobility and cloud.
Secure Infrastructure Services
A suite of life cycle offerings aligned with planning, architecting, integrating, and optimizing a secure network and infrastructure aligned with business and security goals.
Vulnerability & Threat Management
Services designed to provide an independent baseline and validation of the overall security posture from within or outside of the enterprise.
Application Security Services
Strategic and tactical security services focused on the applications supporting critical business processes, such as mobile and web based applications. Includes technical assessments, secure development life cycle reviews and program management consulting.
Payment Card Industry Solutions
A range of comprehensive PCI compliance services that objectively help achieve and maintain PCI compliance, including PCI assessments, readiness assessments, remediation assistance, and other related solutions.
Security Strategy & Roadmap
An advisory service to assist with the development of comprehensive information security strategies that are effective, manageable and offer maximum return on your security investments, while addressing any emerging threats/risks specific to your business operations.
Strategy Development
• Develop a comprehensive information security framework that can address the organization’s requirements for information protection, incident prevention, detection and response, based on the organization’s risk and alignment with industry best practice frameworks
Security Roadmap
• Develop a customized roadmap with detailed project plans, identifying ownership, timelines and resource allocation for the effective implementation of the security strategies
Governance, Risk & Compliance
End-to-end consulting and advisory services for Information Security, Governance, Risk Management, Compliance and Implementation of standards, regulatory, contractual and internal security requirements.
Mobility and Cloud Security Risk Assessments
• Risk Analysis
• Remediation Roadmap
• Implementation
Regulatory and Industry Standards-based Assessments
• HIPAA, HITECH, HITRUST
• GLBA
• State Privacy Law
FTC Mandated Assessments
• Security Assessments
• Initial & biennial
• Planning & Remediation
Business Continuity Planning
• Business Impact Analysis
• Strategy & Plan
• Training & Testing
ISO 27001/2 Assessments & Certification
• Readiness Assessment
• Planning & Implementation
• Certification
AT&T SureSeal Security Certified
• Trust & Assurance
• Security Assessment
• Remediation Roadmap
Payment Card Industry Service Offerings
Annual Security Assessment
• Performed by QSAs on-site for Level 1 and Level 2 entities (i.e. merchants)
Readiness Assessment
• Pre-assessment service that helps clients identify gaps prior to the actual assessment
Remediation Services
• Work with our clients to close gaps between the PCI Data Security Standard requirements and their current state
Payment Application Assessments
• For clients who develop and resell payment applications to more than one entity, we can perform assessments per requirements of PCI’s Payment Application Data Security Standard
Vulnerability & Threat Management
• Design and implement programmatic controls and processes to maintain compliance throughout the year
Approved Scanning Vendor (ASV)
Qualified Forensic Investigator
Secure Infrastructure Services
Networks have become complex and fragmented due to rapid growth and
acquisitions. An enterprise-based network security approach can provide tangible
reduction in TCO, and enable a business to be more agile and competitive.
Secure Network Architecture
• Planning, design and segmentation
• Configuration reviews
• Data center management
• Mobile Security / Cloud Computing
Firewall Assessment Services
• Implementation and administration
• Migration and consolidation
• Tuning (performance and compliance)
Security Event Management (SEM/SIM/SIEM)
• Log consolidation, alerting and reporting
• Intrusion Detection / Prevention / NAC placement and tuning
Data Discovery & Data Loss Prevention
• Know where the data resides and traverses
• Preventing data escaping the organization
Vulnerability and Threat Management
Provides an independent baseline and validation of the organization’s security posture. AT&T Consulting can simulate real-world attacks to identify vulnerabilities in the network, evaluate risks, and develop remediation plans that are tailored to unique business requirements and security needs.
• Vulnerability Management
• VoIP Penetration Testing
• Wi-Fi Penetration Testing
• War Dial
• Social Engineering
• Mobile Security Assessments
• Denial of Service based testing
• Virtualization Security
• Vulnerability Assessments
• Remote Access Assessment
• Breach/Incident Response Testing
Penetration Testing (aka Ethical Hacking)
• Scanning of the target infrastructure, establishing a baseline and making compliance easier by validating external posture
• Takes Vulnerability Assessment to the next level
• Providing an overall security picture at a lower cost with repeatable exercises
• Taken from the perspective of a malicious external entity, or rogue internal resource
• Periodically verifying assets are properly protected; evaluating recurring differentials and managing vulnerabilities
• Manual testing and exploits, in addition to false positive reduction of automated results
• Verifying that defense in depth and response capabilities are working as designed, along with security controls validation
• Required by many industry regulations and standards
Application Security
The Application Security solution portfolio consists of tactical and strategic services to help organizations assess, manage, and reduce security risks arising from unsafe software development practices.
Application Security Assessments
• Automated and manual testing designed to circumvent the logic of the application in order to gain elevated access to systems or information
– Web Based
– Mobile Applications
Security Code Review
• Industry common practice and PCI requirement
• PCI DSS v1.2, section 6.3.7: Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability
• OWASP Orizon Code Review, and Top 10
Application Security Program Management
• Application inventory, identification and assignment of risk classification, development of testing plans, management and execution of program
PCI PA-QSA Application Security Assessment
• Visa & MasterCard encourage application development companies to certify their payment applications in accordance with the PCI Payment Application Best Practices program
• Applications that meet these standards can be listed on the Visa web site as PCI-approved payment applications
Trusted Advisors
Helping our customers navigate complex IT Transformation
Technology Strategy: technology roadmap, refresh, migrations
Compliance & Risk Reduction: in deployments, upgrades, operations, and security
Governance and Sourcing: process frameworks & sourcing strategies
CIO Agenda
Cost Performance: reduce CapEx/OpEx, consolidation, shared services
Revenue Growth: rapidly introduce new services into production