CYBER SECURITY CASE STUDIES

Cybersecurity compliance and computer forensics are our key focus; we are an organization of IT security professionals. We work with organizations in all industries, and you will find a few of our case studies on this page.

CyberSecOp Cybersecurity & Breach News

Enhancing Compliance and Security in DevOps: Case Study

Client Overview: The client, a leading development company specializing in innovative software solutions, faced challenges in ensuring compliance and security best practices within their DevOps practices. Their projects involved Azure Data Lake, AI, machine learning and application testing, and required secure developer access.

Client Challenge: The client sought to streamline their development processes while ensuring compliance with industry regulations and maintaining robust end-to-end security measures. They faced the following challenges:

  1. Compliance Requirements: The company needed to adhere to stringent compliance standards such as GDPR, HIPAA, and PCI-DSS due to the sensitive nature of the data they handled.

  2. Security Concerns: With the increasing complexity of their projects and the adoption of cloud technologies like Azure Data Lake, AI and machine learning, the client needed to bolster their security posture to safeguard against potential threats and data breaches.

  3. DevOps Implementation: The client aimed to transition to a DevOps culture, which included Agile methodologies, to accelerate development cycles, improve collaboration, and enhance product quality. However, they lacked expertise in integrating security into their DevOps practices (DevSecOps).

Solution Provided: 

CyberSecOp, a Managed Security Service Provider (MSSP), partnered with Managed Compliance Organization to address the client's challenges comprehensively. The following solutions were implemented:

  1. Compliance Assessment: CyberSecOp conducted a thorough assessment of the client's existing compliance posture and identified gaps. The output of the assessment included tailored recommendations and assistance to ensure adherence to relevant regulatory frameworks.

  2. Security Architecture Design: CyberSecOp collaborated with the client's development team to design a robust security architecture that integrated seamlessly with their DevOps processes. This involved implementing security controls for Azure Data Lake, AI, machine learning environments, and application testing pipelines.

  3. DevSecOps Integration: CyberSecOp assisted the client in embedding security practices into their DevOps workflows. This included implementing automated security testing tools, integrating security checkpoints into CI/CD pipelines, and establishing secure developer access controls.

  4. Continuous Monitoring and Threat Detection: Managed Compliance Organization implemented continuous monitoring solutions to detect and respond to security threats in real-time. This included leveraging AI and machine learning algorithms for anomaly detection and proactive threat hunting.

  5. Security Awareness Training: CyberSecOp conducted customized security awareness training sessions for the client's development team to educate them about best practices for secure coding, data handling, and incident response.

Outcome: 

Following the project completion, the collaboration between CyberSecOp and Managed Compliance Organization resulted in significant improvements for the client:

  1. Enhanced Compliance: The client achieved compliance with industry regulations by building it into their DevOps best practices, reducing the risk of regulatory fines and penalties while also enhancing their end products.

  2. Improved Security Posture: By integrating security into their DevOps processes, the client strengthened their security posture and reduced the likelihood of data breaches and cyber-attacks.

  3. Accelerated Development Cycles: The client's adoption of DevSecOps practices enabled them to streamline their development workflows, leading to faster release cycles and improved time to market for their products.

  4. Secure Developer Access: Implementing secure developer access controls ensured that only authorized personnel could access sensitive resources, reducing the risk of both external and internal threats.

  5. Increased Security Awareness: The security awareness training sessions provided by CyberSecOp empowered the client's development team to proactively identify and mitigate security risks in their code and applications.

Overall, the collaboration between CyberSecOp, Managed Compliance Organization, and the client resulted in a successful DevOps transformation that prioritized compliance and security without compromising on agility and innovation, while increasing the security posture of their end product.


CyberSecOp: Rethinking Security for a Leading Financial Institution with Google Cloud Platform

The Challenge: A prominent financial institution, facing the twin pressures of growing cyber threats and aging on-premises infrastructure, sought a transformative solution to modernize its security posture and unlock data-driven risk management. Enter CyberSecOp, a leading cybersecurity services provider, armed with the power of Google Cloud Platform (GCP).

CyberSecOp's Approach:

CyberSecOp's team of security experts conducted a comprehensive assessment of the institution's IT environment, meticulously analyzing:

  • Infrastructure Efficiency: Examining hardware, software, and network architecture to identify modernization opportunities and scalability bottlenecks.

  • Data Fortress: Evaluating data governance, security controls, and compliance adherence, aiming to identify and fortify any vulnerabilities.

  • Risk Radar: Assessing the effectiveness of existing risk analysis tools and processes, searching for blind spots and potential loopholes.

  • Data Unleashed: Unveiling the potential of siloed data for proactive risk identification and informed decision-making.

  • Cost Optimization: Identifying potential cost savings and resource allocation enhancements through migration to GCP.

Key Findings:

The assessment revealed critical limitations in the existing infrastructure, highlighting the need for a proactive response:

  • Technical Lag: The ageing on-premises systems lacked the resilience and scalability necessary to meet the institution's growing data demands and evolving security landscape.

  • Security Gaps: Manual security processes proved vulnerable to human error, while existing solutions failed to adequately address sophisticated cyber threats.

  • Data Blindness: Fragmented data hampered comprehensive risk analysis and compliance efforts, leaving the institution exposed to potential threats.

The CyberSecOp Solution:

CyberSecOp proposed a tailored multi-phased migration to GCP, designed to address the institution's specific needs and unlock its full potential:

  • Infrastructure Transformation: Migrating core applications and databases to GCP, leveraging managed services like GKE for containerized deployments and Cloud SQL for secure, scalable databases.

  • Fortress GCP: Implementing GCP's robust security features, including IAM for centralized access control, KMS for encryption key management, and SCC for comprehensive threat detection and incident response.

  • Data-Driven Risk Management: Migrating data to BigQuery, empowering the institution to leverage advanced analytics for proactive risk identification, fraud detection, and regulatory compliance.

  • Continuous Vigilance: Fostering a DevSecOps culture, integrating security throughout the software development lifecycle and utilizing machine learning for threat prediction and anomaly detection.

Expected Outcomes:

The proposed GCP solution promises a transformative impact on the institution's security posture and risk management capabilities:

  • Unbreakable Security: GCP's layered security features significantly enhance data protection, minimize attack surfaces, and streamline compliance audits.

  • Data-Powered Insights: BigQuery equips the institution with actionable insights into risk patterns, enabling proactive mitigation strategies and informed business decisions.

  • Operational Agility and Cost Optimization: GCP's pay-as-you-go model and managed services offer cost savings and enhanced IT agility, freeing up resources for innovation.

  • Competitive Edge: The future-proofed infrastructure and data-driven approach empower the institution to stay ahead of evolving threats, deliver superior customer experiences, and maintain its competitive edge in the financial landscape.

CyberSecOp, through its expertise in cybersecurity and the power of GCP, has charted a path for the financial institution to transform its security posture, unlock data-driven insights, and navigate the challenges of the digital age with confidence.


ISO 27001 and GLBA Implementation for Financial Institution Case Study

Executive Summary

CyberSecOp was engaged by a financial institution to implement ISO 27001 and achieve GLBA compliance. CyberSecOp's VCISO led the compliance implementation and testing, working closely with the client team. The project included a security assessment, development of an ISO 27001 security program, build out of a secure environment in Microsoft Azure, and implementation of a Software Development Lifecycle (SDLC) process. CyberSecOp also provided ongoing support and management of the environment.

Challenges

The project faced a number of challenges, including:

  • The client had a complex environment with a variety of legacy systems.

  • The client had a limited understanding of ISO 27001 and GLBA compliance requirements.

  • The client had a tight deadline for achieving compliance.

Solution

CyberSecOp's team of experts worked closely with the client to overcome these challenges and deliver a successful project.

Security Assessment

CyberSecOp conducted a comprehensive security assessment of the client's environment. The assessment identified a number of vulnerabilities that needed to be addressed in order to achieve compliance.

ISO 27001 Security Program

CyberSecOp developed an ISO 27001 security program for the client. The program included a risk assessment, risk treatment plan, and implementation plan.

Microsoft Azure Environment Build Out

CyberSecOp built out a secure environment in Microsoft Azure for the client. The environment included all of the necessary security controls to protect the client's data and applications.

Software Development Lifecycle (SDLC)

CyberSecOp implemented an SDLC process for the client. The SDLC process included security requirements gathering, security testing, and security risk management.

Data Flow and Visualization

CyberSecOp implemented a data flow and visualization solution using Databricks and Pipeline. The solution allowed the client to visualize their data in real time and identify any potential security threats.

Microsoft Sentinel Security Tool

CyberSecOp implemented the Sentinel Security Tool for SIEM threat monitoring. The Sentinel Security Tool provides the client with a comprehensive view of their security posture and alerts them to any potential threats.

Risk Management

CyberSecOp implemented a risk management framework for the client. The framework identified, assessed, and treated all of the client's security risks.

Developer Access

CyberSecOp implemented strict access controls for developers. Developers were only granted access to the resources that they needed to perform their jobs.

Remote Access

CyberSecOp implemented strict access controls for remote access. Remote users were required to use MFA and their IP addresses were restricted.

Privilege Management

CyberSecOp implemented a privilege management solution for the client. The solution ensured that users were only granted the privileges that they needed to perform their jobs.

Application Testing

CyberSecOp implemented an application testing infrastructure. The infrastructure included all of the necessary tools and processes to test the client's applications for security vulnerabilities.

Mentoring of Client Team

CyberSecOp mentored the client team throughout the project. The mentoring helped the client team to develop the skills and knowledge necessary to manage the ISO 27001 security program and the secure environment in Microsoft Azure.

Ongoing Support and Management

CyberSecOp provides ongoing support and management of the client's environment. CyberSecOp monitors the environment for security threats and provides remediation guidance.

Process for Client Team Ongoing Training

CyberSecOp provides ongoing training to the client team on ISO 27001 compliance and security best practices. The training is tailored to the specific needs of the client team.

Project Management Section

The CyberSecOp ISO 27001 implementation project was managed using a hybrid project management approach. The approach combined elements of both agile and waterfall methodologies.

Agile Methodology

The agile methodology was used for the development of the secure environment in Microsoft Azure and the implementation of the SDLC process. The agile methodology allowed the team to quickly iterate on the environment and the SDLC process to ensure that they met the client's needs.

Waterfall Methodology

The waterfall methodology was used for the security assessment, the development of the ISO 27001 security program, and the implementation of the data flow and visualization solution. The waterfall methodology was used for these tasks because they required a more structured approach.

Weekly Meetings

The project team held weekly meetings to discuss progress, identify any challenges, and make necessary adjustments to the project plan. The meetings were attended by the CyberSecOp team, the client team, and other stakeholders.

Phase and Phase Deliverables

The project was divided into the following phases:

  • Phase 1: Security Assessment and ISO 27001 Security Program Development

  • Phase 2: Microsoft Azure Environment Build Out

  • Phase 3: SDLC Process Implementation

  • Phase 4: Data Flow and Visualization Solution Implementation

  • Phase 5: Final Testing and Deployment


Benefits

The project delivered a number of benefits to the client, including:

  • Improved security posture

  • Increased compliance with ISO 27001 and GLBA requirements

  • Reduced risk of data breaches and other security incidents

  • Improved visibility into security threats

  • Increased confidence in the security of the environment

Conclusion

CyberSecOp successfully implemented ISO 27001 and achieved GLBA compliance for a financial institution. The project overcame a number of challenges and delivered a number of benefits to the client.

Recommendations

CyberSecOp recommends that other financial institutions consider implementing ISO 27001 to improve their security posture and achieve compliance with GLBA requirements. CyberSecOp also recommends that financial institutions work with a qualified security partner to ensure the success of their ISO 27001 implementation.


ISO 27001 Implementation for Manufacturing Organization Case Study

Executive Summary

CyberSecOp was engaged by a manufacturing organization to implement ISO 27001 and achieve compliance with Good Pharmaceutical Practice (GxP) regulations in an on-premises environment. CyberSecOp's VCISO led the compliance implementation and testing, working closely with the client team. The project included a security assessment, development of an ISO 27001 security program, build out of a secure environment on-premises, and implementation of a variety of security controls to protect the client's data and systems.

Challenges

The project faced a number of challenges, including:

  • The client had a complex environment with a variety of legacy systems.

  • The client had a limited understanding of ISO 27001 and GxP compliance requirements.

  • The client had a tight deadline for achieving compliance.

  • The project needed to be implemented in an on-premises environment.

Solution

CyberSecOp's team of experts worked closely with the client to overcome these challenges and deliver a successful project.

Security Assessment

CyberSecOp conducted a comprehensive security assessment of the client's on-premises environment. The assessment identified a number of vulnerabilities that needed to be addressed in order to achieve compliance.

ISO 27001 Security Program

CyberSecOp developed an ISO 27001 security program for the client. The program included a risk assessment, risk treatment plan, and implementation plan.

On-premises Environment Build Out

CyberSecOp helped the client to build out a secure on-premises environment. This included implementing the necessary security controls to protect the client's data and systems, including:

  • Access controls: CyberSecOp helped the client to implement strict access controls to ensure that only authorized users had access to the environment.

  • Data protection: CyberSecOp helped the client to implement a variety of data protection measures, including encryption, access controls, and backup and recovery procedures.

  • Security monitoring: CyberSecOp helped the client to implement a security monitoring solution to detect and respond to security threats in real time.

GxP Compliance

CyberSecOp worked with the client to ensure that its ISO 27001 implementation met all of the relevant GxP requirements. This included implementing controls for data integrity, data security, and system validation.

Other Security Controls

In addition to the controls listed above, CyberSecOp also helped the client to implement a variety of other security controls, including:

  • Vulnerability management: CyberSecOp helped the client to implement a vulnerability management program to identify and patch vulnerabilities in the on-premises environment.

  • Security awareness training: CyberSecOp provided security awareness training to the client's employees.

  • Incident response: CyberSecOp developed an incident response plan to help the client respond to security incidents in a timely and effective manner.

Benefits

The project delivered a number of benefits to the client, including:

  • Improved security posture

  • Increased compliance with ISO 27001 and GxP requirements

  • Reduced risk of data breaches and other security incidents

  • Improved visibility into security threats

  • Increased confidence in the security of the on-premises environment

Conclusion

CyberSecOp successfully implemented ISO 27001 and achieved GxP compliance for a manufacturing organization in an on-premises environment. The project overcame a number of challenges and delivered a number of benefits to the client.

Recommendations

CyberSecOp recommends that other manufacturing organizations consider implementing ISO 27001 to improve their security posture and achieve compliance with GxP regulations, even if they are operating in an on-premises environment. CyberSecOp also recommends that manufacturing organizations work with a qualified security partner to ensure the success of their ISO 27001 implementation.


Helping Healthcare Organizations Protect Patient Records Case Study

Background

CyberSecOp is a cybersecurity consulting firm that specializes in helping healthcare and ambulatory care organizations protect their patient records. The firm has been in business for over 10 years and has a team of experienced security professionals who have a deep understanding of the healthcare industry and the specific security challenges that healthcare organizations face.

Challenge

The healthcare industry is a prime target for cyberattacks, with a 69% increase in cyber-attacks from 2020 to 2022. The most common security breaches include phishing, malware, ransomware, theft of patient data, insider threats and hacked IoT devices. Since patient records contain a wealth of sensitive information, including names, addresses, Social Security numbers and medical histories, threat actors are active in their efforts to commit identity theft, fraud and other crimes.

In addition to the financial and reputational damage that can be caused by a cyberattack, healthcare organizations are also subject to a number of regulatory requirements, including HIPAA, HITRUST, and HITECH. These regulations impose strict requirements on how healthcare organizations must protect patient information.

Solution

CyberSecOp works with healthcare and ambulatory care organizations to develop and implement comprehensive cybersecurity solutions that meet the organization's specific needs and requirements. The firm's solutions include:

  • Security assessments - CyberSecOp conducts security assessments to identify security vulnerabilities in an organization's IT infrastructure. These assessments can be used to identify areas where security needs to be improved as well as elevating the issue of cyber risk as an enterprise and strategic risk-management issue.

  • Penetration testing - CyberSecOp conducts penetration tests to simulate a cyberattack on an organization's IT infrastructure. These tests are used to identify security vulnerabilities that could be exploited by attackers.


  • Incident response - CyberSecOp provides incident response services to help organizations respond to cyberattacks. These services include:

    • Incident containment

    • Data breach notification

    • Public relations support

  • Security awareness training - CyberSecOp provides security awareness training to help employees understand the importance of security and how to protect patient information.

  • Security consulting - CyberSecOp provides security consulting services to help organizations develop and implement security programs. These services include:

    • Risk assessment

    • Security policy development

    • Security architecture design

    • Security implementation

Benefits

CyberSecOp's cybersecurity solutions have helped healthcare and ambulatory care organizations to improve their security posture and protect their patient records. The firm's clients have reported a number of benefits, including:

  • Reduced risk of cyberattacks.

  • Improved compliance with regulations.

  • Increased security awareness among employees.

  • Reduced costs associated with security breaches. 

Conclusion

The best defense against cybercrime begins with elevating the issue of cyber risk as an enterprise and strategic risk-management issue. CyberSecOp is a leading provider of cybersecurity consulting services to the healthcare and ambulatory care industry, available to assist your organization in uncovering strategic cyber risk and vulnerabilities along with risk mitigation strategies; incident response planning; vendor risk management and security awareness training to address the pragmatic realities that plague us every day. Our team of experienced security professionals has a deep understanding of the healthcare industry and the specific security challenges that healthcare organizations face. CyberSecOp's cybersecurity solutions have helped healthcare and ambulatory care organizations to improve their security posture and protect their patient records.

Contact Us

If you are interested in learning more about CyberSecOp's cybersecurity solutions, please contact us today. We would be happy to discuss your needs and develop a plan to help you protect your organization.

CyberSecOp

Web: www.cybersecop.com

Phone: (866) 973-2677


Secure Software Development Infrastructure Case Study

ORGANIZATION

This organization was a well-established software development company that provided financial solutions.

The client employed 460+ IT and software development professionals. Their clients included high-profile professional services and manufacturing companies, and government agencies, which typically serviced clients in multiple industries.

The board of directors and the executive team understood that, based on the business-critical nature of their solutions and their client base, a high standard of cyber security needed to be maintained to ensure digital assets were always protected.

The board of directors and the executive team wanted to ensure that all software development followed best practices. They engaged CyberSecOp to review their entire development lifecycle with the following requirements:

  • Protection of intellectual property

  • Reduce the potential for supply chain attacks

  • Identify gaps in the current development lifecycle

CHALLENGE

With ongoing cyber-attacks against the financial industry, the client was concerned that an attack could cause widespread disruption and business interruption, which could affect software update releases. They needed to deliver secure solutions without the risk of harm to their clients.

The client had identified risks to intellectual property in the development lifecycle, since 20% of their development team worked remotely using unmanaged workstations and servers.

APPROACH

CyberSecOp completed a DevOps Assessment to gain an understanding around the current DevOps approach, by looking at the following elements:

  • Process Review

  • Technology and automation

  • Measurement

  • Strategy and Flexibility

  • Secure Development Environment

  • Compromise Assessment

  • Report Gaps

  • Redesign Development Environment

PROCESS

CyberSecOp's IT development and risk management team ensured that risk to security was considered at all stages of a project lifecycle, whether for a new system or for changes to an existing system. CyberSecOp's IT development team also takes confidentiality, integrity, and availability into consideration at a minimum.

  • CyberSecOp team performed a full assessment of DevOps processes and tooling.

  • CyberSecOp utilized ISO methodology: ISO/IEC/IEEE 90003:2018 (Software engineering) and ISO 27001 Annex A.14 (System Acquisition, Development & Maintenance).

KEY FINDINGS 

  • No multi-factor authentication was in place to access the development environment.

  • Malware was found on multiple systems.

  • Development infrastructure was not air-gapped and segregated based on development, test, and production.

  • Live data was used for testing instead of sample data.

  • No centralized location for code validation.

  • No validation of publicly available code that was downloaded.

  • Code was not peer reviewed before production.

  • Code could be checked in remotely from unmanaged systems without verification.

  • Multiple cases of unauthorized remote access to software code, outside the work schedule, via a developer's workstation.

  • Multiple cases of open administrative sessions between various servers.

SOLUTIONS

  • Provided a gap report and recommendations

  • Road map and diagram of the proposed environment

  • Designed the new development infrastructure

    • Created a new, segregated VDI environment

    • Implemented security controls

    • Implemented Jenkins (master and slave nodes, now called controller and agents) with the Subversion (SVN) plugin

    • Ensured that Jenkins authenticates to SVN securely using a username and an SSL client certificate

    • Worked with the development team to configure the Jenkins Pipeline to poll Subversion and trigger builds on new revisions

    • Worked with the development team on the checkout process

    • Made the checked-out Subversion revision number available to builds as a variable

  • Technical documentation of the DevOps environment

  • Developed a secure development lifecycle policy based on the new process.
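The Jenkins and Subversion configuration described above, as an added example rather than the client's or CyberSecOp's own pipeline: a declarative Jenkinsfile that polls SVN, checks out the current revision with a credential held in the Jenkins credential store, records the revision number the Subversion plugin exports, verifies downloaded third-party code against a checked-in SHA-256 manifest (the "no validation of publicly available code" finding), and refuses to promote a build to production until a peer approves it. The agent label, repository URL, credential ID, manifest path, make targets and approver group are assumptions for illustration, not values from the case study.

```groovy
// Jenkinsfile (declarative pipeline). Added illustration; assumed names are marked below.
pipeline {
    // Build on an agent (the "slave" in the case study), never on the controller, so a
    // compromised build cannot reach the Jenkins configuration or other jobs' secrets.
    agent { label 'build-agent' }                        // assumed agent label

    triggers {
        // Poll Subversion every five minutes; a build starts only when a new revision exists.
        // 'H' spreads the poll over the hour so many jobs do not hit the repository together.
        pollSCM('H/5 * * * *')
    }

    options {
        timestamps()
        disableConcurrentBuilds()
        timeout(time: 30, unit: 'MINUTES')
    }

    environment {
        SVN_TRUNK = 'https://svn.example.internal/repos/app/trunk'   // assumed repository URL
    }

    stages {
        stage('Checkout') {
            steps {
                // credentialsId names a Jenkins credential (a user name plus SSL client
                // certificate in the case study). The secret lives in the Jenkins credential
                // store, never in this file or in the repository.
                checkout([
                    $class: 'SubversionSCM',
                    locations: [[
                        remote:                env.SVN_TRUNK,
                        credentialsId:         'svn-build-cert',   // assumed credential ID
                        local:                 '.',
                        depthOption:           'infinity',
                        ignoreExternalsOption: true   // do not pull in externals nobody reviewed
                    ]],
                    workspaceUpdater: [$class: 'UpdateWithCleanUpdater'],  // drop local edits
                    quietOperation: true
                ])
                // The Subversion plugin exports SVN_URL and SVN_REVISION for the build;
                // logging them ties every artifact back to exactly what was built.
                echo "Building ${env.SVN_URL} at revision ${env.SVN_REVISION}"
            }
        }

        stage('Verify third-party code') {
            steps {
                // Every downloaded archive must match the SHA-256 pinned in a manifest that
                // is itself under version control and peer review. A mismatch, a missing
                // file or a malformed manifest line fails the build (--strict).
                sh '''
                    set -eu
                    cd third_party                       # assumed location of the manifest
                    sha256sum --check --strict DEPENDENCIES.sha256
                '''
            }
        }

        stage('Build and test') {
            steps {
                sh 'make clean all test'                 // assumed build entry point
                archiveArtifacts artifacts: 'dist/**', fingerprint: true
            }
        }

        stage('Peer review gate') {
            steps {
                // Promotion waits for an explicit approval from a named group; the approver's
                // identity and the revision are recorded in the build log.
                timeout(time: 2, unit: 'DAYS') {
                    input message: "Approve revision ${env.SVN_REVISION} for production?",
                          submitter: 'release-approvers'   // assumed Jenkins group
                }
            }
        }

        stage('Deploy') {
            steps {
                sh 'make deploy'                         // assumed deployment target
            }
        }
    }

    post {
        failure {
            echo "Revision ${env.SVN_REVISION} failed; nothing was promoted."
        }
    }
}
```

The client-certificate credential is created under Manage Jenkins, Credentials, as a Certificate credential and referenced only by its ID, so the Jenkinsfile can be checked into the same repository it builds without exposing a secret. Polling bounds the delay between commit and build to the poll interval; where lower latency is wanted, a Subversion post-commit hook can call the plugin's notifyCommit endpoint (`$JENKINS_URL/subversion/<repository UUID>/notifyCommit?rev=$REV`) instead.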



SOC-as-a-platform (SOCaaP) & MDR Service Case Study


Cyber Security Operations Consulting (CyberSecOp) is an award-winning independent information security and compliance services provider.

CyberSecOp works with global customers across industries ranging from financial services, health care and higher education to aerospace, defense and government contractors. CyberSecOp was founded by leading experts in cybersecurity and managed information technology (IT) services. The firm takes a holistic approach to devising innovative strategies and solutions, believing integrated security frameworks provide stronger and more cohesive protection, and that all businesses need enterprise-grade information security programs.

CyberSecOp offers managed security services, including staffing, consulting, security operations support and incident response, as well as breach management and board level strategic leadership consulting through its virtual chief information security officer (vCISO) program. The company’s vision is to empower its customers to focus on their core business competencies by providing best-of-breed IT and secure business process outsourcing.

CHALLENGE

Strategic partnerships with leading manufacturers and vendors in the cybersecurity and IT infrastructure space are what enable CyberSecOp to accomplish its core mission.

“We focus on the customer experience, delivering what our customers want, when they want it,” says Jeffrey Walker, Chief Information Security Officer of CyberSecOp. “That is our commitment and we take it seriously.”

In the face of growing demand from customers, CyberSecOp needed to expand its security operations. They sought new security operations center (SOC) support in order to expand their managed detection and response (MDR) offering to help customers meet compliance requirements, protect their endpoints and networks and fully resolve incidents at speed. CyberSecOp was looking for a cost-effective, fully-managed solution that would support the rapid growth of its services portfolio. This would replace an offering from a major national enterprise provider.

THE SOLUTION

CyberSecOp partnered with Comodo to take advantage of its unique next-generation SOC-as-a-platform (SOCaaP) offering.

The platform is fully integrated with Comodo’s patented auto-containment technology, enabling customers to enjoy benefits from the world’s only active breach protection solution which renders ransomware, malware and other types of cyberattacks useless.

It also provides all the SOC capabilities an expanding managed security service provider (MSSP) needs, such as integrating the people, processes and technology essential for threat detection, analysis and active incident response in real time 24 hours a day, seven days a week.

Comodo has the only truly comprehensive SOCaaP offering that’s currently available. Relying on this platform-based approach will save MSSP partners time and money, with zero initial capital outlay. It would also give CyberSecOp a competitive advantage in its market.

“Occasionally, we have a partnership that our firm can’t survive without,” says Walker. “We are confident that this is the relationship that we’re building with Comodo.”

CyberSecOp will also benefit from Comodo’s strong focus on partner relationships.
“Our partners and the channel are in our DNA. Comodo is a partner-centric company and our goal is to make sure our MSSP partners and their clients are secure and happy,” says Alan Knepfer, President and Chief Revenue Officer at Comodo. “Our partners expect the best from us, and this allows us both to take our high standards to the next level.”

RESULTS

  • Response times have been reduced.

  • Attacker dwell times have shrunk from minutes to mere seconds.

  • Time to resolution is quicker.

  • Zero false positives while running in customer environments.

CONCLUSION

CyberSecOp chose Comodo because the company offers services and solutions that simply aren’t available anywhere else. With Comodo’s new SOCaaP up and running in customer environments, CyberSecOp is able to respond to incidents more quickly and achieve full resolution in a fraction of the time, greatly reducing attackers’ possible dwell times and customers’ risk of a breach.

What’s more, their team is seeing zero false-positive alerts, saving time and labor, which allows them to stay focused on the highest value activities. It’s a truly innovative solution that will keep CyberSecOp and its customers secure and satisfied for the long term.


Cyber Security Threat Hunting Case Study - gain visibility on hackers


The Client was a Financial Services Institution (FSI) with 2,031 networked Windows systems: 216 in a central office and another 1,815 in satellite offices.

EXECUTIVE SUMMARY 

1) The Engagement with the Client: Threat Hunting at an FSI that suspected a breach

2) The Tools and Services: How we assisted the Client with our toolset and services

3) The Client Outcome: The benefits the Client reaped, including continued services

 This report does not discuss the essentials of cybersecurity awareness training, though we do cover the value of using training to mitigate vishing threats in a separate whitepaper.

THE CLIENT

The Client’s IT/IS team informed CyberSecOp of the system requirements and the shape of the network so that our threat hunting solution could be installed in the client’s environment without issue.

THE ENGAGEMENT

The Client employed CyberSecOp to deliver managed security services in the form of a Compromise Assessment on the critical infrastructure of the bank following suspicion that there may be threat actors on the network.

THE PARTNER (CyberSecOp)

CyberSecOp is a fast-growing MSSP that has hunted threats for some of the biggest financial institutions in the region.

 

THE PROCESS

CyberSecOp configured the evidence collection system and scanned the network without causing any downtime to the customer’s servers or services. The full assessment took approximately 10 days, with multiple scanning rounds completed within that time so the client could begin remediating the first layer of findings early. The Compromise Assessment identified a breach of the client’s network and, based on the evidence recovered, dated it to three to four months earlier. Upon discovering the breach, CyberSecOp initiated a containment phase, isolating the malicious content, and then coordinated with the FSI’s IT team to investigate and determine what other remedial actions were needed. CyberSecOp then advised on how to communicate the results of the discovery to the Client’s users and conducted a breach post-mortem in which the report and findings were reviewed with management at the FSI.

Steps in CyberSecOp’s Compromise Assessment included

REMEDIATION

CyberSecOp performed the following services as a part of the breach remediation:

-       Forensics and threat hunting, detailed reporting, and data gathering/tagging

-       Deploying CyberSecOp’s Managed Detection and Response (MDR) service so that any future breach is discovered far sooner than this one was.

-       Performing vulnerability scanning and penetration testing to identify and remediate vulnerabilities.

-       A complete analysis of the malicious software the threat actor left on the Client’s server, including insights into what would have happened had the software been activated.

-       Working with the client’s technical team to purge the systems and ensure that there were no remaining backdoors through which the threat actor could return.

OUTCOME

-       The threat actor’s access and malicious software were removed from the affected devices, and the vulnerabilities were remediated.

-       The Client now has an active contract with CyberSecOp for Managed Detection and Response and quarterly compromise assessments.

-       The Client’s servers and all endpoints continue to be scanned periodically to validate that the remediation is complete and that no further threat actors have breached the network.

IN CONCLUSION

Threat hunting and backups are critical: keeping a copy of your data in reserve is one of the best ways to reduce financial risk. If an attacker supplies a decryption tool, have a security team analyze it before it is used, to ensure it introduces no further threat.

It is also critical that your organization takes steps to secure all systems, through implementation of a Managed SOC, MDR services, and Employee Security Awareness Training.


Security Architecture for Financial Services – A CyberSecOp Case Study


The Financial Services Sector encompasses a wide variety of commercial concerns, from traditional depository banking operations, to exotic investment funds and cryptocurrency exchanges.  Yet, for all of their diversity of purpose each of these concerns will pursue a common goal of maximizing returns on their information security architecture - an increasingly important institutional discipline in today’s environment of proliferating threat actor assaults. 

The purpose of this analysis is to provide a step-by-step roadmap exploring some of our sample engagements, client requirements, and solutions provided. 

Engagement

Client requested that CyberSecOp assist with an information security breach response, and provide a subsequent analysis of its information security architecture along with present risks and vulnerabilities together with a comprehensive remediation roadmap.

Procedures

CyberSecOp was engaged to perform the following procedures as an outgrowth of the incident response:

·         Breach response risk mitigation – Diagnose source and method of breach, immediately cure the vulnerability and ascertain the status of data loss (if any)

·         Post-Mortem – Provide the client with a formal report addressing our findings

·         Information Security Architecture Risk Assessment – Perform a comprehensive risk assessment of the client’s information security architecture in accordance with industry best practices and standards, providing a formal written report for the client’s review

·         Information Security Program – Formulate a security program complete with monthly reporting to ensure the ongoing integrity of the client’s information security environment

·         Implement 24 hour, 7 day per week Managed Detection and Response, covering all client networked resources through CyberSecOp’s Security Operations Center; integrate client’s information security reporting tools to CyberSecOp’s SIEM service via the Security Operations Center; recommend and implement a centrally monitored Advanced Endpoint Protection solution.

·         Design and implement a cybersecurity dashboard solution, using the client’s preferred cloud-based information security reporting software.

 

Solutions

Breach Response and Risk Mitigation

CyberSecOp maintains a dedicated team of information security breach response professionals (‘Blue Team’) that stand ready and able to assist clients at a moment’s notice.  CyberSecOp’s Blue Team professionals are some of the most skilled and best informed in the industry.  Our Blue Team professionals will also provide formal documentation detailing the particulars of breach causality, as well as make recommendations to mitigate future information security risks.

Risk Assessment and Security Program Services

CyberSecOp’s risk management professionals will provide the client with formal, written documentation discussing the state of the client’s information security architecture and detailing any vulnerabilities revealed in the data gathering, testing and discovery process.  Our risk management professionals will then devise a comprehensive information security program designed to ensure that the client’s information security environment maintains integrity and that all covered systems and endpoints are updated with the most recent industry leading security features.

The CSO Security Operations Center (‘SOC’)

CSO’s Security Operations Center service can be integrated with a customer’s own Security Operations Center, should a shared, collaborative architecture be preferred. Partner Security Operations Centers may focus on areas within the customer’s own security domain or, where the customer’s business boundaries extend through collaboration with third-party organizations operating to different technology standards, monitor devices in those domains, including ‘Internet of Things’ devices.

CSO’s Cyber Security Dashboard Service

CyberSecOp’s Security Portal and Dashboard service provides reports and visibility on the implemented security services, including pre-defined views covering:

  • Security news, campaigns and threat information from external Threat Intelligence sources

  • Security incidents in the form of generated ‘trouble ticket’ information from analyzed security incidents

  • Security warnings, incident and alert information automatically generated by Security Incident and Event Management systems

CSO’s Security Incident and Event Management (‘SIEM’) and Managed Detection and Response (‘MDR’) Service

CSO’s SIEM Services comprise ‘always-on’ basic security analytics based on static, predefined correlation rules and are included with CyberSecOp’s Security Operation Center service.  Clients can leverage CyberSecOp’s SIEM data collectors to provide a more robust picture of threat actor behavioral analytics, as described below.

Behavioral Analytics

CSO’s SIEM Behavioral Analytics monitors user and threat actor behavior to identify anomalies. During an initial learning period the service baselines each end user’s normal activity, so that it can then flag anomalies such as a compromised account, an infected host, account misuse or lateral movement.

Advanced Endpoint Protection (‘AEP’)

CyberSecOp provides a comprehensive suite of AEP solutions through our Security Operations Center.  Advanced Endpoint Protection involves deploying sophisticated data protection software on all firm endpoints, including desktops, laptops, mobile devices and ‘Internet of Things’ devices.  AEP software ensures threat actors are not able to access the client environment through one or more exploitable connected devices.

 The CyberSecOp Advantage

Today’s information security environment is becoming ever more complex by the day. Concerned commercial businesses are increasingly finding themselves subject to seemingly random attacks from threat actors, who in reality select their targets carefully after extended observation and deploy tools to hold the target completely inoperable pending response to their demands. While following the steps set forth above can help inoculate the firm against such attacks and ensure that the client’s operating environment remains undisturbed, providing a competitive advantage in today’s marketplace is vital.  Here at CyberSecOp, our professionals can assist in implementing the recommended framework, providing our clients white-glove service with all of their information security needs.

 


Education Case Studies & Forensics Analysis - Security Program Development


CyberSecOp engaged with multiple educational institutions to implement a security program. Our team began by conducting a comprehensive assessment of the schools to review existing physical security technologies, security personnel, emergency plans, and the associated policies, procedures, and processes.

A thorough walk of the campus then led to interviews of administration, faculty, staff, and parents.  These interviews helped us understand security concerns on the campus as well as the overall perception of security.  Emergency management and large event planning and processes were reviewed.  Interviews with local first responders gave us an inside look into their capabilities for assisting the school in an emergency situation.

RECOMMENDATIONS INCLUDED:

  • Implementing a comprehensive security program covering physical security technologies, security personnel, emergency plans, and the associated policies, procedures, and processes.

  • Reducing the number of entry points and using cameras to improve visibility of the perimeter.

  • Implementing a visitor management program that would require all non-affiliates of the school to register at a central point.

  • Upgrading the technology associated with the school’s public-address system to improve the likelihood that emergency announcements would be heard at all points on campus.

  • Reviewing and modifying the emergency management manual to allow for a Run-Hide-Fight plan in association with an active shooter event.

  • Developing a Security Technology Master Plan and standardizing technology across the campus.


Insurance Cyber Security Case Studies & Forensics Analysis


The following Case Study & Forensics Analysis is for a global insurance company.

  • Client: Major International Insurance Firm

  • Incident: At 11:00 pm the corporate network went down.

    • Users could not log onto the network via SSO and Active Directory

    • The entire corporate central authentication system was not working

    • Without a way to authenticate, email services were inaccessible

  • Additional information shared:

    • The client is a large insurance firm with a prominent public profile.

    • The breach was initially suspected to be a targeted attack.

    • Multiple media sources had written accounts of a specific group’s sophisticated hacking capabilities.

  • Actions taken during the Forensics Analysis:

    • An Incident Response and Forensics Analysis Team was deployed to the client site within 4 hours.

    • All available evidence was imaged and backed up.

    • Logs were gathered from internal and external web servers, firewalls, routers, IDS/IPS, and Windows event logs.

    • Evidence files obtained from server hard drives were analyzed.

    • All collected logs were correlated and analyzed.

    • Services and processes on the affected computers were analyzed.

    • Windows Server, Router and firewall configurations were analyzed.

    • Every step of the investigation was documented in detail.

  • Results:

    • The CyberSecOp team discovered a sophisticated botnet with command-and-control software installed.

    • The botnet had changed the security policies on the servers, preventing authorized users from logging in.

    • The botnet was a brand-new form of malware; no public information about it became available until 12 days later.

    • The CyberSecOp team determined the root cause to be a misconfiguration of the firewall.

    • The CyberSecOp team provided an analysis report and recommendations for root cause remediation.

    • The CyberSecOp team assisted the client with the root cause remediation process and restored network and email operation.

    • Based on the evaluation, the CyberSecOp team concluded that this incident was not the result of a targeted attack.


Financial Services Case Studies & Forensics Analysis


The IT organization of Bank (original name withheld) was facing a great deal of challenges with day-to-day IT service delivery. While critical activities, such as end-of-day, backup and restore functions, and scheduled server reboot for certain critical servers were documented on paper for regulatory compliance reasons, most processes were at best documented in individual employees’ heads.

There was poor change control; something broke every other day and it was perfectly acceptable to have unplanned downtime of banking services for a few hours every month. Often, the unplanned downtime was due to, for example, failed system upgrades or security configuration modifications by the security administrators without proper impact assessments. Fortunately, the enterprise’s internal control department had some oversight over the critical banking infrastructure; otherwise, banking operations could have suffered a total systemic failure.

In the marketplace, relatively smaller banks were recording better performance and were perceived as more reputable than Bank. Within the bank, the business executives did not trust IT’s ability to effectively and efficiently support business objectives, and IT was obviously overwhelmed with the challenges.

A turning point came when the chief executive officer (CEO) was stranded in the US on a business trip. His debit card did not work for the entire three days that he was away nor did those of the other senior executive who had accompanied him. Unfortunately, it was the policy of the bank that middle to senior management staff were not permitted to hold bank accounts with other financial institutions; thus, they were stranded with little means to help themselves.

On return, the CEO initiated a process that resulted in the hiring of a chief information officer (CIO)—a very experienced CIO. His objectives were very clear:

  • Stabilize the IT organization to effectively and efficiently support the business objectives.

  • Minimize business disruptions caused by unplanned IT operations.

  • Justify any (every) further investment in IT.

The CIO commenced meetings with new and existing consultants of the organization, the outcome of which culminated in the selection of COBIT 4.1 as the most rounded approach to achieving the desired outcomes. Additionally, the project was bundled with a security assessment exercise.

The CEO was clear on the results he desired and why he hired a CIO so he was taken by surprise when, after committing to giving whatever was required as a sign of support, the first thing the CIO asked for was his active participation in the transformational changes in the IT organization. The lesson was: Active and sustained senior management commitment is very important for the successful implementation of the desired organizational changes.

THE ASSESSMENT

The project kicked off with interview sessions to clearly document senior business management’s view and expectations of IT, followed by similar sessions with the CIO and IT management, to capture IT goals and a view of the IT organization. These were documented using the COBIT 4.1 Implementation Tool Kit.

Following the determination of business and IT goals, the core of the gap assessment exercise commenced. The focus was on the 34 processes, not on the 210 controls. Several interviews and process review sessions then followed from Plan and Organize (PO) all the way to Monitor and Evaluate (ME), although not necessarily in order as sessions were based on available resources.

PROCESS SPOTLIGHT: ASSESS AND MANAGE IT RISKS

A good example was the risk management process (PO9), which was assessed as nonexistent, even though an operational risk (Ops Risk) department was in place with well-developed financial risk management practices around credit, loans, etc. The issues found included:

  • No risk assessment framework in place

  • No definition of impact ratings nor probability ratings

  • No risk rankings

  • No periodic risk assessment exercises as part of the organizational culture. IT managers generally used high, medium and low informally in approval memos.

In line with the COBIT guidelines, the first line of action to address these issues was to review the available options for risk management frameworks (for ease of standardization). The NIST Risk Management Framework was identified and readily adopted.

The organization focused on the primary goals of confidentiality, integrity and availability as well as one important secondary goal: reliability.

Within four weeks, the organization had concluded a comprehensive risk assessment exercise, had a clear view into the organization’s information risk posture and had easily adopted the parameters used by the Ops Risk department. Risk management started influencing change management and information security controls implementation (two high-risk areas identified during the risk assessment exercise).

The assessment resulted in implementation of some quick-win initiatives, starting with instituting and enforcing a formalized change management process (COBIT 4.1 AI6) to move from maturity level 3 to maturity level 4.

Measurements and metrics were set and business units were mandated to be formally involved in the change management process.

The business units immediately felt some benefits. The resulting change accountability and communication made the business even more interested in other COBIT initiatives. And, the business unit heads felt a great deal of ownership, as the changes were occurring only with their consent.

By the time the exercise was concluded, the enterprise had good insight into its maturity for all 34 COBIT processes plotted against short- and long-term goals.

 

OBSERVATIONS AND RECOMMENDATIONS

It was a little challenging to get the non-core IT areas (e.g., procurement, financial control [responsible for budget], human resources [HR]) to understand the importance of their functions to the success of the IT organization. Under PO7 (Manage IT human resources), HR, as a case in point, did not consider IT resource career paths and training requirements important enough; hence, IT training was often cancelled for cost savings or resource demands. This disconnect initially extended to the COBIT implementation exercise, and it required some escalation to the CIO to get HR to cooperate with the assessment exercise.

PRIORITIZING AND PLANS OF ACTION

Once the assessment exercise was concluded, the enterprise set out to commence remediation initiatives. Activities were prioritized according to three categories:

  • Quick wins—Achievable within one month and with minimal/no budgetary implications

  • Key business goal initiatives—Initiatives aligned with the achievement of business goals.

  • Other gap items—All other gap items that could be delayed until completion of those items in categories 1 and 2.

MONITORING AND MEASURING

Responsible, Accountable, Consulted and Informed (RACI) charts were developed for all 34 processes, and the CIO was not willing to accept excuses for noncompliance to newly developed practices. Metrics and measurements were evolving and these were aligned with performance metrics and appraisal systems for the entire IT organization.

Initiatives such as updating scorecards to reflect performance metrics and IT organizational key performance indicators (KPIs), as well as rewards and sanctions, were key to getting operational staff to accept the cultural changes that came with the remediation activities.

Within 18 months, the results were clearly visible; as such, it was not difficult for the Bank to achieve ISO 27001 certification shortly thereafter (though as a separate initiative).


Healthcare Case Studies & Forensics Analysis


The IT organization of the healthcare provider (original name withheld) was facing a great deal of challenges with day-to-day IT service delivery. While critical activities, such as end-of-day, backup and restore functions, and scheduled server reboots for certain critical servers were documented on paper for regulatory compliance reasons, most processes were at best documented in individual employees’ heads.

There was poor change control; something broke every other day and it was perfectly acceptable to have unplanned downtime of healthcare services for a few hours every month. Often, the unplanned downtime was due to, for example, failed system upgrades or security configuration modifications by the security administrators without proper impact assessments. Fortunately, the enterprise’s internal control department had some oversight over the critical clinical infrastructure; otherwise, medical operations could have suffered a total systemic failure.

The medical center (name withheld) agreed to pay a $218,400 settlement to federal authorities for what the government called “potential violations” of the HIPAA data privacy, security and breach notification rules, including in a relatively rare enforcement area: Internet-based file-sharing services.

The Office for Civil Rights at HHS, which has federal HIPAA privacy and security rule enforcement authority, first received a complaint in November 2012 that members of the organization’s workforce used an Internet-based document-sharing application “to store documents containing electronic protected health information (ePHI) of at least 498 individuals without having analyzed the risks associated with such a practice.”

In a separate incident, in August 2014, the hospital reported to HHS that a former workforce member had stored patient-identifiable health records of 595 individuals on a stolen personal laptop and USB flash drive.

According to a recent report on employee Internet usage by the Campbell, Calif.-based security firm Skyhigh Networks, employees at an average healthcare organization use a total of 928 cloud services, many without the knowledge of their IT departments. File-sharing services were among the top five uses of cloud services by healthcare workers in the report.

“Organizations must pay particular attention to HIPAA’s requirements when using Internet-based document-sharing applications,” said Office for Civil Rights Director Jocelyn Samuels. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

In addition to the payment, the settlement includes a corrective action plan “to cure gaps in the organization’s HIPAA compliance program raised by both the complaint and the breach.” The organization has also reported to the civil rights office a breach of 6,831 patients’ identifiable records lost on paper or film, according to the “wall of shame” list kept by the office for breaches involving 500 or more individuals.

In April, 2012, a five-physician medical practice, Phoenix Cardiac Surgery, agreed to a $100,000 settlement for failing to have HIPAA-required business associate agreements with providers of their Internet-based calendar and e-mail service.

“Between these two cases, what it stands for is OCR’s expectation you’re going to have to have a business associate agreement with any cloud-based (service) providers. And you need a risk analysis.”

“So, there appears to be a whistle-blower. It shows the importance of having a process for hearing concerns from your employees about addressing HIPAA, or they might go to the government instead.”

Since September 2009, when the civil rights office started keeping a public list of breaches involving 500 or more individuals, 1,265 breaches have been reported exposing the records of nearly 135 million people, equal to the populations of California, Florida, Illinois, New Jersey, New York, Pennsylvania and Texas combined.


Ransomware Case Studies & Forensics Analysis

A particularly insidious type of malware is ransomware, which is secretly installed on your Windows systems and locks the system down. That lockdown is inevitably accompanied by a message demanding payment if the system’s owner ever wants to access the files again. Unless you are very lucky (or the hacker is spectacularly incompetent), everything important on your hard drive will be effectively lost to you unless you pay up.

Although earlier versions of ransomware sometimes had flawed encryption, recent iterations are better designed. Paying the ransom is no guarantee that things will work out either, as a hospital in Massachusetts discovered when hackers demanded a second ransom after locking down its files.

THE CASE

The victim: a hospital with 680 networked Windows systems, 380 in a central office and another 300 in satellite offices. On arrival, the incident response team identified that the client had no protection in place. The network administrators had no visibility into what was going on in the network, no security tooling, no forensic tooling, and no IPS/IDS system at the perimeter.

WE THEN

All of the organization’s endpoint systems ran Windows 7 or Windows 10. Employees used email through Office 365 and MS Outlook. The CyberSecOp team identified that the infection started with a phishing email.

THE MALWARE

The ransomware was identified as RYUK, specifically a newer variant that resisted removal attempts by utility programs such as SpyHunter. The client had also checked the registry settings as described by Malwarebytes, hoping to isolate the exact nature of the threat, but had no luck. RYUK has a nasty habit of deleting key files in its wake in order to confound attempts to stop it.

The company decided to restart the software and see how things went. While the server was down, though, the firm had to write new orders down on little slips of paper. It was chaos.

Each infected folder contained three files, including the “# Decrypt Read Me” .txt ransom note. The ransomware encrypted every file matching its target extension list, giving each one a random filename with the .RYUK extension.

The malware infected all PCs at the central office and all systems at the satellite offices. The damage to the infected PCs was manageable, since they could be reimaged. The 26 servers hosting health information and databases were the real problem: the client discovered that backups had been failing, and the log files (.log), configuration files and group policy files had all been encrypted.

THE DEMAND

The “# Decrypt Read Me” file contained a message asking for 150 Bitcoins (about $1,734,000) to recover the organization’s systems, including details on how to pay. The firm’s managing director decided that they had no avenue other than paying the ransom.

CyberSecOp first tried to recover files from the physical servers but had no luck, because most of the files were corrupted. The team proceeded with forensics and ransomware negotiation, and was able to get the threat actor down to 3.9793 bitcoin.

RANSOMWARE PAYMENT

  • All communication with the client is covered by attorney-client privilege

  • Before negotiating, we request proof of life (a demonstration that the attacker can actually decrypt files)

  • We understand that ransomware negotiation is a big deal for your business

  • We negotiate and collaborate with the client as in any other business deal

  • We quickly try to understand the ransomware attacker, then start the ransom negotiation

  • Our ransomware negotiation experts understand the classic rules of hostage negotiation

REMEDIATION

  • Forensic data gathering

  • Deploy CyberSecOp MDR

  • Pay the threat actor 3.9793 bitcoin

  • Receive the decryption tool from the threat actor

  • Complete malware analysis of the decryption tool

  • Work with the client’s technical team to decrypt the systems

PROTECTING YOURSELF

  • Large companies often have disaster plans in place that cover ransomware infections. But what should individuals or small businesses do when confronted with this issue? Crossing your fingers is probably not the best option.

  • Frequent offsite backups are the obvious first step, although automation comes with a downside: if your files are maliciously encrypted, the encrypted files might get backed up as well. If you take this route, make sure the backup vendor offers a 30-day recovery period or versioning, so you can get your backed-up files back intact.

  • For individuals, even something as simple as copying files to an external memory stick or drive is better than nothing. If you take this route, keep the USB storage unplugged from your machines when you are not copying to it.

  • As email attachments are a prime source of infections, an email scanner is probably the best way to eliminate that particular attack vector.

  • Security awareness training, so employees can recognise and stop phishing email
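As an added example (not part of CyberSecOp’s case study or toolset), the script below scans a directory tree for the two indicators described in THE MALWARE above, files renamed with the .RYUK extension and the “# Decrypt Read Me” note, and applies the backup rule from the list above: a snapshot that contains those indicators is marked as suspect so that older versions are kept rather than pruned. The tree it scans is constructed inline; the 5% threshold and the folder and file names are assumptions.

```python
import os
import tempfile
from dataclasses import dataclass, field

RANSOM_EXT = ".ryuk"        # extension the case above reports on encrypted files
NOTE_PREFIX = "# decrypt"   # start of the "# Decrypt Read Me" note name

@dataclass
class ScanResult:
    encrypted: list = field(default_factory=list)   # paths with the .RYUK extension
    notes: list = field(default_factory=list)       # ransom note paths
    total_files: int = 0

def scan_tree(root):
    """Walk `root` and record files that carry the ransomware extension
    or look like its ransom note; everything else just counts as a file."""
    res = ScanResult()
    for dirpath, _, files in os.walk(root):
        for name in files:
            res.total_files += 1
            lower = name.lower()
            if lower.endswith(RANSOM_EXT):
                res.encrypted.append(os.path.join(dirpath, name))
            elif lower.startswith(NOTE_PREFIX):
                res.notes.append(os.path.join(dirpath, name))
    return res

def snapshot_is_suspect(res, max_ratio=0.05):
    """Backup guard: a snapshot is not a clean restore point when more than
    `max_ratio` of its files are encrypted or any ransom note is present,
    so older versions must be kept. 5% is an assumed threshold."""
    if res.total_files == 0:
        return False
    return len(res.encrypted) / res.total_files > max_ratio or bool(res.notes)

def build_sample_tree():
    """Constructed sample tree (not real data): one hit folder, one clean folder."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "finance"))
    os.makedirs(os.path.join(root, "hr"))
    for name in ("budget.xlsx.RYUK", "notes.docx.RYUK", "# Decrypt Read Me.txt"):
        open(os.path.join(root, "finance", name), "w").close()
    open(os.path.join(root, "hr", "handbook.pdf"), "w").close()
    return root

if __name__ == "__main__":
    r = scan_tree(build_sample_tree())
    print(len(r.encrypted), "encrypted,", len(r.notes), "note(s), suspect:", snapshot_is_suspect(r))
```

Run it against a mounted backup snapshot before expiring older versions; a suspect result is the cue to keep the previous versions and start incident response rather than let the encrypted copies overwrite good ones.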

CONCLUSION

Backups are critical: had the client maintained their backups, they would have been able to recover without paying the demand, and our experts could have reduced the financial risk further. Let professionals handle the case: the client could easily have lost all their data while trying to remove the ransomware without understanding how it works. It is highly recommended to use a security team that can analyze the decryption tool to ensure no logic bomb is being dropped alongside it.

It is also critical that your organization takes steps to secure every system, including implementing a Managed SOC, MDR services, and employee security awareness training.


Retail Compliance Services Case Studies & Incident Response

Retail Security Compliance & Incident Response

CyberSecOp works with some of the top retailers around the world. Our aim is to help our customers reduce risk, save time, and save money. One of our most recent success stories comes from our work with a big-box US department store chain faced with compliance requirements for CCPA and PCI DSS, with the New York SHIELD Act, then pending approval, also in scope.

Their footprint consisted of hundreds of retail stores and several corporate offices. Their IT organization was significantly understaffed given the large geographic presence, which created inefficient processes and a greater risk profile for potential threats. On top of this, they had purchased security hardware and software that wasn’t being utilized, which reduced the credibility of the IT team and their ability to push for additional network and security enhancements that would better position the business for future growth.

During our discovery phase, the CyberSecOp team uncovered multiple suspicious events, missing system logs, infected systems, systems without antivirus, external remote access without multifactor authentication, and evidence of 19 compromised systems communicating with malicious IP addresses and domains.

The project quickly turned into an incident response engagement, and the CyberSecOp risk management team put a quick playbook together for the operation.

To handle the intricacies of the incident response, the CyberSecOp risk management team brought in individuals from accounting, forensics and risk management, plus CISO-level resources, to provide guidance, fraud detection, human behavior analysis, and interview/interrogation skills.

RECOMMENDATIONS INCLUDED:

  • Implement CyberSecOp SIEM and Managed Detection and Response Toolset

  • CyberSecOp provides 24/7 monitoring, threat hunting and incident response services

  • Create and implement an incident response plan and playbook

  • Assess and Implement a comprehensive security program covering physical security, security personnel, emergency plans, and the associated policies, procedures, and processes in compliance with PCI/CCPA.
