The Aetna Entitlements, Identity, & Risk System (AEIRS)
Executive Sponsor: Kurt Lieber, Vice President, CISO, Global Security Aetna Core, Aetna
Team Members: Jon Backus (Product Manager), Candice Chang, Jason Cruces, Shazia Khan, Jeffrey Graff, Jeffrey Harris, Nathan Harris, Cheryl McCarthy, Angelique Nix, and Barbara Troutman
Location: Phoenix, AZ
The team at Aetna is using leading-edge technology that uses machine learning to provide early detection of anomalies in user behavior. The Aetna Entitlements, Identity, & Risk System (AEIRS) is a User and Entitlement Behavior Analytics (UEBA) program that evaluates millions of event records looking for anomalous or unusual behavior and alerts when it is detected. The analytics engine, AEIRS, determines and tracks normalized behavior for every Aetna user and then uses it to look for abnormal breaks from pattern, as well as rules-based criteria, through behavior models. It also calculates a risk score for each individual user who has access to an Aetna system. The risk scores change based on anomalous or unusual behavior detected by a model. The models and risk scores can then be used to trigger control changes in real time.
PCI Submission Relief
Executive Sponsor: John Kirkwood, CISO, Albertsons Companies
Team Members: Frank Steele (Senior Manager Governance & Compliance), Charles Yap (Director InfoSec), Kent Lourenzo (Director InfoSec), Ezekiel Constantino (Risk and Compliance Manager), Jenny Kwok (IAM Manager), John Vaux (Security Architectural Engineer), Gary Zempich (P2PE Analyst), Philip Saint (InfoSec Engineer), Jose Abrain (Compliance Analyst), and Catherine Buerano (InfoSec Risk and Compliance Analyst)
Location: Phoenix, AZ
PCI, as a “point-in-time” assessment process, can be extremely disruptive and costly to the business while not guaranteeing compliance. To tackle this issue, the Albertsons Companies team created the PCI Submission Relief program. As a result, while Albertsons must remain PCI compliant, they are no longer required to submit an annual Report on Compliance (ROC) for PCI. Rather than the “point-in-time” annual PCI assessment, Albertsons maintains a continuous compliance control program which ensures that PCI compliance can be continually demonstrated.
Kaiser Permanente’s Vendor Risk Management Program
Executive Sponsor: George DeCesare, Chief Technology Risk Officer & Senior Vice President, Kaiser Permanente
Team Members: Michelle Nix (Vice President), Chetana Sankhye (Director), Thanh-Thien Nguyen (Manager), Soula Moua (Manager), George Macaulay (Sr. Engagement Mgr), Mark Franklin (Sr. Engagement Mgr), Anu Deshpande (Sr. Engagement Mgr), Jim Bleasdell (Sr. Engagement Mgr), Peter VanDeMortel (Sr. Engagement Mgr), Nga Dang (Sr. Engagement Mgr), Derrick Oden (Sr. Engagement Mgr), Nathan Louie (Sr. Engagement Mgr), Brin Henderson (Engagement Mgr), Jose Karlo Pajota (Engagement Mgr), Sirak Medhane (Sr. Engagement Mgr), Anumeet Budwal (Sr. Engagement Mgr) and David Peterson (Executive Director)
Location: Oakland, CA
Kaiser Permanente’s Vendor Risk Management Program (VRM) established the capabilities necessary to effectively manage and prevent vendor control risks across the enterprise through a series of key elements. First was the creation of an inventory of vendors for privacy and security risks, to understand vendor service locations, data types, data access, etc., through inherent risk assessments for thousands of existing vendor engagements. Next was the completion of controls assessments for high-risk new and existing vendors, and management of risk remediation and acceptance arising from those controls assessments. Finally, the team implemented automation, reporting, and process improvements to scale the effort enterprise-wide.
Global Monthly Patching
Executive Sponsor: Ian White, Vice President, Cloud, Hosting & Network Operations, Pearson
Team Members: Grant Strom (Senior Manager Hosting Operations), Steven Telfer (Global Patching Program Manager), Joseph Hobson (Business Analyst), Scott Ficek (Onboarding Project Manager), John Purvinis (Senior Systems Engineer), Sanjeewa Wijesinghe (Senior Systems Engineer), Cathy Pitt (Vice President Information Security), Dennis Stetzel (Vice President Engineering & Delivery), Ryan Munson (Vice President Service Operations), and Lahiru Perera (Senior Manager Hosting Operations)
Location: Centennial, CO
The team at Pearson implemented this project to build a single global monthly patching process across their global infrastructure. The process is designed to radically reduce security vulnerabilities across the company and improve security for their learner data. As their disparate technology teams joined together in late 2015, it was very clear they needed to create a single global process to ease the overhead on the teams doing the patching work, while minimizing any potential customer impact and securing their estate.
SIE CloudPassage Halo Project
Executive Sponsor: Jason Harkins, Chief Security Officer, Sony Interactive Entertainment
Team Members: Derrell Jenkins (Senior Director, Security Operations), Josh Fisk (Security Engineering Manager), Josh Guite (Senior Security Operations Engineer) and Tim Shea (Principal Cloud Security Architect)
Location: San Diego, CA
Sony Interactive Entertainment (SIE) is the leader in digital entertainment and creator of the PlayStation platform. As an early adopter of Agile IT and public cloud infrastructure (AWS), SIE was one of the first enterprises to experience the benefits and challenges of moving workloads out of the datacenter and into the cloud. Specifically, SIE quickly realized that traditional security tools just weren’t designed to keep up with the complexity and scale of the cloud, and so they set out to find a solution that could. They found CloudPassage Halo and thus began the journey to automate security & compliance in the cloud.
Cybersecurity Transformation “Shifting Security LEFT”
Executive Sponsor: Sudharma Thikkavarapu, Senior Manager, Cybersecurity, T-Mobile, US Inc.
Team Members: Garrison Hu (Principal Engineer), Griffin Howlett (Associate Engineer), Tucker Sneed (Associate Tech-X Intern), and Ye Eun Chae (Intern)
Location: Bellevue, WA
The T-Mobile technology and engineering teams were developing and deploying solutions to support UnCarrier activities at accelerated speeds, and their security organization was not able to scale to support the demand for application security assessments. For example, the time taken to complete one single application security assessment was approximately seven working days, which was unreasonable and slowing their business. The team took this as a problem statement and reengineered all their processes and solutions to bring down service level agreements (SLA) from 7 working days to less than 30 minutes!