ISE® Northeast Project Award Nominees 2019

AARP
Layered Security Controls for Critical Data Stores
Executive Sponsor: Saffet Ozdemir, VP of Information Security
Project Team: Mary Nasatka (Director, Information Security, GRC), Duane Dunham (Director, Information Security), Qasim Jafary (Advisor, Information Security Digital Platform), Aliza Bailey (Senior Information Security Architect), Himanshu Jain (Senior Advisor, Information Security), Sharron West (Senior Advisor, GRC)
Location: Washington, D.C.

As stewards of AARP members’ trust, we seek to meet or exceed their expectations of security when engaging with our Association. In addition to traditional network segmentation of critical databases, we have instituted both 2FA and PAM for all user interactions with said databases. Furthermore, we implemented Database Activity Monitoring and User Behavioral Analytics to monitor all user and application activity to detect anomalous behavior. All activity is monitored by an MSSP dedicated to this environment. We obfuscated member PII from our lower environments (Development, Test, and QA databases) to lessen the blast radius should an intrusion occur.

ADP
S.A.F.E. (Security Ambassadors for Excellence)
Executive Sponsor: Roland Cloutier, Corporate Vice President & Global Chief Security Officer
Project Team: William O’Connell & Omar Prunera
Location: Roseland, NJ

As a global company providing human capital management (HCM) solutions and therefore handling sensitive information at every level, ADP is constantly and proactively looking for new and innovative ways to transform its culture of Security from something we say and do to something we are.

With that goal in mind, ADP’s Global Security Organization launched the S.A.F.E. initiative to push the company in that direction. S.A.F.E. is a program that uses technology to inform employees on security, train them, improve their knowledge and behavior, but mostly keep ADP’s security posture at its highest.

ADP
Secure by Design
Executive Sponsor: V.Jay LaRosa, VP Global Security Architecture
Project Team: Owen Buckingham (Director Application Security Architecture), Oscar Arenas (Application Security Architect), Oleg Dulin (Software Architect), Andy Fortier (Application Security Architect), Gor Nazaryan (Application Security Architect), Mike Wiltshire (Application Security Architect)
Location: Roseland, NJ

The Secure by Design program was developed to help transform ADP’s Dev/Sec/Ops culture. The objectives were to: Develop/promote common architecture patterns and shared services the whole company can leverage; Develop a reusable and consistent threat modeling practice that is centrally shared across the whole company, while providing ongoing real time measurements as new threats evolve; Improve ADP’s security posture by distributing architects to deliver “in organization” security through a distributed governance process, essentially self-enabling the organizations to be accountable for security; and take a business centric approach providing global cyber security requirements aligned with enterprise technology standards through a distributed model.

Aetna
Adaptive Enablement in the Cloud
Executive Sponsor: Tim Tompkins, Executive Director and Chief Security Architect and Innovation, CVS Health
Project Team: Min-Hwei Liu (Director Information Security, Global Security and Resilience), Josh Atencio (Sr. Security Engineer), Jwan Campbell (Sr. Security Engineer), Kevin Karolefski (Security Engineer), Michael Graff (Security Advisor), Matt Weston (Security Advisor), Michael Casner (Security Engineer)
Location: Hartford, CT

Aetna’s Adaptive Enablement in the Cloud project reduces high risk behavior across cloud services by introducing friction when employees engage in risky behavior, making the safe path the easy path. In addition to reducing the risk of data exfiltration, this has enabled Aetna’s members to have a simpler and more secure way to access their information and provides a world class user interface to interact with the organization while keeping Aetna’s business-critical sensitive PII and PHI data secure, allowing the business to focus on innovation and securely accelerating business. This strategy will expand into CVS Health as part of the acquisition of Aetna.

AmerisourceBergen
Cyber Incident Response Automation
Executive Sponsor: Umesh Yerram, Chief Data Protection Officer
Project Team: Jayaprakash Reddy Cheenepalli (Director, Cybersecurity Engineering), Brian Catherwood (Enterprise Security Architect), Tessa Kaye (Information Security Lead), Rama Krishna Naraharisetti (Information Security Lead), Michael Kaskey (Program Manager), Richard Eaton (Information Security Lead)
Location: Chesterbrook, PA

As cyber threats are getting more sophisticated with threat actors using very advanced threat vectors to gain access into AmerisourceBergen (ABC) systems and data, the ability to rapidly respond to those threats before they cause significant system outage or result in a substantial breach is very critical. We need to have a list of ABC owned & managed devices to ensure only those devices are connecting to our network to gain access to ABC systems & data. The ability to limit access to ABC network to only authorized ABC assets will significantly reduce cyber risk.

AmerisourceBergen
Project Omniscient Eye – Data Protection
Executive Sponsor: Umesh Yerram, Chief Data Protection Officer
Project Team: Arvin Bansal (Senior Director, Cyber, Risk and Governance), Jose Boac (Manager, Data Security), Kathleen Romualdo (Data Security Analyst), Tumaini Ryoba (Cloud Security), Raju Amin (Data Discovery and Analyst Leader), Ritu Sharada (Data Discovery Analyst), JP Cheenepalli (Security Architect), Brian Catherwood (Lead Security Architect), 12 other contractors and consultants
Location: Chesterbrook, PA

While cloud computing has allowed businesses to be more flexible and agile, data protection has been the biggest challenge. Especially for AmerisourceBergen (ABC), which houses confidential and, in some cases, intimate data like health information, any unauthorized disclosure could not only have financial impacts, but more importantly, have undesired life-altering impact to patients. Omniscient Eye is a one-of-a-kind project that discovers and classifies 2 million protected documents of ABC’s confidential data, provides visibility to the 3TB of cloud data including 3,000 cloud services, and ensures protection to 8 billion PHI records through data masking and encryption solutions. It doesn’t matter what you are doing, we have our omniscient eyes on you.

AT&T
The Storm Threat Analytics Platform
Executive Sponsor: Brian Rexroad, VP, Security Platforms
Project Team: Cynthia Cama (AVP, Technology Security), Joe Harten (Director, Technology Security), Dan Sheleheda (Lead, Technology Security), James Pace (Principal Member of Tech Staff), Josh Anderton (Principal Technology Security), Steven Buznitsky (Principal Member of Tech Staff)
Location: Bedminster, NJ

The Storm threat analytics platform collects, processes and stores security data for AT&T’s internal enterprise. Its mission is to protect AT&T’s networks, employees and assets through security analysis. The Distributed Streaming Analytics (DSA) component provided the ability for Storm to use Open Source streaming technology to ingest and alarm on key security data in near-real time.

Bentley Systems
The New Web Application Firewall Project
Executive Sponsor: Chris Thompson, Director, IT Security
Project Team: Mike Brim (Senior Director, IT Operations), Fatima Alli (Project Manager), Bob Benner (Systems Administrator), Gerald Robinson (Systems Analyst), Brett Yeagley (Senior Manager, IT Infrastructure), Louis Nadeau (Director, Product Security), Tom Cibelli (IT Security Operations Manager), Dave Craig (Senior Manager, Networking)
Location: Exton, PA

Bentley needed to identify and implement a Web Application Firewall (WAF) that supported its several different architectural models for corporate and customer-facing systems. This technology needed to support traditional network-centric WAF architectures, as well as provide protection for hosted virtual systems and cloud-native applications designed by Bentley for use by its customers. Bentley’s diverse product line required protection for varied and distinctly different technologies, while the IT Infrastructure and Security teams desired the consolidation of security tools to simplify operations.

City of Boston
City of Boston’s Identity Governance Program - Access Boston
Executive Sponsor: Greg McCarthy, CISO
Project Team: Gretchen Grozier (Project Manager for Identity and Access Management)
Location: Boston, MA

The City of Boston’s identity program was operating on a partially completed Oracle IDM infrastructure. A lot of customization had been done, making upgrades too difficult to complete, and the product was nearing end of life support. Outages and a lack of dedicated staff meant the city needed a secure and stable identity governance platform.

The city chose SailPoint for its new identity management platform to help enhance user experience, minimize the duplication of effort through streamlined provisioning and deprovisioning, and improve the security posture through effective and efficient identity lifecycle management, access control and account auditing.

Comcast
CyberSplash
Executive Sponsor: Joseph Gallagher, Sr. Director, Cybersecurity Governance, Risk and Compliance
Project Team: Patrick McGranaghan (Manager, Cybersecurity Awareness and Education), Matthew Markowitz (Sr. Analyst, Cybersecurity Awareness and Education), Laurence Ginsburg (Project Manager, Cybersecurity), Jayson Hurd (Principal Architect), Eric Sundberg (Sr. Architect), Brad Hein (Sr. Manager, Security Development), Alex Wheeldon (Security Developer), Teague Reese (Analyst 3, Cybersecurity Awareness and Education), Siva Ramalingam (MongoDBA Engineer)
Location: Philadelphia, PA

CyberSplash is a cybersecurity education game that's transforming Comcast security at the employee level. The game provides fun, bite-sized, incentivized daily training to help employees better understand and remember cybersecurity concepts and practices. Employees can play on their company-issued computers and mobile devices. Each day, players face a new one-minute challenge. Correct answers earn badges, higher rankings on the leaderboard, and the opportunity to play for Splash Cash (in-game currency that can be redeemed for game enhancements). CyberSplash uses game elements to reward people for educating themselves and is revolutionizing Comcast's information security posture.

Horizon BCBSNJ
Email Authentication and Reporting Process
Executive Sponsor: Douglas Falduto, VP, Admin & Chief Security Officer
Location: Newark, NJ

It’s reasonable to expect that one can trust the legitimacy of an email sent from a recognized company if the 'From' field matches the company's domain name along with a familiar logo, slogan, and URL. However, this scenario is becoming increasingly unlikely in the age of cybercrime. A 2019 Agari Cyber Security report estimated that 22.9 phishing attacks are launched every minute of the day and are the conduit of 90% of all breaches. Horizon-BCBSNJ proactively deployed a robust email authentication process, leveraging the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard to safeguard our members from email domain spoofing.

IAC
Enterprise SOC (Security Operations Center)
Executive Sponsor: Mehan Kasinath, Director of Information Security
Project Team: Fabian Moreno (Security Analyst), Pedro DeJesus (Security Analyst), Akhil Kumar (Security Analyst), Vishon Ganesh (Security Analyst)
Location: New York, NY

IAC’s Enterprise SOC is a custom-built security information analysis platform that has AI & machine-learning capabilities and custom alerts, is built on the MITRE ATT&CK framework, and leverages Threat Intelligence Feeds from ITISAC, CrowdStrike, CyberInt, etc. It ingests and correlates logs across multiple businesses and log sources from a wide variety of platforms to identify potential threats. This effectively centralizes SOC management as a shared service offered to IAC’s many businesses so that they can focus on the business that they’re good at while still benefiting from a mature security program.

Regeneron
Cyber-Immune Project
Executive Sponsor: Mark Leary, CISO
Project Team: Enoch Long (Cyber Ops Director), Shah Nawaz (Cloud & Data Center Engineering Director), Bhawesh Choudhary (Solution Design & Architecture Director)
Location: Tarrytown, NY

Regeneron’s “Cyber-Immune” project is the use of Robotic Process Automation to orchestrate defensive actions against cyber-attacks. In an increasingly interconnected world, infectious diseases can spread more quickly than in the past, seriously affect our health, and require new treatments that are safe, effective and easily deployed. Much like Regeneron’s focus to treat human infections, Cyber-Immune’s objective is to quickly identify, treat, and resolve malware attacks, such as viruses, with a solution that is automatic and can scale to address even the largest infections. The idea is that a cyber-immune infrastructure is a self-healing system that adapts to environmental threats.

Regeneron
Cybersecurity Service Transformation Project
Executive Sponsor: Mark Leary, CISO
Project Team: Enoch Long (Cyber Operations Director), Diarmuid O’Sullivan (Cyber IR Manager), David Glosser (Threat & Vulnerability Manager), Keith Keimig (Security Monitoring Manager)
Location: Tarrytown, NY

Cybersecurity Service Transformation was a rapid capability building effort that transformed disparate, best-effort security activities into an integrated, threat-driven, services-based cyber operational model. In the past, the company’s information security operations were a set of activities that were loosely interrelated, informationally siloed, and only based on measuring compliance to IT standards. The project’s objectives were: establish a new operational model that focused on cyber threats, rationalize a set of cyber services based on retained staff and managed security services mix, and optimize these cybersecurity services by measured performance and demonstrated value.