PWC'S Advanced Threat and Vulnerability Management Services: Our Comprehensive Approach
Threat and Vulnerability Management Services

[Diagram: the TVM cycle - Tailored Risk Profile, Threat Intelligence, Scan & Detect, Prioritise, Test, Report, Remediate]

Vulnerability Assessments (VA): identify currently known vulnerabilities which might enable unauthorised persons to gain access.
• Internal VA
• External VA
• Architectural and Infrastructure Review
• Web application VA (PwC Experts)
For vulnerability assessments and reviews of security architectures and infrastructures PwC uses a global methodology and a tailored set of software that best matches the client environment. We have both local and PwC Solution Centre resources for the necessary expertise and optimal cost-effectiveness.

Web application VA and PT (and Continuous Monitoring): a cost-effective hybrid security assessment solution for web application vulnerability assessments and manual penetration testing with zero false-positives using:
• PwC’s Security Assessment

Report: a report summarises our activities and the most essential test results and makes them tangible for a management audience.

Remediate: in cooperation with our clients, our team of experts remediates the detected vulnerabilities.
“We have approximately 6,000 vulnerabilities in our
applications. Every year we fix about 1,000 and we find
another 1,000. The question is: are we finding and fixing
the right ones?”
CIO, large financial services organisation
Tailored risk profile

Every organisation has to identify and then protect its own information assets, and also has to cope with specific cyber risks depending upon the industry in which it operates and the types of data it collects, processes and stores. For example, this could cover all or any of the following: intellectual property, personal customer/business customer records, credit/debit card data, and manufacturing and production systems using industrial control systems. Therefore, a “one size fits all” cybersecurity assessment will inevitably fail to address the real “value at risk” to the organisation. A cybersecurity assessment has to take these differences between organisations and industries into account.

To cope with the characteristics of each organisation and to provide the most value, we tailor our threat and vulnerability management approach to focus on the specific higher-risk information assets. This tailoring consists of the following phases:
Scoping
• Develop an understanding of the characteristics of the organisation as a whole and of the environment to be assessed
• Define and agree the scope of the environment to be assessed

Business impact assessment
• Assess potential business impact to an organisation should information assets be compromised

Threat Profile
• Profile and prioritise all threats that are relevant to the environment being assessed
• Identify the potential ways that the highest priority threats could manifest to cause harm to the environment being assessed
Threat intelligence

At the heart of our TVM Framework is our Threat Intelligence Fusion Centre (TIFC). Many companies are challenged to understand which threat actors might be targeting their resources, personnel, data, facilities,
partners, and other crown jewels. Our proactive, threat actor-focused approach can enable organisations to increase
their understanding of the threats they face and help them to rate their findings and prioritise their TVM activities.
Through our incident response engagements, full time research team, participation in invite-only trust groups and
private information sharing arrangements with select third parties, we collect, enrich and distil a significant volume
of technical data associated with targeted threat actors. In addition, we have the ability to identify the victims
associated with specific command and control domains via our sinkholing infrastructure.
Scan & detect vulnerabilities

By using different vulnerability scanning approaches we help our clients to identify currently known vulnerabilities and configuration errors at the network, operating system, database and application level which might enable unauthorised persons to gain access.
We can perform an internal network vulnerability assessment of internal IP ranges provided by a client with different tools and scanning applications. All internal vulnerability assessment activity is performed from the point of view of an unauthenticated user, with the aim of identifying only network-level vulnerabilities and issues. Such an assessment can also be completed from an external and an internal (DMZ, intranet) point of view, as well as on applications as a WASA (web application security assessment). We can do this with tools that PwC has acquired, or help you to acquire and configure the tool you have selected.
To minimise the risks of vulnerable systems being compromised, vulnerability assessments should be run regularly.
Good practice is to deploy vulnerability scanning software and scan for vulnerabilities on a continuous basis. To help
our clients achieve this we can deploy the appropriate technology, processes and training to enable our clients to
perform ongoing vulnerability assessments.
ImmuniWeb® web security testing platform, from our business partner High-Tech Bridge, is an example of a hybrid solution to carry out managed vulnerability scanning in parallel with advanced manual testing on a continuous or on-demand basis.
Prioritise vulnerabilities

The prioritisation of vulnerabilities and elimination of false positives is a critical step to focus further testing activities on vulnerabilities that are substantial and might represent a considerable risk for the business. The illustration below shows an example architecture using Qualys for internal scanning and ImmuniWeb® for external penetration testing and managed vulnerability scanning. The incorporation of our Threat Intelligence Fusion Centre (TIFC) service is essential for the prioritisation of the obtained vulnerability data and means we can enrich your vulnerability exposure picture by basing the findings on risk, not just severity.
[Illustration: vulnerability data from internal and external scanning sources is combined in the TIFC with client, government, open source, JBRs & alliances and future intelligence sources, plus PwC’s own sources (corporate data, global IT operations data, global insights, engagements); findings are rated Critical, High or Low.]
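The “risk, not just severity” principle above, as an added illustration (not PwC’s TIFC logic or any tool’s output): a scoring routine that re-ranks constructed scanner findings by the business impact of the affected asset (from the tailored risk profile) and by threat-intelligence flags, and drops verified false positives. Asset names, weights, band thresholds and intel flags are assumptions.

```python
# Added illustration of risk-based prioritisation; not PwC's TIFC logic.
# Assumed inputs: scanner findings with a severity score, an asset register carrying the
# business-impact rating from the tailored risk profile, and threat-intelligence flags.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: float               # scanner severity, CVSS-style 0.0-10.0
    false_positive: bool = False  # set after manual verification of the scan result

# Constructed asset register: business impact 1 (low) .. 5 (crown jewel)
ASSET_IMPACT = {"ebank-web-01": 5, "sap-prod-01": 5, "intranet-wiki": 2, "test-vm-07": 1}

# Constructed threat-intelligence enrichment, keyed by finding title
THREAT_INTEL = {
    "Unauthenticated funds transfer": {"exploited_in_wild": True, "actor_targeting": True},
    "Outdated DB listener": {"exploited_in_wild": True, "actor_targeting": False},
}

def risk_score(f: Finding) -> float:
    """Severity scaled by business impact, then boosted by intel signals (assumed weights)."""
    impact = ASSET_IMPACT.get(f.host, 3)  # unknown asset: assume medium impact
    intel = THREAT_INTEL.get(f.title, {})
    boost = 1.0 + 0.5 * intel.get("exploited_in_wild", False) \
                + 0.5 * intel.get("actor_targeting", False)
    return round(f.severity * impact / 5 * boost, 2)

def tier(score: float) -> str:
    """Map a risk score to the Critical / High / Low bands used in the report."""
    return "Critical" if score >= 9.0 else "High" if score >= 5.0 else "Low"

def prioritise(findings):
    """Drop verified false positives, then order by risk rather than raw severity."""
    kept = sorted((f for f in findings if not f.false_positive), key=risk_score, reverse=True)
    return [(f.host, f.title, risk_score(f), tier(risk_score(f))) for f in kept]

# Constructed sample: the highest raw severity sits on a throwaway test VM
SAMPLE = [
    Finding("test-vm-07", "Kernel privilege escalation", 9.8),
    Finding("ebank-web-01", "Unauthenticated funds transfer", 7.5),
    Finding("sap-prod-01", "Outdated DB listener", 6.5),
    Finding("intranet-wiki", "Reflected XSS", 6.1, false_positive=True),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE):
        print(row)
```

Note that the 9.8-severity finding on the test VM drops to the bottom, while the medium-severity e-banking finding on a crown-jewel asset with active exploitation comes first.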
Security testing

Traditional penetration tests “attack the front door” – by scanning and attacking your public internet addresses. This could provide an acceptable comfort level against ‘traditional’ attacks, but will not assess your vulnerability to more sophisticated attacks (known as Advanced Persistent Threats or APT).
Our penetration testing solutions are tailored to your specific needs. We use intelligence and experience from
previous attacks to simulate what happens during a real cyber-attack. We take into account specific situations as well
as environmental variables to build up a threat scenario. Outlined below is a schematic of the penetration testing
services offered by our Swiss Penetration Testing team.
[Schematic: Infrastructure penetration testing, Application penetration testing, Host based reviews, Social engineering, ERP penetration testing (SAP and Oracle), Mobile security testing]

Application penetration testing
Can a user (authenticated or unauthenticated) perform functions that they should not be able to, in order to escalate their assigned level of privilege?
Real life example: While performing penetration testing on an e-Banking application, we identified several weaknesses allowing money to be transferred from one account to another account without authentication controls.

Social engineering
Are your staff aware of security and related threats? Could they be easily tricked into handing out sensitive information or access credentials?
Real life example: While performing penetration testing using social engineering methods, we were able to obtain sufficient credentials allowing us to access the internal network and sensitive strategy data.

ERP penetration testing (SAP and Oracle)
Is your main financial planning system and its supporting infrastructure vulnerable to manipulation? Can it be easily exploited to make fraudulent payments or misrepresent your financial position?
Real life example: While performing penetration testing on a SAP environment, several vulnerabilities related to the operating system and the database were identified. Full control over the SAP application (SAP_ALL) was obtained by exploiting the identified vulnerabilities.

Mobile security testing
Is the access to your financial planning system and information technology infrastructure adequately secured? Are you storing sensitive data on mobile devices?
Real life example: While performing penetration testing on a mobile device, we were able to access sensitive data stored on the mobile, which included business strategic data as well as user personal passwords.
Reporting

Our high quality, business focused reports provide you with market leading, tailored and valuable information that will meet your unique requirement of improving the overall control environment through implementing and sustaining cost effective, programmatic and relevant solutions to address risks. Crucially, we will understand the root cause of issues, allowing you to implement solutions and embed robust controls throughout the business.
Remediate

From vulnerability assessments and penetration testing, organisations identify many hundreds or thousands of vulnerabilities. Many organisations struggle to drive remediation of these vulnerabilities. We have considerable experience assisting organisations to implement and drive vulnerability remediation using the 4 stage process outlined below:

0 Vulnerability Remediation Team Mobilisation
• Analyse the current vulnerability data and create a vulnerability remediation plan
• Define the required processes to implement a remediation programme
• Implement / update the solution to identify vulnerabilities

1 Reduce the number of vulnerabilities in existing systems
2 Drive the remediation programme
3 Ensure new systems do not have vulnerabilities
About PwC
PwC helps organizations and individuals create the value they’re looking for.
We’re a network of firms in 157 countries with more than 195,000 people who
are committed to delivering quality in assurance, tax and advisory services.
PwC’s member firms operate locally in countries around the world. By working
together, member firms also comprise a vigorous global network similar in
some respect to the IFRC. This provides our clients with the flexibility of the
most local and the most global of businesses.
PwC Switzerland has offices in 15 of the country’s largest cities with its main
offices in Geneva and Zurich. On 30 June 2015, PwC Switzerland employed
2,676 people.
PwC brings a multi-disciplinary approach to information and cyber security,
addressing the key components of strategy, governance, risk and compliance, and people, processes and
technology. PwC’s approach to information security blends business insight with a broader view of risk.
We help clients to pursue opportunities by understanding their business drivers and threats and building
in appropriate security enablers. We operate 55 forensic laboratories in 42 countries and support major
incidents with a ‘follow the sun’ model.
Why PwC?
• Technical resources that have a business focus: we invest in our technical resources developing their technical and business skills, enabling them to relate technical findings to business risks and utilise business language in the reporting.
• Consistency and quality in approach: we adopt a consistent approach and tools for all penetration services performed globally, overseen by a central Quality Assurance and coordination team.
• Tailored and tested methodology: through our industry leading research and development and our extensive experience in the marketplace over at least 15 years, we have developed a proprietary penetration testing methodology.
• Global reach: we operate globally providing local language capabilities and understanding of culture with 50+ testers around the world, part of a security team of 3,200+ using a shared approach, methodology and knowledge. This allows us to provide both on-site and remote testing capabilities to deliver the most cost effective and flexible solution.
• High quality and consistent reporting: our reports will provide you with customised reporting and root cause analysis, including working closely with you to understand the impact of any findings identified in accordance with our clients’ risk management methodology. Crucially, we will understand the root cause of issues, allowing you to implement solutions and embed robust controls throughout the business.
• Highly skilled consultants who are experienced operating at the CxO level: our consultants are used to working and communicating with CxOs, translating technical findings into business language.
• Research and Development: our investment in research and development into emerging threats is one of the highest and most advanced in the industry.
• Global automated portal solution: we have developed a market leading, distinctive online portal solution for testing reporting and overall engagement management that we provide for global arrangements. Specifically, the ‘portal’ provides an integrated view of all penetration testing undertaken for your businesses globally, providing customisable reports that can be tailored to address the varying needs of stakeholders.
Our strengths
We offer numerous solutions that help organisations understand their dynamic cyber challenges, adapt and respond
to the risks inherent in their business ecosystem, and protect the assets most critical to their brand, competitive
advantage and shareholder value.
© 2016 PwC. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers AG
which is a member firm of PricewaterhouseCoopers International Limited, each member firm of
which is a separate legal entity.