AGENDA
1. About Cavirin
2. What we do
3. CISO Challenges
4. Use Cases
5. Cavirin Automated Risk Analysis Platform (ARAP)
6. Solving for the road ahead
ABOUT CAVIRIN
Founded: 2012
HQ: Santa Clara, CA
Employees: 60+
Cavirin enables companies to proactively manage IT security and compliance risk in the data center, the cloud, and containers.
Cavirin is backed by SRA, Inc., a public company with $700M in annual revenue.
[Logo panels: Investors; Industry Alliances; Key Partners; In the News]
COPYRIGHT © 2016 CAVIRIN SYSTEMS
WHAT WE DO
[Diagram: Cloud Security across IaaS, PaaS, SaaS, Containers, Data Centers, Private Cloud, and Hybrid]
Cavirin provides real-time risk scoring and continuous compliance with remediation guidance, improving enterprise security posture, reducing attack surface, and expanding compliance readiness.
Automated Risk Analysis drives continuous security and compliance improvement across Datacenter, Cloud, and Containers.
MULTI CLOUD SOLUTION
• Native cloud solution designed for both legacy and cloud computing architectures
• Discovers assets across all major clouds
• Assesses them against cloud and other security benchmarks
• Provides output against major assessment models such as HITRUST, PCI DSS 3.2, SOC 2, NIST 800-53, ISO 27002, the Cybersecurity Framework, and CIS CSC 6.1 Top Twenty
• Leverages DISA STIGs and CIS Benchmarks through the NIST SCAP protocol, as well as expert custom-scripted policies
• CIS Benchmark content is CIS Certified
MSP & CSP
SIMPLIFY AND AUTOMATE SECURITY & COMPLIANCE
[Diagram: Cavirin Automated Risk Analysis Platform connected to clouds: AWS, Azure, Service Providers & MSPs]
Minutes to Install: quickly deploy across your data center and cloud (agentless).
Cloud & Container Aware: support bursting of instances without losing security and compliance.
Immediate Value: out-of-the-box policies for CIS, NIST, PCI, HIPAA, ISO, and much more.
Customize & Extend: easily author and deploy your own policies.
CISO CHALLENGES
• Increased Risk of Breach and Exposure
– Driving increased audit and compliance pressure
• Cloud and DevOps Automation
– Lack of risk visibility across complex hybrid IT infrastructures
– DevOps automation breaks legacy security and compliance tools
• Manual Security and Compliance Processes
– Automated Security, Risk and Compliance Tools Required
• Cybersecurity Increasingly About Risk Management
– Legacy security solutions failing to keep pace with new technology
“Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.” GARTNER INC.
USE CASES
• Cloud Security and Compliance
  – Across on-premises, cloud, and containers
  – Continuous improvement of security posture
• IT Risk Management
  – Real-time, automated risk & compliance scorecard
  – 3rd-party vendor and M&A risk
• Compliance Automation
  – Automated audit reporting for PCI, HIPAA, NIST, and all major frameworks
• DevSecOps
  – Integration with CI/CD processes and DevOps toolchains
GET COMPLIANT – STAY COMPLIANT
[Diagram: ongoing business requirements mapped to the supported frameworks]
Supported frameworks:
• CIS Benchmarks
• DISA STIGs
• NIST 800-53 r4 & Appendix J
• PCI DSS 3.2
• SOC 2 (2016)
• HIPAA / HITECH CSF
• Cybersecurity Framework (CSF)
• ISO 27002
• CIS CSC Top 20
• UK Cyber Essentials
• CJIS
• FedRAMP
CLOUD CAPABILITIES
CLOUD SECURITY OUT-OF-BOX COVERAGE
Compliance – Unified Assessment Models, applied across AWS and Azure public cloud, SaaS, on-premise, private cloud, hybrid, and containers:
• PCI DSS 3.2
• HIPAA - HITRUST
• NIST 800-53 r4
• ISO 27002:2013
• DISA STIGs
• SOC 2 + Privacy
• CSC 6.1 Top 20
• CIS Benchmarks
• FedRAMP (NIST 800-53 r4)
• Cybersecurity Framework (CSF)
• CJIS
• UK Cyber Essentials
More environments, more assessments, more policies: 150,000 system-policy-to-control mappings today, and 250K+ by 2017.
ASSESSMENT MODELS, OS, CIS BENCHMARK AND STIGS

Each row is an operating system or environment with its scoring authority (CIS or DISA) and the number of organic policies scored from that benchmark or STIG; the remaining cells give the count of those policies mapped into each assessment model. The first data row is the total control universe of each model.

| OS / Environment | Authority | Organic policies scored | CIS CSC 6.1 | CJIS Security Policy* | CSF (Framework for Improving Critical Infrastructure Cybersecurity) | HITRUST CSF 2015 | ISO/IEC 27002:2013 | NIST 800-53 r4 + Appendix J Privacy | FedRAMP* (uses NIST 800-53 r4) | PCI DSS 3.2 | AICPA SOC 2 (2016 Trust Services Principles and Criteria) | UK Cyber Essentials* |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Total control universe | | | 20 | 65 | 22 | 45 | 35 | 266 | 266 | 13 | 63 | 5 |
| Amazon Linux | CIS | 215 | 1993 | 430 | 860 | 1924 | 1692 | 1644 | 1644 | 981 | 1604 | 215 |
| CentOS 7 | CIS | 211 | 1985 | 422 | 861 | 1916 | 1704 | 1636 | 1636 | 976 | 1608 | 211 |
| Red Hat Enterprise Linux 7 | CIS | 224 | 906 | 448 | 906 | 2016 | 1775 | 1726 | 1726 | 1027 | 1681 | 224 |
| CentOS 5 (custom, EOL) | DISA | 399 | | | | | | | | | | 399 |
| CentOS 6 | CIS | 207 | 1958 | 414 | 859 | 1894 | 1694 | 1617 | 1617 | 966 | 1594 | 207 |
| Red Hat Enterprise Linux 6 | CIS | 211 | 3461 | 422 | 883 | 1930 | 1715 | 1649 | 1649 | 986 | 1618 | 211 |
| Red Hat Enterprise Linux 6 | DISA | 174 | 312 | 348 | 52 | 364 | 181 | 174 | 174 | 207 | 258 | 174 |
| Windows Server 2012 R1 | CIS | 312 | 3509 | 624 | 2438 | 3864 | 3927 | 4234 | 4234 | 2126 | 3701 | 312 |
| Windows Server 2008 R2 Domain Controller | DISA | 276 | 630 | 552 | 156 | 756 | 520 | 414 | 414 | 327 | 523 | 276 |
| Windows Server 2008 R2 Member Server | DISA | 267 | 402 | 534 | 150 | 469 | 338 | 267 | 267 | 206 | 331 | 267 |
| Windows Server 2012 R2 Domain Controller | DISA | 299 | 477 | 598 | 177 | 531 | 417 | 299 | 299 | 250 | 382 | 299 |
| Windows Server 2012 R2 Member Server | DISA | 290 | 460 | 580 | 162 | 505 | 389 | 290 | 290 | 237 | 369 | 290 |
| Ubuntu 12* | CIS | 92 | 276 | 184 | 276 | 368 | 276 | 368 | 368 | 184 | 276 | 92 |
| Ubuntu 14.04* | CIS | 233 | 699 | 466 | 699 | 932 | 699 | 932 | 932 | 466 | 699 | 233 |
| Docker on AWS Linux | CIS | 40 | 120 | 80 | 120 | 160 | 120 | 160 | 160 | 80 | 120 | 40 |
| Docker on Ubuntu 14.04 | CIS | 40 | 120 | 80 | 120 | 160 | 120 | 160 | 160 | 80 | 120 | 40 |
| ESX 5.5* | CIS | 53 | 159 | 106 | 159 | 212 | 159 | 212 | 212 | 106 | 159 | 53 |
| Windows 7 Enterprise Desktop* | CIS | 342 | 1026 | 684 | 1026 | 1368 | 1026 | 1368 | 1368 | 684 | 1026 | 342 |
| Windows 10 Enterprise Desktop* | CIS | 405 | 1215 | 810 | 1215 | 1620 | 1215 | 1620 | 1620 | 810 | 1215 | 405 |

* Limited publication; not in general release until Q4 2016. Total mappings: 151,668.
MITIGATE YOUR SECURITY & COMPLIANCE EXPERTISE RISK
• Security and compliance experts map each compliance process and its testing to specific assertions of best practice across operating systems, environments, and devices.
• When best-practice criteria are not met, an aggregate score is presented together with exact steps for remediation.
CAVIRIN MITIGATES EXPERTISE RISK BY PROVING THE EXISTENCE OF AN IT SECURITY PROGRAM AT THE OS, ENVIRONMENT, AND DEVICE LEVELS
FROM RISK TO REMEDIATION AND CYBER RESILIENCE
Cavirin Continuous Improvement Process:
1. Deep asset discovery
2. Agentless device scan
3. Risk analysis
4. Detailed remediation guidance
5. One-button risk score & assessment
SOLVING FOR NOW AND THE FUTURE
• Scalable to 100K devices with minimal footprint and setup
• API integration: pre-built connectors facilitate popular 3rd-party scanning and data-driven workflow
• DevOps-style security operations
• Intuitive UI and rich dashboard reporting
• Risk Signaling Engine
• Rapid adoption across all RegTech requirements, maintaining your compliance readiness
REDUCING COMPLIANCE SPEND

| Compliance standard (avg. # servers in a mid-to-large enterprise) | Manual testing: avg. hours for entire process | Automated testing: avg. hours per process (consider duplicate-work savings) |
|---|---|---|
| PCI audit process (50+ servers) | 450 – 520 | 20 – 35 |
| NIST 800-53 (200+ servers) | 860 – 1200 | 28 – 40 |
| DISA hardening BP (50+ servers) | 320 – 480 | 20 – 30 |
| SOC 2 (80+ servers) | 600 – 800 | 20 – 34 |
| HIPAA guidelines (20 – 30 servers) | 280 – 400 | 20 – 30 |
| CIS Benchmarks (400 – 500 servers) | 600 – 800 | 30 – 42 |
| AICPA SOC 2 (800 – 1200 servers) | 920 – 1280 | 30 – 40 |
| Vulnerability checks (500+ servers) | 640 – 800 | 24 – 35 |

Imagine the hours needed to monitor all servers for all conditions.
WHAT CUSTOMERS ARE SAYING…
“Cavirin has saved my team weeks of manual audits. ARAP’s continuous scanning functionality allows for us to watch for policy drift that may occur, as well as any misconfiguration or malicious intent. Having direct access to this information helps ease the burden of audit compliance.” – Ray Espinoza, Director of Security, Gainsight
“I didn’t want a blind spot in my production system from where we are in terms of compliance. I wanted to reduce the overhead of the audit burden, both from a financial and time perspective, and automate this process as much as possible.” – Kim Green, CISO, Zephyr Health
“I’m able to see changes that display risk at the click of a button.” – Kip James, CISO, Service Source
KEY PARTNERS
Technology Alliance
Managed Service Provider
Solution Provider