Cyber attacks are coming
Amplify your security and risk management: protect your data, customers, and future
Table of contents
Clear vulnerabilities
Time for MSS
Innovations at the SOC level
Benefits of the MSS model
Managed security in action
Security risk management as a business driver
A secure bank transformation
It's a question of when, not if

Enterprise-class cyber security and risk management is complex and requires specific tools and processes, and a significant level of organizational maturity. Yet many organizations are constrained in the skills and resources they can dedicate to this critical task. Have you ever considered letting someone else deal with this issue for you?

Clear vulnerabilities

The world, and particularly the business world, is evolving faster than ever before. At the strategic business level, organizations must meet more demanding user expectations, reduce risk, and control costs, all while keeping the operational lights on and leveraging innovation to drive growth and performance. This accelerating pace makes it more difficult to evaluate technologies to secure a digital transformation, meet disruptive competition, and protect enterprise data and assets from a growing universe of cyber threats.

At the information technology level, many organizations struggle to marshal the talent, resources, and budgets needed to create a reliable security environment. And obsolete IT may actually impede meaningful innovation and hinder creating a secure digital business.

In its third annual State of Security Operations Report, DXC Technology highlighted key aspects of the current enterprise security environment: 1

1 www.surveymonkey.com/r/ProtectSOC

Security is insufficient in most large organizations. As business faces increasingly volatile threat environments, security operations centers (SOCs) play a crucial role in protecting the digital enterprise. Yet in this report, DXC found that 8 percent of surveyed organizations fell below recommended maturity levels.

24x7x6 monitoring is a top priority.
Today, however, the average SOC lacks basic security monitoring capabilities. In 201, 24 percent of assessed organizations only met minimum requirements for security monitoring.

Access to security resources is limited. To address personnel shortages and a lack of expertise, enterprises implement hybrid staffing and security infrastructure models that leverage managed security services to support or augment in-house resources, while still delivering on detection capabilities.
In 201, the mean one-year loss to cybercrime at 22 organizations was $7.7 million. 2

The key take-away from that report: Organizations clearly cannot manage security themselves. They are turning to managed security services (MSS) models to replace or supplement those capabilities.

Time for MSS

Considering the substantial risk and cost of security failures, now is not the time for a go-it-alone approach. There are simply too many threats that are moving too fast. And the downside outcomes in time, money, and irreparable damage to brands and reputation are simply too great. To fully realize the promise of the digital business, you simply must have a more reliable and comprehensive way to protect your enterprise. That is why growing numbers of organizations are exploring the managed security service alternative.

146 The median amount of time attackers spent inside organizations before detection.

What should you look for in a managed security services relationship? At the most basic level, an MSS provider should protect enterprise data, applications, IT infrastructure, and intellectual property, and those capabilities should be integrated and supported by a unified cyber-reference architecture. It should do those things in a way that frees your organization to pursue its core strategic mission. The managed services model establishes a holistic, integrated view that can amplify security controls and effectiveness.

Is your organization prepared for a cyber attack? Eighty-six percent are not. 4 In fact:

Less than six percent of business and IT leaders surveyed believe their organization is extremely well prepared for security breaches involving serious information loss.

Fully 99.9 percent of the exploited vulnerabilities were compromised more than a year after the Common Vulnerabilities and Exposures industry standard was established. 6

Eighty percent of all targeted attacks exploit privileged accounts during the attack process. 7

Fifty-three percent of breach victims are notified by an external entity. 8

2 Global Cost of Cybercrime Study, The Ponemon Institute, sponsored by DXC, 201
M-Trends Report 2016, FireEye Inc.
4 DXC 2016 Cyber Risk Report
Cyber security Challenges, Risks, Trends and Impacts Survey, MIT Technology Review, in partnership with DXC Security Services and FireEye Inc., 2016
6 Verizon DBIR Report, 201
7 CyberArk Security Report, 201
8 M-Trends 2016 Report, Mandiant

Innovations at the SOC level

Managed security services can also be a faster and more cost-efficient way to introduce innovation into your security operations center. Whether an organization out-tasks all security activities, or selects a hybrid approach, a fully-capable managed services provider should offer access to state-of-the-art capabilities.

Those innovations can include intelligent analytics-driven capabilities, including use of Big Data analytics to detect emerging and currently unknown threats. Other methods might include use-case assessments, user behavior analytics and monitoring, and improvements in visualization and the user interface. Security orchestration can now measurably compress response and mitigation times. Autonomous remediation, which today is used mainly for lower-level tasks, will increasingly be used with some analyst intervention to handle more substantial events in the enterprise security setting.
Lack of skills, resources, and threat visibility make existing security investments ineffective.

Perhaps the greatest MSS impact will come from the eventual refinement of software-defined networking (SDN) and network functions virtualization (NFV), which enable providers to provision and manage security and responses much like any other network service.

Benefits of the MSS model

24x7x6 real-time monitoring turns random events into actionable intelligence around the clock so your resources can focus on critical activities.

Access to advanced toolsets, specialized skills, strategic expertise, and other security resources enhances your defensive capabilities beyond that of a standalone enterprise.

Robust protection at a lower cost: subscription-based fees transform capital expenditures (CAPEX) spending into predictable operating expenses (OPEX).

Flexible security options and bundled service packages let you deploy the exact protections you need.

Continual innovation and advancement of Managed Security Services exceeds the benefits of an internal security program to collectively augment everyone's defenses.

Proactive security posture minimizes your risk of being one of the 1.9 companies successfully breached per week by actively hunting and countering emerging threats.

A global view shows the threat landscape across industries, organizations, and geographies so you can prioritize resources and save costs based on 60-degree visibility.

Avoid compliance risks and fines by adopting regulatory and legislative compliant managed services backed by global and local expertise.

Faster security response gives an edge on global adversaries, with more rapid threat detection and real-time event notifications.

Detection and recovery make up percent of internal activity costs, followed closely by containment and investigation, all processes that are often managed by security operations. 9

9 Ponemon 201 Cost of Cyber Crime Report, http://www.hp.com/go/ponemon
"HPE's (now DXC) ability to deliver the cyber security project on time and within the budget was an important plus. They were able to meet what was a challenging program schedule."
Christoph Strizik, head of IT risk and information security, Origin Energy

Managed security in action

Origin Energy is Australia's leading integrated energy company, serving 4.2 million customers in Australia and New Zealand with power generation, energy wholesaling and retailing, and gas exploration and production.

As a forward-looking organization, Origin Energy leverages a number of advanced technologies, from smart meters and mobile communications that give customers greater visibility into their energy usage to the digitizing of key assets in the company's upstream operations. Not surprisingly, as data becomes more crucial to its everyday activities, top managers sought to ensure the security of the company's IT assets.

DXC responded by supporting a Security Transformation Program designed to give Origin Energy greater visibility and protection across all of its business units. Specific DXC solutions included DXC Managed Security Services, Information and Event Management, Managed Network Security, and Endpoint Security Services.

Security risk management as a business driver

In a recent survey, only 28 percent of organizations said they monitored their internal applications for security-related events, and 4 percent reported monitoring their external-facing applications. 10

How do you protect one of the world's largest consumer beverage companies from data breaches and other security threats? If you are FEMSA, a leading independent Coca-Cola bottling group that runs the biggest chain of convenience stores in Mexico, you turn to DXC for managed security services.

FEMSA needed a security posture that would identify and mitigate technical security risks. It wanted a solution that would drive growth by enabling faster, safer integration of acquired companies.
The company sought to reduce costs, improve web responses, and enhance customer satisfaction. They turned to DXC to deploy a combined services model to address applications, infrastructure, and endpoint security in a managed, proactive environment.

FEMSA saw customer satisfaction scores increase to 92 percent, reduced costs, and improved maintenance and governance. The company is now prepared to prevent, detect, and react in case of a security breach or incident. So they can focus on growth, innovation, and transformation.

10 www.surveymonkey.com/r/ProtectSOC

A secure bank transformation

Security is always important, but protecting customers and key assets is absolutely crucial during periods of restructuring and transformation. When Hypo Alpe Adria Bank undertook a major reprivatization effort, and the move to a core banking technology platform, company leaders did not want to make the journey alone.

This growth-oriented financial services firm wanted one-stop capabilities for application service requests. It sought secure, ITIL-based banking with robust governance and maintenance, which had to meet new and more stringent local and international banking regulations.

DXC, their partner, deployed a shared IT services environment to address applications, network, server, and security management requirements. The DXC approach provided robust support for local banking subsidiaries. Consumption-based pricing enabled Hypo Alpe Adria to transform CAPEX into more flexible OPEX. Managed services took the IT burden off the bank, enabling leadership to focus on a major business digital transformation.

"With HPE (now DXC), we found a service provider with an international reputation and capabilities whose local presence ideally positions them to work in close cooperation with client banks and to carry forward the competency that we have built."
Rainer Sichert, chief operations and market officer, Hypo Alpe Adria-Bank International AG

Learn more at www.dxc.technology/security

It's a question of when, not if

Dangerous, well-funded opponents work diligently to penetrate and damage your organization. Most enterprises are breached on a regular basis. Many don't even know bad actors are already inside their extended business ecosystem. The question is no longer "if" but "when" will it happen; how hard will it be to fix; and how much a security incident will cost you in time, money, and lost brand equity.

Given the speed and sophistication of those adversaries, you really should be asking: Are we prepared to face these threats alone? Can we afford to build and operate our own world-class security risk management? The logical answers fall somewhere between "possibly" and "maybe."

But a real alternative has emerged. A best-in-class managed security services partner can offer cutting-edge, cost-effective, innovative services and amplify your scale, reach, and security effectiveness. Flexible in nature, with a variety of consumption models from full on-site integration to SaaS, they offer a credible alternative that exceeds the collective sum of parts. Proven outcomes and predictable costs allow you to focus your security and risk management resources where they are needed most.

For a growing number of growth- and innovation-oriented organizations, it's a rational alternative to interleave managed security services from a trusted partner.
One that gives you best-practices security while simplifying regulatory compliance. Protecting your enterprise so you can focus on your business.

The attacks are coming. Get ready.

About DXC

DXC Technology (NYSE: DXC) is the world's leading independent, end-to-end IT services company, helping clients harness the power of innovation to thrive on change. Created by the merger of CSC and the Enterprise Services business of Hewlett Packard Enterprise, DXC Technology serves nearly 6,000 private and public sector clients across 70 countries. The company's technology independence, global talent and extensive partner alliance combine to deliver powerful next-generation IT services and solutions. DXC Technology is recognized among the best corporate citizens globally. For more information, visit www.dxc.technology.

© 2017 DXC Technology Company. All rights reserved. DXC_4AA6-7400ENW. September 2016