Ness Cyber Security Services
This document contains Ness TSG proprietary information.
This document discloses subject matter in which Ness A.T. Ltd. has proprietary rights. Neither the furnishing, receipt nor possession thereof confers or transfers any right to reproduce or disclose the document, any part thereof, any information contained therein, except by written permission from, or within agreement with Ness A.T. Ltd.
Table of Contents
1. About Ness ... 3
2. Ness Cyber Security Services ... 4
2.1. Security reviews ... 6
2.2. Cyber engineering ... 7
2.3. Technology & methodology... 8
2.4. Training & Drills ... 9
2.5. Intelligence ... 10
2.6. Forensics ... 12
2.7. Cyber Security Center ... 14
Appendix A – CSC Components ... 17
1. About Ness
Ness Technologies is a global provider of IT and business services and solutions with over 30 years of experience, specializing in software product engineering, system integration, application development, consulting and software distribution.
With about 7,000 employees, Ness has operations in North America, Europe, Israel and India, customers in over 20 countries, and partnerships with numerous software and hardware vendors worldwide.
Ness TSG
Ness TSG is a global provider of advanced Command & Control, Communications, Computers, Intelligence, Surveillance and Cyber Security solutions.
The proven record of TSG’s deployed systems in the Defense, Cyber and HLS sector enables us to offer unique solutions and services that bridge effective intelligence processing, operational command and control and cyber, providing our customers with incomparable value.
The development of new concepts and innovative business models has been the basis of Ness TSG's strategy.
2. Ness Cyber Security Services
Cyber security is not only about technology, and should be managed as part of a holistic plan. Organizations today, with their limited resources, are rich in technology but poor in security solutions. Staying one step ahead is critical to the confidentiality, integrity and availability of your organization’s systems and data. Ness is a leading cyber security services provider, specializing in a wide spectrum of security fields. The company provides security services to global clients, financial institutions, telecom and manufacturing industries and government agencies.
Our employees originate from diverse backgrounds, such as government, critical infrastructure, telecom, banking, major municipalities and privately held companies. Our team has vast and comprehensive knowledge, based on years of hands-on experience.
Ness established its own Cyber Security Center (CSC) that provides cyber security services for the public and private sectors such as finance, insurance and retail.
Building on this experience and expertise, we also offer to build a CSC of the customer’s own, based on Ness’ field-proven technology, tools and methods. As prime contractor and integrator, Ness provides a comprehensive and cost-effective solution that helps customers face the ever-growing threats and challenges of the cyber environment.
Ness offers a wide range of cyber security services, which together provide our customers with a comprehensive protection and operation suite.
Security Reviews
• Security survey and "health check"
• Vulnerability assessment
• Penetration tests and "red team"

Cyber Engineering
• Threat evaluation
• Vulnerability mitigation recommendations
• System hardening
• Secure design - architecture, networks, development

Technology & Methodology
• Installation, implementation and integration
• Security solutions development
• New technology evaluation
• Procedures and methods of operation

Training & Drills
• Cyber security training - technology, operation, development, forensics
• All levels of personnel - senior commanders, managers, officers and operational level
• Cyber drills and simulation

Intelligence
• Gathering - Webint, OSint, DB & libraries, partners, internal sources
• Data fusion & analysis
• Actions & alerts

Forensics
• Identifying and investigating the nature of the attack and the amount of damage
• Pro forensics - for internal intelligence, checking the logs on a continuous basis and identifying threats and suspicious anomalies

Cyber Security Center
• All-aspects unified center with enhanced cyber capabilities and protection from cyber-attacks during routine & emergency
• 24/7 situation room, incorporating intelligence, forensics, command and control, response and monitoring
2.1. Security reviews
The goal of a security review is to provide the customer with an assessment and report on its security posture. The review is performed by Ness cyber professionals at the customer’s site or remotely, given network access.
Security review main activities:
Learning the customer’s working environment – architecture, networks, systems and applications, servers, policies etc.
Analysis of the customer’s environment – finding vulnerabilities and weaknesses in all levels (physical, infrastructure, systems, applications, procedural) according to cyber engineering best practices and relevant threats.
Report – producing a full report that summarizes the findings of the review, with recommendations to the customer for mitigating the problems.
Security reviews and health checks are performed ad hoc according to the customer’s requirements and/or periodically, as part of continuous assessment and/or regulatory requirements (e.g. for financial institutions).
We offer a variety of security reviews, such as security health checks, vulnerability assessments, penetration tests and “red team” exercises.
2.2. Cyber engineering
In today’s world, where new technologies and threats emerge every day, organizations struggle to keep up with the rapid changes. The Ness cyber engineering team provides consulting services that help customers face these threats and evaluate new technologies. Cyber engineering services:
Threat evaluation
Vulnerability mitigation recommendations
System hardening
Secure design – architecture, networks, development
Our consulting team members are experts in the information security domain and have vast experience in performing security assessments.
The team members keep up to date with evolving threats on one hand and with the latest technological developments on the other. Based on this in-depth knowledge, strong technical capability and experience, they propose creative, tailored solutions that meet the precise requirements of each client, in a manner that is cost-effective and supports the smooth daily operation of the organization.
Since our consultants have extensive backgrounds not only in information security but also in systems and application architecture, secure software development, database systems and network infrastructure, we can provide actionable remediation guidance to quickly and effectively address threats identified during assessments.
2.3. Technology & methodology
Buying technologies and tools is easy; using them efficiently and integrating them into the organization’s environment can be a difficult task. Our offering supports the integration of new technologies and tools and optimizes those already in use.
We offer comprehensive support for the assimilation process, from choosing the right solution, through installation and integration, to training and methods of operation. This process ensures that the assimilation of the technology succeeds and that the customer can fully utilize it in an efficient and professional manner. Ness experts keep up to date with the latest technologies in the cyber security domain and recommend the best solution according to the customer’s requirements and our analysis. Our solutions are based on best-of-breed available tools, as well as tools developed by Ness and dedicated development and adjustments for any customer-specific requirements. We also continuously evaluate new startups with new technologies and integrate them into our solutions offering. Our solutions, based on reliable, field-proven tools combined with innovative new technologies and our vast experience and integration capabilities, provide a state-of-the-art security suite.
Figure – Technology & methodology lifecycle (phases and their activities):
Analysis – Security Survey, Security Testing, Risk Analysis, Evaluation
Design – IT Security Strategic Plan, Procedures, Processes, Governance Policy, Architecture, Project Plan
Implementation – Management, Cyber Defense, Cyber Intelligence, Attack Investigation
Operation – Control, Monitor, Investigate, Research
2.4. Training & Drills
Ness cyber security professionals offer a wide variety of training and courses covering all cyber and information security aspects.
The courses are classified by subject and aspect of cyber security, such as development, forensics and warfare, and by level of personnel – senior commanders, managers, officers and operational level.
After the initial training and courses, our professionals continue to support the customer throughout the assimilation period. In addition, we run practices and drills for operational personnel and courses for new personnel.
Since our cyber professionals hold vast knowledge, any cyber and information security aspect can be addressed in the courses, and we adjust the content to each customer’s personnel and requirements.
For course examples and syllabi, please refer to Appendix B – Training & Courses.
The Ness training team also performs a variety of drills and cyber-attack simulations. Each exercise can simulate a different threat and evaluate the organization’s readiness in all aspects, technical and procedural. The drills are pre-coordinated with the customer and can use various hacking tools, simulators and dedicated “malicious” code written by our specialists in order to execute a cyber-attack safely.
As part of the drill, our “red team” attacks the organization while our “blue team” helps the organization to face the attack and provides recommendations and lessons during and after the drill for improving the customer’s capabilities.
The drills are scalable, and can be small or extensive, according to each customer’s requirements.
2.5. Intelligence
Cyber intelligence is the basis for any cyber security activity. An effective cyber security apparatus must be based on effective intelligence, which includes a thorough examination of the system, enabling vulnerability and risk assessment, as well as intelligence regarding potential attackers and suspicious activities.
By identifying the relevant, current and emerging threats to your organization, you can proactively identify and mitigate cyber-attacks and protect your assets.
In today’s digital world, organizations are continuously exposed to cyber threats and need to protect their assets from both internal and global threats.
Ness professionals have vast experience in intelligence; combined with our expertise in the cyber security domain, we have created a cyber intelligence operating concept based on technology and field-proven methodology.
Based on in-depth knowledge of our customers, we find and deliver only the relevant and actionable intelligence out of the endless ocean of information, along with recommendations and action items to mitigate the risk and reduce the threat level.
Operation Concept
The intelligence operation concept is based on our vast experience in intelligence operations as a lead supplier of intelligence systems.
The concept consists of the following steps:
Since the amount of information is limitless, automatic tools are used to continuously gather information from a variety of sources. Some of the information (such as unstructured text in social networks) needs to be processed to extract data entities prior to the correlation and data fusion step. The gathered data is indexed and then processed by big data analysis tools to find correlations within the data and with the EEI (Essential Elements of Information) defined by the intelligence officers; the result is intelligence items and reports. Further analysis is made by analysts to determine the classification and threat level of the items; if required, specific items are sent for further investigation, such as malware analysis and reverse engineering by expert teams.
The final step is to understand and implement the proper actions to protect the organization’s assets according to the threats, take preventive measures if required, and publish a report and instructions to all relevant personnel for implementing protection measures in their units and systems and for awareness and further caution.
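The steps above (gather, extract entities, fuse against EEI, classify), as an added worked example that is not Ness code: a small Python pipeline over a handful of feed items. The feed items, the EEI list and every indicator in it are constructed for the example; the scoring weights and the threat-level thresholds are assumptions, not Ness’ method.

```python
"""Added example, not Ness code: a minimal cyber-intelligence pipeline in the
shape described above (gather -> extract entities -> fuse against EEI -> classify).
All feed items, EEI entries, indicators, weights and thresholds are constructed
assumptions for illustration."""
import re
from dataclasses import dataclass, field

# Gathering: raw items as automatic collectors might deliver them (constructed).
RAW_ITEMS = [
    {"source": "osint:paste", "text": "dump for acme-bank.example admin@acme-bank.example pw list, c2 at 203.0.113.45"},
    {"source": "webint:forum", "text": "selling RDP access to corp.acme-bank.example, contact via 198.51.100.7"},
    {"source": "partner:feed", "text": "new loader sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 hitting retail orgs"},
    {"source": "osint:news", "text": "weather tomorrow sunny across the region"},
]

# EEI (Essential Elements of Information) as an intelligence officer might define
# them for one customer: own domains, attack-relevant terms, sector interest.
EEI = {
    "domains": {"acme-bank.example"},
    "keywords": {"rdp access", "dump", "pw list", "credential"},
    "sectors": {"bank", "retail"},
}

# Entity patterns for the extraction step. The domain pattern is narrowed to the
# reserved .example TLD so the sample stays self-contained.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.example\b")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


@dataclass
class IntelItem:
    source: str
    text: str
    entities: dict = field(default_factory=dict)
    score: int = 0
    level: str = "noise"
    matched: list = field(default_factory=list)


def extract_entities(text):
    """Data extraction: turn free text into structured indicators."""
    t = text.lower()
    return {
        "ips": sorted(set(IPV4.findall(t))),
        "domains": sorted(set(DOMAIN.findall(t))),
        "hashes": sorted(set(SHA256.findall(t))),
        "emails": sorted(set(EMAIL.findall(t))),
    }


def correlate(entities, text, eei):
    """Data fusion: score one item against the EEI. Weights are assumptions."""
    score, matched = 0, []
    t = text.lower()
    for d in entities["domains"]:
        # The customer's own domain, or any subdomain of it, is the strongest signal.
        if any(d == own or d.endswith("." + own) for own in eei["domains"]):
            score += 50
            matched.append("domain:" + d)
    for kw in sorted(eei["keywords"]):
        if kw in t:
            score += 20
            matched.append("keyword:" + kw)
    for sector in sorted(eei["sectors"]):
        if sector in t:
            score += 5
            matched.append("sector:" + sector)
    if entities["ips"] or entities["hashes"]:
        # Actionable IOCs are worth something even without a direct EEI hit.
        score += 10
        matched.append("has-ioc")
    return score, matched


def classify(score):
    """Threat level thresholds (assumed); the analyst still reviews every item."""
    if score >= 60:
        return "high"
    if score >= 20:
        return "medium"
    if score > 0:
        return "low"
    return "noise"


def run_pipeline(raw_items=RAW_ITEMS, eei=EEI):
    """Gather -> extract -> fuse -> classify; returns non-noise items, highest first."""
    items = []
    for raw in raw_items:
        item = IntelItem(raw["source"], raw["text"])
        item.entities = extract_entities(item.text)
        item.score, item.matched = correlate(item.entities, item.text, eei)
        item.level = classify(item.score)
        items.append(item)
    return sorted((i for i in items if i.level != "noise"), key=lambda i: -i.score)


if __name__ == "__main__":
    for item in run_pipeline():
        print(f"[{item.level:6}] score={item.score:3} {item.source}: {', '.join(item.matched)}")
```

The two items that name the customer’s domain come out on top, the partner hash lands as a low-priority item that still carries an IOC, and the weather line never reaches the analyst. In a real pipeline the EEI, not the code, is what the intelligence officers tune.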
Gathering
• Multiple sources • Automatic tools • Public, open source, hidden
Data Fusion
• Correlation • Integration • Data extraction
Analysis
• Classification • Automatic tools • Human analyst • Investigation
Action
• Protection • Prevention • Awareness
2.6. Forensics
Cyber security aims to protect information and services through various mechanisms and methodologies. It is an ongoing race between hackers and security experts, a race in which the hackers sometimes take the lead. The next step in such a scenario is to investigate, in order to better understand how to protect ourselves in the future.
Cyber forensics is the art of discovering what happened once there is a suspicion or an actual incident.
Ness believes there is much more to cyber forensics. Our approach offers a three-stage solution for your organization:
Proactive Forensics
Dedicated mechanism for aggregation of critical intelligence from your systems, as an indicator for a potential cyber incident.
Incident Management
Based on our proven methodology and years of experience, we will assist your organization in handling cyber threats and incidents in a dedicated and professional manner.
Forensic Investigation
Our experts will conduct a thorough analysis of the compromised systems, followed by a full and detailed report and recommendations on how to protect your organization from cyber incidents.
By implementing our methodology, you will ensure a complete cyber incident management solution for your organization.
Figure – Forensics offering (Proactive Forensics, Incident Management, Dedicated Forensic Investigation):

Pre-incident Preparation – Proactive (Real-time) Forensics
Our Solutions:
Forensics lab design and implementation, maintenance and audit, enhancement
Proactive forensics systems: aggregation and analysis of the customer's logs; an automated system for incident detection; smart data harvesting for potential real-time incident discovery (pre-incident)
Post-incident: database for post-mortem incident analysis

During a Cyber Incident – Incident Management
Our Services:
On-site CERT
CERT management
Security incident analysis
CERT training

Post-incident Analysis – Post-incident Forensics (Ad-hoc Digital Forensic Investigations)
Our Services:
On-site forensics services
eDiscovery
Covert investigations
Legal assistance (evidence preparation, court presentations, etc.)
Mobile forensics
Malware discovery and analysis

Training
Training Offering:
Forensic data mining
Mobile forensics (with/without official Cellebrite certification)
Cyber forensics essentials
Network forensics
Customized training sessions and workshops
2.7. Cyber Security Center
The Cyber Security Center (CSC) provides an all-aspects unified center to protect the customer in cyberspace. The CSC provides organizations with enhanced cyber capabilities and protection from cyber-attacks during routine and emergency. The CSC offers an innovative technology and operational concept, incorporating intelligence, forensics, command and control, response and monitoring capabilities, along with methods, procedures and our experienced and professionally trained personnel. More details about the CSC components are available in Appendix A – CSC Components.
CSC added value
One stop shop – all cyber security aspects and services
24/7 cyber security awareness and control room – routine & emergency
Overall operating concept combining an innovative response team, intelligence, forensics, monitoring and command & control, integrating all aspects together
State-of-the-art technologies
Knowledge, professionalism and quality
Flexibility and responsiveness
Readiness for regulation
Advanced training and drills
Figure 1 – Cyber Security Center Architecture: the Cyber Security Center comprises Monitor & Report, Intel, Response Team, Training and Drills, Tech Center and Forensics.
CSC establishment
The establishment of a CSC is based on 4 main activities:
Design – this phase consists of all engineering required for the project, including security surveys, architecture analysis and design. In this phase Ness cyber professionals learn the organization’s architecture, systems, networks, policies and procedures, and formulate a complete deployment plan for the CSC according to the customer’s requirements.
Implementation – in this phase the CSC is built according to the deployment plan.
Training – during and after the CSC deployment, Ness cyber professionals train the customer’s personnel. The comprehensive training covers a wide range of subjects and all levels of personnel, at the end of which the customer can fully operate the CSC and all its capabilities autonomously.
Operation – a fully operational CSC operated by the customer’s personnel.
Ness has developed the CSC to face the rapidly evolving and growing cyber threats. The CSC is based on our vast experience along with innovative concepts and state-of-the-art technology. The CSC components consist of technologies and tools developed by Ness together with best-of-breed solutions and tools available in the market, integrated into a complete suite.
Combining these solutions with the extensive training and support provided by our highly professional personnel, along with field proven methodologies, our customers gain a comprehensive solution to face cyber threats and protect their assets.
Innovative Operation Concept
Unified, Proactive Cyber Security Center, with the following capabilities:
External and internal intelligence integrated with information sharing with other sources, combined with analytics over big data and human analysts
Monitoring of the overall situation picture, including Cyber Command & Control, SIEM (Security Information and Event Management) and other monitoring systems
Response teams
Forensics – identifying and investigating the nature of the attack and the amount of damage
Pro forensics – checking the logs routinely with forensics tools and identifying threats and suspicious anomalies that need further investigation (this process is also referred to as internal intelligence)
Recovery process support
Frequent vulnerability assessment and "red team" tests
Periodic training and drills
Appendix A – CSC Components
1. General
The Cyber Security Center is based on all the capabilities and services detailed above, consolidated into an overall suite and service.
The CSC provides an all aspects unified center for Cyberspace protection during routine & emergency.
The CSC offers an innovative technology and operational concept, incorporating intelligence, forensics, command and control, response and monitoring capabilities, along with methods, procedures and our experienced and professionally trained personnel.
Figure 3 – Cyber Security Center Architecture: the Central Command Post coordinates Monitor & Report, Intel, Response Team, Training and Drills, Tech Center and Forensics.
2. Central Command Post
Goal
Cyber Security Center command
Capabilities
Command post functional 24/7
Management and integration of all the center’s aspects
Cyber commanding officer
Daily/weekly assessment of threat level and DEFCON level.
Technology
Command and Control tools
3. Intelligence
Goal
Intelligence awareness for the center and alerting potential threats.
Capabilities
Continual gathering of intelligence from different sources (Webint, OSint, internal sources, partners and industry leaders’ libraries).
Alerts – formation and distribution of alerts in real time.
Periodic reports – dissemination of periodic assessments to relevant population (executive summary or detailed report).
Ad-hoc reports – regarding a specific threats and the preventing actions needed.
Internal intelligence – using the pro-forensics method as internal intelligence: the forensics tools are used for ongoing pre-incident investigation.
Analysis and sharing of feedback for effective response processes and prevention.
Technology and tools:
Sources – Webint, OSint, internal sources, industry leaders’ libraries
Big data search engine and correlation tools
Semantic analysis tools
Data fusion tools
Human analysis
Pro-forensics
4. Monitoring & Reporting
Goal
Prevention, detection and identification of events in cyberspace.
Collection and dissemination of information to relevant branches and units.
Capabilities
Monitoring SIEM and other customer systems.
24/7 operation.
Creating a unified Situation Awareness picture.
Dissemination of information on threats, incidents, assaults and methods of response in real time.
Dissemination of guidelines for the prevention and defense against emerging threats
Distribution of intelligence information.
Technology and Tools:
SIEM
Cyber Command & Control
Secured platform providing information sharing capabilities such as documents, portal, blogs etc.
5. Forensics
Goal
To identify the attack and to map the nature of the supposed damage.
Capabilities
Identifying and investigating the nature of the attack and the amount of damage.
Pro forensics – checking the logs on a continuous basis with the same tools and identifying threats and suspicious anomalies that need to be checked – internal intelligence.
Supporting the response team in real time and/or during a later investigation.
Gathering legal evidence.
Technology
Use of "Best of Breed" products based on knowledge/experience.
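The pro forensics capability described above (and in section 2.7): checking logs continuously and surfacing anomalies that need investigation. As an added example that is not Ness code, two simple detections run over constructed authentication log lines in Python. The log format, the baseline of known user-to-source pairs and the thresholds are assumptions; in a real deployment the lines would come from the SIEM or log aggregation the section mentions.

```python
"""Added example, not Ness code: the "pro forensics" / internal-intelligence
idea of checking logs continuously and flagging anomalies for investigation,
shown as simple detections over constructed authentication log lines.
The log format, the baseline of known user->source pairs and the thresholds
are assumptions for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed key=value format). 203.0.113.45 is a
# documentation address standing in for an unknown external source.
SAMPLE_LOG = """\
2024-03-04T01:02:10Z host=vpn1 user=alice src=10.0.5.12 result=success
2024-03-04T01:05:41Z host=vpn1 user=bob src=10.0.5.20 result=success
2024-03-04T02:14:03Z host=vpn1 user=admin src=203.0.113.45 result=fail
2024-03-04T02:14:09Z host=vpn1 user=admin src=203.0.113.45 result=fail
2024-03-04T02:14:15Z host=vpn1 user=admin src=203.0.113.45 result=fail
2024-03-04T02:14:21Z host=vpn1 user=admin src=203.0.113.45 result=fail
2024-03-04T02:14:27Z host=vpn1 user=admin src=203.0.113.45 result=fail
2024-03-04T02:16:30Z host=vpn1 user=admin src=203.0.113.45 result=success
2024-03-04T03:30:00Z host=fs1 user=carol src=10.0.5.33 result=success
this line is malformed and must be skipped, not crash the run
"""

# Baseline of sources each user has been seen from (assumed, built from history).
BASELINE = {
    "alice": {"10.0.5.12"},
    "bob": {"10.0.5.20"},
    "carol": {"10.0.5.33"},
    "admin": {"10.0.5.2"},
}

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|fail)$"
)


def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, baseline=BASELINE, fail_threshold=5, window=timedelta(minutes=5)):
    """Run the detections over an iterable of log lines (a file, a tail, a queue).

    Rule 1: fail_threshold failures for the same (src, user) inside `window`.
    Rule 2: a success for that pair while such a burst is still in the window.
    Rule 3: a success for a user from a source not in the baseline.
    State is kept per (src, user), so the same loop works incrementally when
    fed new lines in time order.
    """
    findings = []
    recent_fails = defaultdict(deque)                  # (src, user) -> timestamps in window
    known = {u: set(s) for u, s in baseline.items()}   # copy: learning must not mutate input

    def finding(rule, ev, detail):
        return {"rule": rule, "user": ev["user"], "src": ev["src"],
                "ts": ev["ts"].isoformat(), "detail": detail}

    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue                                   # unparsable line: skip, do not abort
        key = (ev["src"], ev["user"])
        q = recent_fails[key]
        while q and ev["ts"] - q[0] > window:          # expire failures outside the window
            q.popleft()
        if ev["result"] == "fail":
            q.append(ev["ts"])
            if len(q) == fail_threshold:               # fire once per burst
                findings.append(finding("auth-fail-burst", ev,
                                        f"{fail_threshold} failures within {window}"))
            continue
        if len(q) >= fail_threshold:
            findings.append(finding("success-after-burst", ev,
                                    "login succeeded after a failure burst"))
        seen = known.setdefault(ev["user"], set())
        if ev["src"] not in seen:
            findings.append(finding("new-source-for-user", ev,
                                    "first login for this user from this source"))
            seen.add(ev["src"])                        # learn it so it is reported once
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['rule']:22} user={f['user']} src={f['src']}  {f['detail']}")
```

On the sample, the three findings all point at the same admin login from 203.0.113.45: a burst of failures, a success right after it, and a source the baseline has never seen. Each rule alone is noisy; the value of the "internal intelligence" step is that an analyst sees them together and decides what to investigate.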
6. Technological Center
Goal
Professional and up-to-date knowledge base of all Cyber Security aspects.
Capabilities
CTO
Consulting
Study, analysis and recommendations for future technology implementation among customers and within the center
Recommendation of a technological solution to a new threat
Vulnerability assessment and "red team"
Knowledge management and organizational long term memory
Technology
Utilizing various VA tools for continuous assessment combining with proactive forensics approach and tools.
7. Response Team
Goal
Response, neutralization, prevention and reduction of damage during an incident.
Capabilities
Response and intervention
Activation of the entire CSC to handle the current challenge
Work practices and procedures during an incident
BCP
Technology
Deployable and fixed tools
8. Training and Drills
Goal
Training and drills in order to assess and improve the customer's cyber security capabilities.
Capabilities
Courses and training – cyber awareness, configuration and operation optimization for specific tools and systems (used by the customer), forensics, secure development (.NET, Java, C++, HTML5, Mobile) and more
Periodic drills – scalable, small or large
Monitoring and feedback
Examination of applications and tools, technologies and new concepts
Joining practices and drills at the national level
Technology
Appendix B – Training & Courses
1. National cyber security for commanders
About the course
National cyber security briefing is a unique executive technical and operational training, reviewing current and evolving strategic cyber threats, countermeasures and case studies, intended for national security executives setting organizational roadmaps in terms of technological research, development and policies. This training reviews cyber warfare tools and tactics vs. national level cyber security concepts, technologies and architectures, emphasizing commonly exploited gaps and pitfalls in national level cyber security suites. Those pitfalls are used by adversaries to gather information or cripple IT based operational facilities and processes.
Attendees will acquire a broad understanding of organizational cyber security planning considerations, as well as known attack vectors used by national-level adversaries.
The goals of the course
Understand the cyber domain
Understand the various threat elements inside the cyber domain
Grasp the technological background of attacks
Understand the considerations and aspects of building a cyber-policy
Who should attend this training
The training is designed for executives who set the organizational roadmap in terms of technological research, development and policies.
Course length
Course Syllabus
Introduction and history of cyberspace
Introduction to cyber warfare
Cyber as a platform for psychological warfare
Introduction to cyber defense
Technological building blocks
Security regulations, standards and procedures
BCP & DRP
Secure Development Lifecycle
The Human Factor
Cyber Intelligence
Hardware malware
Incident response
Cyber Range
Mobile security
2. Incident Management and Response
About the course
In today’s world, every organization depends on its computer systems. As a direct outcome, organizations and companies face many security and cyber incidents. It is of great importance to know and understand how to manage such incidents.
The incident management course provides participants with the theory and practice of managing cyber security incidents. Participants will understand the theory behind successful management and will have an opportunity to practice the concepts learned. The emphasis of the course is a one-of-a-kind “live” incident response workshop.
The course was designed to address both security managers and technical staff.
Pre-Requisites
Experience in information security, 2 years minimum
Comprehensive experience with operating systems (Windows and Linux).
Comprehensive knowledge of cyber security concepts (according to the Q-101 training syllabus).
Comprehensive knowledge of computer network protocols.
Experience with programming tools and environments – an advantage.
Experience with IDS/IPS/SIEM/SOC – an advantage.
The Goals of the course
Graduates will be able to:
Define incidents in their environments
Create the needed procedures for incident management
Evaluate incident severity
Analyze and manage an incident
Course length
5 days of 8 academic hours
Course syllabus
What is an incident?
Understanding the different kinds of incidents
Understanding and implementing security sensors
Concepts of controlling and managing an incident
Creating key procedures for incident management
3. Introduction to Access and Identity Control
About the course
Some of the challenges that today’s organizations face include the need to allow personnel to work in the field and outside the office, to allow access to internal resources, and to implement single sign-on (SSO) solutions so that users do not need to provide their credentials over and over again.
The course was designed to address both security and infrastructure managers and technical staff.
Pre-Requisites
Basic knowledge of System Administration and security concepts.
The Goals of the course
By the end of the course you will be familiar with general remote access, identity and federation concepts.
Course length
2 days of 8 academic hours
Course syllabus
Remote Access methods
o VPN, SSL-VPN, Site-to-Site VPN
o Remote Desktop, VDI
o Proxy and Reverse-proxy
o Direct-Access
Authentication and Single Sign-On
o Form-based authentication
o Basic authentication
o NTLM
o Kerberos
Multi-Factor authentication
o OTP
o PKI
Federation concepts
o Claim-based authentication
o ADFS
4. Secure Application Development Lifecycle
About the course
It is common knowledge nowadays that application security is not only preventing SQL or code injection on organizational web sites, but rather an on-going process of guiding the development projects, starting from the characterization phase and all the way up to system assimilation and final operational capability.
During this course we will review the various development phases (architecture, design, coding, testing, deployment) and understand exactly how security considerations and methodologies fit into each development phase. This course is intended both for application developers and for information security professionals accompanying the development process. Attendees will acquire secure application development lifecycle skills, tools and methodologies which they will be able to assimilate into existing organizational application development processes.
This workshop also covers all professional materials required by Certified Secure Software Lifecycle Professional (CSSLP) international certification.
Pre-Requisites
Good understanding of application development concepts and technologies.
Confirmed knowledge of cyber security concepts, and application level
Workshop Goals
Attendees will successfully complete all training hands-on challenges and pass final exam.
Graduates will be able to:
Understand the Secure Development Lifecycle (SDL) process phases and activities
Implement SDL in organizational application development projects
Determine which application security testing technologies can be most effective in their organizations
Provide SDL awareness training for application developers
Workshop Length
5 days of 8 academic hours
Workshop Syllabus
Introduction to application security
Principles of securing an application
Common application technologies review
Common application infrastructure
Common threats
Web 2.0 security
Secure development process
Security testing
Best practices and techniques for secure application development
Authentication and authorization
5. Cyber War gaming: Red team – blue team workshop
About the course
Every organization needs “battle-tested” IT personnel in order to defend its networks against attacks. The most effective way to provide this experience is to recreate the exact scenarios they will see in the real world.
The cyber war gaming course gives these "cyber warriors" the tools and experience they need for their job. In a lab containing servers, network equipment, SCADA and control systems, web applications, telephony systems and other common infrastructure, attendees have a rare chance to think like a hacker on one hand and understand the defensive considerations on the other.
The unique format of the course includes 3 parts:
3 days of theoretical seminars to familiarize the attendees with offensive and defensive tools and considerations.
3 days of hands-on training. During those days attendees are divided into two teams: an attack team, which simulates a group of hackers trying to hack different kinds of systems, and a defensive team, which tries to protect its networks, handle cyber events in real time and prevent the attack team from succeeding in its mission. The workshop is built as a competition between the teams; the team with the highest score wins. Each team will have the chance to play both attacker and defender roles.
1 day of summary and drawing conclusions from the simulation.
Pre-Requisites
Experience in information security field, 2 years minimum
Experience with operating Windows and Linux operating systems.
Confirmed knowledge of cyber security concepts (according to the Q-101 training syllabus).
Confirmed knowledge of computer network protocols.
Experience with programming tools and environment is an advantage.
Workshop goals
Graduates will be able to:
Identify and analyze risks in their environments
Build security plans for their networks
Understand the considerations and courses of action of attackers
Respond to and protect against cyber warfare attacks
Workshop length
7 days of 8 academic hours
Workshop syllabus
The different kinds of attackers – their motives, their abilities, etc.
Common threats – what do we protect
Attack considerations
Common ways of attack
Simple attack tools
Basic safeguards
Risk analysis and choosing countermeasures
Red team – blue team workshop
Cyberspace security is full of significant, multidimensional challenges. Ness has developed innovative concepts and capabilities to meet these challenges. Our capabilities are based on knowledge and professionalism and help our customers protect their assets and reduce the threat level.