presentation update
ACME BANK PRIORITIES
1
| Leading Customer Experience | Digitising the group | Maximising Group Capabilities | Transforming ways of working |
| Driving stronger relationships through best-in-class propositions while continuing to provide our customers with brilliant service and a seamless experience across all channels | Deploying new technology to improve our efficiency and make banking simpler and easier for customers | Aligning the Bank’s capability to deepen customer relationships and grow in targeted segments | Enhancing employee skills and processes, investing in agile working practices and embracing new technology to drive better outcomes for customers |
USE CASES
2
| Title | Description | Status | |
| F1 | McAfee AV | Find McAfee AV running or stopped across workstations and servers. Potential to drill down where necessary | |
| F2 | Malicious Indicators | Using IOC Detect (later Detect3 and Signals) to find MD5 Hash, IP address, URL domain for specific IOC provided by threat intelligence. | |
| F3 | Malware Persistence | Find malware persistence (suspicious file reference in an unmanaged schedule task) using file creation, deletion, rename sensors and show entries if the parent process is powershell, WMI, cmd, CScript or WScript | |
| F4 | Lateral Movement | Combining the command line, scheduled tasks, and WMI sensors to find remote logins, remotely executed commands and executed malware | |
| F5 | C2 Connection Attempts | Find Command and Control (C2) connection attempts by searching for services listening for inbound connections on systems exposed to the Internet | |
| F6 | File Shares | Find shares a user should not be connect to. Use Connect to pull a user’s privileges from AD, then correlate with Tanium to list of open public network shares | Thread Response needed |
| F7 | Rogue Device Connection | Rogue device detection for high-risk endpoints. Use “connected USB storage device” sensor to Payments, C-Level, SWIFT machines containing sensitive date. Dependent on Trace for historical information | Need Computer Groups & Trace |
| F8 | Privileged Account Attempts | Find attempts to break into highly privileged accounts. Restrict Windows Security Event log sensor for login failures to static list of critical administrator accounts | Need Privileged Account & Trace |
| F9 | Malicious Processes | Identify rare, malicious processes. Use the running processes + file path, loaded libraries (DLL) and loaded drivers sensors and sort by count. Send hashes to VirusTotal via Connect | Thread Response needed |
| F10 | Infection Attempts | Search for unusual parent processes such as Outlook, Word, notepad, cmd to detect malicious process execution and file creations | Thread Response needed |
Tanium SQ (Auto)
Into Splunk
Apply Logic
Create JIRA
24/7 SOC
Into Hadoop
FIRe
Needs work
Ready
Future
Above based on guidance from FIRe team
USE CASES (Continued)
Current Status (Security Tools Team, VM, Other)
3
| Title | Description | Status | |
| E1 | Agent Identification | Identification of presence of Security Tools Team managed agents (beginning with syslog, Titus, Encase) and eventually others (McAfee) | |
| E2 | Agent Health Check | Identify where an agent may be disabled, require a reboot, or where a version or config file may need updating | |
| E3 | Agent Fix | Via appropriate actions and packages, ensuring any issues identified with agents are rectified quickly and efficiently |
Security Tools Team
| Title | Description | Status | |
| V1 | Patch Assurance | If and where a patch has been deployed (Windows Security Patch) | |
| V2 | Vulnerable Assets | Identification of vulnerable asset based off Cyber Threat Intelligence | |
| V3 | Host Security Applications | Ability to see where vulnerable machines do not have compensating controls in place to mitigate vulnerabilities (eg McAfee HIPS) | |
| V4 | Host Configuration | Ability to view the configuration/policy settings across the estate on a per-host basis to ensure that appropriate policy and configuration settings are in place | |
| V5 | Threat Modelling | Translating industry attack frameworks (MITRE Att&ck) into questions to proactively secure the environment |
VM
| Title | Description | Status | |
| X1 | IT Asset Mgt | SAP, Tableau footprint, general SW, HW asset management | |
| X2 | Privileged Accounts | Assisting wider Privileged Accounts project to identify quick wins in Tanium (eg listing Windows services and scheduled tasks) | |
| X3 | NYC Office | Patching and general IT security and operations use cases (TBD) | |
| X4 | M&A | Using Tanium to assess and improve the health of machines from acquired companies | |
| X5 | Win10 | Using Tanium to determine appropriateness of specs for Win10 migration | |
| X6 | Venafi / SSH Key | TBD | |
| X7 | Unauthorised Software | TBD | |
| X8 | Divestiture Machines | Using Tanium to quickly and efficiently wipe (‘brick’) ex-Divestiture machines |
Other
Needs work
Ready
Future
Above based on guidance from Security Tools Team
Above based on guidance from VM
Above based on numerous sources
ACCOUNT TEAM ACTIONS / GOALS
4
| ID | Title | Description | Owner | Status |
| 1 | Partner Planning Day | Hold a day planning session (Account Team) plus key Partner (IT Experts Ltd) to plan a joint ‘art of the possible’ roadmap session | AM | Overdue |
| 2 | Enhance Account Plan | Describe use cases, resources, sales campaigns | AM / TPM | |
| 3 | Demo for Pete | Complete demo for Pete | AM / TAM | Overdue |
| 4 | Complete Operating Model | Work with Taylor’s team to complete RACI and Comms plan | TPM | |
| 5 | Complete 1 IT Ops 1 pager | Describe 20 key IT Operations industry level pain points in a 1 pager | AM / TAM / TPM | |
| 6 | 7.3 upgrade session | Set up 7.3 upgrade planning session with Taylor and team | TAM | Overdue |
| 7 | Centre of Execellence | Drive CoE planning and launch in 3 months time | TPM | At Risk |
| 8 | 12 month plan | Build 12 months plan for account | TPM / AM | Overdue |
Goals
Strategic partner for ACME to help achieve their goals
Secure renewal of contract
Upsell Asset
Maintain account referencability
Flagship ROI account