Cavirin corp q4-extended

Transcript of Cavirin corp q4-extended

COMPANY OVERVIEW

AGENDA

1. About Cavirin

2. What we do

3. CISO Challenges

4. Use Cases

5. Cavirin Automated Risk Analysis Platform (ARAP)

6. Solving for the road ahead

ABOUT CAVIRIN

Founded: 2012
HQ: Santa Clara, CA
Employees: 60+

Cavirin enables companies to proactively manage IT security and compliance risk in the datacenter, the cloud and container.

Cavirin is backed by SRA, Inc., a $700m annual revenue public company.

Investors | Industry Alliances | Key Partners | In the News

COPYRIGHT © 2016 CAVIRIN SYSTEMS

WHAT WE DO

Coverage: IaaS, PaaS, SaaS, Cloud Security, Containers, Data Centers, Private Cloud, Hybrid

Cavirin provides real-time risk scoring and continuous compliance through remediation guidance, resulting in an improved enterprise security posture, a reduced attack surface and expanded compliance readiness.

Automated Risk Analysis drives continuous security and compliance improvement across Datacenter, Cloud, and Containers


MULTI CLOUD SOLUTION

• Native Cloud solution is designed specifically for both legacy and cloud computing architecture

• Discovers all major clouds

• Assesses relative to Cloud and other Security Benchmarks

• Provides output against major assessment models such as HITRUST, PCI DSS 3.2, SOC 2, NIST 800-53, ISO 27002, Cybersecurity Framework, CIS CSC 6.1 Top Twenty

• Leverages the DISA STIG and CIS Benchmark NIST SCAP protocols as well as expert custom scripted policies

• CIS Benchmarks are CIS Certified

MSP & CSP


SIMPLIFY AND AUTOMATE SECURITY & COMPLIANCE

Clouds: AWS, Azure, Service Providers & MSP

Minutes to Install: quickly deploy across your data center and cloud (agentless)

Cloud & Container Aware: support bursting of instances without losing security and compliance

Immediate Value: out-of-the-box policies for CIS, NIST, PCI, HIPAA, ISO, and much more

Customize & Extend: easily author and deploy your own policies

Cavirin Automated Risk Analysis Platform


CISO CHALLENGES

• Increased Risk of Breach and Exposure

– Driving increased audit and compliance pressure

• Cloud and DevOps Automation

– Lack of risk visibility across complex hybrid IT infrastructures

– DevOps automation breaks legacy security and compliance tools

• Manual Security and Compliance Processes

– Automated Security, Risk and Compliance Tools Required

• Cybersecurity Increasingly About Risk Management

– Legacy security solutions failing to keep pace with new technology

“Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.” GARTNER INC.


USE CASES

• Cloud Security and Compliance – Across On-Premises, Cloud, and Containers

– Continuous Improvement of Security Posture

• IT Risk Management – Real-Time, Automated Risk & Compliance Scorecard

– 3rd Party Vendor and M&A Risk

• Compliance Automation – Automated Audit Reporting for PCI, HIPAA, NIST & all major frameworks

• DevSecOps – Integration with CI / CD Processes and DevOps Toolchains


RISK MANAGEMENT - RIGHT SIZED AND PROACTIVE


GET COMPLIANT – STAY COMPLIANT

Ongoing Business Requirements:

CIS Benchmark
DISA STIGS
NIST 800-53 r4 & Appendix J
PCI DSS 3.2
SOC2 2016
HIPAA HITECH
CSF Cyber Security Framework
ISO27002
CIS CSC Top 20
UK Cyber Essentials
CJIS
FedRamp

CLOUD CAPABILITIES

CLOUD SECURITY OUT OF BOX COVERAGE

COMPLIANCE – Unified Assessment Models

Clouds: AWS, Azure, Google

Assessment models: PCI DSS 3.2; HIPAA - HITRUST; NIST 800-53 r4; ISO 27002:2013; DISA STIGS; SOC 2 + Privacy; CSC 6.1 Top 20; CIS Benchmarks; FedRamp (NIST 800-53 r4); Cybersecurity Framework (CSF); CJIS; UK Cyber Essentials

Environments: Public Cloud, SaaS, On Premise, Private Cloud, Hybrid & Containers

More environments, more assessments, more policies: 150,000 instances of system policy to control mapping, and 250K+ by 2017

ASSESSMENT MODELS, OS, CIS BENCHMARK AND STIGS

Columns after "Scoring authority": Organic Policies Scored, then one column per assessment model.

Operating System or Environment | Scoring authority | Organic Policies Scored | CIS CSC (Center for Internet Security Critical Security Controls Version 6.1) | Criminal Justice Information Services (CJIS) Security Policy* | CSF (Framework for Improving Critical Infrastructure Cybersecurity) | HITRUST CSF 2015 | ISO/IEC 27002:2013 | NIST 800-53 r4 and Appendix J Privacy | FedRamp* (uses NIST 800-53 r4 guidance) | PCI DSS V3.2 | Trust Services Principles and Criteria 2016 AICPA - SOC 2 | UK Cyber Essentials*
Total Control Universe | | | 20 | 65 | 22 | 45 | 35 | 266 | 266 | 13 | 63 | 5
Amazon Linux | CIS | 215 | 1993 | 430 | 860 | 1924 | 1692 | 1644 | 1644 | 981 | 1604 | 215
CentOS 7 | CIS | 211 | 1985 | 422 | 861 | 1916 | 1704 | 1636 | 1636 | 976 | 1608 | 211
Red Hat Enterprise Linux 7 | CIS | 224 | 906 | 448 | 906 | 2016 | 1775 | 1726 | 1726 | 1027 | 1681 | 224
CentOS 5 (custom, EOL) | DISA | 399 | 399
CentOS 6 | CIS | 207 | 1958 | 414 | 859 | 1894 | 1694 | 1617 | 1617 | 966 | 1594 | 207
Red Hat Enterprise Linux 6 | CIS | 211 | 3461 | 422 | 883 | 1930 | 1715 | 1649 | 1649 | 986 | 1618 | 211
Red Hat Enterprise Linux 6 | DISA | 174 | 312 | 348 | 52 | 364 | 181 | 174 | 174 | 207 | 258 | 174
Windows Server 2012 R1 | CIS | 312 | 3509 | 624 | 2438 | 3864 | 3927 | 4234 | 4234 | 2126 | 3701 | 312
Windows Server R2 Domain Controller 2008 | DISA | 276 | 630 | 552 | 156 | 756 | 520 | 414 | 414 | 327 | 523 | 276
Windows Server R2 Member Server 2008 | DISA | 267 | 402 | 534 | 150 | 469 | 338 | 267 | 267 | 206 | 331 | 267
Windows Server R2 Domain Controller 2012 | DISA | 299 | 477 | 598 | 177 | 531 | 417 | 299 | 299 | 250 | 382 | 299
Windows Server R2 Member Server 2012 | DISA | 290 | 460 | 580 | 162 | 505 | 389 | 290 | 290 | 237 | 369 | 290
Ubuntu 12* | CIS | 92 | 276 | 184 | 276 | 368 | 276 | 368 | 368 | 184 | 276 | 92
Ubuntu 14.04* | CIS | 233 | 699 | 466 | 699 | 932 | 699 | 932 | 932 | 466 | 699 | 233
Docker AWS Linux | CIS | 40 | 120 | 80 | 120 | 160 | 120 | 160 | 160 | 80 | 120 | 40
Docker Ubuntu 14.04 | CIS | 40 | 120 | 80 | 120 | 160 | 120 | 160 | 160 | 80 | 120 | 40
ESX 5.5* | CIS | 53 | 159 | 106 | 159 | 212 | 159 | 212 | 212 | 106 | 159 | 53
Windows Desktop Enterprise 7* | CIS | 342 | 1026 | 684 | 1026 | 1368 | 1026 | 1368 | 1368 | 684 | 1026 | 342
Windows Desktop Enterprise 10* | CIS | 405 | 1215 | 810 | 1215 | 1620 | 1215 | 1620 | 1620 | 810 | 1215 | 405

Total: 151,668

*limited publication - not in general release till Q4 2016


MITIGATE YOUR SECURITY & COMPLIANCE EXPERTISE RISK

• Security and Compliance experts map compliance process and testing to specific assertions of best practice across operating systems, environments, and devices.

• When best practice criteria are not met, an aggregate score is presented with exact steps for remediation

CAVIRIN MITIGATES EXPERTISE RISK BY PROVING EXISTENCE OF IT SECURITY PROGRAM AT OS, ENVIRONMENT, DEVICE LEVELS


FROM RISK TO REMEDIATION AND CYBER RESILIENCE

Deep Asset Discovery
Agentless Device Scan
Risk Analysis
Detailed Remediation Guidance
One Button Risk Score & Assessment

Cavirin Continuous Improvement Process

SOLVING FOR NOW AND THE FUTURE

Scalable to 100K devices with minimal footprint and setup

API integration

Pre-built connectors facilitate popular 3rd party scanning and data driven workflow

DevOps style Security Operations

Intuitive UI and rich dashboard reporting

Risk Signaling Engine

Rapid adoption across all RegTech requirements – maintaining your compliance readiness


COMPLIANCE REPORTING DASHBOARD


REDUCING COMPLIANCE SPEND

Compliance Standard (Avg # servers in Mid - Large Enterprise) | Manual Testing: average number of hours for entire process | Automated Testing: average hours per process – consider duplicate work savings
PCI Audit Process (+50 servers) | 450 – 520 hours | 20 – 35 hours
NIST 800-53 (+200 servers) | 860 – 1200 hours | 28 – 40 hours
DISA Hardening BP (+50 servers) | 320 – 480 hours | 20 – 30 hours
SOC 2 (+80 servers) | 600 – 800 hours | 20 – 34 hours
HIPAA Guidelines (20 – 30 servers) | 280 – 400 hours | 20 – 30 hours
CIS Benchmarks (400 – 500 servers) | 600 – 800 hours | 30 – 42 hours
AICPA SOC2 (800 – 1200 servers) | 920 – 1280 hours | 30 – 40 hours
Vulnerability Checks (+500 servers) | 640 – 800 hours | 24 – 35 hours

Imagine hours to monitor all servers for all conditions


WHAT CUSTOMERS ARE SAYING…

“Cavirin has saved my team weeks of manual audits. ARAP’s continuous scanning functionality allows for us to watch for policy drift that may occur, as well as any misconfiguration or malicious intent. Having direct access to this information helps ease the burden of audit compliance.” – Ray Espinoza, Director of Security, Gainsight

“I didn’t want a blind spot in my production system from where we are in terms of compliance. I wanted to reduce the overhead of the audit burden, both from financial and time perspective, and automate this process as much as possible.” – Kim Green, CISO, Zephyr Health

“I’m able to see changes that display risk at the click of a button.” – Kip James, CISO, Service Source



SELECT CUSTOMERS


KEY PARTNERS

Technology Alliance

Managed Service Provider

Solution Provider


THANK YOU