CSPi blog feed (Fri, 14 Jun 2019 20:09:07 +0000)

How to Eliminate Security Vulnerabilities of IoT Devices
Published Thu, 13 Jun 2019 16:40:34 +0000 at /eliminate-iot-security-vulnerabilities-blog/ (http://www.cspi.com/?p=4734)

IoT devices present significant security challenges. A new joint solution from CSPi and Seceon now delivers a better way to solve these commercial IoT security vulnerabilities, and even gives MSSPs an edge over the competition with a powerful, differentiated MDR and Rapid Investigative Response solution.

Gartner estimates that by 2020, more than 25% of cyberattacks will involve commercial IoT devices.

Unfortunately, traditional security tools and approaches such as endpoint detection and response (EDR) applications can't be deployed on IoT devices, since the devices are usually limited in processing power or memory, or may be completely closed by the vendor.

Yet IoT devices, including "Bring Your Own IoT" devices that are unknown to IT, must still be identified, and policies must then be established to determine which applications, systems, and devices they may communicate with. Finally, if an attack does occur, it must be contained so that no harm comes to the rest of the organization.

There can be significant consequences to a hacked IoT device:

  • Successful attacks against a power grid could cripple an entire city.  
  • Attacks against a medical wearable, such as a pacemaker, could mean life or death.

A new IoT security solution

CSPi and Seceon have partnered to develop a joint solution to overcome the security vulnerabilities presented by IoT devices. By combining CSPi's ARIA SDS Packet Intelligence solution with Seceon's industry-leading aiSIEM solution, the joint offering now provides incredibly powerful IoT security.

For example, the ARIA SDS solution deploys transparently in the network and detects and monitors all IoT devices by inspecting the network data as it flows to and from each device. ARIA SDS classifies this data on the fly without delaying its delivery, which allows IoT devices to be monitored from network aggregation points that are usually one step back in the wireline network.

On the Seceon side, its aiSIEM is one of the industry’s leading solutions for detecting and stopping threats. It takes the data fed by a variety of devices and applications, as well as NetFlow data, and runs it all through extensive threat models to detect threats of all kinds. Then, aiSIEM directs ARIA SDS through a simple API integration to stop threats while allowing critical applications and devices to continue to operate.
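The identify-then-police-then-contain workflow the post describes, as an added example that is not CSPi's or Seceon's code: a per-device-class communication allowlist is evaluated over flow summaries of the kind a network probe produces, a source that is not in the inventory is surfaced as a "Bring Your Own IoT" discovery, and a policy violation becomes a directive to block that one conversation rather than pulling the whole device off the network. The device classes, addresses, rules and flows are all constructed for the example.

```python
"""Added example (not CSPi/Seceon code): evaluate IoT device traffic against a
per-device communication policy and emit containment directives for violations.
Every address, device class, rule and flow below is constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One observed conversation, as a network probe would summarise it."""
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    """One permitted destination (network, port, protocol) for a device class."""
    network: str
    dport: int
    proto: str

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.dst) in ip_network(self.network)
                and flow.dport == self.dport and flow.proto == self.proto)


# Constructed inventory: which IPs are known IoT devices and what each class may do.
# Anything not listed here is "Bring Your Own IoT": unknown to IT until discovered.
POLICIES = {
    "ip-camera": [Rule("10.0.1.20/32", 554, "tcp"),    # RTSP to the video recorder
                  Rule("10.0.1.53/32", 53, "udp")],    # DNS to the internal resolver
    "thermostat": [Rule("10.0.1.53/32", 53, "udp"),
                   Rule("10.0.1.30/32", 8883, "tcp")],  # MQTT over TLS to the broker
}
INVENTORY = {"10.0.5.10": "ip-camera", "10.0.5.11": "ip-camera", "10.0.5.20": "thermostat"}


def evaluate(flow: Flow):
    """Return (verdict, detail) where verdict is 'allow', 'deny' or 'unknown-device'."""
    device_class = INVENTORY.get(flow.src)
    if device_class is None:
        return "unknown-device", f"{flow.src} is not in the IoT inventory"
    for rule in POLICIES[device_class]:
        if rule.matches(flow):
            return "allow", f"{device_class} may reach {flow.dst}:{flow.dport}/{flow.proto}"
    return "deny", f"{device_class} policy has no rule for {flow.dst}:{flow.dport}/{flow.proto}"


def containment_actions(flows):
    """Turn verdicts into directives an in-line probe could act on: block only the
    offending conversation, leaving the device's permitted traffic running."""
    actions = []
    for flow in flows:
        verdict, detail = evaluate(flow)
        if verdict == "deny":
            actions.append({"action": "block-conversation", "src": flow.src,
                            "dst": flow.dst, "dport": flow.dport, "reason": detail})
        elif verdict == "unknown-device":
            actions.append({"action": "quarantine-pending-review", "src": flow.src,
                            "reason": detail})
    return actions


# Constructed sample of observed flows.
SAMPLE_FLOWS = [
    Flow("10.0.5.10", "10.0.1.20", 554, "tcp"),   # camera streaming to the NVR: expected
    Flow("10.0.5.10", "10.0.1.50", 445, "tcp"),   # camera opening SMB to a file server: not expected
    Flow("10.0.5.20", "10.0.1.30", 8883, "tcp"),  # thermostat to the MQTT broker: expected
    Flow("10.0.5.99", "10.0.1.53", 53, "udp"),    # a device nobody registered
]

if __name__ == "__main__":
    for action in containment_actions(SAMPLE_FLOWS):
        print(action)
```

The verdict for the camera's SMB attempt becomes a block directive for that single source/destination/port triple, while its RTSP stream to the recorder is untouched; the unregistered device is reported rather than blocked, since the post's first step for such devices is identification and policy creation.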

New high-value service to differentiate MSSPs  

Additionally, the combination of the aiSIEM/aiMSSP and the ARIA SDS solution gives both enterprises and managed security service providers (MSSPs) a powerful new managed detection and response (MDR) solution capable of stopping more threats within the network. This gives MSSPs valuable new service offerings, so they can better serve their clients—and stand apart from the competition.

Interested in learning more about Internet of Things security, including how this new joint solution overcomes IoT security vulnerabilities while maximizing performance? Download our new white paper, “” now.

The post How to Eliminate Security Vulnerabilities of IoT Devices appeared first on CSPi.

What is Encryption Key Management, and What Factors Should be Considered when Implementing a KMS Solution?
Published Fri, 31 May 2019 16:44:11 +0000 at /encryption-key-management-blog/ (http://www.cspi.com/?p=4627)

Everything You Need to Know about Encryption Key Management

To provide effective data protection and application defense and remain in compliance, organizations today need to protect their most critical data as it is created, transmitted, and stored. This requires companies to successfully encrypt this data, a process that raises its own challenges related to encryption key management and effectively implementing a key management server (KMS) solution. This article examines the challenges associated with encryption key management while demonstrating how our ARIA KMS solution can overcome them.

Data encryption is growing in adoption, but has proven to be ineffective

So how does encryption work? Encryption, sometimes just called crypto, is a well-known technique for protecting data, and the concept is straightforward: users want to make data or content unreadable except to those who are allowed to see it. To do this, a key is used to scramble the readable text into illegible ciphertext and, when required, to decrypt it, translating it back to the original format.

As encryption technologies have continued to evolve over the years, adoption is growing faster than ever. According to a 2016 Ponemon Institute survey, 41% of companies are now implementing data encryption. This represents a 7% increase from the prior year and the largest jump in the survey’s 11-year history.

All of this seems great, yet what is troubling is that in a number of recent high-profile attacks the organization's data was encrypted in some capacity, and it was still compromised.

What is Encryption Key Management and KMS?

Key management servers (KMS) are used to administer the full lifecycle of cryptographic keys and protect them from loss or misuse. KMS solutions, and other key management solutions, ultimately control the generation, usage, storage, archival, and deletion of encryption keys. Additionally, to fully protect against their loss or misuse, companies must limit access to these keys, either by restricting physical access or by controlling user access through clearly defined roles.

To put it another way, here is a quote about encryption key management from NIST's Recommendation for Key Management technical report, which places KMS in a slightly different context:

“The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.”

What are the critical components performed by key management servers?

To ensure that your online data remains protected, it’s critical to understand the different components of an encryption key management service, so that you know the right questions to ask when evaluating new and existing types of KMS technologies.

  • Key storage: As a general principle, the person or company who stores your encrypted content should not also store the keys encrypting that content (unless you’re comfortable with them accessing your data).
  • Policy management: While the primary role of encryption keys is to protect data, they can also deliver powerful capabilities to control encrypted information. Policy management is what allows an individual to add and adjust these capabilities. For example, by setting policies on encryption keys, a company can revoke, expire, or prevent the sharing of the keys, and thus of the unencrypted data, too.
  • Authentication: This is needed to verify that the person given a decryption key should, in fact, be allowed to receive it. When encrypting digital content, there are several ways to achieve this.
  • Authorization: Authorization is the step that verifies the actions that people can take on encrypted data once they’ve been authenticated. It’s the process that enforces encryption key policies and ensures that the encrypted content creator has control of the data that’s been shared.
  • Key transmission: This is the final step in the overall encryption key management process and covers how keys are delivered to the people who need them while access is still withheld from those who don't.
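To make the five components concrete, here is an added example, an illustrative model and not CSPi's ARIA KMS: a small key manager that keeps key material apart from the data store (which only ever holds key identifiers), applies expiry and revocation policy, authenticates principals with an HMAC-based credential, authorizes key release per purpose, and records every decision in an audit log. The principals, roles, purposes, and the ttl/grant scheme are assumptions made for the example.

```python
"""Added example (illustrative model, not CSPi's ARIA KMS): a minimal key manager
with separate key storage, expiry/revocation policy, authentication,
authorization, controlled key release and an audit trail."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class KMSError(Exception):
    pass


@dataclass
class KeyRecord:
    key_id: str
    material: bytes        # never leaves the KMS except through get_key()
    purpose: str           # grants are per purpose, e.g. "customer-db"
    created: float
    ttl: float             # seconds of validity (constructed policy)
    state: str = "active"  # active | expired | revoked


class KeyManager:
    def __init__(self, auth_secret: bytes, clock):
        self._auth_secret, self._clock = auth_secret, clock
        self._keys, self._roles, self._grants = {}, {}, {}
        self.audit = []    # (time, principal, operation, key_id, outcome)
    def register(self, principal, *roles):
        self._roles[principal] = set(roles)
    def grant(self, purpose, principal):
        self._grants.setdefault(purpose, set()).add(principal)
    def token_for(self, principal):
        # Credential issued at enrolment: HMAC of the principal name under the KMS secret.
        return hmac.new(self._auth_secret, principal.encode(), hashlib.sha256).hexdigest()
    def _log(self, principal, op, key_id, outcome):
        self.audit.append((self._clock(), principal, op, key_id, outcome))
    def _check(self, ok, principal, op, key_id, reason):
        if not ok:                     # refusals are logged with their reason
            self._log(principal, op, key_id, "denied: " + reason)
            raise KMSError(reason)
    def _authenticate(self, principal, token, op, key_id=None):
        genuine = principal in self._roles and hmac.compare_digest(self.token_for(principal), token)
        self._check(genuine, principal, op, key_id, "authentication failed")

    def generate(self, principal, token, purpose, ttl):
        self._authenticate(principal, token, "generate")
        self._check("custodian" in self._roles[principal], principal, "generate", None,
                    "only key custodians may generate keys")
        key_id = f"{purpose}-{secrets.token_hex(4)}"
        self._keys[key_id] = KeyRecord(key_id, secrets.token_bytes(32), purpose, self._clock(), ttl)
        self._log(principal, "generate", key_id, "ok")
        return key_id

    def revoke(self, principal, token, key_id):
        self._authenticate(principal, token, "revoke", key_id)
        self._check("custodian" in self._roles[principal], principal, "revoke", key_id,
                    "only key custodians may revoke keys")
        self._keys[key_id].state = "revoked"
        self._log(principal, "revoke", key_id, "ok")

    def get_key(self, principal, token, key_id):
        # Release material only to an authenticated principal that policy authorizes
        # for the key's purpose, and only while the key is still active.
        self._authenticate(principal, token, "get_key", key_id)
        rec = self._keys.get(key_id)
        self._check(rec is not None, principal, "get_key", key_id, "no such key")
        if rec.state == "active" and self._clock() >= rec.created + rec.ttl:
            rec.state = "expired"      # expiry policy applied when the key is used
        self._check(rec.state == "active", principal, "get_key", key_id, f"key is {rec.state}")
        self._check(principal in self._grants.get(rec.purpose, set()), principal, "get_key",
                    key_id, "not authorized for this key's purpose")
        self._log(principal, "get_key", key_id, "ok")
        return rec.material


def demo():
    # Walk one key through its lifecycle under a controllable clock; constructed principals.
    now = [1_000_000.0]
    kms = KeyManager(auth_secret=secrets.token_bytes(32), clock=lambda: now[0])
    for principal, role in (("alice", "custodian"), ("billing-app", "application"),
                            ("mallory", "application")):
        kms.register(principal, role)
    kms.grant("customer-db", "billing-app")      # policy: only billing-app may use these keys
    alice, app, mallory = (kms.token_for(p) for p in ("alice", "billing-app", "mallory"))

    def attempt(fn):
        try:
            fn()
            return "ok"
        except KMSError as exc:
            return f"denied: {exc}"

    r = {"app generates": attempt(lambda: kms.generate("billing-app", app, "customer-db", 3600))}
    k1 = kms.generate("alice", alice, "customer-db", ttl=3600)
    r["app reads"] = attempt(lambda: kms.get_key("billing-app", app, k1))
    r["mallory reads"] = attempt(lambda: kms.get_key("mallory", mallory, k1))
    r["forged token"] = attempt(lambda: kms.get_key("billing-app", "0" * 64, k1))
    now[0] += 3601                               # the clock passes the key's ttl
    r["app reads after expiry"] = attempt(lambda: kms.get_key("billing-app", app, k1))
    k2 = kms.generate("alice", alice, "customer-db", ttl=3600)   # rotate to a fresh key
    kms.revoke("alice", alice, k2)
    r["app reads revoked"] = attempt(lambda: kms.get_key("billing-app", app, k2))
    r["audit entries"] = len(kms.audit)
    return r
```

Each of the five components has a distinct failure in `demo()`: the application cannot generate keys (role), an unrelated principal cannot read them (purpose grant), a forged credential is rejected before any policy is consulted (authentication), and a key that has expired or been revoked is refused even to its authorized user (policy), with every refusal and success landing in `kms.audit`, which is the record the custodian-count and documented-architecture requirements in the compliance section rely on.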

Related Resource: Easily Encrypt VMware vSphere Environments with ARIA KMS

Why is encryption key management so hard?

Digital information must remain readily accessible to the many people with whom it is shared. In order for that to effectively occur, encryption keys must be easily and safely distributable at scale. In a traditional key management model, whenever a key expires, employees (usually IT) are responsible for manually updating them—as well as managing the organization’s entire set of keys.

What’s more, the number of methods that we use to communicate online is constantly growing. Even though we create encrypted files on one storage application, we might also need to share those same files; for example, in an email attachment or by using a different storage tool. Encryption keys don’t always work when applied to different platforms, which means we often must manage multiple key exchanges for the same piece of data.

These efforts are usually extremely time-consuming and take valuable time away from employees who could use it to focus on higher value IT initiatives. Worse, a faulty key management practice can lead to the loss of keys, and may even result in a hacker obtaining them and using them to access confidential data.

Encryption key management misconceptions

Even beyond all of these challenges on how to securely implement an encryption key management system, there are also two common encryption misconceptions:

  1. “If a vendor encrypts your data, they won’t be able to access it.” This is not true. Even if third-party vendors, like Amazon AWS or Microsoft Azure, promise to make your data unreadable to unauthorized parties, most vendors still retain access to your unencrypted content.
  2. “If you encrypt, hackers cannot get access to your data.” Unfortunately, it’s virtually impossible to guarantee this, especially in today’s world.

Ineffective encryption key management can lead to compliance issues

Additionally, inefficient encryption key management practices may even lead to new security vulnerabilities, for example around updating system certificates or locating the systems that need to be updated. It also makes it extremely difficult to comply with industry regulations.

For example, the Payment Card Industry Data Security Standard (PCI DSS) requires that merchants protect sensitive cardholder information from loss and use good security practices to detect and protect against security breaches. PCI DSS has very specific guidance related to encryption keys and key management services.

In particular, various subsections of PCI DSS call for organizations to maintain a “documented description of the cryptographic architecture” to protect data, and to restrict “access to cryptographic keys to the fewest number of custodians possible.”

Keep in mind this is just one regulation. So many others, such as GDPR, HIPAA, and more all have specific requirements to make sure companies do all they can to protect data from theft, loss, or inappropriate access.

Yet too often, there is a lack of unified tools that can successfully overcome the issues related to management overhead and potential noncompliance.


A new and better approach to key management: the ARIA SDS KMS Application

CSPi's ARIA SDS Key Management Server (KMS) application delivers intelligent key management functionality for the automatic generation and distribution of encryption keys. It also offers advanced capabilities such as advanced policy controls and enhanced access control.

ARIA SDS KMS provides an important advantage for organizations that need to ensure the right encryption keys are in the right place at the right time, all without impacting network or application performance. It is an easy-to-deploy application that takes advantage of the widely accepted Key Management Interoperability Protocol (KMIP) for integration with other existing applications.

Today more vendors are allowing users to bring their own key (BYOK). VMware, for instance, can encrypt each virtual machine (VM) starting in vSphere 6.5, yet users still need to provide their own KMIP-compliant KMS solution.

When ARIA KMS is deployed on the Myricom Secure Intelligent Adapter (SIA), organizations gain additional security and performance, since the adapter provides the local secure zone of trust required to generate and store keys and even to execute crypto operations with those stored keys. When the ARIA KMS application runs there, utilizing its TrustZone TPM, the keys are shielded from exposure even if the host server is breached. The application can also be deployed into the devices it is protecting, such as storage arrays, for a zero-footprint implementation of a key management server solution.


The ARIA SDS KMS application enables enterprise-wide encryption key management with the following capabilities:

  • Complete integration with vSphere and other KMIP-based applications for fast, easy set-up and deployment.
  • Generation of thousands of unique keys per minute, enabling the encryption of all data and application transactions.
  • Highly available, secure key storage in a virtual server, on premises or in the cloud.
  • Management of all policies across platforms through a single user interface.
  • Zero-footprint deployment: ARIA SDS KMS can be deployed directly or built into a vSAN configuration, eliminating the need for connectivity.

Interested in learning more about encryption key management and CSPi's ARIA KMS solution? Watch our new now!

About CSPi

CSPi is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPi's ARIA SDS platform uses a simple automated approach to protect any organization's critical data, including PII/PHI, on-premise and in public clouds, no matter if it is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters.

The post What is Encryption Key Management, and What Factors Should be Considered when Implementing a KMS Solution? appeared first on CSPi.

What You Need to Know About the Texas Consumer Privacy (TXCPA) and Texas Privacy Protection Acts (TXPPA)
Published Thu, 16 May 2019 13:55:40 +0000 at /texas-data-breach-notification-law-blog/ (http://www.cspi.com/?p=4595)

Texas has two new consumer privacy and privacy protection bills on the horizon, and as you might expect, they echo legislation we’ve already seen pass in California, Washington, and Massachusetts. In this blog post, find out what you need to know about these latest proposals. Plus, learn how CSPi can ensure you’re fully prepared for compliance.

What You Need to Know About the Texas Data Breach Notification Law

In March the Texas House of Representatives introduced two new bills pertaining to consumer privacy and data protection: HB 4518, cited as the Texas Consumer Privacy Act (TXCPA), and HB 4390, cited as the Texas Privacy Protection Act (TXPPA). The two Texas data breach notification laws are similar, and both were designed to improve consumer privacy and data protection.

The bills follow the trend of similar laws recently ratified in California, Washington, and Massachusetts. The following is what you need to know about both bills and how to prepare for the Texas data breach notification laws.

What is the Texas Consumer Privacy Act (TXCPA)?

Similar to California’s Consumer Privacy Act, also known as AB375, the Texas data breach notification laws will apply to companies that do business and collect consumer data in Texas and have a gross annual revenue in excess of $25 million. At the same time, companies that buy, sell or receive the personal information of 50,000 or more Texas consumers, households or devices, and/or can attribute 50% or more of annual revenue from selling Texas consumers’ personally identifiable information (PII) must comply.

Like the California data breach notification law, the Texas Consumer Privacy Act empowers the state Attorney General to enforce the requirements as needed. Consumer rights that make up the legislation include:

  • The right to request disclosure of the PII businesses are collecting, including the source of information, the purpose of collecting and how it is being shared
  • The right to have PII deleted with some business exceptions
  • The right to know if PII has been sold, to whom it was sold, and to opt out of the future sale of personal information
  • The requirement of businesses to disclose the type and purpose of PII being collected prior to collection

If passed, the Texas Consumer Privacy Act goes into effect on September 1, 2020. Violations come with a minimum penalty of $2,500 per violation and rise to $7,500 for violations deemed intentional by the Texas Attorney General.

Related: Everything You Need to Know About the Canada Data Breach Notification Law

What Is the Texas Privacy Protection Act (TXPPA)?

The Texas Consumer Privacy Act gives consumers control over the collection and use of their personal information. The Privacy Protection Act seeks to govern the processing and retention of PII in an effort to further mitigate consumer risk.

The bills share some similarities. The types of businesses governed by both Texas data breach notification laws are the same, and both bills empower the Texas Attorney General to enforce the requirements as he or she sees fit. Both bills also require businesses to disclose how personal information is collected and used prior to personal information being collected.

Beyond the similarities the Texas Privacy Protection Act includes these unique requirements:

  • Protection of data that is collected via the Internet, digital network, or end-user device
  • Consent for processing PII from the individual at hand
  • Development and implementation of data security and accountability to ensure compliance with all the requirements set forth by the bill
  • Ceasing collection and processing of personal identifying information within 30 days of an individual closing his or her account, unless additional retention periods are required by law

If passed, the Texas Privacy Protection Act will take effect on September 1, 2019, and carry a penalty of $10,000 per violation with a maximum penalty of $1 million.


How to be prepared for the Texas data breach notification law with CSPi

Now is the time to prepare for this pair of Texas data breach notification laws. With the Privacy Protection Act likely to take effect later this year, you'll need to focus first on updating your organization's current data security and incident response plan, not only to make sure you know what precautions and remediation actions to take but also to meet the compliance requirements set forth by the bills.

However, it is also likely that you will need to make better use of, or squeeze more effectiveness out of, your network and data security tools, such as firewalls, UEBA tools, or IDS. One of the main concerns with not only meeting but also proving compliance with industry regulations using existing security tools is the complexity of setting them up and managing them. Additionally, most security tools are still largely focused on the perimeter, on traffic moving in and out of your network, and on endpoint protection.

Looking at the largest and most costly intrusions, such as Saks, Wendy's or the city of Atlanta, these data breaches originated inside the network, and once inside, the malicious actors were able to move about freely, exfiltrating data or, in other cases, locking out legitimate users.

Considering that 80% of internal network traffic goes unmonitored, as noted in a recent Forrester report, this creates a big blind spot, and existing security tools are therefore unable to perform effective or accurate threat detection or prevention.

Our ARIA Software-Defined Security (SDS) solution works with your existing security tools to make them more effective by delivering better, more relevant insights on network traffic. With ARIA SDS, all data traffic associated with your critical assets is monitored as it moves through the network, including laterally moving (east-west) traffic. As directed, either programmatically or by security staff, either full packets or unsampled NetFlow metadata for specified traffic can be directed to the security tool of your choosing. Using these enhanced network insights, threat analytics tools can more easily identify and focus on the intrusions that matter.

In addition, for full data protection, ARIA KMS manages and generates encryption keys at up to thousands per minute, enough to handle transactions at the data and application level. This means that data is protected not only while at rest, but also while it is used within applications or generated by them.

Our Myricom nVoy Series also pairs seamlessly with ARIA, can integrate with existing security tools like Cisco Firepower or FortiGate, and records specified traffic flows at the packet level. This data is used to conduct breach identification and notification and to provide the reporting needed to prove compliance with regulations like this new Texas data breach notification law. With full line-rate packet capture, zero packet loss and extremely accurate timestamping, this technology provides the data needed for complete visibility into all conversations between devices, enabling a complete analysis of any possible breach and its effect on critical data such as PII or PHI.

With CSPi's ARIA SDS solution, companies can achieve not only accelerated incident response and enhanced network security but also enterprise-wide data protection. To learn more about how our solutions can help you meet compliance with the Texas data breach notification law, visit www.cspi.com.

Related:

Learn about the California Privacy Laws – AB 375

What is the Massachusetts Data Breach Notification Law and How Can You Comply with It?

Want to learn more about complying with new and emerging state regulations? Please download our today.


The post What You Need to Know About the Texas Consumer Privacy (TXCPA) and Texas Privacy Protection Acts (TXPPA) appeared first on CSPi.

Four Ways CSPi Can Help Take Your SIEM Security Solution's Effectiveness to the Next Level
Published Thu, 02 May 2019 17:08:39 +0000 at /siem-security-solutions-blog/ (http://www.cspi.com/?p=4576)

Today, SIEM security solutions remain an important part of any company's overall security stack. Yet there are still ways to improve your SIEM's performance and overall value, thus increasing the effectiveness of, and accelerating, your incident detection and response (IDR). Here, we take a look at four ways to take your SIEM to the next level.

Four Ways CSPi Can Help Take Your SIEM Security Solutions' Effectiveness to the Next Level

Security information and event management (SIEM) software, including Splunk, QRadar and products from other SIEM vendors, can be an extremely valuable tool in a company's overall threat detection and prevention stack. For many companies, SIEM security solutions can also be an important tool for application management, security, and industry compliance, and may even offer additional components such as business and web analytics.

However, SIEMs still have some areas where performance and value could be improved.

For example, remember that any security tool that depends on the data it ingests is only as good as the information it is provided with. This can lead to two less-than-ideal scenarios:

  • Ingesting too much data (or worse, the wrong data) increases operating costs and leads to a high number of false positive alerts.
  • Yet if SIEM security solutions aren’t provided with the right data, threats will be missed.

The good news is that there are new ways to solve this SIEM "ingestion dilemma" and other related challenges. Let's take a closer look at four unique ways that CSPi cybersecurity solutions can make your SIEM even better, enhancing your network security and accelerating your incident response capabilities.

Tip #1: Generate unsampled NetFlow data, not full packets

Using solutions such as the ARIA SDS Packet Intelligence application removes the need to send complete network packets into your SIEM. When you think about it, this makes sense, because full packets are usually too much information at too high a cost.

Instead, solutions such as ARIA SDS Packet Intelligence generate and send lightweight NetFlow/IPFIX metadata for every packet crossing the network to the SIEM security solution. Even though this is lightweight data, the NetFlow still provides the details modern SIEMs require to detect network-borne threats accurately.

Unlike network switch-generated NetFlow that is sampled at up to one flow record for every 10,000 packets, ARIA SDS Packet Intelligence provides metadata for every single packet. This means you don’t miss anything and can find possible threats much sooner.

Tip #2: Send only select data conversations (as requested) to find specific threats

The ARIA SDS Packet Intelligence application classifies all traffic as it crosses the network. It gives security teams the flexibility to act on that traffic, including creating copies, shunting, redirecting, forwarding, or selecting particular data conversations based on filters such as SRC/DST (source and destination), so that they can be ingested by the SIEM as requested.

For example, this can be part of the incident response process after an issue has been identified by the SIEM, especially if an incident response workflow requires that the actual data be reviewed for further investigation.

In this case, sending select data increases the effectiveness of the SIEM security solution by providing packet-level detail on malware or threat payloads, without having to ingest all packets to find them. Additionally, this may eliminate the need for further incident response and reduce related costs.
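As an added example (not ARIA Packet Intelligence code) covering Tip #1 and Tip #2 together, the block below aggregates a constructed packet stream into flow records twice, once from every packet and once with 1-in-10,000 packet sampling, and then selects the conversation an analyst asks for by destination so that only that record goes to the SIEM. Every address and packet count is constructed; the every-Nth-packet rule is a deterministic stand-in for the sampling a switch would apply, and the RFC 5737 documentation ranges are used for the outside hosts.

```python
"""Added example (not ARIA Packet Intelligence code): flow records built from a
constructed packet stream, unsampled versus 1-in-N sampled, then filtered by
SRC/DST so only the requested conversation is forwarded to the SIEM."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    dst: str
    dport: int
    proto: str
    size: int      # bytes on the wire


def build_flows(packets, sample_rate=1):
    """Aggregate packets into flow records keyed by (src, dst, dport, proto).
    sample_rate=1 accounts for every packet; N>1 keeps only every Nth packet, a
    deterministic stand-in for the 1-in-N packet sampling a switch would apply."""
    flows = {}
    for i, p in enumerate(packets):
        if sample_rate > 1 and i % sample_rate != 0:
            continue
        key = (p.src, p.dst, p.dport, p.proto)
        rec = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": p.ts, "last": p.ts})
        rec["packets"] += 1
        rec["bytes"] += p.size
        rec["last"] = p.ts
    return flows


def select_flows(flows, src=None, dst=None, dport=None):
    """Return only the conversations matching the requested SRC/DST/port filter."""
    return {k: v for k, v in flows.items()
            if (src is None or k[0] == src)
            and (dst is None or k[1] == dst)
            and (dport is None or k[2] == dport)}


def constructed_stream():
    """Constructed traffic (RFC 5737 documentation addresses): a bulk file copy,
    ordinary HTTPS browsing, and a small, slow 20-packet 'beacon' conversation."""
    packets, t = [], 0.0
    for _ in range(60_000):                 # bulk SMB copy, 1400-byte segments
        packets.append(Packet(t, "10.0.1.5", "10.0.2.9", 445, "tcp", 1400))
        t += 0.0001
    for _ in range(3_000):                  # HTTPS browsing
        packets.append(Packet(t, "10.0.1.7", "198.51.100.20", 443, "tcp", 600))
        t += 0.01
    for k in range(20):                     # one small packet a minute to an outside host
        packets.append(Packet(t + 60 * k, "10.0.1.12", "203.0.113.7", 8443, "tcp", 120))
    return packets


def compare(sample_rate=10_000):
    """Build both views of the same stream and report what each one can see."""
    packets = constructed_stream()
    full = build_flows(packets)
    sampled = build_flows(packets, sample_rate)
    beacon = ("10.0.1.12", "203.0.113.7", 8443, "tcp")
    return {
        "flows_seen_unsampled": len(full),
        "flows_seen_sampled": len(sampled),
        "beacon_packets_unsampled": full[beacon]["packets"],
        "beacon_seen_sampled": beacon in sampled,
        # Tip #2: only the conversation the analyst asked about goes to the SIEM
        "beacon_for_siem": select_flows(full, dst="203.0.113.7"),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With every packet accounted for, the 20-packet beacon shows up as its own flow record; with 1-in-10,000 sampling it never appears at all, while the bulk copy is still visible from its handful of sampled packets. The `select_flows` call is the "as requested" part of Tip #2: the analyst gets the one record for that destination without the SIEM having to ingest everything else.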


Tip #3: Stop east-west network-borne threats immediately

Firewalls can only see and stop threats coming in from the Internet; their specialty is north-south traffic. They typically don't monitor east-west traffic within a network, and they don't look inside trusted VPN tunnels running between sites or to a public cloud environment.

Endpoint security tools can only recognize threats once they land on a device, which means that they tend to miss many other forms of a breach, such as insider threats, compromised credentials, data leaks, data exfiltration, and more.

Good news: The same probes and intelligent network interface cards (NICs) that generated the metadata described above are already sitting in-line. They can be directed to intercept and stop threat conversations on the network as they are identified by the SIEM security solution or as instructed by a SOC team or with SOAR APIs. This ability to stop a potential threat conversation between two devices is a much better approach than taking critical devices or VMs off the network.

This provides a “surgical” means to stop threat conversations deeper within the network—covering east-west as well as north-south conversations. As a result, you’ll keep critical processes running safely by blocking potential threats and providing time to implement remediation action plans.  

Related: Improve the Threat Detection Performance of Splunk Enterprise Security Solution

Tip #4: Review previously recorded network activities to locate impacted devices and identify exposed records

By integrating our nVoy Series Recorder with your SIEM security solutions, any recorded metadata can be immediately revisited for all of the impacted devices. Or, you can select captured data feeds to be replayed (such as those that may be recorded against important data assets that may contain PII or PHI data).

This integration helps to identify the exact records that may have been exposed, and provides historical information on all impacted devices to determine root cause and identify patient zero.

In summary, SIEMs are important security tools and should continue to be an important part of any company’s security infrastructure. Yet by following these four tips, any company can significantly improve their SIEM security solution’s performance and overall value.

CSPi understands these challenges, and we have focused our efforts on the areas that make the most impact, such as accelerating incident response and data protection.

How do we go about doing this? Our ARIA Packet Intelligence application provides enhanced network security insights, so the SIEM and the security team can make better decisions faster.

Also, as an added measure of security, it makes sense to protect the data from the inside. CSPi’s easy-to-deploy Key Management Server application can generate thousands of encryption keys per minute to secure individual data and application transactions.

To learn more, visit www.cspi.com.

About CSPi

CSPi is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPi’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, whether it is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters.

The post Four Ways CSPi Can Help Take Your SIEM Security Solution’s Effectiveness to the Next Level appeared first on CSPi.
Why the Wendy’s Data Breach Settlement may be the Worst One Yet… And how the FTC may be Expanding its Breach Governance Approach
/wendys-data-breach-blog/ (Thu, 18 Apr 2019 14:07:28 +0000)

In September 2018, Wendy’s settled class-action lawsuits brought by financial institutions and by customers whose personal information was compromised in a data breach that hit more than 1,000 of the restaurant chain’s locations. The settlements totaled over $50M, surpassing the payouts from the Target and Home Depot breaches. Because federal investigators were involved in establishing the cause and scope of the breach, the case renews interest in the role the Federal Trade Commission plays in data breach governance.


In 2015-2016 Wendy’s discovered that its customers were the victims of fraudulent charges traced back to transactions at Wendy’s restaurants. This launched an incident response investigation, which determined that certain franchise restaurants had indeed been hit by a malware attack against their point-of-sale (POS) systems.

It turns out that more than 1,000 franchise-owned restaurants were breached by RAM-scraping malware that hit in January 2016, with a second attack in March 2016. The malware gave the attackers access to 18 million payment cards, along with personally identifiable information (PII) such as credit/debit card numbers, cardholder names, expiration dates, and more.

How did the Wendy’s data breach happen? Third-party vendor credentials were compromised, which let the attackers get into the restaurant systems and then move laterally across the network to reach other systems and steal PII.

The impact of the Wendy’s data breach was severe, not only in terms of data loss but also in the amount Wendy’s agreed to pay to settle the matter: over $53M. Two lawsuits were brought against the company, a class action filed by the affected consumers and a second by the financial institutions seeking to recover the cost of re-issuing payment cards after the breach.

Over 7,500 credit unions and other banking institutions argued that the company’s weak data security ultimately gave the attackers access to the financial data. That settlement amounted to $50M, with cyber insurance covering only a portion of it.

As part of the $3.4 million settlement of the consumer class action, victims could claim up to $5,000 for expenses related to the breach, including:

  • Costs and expenses spent addressing identity theft or fraud.
  • Losses caused by restricted access to funds, for example the cost of taking out a loan or ATM withdrawal fees, and preventive costs such as purchasing credit monitoring, placing security freezes on credit reports, or requesting copies of credit reports for review.
  • Late fees, declined payment fees, overdraft fees, returned check fees, customer service fees, and/or card cancellation or replacement fees.
  • Unauthorized charges on credit or debit cards that were not reimbursed.
  • Up to five hours of documented time spent remedying issues relating to the Wendy’s data breach.

The story reinforces how vulnerable retail, healthcare, hotel, and tourism organizations are, given their high volumes of payment transactions. Complicating matters, POS systems are often outsourced to third parties, and there is always the risk of an insider threat, even an unintentional one.

Related: The Top 3 Cyber Attack Threats that Cause a Financial CISO to Lose Sleep

The role of the FTC in the Wendy’s Breach Settlement

Clearly, these are sizable penalties, and the cost of the Wendy’s data breach is expected to surpass that of the infamous Target and Home Depot breaches. Given the breadth of the breach, federal cybersecurity investigators were brought in to determine its scope and impact. As we discussed in our June 2018 blog, the federal agency that most often enforces consumer data-security obligations is the Federal Trade Commission, so this is a good time to revisit the role the FTC plays in imposing penalties following a data breach.

As we mentioned then, the FTC has assumed the role of the U.S.’s primary enforcer of privacy and data security regulations, with rulemaking power to address data privacy issues and industry-wide practices, particularly those focused on fraud that affects consumers. This became clear in the aftermath of the massive Target data breach just a few years ago.

At that time, the FTC demonstrated how far it will go to protect consumer interests: a business of any size, in any industry, can face an FTC action (alongside suits from consumers, banks or other businesses), and in practice it must be ready to show that its safeguards were reasonable. A harsh lesson Wendy’s has just learned.

While the FTC already has broad authority in breach oversight, the guidelines on what steps an organization must take to meet a “reasonable standard of care” remain unclear. However, based on comments made in 2017, the FTC appears to be looking not only to expand its authority but also to clarify the definition of breach impact that will be used to assess an organization’s responsibility.

For example, then-Acting FTC Chairman Maureen Ohlhausen stated that the FTC should, and will, focus on “substantial consumer injury” rather than hypothetical injuries in deciding which cases to pursue. Health and safety risks, such as those posed by sharing real-time, highly accurate location data that leaves consumers vulnerable to stalking, could constitute a substantial injury, as could the disclosure of sensitive medical information.

Weighing in, a host of pro-business groups have issued public comments urging the Commission to adopt a regulatory framework that addresses actual injuries rather than conjectural ones. In contrast, several consumer groups have encouraged the FTC to focus on the rise in data breaches and the increased risk of identity theft.

Infographic: Why is Complying with Data Privacy Regulations So Hard?

How can CSPi help

We understand the challenges organizations face today in building a comprehensive and effective network security and data protection infrastructure. Challenging as it is, the right security tools can save a business from the devastating effects of a data breach, especially since only a subset of companies could absorb the costs described in the Wendy’s example above.

CSPi’s suite of cybersecurity solutions can provide the vigilance needed not only to recognize but also to neutralize threats before they become a risk to consumers. For instance, it appears Wendy’s did not have complete insight into which devices were accessing or using the PII in its possession, especially as that data moved east-west through the network. With our ARIA SDS solution, organizations have the tools and capabilities needed not only to enforce their security posture but also to gain the proof required for legal and regulatory compliance.

Given the vagueness of the FTC’s parameters on “taking reasonable steps” to prevent breaches and protect PII, organizations need exact reporting. Our breach response solutions provide the details needed to conduct a focused forensic analysis and understand the scope and impact of any breach, or potential breach, in hours.

These are just two examples of how CSPi solutions are transforming security approaches and results. To learn more, please visit www.cspi.com.

What is the Massachusetts Data Breach Notification Law, and How Should You Prepare for It?
/massachusetts-data-breach-notification-law-blog/ (Fri, 05 Apr 2019 15:14:13 +0000)

Massachusetts recently made some big changes to its data breach notification law, and it’s imperative that every company knows how to fully comply with it before it comes into effect on April 11, 2019. Learning about it and preparing for it now could save you from many headaches and legal repercussions down the line.

What is the Massachusetts data breach notification law?

The Massachusetts data breach notification law is M.G.L. c. 93H, which requires any person or company holding personal information about Massachusetts residents to notify the state and the affected residents when that information is compromised. It works alongside the state’s data security regulation, “Standards for the Protection of Personal Information of Residents of the Commonwealth” (201 CMR 17.00), which stipulates security requirements for just about any company that handles residents’ personal data. Similar legislation is under consideration in most other states.

The 201 CMR 17.00 regulation includes requirements for:

  • Encryption of personal data.
  • Retention and storage of both digital and physical records.
  • Network security controls (firewalls, for example).
  • Risk management policies and practices.
  • Employee training.
  • Adequate documentation of data breaches.
  • Adequate documentation of any policy changes.
  • Ensuring that any associated third-party providers who have access to the data maintain the same standards.

201 CMR 17.00 complements the notification law rather than replacing it: notification governs what must happen after a breach, while the regulation sets the safeguards meant to prevent one. As Daniel Crane, undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation, put it, “Breach-notification laws deal with what happens after the horse leaves the barn.” Crane says that 201 CMR 17.00 is intended “to prevent the horse from getting out of the barn in the first place.”

What is changing about the new Massachusetts data breach law?

While there are several changes being made to the Massachusetts data breach notification law, there are two in particular that will end up impacting companies considerably.

  1. The first is that any company that has a data breach will need to offer victims of the breach free credit freezes and credit monitoring. The credit monitoring service must last at least 18 months for most companies; consumer reporting agencies that experience a breach must offer it for a minimum of 42 months.

When you consider that most credit monitoring services charge between $15 and $25 a month per individual, it’s clear that this could add up very quickly.

  2. The organization that experienced the data breach will also need to file a report showing that the credit monitoring services being offered comply with the new statute, to ensure that those affected by the breach receive adequate monitoring.

There is an additional change, which is really an update to what information is required in a breach notification.

Currently, any company that experiences a data breach must notify the Director of the Office of Consumer Affairs and Business Regulation (OCABR), the Massachusetts Attorney General, and the affected residents. This notification must be made “as soon as practicable and without unreasonable delay” and must include the nature of the data breach, the number of Massachusetts residents affected, and what the company is doing about the breach.

The notifications will now also need to include the following:

  • Name and address of the organization that experienced the security breach
  • Name and title of the person reporting the breach, the type of person or agency they are, and their relationship to the organization that experienced the breach
  • What kinds of personal information were compromised by the security breach
  • If known, the person or entity responsible for the breach
  • Whether the organization has a written information security program and whether it is updating it

You’ll note that these notification requirements are very similar to GDPR, further evidence that recently enacted regulations, including the Canada data breach law, California AB 375 (the CCPA), and now Massachusetts, are converging on similar guidelines.


On top of this, the law now bars an organization from delaying its breach notice on the grounds that the number of individuals affected has not yet been determined. The organization must send the notice regardless of whether it knows how many people were affected.

Finally, the OCABR will be required to create an electronic copy of the notice sent to consumers and make it available on its website. Furthermore, the OCABR will also need to provide consumers with instructions on how to request a copy of the notice that was provided to the OCABR and the Attorney General by the organization that had its data breached.

The law applies based on whose data is affected, not on where your company is located. If your company experiences a data breach and any of your customers reside in Massachusetts, you will be required to comply with these changes.

Related: Learn about the California Privacy Laws – AB 375

How to Prepare with CSPi

While the law isn’t far off, you still have time to prepare before it goes into effect. First and most importantly, update your organization’s intrusion response and data breach response plan, both so that you know what actions to take and so that it complies with these latest amendments.

However, you will likely also need to get more out of your network and data security tools. One of the main concerns with meeting compliance regulations using existing tools is that their focus is largely on perimeter protection.

In fact, a recent Forrester survey found that up to 80% of east-west traffic today may be unmonitored, leaving a sizable gap in what is known about activity across the network. To comply with these data privacy regulations, you need a strong, real-time grasp of the impact of any intrusion (real or suspected) on your critical assets.

Our ARIA Software-Defined Security (SDS) solution provides not only enterprise-wide network security but also protection of your high-value critical assets, such as PII or PHI. With ARIA SDS, all data traffic associated with your critical assets is monitored and recorded as it moves through the network, including east-west traffic. In addition, data encryption keys are centrally managed and can be generated at a rate of thousands per minute, protecting not only data at rest but also data in use within applications or generated by them.

In addition, our Myricom nVoy Series pairs with ARIA to identify and notify on breaches and to provide the reporting needed to prove compliance with regulations like the new Massachusetts law. Security teams get packet-level recordings of all conversations between critical devices and data. Full line-rate packet capture with zero packet loss and accurate timestamping gives complete visibility into a possible breach and its effect on critical data such as PII or PHI.

With this level of intelligence from CSPi’s suite of cybersecurity solutions, security teams can complete a tightly focused breach investigation in hours rather than days, weeks, or months, a dramatic improvement in breach response.


To learn more, visit www.cspi.com.

A Look at Cyber-Security Spending in 2019: Where Budgets are Increasing and Why
/cyber-security-spending-2019-blog/ (Thu, 21 Mar 2019 17:53:12 +0000)

Last month Dark Reading published a round-up of 2019 cyber-security spending outlooks from the likes of Gartner, Forrester, and InformationWeek,1 and the consensus is that security spending is up in 2019, way up. This post looks at what is driving the increased investment among business and IT leaders, and at how your own priorities compare with those of other businesses.

In general, they all agree that there are three drivers for cyber-security spending: (1) security risks; (2) business needs; and (3) industry changes. Data privacy concerns are also becoming a key factor, driving market demand for security services through 2019. Additionally, data privacy will impact a variety of segments, such as identity and access management (IAM), identity governance and administration (IGA), and data loss prevention (DLP).

While these analysts and publications share different opinions on the priorities in 2019 budgets, they all agree security spending is on the rise and will continue to be an urgent focus this year and beyond.

So, how much do companies spend on cyber-security? After reviewing the roundup, we thought it would be valuable to summarize our key takeaways and observations. Let’s dive in and see how your 2019 cyber-security spending compares.

Cyber-Security spending is outpacing general IT spending

And by a lot. According to Gartner, worldwide spending on information security products and services will grow 8.7% this year, to more than $124 billion.2 Compare that to general IT spending, which Gartner expects to grow by only 3.2% this year.

The main drivers of this spending are security concerns and changes in regulation. Research supports this: 56% of companies report increased security concerns, while 37% say they must respond to recent regulatory changes. The result is a need to invest more in detection and response capabilities, especially innovative solutions that overcome traditional challenges and address digital business risks.

Compliance is also a major factor as companies must meet privacy regulations such as GDPR. A recent Spiceworks survey shows IT leaders agree with the Gartner cyber-security findings, as two of the top five factors leading to increased IT budgets are increased security concerns and changes in regulations.3 The Spiceworks survey also noted an increase in spending on managed security services, a topic we’ll cover in an upcoming blog.

A recent Forrester report noted that, while overall cyber-security spending is on the rise, it is skewed toward certain industries.

  • Critical infrastructure firms will be 2019’s big spenders. A full 32% of respondents at utilities and telecommunications firms are in the highest security spending bracket, the highest percentage across the industries Forrester studied. In contrast, just 18% of respondents at manufacturers are in the highest bracket.
  • Healthcare and financial services lag. Despite having hordes of personal data to protect, 31% of respondents in those industries fall in the lowest (0% to 10%) spending bracket. The key risk for organizations with lower spending is that a lack of monitoring gives them a false sense of security, although regulatory pressure in these industries counters some of that risk.


Security is a top consideration in digital transformation

When business and IT leaders talk about digital transformation in their organizations, the focus is frequently on cloud computing, artificial intelligence, IoT, and mobile solutions—those technologies that could potentially transform the larger business.

Yet a recent Altimeter survey showed that decision makers not only count cybersecurity among their top considerations for digital transformation but rank it their second biggest investment priority, just below cloud.4 It is worth noting that an organization can invest in every transformative technology there is, and it is all meaningless if it can’t protect the business, its customers, and its other vital assets.

A growing number of CIOs, CEOs, and even board members are focusing on digital transformation, evidence that they now view digital initiatives as more than cost centers or projects that may prevent employees from driving value through the organization.  

Again, it comes back to compliance. A major driver of cyber-security spending in digital transformation is the weight of regulatory and compliance standards. This driver is up 102% over 2018, which can be attributed to new privacy regulation as well as the continued growth of cyber-threats and data breaches. As a result, cybersecurity technologies now account for nearly 35% of companies’ highest-priority technology investments; only cloud technologies ranked higher, at 37%.

2019 is the year of security services

A recent Forrester security report showed that last year spending on security services overtook product investments, and the cyber-security spending trend is expected to increase in 2019.5 And Gartner predicts that security services are expected to represent at least 50% of security software delivery by 2020. Why? Many large and mid-size businesses are recognizing security requires more than just a technology investment. Service organizations bring technology, expertise, and resources to the table in a way that may be a more cost-effective alternative to trying to manage all of this internally. Security services also enable client organizations to share accountability with experienced partners.

Organizations with midrange security budgets tend to spend more on services. Given that these organizations are more likely to report multiple breaches, it appears there is value seen in services as a means to improve the company’s overall security posture and ability to respond to threats.  

Another reason for turning to services is the acute shortage of security talent, or of talent with the right skills. Over 22% of security decision-makers cite lack of resources as a major challenge. Finally, keeping up with advances in cybersecurity technology is a key consideration in using outside service providers rather than hiring, retaining, and managing staff.

How organizations measure cyber-security ROI is evolving

Not surprisingly, security leaders are recognizing a product’s ability to lower risk and help organizations remain in compliance as critical areas of investment. For many, these are now top metrics. One out of three organizations says they use external third-party audits to validate the efficacy of their security investments.

Forty-three percent of the organizations polled said they evaluate the effectiveness of their cyber-security spending based on their ability to reduce risk, and 40% cited their ability to remain in compliance with legal and regulatory requirements. This is a shift in attitude toward cyber-security spending, which historically has been motivated by operational and tactical considerations like breach mitigation, IP protection, and incident response.

While organizations say they measure the value of security investments by their ability to reduce risk, many lack the mechanisms to measure either their exposure to risk or the effectiveness of their controls in reducing it. Only 41% believe they will have an effective process for measuring cyber-risk in the coming year, and 59% have no risk assessment or risk analysis practice at all today. Less than half (48%) said they can effectively measure how well their security strategy is working. Spending on controls has not, by itself, closed these measurement gaps.

The SANS 2017 survey on security operations center trends highlights that organizations running a NOC separate from the SOC need different ROI measures. One of the biggest challenges is the lack of visibility between the two functions: 80% of respondents reported barriers to effective reporting and full visibility into risk posture. Those two groups need to focus on coordination and effectiveness, as well as on detecting previously unknown threats.

How CSPi can help

If your top priorities for cyber-security spending align with these takeaways from Dark Reading’s summary, consider how CSPi can help. We too recognize what a critical value reduced risk and compliance are to your organization’s bottom line.

CSPi’s cybersecurity solutions take a different approach to threat detection and prevention, one that stems from the company’s deep expertise in hardened, failsafe technology for network surveillance and intelligence programs for the U.S. Department of Defense and other Western intelligence agencies.

To improve their overall security posture and accelerate incident response times, organizations must have a way to identify, stop, and quickly mitigate potential threats. But even more importantly, they need the capability to rapidly identify the threats that matter the most, such as those targeting high-value business assets and applications. This is a critical advantage, enabling them to take rapid, precise actions against a potential breach to reduce the cost of cyber attacks. Doing so requires enhanced network security capabilities, such as complete visibility into network traffic across the entire enterprise. Success also depends on the ability to capture and direct better intelligence on suspicious conversations to feed existing security tools, like firewalls or SIEMs, to detect and disrupt such threats.  

To meet increasingly stringent data privacy requirements, organizations must be able to prove not only the exact impact of a breach (if any) but also the steps taken to protect assets, along with the timeframe in which all of this transpired. To do so they need to show that they captured all network traffic and stored it for further forensics and auditing. In addition, if organizations improve their data protection and application security through encryption and secure key management, their critical assets stay protected wherever they reside, whether in motion or in use. This provides solid evidence for compliance purposes and greatly limits what an attacker can do with any data they manage to take.

CSPi’s cybersecurity solutions deliver these capabilities, providing full insight into an organization’s enterprise (including east-west traffic), separating real threat alerts from false positives, and enabling security professionals to conduct faster, more effective incident response to validate potential threats.

To learn more, visit www.cspi.com.

About 51±¬ÁĎÍř

51±¬ÁĎÍř is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPI’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, no matter if it is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters.


Sources:
[1] Dark Reading, “,” Ericka Chickowski, February 12, 2019.
[2] Gartner, “2019 Worldwide Security Spending Projection.”
[3] Spiceworks, “The ,” 2019.
[4] Altimeter, “,” 2019.
[5] Forrester, “,” December 17, 2018.

The post A Look at Cyber-Security Spending in 2019: Where Budgets are Increasing and Why appeared first on 51±¬ÁĎÍř.

Everything You Need to Know About a New Canada Data Breach Notification Law—and How 51±¬ÁĎÍř Can Help Improve Compliance
/canada-data-breach-notification-law-blog/ (Thu, 28 Feb 2019 17:17:53 +0000, http://www.cspi.com/?p=4460)

The post Everything You Need to Know About a New Canada Data Breach Notification Law—and How 51±¬ÁĎÍř Can Help Improve Compliance appeared first on 51±¬ÁĎÍř.

Canada recently created a new data breach notification law, one that requires businesses to record all breach information and notify the appropriate authorities as well as those affected. This blog gives you all the details you need to know—even if you’re not a Canadian company or currently doing business in Canada. We also describe many ways that CSPi’s innovative, powerful security solutions can help.

Everything You Need to Know About a New Canada Data Breach Notification Law—and How 51±¬ÁĎÍř Can Help Improve Compliance

Past 51±¬ÁĎÍř blog articles have provided a closer look at various data privacy regulations, and now there’s yet one more that you should be aware of. On November 1, 2018, a new Canada data breach notification law went into effect, requiring businesses to record all breaches and notify Canada’s Office of the Privacy Commissioner as well as those affected by breaches, of incidents that “pose a real risk of significant harm to individuals” (their words).

As we’ve noted in blogs before, this type of requirement follows similar laws already in place, not only in other Canadian provinces but also internationally, where GDPR set the precedent.

Yet it is important to note that, unlike some European regulations, Canada’s new data breach notification law does not shift data breach responsibility to outside vendors if a breach occurs. Instead, it pushes the obligation to the companies themselves to make sure they have adequate controls in place.

What does this new Canada data breach notification law mean for you?

Even if you are not a Canadian company or do not do business in Canada, it is still worth thinking about the law’s implications for your overall security strategy, especially since these new requirements are likely to appear in a regulation that does affect you, and may encourage better security practices.

For example, the new Canada data protection law requires the recording of all breaches, even if a minor breach doesn’t meet the “real risk of significant harm” threshold. Yet, as we’ve described before, it’s impossible to record a breach unless you know it’s happening, and the vast majority of breaches are not discovered until weeks or months (or longer!) after they happened. Traditional security approaches make it difficult, if not impossible, to comply with this requirement.

Still, this regulation calls for a minimum amount of recordkeeping, which must include the date or estimated date of the breach, the nature of the breach, a general description of the incident’s circumstances, and whether or not it was reported (both to Canada’s privacy commissioner and to affected individuals). Companies must keep these records for two years.

The Canada data breach notification law also requires that the record contain sufficient details about the breach. This information is needed to let the privacy commissioner assess whether the organization has correctly applied the “real risk of significant harm” standard, and in turn, met its obligation to report breaches.

This information could include a brief explanation of why the organization determined that there was no real risk of significant harm. This highlights the need for a security solution that can prove that the data was encrypted, record all evidence of the breach, and perform very focused forensic analysis.

Related: Everything You Need to Know About Data Breach Notification Laws in California

A better way to achieve compliance with the Canada data breach notification law

At 51±¬ÁĎÍř, we understand the need for this information and have developed our solutions to give companies the tools and capabilities needed to improve compliance.

Our ARIA Software-Defined Security (SDS) solution provides complete security of high-value data and other critical assets no matter where they are stored, used, or accessed. This approach of focusing on PII data is a departure from typical breach prevention and detection solutions. With ARIA SDS, all data traffic is monitored as it moves through the network, including east-west traffic. This enhanced network security capability is important because up to 80% of east-west traffic may be unmonitored, as most security tools are set up to inspect north-south traffic.

Going further, ARIA SDS also provides automatic policy enforcement, ensuring not only that data is protected but that applications are accessed only by those authorized to do so; if unauthorized access is detected, it is immediately flagged for investigation.

In addition, our Myricom nVoy Series pairs seamlessly with ARIA to provide the reporting needed to prove compliance with regulations like the Canada data breach notification law. With our 10Gb recorder, security teams can take advantage of packet-level recordings of all conversations between critical devices and data. With full line-rate packet capture, zero packet loss and extremely accurate timestamping, this technology provides the data needed for complete visibility into the possible effect on critical data, such as PII or PHI. It delivers automated breach verification and notification using intrusion alerts generated by a company’s existing security tools. With this information in hand, the nVoy Series enables security teams to complete a tightly focused breach investigation in mere hours rather than days, weeks, or months, a dramatic improvement in breach response.

These capabilities help comply with the requirements of the new Canadian data breach notification law and many others. For example, the new Canadian law requires notification to affected individuals “as soon as feasible” after the company determined a breach occurred. While the law doesn’t provide a specific timeframe—a compliance inconsistency and challenge we pointed out in our —it seems that this is designed to give companies time to thoroughly detect what information was hacked.

While this is intended to give companies the right amount of time to research what happened before reporting it, such ambiguity could lead to compliance issues down the road. For example, companies may believe they have more time than the regulation intended.

Again, the Myricom ARIA SDS platform and nVoy Series could help avoid such an issue. It provides auditable proof of the exact impact of the data breach, including when it started/ended, what devices were affected, what critical databases or files were accessed, and more—all can be completed within hours of a verified breach.

With 51±¬ÁĎÍř solutions, organizations are accelerating incident response times, improving their breach response capabilities, and ensuring compliance with increasingly stringent data privacy regulations, including the Canada data breach notification law.

Interested in learning more? Visit our nVoy Series page or download today.

About 51±¬ÁĎÍř

51±¬ÁĎÍř is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPI’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, no matter if it is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC Intelligent Adapters.

A Revolutionary Approach to HIPAA Compliance
/hipaa-compliance-blog/ (Fri, 08 Feb 2019 19:48:10 +0000, http://www.cspi.com/?p=4346)

The post A Revolutionary Approach to HIPAA Compliance appeared first on 51±¬ÁĎÍř.

We all know that meeting the requirements set forth in the HIPAA compliance policy is mandatory for any healthcare, medical records, insurance, or other healthcare-related business. Securing individuals’ electronic protected health information (ePHI) is the most critical step to complying with HIPAA. Learn more about CSPi’s innovative security and HIPAA compliance solutions at the HIMSS19 Global Conference & Exhibition, February 10-15 in Orlando, FL.

A Revolutionary Approach to HIPAA Compliance

We all know that meeting the requirements set forth in the HIPAA compliance policy is mandatory for any healthcare, medical records, insurance, or other healthcare-related business. Securing individuals’ electronic protected health information (ePHI) is the most critical step to complying with HIPAA.

Yet this is often easier said than done, especially when you consider the high number of complex requirements that must be met in order to prove compliance.

The challenges of abiding by the “Security Rule”

For example, one of the most critical items on any HIPAA compliance checklist is meeting the Security Standards for the Protection of Electronic Health Information. Commonly referred to as the “Security Rule,” this requirement establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.

The Security Rule addresses the technical and non-technical safeguards that organizations referred to as “covered entities” must put in place to secure individuals’ ePHI. All covered entities must assess their security risks, even those that utilize certified electronic health record (EHR) technology. Those entities must put in place administrative, physical and technical safeguards to maintain compliance with the Security Rule, and document every security compliance measure.

Related: Sorry for the Inconvenience – The Breaches Just Keep Coming (and so do the Ramifications)

CSPi’s HIPAA compliance solutions

If all of this sounds intimidating, we have some good news: CSPi’s security solutions are uniquely suited to address the requirements specified in the Security Rule (and in turn, to help you stay HIPAA compliant).

Our ARIA Software-Defined Security (SDS) solution and applications help healthcare organizations protect the security of individuals’ ePHI information with powerful tools and capabilities required to:

  • Know and prove what ePHI records were accessed (if any) through:

    • The automatic detection of intrusion or unauthorized access.
    • Continual and complete monitoring of ePHI data as it moves through the network (including east-west traffic), and is accessed throughout the environment.
    • The ability to stop or disrupt incidents that could lead to potential disclosure.
    • Block or redirect identified data conversations with ePHI repositories and provide the auditable, documented detail of measures taken to maintain HIPAA compliance.
    • Prevent unauthorized access of customer data through the use of encryption that can be applied on a per-customer basis.

Working in conjunction with ARIA, our nVoy Series provides additional proof of HIPAA compliance with:

  • Automated breach verification and notification, critical to giving healthcare organizations a better way to comply.
  • Detailed and complete HIPAA compliance reports, including recordings of all conversations involving ePHI.
  • Auditable proof of the exact impact of a data breach, including:
    • What devices are involved and to what degree?
    • When did the breach start and when did it end?
    • What critical databases or files were accessed?
    • Who did the intruder talk to?

Visit 51±¬ÁĎÍř at HIMSS19 in the Cybersecurity Command Center Booth 400, Kiosk 91.

Interested in learning more about 51±¬ÁĎÍř, including how our innovative security tools are helping today’s healthcare leaders achieve compliance with HIPAA? Make your plans to visit with us at the upcoming HIMSS conference, or visit www.cspi.com, to learn more about our HIPAA compliance programs.

About 51±¬ÁĎÍř

51±¬ÁĎÍř is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPI’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, no matter if it is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters. To learn more about how our cybersecurity products can help you with data privacy regulation compliance, check out our how-to guide,

Five Best Practices to Achieving a Secure DevOps Model
/secure-devops-model-blog/ (Thu, 10 Jan 2019 14:20:40 +0000, http://www.cspi.com/?p=4292)

The post Five Best Practices to Achieving a Secure DevOps Model appeared first on 51±¬ÁĎÍř.

The first article in our two-part series introduced the concept of a “whole brain” approach to achieving secure DevOps. This article continues the discussion by taking a closer look at the five best practices every organization should implement to achieve a secure DevOps model. Designing a “whole brain” approach to SecDevOps is challenging, but not impossible.

In our previous blog article, “Why a Whole Brain Approach to Secure DevOps is Critical,” we explained why a “whole brain” approach is critical to achieving a secure DevOps model. We examined the right-brain versus left-brain analogy — noting that the DevOps role and responsibilities are driven by the need to be creative and innovative when building applications designed to drive the business forward.

On the other hand, InfoSec teams are analytical and prefer to adhere to carefully managed processes with the goal of safeguarding the organization’s infrastructure and data. In the end, both teams’ objectives are good for the company, so they must be empowered to do what they do best. Yet there also needs to be a way forward to achieve SecDevOps.

Related: Download our white paper on the subject,

Designing a Whole Brain Approach to SecDevOps is Challenging but Not Impossible 

The need to integrate information security and application development is undeniable. Yet it is naive to think that a change as major as this will occur with just a series of meetings or a handful of management touch points. In this article, we’ll look at five specific best practices successful DevOps teams are using to address the need for data security while maintaining rapid application development.

  • Ensure that open source code is secure.

A key component of verifying the composition of an application comes down to controlling what source code libraries can be used when building it.

Leveraging open source code is great for speed and flexibility, but it may not always be well-tested or created with security in mind. For example, adding nginx to the application is great, as its function set is already well-proven in the industry, and it’s as simple as connecting it in with other functions that make a working application. However, you want to be very sure that it’s a sanctioned version – not the latest unverified version found on GitHub.
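One way to enforce the "sanctioned version" rule at build time is to check every third-party component in the build manifest against an allowlist that pins both the approved version and the SHA-256 of the approved artifact, so that a newer unreviewed release, a modified copy of an approved release, or a package nobody has reviewed at all each fails the build with a distinct reason. The block below is an added example, not CSPi code or part of the original article; the allowlist format, the manifest format and all package names, versions, hashes and artifact bytes are constructed for illustration.

```python
"""Verify that every third-party component in a build is a sanctioned version
whose artifact hash matches the security team's allowlist.

Added example (not CSPi code). Package names, versions, artifact bytes and the
manifest/allowlist formats are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    artifact: bytes  # the bytes that would be unpacked into the build


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    reason: str  # "unknown-package" | "unsanctioned-version" | "hash-mismatch"


# Security team's allowlist: (package, version) -> SHA-256 of the reviewed artifact.
# Constructed: a real allowlist would pin hashes published by the upstream project.
_SANCTIONED_BYTES = {
    ("nginx", "1.16.1"): b"nginx-1.16.1: reviewed and sanctioned build",
    ("zlib", "1.2.11"): b"zlib-1.2.11: reviewed and sanctioned build",
}
ALLOWLIST: Dict[Tuple[str, str], str] = {
    key: sha256_hex(blob) for key, blob in _SANCTIONED_BYTES.items()
}


def check_component(c: Component, allowlist: Dict[Tuple[str, str], str]) -> Optional[Finding]:
    """Return a Finding describing why the component is rejected, or None if sanctioned."""
    sanctioned_versions = {ver for (name, ver) in allowlist if name == c.name}
    if not sanctioned_versions:
        return Finding(c.name, c.version, "unknown-package")
    if c.version not in sanctioned_versions:
        # e.g. the latest tag pulled from a fork rather than the reviewed release
        return Finding(c.name, c.version, "unsanctioned-version")
    if sha256_hex(c.artifact) != allowlist[(c.name, c.version)]:
        # right name and version, but the bytes are not the reviewed bytes
        return Finding(c.name, c.version, "hash-mismatch")
    return None


def check_manifest(manifest: List[Component], allowlist=ALLOWLIST) -> List[Finding]:
    return [f for f in (check_component(c, allowlist) for c in manifest) if f is not None]


def build_permitted(manifest: List[Component], allowlist=ALLOWLIST) -> bool:
    """Fail closed: any finding blocks the build."""
    return not check_manifest(manifest, allowlist)


# Constructed build manifest exercising each outcome.
SAMPLE_MANIFEST = [
    Component("nginx", "1.16.1", _SANCTIONED_BYTES[("nginx", "1.16.1")]),   # approved
    Component("nginx", "1.17.9", b"nginx-1.17.9: latest tag pulled from a fork"),  # newer, unreviewed
    Component("zlib", "1.2.11", b"zlib-1.2.11: reviewed and sanctioned build\x00modified"),  # tampered copy
    Component("leftpad", "0.0.1", b"leftpad-0.0.1"),  # never reviewed
]

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST):
        print(f"{finding.name} {finding.version}: {finding.reason}")
    print("build permitted:", build_permitted(SAMPLE_MANIFEST))
```

The check deliberately fails closed: an unknown package is a finding, not a pass, so a dependency that slipped in without review cannot ride along with approved ones. Pinning the hash as well as the version is what distinguishes "the sanctioned nginx" from "something that calls itself nginx 1.16.1".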

  • Plan for security throughout the application lifecycle.

This means securing the application as built, as deployed, and throughout its life. Securing code from vulnerabilities includes anything from a set of processes completed by the security team to tying in software routines that run within the application.

  • Know and control what connects to the application as well as what it connects to, especially in the development phase.

Governing application access and what connects to it is first and foremost about applying policy. This covers the types and levels of access that are allowed by authentication. Ideally, this is provided within the application or in conjunction with third-party directories. It is also possible that it can be delivered by multi-factor authentication applications, allowing verified humans access to an application.  

Governing application-level connection determines what in the network should be allowed to send network data to the application in the first place. Often known as micro-segmentation, it can be done at the underlying host level, or out in the network.
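The connection-governance practice above comes down to a default-deny policy that lists which sources may send to the application, on which port, and what the application itself may reach in turn. The block below is an added example, not CSPi code or part of the original article, showing how such a micro-segmentation policy is evaluated: explicit rules are checked in order, the first match wins, and anything unmatched is denied. The subnets, ports, rule names and sample flows are constructed.

```python
"""Default-deny micro-segmentation policy for an application tier.

Added example (not CSPi code). Subnets, ports, rule names and flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR of the sender this rule covers
    dst: str      # CIDR of the receiver this rule covers
    proto: str    # "tcp" or "udp"
    dport: int
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


# Constructed network layout.
WEB_TIER = "10.10.0.0/24"
APP_TIER = "10.20.0.0/24"
DB_TIER = "10.30.0.0/24"

POLICY: List[Rule] = [
    # Explicit block first: a web host under investigation must not reach the app tier.
    Rule("quarantine-web-host", "10.10.0.99/32", APP_TIER, "tcp", 8443, "deny"),
    # Ingress: only the web tier may send to the app, and only on its service port.
    Rule("web-to-app", WEB_TIER, APP_TIER, "tcp", 8443, "allow"),
    # Egress: the app may talk to its database and nothing else.
    Rule("app-to-db", APP_TIER, DB_TIER, "tcp", 5432, "allow"),
]


def matches(rule: Rule, flow: Flow) -> bool:
    return (
        ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst)
        and rule.proto == flow.proto
        and rule.dport == flow.dport
    )


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """First matching rule wins; a flow no rule covers falls through to default deny."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "default-deny"


def denied_flows(flows: List[Flow], policy: List[Rule] = POLICY) -> List[Tuple[Flow, str]]:
    """Flows the policy would block, with the rule responsible; useful for reviewing
    observed traffic before switching a segment from monitor to enforce."""
    out = []
    for flow in flows:
        action, rule_name = evaluate(flow, policy)
        if action == "deny":
            out.append((flow, rule_name))
    return out


# Constructed flows exercising each path through the policy.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.20.0.10", "tcp", 8443),   # web tier to app service port
    Flow("10.10.0.99", "10.20.0.10", "tcp", 8443),  # quarantined web host
    Flow("10.50.1.7", "10.20.0.10", "tcp", 8443),   # workstation reaching into the app tier
    Flow("10.10.0.5", "10.20.0.10", "tcp", 22),     # web tier on a non-service port
    Flow("10.20.0.10", "10.30.0.4", "tcp", 5432),   # app to its database
    Flow("10.20.0.10", "203.0.113.5", "tcp", 443),  # app to the internet
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        action, rule_name = evaluate(flow)
        print(f"{flow.src_ip} -> {flow.dst_ip}:{flow.dport}/{flow.proto}: {action} ({rule_name})")
```

Rule order matters: the quarantine rule sits ahead of the broader web-tier allow so that the narrower deny is honoured. The same evaluation works whether the policy is enforced on the host (a local firewall) or in the network, which is the choice the paragraph above leaves open.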

  • Protect the data – inside and outside – the application.

Securing the application alone isn’t enough; you also need to account for the data it produces, as well as the data it accesses. Securing the application and its output protects you from threats that may have infiltrated the network or underlying systems, including storage and backup systems.

Another dimension is properly encrypting the data output in motion, such as east-west traffic, as well as data at rest, according to specified policies. Similarly, the application itself may need access to protected data and should only access that data under proper conditions specified by a policy.

Related: For even more information, read our blog article on “Five Tips for DevOps Application Security.”

  • Eliminate the human factor.

Consider the example of a modern factory. As with any proper factory, automation is critical to ensure the proper execution of these steps in the most effective and efficient manner. Ironically, this is also the answer to creating harmony between application developers and InfoSec teams.

These best practices are about making it easier for developers to add security functions into the applications as they are built and allowing security teams to come in as the application goes live and to set the proper configurations according to the organization’s policies.

CSPi’s solutions help today’s organizations to:

  • secure and protect their most critical data, such as PII,
  • enhance network security to make traditional security tools more effective, by providing full intelligence on network traffic, including east-west,
  • easily and cost-effectively achieve a secure DevOps environment,
  • give developers and InfoSec teams an automated and plug and play approach to application and data security,
  • and finally, automatically verify and notify of data breaches while they are ongoing, to mitigate or disrupt the attack.

If you would like to learn more about CSPi’s approach to achieving a Secure DevOps model, check out our white paper on Secure DevOps best practices,

About 51±¬ÁĎÍř

51±¬ÁĎÍř is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPI’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, no matter if it is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters.
