<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Linda Musthaler, Author at Security Current</title>
	<atom:link href="/author/linda-musthaler/feed/" rel="self" type="application/rss+xml" />
	<link>/author/linda-musthaler/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Mon, 20 Nov 2017 06:50:31 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Linda Musthaler, Author at Security Current</title>
	<link>/author/linda-musthaler/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Medical Device Security Startup Medigate Secures $5.35 Million in Seed Funding</title>
		<link>/medical-device-security-startup-medigate-secures-5-35-million-in-seed-funding/</link>
					<comments>/medical-device-security-startup-medigate-secures-5-35-million-in-seed-funding/#respond</comments>
		
		<dc:creator><![CDATA[Linda Musthaler]]></dc:creator>
		<pubDate>Tue, 14 Nov 2017 06:47:22 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=18344</guid>

					<description><![CDATA[<p>Israeli startup Medigate today announced $5.35 million in seed funding from YL Ventures, with additional funding from Blumberg Capital. The Tel Aviv-based company says it will use the investment to&#8230;</p>
<p>The post <a href="/medical-device-security-startup-medigate-secures-5-35-million-in-seed-funding/">Medical Device Security Startup Medigate Secures $5.35 Million in Seed Funding</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Israeli startup <a href="http://www.medigate.io/">Medigate</a> today announced $5.35 million in seed funding from YL Ventures, with additional funding from Blumberg Capital. The Tel Aviv-based company says it will use the investment to advance development of its dedicated medical device security platform.</p>
<p>Medigate says its solution is a dedicated platform for securing networked medical devices that are connected to electronic medical records, device servers, other enterprise systems and the internet. It is said to fuse the knowledge and understanding of medical workflow and device identity and protocols with the reality of today’s cybersecurity threats.</p>
<p>Medigate claims it can provide visibility into all the medical devices connected to the network, fully identify these devices by type and personality and analyze and understand their specialized protocols, communications and behaviors. By using this knowledge to detect anomalies and suspicious activities, Medigate says it protects connected medical devices from network attacks and data exfiltration attempts.</p>
<p>&#8220;Sophisticated cyberthreat actors are increasingly targeting the ubiquitous medical devices used by healthcare providers. Recent examples include attempts to extort money by paralyzing healthcare delivery, but soon, attackers may seek to directly harm patients. In parallel, the installed base of connected medical devices lacks effective defenses as they implement limited and hard-to-update security capabilities and have long service lives. Protecting these medical devices requires solutions that speak their proprietary or unique languages with native fluency and block attacks without disrupting critical care delivery,” Tom Baltis, CISO of Delta Dental Insurance, said in a press release.</p>
<p>According to Jonathan Langer, Medigate CEO and co-founder, “It&#8217;s an imperative to connect devices to the network, both to manage and monitor devices in real time and to understand and analyze the large amounts of data generated from these devices. At the same time, we see backdoor attacks like MEDJACK and ransomware attacks like WannaCry and NotPetya successfully targeting healthcare providers. Connected devices are a ripe target for cybercriminals. The Medigate solution is designed to effectively protect medical devices from these attacks and eliminate this pandemic risk.”</p>
<p>The Medigate Security Platform is currently in limited availability. General availability will be in mid-2018.</p>
]]></content:encoded>
					
					<wfw:commentRss>/medical-device-security-startup-medigate-secures-5-35-million-in-seed-funding/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Data Security Company Enveil Secures $4 Million in Strategic Funding</title>
		<link>/data-security-company-enveil-secures-4-million-in-strategic-funding/</link>
					<comments>/data-security-company-enveil-secures-4-million-in-strategic-funding/#respond</comments>
		
		<dc:creator><![CDATA[Linda Musthaler]]></dc:creator>
		<pubDate>Mon, 13 Nov 2017 06:43:46 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=18342</guid>

					<description><![CDATA[<p>The data security company Enveil today announced it has raised $4 million in strategic funding from key partners, including Thomson Reuters and a USAA affiliate as well as additional investment from Bloomberg&#8230;</p>
<p>The post <a href="/data-security-company-enveil-secures-4-million-in-strategic-funding/">Data Security Company Enveil Secures $4 Million in Strategic Funding</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The data security company <a href="https://www.enveil.com/">Enveil</a> today announced it has raised $4 million in strategic funding from key partners, including Thomson Reuters and a USAA affiliate as well as additional investment from Bloomberg Beta and DataTribe.</p>
<p>The company, based in Washington, D.C., says it will leverage this capital to enhance its platform, expand operations, and execute a go-to-market strategy that will increase availability of Enveil’s Never Decrypt computation capability.</p>
<p>According to Enveil, existing encryption capabilities have traditionally focused on protecting data while at rest or in transit, ignoring the security posture of users’ interactions with data, or data in use.</p>
<p>Enveil was founded in September 2016 to address what it claims is a security blind spot. Using technology initially spearheaded inside the National Security Agency, Enveil says it is the only scalable commercial solution specifically engineered to protect data while it is being processed. Enveil allows enterprises to securely operate on both encrypted and unencrypted data in the cloud, on premise, or anywhere in between.</p>
<p>“The inconvenient truth of data security is that securing data end-to-end requires meaningful protection at every step, and Enveil is the only company addressing the critical point of exposure that occurs when data is put to use,” Ellison Anne Williams, Enveil founder and CEO, said in a press release.</p>
<p>This new round of funding follows on the heels of $1 million in seed funding from DataTribe in late 2016.</p>
]]></content:encoded>
					
					<wfw:commentRss>/data-security-company-enveil-secures-4-million-in-strategic-funding/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cybersecurity Platform Company Axonius Secures $4 Million in Seed Funding</title>
		<link>/cybersecurity-platform-company-axonius-secures-4-million-in-seed-funding/</link>
					<comments>/cybersecurity-platform-company-axonius-secures-4-million-in-seed-funding/#respond</comments>
		
		<dc:creator><![CDATA[Linda Musthaler]]></dc:creator>
		<pubDate>Tue, 05 Sep 2017 14:26:20 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17180</guid>

					<description><![CDATA[<p>Israeli startup Axonius today announced $4 million in seed funding from YL Ventures, with participation from Vertex Ventures and Emerge Capital. The Tel Aviv-based company said the investment would be&#8230;</p>
<p>The post <a href="/cybersecurity-platform-company-axonius-secures-4-million-in-seed-funding/">Cybersecurity Platform Company Axonius Secures $4 Million in Seed Funding</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Israeli startup <a href="https://www.axonius.com/">Axonius</a> today announced $4 million in seed funding from YL Ventures, with participation from Vertex Ventures and Emerge Capital.</p>
<p>The Tel Aviv-based company said the investment would be used to secure and manage the billions of connected devices in use by businesses by allowing IT and security operations teams to enable the agile and secure adoption and usage of the widest variety of current and future devices on the network.</p>
<p>Dean Sysman, Axonius CEO and co-founder, said that IT environments have transitioned over the last decade from controlled, centralized architectures, to become decentralized and fragmented.</p>
<p>“It has become an almost impossible task for CIOs and CISOs to answer the simplest questions, such as, ‘How many devices are currently on your network?’ or ‘How many devices on your network shouldn’t be there?’ or ‘Are these devices secure?’” Sysman said in a press release. “This lack of visibility and control creates an unwanted speed limit on innovation. With the Axonius Platform, IT and security operations teams gain unprecedented visibility and control of the devices on their networks, allowing them to be innovation partners and enablers for the business.”</p>
<p>Axonius said it provides open APIs and simple graphical operational interfaces to connect new device types and tools to the platform via adaptors, and new controls via plug-ins. In addition, Axonius said it provides a modern and secure exchange and sharing infrastructure for these adaptors and plug-ins.</p>
<p>The Axonius Platform is slated to be generally available in early 2018 and is currently available to what the company says are qualified customers.</p>
]]></content:encoded>
					
					<wfw:commentRss>/cybersecurity-platform-company-axonius-secures-4-million-in-seed-funding/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Votiro Neutralizes Zero-Day Malware Embedded in Files to Thwart Attacks</title>
		<link>/votiro-neutralizes-zero-day-malware-embedded-in-files-to-thwart-attacks/</link>
					<comments>/votiro-neutralizes-zero-day-malware-embedded-in-files-to-thwart-attacks/#respond</comments>
		
		<dc:creator><![CDATA[Linda Musthaler]]></dc:creator>
		<pubDate>Mon, 14 Jul 2014 16:12:55 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17213</guid>

					<description><![CDATA[<p>Attackers know that if they want to compromise an organization an email with a malicious link or attachment is often the path of least resistance. Armed with a wealth of&#8230;</p>
<p>The post <a href="/votiro-neutralizes-zero-day-malware-embedded-in-files-to-thwart-attacks/">Votiro Neutralizes Zero-Day Malware Embedded in Files to Thwart Attacks</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Attackers know that if they want to compromise an organization an email with a malicious link or attachment is often the path of least resistance.</p>
<p>Armed with a wealth of information freely shared online, attackers use social engineering to entice employees into opening the message. If the malware is successful, the endpoint is compromised, which likely leads to further damage.</p>
<p>The 2014 Verizon Data Breach Investigations Report indicates email is the initial attack vector 67% of the time in organizations Verizon investigated for breaches. Well-crafted spear phishing leaves the employee to decide if the link or attachment is malicious unless there’s a security solution that can take the guesswork out of the equation. With thousands of enterprise employees as a target, someone will be enticed—it is just a matter of time.</p>
<p>Many solutions on the market do well identifying known bad links and attachments. But what about zero-day exploits and other unknowns? There are simply too many exploits available for signature-based detection to be effective against targeted attacks.</p>
<p>Adobe Reader has been a favorite for attackers through the use of everyday PDFs. What about password-protected zip files that are used to hide the malware from detection? Businesses can choose to quarantine certain file types, but the most successful campaigns will use everyday attachments, which employees are accustomed to receiving and are more willing to open.</p>
<p>Inbound email containing attachments and links must go through more advanced analysis before reaching an inbox in order to stand a better chance of defending the business. The failure to raise the level of detection will only allow attackers to continue to have their way. This holds true for every sender of email, whether it is a trusted third-party, friend, vendor, or an attacker; delivering clean email to all entities is a necessity.</p>
<p>Once an endpoint has been compromised, non-public information, intellectual property and credentials are at risk as the attacker moves throughout the network and remains persistent in the pursuit of confidential data.</p>
<p><strong>Votiro Identifies and Sanitizes</strong></p>
<p>The senior security experts at <a href="http://www.votiro.com/">Votiro</a> have developed what they say is a military-grade file sanitizing solution. Votiro’s solution is delivered as a cloud-based managed service or as an on-premise Windows-based virtual appliance.</p>
<p>Votiro&#8217;s security solution works on individual files attached to email, downloaded from the Internet, or taken off a removable device such as a thumb drive or CD-ROM. Votiro directs the files into Votiro&#8217;s Secure Data Sanitation Device (SDSD) where it then performs an active sanitation process on each file.</p>
<p>This process involves making micro changes to the file in order to interfere with and break any exploit code that might be hidden in the file. Votiro’s technique doesn&#8217;t harm the original file format, in order to preserve the integrity of the message content. When the sanitization process is complete, the neutralized file is forwarded to the intended recipient.</p>
<p>Votiro’s SDSD solution analyzes and deconstructs every incoming file, since it’s unknown whether it is malicious. The original artifacts of each deconstructed file (i.e., the headers, footers, file properties, and the file content) are thoroughly analyzed to detect if exploit code is present. If it is, Votiro manipulates specific attributes to neutralize the exploit. The file artifacts are then reconstructed and the file is considered sanitized, which leaves the rest of the message working as originally intended.</p>
<p>Votiro says its advantage is that it doesn&#8217;t need to know anything about the exploit in advance in order to neutralize it. Instead, Votiro is confident with the makeup of legitimate file types so that it can readily identify when there is something in a file that shouldn&#8217;t be there.</p>
<p>Votiro says its solution works on 98% of the file types that are typically exchanged among companies and consumers, including:</p>
<ul>
<li>PDF files</li>
<li>Microsoft Office files</li>
<li>RTF files</li>
<li>Image files</li>
<li>Archives</li>
</ul>
<p>Files passing through Votiro’s solution are not only neutralized of malware but also checked for adherence to company policy as to which files are allowed to enter the organization&#8217;s network.</p>
<p>Votiro touts its scanning, which it says is performed in only a few seconds, minimizing latency and keeping user experience a priority.</p>
<p>With the continued uptick in email and web-borne malware as well as increased regulatory pressure, organizations are turning to these types of solutions to prevent attackers from using zero-day exploits to gain a foothold in a private network.</p>
]]></content:encoded>
					
					<wfw:commentRss>/votiro-neutralizes-zero-day-malware-embedded-in-files-to-thwart-attacks/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Seculert Delivers Advanced Threat Protection as a Cloud-based Solution</title>
		<link>/seculert-delivers-advanced-threat-protection-as-a-cloud-based-solution/</link>
					<comments>/seculert-delivers-advanced-threat-protection-as-a-cloud-based-solution/#respond</comments>
		
		<dc:creator><![CDATA[Linda Musthaler]]></dc:creator>
		<pubDate>Sat, 01 Mar 2014 17:36:56 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17252</guid>

					<description><![CDATA[<p>Two months since the news of the massive Target breach broke, reports are starting to reveal bits and pieces of how the perpetrators were able to get a foothold inside&#8230;</p>
<p>The post <a href="/seculert-delivers-advanced-threat-protection-as-a-cloud-based-solution/">Seculert Delivers Advanced Threat Protection as a Cloud-based Solution</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Two months since the news of the massive Target breach broke, <a href="http://www.seculert.com/blog/2014/01/pos-malware-targeted-target.html">reports are starting to reveal</a> bits and pieces of how the perpetrators were able to get a foothold inside Target’s point of sale system to steal tens of millions of customer account records. In time, there will be a complete forensic analysis of the breach, with lessons for every IT security professional to take back to their own workplaces.</p>
<p>In the meantime, there is one lesson in security that everyone can take to heart: detecting and preventing (or at least stopping) sophisticated attacks requires a multi-dimensional approach that reaches all corners of an enterprise. It also requires looking outside an enterprise as well as within to understand the broader scope of modern threats.</p>
<p>This is the approach taken by the Israel-based security company <a href="http://www.seculert.com/">Seculert</a> as it moves away from its original offering of analyzing botnets to advanced threat protection as a cloud-based service. Seculert focuses on zero-day attacks, advanced malware, and advanced persistent threats (APTs).  According to Seculert, several characteristics set these types of attacks apart from “conventional” malware:</p>
<ul>
<li>They are designed to survive or persist over a period of time in order to collect as much information as possible, or in order to avoid detection until they are launched.</li>
<li>They involve a network of hosts that are controlled by, or report back to, a Command and Control (C&amp;C) server.</li>
<li>They employ a constantly-changing variety of malware – including polymorphic malware that changes independently – in order to penetrate their targets and replicate.</li>
<li>They are often targeted at a particular organization, individual or region as opposed to being random and opportunistic.</li>
</ul>
<p>Threats that possess these characteristics are easily able to evade detection by traditional perimeter security defenses such as firewalls, intrusion detection/prevention systems, and anti-virus/anti-malware solutions. New advanced techniques are needed to supplement and complement the traditional defenses.</p>
<p>Seculert’s security platform is comprised of several core technologies that work together to comprehensively address advanced threats. Let’s have a look at each of these solution components.</p>
<p><strong>Traffic Log Analysis</strong></p>
<p>The first component of the Seculert solution is traffic log analysis which can be performed over an extended period of time and across multiple entities. This is important because threats are networked and typically not isolated to any one company and may occur over days, weeks or months.</p>
<p>Seculert’s traffic log analysis is powered by statistical analysis and Big Data analytics. First the vendor defines a malware profile, which it calls a vector derived from a “learning set” of behaviors. The Elastic Sandbox and Botnet Interception modules (described below) are able to represent a thorough picture of how the malware behaves in a variety of situations, such as uploading data, performing remote access and sending email. Then machine learning algorithms use that profile and other means to analyze the traffic logs and look for anomalous behavior and “outliers” that are only created by malware.</p>
<p><strong>Botnet Interception</strong></p>
<p>A botnet is a network of compromised devices that are controlled by a series of Command and Control servers. Simple botnet monitoring services provide a list of known C&amp;C servers in order to block them. Attackers are aware of this so they are constantly shifting from one C&amp;C server to another, which forces the need for more sophisticated detection techniques.</p>
<p>Seculert operates a farm of devices that are intentionally infected with malware in order to gain a position inside a botnet. By going into the tiger’s den, Seculert can gather all sorts of intelligence about the botnet, including the transmissions between infected devices and the C&amp;C servers. Seculert uses various techniques to intercept and analyze this traffic, and determine if its customers have any devices that are part of the net.</p>
<p>According to Seculert, the solution can identify users and endpoints up to the machine name, both inside and outside a corporate network, including remote workers and business partners—even those who are using their own devices (BYOD). Customers provide Seculert with keywords or IP address ranges, which allow the vendor to search the botnet data for information that correlates with a customer’s network. Seculert acts on this information by updating customer dashboards, sending email alerts, and, through an API, informing proxies and firewalls of which users and devices to block.</p>
<p>For example, if an enterprise is using off-network access to allow a remote employee to read his emails from home, and the home device is infected, the malware will send a string of information to the C&amp;C server that is identifiable by Seculert. When Seculert intercepts this string, the security vendor can notify the enterprise that the employee’s home machine is compromised and needs to be remediated.</p>
<p><strong>The Elastic Sandbox</strong></p>
<p>There are plenty of security solutions that use a sandbox to isolate and then execute suspicious code to see what it does. Seculert uses what it calls an elastic sandbox in the cloud to study and profile malware. What makes this sandbox unique is that it has the capability to do long-term analysis over a period of days, not just minutes. This is critical because attacks in the past have used malware that sits idle for days to avoid detection before beginning its nefarious work.</p>
<p>Similar to many threat analysis vendors, such as ThreatGrid and Lastline, Seculert’s sandbox analyzes more than 40,000 new malware samples every day. These samples come from customers who upload suspicious code; from the Log Analysis module; and from partner companies. Seculert studies the malware behavior and uses machine learning algorithms to create malware profiles that are used in the Seculert Traffic Log Analysis and Botnet Interception modules.</p>
<p><strong>Protection API</strong></p>
<p>Seculert offers integration with existing perimeter security solutions through an API, bolstering their value to an enterprise. The API can be used to:</p>
<ul>
<li>Enable an organization’s proxies and firewalls to pull information about Command and Control servers that must be blocked as well as users and endpoints that have been compromised</li>
<li>Enable a company’s SIEM platform to pull information about users and devices that have been compromised along with deep-dive information for forensics</li>
<li>Upload suspicious code to the Elastic Sandbox for analysis and receive results in the dashboard</li>
</ul>
<p><strong>Tying It All Together and Delivering It through the Cloud</strong></p>
<p>The various modules of the Seculert platform are quite powerful on their own. However, the combination of all of Seculert’s technologies working together, along with the sharing of information from multiple organizations and security vendors, increases the benefits.</p>
<p>Seculert describes these benefits in a scenario involving several customers. Suppose that one customer, Acme Corporation, uploads its traffic log files to the Seculert cloud solution for analysis. Big Data analytics identify malware and go back in time within the logs until the original infection is detected. Through the API and the customer’s dashboard, Acme is alerted to the infection and begins blocking and remediating.</p>
<p>The malware that was found is automatically uploaded to the Elastic Sandbox and executed over time until the botnet is detected along with its C&amp;C servers. Botnet Interception is used to read the traffic and identify the users and devices that are infected. Additional remote users at Acme Corporation were found to be infected, and Acme was alerted. But another Seculert customer, Big Anvil Company, also had users and devices in the botnet, and this company also was alerted.</p>
<p>Through the API, Acme and Big Anvil both pull information about the infected users and devices and block their communication to the C&amp;C servers. Both companies undertake the steps to remediate the devices. On an ongoing basis, each company’s dashboard continuously provides information about threat detection as well as deep-dive data for forensic investigations.</p>
<p>All of this is delivered through the cloud as a service, with nothing to install or maintain locally or on premise. It is a simple and cost effective solution that provides full coverage for all sites and users—even remote and guest users and those workers who are using their personally owned devices.</p>
]]></content:encoded>
					
					<wfw:commentRss>/seculert-delivers-advanced-threat-protection-as-a-cloud-based-solution/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Covertix SmartCipher Protects Key Confidential Files</title>
		<link>/covertix-smartcipher-protects-key-confidential-files/</link>
					<comments>/covertix-smartcipher-protects-key-confidential-files/#respond</comments>
		
		<dc:creator><![CDATA[Linda Musthaler]]></dc:creator>
		<pubDate>Mon, 03 Feb 2014 17:45:18 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17258</guid>

					<description><![CDATA[<p>The healthcare market has been generating much attention lately.  Everyone from individuals to corporate executives is focused on the changes and provisions as they relate to health insurance. Well, almost&#8230;</p>
<p>The post <a href="/covertix-smartcipher-protects-key-confidential-files/">Covertix SmartCipher Protects Key Confidential Files</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The healthcare market has been generating much attention lately.  Everyone from individuals to corporate executives is focused on the changes and provisions as they relate to health insurance.</p>
<p>Well, almost everyone. The information security professionals in the healthcare industry are still focused on data security and how to best protect sensitive patient records from exposure through data breaches. Since 2009, there have been <a href="https://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html">more than 700 breaches of unsecured protected health information</a> affecting 500 or more individuals. Unintended data exposure is likely to continue as more healthcare service providers transform their paper-based records into digital form in order to qualify for Medicare/Medicaid payment incentives.</p>
<p>The exposure of Protected Health Information (PHI) and especially detailed electronic health records (EHRs) is a serious concern. According to Larry Ponemon, president of the Ponemon Institute, &#8220;All of the evidence suggests that a healthcare record is in fact much, much more valuable than a financial record. It can be used for financial ID theft crimes, or a medical ID theft or both. It provides a dossier of personal information so bad guys can do more and better stuff like create passports, and visas, and because they have physical characteristics as well as information, it’s a big deal. And I see in a number of our studies that it is substantially more valuable than other types of records.&#8221;</p>
<p><strong>Protect only what’s important</strong></p>
<p>When it comes to protecting sensitive files from loss or theft, many healthcare providers are taking a sledgehammer approach: full disk encryption of the hard drives where files are stored. While this is a vast improvement over storing PHI in the clear, it’s a pretty generalized and expensive approach to a specific kind of problem.</p>
<p>In the healthcare arena and other industries as well, only specific files must be protected; not everything on the hard disk is considered sensitive. What’s more, full disk encryption may not protect sensitive files when they leave the originating organization or circulate among colleagues. For example, when hospitals have to send confidential patient files to local doctors, they have no idea who actually has access to the files in the doctors’ offices. This is a big problem in the face of patient privacy laws.</p>
<p><a href="http://covertix.com/solutions/solutions-overview?utm_source=PR&amp;utm_medium=article&amp;utm_campaign=HealthcareJan">Covertix</a> is attacking this problem from a different angle. Rather than taking the tack of “encrypt everything,” Covertix simply assigns permanent security to a company’s most sensitive files. An analogy the company makes is that full disk encryption is like guarding the gate, whereas the Covertix solution is like assigning a bodyguard to any type of file where the bodyguard never leaves its post.  This approach allows organizations to confidently send sensitive private information knowing that only the intended recipients can have access to it.</p>
<p>Covertix is one of many Information Rights Management (IRM) companies. Microsoft’s suite of <a href="https://office.microsoft.com/en-us/excel-help/information-rights-management-in-office-2010-HA010354260.aspx">IRM tools</a> will provide similar protections for Office Documents. EMC’s <a href="http://www.emc.com/enterprise-content-management/information-rights-management.htm">Documentum IRM</a> is another such set of tools.</p>
<p>Covertix has developed technology it calls <a href="http://covertix.com/solutions/solutions-overview?utm_source=PR&amp;utm_medium=article&amp;utm_campaign=HealthcareJan">SmartCipher</a>. The technology attaches a set of user-defined policies to any type of file, including digital diagnostic images and even videos. The policies stay with the file for life, no matter how it is transmitted, where it goes, or where it is stored—inside or outside of the originating organization. The policies allow the file to be shared among colleagues or third parties with confidence and control by setting who can do things like open, view, edit, print, and copy from or paste to the file.</p>
<p>SmartCipher permits 22 types of activities that can be monitored and controlled after the file leaves the originating organization. What’s more, use of the file can be tied to a specific domain, location, device and/or context, and there are unique watermarks for each person who views the file.</p>
<p><strong>Protection is embedded into the file</strong></p>
<p>The <a href="http://covertix.com/solutions/solutions-overview?utm_source=PR&amp;utm_medium=article&amp;utm_campaign=HealthcareJan">Covertix technology</a> embeds a small 16k set of policies in any type of file. Even though the original file is now “genetically modified,” it can still travel under the radar of antivirus programs so that it’s not considered to be a Trojan horse or malicious file. When the file is sent to an authorized third-party recipient and the person tries to use it, the allowable uses and privileges about the file itself are defined within this set of policies.</p>
<p>For instance, a medical lab could simply attach a secure file containing test results to an email message and only the authorized recipient – perhaps the patient or his doctor – could view the file based on the policy.</p>
<p>Hospitals occasionally have an issue with famous or wealthy patients that come into the hospital and expect their sensitive files to be protected against prying eyes. There have been instances where hospital staff snooped through the files of famous patients and then turned around and sold the information to the tabloids. Covertix’s solutions prevent those occurrences from happening and keep the hospital out of the limelight and out of the courtroom.</p>
<p><strong>Implementation options</strong></p>
<p>To protect files using Covertix’s solutions, administrators can select the best way to implement IT policy—whether it would be by creating rules for specific users, groups of users, keywords found in the data or domain names. The file protection process is transparent to the file creator; the attributes are simply assigned without any intervention on the user’s part.</p>
<p>Covertix offers a hospital or a network of hospitals the ability to control and protect any type of file. Only authorized users can access the files according to specified policy embedded within the file, whereas unauthorized users cannot access the files at all. Covertix’s solutions prevent viewing/copying/pasting/printing any kind of file and the restrictions can be location specific. So for example if an authorized hospital employee wants to print a file pertaining to a patient who was admitted to that location, they can. But if they want to print the patient’s file from the hospital’s remote location, they cannot. Even if the file is stored in the cloud, the cloud provider cannot access the file.</p>
<p><strong>Reduce exposure of sensitive data</strong></p>
<p>Using Covertix in a healthcare setting can reduce the likelihood of exposure of sensitive data in the event of a breach. Suppose a medical facility’s laptop is lost or stolen, or a hacker breaks into a facility’s server. In these instances, the most sensitive files are locked down with the strength of encryption as well as the policies defined per file. Moreover, the policies are enforced on the files no matter where they go or who has authorization to access them.</p>
<p>Healthcare providers using this level of file security meet the requirements of both the Health Information Technology for Economic and Clinical Health Act, better known as the HITECH Act, and the Health Insurance Portability and Accountability Act (HIPAA). With stiff penalties for violations of these laws, healthcare providers need to ensure strong protection for their most sensitive files.</p>
<p>The post <a href="/covertix-smartcipher-protects-key-confidential-files/">Covertix SmartCipher Protects Key Confidential Files</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/covertix-smartcipher-protects-key-confidential-files/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Prevent SQL Injection Attacks with DB Networks’ New Core IDS</title>
		<link>/prevent-sql-injection-attacks-with-db-networks-new-core-ids/</link>
					<comments>/prevent-sql-injection-attacks-with-db-networks-new-core-ids/#respond</comments>
		
		<dc:creator><![CDATA[Linda Musthaler]]></dc:creator>
		<pubDate>Fri, 22 Nov 2013 17:52:03 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17264</guid>

					<description><![CDATA[<p>What is the top threat to web applications today? According to the Open Web Application Security Project (OWASP), it’s SQL injection. The problem is so pervasive that it has topped the OWASP&#8230;</p>
<p>The post <a href="/prevent-sql-injection-attacks-with-db-networks-new-core-ids/">Prevent SQL Injection Attacks with DB Networks’ New Core IDS</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>What is the top threat to web applications today? According to the <a href="https://www.owasp.org/index.php/Main_Page">Open Web Application Security Project (OWASP)</a>, it’s SQL injection. The problem is so pervasive that it has topped the <a href="https://www.owasp.org/index.php/Top_10_2013-Top_10">OWASP Top 10</a> list of software security issues for several years in a row, and for good reason. Hundreds of millions of database records have been stolen using SQL injection techniques.</p>
<p>Attacks of this nature can be launched very easily, and there are so many websites that are vulnerable to them. Attackers often use Google dorks or botnets to locate vulnerable websites with poor defenses, and there are <a href="http://www.darkreading.com/database/slide-show-10-sql-injection-tools-for-da/232900180">numerous tools available</a> to construct attacks. Consequently, attacks utilizing SQL injection are on the rise.</p>
<p>Recently, an abject example of a SQL injection attempt was easily viewable on the troubled healthcare.gov website. When a semicolon was typed into the search box, the autocomplete function revealed frequent attempts by visitors to exploit SQL injection. After a flurry of Tweets within the security community, the autocomplete was fixed.</p>
<p>Web application firewalls (WAF) have been one of the more popular technologies deployed for SQL injection defense. However, they have some limitations. For one thing, they tend to sit at the perimeter in front of web and application servers and they inspect HTTP traffic. If anything gets past these firewalls, it is assumed to be OK to pass on through to the web and app servers and eventually to the backend database. Unfortunately, there are plenty of readily available tools that practically anyone can use to simply overload or bypass these types of firewalls. One penetration testing company advertises that it takes, on average, only an hour to hack a WAF.</p>
<p><a href="http://www.dbnetworks.com/">DB Networks</a> is taking a different tactic to combat SQL injection attacks. The company has just announced its next-generation core IDS. What does that phrase means?</p>
<p>“Next-generation” according to DB Networks means that the solution uses behavioral analysis instead of signatures to detect attacks. “Core” refers to where the device sits: between the web or app server and the backend database. This is not a perimeter device. “IDS” of course stands for intrusion detection system, but DB Networks said it focused this device to detect one type of intrusion and that is malicious SQL code. It doesn’t need to be scrutinizing HTTP or other protocols because the communication between the web/app server and the database is strictly SQL.</p>
<p>This next-gen core IDS is not inline between the web/app server and the database. Instead it is passively attached, connecting with a tap or a span port. The product today handles the two most dominant databases – Oracle and Microsoft SQL Server – and the vendor said it intends to add more databases over time.</p>
<p>The solution uses a multi-modal detector to scrutinize the SQL code going into the database. There are at least five dimensions to the way the code is analyzed, and some dimensions are more complex than others. For example, the IDS looks at the incoming statement and compares it to a series of models it has built up during a learning phase. The IDS asks, is it likely that this incoming statement is an external attack or just a variation of the legitimate application? Have I seen this code before? Does it match patterns that are typically involved in an attack?</p>
<p>The IDS uses numerous algorithms and techniques to discern if the code is likely to be an attack or not. Steve Hunt, president and COO of DB Networks, claims the IDS is highly accurate and produces very few false positives. “We look at statements from a syntax perspective and we try to understand the meaning of the statement,” says Hunt. “We have a parser that understands the meaning of SQL statements. We ask if new statements are consistent with the normal variations the application has expressed in the past from a syntactical viewpoint. If it is, then it is most likely a variation that has come from the application, but if it is varying in a different way, then it is less likely to have come from inside the application.”</p>
<p>When the DB Networks IDS comes across a SQL statement that it considers malicious or even suspicious, the device sends the incident to the company’s regular security systems (such as a SIEM), Hunt said. The alert includes information about the suspicious statement, including the content and the context and how it was done.</p>
<p>“Because we don’t send out false alarms – they are very rare – it turns out that when we send out an alarm, they act on it very quickly,” said DB Networks CEO Brett Helm. “When it hits the SIEM and they know it came from our system, they know it’s real. Also customers don’t want us taking any action on our own—at least not right now. We could shut down the connection but if we did, that could potentially have bad effects upstream. So our customers have consistent policies on how they want attacks to be remediated. One company makes their database read-only until they get a handle on what is going on with the attack.”</p>
<p>Helm described some of the product features that his company considers to be unique. “We discover databases on the fly so you don’t have to do anything. We have installed our product before and the customer has said, ‘We have about 15 databases.’ All of a sudden 57 databases show up and it is a surprise to them. We find what we see on the wire. Hackers sometimes install and spin up a database in a virtual environment, so they can spin up a VM and a database in your network and you would never know it. Once an attacker is inside it is hard to detect him, and he can move from one database to another with impunity. But we can see all of this activity.”</p>
<p>Another key feature, Helm said, is the ability to identify flaws in the legitimate SQL statements that are generated by the application. Helm said this allows a developer to see exactly where he needs to fix the flawed code to improve the performance and behavior of the application.</p>
<p>While IDS has been much maligned for generating false positives and a management burden, deploying IDS internally may not bear the same onus since traffic between application servers and database servers is much more predictable.</p>
<p>Helm pointed out that underlying frameworks upon which web applications are built can sometimes have vulnerabilities. For example, last May hackers were actively exploiting a <a href="http://www.pcworld.com/article/2040062/hackers-exploit-ruby-on-rails-vulnerability-to-compromise-servers-create-botnet.html">critical vulnerability in the Ruby on Rails Web application development framework</a> in order to compromise web servers and create a botnet. The <a href="http://www.computerworld.com/s/article/9239054/Adobe_warns_of_unpatched_critical_flaw_in_ColdFusion">Adobe ColdFusion application server platform has had its vulnerabilities</a> too. “If the underlying framework is vulnerable, the applications built on it are vulnerable as well,” said Helm. “Even so, companies can’t patch the vulnerability as soon as it’s discovered. They have to do QA testing before the patch can go live. In the meantime, we have the ability to monitor it and if someone gets close to the vulnerability, we can alert immediately and they can do something about it.”</p>
<p>In addition to DB Networks’ new core IDS, there are other solutions that help prevent SQL injection attacks. Among them are the <a href="https://www.acunetix.com/">Acunetix</a> Web Vulnerability Scanner; the <a href="https://www.barracuda.com/products/webapplicationfirewall">Barracuda</a> Web Application Firewall; the <a href="http://www.percona.com/software/percona-toolkit">Percona</a> Toolkit for MySQL; <a href="http://www.imperva.com/products/wsc_web-security-and-compliance-overview.html">Imperva</a>’s series of products for Web Application Security; and numerous other tools and products. Application Security Inc, recently acquired by <a href="https://www.trustwave.com/">TrustWave</a>, uses a positive security approach to block known attacks on SQL databases, as does Israel-based GreenSQL.</p>
]]></content:encoded>
					
					<wfw:commentRss>/prevent-sql-injection-attacks-with-db-networks-new-core-ids/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>New Certification Launched for Healthcare Information Security and Privacy Professionals</title>
		<link>/new-certification-launched-for-healthcare-information-security-and-privacy-professionals/</link>
					<comments>/new-certification-launched-for-healthcare-information-security-and-privacy-professionals/#respond</comments>
		
		<dc:creator><![CDATA[Linda Musthaler]]></dc:creator>
		<pubDate>Thu, 07 Nov 2013 22:02:22 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17893</guid>

					<description><![CDATA[<p>Insurance fraud. Identity theft. Financial fraud. These are just a few of the risks associated with storing personal healthcare information online. Healthcare organizations hold some of the most private and&#8230;</p>
<p>The post <a href="/new-certification-launched-for-healthcare-information-security-and-privacy-professionals/">New Certification Launched for Healthcare Information Security and Privacy Professionals</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Insurance fraud. Identity theft. Financial fraud. These are just a few of the risks associated with storing personal healthcare information online. Healthcare organizations hold some of the most private and sensitive information, and if it were to be compromised, a breach of this data could have serious repercussions for individuals and organizations alike.</p>
<p>To address the need for qualified healthcare IT professionals, the International Information Systems Security Certification Consortium, Inc., (ISC)<sup><span style="font-size: small;">2</span></sup> , has launched a new certification, the HealthCare Information Security and Privacy Practitioner <a href="https://www.isc2.org/hcispp/default.aspx">(HCISPP)</a>.</p>
<p>Offered by (ISC)<sup><span style="font-size: small;">2</span></sup>, the global, not-for-profit leader in educating and certifying information security professionals, the HCISPP is the first foundational global standard for assessing information security expertise within the healthcare industry. The credential, now available worldwide, is a demonstration of knowledge by security and privacy practitioners regarding the proper controls to protect the privacy and security of sensitive patient health information as well as their commitment to the healthcare privacy profession.</p>
<p>The certification is aimed at practitioners who are responsible for safeguarding their organizations and sensitive patient data known as Protected Health Information (PHI) against emerging threats and breaches. This would include people in roles such as Medical Records Supervisor, Information Technology Manager, Privacy &amp; Security Consultant, and Compliance Officer.</p>
<p>This is not an entry-level certification. To attain the HCISPP credential, applicants must have a minimum of two years of experience in one knowledge area of the credential that includes security, compliance and privacy. Legal experience may be substituted for compliance and information management experience may be substituted for privacy. One of the two years of experience must be in the healthcare industry. All candidates must be able to demonstrate competencies in each of the following six common body of knowledge (CBK) domains in order to achieve HCISPP:</p>
<ul>
<li>Healthcare Industry</li>
<li>Regulatory Environment</li>
<li>Privacy and Security in Healthcare</li>
<li>Information Governance and Risk Management</li>
<li>Information Risk Assessment</li>
<li>Third Party Risk Management</li>
</ul>
<p>The exam for the certification is available worldwide. Educational materials are currently being developed and will be ready in early 2014. The exam outline provides a self-study aid. It contains an overview of each domain and a list of key knowledge areas in each of the domains, as well as a list of references to aid candidates in studying the domains in depth.</p>
<p>Candidates may find more information about HCISPP, download the exam outline, and register for the exam at https://www.isc2.org/hcispp/default.aspx</p>
<p>The post <a href="/new-certification-launched-for-healthcare-information-security-and-privacy-professionals/">New Certification Launched for Healthcare Information Security and Privacy Professionals</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/new-certification-launched-for-healthcare-information-security-and-privacy-professionals/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Why Select “Video Surveillance” for your IT Systems?</title>
		<link>/why-select-video-surveillance-for-your-it-systems/</link>
					<comments>/why-select-video-surveillance-for-your-it-systems/#respond</comments>
		
		<dc:creator><![CDATA[Linda Musthaler]]></dc:creator>
		<pubDate>Wed, 06 Nov 2013 17:54:26 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17266</guid>

					<description><![CDATA[<p>One day last summer I was in a bank branch, standing in line waiting to conduct my business. Bored, I studied my surroundings and took note of a security camera&#8230;</p>
<p>The post <a href="/why-select-video-surveillance-for-your-it-systems/">Why Select “Video Surveillance” for your IT Systems?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>One day last summer I was in a bank branch, standing in line waiting to conduct my business. Bored, I studied my surroundings and took note of a security camera directed toward the teller station ahead of me. No doubt it was capturing video of each person that approached the teller window and especially of the teller herself who was dispensing cash as customers made withdrawals.</p>
<p>Just two days later, that bank branch was robbed at gunpoint. The evening news had a fairly clear picture of the robber standing in about the same spot I was standing. I guess he didn’t notice (or didn’t care about) the camera that caught the image of him that was flashed on the news and used in a Crime Stoppers press release. A week later I read in the newspaper that the robber had been identified by his photo, apprehended at home and charged with bank robbery.</p>
<p>What if you could put that level of video surveillance to work for you to protect your network? It’s not that you suspect your work colleagues are perpetrating cyber crimes or corporate espionage, but perhaps you need to keep a detailed log of what privileged users are doing on your systems. At the very least, you probably operate under regulatory mandates that dictate the need to audit <em>who</em> is doing <em>what</em> with sensitive data on your network.</p>
<p>Instead of pointing a physical camera toward someone’s face, the view is metaphorically pointed over a user’s shoulder to capture the screen images for everything the person is doing online. In other words, there is no camera at all but rather a series of screen captures that completely document the user interface as someone goes about his work. Strung together, these screen images are like having a high definition surveillance video of what the person is doing online.</p>
<p>This is what <a href="http://www.observeit.com/">ObserveIT</a> does. Whenever someone has access to servers in your organization – for example, system administrators, database administrators or remote contractors – this solution can watch and record what they do. It also can be used to watch what high profile employees do online. Consider the financial services company that wants to record the precise actions of people who execute high value trades or wire transfers. This is an effective way to capture every pull-down menu, every option selected, every button clicked upon, every data value entered, and so on.</p>
<h3>A complement to traditional logs</h3>
<p>ObserveIT differs from traditional logs, which are technical and capture what is happening with machines and systems. ObserveIT captures what’s happening with the user and the applications they use. This user audit trail doesn’t replace traditional logs but complements them by providing visibility into what a user was doing at a given time. This can be helpful in troubleshooting situations when you are trying to discern the root cause of a problem. Machine logs alone may not tell the story, but replaying a video of the configuration changes a system administrator made could pinpoint the problem.</p>
<p>Who has time to watch and analyze hours of screen videos to find a needle in the haystack? With ObserveIT, they say you don’t have to. It turns the user interface video into an English-language transcript of sorts so you can quickly read the sequence of activities someone performed.  What’s more, the transcript log is searchable, so you can enter key words to help you find a specific action or command. Content also can integrate with most of the leading SIEM tools and log management tools like Splunk.</p>
<h3>Simple deployment</h3>
<p>ObserveIT is a software solution, and there are two typical deployments. The first method is to install an agent on a server and then ObserveIT records every time that someone has access to that machine. The user can be physically logged into the server, or going in through remote access or via a server console. The second deployment method is a gateway solution. This is a popular approach, they say, for companies that want to capture the activities of external vendors like managed service providers, outsourcing firms or third party vendors. In this approach, you set up a single terminal server or Citrix server in your DMZ and you route all of your external parties over a VPN to that single machine. Once they log in to that gateway, they do a secondary hop using RDP or SSH to the target servers they want to manage.</p>
<p>There are means to prevent a privileged user from uninstalling or disabling the solution. If it’s installed on a gateway machine, you don’t allow the external users to have administrative access to the gateway. If an agent is installed directly on a server, there is a watchdog that sounds the alarm and restarts the software if the agent is killed. A built-in health check system monitors the watchdog and agent as well. Even if there is downtime between the agent and the application server, there is local caching that will continue to record user activity.</p>
<p>According to ObserveIT, the solution also can be used with cloud applications. Some cloud providers are beginning to offer their customers reporting from ObserveIT so that customers know what is going on with their cloud-based infrastructure, and to help the customers achieve regulatory compliance. The solution also works with cloud-based applications like Salesforce if you want to record what people are doing in those applications. For example, you can play back a video script that would take you to the exact point in Salesforce where you can observe what somebody did within that application. Let’s say there is a contact within Salesforce named John Doe. You can search on all activity that users have done pertaining to John Doe’s records.</p>
<h3>Put activities in context</h3>
<p>ObserveIT says its recordings, unlike traditional system logs, give context. Most organizations today set up policies and rules of who can do what, but policies don’t provide context. For example, if somebody is opening a confidential file like a financial report, that may be fine for that particular user to do. However, if he also is using WebEx or GoToMeeting at the time when he opens the file, and there are outsiders on the meeting site that now can view the confidential report, this may be a violation of company policy. The logs are aimed at providing context.</p>
<p>ObserveIT also provides insight in the event that a hacker breaks into your server. With the agent on that server, it will record what a hacker does—what he opens, what he sees, what he downloads, etc. A traditional log is not constructed to provide this level of detail.</p>
<p>The video files and transcripts generated by ObserveIT are stored in a database. Currently ObserveIT supports Microsoft SQL Server but plans to add Oracle by the end of this year. The data is encrypted and digitally signed when it is stored. The video files reportedly are relatively small because they are triggered by mouse movement and keystroke and not by time interval. Idle time is not recorded, so the videos are only of the actual user interaction with the screen and not the entire length of the session when the user was logged in. This significantly reduces the size of the videos. According to ObserveIT CTO Gaby Friedlander, 1,000 servers that are recorded generate about 700 GB of data per year.</p>
<h3>The session recording market</h3>
<p>Other approaches to recording network traffic include <a href="http://www.ca.com/~/media/Files/DataSheets/CA-Session-Recording-Data-Sheet.pdf">CA&#8217;s Session Recording</a>, XSuite from <a>Xceedium</a>,  Shell Control Box from <a>BalaBit</a>, Timeline from <a href="http://www.wildpackets.com/products/network_recorders/timeline_network_recorder">Wild Packets</a>, SilentRunner from <a href="http://www.accessdata.com/products/digital-forensics/silentrunner-mobile">AccessData</a> and DeepSee Black Box Recorder from Blue Coat&#8217;s <a href="http://www.soleranetworks.com/services/blackbox/">Solera Networks</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/why-select-video-surveillance-for-your-it-systems/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Skyhigh Networks Brings Discovery, Analysis and Security to Cloud Services</title>
		<link>/skyhigh-networks-brings-discovery-analysis-and-security-to-cloud-services/</link>
					<comments>/skyhigh-networks-brings-discovery-analysis-and-security-to-cloud-services/#respond</comments>
		
		<dc:creator><![CDATA[Linda Musthaler]]></dc:creator>
		<pubDate>Tue, 22 Oct 2013 17:57:09 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17268</guid>

					<description><![CDATA[<p>At the start of the year, Wisegate, the networking organization for IT and InfoSec professionals, issued a report on the Top IT Security Threats of 2013. The report opens with&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p>At the start of the year, <a href="http://www.wisegateit.com/">Wisegate</a>, the networking organization for IT and InfoSec professionals, issued a report on the Top IT Security Threats of 2013. The report opens with what these leaders say is the root cause of this year’s most concerning security threats within their organizations:</p>
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td></td>
<td><em>&#8220;Broadly speaking, the main threats that our members are seeing have one underlying root cause: the universe of available IT resources – devices, applications and services – is no longer fully controlled by an official IT department. By this we mean that business units and even individual end users can deploy their own resources such as smart phones, SaaS applications and cloud-based data storage that may not meet corporate security standards but that still have access to the company network or data. This introduces a wide range of IT security threats that are completely unintentional but no less real.&#8221;</em></td>
</tr>
</tbody>
</table>
<p>According to the report, the consumerization of IT means that employees often use technologies and solutions with weak (or even non-existent) security controls to accomplish their work objectives. For example, workers use consumer-oriented data storage services because they are readily available and easy to use.</p>
<p>The use of these types of cloud applications – from storage and file transfer to collaboration and productivity – can put a company at risk for data loss, privacy issues, and non-compliance with regulations and governance controls. However, that doesn’t mean there isn’t value in using these applications. Workers are going to use whatever tools help them do their jobs—whether the tools are endorsed by the IT department or not. This is often referred to as Shadow IT.</p>
<p>The startup company <a href="http://www.skyhighnetworks.com/">Skyhigh Networks</a> aims to solve the dilemma of cloud services that have insufficient security controls. Skyhigh calls itself a “cloud access security company.” With services to discover, analyze and secure cloud applications, Skyhigh enables companies to embrace cloud services by applying the appropriate levels of security, compliance and governance that a business needs. So, rather than blocking workers from using cloud services that help them increase their productivity, the IT department can, according to Skyhigh, support the use of such tools without compromising on security. By leveraging capabilities from Skyhigh, the security controls that are more commonly found with on-premise applications can be added.</p>
<p>Skyhigh’s services are themselves cloud based, so they are easy to deploy and manage. Let’s take a look at the three main functions – discover, analyze, secure – that Skyhigh provides, and how they help to bring cloud applications under control.</p>
<h2>Skyhigh Discover</h2>
<p>The use of cloud today is, in general, ad hoc and outside of the security controls and mechanisms that the IT organization has put in place. IT leaders have completely lost their visibility into what applications are actually being used, and where their data is going outside of the traditional data center.</p>
<p>Rajiv Gupta, Skyhigh’s CEO, says when he talks to prospective customers, they tell him their employees are using between 25 and 40 different cloud services. In reality, the average is between 400 and 500 cloud services, and in some cases it is more than 1,000, according to Gupta. Many CIOs are shocked to learn how many services are really in use. In almost every category of cloud service, employees are using many disparate and incompatible providers. While CISOs are concerned about the loss of control and visibility and the increase in data risk, CIOs are concerned about the roadblocks to collaboration and economies of scale engendered by this incompatible mess.</p>
<p>The Skyhigh Discover service uses an organization’s web traffic logs to determine the cloud services that employees are using. In less than an hour, according to Gupta, an administrator can view a dashboard that reveals precisely which cloud services are being used; which IP addresses are accessing them; how many people within the organization access each service, and how often and when. It’s a real eye-opener for IT administrators who want to regain control over where corporate data is going and how it is being protected.</p>
<h2>Skyhigh Analyze</h2>
<p>Skyhigh has analyzed more than 4,300 cloud services in detail to understand the risks they pose to user organizations. Once a company has discovered what services its workers use, the dashboard displays a composite risk score for each service. For example, there might be ten different data storage services in use, but some are better than others for enterprise use because they offer features such as encryption and user authentication. Skyhigh can recommend alternative services to replace high risk ones. Then the IT department can evaluate the lower risk services, set a company standard and block the use of the high risk services.</p>
<p>Skyhigh also analyzes cloud service usage for anomalous behavior. Consider the company that discovers an employee is downloading 500 contacts a day from its Salesforce.com database. With little context around this behavior, the company can’t know if 500 daily downloads are good or bad. However, Skyhigh can notify the company that the behavior is anomalous when compared to other users of Salesforce.com, where 20 downloads per day is the norm. The company can now explore the suspicious behavior to determine if data theft is a possibility.</p>
<p>The analysis tools in the Skyhigh service help companies make reasonable decisions based on real insight—the kind of insight that they otherwise can’t get from disparate cloud services. Take trends, for example. Skyhigh customers can watch the growth of their users’ cloud services over time. Once the penetration of a specific service reaches a certain level – say 10% of all employees now use this service – the company can leverage this information to negotiate an enterprise license agreement with the service provider in order to reduce costs.</p>
<h2>Skyhigh Secure</h2>
<p>The Skyhigh Secure service offerings help to build enterprise security controls into cloud services that otherwise wouldn’t have them. This includes features such as application auditing, data encryption, data loss prevention, contextual access control, and consistent enforcement of corporate policies as data moves from mobile-to-cloud, premise-to-cloud, and cloud-to-cloud.</p>
<p>Skyhigh appears to have a unique and utterly frictionless way to enforce security policies when end users are accessing cloud apps from their mobile devices (i.e., BYOD). In the absence of Skyhigh, companies that want to enforce controls as workers access cloud services from their own smart phones and tablets typically require those people to utilize a VPN. Traffic from the devices is backhauled through the corporate network, and then sent to applications such as Office 365 or Salesforce.com, which can result in slow performance and a bad user experience.</p>
<p>Gupta says that Skyhigh can take the traffic from mobile devices to the cloud application without requiring a VPN or any agent or download on the device, or any backhaul through the corporate network. He said Skyhigh makes use of the Internet’s DNS infrastructure and traffic rerouting that takes a cloud application’s intended traffic through Skyhigh, where corporate policies are applied before the traffic is sent back to the cloud app. An end user is authenticated, and then corporate policies are applied through Skyhigh. Following this, the user gets forwarded on for normal use of the cloud application—all in the background without any delay or other friction. Optionally, the company can require the user to register their device at Skyhigh before allowing access to the cloud application—again without any download, agent, or other friction to the end user.</p>
<p>Another important security and governance feature Skyhigh says it provides is application auditing. Many regulations (think SOX, HIPAA, etc.) require companies to keep precise logs of important transactions—who has done what, and when. This is easy enough to do when all the transactions are behind the corporate firewall, but it’s a real challenge when they take place in a cloud application. Skyhigh says it brings the ability to audit and log all transactions, including reads and downloads from the cloud application, so if the data from a cloud application gets compromised, there is an audit trail to know who did what.</p>
<p>Many cloud applications – especially those designed for consumer use – don’t have the ability to encrypt data with keys held by the customer, so Skyhigh adds that capability. For example, workers may choose to use Hightail (formerly called YouSendIt) for cloud based data sharing. If Hightail gets compromised or if there is a blind subpoena by the federal government, the data can be disclosed without the owner’s knowledge. Skyhigh can encrypt data in this service to make it more palatable for enterprise use. Skyhigh provides cloud application encryption capabilities that do not break the functionality or the native user experience of the cloud application.</p>
<p>Many companies have deployed data loss prevention (DLP) solutions on-premise, and now Skyhigh can add DLP capabilities to cloud applications. For example, two employees are using Salesforce Chatter to converse about a client. The organization wants to make sure that no sensitive data such as Social Security numbers or credit card numbers gets revealed in the conversation. Skyhigh can look for sensitive data and block it, encrypt it, or send alerts about it.</p>
<p>The Skyhigh Secure capabilities are available today for some of the most popular cloud applications (Salesforce, ServiceNow, Jive, Workday, Office 365, and others), and the company says it will continue to add more cloud applications as customers request them.</p>
<h2>About Skyhigh Networks</h2>
<p>The Cupertino-based company Skyhigh Networks was founded in March 2012 and launched in April 2013. It is backed by Greylock Partners and Sequoia Capital. Skyhigh says it already has a number of customers in the financial services, healthcare, high technology, media, manufacturing and legal industries. The company has partnerships with ISVs such as Salesforce, Workday, Microsoft, Egnyte, Hightail, Dropbox, Box, NetSuite, Google, Jive and Amazon.</p>
<p>“As we were building our company and our solution set,” says Gupta, “we talked to a number of CIOs and CSOs about their pain points. ‘Cloud’ came up over and over again, in terms of increasing agility while reducing costs, but there’s also a concern about the perils of cloud. They were used to having their IT environments under their control, and now with cloud computing it is out of their control. Skyhigh Networks helps organizations get visibility into and control of their employees’ use of third-party cloud services.”</p>
]]></content:encoded>
					
					<wfw:commentRss>/skyhigh-networks-brings-discovery-analysis-and-security-to-cloud-services/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
