Wednesday, September 7, 2011

EDB Card Services AB Brings its HP NonStop™ Audit Into The Enterprise

SIMI VALLEY, California – XYPRO® today announced that, as part of its PCI-DSS project, EDB Card Services AB has successfully implemented its XYGATE Merged Audit (XMA) tool to integrate EDB’s HP NonStop servers with its RSA® enVision SIEM (Security Information and Event Management) system.

EDB Card Services AB, part of EDB ErgoGroup, is one of the leading payments services companies in Scandinavia. It provides a wide range of card-related services including issuing, acquiring, processing, switching, national card blocking etc. for banks and payment operators in Sweden, as well as greater Scandinavia and Europe.

XYGATE Merged Audit (XMA) gathers security audit data from various sources on HP NonStop systems (such as EMS, Safeguard, ODBC, BASE24, XYGATE tools, custom programs etc.) and intelligently merges the security audit data together to form a single SQL database. Log Adapters then export that data to almost any SIEM or central compliance repository. XMA provides extensive reporting capabilities as well as customisable real-time alerts.

“As part of our PCI-DSS (Payment Card Industry Data Security Standard) compliance project, we had to bring our HP NonStop security audit data into the enterprise,” said Sissel Johnsen, Head of Production & Operation at EDB Cards Services AB. “Our previous log tool wasn’t suitable, so we selected XYGATE Merged Audit, which has a far more user-friendly interface and gave us exactly what we needed in terms of collecting the necessary data from our NonStop systems. XYPRO’s RSA Log Adapter ensures all NonStop audit data feeds seamlessly to our RSA enVision SIEM.”

Barry Forbes, XYPRO’s VP of Sales and Marketing said, “We are very happy that EDB Card Services selected XMA as its PCI-DSS NonStop audit solution. Since HP selected XMA in 2010 as the NonStop operating system’s recommended audit solution, we’ve seen a large expansion in our XMA customer base. As our most recent European customer, we know that EDB Card Services will continue to enjoy the same security benefits and efficiencies XYGATE customers around the globe are accustomed to.”

About XYPRO
Founded in 1983, XYPRO Technology Corporation is the market leader in HP NonStop server security, FIPS-validated, cross-platform encryption, audit and compliance solutions.


Contacts

XYPRO Technology Corporation
Barry Forbes, 705-799-0247
VP-Sales and Marketing
barry_f@xypro.com

Wednesday, August 10, 2011

Cybercrime Costs Continue to Dramatically Rise


The recent HP-sponsored study on cybercrime costs (“The Second Annual Cost of Cybercrime Study”, conducted by the Ponemon Institute http://bit.ly/ql8JXP) produced a wealth of interesting and valuable data on the increasing costs of cybercrime.  Some of the key points of the study, which looked at a sample of 50 US organizations, included:
• The average annualised cost of cybercrime to each company was $5.9M, ranging from $1.5M to $36.5M
• These figures represent a 56% increase over the inaugural study conducted last year
• The number of attacks increased by 45% from last year’s study. The companies studied were affected by a total of 72 attacks each week – an average of 1.4 attacks per company per week
• 90% of all cybercrime costs were caused by malicious code, denial of service, stolen devices and web-based attacks
• Average time to resolve cyber attacks was 18 days, with an average cost of $416,000 per attack – a 67% increase from 2010
• Smaller companies are not immune from cyber attacks, and in fact these attacks cost smaller companies more on a per capita basis
• Deploying SIEM solutions can mitigate the impact of cyber attacks. Organizations with SIEM solutions in place realized a saving of 25% because of the ability to quickly detect and contain cybercrimes.
• Companies that deployed a Governance, Risk and Compliance (GRC) program saw significantly reduced costs associated with cyber crime compared with companies that did not have a GRC program. Average costs for the GRC group were $6.8M versus $9.4M for the non-GRC group


Perhaps the most interesting fact to come from the study was:
…recovery and detection are the most costly internal activities, highlighting a significant cost-reduction opportunity for organizations that are able to automate detection and recovery through enabling security technologies.

Reading between the lines of this summary, a few things come to light.  A large number of cyber attacks are “inside jobs”.  Malicious code, stolen devices and other forms of attack are only practical when conducted by insiders.  As such, putting controls in place within the enterprise is critical.  As mentioned in my last blog, ensuring that employees have the ability to do the tasks related to their jobs, and nothing more, is of utmost importance.  Tracking commands issued and security events at a granular level to allow for quick identification of cyber attacks is key to reducing the number and duration of attacks, and therefore the cost.  SIEM devices, whilst extremely useful, need to have data fed to them from all systems and applications in the enterprise to ensure early detection of issues. 

Additional methods of detection should also be considered – have critical files had attributes changed?  Have users been given access that they previously did not have? Have privileged programs, that may be malicious, been installed?

In the NonStop environment, only the XYGATE security suite from XYPRO provides all these capabilities, in an integrated, centrally managed solution.  XYGATE Access Control ensures that only the necessary levels of access to system resources are granted.  All commands and subcommands are audited.  XYGATE Merged Audit integrates consolidated audit data on the NonStop, to give a unified view of all security activity.  It optionally feeds that data to SIEM devices, allowing the NonStop to participate in the single view of the enterprise. 

Perhaps most importantly, XYGATE Compliance PRO monitors a wide range of data on your NonStop, and alerts you when aspects of your system configuration fall outside previously defined boundaries, including unauthorised PROGID’ed programs, users with unauthorized access and unauthorized files on system volumes. Compliance PRO can also compare files from one scan to another, alerting the security administrator if a file’s size changes, or if the security configuration of two systems that previously matched is now different.
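The scan-to-scan comparison and PROGID check described here (and the questions raised above about changed file attributes and newly installed privileged programs) can be illustrated with a small Python baseline diff. This is an added example, not XYPRO’s code, and it says nothing about how Compliance PRO is actually implemented; the file names, owner ids, security strings, sizes and the PROGID allow-list are constructed sample data.

```python
# Added illustration (not XYPRO code): compare two inventories of NonStop-style
# file records and report each security-relevant difference as a finding.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class FileRecord:
    owner: str      # Guardian owner id, e.g. "255,255" for SUPER.SUPER
    security: str   # Guardian RWEP security string, e.g. "NUNU"
    progid: bool    # True when the PROGID attribute is set on the program file
    size: int       # file size in bytes


# Programs the security administrator has approved to run PROGID'ed (constructed).
PROGID_ALLOWLIST: Set[str] = {"$SYSTEM.SYSTEM.FUP"}


def compare_scans(baseline: Dict[str, FileRecord],
                  current: Dict[str, FileRecord],
                  progid_allowlist: Set[str] = PROGID_ALLOWLIST) -> List[str]:
    """Return one finding per difference between the baseline and current scan."""
    findings: List[str] = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            findings.append(f"NEW FILE {name} owner={new.owner} security={new.security}")
        elif new is None:
            findings.append(f"REMOVED FILE {name}")
        else:
            if old.size != new.size:
                findings.append(f"SIZE CHANGED {name}: {old.size} -> {new.size}")
            if old.security != new.security:
                findings.append(f"SECURITY CHANGED {name}: {old.security} -> {new.security}")
            if old.owner != new.owner:
                findings.append(f"OWNER CHANGED {name}: {old.owner} -> {new.owner}")
            if new.progid and not old.progid:
                findings.append(f"PROGID SET {name}")
        # The PROGID policy check applies to every file present in the current scan,
        # whether or not it existed at baseline time.
        if new is not None and new.progid and name not in progid_allowlist:
            findings.append(f"UNAUTHORIZED PROGID {name} (owner {new.owner})")
    return findings


def demo_findings() -> List[str]:
    """Run the comparison over constructed baseline and current scans."""
    baseline = {
        "$SYSTEM.SYSTEM.FUP": FileRecord("255,255", "NUNU", True, 1_204_224),
        "$SYSTEM.SYSTEM.TACL": FileRecord("255,255", "NUNU", False, 2_097_152),
        "$DATA1.PAYAPP.SETTLE": FileRecord("100,10", "GGGO", False, 524_288),
    }
    current = {
        "$SYSTEM.SYSTEM.FUP": FileRecord("255,255", "NUNU", True, 1_204_224),
        "$SYSTEM.SYSTEM.TACL": FileRecord("255,255", "NUNU", False, 2_097_152),
        # security loosened from group/owner to anyone-on-the-network
        "$DATA1.PAYAPP.SETTLE": FileRecord("100,10", "NNNN", False, 524_288),
        # new PROGID'ed program on the system volume, not on the allow-list
        "$SYSTEM.SYSTEM.ZZSHELL": FileRecord("255,255", "NUNU", True, 65_536),
    }
    return compare_scans(baseline, current)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

Unchanged files on the allow-list (FUP, TACL) produce nothing, so the output is only the three conditions an administrator would want to review.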

So, as the incidence and costs of cybercrime continue to rise, it becomes even more important to pay attention to your critical data and applications, and the users who are able to access them.  Automating as much of this process as possible is important in reducing the time for detection, and therefore the costs of these incidents.   XYPRO can help with this – please contact me at andrew_p@xypro.com or your local XYPRO representative for more information.


Andrew Price
Director, Product Management
XYPRO Technology Corporation        


*Be sure to complete our updated survey! You’ll be automatically entered for a chance to win a TouchPad. 
Please note that you’re still eligible to win even if you completed the survey last quarter. 
Simply click here : http://www.xypro.com/survey

Monday, July 11, 2011

Hard on the outside, soft and chewy on the inside…

The title refers to a great quote from a recent Tom Kemp article on Forbes.com http://blogs.forbes.com/tomkemp/2011/07/05/as-hacks-proliferate-new-security-technology-emerges-to-monitor-privileged-it-users/, explaining that the old way of securing a computer system (let only trusted people log on, then let them do whatever they want) no longer suffices. Of course, on NonStop we’ve always had more control over our users than that, but it’s worth considering whether further improvements to security are in order.

These days, with SOX, HIPAA and PCI regulations insisting that we more closely monitor all actions performed by all users, the “hard on the outside, chewy on the inside” approach is not enough.  Guardian and Safeguard allow some level of control over file access, and utility program execution, but do not give the fine-grained access control, nor the necessary level of auditing, that is required. 

The XYGATE Access PRO suite, and the Access Control module it includes, greatly extend the basic access control capabilities provided by the native NonStop security subsystem. NonStop security administrators can control the specific commands and subcommands that each user can issue from any NonStop utility program. Users can also be granted access to specific commands that would normally be outside their capabilities, meaning that shared access to Super and Manager IDs is no longer required for those users to be able to do their job. All commands are audited, and full keystroke logging is also supported.

Once you have implemented more granular access control, the next step in securing your system is to put a good level of auditing in place.  The PCI Data Security Standard (DSS) requirement 10, for example, states “Track and monitor all access to network resources and cardholder data”.  What this means will be specific to your application and environment, but again, it will require more than the standard Guardian/Safeguard levels of security to achieve compliance. 

XYGATE Access PRO supports all this functionality, and has done so since 1990, back when PCI was just a glimmer in someone’s eye.  Whilst the NonStop has always had an enviable security record, my new colleagues at XYPRO have constantly been thinking of ways to ensure that our customers reduce their risk of finding themselves on the front page due to a security incident.  For more information on XYGATE Access PRO, see https://www.xypro.com/index.php?id=24 or contact me at andrew_p@xypro.com.

Andrew Price
Director, Product Management
XYPRO Technology Corporation

Thursday, July 7, 2011

Large European Payment Processor Selects XYPRO to Meet its HP NonStop Server Security and PCI-DSS Requirements.

(July 6, 2011) Simi Valley, CA – XYPRO today announced that Equens SE has successfully implemented its XYGATE suite of security and compliance solutions. Equens will leverage XYGATE to improve its HP NonStop security and achieve PCI-DSS (Payment Card Industry Data Security Standard) compliance.

Equens is one of the largest pan-European payment processors, leading the market for future-proof payments and card processing solutions. With clients and partnerships in multiple European countries and an annual processing volume of 9.7 billion payments and 3.9 billion POS and ATM transactions, Equens SE has a European market share of more than 12.5%.

“When our security team started its PCI-DSS compliance project, we faced the same dilemma as many other large firms,” said Stefan Dusée, Equens’ Security and Control Manager. “We needed a solution that would allow us to meet PCI-DSS as cost-effectively as possible, but also went well above the minimum standards set out by PCI-DSS, thus potentially future-proofing our security standards.”

Equens created a detailed list of requirements, prioritised from “essential” to “desired” and developed a comprehensive RFP. Equens determined that XYPRO’s XYGATE security, compliance and auditing suite offered the best solution to meet their existing and future security and audit needs.

The XYGATE security suite includes role-based access control (RBAC), keystroke audit, user management, real-time alerts, user authentication and the most comprehensive audit and compliance software available for the NonStop server. Equens is using XYGATE security software not only to make its systems as secure as possible, but also for essential, time/labor-saving functionality.

 “We’re confident we made the right choice in selecting XYPRO for our HP NonStop security and compliance enhancements,” said Dusée. “Configuring such an extensive range of products presented quite a challenge, but XYPRO has provided excellent support and training services and the new tools are proving to be worthy investments.”

Barry Forbes, XYPRO’s VP of Sales and Marketing said “We are thrilled to announce Equens’ selection of XYGATE for its PCI-DSS security requirements.  As a valued customer, we know that Equens will continue to enjoy the same security benefits and efficiencies all XYGATE customers are accustomed to.”

About XYPRO
Founded in 1983, XYPRO Technology Corporation is the market leader in HP NonStop server security, encryption, audit and compliance solutions.

www.equens.com


Barry Forbes, XYPRO VP of Sales and Marketing 

Wednesday, June 22, 2011

XYPRO Recent Events: Mobility, Passion, Sir Paul, NFC

HP Discover '11
HP Discover opened with a bang – over 12,000 attendees together in the first general session. We heard Léo Apotheker’s views on mobility, WebOS, and the cloud – a recurring topic for the week. Those of us coming to the show from a NonStop background were wondering how much airplay the NonStop would get in the general sessions, and with at least four mentions in the keynotes, along with almost forty NonStop-specific sessions, most of us left feeling pretty good about the platform and its future. From my perspective, coming back to the NonStop after a few years away, I was impressed at the continuing passion and enthusiasm within the group, and the levels of NonStop representation at the show from HP, ISVs and users. Of course, it’s easy to feel good about participating in such a large show when one of the side benefits is a concert by Paul McCartney, just for conference attendees!

XYPRO had an extremely positive conference, with many good meetings with our customers and our partners at HP. A number of the NonStop-focussed sessions spent time on the importance of security, auditing and compliance, and the role that the XYGATE product suite can play in these critical areas. Our VP of Sales and Marketing, Barry Forbes, is now officially famous, having been video interviewed by one of the bloggers at the show – see http://bit.ly/jgJ91L for more.

The show finished in an even bigger way than it started, with that incredible show from Sir Paul.  There was hardly a single person in the MGM Grand Garden Arena remaining in their seats for the two encores that Paul and his band played.  Simply awesome.

Andrew Price
Director, Product Management


ACE 2011
XYPRO Technology attended ACE, the ACI User Groups Conference at the Del Coronado Hotel (The Del) in San Diego in June.  The conference boasted more than 200 attendees representing more than 70 companies.   Exhibitors represented 22 companies.

The conference began with introductory presentations by the product managers of the various ACI products, followed by a Q&A session. ACI confirmed that BASE24 will be sunset in November; however, only 80 customers out of approximately 300 BASE24 users have migrated or are transitioning to BASE24-eps. An interesting statistic is that out of 2,185 employees, ACI has 700 developers & 600 people dedicated to services.

The keynote speaker, Brett King, gave a very interesting presentation affirming the notion that the future of banking is mobile.  He stressed that banks need to change their approach regarding checking accounts, advertising, and local branches due to younger generations' expectations of mobile transactions. Mr King also stressed the importance of social media for banks.  No amount of advertising can overcome bad experiences recorded on Facebook, Twitter, and other social media sites.

There is a new trend to use NFC (Near Field Communication) devices in the industry. These devices are contactless and passive: their function is triggered by an Initiator sending an RF signal that powers the Target device, which does not require batteries. The Initiator can read the contents of the Target and in some cases write to it.

Nick Puetz from Fishnet Security and Gregory Rosenberg from Trustware gave a valuable presentation covering PCI Best Practices & Securing Sensitive Data, two topics of the utmost importance for the financial industry. Greg Brett from Opera Solutions explained the statistical techniques used to detect credit/debit card fraud on-line prior to a transaction’s approval. These techniques, which are used with BASE24 and BASE24-eps, are helping reduce the amount of fraud experienced by financial institutions running those solutions.

Barry Forbes
Vice President, Sales & Marketing

Tuesday, May 31, 2011

XYGATE Compliance Pro Now Available from HP

XYGATE Compliance PRO simplifies compliance of HP Integrity NonStop server environments

Simi Valley, Calif. – May 26, 2011 – XYPRO Technology Corporation, a leading provider of security software and services for HP NonStop server environments, today announced its security and policy compliance solution, XYGATE Compliance PRO, is now available directly from HP on HP Integrity NonStop servers – including the recently released HP Integrity NonStop BladeSystem NB54000c.

With Compliance PRO, HP NonStop customers can effectively manage aspects of security compliance on their HP NonStop server systems. XYGATE Compliance PRO is a powerful and sophisticated software solution specifically designed for the NonStop platform to better monitor the state of mission-critical systems. It enables enterprises to:
• Analyze system security settings and configurations;
• Gather extensive system data to compare changes in the system from different points in time;
• Track and audit security settings to address risks and protect valuable mission-critical data and intellectual property;
• Build an efficient governance, risk and compliance program that can address regulations, such as PCI, SOX, and HIPAA, across NonStop systems.

“Around the world there are more than 20,000 security and compliance regulations that businesses must meet and more are emerging every year,” said Barry Forbes, vice president, Sales and Marketing at XYPRO. “Organizations today are looking for solutions that simplify risk management and increase the effectiveness of system monitoring in complex information security environments. Compliance PRO does just that, and with this solution now available we have made it even easier to implement security solutions that meet mandated compliance requirements such as PCI.”

“For enterprises, complying with government and commercial regulations while protecting valuable mission-critical data is imperative,” said Bob Kossler, director, strategy and planning, NonStop Business Division, Business Critical Systems at HP. “XYGATE Compliance PRO on NonStop environments helps clients adhere to these regulations and safeguard the data that keeps their businesses up and running.”

About XYPRO
XYPRO Technology offers more than 27 years of knowledge, experience and success in providing HP NonStop information systems tools and services. Businesses that manage and transport business-critical data turn to XYPRO for a variety of solutions. XYPRO helps businesses to better manage security risks, protect assets and gain a competitive edge through compliance while improving efficiency. www.xypro.com

Wednesday, May 18, 2011

XYPRO Technology’s XYGATE/ESDK Achieves NIST Validation for FIPS 140-2 Government Standard

Simi Valley, California, USA – May 18, 2011 – XYPRO Technology Corporation, a leading provider of security software and services for HP NonStop server environments, today announced that the XYGATE Encryption Library (XEL) module XYGATE/ESDK has achieved Federal Information Processing Standards (FIPS) 140-2 validation (Security Requirements for Cryptographic Modules).

FIPS 140-2 validation is mandatory for any cryptographic product that is used in a U.S. government agency network.  The standard is a joint effort by the National Institute of Standards and Technology (NIST) in the United States, and the Communications Security Establishment Canada (CSEC), under the Canadian government. The Cryptographic Module Validation Program (CMVP), headed by NIST, provides module and algorithm testing for FIPS 140-2, which applies to Federal agencies using validated cryptographic modules to protect sensitive government data in computer and telecommunication systems. FIPS 140-2 provides stringent third-party assurance of security claims on any product containing cryptography that may be purchased by a government agency. 

To expedite the FIPS 140-2 validation process, XYPRO partnered with Corsec Security, Inc., a consulting firm with over 13 years of validation experience.  "Corsec is delighted to work with XYPRO on their latest FIPS 140-2 validation," said Matthew Appler, CEO of Corsec. "The FIPS 140-2 process is very detailed and time consuming and only well designed products can make it through validation.  This clearly demonstrates XYPRO’s devotion to provide its customers with a higher level of security assurance."

“Over the past several years, XYPRO has expanded the number of platforms on which we received FIPS validation for our encryption library,” said Lisa Partridge, XYPRO President. “This most recent validation is a testament to our unwavering commitment to security and compliance. FIPS 140-2 validation of the XEL XYGATE/ESDK demonstrates XYPRO’s determination to continue providing customers with a secure and dependable solution.”


The FIPS standard, which is mandated by law in the U.S. and strictly enforced in Canada, is also being reviewed by ISO to become an international standard. FIPS 140-2 is gaining worldwide recognition as an important benchmark for third party validations of encryption products of all kinds. 


About XYPRO
XYPRO Technology offers more than 27 years of knowledge, experience and success in providing HP NonStop information systems tools and services. Businesses that manage and transport business-critical data turn to XYPRO for a variety of solutions. XYPRO helps businesses to better manage security risks, protect assets and gain a competitive edge through compliance while improving efficiency. www.xypro.com

ABOUT CORSEC SECURITY, INC.
Corsec Security, Inc. specializes in helping companies navigate through the complex process of receiving FIPS 140 and Common Criteria (CC) certifications.  Corsec’s consulting, document creation, and laboratory services deliver unmatched expertise in achieving government validation efforts at a firm, fixed price.  Corsec partners with companies around the world to achieve local and international certification and to add security functionality to a wide range of products. Corsec minimizes the time, effort and money a vendor needs to invest in validation while ultimately maximizing the return on that investment. For further information, please visit www.corsec.com.