Tuesday, December 13, 2011

XYPRO Opens New Headquarters

XYPRO Technology Corporation proudly announces the grand opening of its new, larger Headquarters located at 4100 Guardian Street, Suite 100, Simi Valley, California, 93063 USA.


XYPRO Technology has experienced tremendous growth over the past few years and is forecasting a continued positive growth rate for the next 5 years and beyond. We had been at our original Cochran Street location since 1986.

After expanding as much as we could there, we are excited to work every day in our new home. It was more than a great street name that prompted us to choose this particular location: XYPRO employees now enjoy the benefit of a modern, 15,000 sq. ft. ground-floor suite and a larger datacenter, capable of supporting accelerated growth, with redundant power and connectivity. Our new digs also offer enhanced telecommunications and wireless infrastructure, expanded training/education and conference room facilities, and room to grow.

The property at 4100 Guardian St. is a beautifully maintained, two-story, 136,000-square-foot office building built in 1999, on 10.3 acres in the foothills of Simi Valley, California.

Tuesday, November 29, 2011

XYPRO Presents: A Witham Laboratories Presentation:

PCI DSS - Lessons from the Field

If you were unable to attend our webinar on November 1st, please visit our website to view the recorded presentation featuring Dr. Sajal Islam, a Qualified Security Assessor (QSA) from Witham Laboratories. It focuses on what QSAs look for when assessing PCI DSS compliance in a NonStop environment. Witham Laboratories is a leading independent provider of information security evaluations, offering specialist consultancy and advice in payment industry security.

This Webinar provides specific scenarios from the field and covers the following:
• Views and experiences gathered by Witham Laboratories from numerous PCI DSS assessments for NonStop clients.
• A detailed breakdown of the PCI DSS with specific focus on how the PCI DSS requirements apply to the NonStop.
• What issues and areas QSAs typically look for when performing PCI DSS assessments on NonStop.

Achieving PCI Data Security Standard (PCI DSS) compliance is critical for every organization that stores, processes, or transmits card holder data, from the smallest merchants to the largest card issuers.  In short, this Webinar will give you valuable information to help you with your next PCI DSS assessment.

View our recorded webinars here: https://www.xypro.com/xypro/webinars

Representatives from XYPRO are available after your viewing to help explain how XYPRO’s XYGATE suite of security solutions assist you in meeting your PCI DSS obligations.
Barry Forbes

Monday, October 17, 2011

Verizon 2011 Data Breach Investigation Report – breaches down, or are they?

The 2011 Data Breach Investigation Report (DBIR) from Verizon (http://bit.ly/pt5xV9) now incorporates data from the United States Secret Service and the Dutch National High Tech Crime Unit as well as Verizon's own data. It is a comprehensive report, extensively covering data breach activity in 2010, and it draws some interesting, and sometimes almost contradictory, conclusions.

2008 saw a record 361 million records compromised, 2009 saw a reduction to 144 million, and in 2010 that number dropped to 4 million. Hang on, 144 million -> 4 million? As the report says, that's almost a rounding error! Not that 4 million records compromised is good; that's still 4 million more than we'd ideally have to deal with, but it's a pretty radical reduction. So one question might be "Why?". As it turns out, the main reason is that 2010 had virtually no "mega" breaches, the single incidents that add a million or more records to the total. But let's continue to look…

Now that we are more than 9 months through this year, we know enough to judge whether 2010 was part of a long-term trend of data breach reduction, or an anomaly. With the Sony, Epsilon, RSA and Citi breaches already behind us in 2011, the unfortunate news is that the numbers this year are likely to be back up. In fact, numerous industry observers are now saying that 2011 is likely to be the worst year on record in terms of number of records compromised.

So perhaps a better idea is to look at the trends indicated by the Verizon report, along with the knowledge of the 2011 breaches, to identify what we could and should be doing better.

One of the interesting facts from the Verizon report is that, even though the total number of records compromised was (WAY) down, the number of breaches was up (761 in 2010, versus a total of 900 for 2004-2009 combined). This is partly due to the inclusion of the Dutch data, but it also shows that cybercriminals are now willing to attack for smaller returns, which is itself a little worrying.

Another interesting statistic: 83% of all attacks were opportunistic, meaning the victim was selected because they exhibited a weakness or vulnerability that the attacker could exploit. Often these were POS and other systems installed with default user IDs and passwords that had become known within the criminal community. Put another way, closing down these relatively simple (and obvious) loopholes could drastically reduce the occurrence of data breaches.

The other 17% of attacks were targeted, meaning that the victim was first chosen as the target, then a method of exploitation was determined.  Unfortunately, but not surprisingly, the financial industry was most represented in the ranks of the targeted attack victims.

Following on from the targeted attack point, 96% of all records compromised were card numbers and/or card data, a truly worrying figure.

So, what can we learn from this?

We know from the number of attacks in the first half of this year that cybercrime is not decreasing.  Both the number of attacks, and the cost of those attacks, continues to rise.  Cybercriminals utilise opportunistic attacks for relatively small gains in many cases, and targeted attacks on financial institutions.  Card numbers continue to be stolen, in large volumes.

It remains critical to protect sensitive data, both at rest and in transit:
• Use SSL/TLS for data in transit and file encryption for data at rest wherever possible.
• Ensure that the platforms/applications receiving the sensitive data also protect it.
• Get to know the security administrators on those platforms and ask them to do the same with the applications/platforms they share data with.

Remove as many areas of opportunistic attack as possible:
• Don't use default userids and passwords; change them before a system goes into service.
• Put granular access control and auditing in place.
• Feed your audit data (from all platforms and applications) into a SIEM to get an enterprise-wide view of your security events.

XYPRO’s XYGATE security suite can address all these areas, and more.  For more information on how XYGATE can help secure your HP NonStop platform, applications and data, please see our website www.xypro.com, or email me at andrew_p@xypro.com

Andrew Price
XYPRO Technology Corporation

Wednesday, September 7, 2011

EDB Card Services AB Brings its HP NonStop™ Audit Into The Enterprise

SIMI VALLEY, California – XYPRO® today announced that, as part of its PCI-DSS project, EDB Card Services AB has successfully implemented its XYGATE Merged Audit (XMA) tool to integrate EDB's HP NonStop servers with its RSA® enVision SIEM (Security Information and Event Management) system.

EDB Card Services AB, part of EDB ErgoGroup, is one of the leading payments services companies in Scandinavia. It provides a wide range of card-related services including issuing, acquiring, processing, switching, national card blocking etc. for banks and payment operators in Sweden, as well as greater Scandinavia and Europe.

XYGATE Merged Audit (XMA) gathers security audit data from various sources on HP NonStop systems (such as EMS, Safeguard, ODBC, BASE24, XYGATE tools, custom programs etc.) and intelligently merges the security audit data together to form a single SQL database. Log Adapters then export that data to almost any SIEM or central compliance repository. XMA provides extensive reporting capabilities as well as customisable real-time alerts.

“As part of our PCI-DSS (Payment Card Industry Data Security Standard) compliance project, we had to bring our HP NonStop security audit data into the enterprise,” said Sissel Johnsen, Head of Production & Operation at EDB Card Services AB. “Our previous log tool wasn’t suitable, so we selected XYGATE Merged Audit, which has a far more user-friendly interface and gave us exactly what we needed in terms of collecting the necessary data from our NonStop systems. XYPRO’s RSA Log Adapter ensures all NonStop audit data feeds seamlessly to our RSA enVision SIEM.”

Barry Forbes, XYPRO’s VP of Sales and Marketing, said, “We are very happy that EDB Card Services selected XMA as its PCI-DSS NonStop audit solution. Since HP selected XMA in 2010 as the NonStop operating system’s recommended audit solution, we’ve seen a large expansion in our XMA customer base. As our most recent European customer, we know that EDB Card Services will continue to enjoy the same security benefits and efficiencies XYGATE customers around the globe are accustomed to.”

About XYPRO
Founded in 1983, XYPRO Technology Corporation is the market leader in HP NonStop server security, FIPS-validated, cross-platform encryption, audit and compliance solutions.


Contacts

XYPRO Technology Corporation
Barry Forbes, 705-799-0247
VP-Sales and Marketing
barry_f@xypro.com

Wednesday, August 10, 2011

Cybercrime Costs Continue to Dramatically Rise


The recent HP-sponsored study on cybercrime costs (“The Second Annual Cost of Cybercrime Study”, conducted by the Ponemon Institute http://bit.ly/ql8JXP) produced a wealth of interesting and valuable data on the increasing costs of cybercrime.  Some of the key points of the study, which looked at a sample of 50 US organizations, included:
• The average annualised cost of cybercrime to each company was $5.9M, ranging from $1.5M to $36.5M
• These figures represent a 56% increase over the inaugural study conducted last year
• The number of attacks increased by 45% from last year’s study. The companies studied were affected by a total of 72 attacks each week – an average of 1.4 attacks per company per week
• 90% of all cybercrime costs were caused by malicious code, denial of service, stolen devices and web-based attacks
• Average time to resolve a cyber attack was 18 days, with an average cost of $416,000 per attack – a 67% increase from 2010
• Smaller companies are not immune from cyber attacks, and in fact these attacks cost smaller companies more on a per capita basis
• Deploying SIEM solutions can mitigate the impact of cyber attacks. Organizations with SIEM solutions in place realized a saving of 25% because of the ability to quickly detect and contain cybercrimes
• Companies that deployed a Governance, Risk and Compliance (GRC) program saw significantly reduced cybercrime costs compared with companies that did not have a GRC program. Average costs for the GRC group were $6.8M versus $9.4M for the non-GRC group


Perhaps the most interesting fact to come from the study was:
…recovery and detection are the most costly internal activities, highlighting a significant cost-reduction opportunity for organizations that are able to automate detection and recovery through enabling security technologies.

Reading between the lines of this summary, a few things come to light. A large number of cyber attacks are “inside jobs”, or depend on insider access: stolen devices and malicious code planted on internal systems are far easier for someone who already has a foothold inside the enterprise. As such, putting controls in place within the enterprise is critical. As mentioned in my last blog, ensuring that employees have the ability to do the tasks related to their jobs, and nothing more, is of utmost importance. Tracking commands issued and security events at a granular level, so that an attack can be identified quickly, is key to reducing the number and duration of attacks, and therefore the cost. SIEMs, whilst extremely useful, need to have data fed to them from all systems and applications in the enterprise to ensure early detection of issues.

Additional methods of detection should also be considered – have critical files had attributes changed?  Have users been given access that they previously did not have? Have privileged programs, that may be malicious, been installed?

In the NonStop environment, only the XYGATE security suite from XYPRO provides all these capabilities, in an integrated, centrally managed solution.  XYGATE Access Control ensures that only the necessary levels of access to system resources are granted.  All commands and subcommands are audited.  XYGATE Merged Audit integrates consolidated audit data on the NonStop, to give a unified view of all security activity.  It optionally feeds that data to SIEM devices, allowing the NonStop to participate in the single view of the enterprise. 

Perhaps most importantly, XYGATE Compliance PRO monitors a wide range of data on your NonStop, and alerts you when aspects of your system configuration fall outside previously defined boundaries, including unauthorised PROGID’ed programs, users with unauthorized access and unauthorized files on system volumes. Compliance PRO can also compare files from one scan to another, alerting the security administrator if a file’s size changes, or if the security configuration of two systems that previously matched is now different.
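To make the detection questions above concrete (changed file attributes, users who gained access, newly installed privileged programs, two systems that should match), here is an added Python example. It is not Compliance PRO and not its data format; it compares two constructed snapshots and reports the drift. The snapshot layout, the attribute names (loosely modelled on Guardian owner, RWEP security string, PROGID flag and size) and every file and user name are assumptions made for the example. The same compare() serves both cases the post mentions: two scans of one system over time, or one scan each of two systems that are supposed to be identical.

```python
# Constructed snapshots (assumption): attribute names loosely follow Guardian file
# attributes (owner, RWEP security string, PROGID flag, size); layout and all
# file/user names are invented for this example, not taken from any product.
BASELINE = {
    "files": {
        "$SYSTEM.SYSTEM.TACL": {"owner": "SUPER.SUPER", "security": "NUNU", "progid": False, "size": 1048576},
        "$DATA.APP.PAYPROC":   {"owner": "APP.OWNER",   "security": "OOOO", "progid": False, "size": 524288},
        "$DATA.APP.CARDDB":    {"owner": "APP.OWNER",   "security": "OOOO", "progid": False, "size": 8388608},
    },
    "users": {
        "OPS.JANE": {"FUP.INFO", "FUP.COPY"},
        "OPS.BOB":  {"FUP.INFO"},
    },
}

CURRENT = {
    "files": {
        "$SYSTEM.SYSTEM.TACL":   {"owner": "SUPER.SUPER", "security": "NUNU", "progid": False, "size": 1048576},
        "$DATA.APP.PAYPROC":     {"owner": "APP.OWNER",   "security": "NUNU", "progid": False, "size": 524288},   # security loosened
        "$DATA.APP.CARDDB":      {"owner": "APP.OWNER",   "security": "OOOO", "progid": False, "size": 8912896},  # size changed
        "$SYSTEM.SYSTEM.HELPER": {"owner": "SUPER.SUPER", "security": "NUNU", "progid": True,  "size": 65536},    # new PROGID'd program
    },
    "users": {
        "OPS.JANE": {"FUP.INFO", "FUP.COPY", "FUP.PURGE"},  # gained PURGE since the baseline
        "OPS.BOB":  {"FUP.INFO"},
    },
}


def diff_files(base, cur):
    """Report new, missing and changed files; flag a new file that carries PROGID."""
    findings = []
    for name in sorted(set(base) | set(cur)):
        b, c = base.get(name), cur.get(name)
        if b is None:
            findings.append(("new_file", name, ""))
            if c.get("progid"):
                findings.append(("new_privileged_program", name, f"owner={c['owner']}"))
        elif c is None:
            findings.append(("missing_file", name, ""))
        else:
            # Only attributes whose value differs are reported, one finding each.
            for attr in sorted(set(b) | set(c)):
                if b.get(attr) != c.get(attr):
                    findings.append(("attr_changed", name, f"{attr}: {b.get(attr)} -> {c.get(attr)}"))
    return findings


def diff_access(base, cur):
    """Report privileges a user gained or lost between the two snapshots."""
    findings = []
    for user in sorted(set(base) | set(cur)):
        before, after = base.get(user, set()), cur.get(user, set())
        for priv in sorted(after - before):
            findings.append(("access_added", user, priv))
        for priv in sorted(before - after):
            findings.append(("access_removed", user, priv))
    return findings


def compare(baseline, current):
    """Findings as (kind, object, detail). Works for scan-vs-scan on one system,
    or system-vs-system when two systems are supposed to match."""
    return (diff_files(baseline["files"], current["files"])
            + diff_access(baseline["users"], current["users"]))


def alerts(findings, severe=("new_privileged_program", "access_added", "attr_changed")):
    """Subset worth waking the security administrator for; a plain new file is
    logged but not alerted until someone decides it matters."""
    return [f for f in findings if f[0] in severe]


if __name__ == "__main__":
    for kind, obj, detail in compare(BASELINE, CURRENT):
        print(f"{kind:24} {obj:24} {detail}")
```

In practice the baseline would be a scan taken when the system was last known good and signed off; the value of the comparison comes from re-running it on a schedule and feeding the alerts() subset to the SIEM, so that a loosened security string or a freshly PROGID'd program is noticed in hours rather than at the next assessment.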

So, as the incidence and costs of cybercrime continue to rise, it becomes even more important to pay attention to your critical data and applications, and the users who are able to access them.  Automating as much of this process as possible is important in reducing the time for detection, and therefore the costs of these incidents.   XYPRO can help with this – please contact me at andrew_p@xypro.com or your local XYPRO representative for more information.


Andrew Price
Director, Product Management
XYPRO Technology Corporation        


*Be sure to complete our updated survey! You’ll be automatically entered for a chance to win a TouchPad. 
Please note that you’re still eligible to win even if you completed the survey last quarter. 
Simply click here : http://www.xypro.com/survey

Monday, July 11, 2011

Hard on the outside, soft and chewy on the inside…

The title refers to a great quote from a recent Tom Kemp article on Forbes.com http://blogs.forbes.com/tomkemp/2011/07/05/as-hacks-proliferate-new-security-technology-emerges-to-monitor-privileged-it-users/, explaining that the old way of securing a computer system (let only trusted people log on, then let them do whatever they want) no longer suffices. Of course, on NonStop we’ve always had more control over our users than that, but it’s worth considering whether further improvements to security are in order.

These days, with SOX, HIPAA and PCI regulations insisting that we more closely monitor all actions performed by all users, the “hard on the outside, chewy on the inside” approach is not enough.  Guardian and Safeguard allow some level of control over file access, and utility program execution, but do not give the fine-grained access control, nor the necessary level of auditing, that is required. 

The XYGATE Access PRO suite, and the Access Control module it includes, greatly extend the basic access control capabilities provided by the native NonStop security subsystem. NonStop security administrators can control the specific commands and subcommands that each user can issue from any NonStop utility program. Users can also be granted access to specific commands that would normally be outside their capabilities, meaning that shared access to Super and Manager IDs is no longer required for those users to be able to do their job. All commands are audited, and full keystroke logging is also supported.

Once you have implemented more granular access control, the next step in securing your system is to put a good level of auditing in place.  The PCI Data Security Standard (DSS) requirement 10, for example, states “Track and monitor all access to network resources and cardholder data”.  What this means will be specific to your application and environment, but again, it will require more than the standard Guardian/Safeguard levels of security to achieve compliance. 
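As an added illustration of the two ideas above, command- and subcommand-level grants instead of a shared super ID, and an audit record for every decision, the following Python models a small policy engine. It is not XYGATE code and does not describe how XYGATE implements its rules; the rule format, the utility and command names (FUP, SCF, INFO, PURGE, START LINE) used as policy objects, the user IDs and the session are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    """One grant or denial; every field is a case-insensitive glob pattern."""
    user: str        # "OPS.JANE" or "OPS.*"
    utility: str     # "FUP", "SCF" or "*"
    command: str     # "INFO", "PURGE" or "*"
    subcommand: str  # "*" when the command takes no subcommand
    allow: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class CommandACL:
    """Rules are evaluated in order; first match wins; no match means deny."""

    def __init__(self, rules):
        self.rules = tuple(rules)
        self.audit = []  # one record per decision, allowed or denied

    def check(self, user, utility, command, subcommand="", text=""):
        key = (user.upper(), utility.upper(), command.upper(), subcommand.upper())
        decision = Decision(False, "no matching rule (default deny)")
        for i, r in enumerate(self.rules):
            pats = (r.user, r.utility, r.command, r.subcommand)
            if all(fnmatchcase(v, p.upper()) for v, p in zip(key, pats)):
                verdict = "ALLOW" if r.allow else "DENY"
                decision = Decision(r.allow, f"rule {i}: {verdict} {pats}")
                break
        # The full command text is kept as well: that is the keystroke-level
        # trail an assessor uses to reconstruct what a user actually did.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": key[0], "utility": key[1], "command": key[2],
            "subcommand": key[3], "text": text,
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def denied(self):
        return [rec for rec in self.audit if not rec["allowed"]]


# Constructed policy (assumption). Order matters: the narrow DENY on PURGE is
# listed before the broad grants so a later pattern cannot shadow it.
RULES = (
    Rule("OPS.*",    "FUP", "PURGE",  "*",    allow=False),  # operators never purge
    Rule("OPS.*",    "FUP", "INFO",   "*",    allow=True),
    Rule("OPS.*",    "FUP", "COPY",   "*",    allow=True),
    Rule("OPS.JANE", "SCF", "STATUS", "*",    allow=True),   # read-only SCF, one user
    Rule("OPS.JANE", "SCF", "START",  "LINE", allow=True),   # one privileged action, no shared super ID
)


def demo():
    """Constructed session; returns the number of requests that were denied."""
    acl = CommandACL(RULES)
    acl.check("ops.jane", "fup", "info",  "",     "FUP INFO $DATA.APP.*")
    acl.check("ops.jane", "scf", "start", "line", "SCF START LINE $LINE01")
    acl.check("ops.bob",  "scf", "start", "line", "SCF START LINE $LINE01")      # denied: no rule for BOB
    acl.check("ops.bob",  "fup", "purge", "",     "FUP PURGE $DATA.APP.OLDLOG")  # denied: explicit rule
    acl.check("ops.jane", "scf", "stop",  "line", "SCF STOP LINE $LINE01")       # denied: only START granted
    return len(acl.denied())


if __name__ == "__main__":
    print(f"denied: {demo()}")
```

Two points are worth noticing. Every request, allowed or not, lands in the audit list, because requirement 10 is about tracking access, not just failures; a log that only shows denials tells you nothing about what a legitimately privileged user did. And the default is deny with first-match-wins ordering, which is why the explicit PURGE denial sits at the top; if it were below a broad "*" grant it would never be reached.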

XYGATE Access PRO supports all this functionality, and has done so since 1990, back when PCI was just a glimmer in someone’s eye.  Whilst the NonStop has always had an enviable security record, my new colleagues at XYPRO have constantly been thinking of ways to ensure that our customers reduce their risk of finding themselves on the front page due to a security incident.  For more information on XYGATE Access PRO, see https://www.xypro.com/index.php?id=24 or contact me at andrew_p@xypro.com.

Andrew Price
Director, Product Management
XYPRO Technology Corporation

Thursday, July 7, 2011

Large European Payment Processor Selects XYPRO to Meet its HP NonStop Server Security and PCI-DSS Requirements.

(July 6, 2011) Simi Valley, CA – XYPRO today announced that Equens SE has successfully implemented its XYGATE suite of security and compliance solutions. Equens will leverage XYGATE to improve its HP NonStop security and achieve PCI-DSS (Payment Card Industry Data Security Standard) compliance.

Equens is one of the largest pan-European payment processors, leading the market for future-proof payments and card processing solutions. With clients and partnerships in multiple European countries and an annual processing volume of 9.7 billion payments and 3.9 billion POS and ATM transactions, Equens SE has a European market share of more than 12.5%.

“When our security team started its PCI-DSS compliance project, we faced the same dilemma as many other large firms,” said Stefan Dusée, Equens’ Security and Control Manager. “We needed a solution that would allow us to meet PCI-DSS as cost-effectively as possible, but also went well above the minimum standards set out by PCI-DSS, thus potentially future-proofing our security standards.”

Equens created a detailed list of requirements, prioritised from “essential” to “desired” and developed a comprehensive RFP. Equens determined that XYPRO’s XYGATE security, compliance and auditing suite offered the best solution to meet their existing and future security and audit needs.

The XYGATE security suite includes role-based access control (RBAC), keystroke audit, user management, real-time alerts, user authentication and the most comprehensive audit and compliance software available for the NonStop server. Equens is using XYGATE security software not only to make its systems as secure as possible, but also for essential, time/labor-saving functionality.

“We’re confident we made the right choice in selecting XYPRO for our HP NonStop security and compliance enhancements,” said Dusée. “Configuring such an extensive range of products presented quite a challenge, but XYPRO has provided excellent support and training services and the new tools are proving to be worthy investments.”

Barry Forbes, XYPRO’s VP of Sales and Marketing said “We are thrilled to announce Equens’ selection of XYGATE for its PCI-DSS security requirements.  As a valued customer, we know that Equens will continue to enjoy the same security benefits and efficiencies all XYGATE customers are accustomed to.”

About XYPRO
Founded in 1983, XYPRO Technology Corporation is the market leader in HP NonStop server security, encryption, audit and compliance solutions.

www.equens.com


Barry Forbes, XYPRO VP of Sales and Marketing