XYPRO, HP Security Voltage join Cyber-Security Gurus for Security Serious Week

November 2nd, 2015
XYPRO - Security Serious Week

XYPRO - Security Serious Week Partners

Monday October 26th kicked off with the launch of Security Serious Week where over 100 cyber-security experts came together for a photo call outside Tower of London to show support for a more secure online future and put a stop to the number of breaches hitting major organisations!

The first ever Security Serious Week, ran from Monday 26 to Friday 30 October and saw 70 of the world’s most renowned experts in cyber-crime and security freely offering their time and expertise to companies who want to become more security savvy and cyber-aware. A timetable of conferences, workshops, training sessions and webinars took place throughout the week and was aimed at educating users in a number of security disciplines.

XYPRO and our long-standing technology partner HP were both in attendance to promote regulatory compliance, encryption and tokenisation. XYPRO partners with HP to provide auditing and user authentication functionality to high-end HPE Integrity NonStop servers. Our XDP solution also serves to bring HP Security Voltage advanced tokenisation and format preserving encryption functionality to the HPE Integrity NonStop server.


XYPRO & HP at Security Serious Week

Security Serious has a microsite detailing everything that is being organised and offered over the five days, including a resource library containing a number of government sponsored and industry donated literature that informs organisations of their obligation to protect the data they collect and best practices to do so.

Yvonne Eskenzi, the driving force behind this campaign, explained, “Security Serious is all about those that can’t, learning from those that can – it’s simple really. The week brings together our leading experts to convey their words of wisdom to those people and organisations who want to become more security savvy.  The response we’ve received for this campaign, and the calibre of the supporters on board, all prepared to selflessly give their time to help create a safer online community is inspiring.”

Security Serious has attracted a number of high-profile supporters from the UK’s leading businesses, universities, associations and government bodies – including: Unilever, BT, HP Security Voltage, XYPRO, Canon UK, HSBC, Publicis Groupe, GlaxoSmithkline and many of the world’s leading IT security vendors.

To find out more about Security Serious, the organisations supporting the campaign and planned events, visit Security Serious

To learn more about the XYGATE Data Protection solution to enhance the HP Security Voltage Tokenisation solution for HPE Integrity NonStop servers, visit XYGATE Data Protection

Sean Bicknell

Sales Manager, Americas & EMEA

XYPRO Technology

Security Intelligence – Intercepting “Low and Slow”

October 9th, 2015

Security Intelligence

Originally published in Connect Converge – Fall 2015, pg. 20

Security has been a lifelong passion of mine. Growing up, I constantly pushed the envelope of what was possible. This was strictly for “research” purposes of course. I would spend a lot of my time after school (and sometimes during school) seeing what systems I could gain access to, discovering obscure security “features”, using my Svengali-like charm for social engineering or exploiting just plain security negligence . This was for no other reason than self-satisfaction, to cure a little bit of boredom and, to obtain some online fame. It was fun. I felt cool.  I WAS that kid in my parent’s basement, but as I was sitting in my parent’s basement banging away on my keyboard, I was pwning your tech! The dot-com bubble was just forming and n00bz didn’t stand a chance.

I look back at the wealth of experience gained from the need to alleviate boredom in my early life and wonder how trivial it would have been for someone to notice what I was doing and to shut me down, but in the late 90s, security wasn’t just an afterthought – it was virtually non-existent. No one was keeping an eye out whether the system was being used for anything other than for what it was originally intended.

MTTD in Today’s World

Fast forward twenty years and security is at the forefront of everyone’s minds, yet common security oversights of best practices and negligence are still very much part of today’s landscape. The Mean Time To Detection (MTTD) of a security incident is still over 200 days!¹ That translates to an attacker being in your systems for at least six months on average until someone notices, that is – if – someone notices. In my day, the issue was that no-one was tracking my activities – nowadays there is audit data being generated everywhere.  The problem has shifted from not enough data to too much data.


Figure 1.¹

In an era where everyone is used to, and in fact demands, instant gratification, and where we have a one hundred billion dollar plus cyber security industry providing the tools and solutions to satisfy that demand, MTTD is still 6+ months. We cannot underestimate the ability of criminals to stay ahead of conventional solutions by constantly adapting – allowing them to hide their malicious intentions or simply fly under the radar.  These low and slow attacks have become the Achilles heel of organizations worldwide. The data breaches that will be announced next year are taking place right now, as you’re reading this article. The attackers are already in the networks and systems doing their reconnaissance work, exfiltrating data, planning their next move – all the while, blending into the noise of everyday business users and operations for months and years at a time. How can one detect these anomalies?

Data is King

We use data every day to gain insight, plan our next moves and run our organizations. Too little data and you’re not getting the complete picture to make an informed decision, too much data and you’re overwhelming your staff and drowning in the noise to make any sense out of it.  Analyzing the vast amounts of data to detect pattern anomalies requires specialized knowledge and takes time. Attackers know this.

Traditional SIEMs and log management devices do what they do well. They aggregate data from multiple sources, report on the verticals you tell them to report on, and allow your auditor to put a tick in the PCI-DSS compliance checkbox for requirement 10.5.3. You would think that should make your CISO sleep better at night, but ticking the compliance box is all that exercise will allow you to do, and I guarantee you your CISO is not sleeping any better at night.

We are bombarded by marketing buzz words like “Big Data” and “Data Lakes”; how can we strip away the marketing buzz and introduce the concepts into our security strategy and use them to our advantage?

Hello Security Intelligence!

Security Intelligence and Analytics is the concept of collecting, normalizing and correlating the data you already have access to from the myriad systems and solutions that have been deployed in the enterprise. Typically a time consuming exercise for highly skilled data scientists, applying computer based algorithms and data analytics to the vast amount of data in order to detect valid security events introduces a new dimension to data intelligence that can be used for tracking security incidents before they occur, ultimately reducing the Mean Time to Detection, and potentially saving organizations millions of dollars and often more importantly – from appearing on the front pages.

Security Intelligence algorithms and analysis techniques take the data sets that are already  being generated from disparate sources in your enterprise, such as security audits, application logs, network flows, vulnerability management, configuration data, keystroke logs etc… It slices and dices that data, pivots the data and ultimately correlates the common elements between these unrelated sources while adding a layer of context to the correlation based on specific indicators of compromise for that system. You have now armed yourself with a proactive method to track anomalies and detect security events important to your environment, while separating the noise from the actionable data.

This real time correlation and contextualization of data sources enables notifications to security analysts of the anomalies that are being measured on a system as they’re occurring. Say for example commands are being issued on a system that are not typical of the user issuing them.  By recognizing this and correlating that activity with suspicious network flow and additional sources of data, security intelligence algorithms can detect and alert that something is happening on the system that is outside of what is normal for the given environment. This powerful concept provides meaningful comprehension of the data, allowing security practitioners to have the upper hand in detecting suspicious activity before you’ve reached the tipping point..

Highest ROI in the Enterprise

Sorting through millions of events to find something that is important to you is a near futile effort. It’s like searching for the proverbial needle in a haystack, meanwhile, more hay is being shoveled onto the stack at an alarming rate. This taxes resources, sends people and applications down rabbit holes chasing false positives, compromises system availability and ultimately wastes time and money, not to mention everything else involved with a large breach. This is why it’s 2015 and the MTTD is still 200+ days.

Staff Time Requirements

Figure 2.

The value of security intelligence and the way it takes the human effort involved in data analysis, contextualization, correlation and pattern matching and automates it cannot be underestimated.,. This complex analysis allows for efficient and effective processing of security data, so your security team can make quicker, informed decisions on events that are relevant to them. This in turn yields additional benefits by reducing operational costs, simplifies management, enhances security and increases response times. This is why Security Intelligence and Analytics have one of the highest perceived ROIs compared to its cost.

Organizations recognize the value of intelligence based on data analysis in other parts of their business strategy, like marketing – security intelligence is no different. Being able to leverage the data you already have access to through automated analysis empowers your organization to quickly and efficiently deal with the threats that are constantly evolving.


Steve Tcherchian, CISSP
XYPRO Technology

XYPRO – PCI SSC North America Community Meeting – September 29th

September 25th, 2015

XYPRO is looking forward to seeing you at the 9th annual PCI SSC North America Community Meeting in Vancouver on September 29th. From the world’s largest corporations to small Internet stores, compliance with the PCI Data Security Standard (PCI DSS) is vital for all merchants who accept credit cards, online or offline, because nothing is more important than keeping your customer’s payment card data secure.

For over 30 years, XYPRO Technology Corporation has been a leader in protecting mission-critical systems for the banking, financial services and payments processing industries. As specialists in the HP NonStop server, XYPRO closely partners with HP to enhance NonStop server security and compliance, and HP bundles certain XYPRO solutions with the NonStop OS.

XYPRO is excited to feature XYGATE Data Protection (XDP) which provides Enterprise-wide Format Preserving Encryption (FPE), Secure Stateless Tokenization (SST) and Key Management with no application changes. Visit XYPRO at booth #40 to learn more about XDP and how it can help you protect your sensitive data and help you meet PCI compliance.

“As we advance payment security to fight back against cybercrime, collaboration is crucial,” said Payment Card Industry (PCI) Security Standards Council General Manager Stephen W. Orfei. “We’re pleased to have XYPRO participating in our North America Community Meeting in Vancouver and in the work we are doing every day at the PCI Council to protect payment transactions globally.”

Go Easy on Your CISO – They’re Under a Lot of Pressure

September 22nd, 2015

CISO Stressed

Threats are everywhere. And it’s no secret cyber criminals are getting more organized and working more patiently to accomplish their objective: stealing your data, access to which is provided via an infinite number of channels. There are currently an estimated five billion devices connected to the internet today and Gartner estimates that number to grow to 25 billion + by 2020. That’s almost 4 devices for every man, woman and child on the planet. Look around your desk. How many connected devices do you count? 5? 6? More? Further, just how many of these devices are being brought into and connected to the enterprise at work, exposing not just you, but your company to further risk? A recent article I read described the exponential increase of connected devices – including devices such as smart ice cubes that pulse to the beat of your music and monitor how much you’re drinking and smart diapers that can tell you when the baby needs to be changed! Every one of those devices pose a risk at home and work. This risk increases the strain on security resources that now have to be responsible for plugging up every hole, even ones they don’t know about.

The odds are against your success

Security professionals in today’s landscape have to be right 100% of the time to stop criminals, whereas the criminals only need to be right once. Those are pretty scary odds considering all the different devices they need to take into account. You would get better odds if you were to wager that I’d end up being the President of the Moon. I kind of like the sound of that.

I’ve been in the security space for nearly my entire career. Back in the old days, security was nothing more than installing a small firewall in a locked room that also housed the cleaning supplies because someone said a firewall was the right thing to do. Back then, the only time sensitive part of the job was ensuring the antivirus software on everyone’s system was up to date. Synching your phone was simply putting your Palm Pilot or Windows CE on its cradle to sync your contacts and calendar and working from home meant printing out your spreadsheets to take with you. As a CISO now, the number and magnitude of security risks that have to be factored into the day-to- day monitoring and overall corporate strategy are mind blowing. BYOD, IoT, VPN, ISO, PCI are all acronyms CISO’s lose sleep over. As a profession, we not only need to worry about the outside attackers intentionally threatening everything in our organizations, but we also have to make sure our legitimate inside users are informed  enough  so they’re not going to accidently open our systems to a vulnerability or circumvent security controls because “It gets in the way of doing real work”. We have all received those tempting emails offering an all-expenses paid trip to Tahiti or texts saying that we are entitled to a ten million dollar Nigerian inheritance; all we have to do is send them our SSN and corporate password to collect our riches. How do you ensure your users are armed with enough information so they know not to click or respond to obvious phishing scams as well as the more sophisticated ones designed to look perfectly legit?

Couple all that with the 100 different security tools we need to deploy from 50 different security vendors all with their own proprietary implementation and it’s a mystery to me why anyone would want to willingly work in the cybersecurity space. Don’t even get me started on physical security and regulatory compliance. Good luck getting any sleep at night! (Have I mentioned I’m thinking about switching careers to become a fisherman?)

You’re only as strong as your weakest link

You can spend millions of dollars on the fanciest security hardware with cool flashing lights and engage every vendor for their “Next Gen Security Whatever” solution, but all that aside, one gigantic vulnerability still exists in every organization. PEOPLE. Users are the single largest vulnerability when it comes to cybersecurity. In fact, studies show that 95% of successful security attacks are the result of human error – that is a scary number. Users can be manipulated into giving up sensitive information. Users can forget proper protocols and passwords, they can even forget that they’re not supposed to click that link!

A proper security awareness program with frequent reinforcement messages that advocate vigilance will help arm your users with the knowledge needed to protect your organization. Most regulatory compliance and security frameworks incorporate and in fact require a security awareness program for users. There is no use locking all the doors and windows when the users are going to continuously open them again. Informing your users why and how they should keep windows and doors locked empowers them with the information they need to turn them from our biggest vulnerability to our greatest asset. Security is no longer an IT problem, it is a business problem and security professionals at all levels need to work together to minimize the risk of the “people factor” and maximize the success of their security posture. As such, consider the following points to assist in the success of your security program.

  1. Executive Support – A security awareness initiative without executive support will not get much traction with the rest of the organization. If the executives don’t see the value, other key departments you need to work with won’t either. Getting this level of support can be difficult, even though there is a correlation between compliance and awareness efforts and reducing corporate risk.
  2. Peer and Interdepartmental Support – Everyone is busy, but just as important as getting executive support is getting departmental support. If people don’t see the direct value of your program, it’s not likely to succeed. Tailor your message to the specific department. Partner with them. Make key departments such as legal, HR and finance understand they have a vested interest. As security practitioners, we know we have to work up, down and sideways to get the support needed for our initiatives to be successfully implemented.
  3. Walk before you run – When it comes to security awareness, there isn’t a one size fits all solution. Depending on your industry and company culture, you will need to evaluate your audience and their level of expertise and cater your program to allow your audience to extract the most value out of your message.
  4. Have a Plan – I cannot stress this enough. After getting everyone to support your program, you need a way to execute and measure the success of the initiative. Compliance programs, such as PCI have their suggested methods, but these should be used as a baseline or framework to build on and customize for your organization. Create a 90 day plan and identify key performance indicators to keep your program successful and progressing.
  5. Reinforce, Reinforce, Reinforce – It doesn’t have to be weekly stern emails telling people not to click on links in emails sent from Romania or not write their corporate passwords on a sticky-note and place it under their keyboard. Be creative and be consistent. Make people want to join and engage in the program. Create a cybersecurity week and celebrate a theme. Have others share experiences. Give out prizes for participation. Create posters. Get everyone engaged. Employees feel engaged in the program if they can relate personal experiences to the message.

We all wear multiple hats when it comes to cyber protection and security awareness. We must protect ourselves against both internal and external threats, inform our legitimate users about what not to do, sniff out those looking to harm the rest of us. It’s an ongoing effort that requires teamwork. Make sure your team is educated, motivated and armed with the knowledge and tools necessary to do their part and they will.

Steve Tcherchian, CISSP
XYPRO Technology

Steve Tcherchian, CISSP
XYPRO Technology

Protecting Healthcare Data: An Ounce of Prevention

July 30th, 2015

2014 was a landmark year for the Healthcare Industry when it came to data breaches. 2015 is continuing that trend. According to the Identity Theft Resource Center, the Healthcare Industry accounted for 42 percent of all major data breaches reported in 2014.

Thieves have begun turning their attention to the 3 trillion dollar a year Healthcare Industry, whose data is turning out to be worth more than credit card numbers. The Healthcare Industry has not only seen a sharp uptick in the amount of large, widely publicized data breaches, but also in the value of the data stolen.

The average price of a single stolen credit card has dropped from $35 to under $1 because of flooded supply, causing thieves to look elsewhere for other more profitable sources of revenue. The Healthcare Industry, with its aging infrastructure, slow adoption of security and hasty need to move to electronic medical records, has turned out to be a treasure trove for cyber criminals. Medical data breaches are now rivaling those of the largest retail breaches.  We no longer live in an era where the only threat to our privacy is credit card theft. Today’s cyber-attacks make payment data leaks look like petty theft. Our transition to this new era has been sudden; our medical records, social security information and personal data  are all at risk. Because medical records are worth ten times more than credit card,  they have become a high value target. With so many players in the Healthcare Industry as well as government agencies being compromised, it is difficult to trust anybody with your information.

When I discuss these facts with others, they tend to ask me “How do you even monetize medical data? ”. Two words. Medical Fraud. Once medical data is compromised, thieves can submit fraudulent claims to an insurer for payment, costing you, me, healthcare providers, insurers and everyone in between billions of dollars a year. According to the 2015 Experian Data Breach Industry Forecast report, the cost of healthcare breaches are nearing the $6 billion a year mark. That number doesn’t take into consideration fines, fees, unreported fraud, as well as the side affect on other industries.

It doesn’t stop at medical fraud. Having a patient’s medical history gives a criminal access to sensitive information about that patient, which leads to medical identity theft. Medical identity theft allows a fraudulent person to receive healthcare benefits they’re not entitled to, as well as access to prescription history. This enables thieves to purchase prescription drugs on a patient’s behalf, which are then resold online on black market websites, such as the former Silk Road.

The HP NonStop, with it’s unique fault tolerant features, high availability and mission critical capabilities, is often in a pivotal position in the healthcare industry and is therefore a prime consumer of medical data. With so much at stake and the ramifications of a healthcare breach so damaging, what can be done and why isn’t more being done about it?

We all understand the quicker you detect a breach, the sooner you minimize the amount of damage an attacker can cause, but the current mean time to detection of a breach is over 200 days. That means an attacker is in your network, on your systems for over 6 months on average, wreaking havoc and most organisations don’t even have a clue.

XYPRO’s XYGATE Data Protection (XDP) powered by HP Security Voltage has the ability to neutralize the damage caused by a breach by rendering useless that valuable medical and personal data stored on your mission critical systems. A proper implementation of XDP will encrypt or tokenize medical and personal data to ensure continuous interoperability with your applications, while rendering the data useless to a thief. This requires no modifications to your applications. XDP retains the data formats that your applications currently use.

The challenge of protecting sensitive data is no longer a concern only for those organizations who process card payments. The extremely valuable and sensitive nature of Personal Identifiable Information (PII), Personal Healthcare Information (PHI) and medical records have thrust the Healthcare Industry right into the cyber-security spotlight. Implementing the proper security infrastructure to make the ongoing protection of this data is no longer a nice to have, but a critical requirement.

Steve Tcherchian, CISSP
XYPRO Technology

Monish Mehta
Security Analyst
XYPRO Technology

2015 is looking BIG!

July 17th, 2015

A little over halfway through 2015, and it’s shaping up to be a great year for XYPRO.  HP’s acquisition of our longtime partner Voltage Security has boosted interest in this critical data security technology, and we’re talking to many customers about how XYGATE Data Protection optimizes Voltage for the HP NonStop.  We’ve also been keeping busy with new releases of our software to support the new NonStop X Server, and have the first of our customers going live on this platform currently.  Our other product development is also continuing at the usual high velocity, so things are busy!

Maintaining this pace takes lots of great people, and while our current team is awesome, they need help!  We have a number of exciting job openings currently advertised on our careers page at:


Take a look at these job descriptions, and if any of them seem like something you could get your teeth into, please send your resume to jobs@xypro.com

Andrew Price
VP Technology

E-Crime Singapore: Data and Device Centric: The Two Security Strategies for your Enterprise

June 10th, 2015

What better place to host the latest E-Crime & Information Security Series than steamy Singapore: The modern gateway to the Asia Pacific Rim. The Marriott Tang Plaza acted as a fitting host on the bustling and extravagant Orchard Road in the heart of Singapore.

The show was well attended from a variety of delegates across APAC to and including the financial sectors, gaming and hospitality, education and government to entertainment sectors.

XYPRO provided its part through a strong representation of two primary pillars of security; Data-Centric and Device-Centric Security through our product partnerships with HP Security Voltage and Device Authority.

Between topics of “Today’s Enterprise Security”, “Changing Landscape and Threats in Payment Security” to “Are your E-Payment Systems Vulnerable to fraud, laundering  and other financial crimes?”, the reoccurring themes kept popping up as pain points with Authentication and the security of data, most notably, your clients’ data! This is an important distinction in the fact that your customers are entrusting you with the protection of their data! We have all heard the numerous public breaches and the staggering financial costs both directly and indirectly but also of course the numerous fallout and repercussions to your business both financially and to your reputation.

It was therefore with great interest that a majority of the delegates were quite engaged with our offering and approach to Data and Device-Centric security. Taking a Data-Centric approach with HP Security Voltage is exactly what the name implies in that we protect the data itself by neutralizing a potential breach through the adoption of Tokenization and Format Preserving Encryption (FPE) of the Data, PANs and other valuable information. So regardless of whether our perimeter defenses fall under a calculated persistent attack; the intrinsic value and costly compromises with such a data breach are relegated as virtually innocuous.

Device Authority takes a novel approach to Authentication by utilizing the Device itself as the key. No more can we rely on Username and Password as the defining factor for gainful entry onto our critical systems. There needs to be a manner to which we can ensure access to not only the rightful individuals but also the devices to which they plan to gain entry with. Our devices provide a stable form factor to provide a unique and identifiable signature of the device itself linked with the credentials of a given user; thereby drastically reducing the threat surface by eliminating millions of risky entry points onto our systems through the provisioning of only a few trusted devices that are linked to our given credentials.

Today’s hackers penetrate through multiple layers of defense. Increasingly it is highlighted by security researchers that multi-layer protections need to be in place, to protect network, system, application and personal data. Regulatory bodies across the globe are also providing guidelines for layered security and compliance policies. Naturally delegates were so intrigued to discover the add-on of Device-Centric security to fend off threats from external systems prior to connection, and the flexibility of tokenization and FPE to ensure maximum data protection even after a breach has occurred.

In a typical payment system environment, XYPRO is already aiding numerous organizations’ security by enabling authentication, role based authorization, security policy and centralized log management for intrusion detection. These Device-Centric and Data-Centric solutions bring significant value to our comprehensive suite of solutions, additional options and greater security assurance to your ever expanding interconnections.

It was interesting to note from our discussions with the delegates that many were determining which approach to take? Secure Authentication protocols to ensure the Identity and the Integrity of users or shore up your Data defenses with Tokenization/Format Preserving Encryption to neutralize a breach before it occurs by rendering data useless in the wrong hands. As self-serving as the answer sounds, the answer of course is both. There is no magic bullet for security. A comprehensive approach to [Multifactor Authentication with Device Authority] and a [logical deployment of Tokenization / FPE with HP Security Voltage] is a sound investment across your enterprise and will continue to be a prominent focus for XYPRO and its clients.

Angelo Nicolaides
XYPRO Technology Corporation
Sales Executive

Did Someone Say ”Downtime”?

June 9th, 2015

All I have ever really known with complete certainty in my near thirty-year relationship with NonStop has been that HP NonStop computers are mission critical servers that are truly fault tolerant and have full redundancy capabilities for a single reason: they need to be available all the time.  Availability is the primary directive.  Or at least it was.

Very recently, I had the opportunity to spend some time with some friends at a longtime customer.  This customer is one of the top five US Banks and takes very seriously the need for NonStop and its reliability and availability.  I was told that the senior executives at this bank have indicated there is a single circumstance under which they would accept, and actually prefer, downtime. That circumstance is a security breach. After all, a downtime event is recoverable. A security breach is not.

The words “downtime” in the NonStop world are sheer blasphemy. How can this be? Uptime is critical to a successful business model in the industries that rely on NonStop.  Uptime ensures customers’ service expectations are met, delivers financial benefits and avoids penalties for downtime.  Uptime also comes with bragging rights and prestigious awards.Mgmt Concern of Breach 1

Like so many of us in this great community, my introduction to Tandem was far too many years ago and in a very different world than we are a part of today.  I was in high school.

My first introduction was not through employment, but from my father who had been working on a project to bring an ATM and Online-Teller network to the bank where he was employed.  He explained to me about this very special computer system that could process transactions very quickly and had two of everything so it was really reliable.  The year was 1983, I remember all of this and that my father was immensely impressed. Like a typical teenager, I didn’t really care much about this. I only really began to understand a few years later when I had the opportunity to learn and work with the Tandem myself.

Working part-time in the evenings while in college, I gained some exposure to the inner workings of a bank’s data center. It was a hub of activity with lots of people and with machines of all sizes. Reader-Sorters, Line printers, 9-track tape drives, massive disk packs, etc. There was also a prized area on the data center floor where the Tandems were kept. The Tandem operation also had a separate command control room where these systems were monitored. Everyone knew they were there, everyone knew they were special, not everyone knew why.

The Tandems would run all the time, literally.  This was their value.  In the data center, the Tandem NonStop II sat beside the gleaming new TXP. I still knew very little but I began to understand why these Tandems were special.

Later on, as we came to depend more and more on these machines, the systems in place to support their uninterrupted operation were big, important and becoming more sophisticated. As an operator, testing the UPS (Uninterrupted Power Supply) system, test-firing the diesel generator at least weekly and ensuring there was enough fuel to run for several days was a mandatory procedure. These were mission-critical computers.  They had to run all the time and the Tandem systems did.

The only thing that is constant in technology is change and striving to improve and speed up the way things work.  There is always something driving the need for even greater reliability and uptime.  A simple fire suppression system malfunction or even worse, a fire itself, could render the system unusable.  The growth of DR (Disaster Recovery) centers began in an upward direction.  In the unlikely event of a disaster, the remote DR center could, and had to, be up and running in a matter of minutes.  Availability was of paramount importance.

Business Continuity Planning was now the new buzzword in the Tandem community (along with remembering to call these computers NonStops following the acquisition of Compaq by HP).  With natural disasters such as earthquakes and hurricanes and now very unnatural terrorist threats, the NonStop server had real-time data replication in active-active environments, spanning very large distances to ensure that these computers were operating on individual power grids and fully separate communications infrastructure that could not be affected by the loss of availability at any single site.  The great Myth Busters TV show even blew up a NonStop server to prove just how quickly a failover and recovery could happen. These computers are truly mission critical and the customers who purchase and use them do so because their businesses rely on the ability to run without interruption.Outage cost per minute 1

For my thirty years on NonStop, the only direction I knew was that more uptime, and in most cases, continuous uptime, was the way to go.  Never did I suspect that there would be something that was so critically important to a business they would sacrifice this near perfection. Sadly, earthquakes, hurricanes, tornadoes, and even nuclear warfare are no longer the ultimate threat to uptime. It is the cyber-criminal.

As a vendor of HP NonStop server security solutions, it’s a positive thing to hear a customer say their focus on security is right up there and even ahead of availability and performance.  The revelation that unscheduled downtime is more acceptable than a security breach is not only a sign of these modern times but a continental shift in priorities for the majority of companies that rely on fault tolerant, mission critical servers.

And just as the needs for more uptime drove the development of more and more sophisticated solutions to avoid possible availability catastrophes, so too  the need to thwart the ongoing threats of cyber criminals and hackers drives the development and implementation of advanced security solutions, these days at lightning-speed..

Many of these solutions already exist in the form of strong encryption and tokenization of data, enhanced access controls, audit and analysis, continuous real-time monitoring and threat detection, security incident and event management, and more. It is a matter of time, education, commitment, investment and effort that this very present threat to downtime can be tackled.  We’re investing our best efforts and resources to staying ahead of the cyber criminals and hackers. It’s not too difficult to imagine what will we be the next phase in the evolution of the NonStop uptime story, but there is no doubt that security will always be a big part of the solution.

Please visit the XYGATE Overview to see our full range of security solutions.

Comprehensive Security Solutions for the HP NonStopTM Server for nearly 30 years, XYPRO®
Technology Corporation has provided
software solutions and professional services to companies who manage and transport
business-critical data on a large scale. Our security solutions and services help improve HP
NonStop server environments and enhance the jobs of those who operate them.
XYPRO’s comprehensive solution oering includes the following software packages:
• Access PRO • Audit PRO
• Compliance PRO • Encryption PRO
• Safeguard PRO
Each PRO package oers end-to-end security and consists of
specic modules designed to meet the various requirements within its area of specialty.

Barry Forbes
XYPRO Technology Corporation
VP of Sales and Marketing

A Journey through Space & Security

May 8th, 2015

What a great conference GTUG turned out to be!            Apart from the 200+ delegates taking part we were treated to a mesmerizing presentation from the European Space Agency (ESA).  There’s something very engaging about mankind’s journey into space; and especially when the story is about landing on a comet. No-one has ever done that before, except Bruce Willis in some crazy movie.  Manfred Warhaut, ESA’s Head of Mission Operations recounted the 12 year mission of Rosetta to reach the comet 67P; its many revolutions around the sun to gain increasing speed and direction towards 67P, and then its road-runner style braking to almost walking speed so it could go into orbit around what they thought was going to be a potato-shaped comet. In the end it turned out to be more of a peanut. Not that this was disappointing in any way. The comet was chosen because it was pristine; it hadn’t been worn down by countless orbits of the sun; it represented life as it was at the very start of our solar system some 4.7billion years ago. The very triumph of the mission has to be the devices they planned for attaching the Philae lander vehicle to the surface of this peanut, where the gravity was so small they’d need all the help they could get.  A mixture of screws in its feet, a harpoon under its belly, and a thruster rocket were all designed to help it stick to the surface. In the end bizarrely none of these worked, but the more important fact was that they landed; they actually landed. Soil samples showed complex compounds that we find on earth; it shows where we came from.

Which in a strange way brings me philosophically to the fact that we the delegates at the conference had so much in common; apart from all being made of stardust, there was a lot of common interests in the topics of the moment on HP NonStop. The press is increasingly talking about the hacking of information, whether it’s a Facebook account or some other personal items of interest that those unsuspecting souls would rather stay private.  This is driving increasing interest in securing the increasing amounts of data that we store around the world, and how we can make it safe.

XYPRO was delighted to see so many delegates take an interest in our XYGATE Data Protection solution (XDP).  Presenting our joint solution, Andrew Price, XYPRO’s VP of Technology and Anna Russell of HP Security Voltage educated and entertained the audience with their stories and examples of how NonStop Users can secure their system data against the hackers. The facts themselves are astounding; almost 80,000 reported security incidents worldwide last year; estimated losses to businesses of some $400million; 700 million records compromised; over 2000 confirmed data breaches. Not that data breaches will end any time soon. Andrew pointed out that they will continue; we have to accept this and instead focus on making the data itself of little value to the hackers.

I was pleased to speak with a large number of conference delegates about their plans and issues for nonstop in 2015, and where data protection fits in this picture.

Fortunately XYGATE Data Protection is helping business today to avoid these painful and costly scenarios.  I think we are likely to keep seeing all the unfortunate stories in the press about data being stolen; the good news is that XYPRO can help.

For more information on XYGATE Data Protection and how we optimize the HP Security Voltage solution for NonStop servers, visit:  XYGATE Data Protection (XDP)

Craig Lawrance

Sales Executive

XYPRO Technology Corporation

CISO Executive Forum – Free Coffee and Lemon Cake Included

May 7th, 2015

Top level security executives and CISOs gathered last month in San Francisco for the International Systems Security Association (ISSA) CISO Executive Forum. The quarterly forum, which was chaired by XYPRO’s Head of Security, Steve Tcherchian and UPS Director of Security and Risk Management Wayne Proctor, focused on “New Strategy and Technology Approaches for the CISO” and there was plenty to discuss on the topic.

The guest speakers for the exclusive event were a who’s who of Silicon Valley (and Seattle) industry big hitters including HP Chief Information Security Officer Brett Wahlin, the United States FBI, the always entertaining and controversial CSO of Cisco Systems – John Stewart and Starbucks CISO, Dave Estlick – free coffee and lemon cake tasting included.

Cyber-terrorism, insider threats, regulatory compliance, cloud, the internet of (every)thing and security intelligence were at the forefront of the dialogue.

In their respective sessions, HP’s Brett Wahlin and Cisco’s John Stewart discussed how intelligence plays a vital new role in how security is assessed in the enterprise. It’s estimated by the end of 2015, the planet will have generated more data in 1 year than it has in the past 5000 years combined. That includes all of last year. Think about that exponential growth.

With so much data being produced, HP’s Wahlin explained how it’s key to separate noise, which in some cases can be billions of events per day, from the actionable data.  This filtering must be done at levels never previously attempted before, with the machines needing to  learn behavioral patterns and then  present and sometimes act on that data in an intelligent manner.  You’re literally looking for a needle in a haystack while more hay is continuously being piled on top.  Wahlin also discussed how getting creative with data sources and having the means (technology and staff) to intelligently aggregate and correlate that data allows for detecting anomalies that you may not necessarily be looking for. The evolution of the traditional SIEM in a sense.

As has been the ongoing case for quite some time now, regulatory compliance and protecting customer data was still a hot button issue. Whether its card holder data under PCI regulations or other types of customer data, the strategy of how to protect that valuable data went on throughout the day. This included solutions for endpoint protection and data tokenization to reducing or completely neutralizing the data to which a thief could get access. But with so many different solutions in the enterprise and having to understand and support multiple platforms, the CISO’s job becomes increasingly difficult as we try to identify our sensitive data and prevent gaps.  An average enterprise can have upwards of 30 different security tools, most of which aren’t fully implemented (See our blog about Security on the Shelf) or if they are, provide overlapping functionality that the security staff didn’t necessarily understand. At the end of the day, it’s those gaps that can be exploited and that’s what keeps CISOs up at night.

In all, another valuable and successful face-to-face event by ISSA enabling CISOs from all industries to share information about their strategies, threats, and solutions in a candid, beneficial environment.

The next CISO Forum will take place in August in Las Vegas just ahead of the BlackHat Conference.  The forum is a highly motivated, highly strategic cybersecurity event tailored for senior level security executives to interact with their peers.  If you’re interested in becoming a member, please go to https://www.issa.org/?page=CISOhome to review membership criteria and submit an application to join.

XYPRO’s Head of Security joins ISSA CISO Advisory Council

Steve Tcherchian, XYPRO Technology’s Head of Corporate Security, recently joined the ISSA CISO Advisory Council as a board member. Already a member of CISO Executive Forum, Steve now joins the board which is responsible for all aspects of the quarterly event including setting the content and theme about what’s important in cybersecurity, speakers and sponsors and overseeing partnerships for the forum.

The CISO Executive forum provides a venue for C level security executives to share concerns, successes and feedback in a peer only environment. The forum creates a unified voice to influence security industry vendors, standards and legislation.

“Joining a leadership position in ISSA not only shows XYPRO’s commitment to our customers’ security as well as our own security posture, but also allows XYPRO to give back to the community by contributing its 30+ years of experience in the security space” said Steve Tcherchian.

XYPRO Technology Corporation