SunTUG 2015: Much Ado about Data

March 10th, 2015

Well, another very successful SunTUG meeting just finished and, while there were other important topics (e.g., modernization, integration, replication), the predominant area of discussion was data security. The focus on protecting sensitive data makes a lot of sense given that the SunTUG user community is composed of many sophisticated HP NonStop customers in industries like payments, financial services, and telecommunications.

Recently, HP made big news when it announced the acquisition of Voltage Security—the industry leader in Format Preserving Encryption (FPE) and Secure Stateless Tokenization (SST). SunTUG 2015 was the first HP NonStop user group meeting since that announcement and it was a great opportunity to highlight Voltage’s unique approach to data-centric security and Voltage’s partnership with XYPRO for the HP NonStop area.

Voltage and XYPRO coordinated their sessions to provide a two-part series on data protection for the enterprise and for the HP NonStop. The session titles were:

Part 1: Voltage Security: Data-centric Security for HP NonStop and Enterprise-wide Environments
Part 2: XYPRO: Optimizing Voltage Tokenization and Encryption for HP NonStop Environments

The 2-part series went very well—here’s a summary from those sessions of what differentiates the combined Voltage and XYPRO solution:

Voltage Security provides industry-leading tokenization and encryption
• Standards-based: all cryptography is standards based (AES) and publicly validated
• Industry-proven: used by large payment processors, financial institutions, retailers, and telcos
• Multi-platform support: HP NonStop, z/OS, Solaris, Windows, Linux, Stratus, AIX, etc.
• Support for a wide variety of data types: payments, other PII (e.g., SSN, DoB)
• Stateless key management: no keys to store, manage or distribute
• Flexible: full/partial encryption, masked, and tokenized data from the same interface
• Runs natively on NonStop: tokenization and encryption are performed on the NonStop itself


XYPRO XDP optimizes Voltage for NonStop environments
• No application changes required on NonStop
• Support for nowaited/non-blocking encryption/tokenization
• Support for NonStop’s OS personalities and executable types
• Multiple language support: C, TAL and COBOL
• Distributed architecture provides fault-tolerance, parallelism and scalability
• Built-in access control and auditing, as with all XYGATE products


More information about XYGATE Data Protection (XDP) is available on XYPRO’s website.

Finally, a couple short, heart-felt notes of appreciation: SunTUG 2015 was, as usual, a very well run affair with strong attendance—thank you SunTUG team and HP NonStop users! Also, thank you to the HP team for your presentations and involvement—your updates on the HP NonStop business and technology were exciting and provided a great start to an energetic conference.

Ken Scudder
Business Development and Strategic Alliances
XYPRO Technology Corporation

The Shelf is for the Elf, Not Security

February 17th, 2015

Businesses are managing more data than ever—and spending more money, year after year, to protect that data. Yet spending money on security doesn’t equate to actually being secure.

A recent study by Osterman Research discussed how prevalent the “shelfware” problem is becoming. The report showed that businesses spent an average of $115 USD per user on security software, hardware and services in 2014, an increase of 44% from 2013, yet nearly 30% of that security investment was underutilized or never implemented.

Small businesses, those with fewer than 1,000 users, were hit harder, spending an average of $157 per user, yet the same underutilization problem exists there too.

“The numbers were pretty eye popping,” said Josh Shaul, Trustwave’s vice president of product management. “We expected some security software on the shelf. What we found was companies are pouring money down the drain, while the folks approving these purchases are getting a false sense of security.”

Considering the current security landscape, CEOs, CISOs and board members have taken notice. Cybersecurity is now as important in the board room as the bottom line, and non-technology business leaders are putting more emphasis on security. No one wants their company to be the next Sony or Anthem (from a data breach perspective). Budgets are being allocated and money is being spent on protections, but, as the Osterman Research study shows, a large part of that security investment is sitting around doing nothing: it’s unimplemented shelfware.

As you’re reading this, you’re probably looking over at your white board thinking “Yeah, we still have to implement that”. Trust me, you’re not alone.

So why are security solutions sitting around collecting dust?

The main reason: IT departments are simply too busy to implement what was purchased properly. Revenue-generating tasks and keeping the engine running take precedence over something that may happen. This is followed closely by not having enough staff and not understanding the purchased software well enough. According to the same report, 2014 ended with 49% of security positions unfilled.

Interestingly, the least significant reason for security not getting properly implemented was IT staff not understanding the security problems they faced. On the contrary, IT understands the organization’s security problems and threats very well; it just lacks the resources to implement the right solutions.

So how do you solve the problem?

Vendor professional service groups and security service providers can help ensure security technologies are properly installed, monitored and maintained throughout their lifecycle. The report found that 79% of IT professionals believe leveraging managed services would reduce or eliminate the possibility that security goes unused in their organization.

XYPRO’s Professional Services Team is regularly brought in by Fortune 1000 companies to perform security assessments of HP NonStop server environments. Our team ensures that XYGATE security products such as Merged Audit and User Authentication, which have shipped with the operating system as part of the NonStop security bundle on all new HP NonStop servers since late 2010, are properly configured and deployed to address your organization’s specific needs. Whether those needs are auditing, compliance, monitoring, or help with your overall security initiative, XYPRO’s Professional Services Team can be an invaluable partner in protecting your business and the investment you’ve made in security.

And that can help everyone sleep better at night. Unless you have one of those elves. They’re creepy.

Steve Tcherchian, CISSP
XYPRO Technology

HP’s Voltage acquisition great for XYGATE Data Protection (XDP)

February 9th, 2015

Here at XYPRO we’ve been very pleased at the news of HP acquiring Voltage Security.

XYPRO, as a long-time partner of both Voltage and HP, sees the acquisition as a great fit. XYPRO already works with Voltage Security to optimize SecureData for the HP NonStop platform and provides a range of capabilities for implementing it quickly and easily on HP NonStop. With XYGATE Data Protection (XDP), customers can take advantage of SecureData’s range of data protection options, including Format Preserving Encryption (FPE) and Secure Stateless Tokenization (SST), with no changes to NonStop applications or their databases: because the protected value keeps the length and character set of the original, existing record layouts and column definitions continue to work. XDP adds the following critical NonStop-specific capabilities:

- Support for both Native (code 800) and non-Native (code 100) executables
- Support for applications written in any HP NonStop-supported language
- Nowaited/non-blocking encryption calls
- Built-in access control and auditing, as with all XYGATE products
- Intercept library for environments where the customer’s application cannot be changed
- Simple SDK for environments where full application control is
- Integration with a full range of Voltage SecureData APIs, allowing for all data types to be easily protected
- Support for all NonStop databases – Enscribe, SQL/MP and SQL/MX

The XDP solution fully supports Voltage’s approach to data centric security, allowing for data to be protected right across the enterprise, from the point of acquisition of the sensitive data, through the HP NonStop, and on to whatever other platforms and applications need that data.
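To make concrete what “format preserving” buys you, here is an added illustration in Python. It is not XDP or SecureData code and not NIST FF1: a small Feistel network over decimal strings, with HMAC-SHA256 standing in as the round function, which turns a 16-digit card number into another 16-digit card number, optionally leaving the BIN and last four digits in clear. The key, the PAN and the 6/4 split are constructed sample values.

```python
"""Format-preserving encryption (FPE) of digit strings, illustrated.

Added example, not XYPRO XDP or Voltage SecureData code and not NIST FF1:
a Feistel network over decimal strings whose round function is HMAC-SHA256
(taken here as the PRF) reduced modulo 10^m. The property it shows is the
one the post relies on: ciphertext has the same length and character class
as the plaintext, so a 16-digit PAN column stays a 16-digit PAN column.
SAMPLE_KEY is a constructed value; a real deployment draws the key from a
key-management service.
"""
import hashlib
import hmac

ROUNDS = 10          # even, so the two halves return to their original lengths
DIGITS = "0123456789"
SAMPLE_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def _check(digits: str) -> None:
    if len(digits) < 2 or any(ch not in DIGITS for ch in digits):
        raise ValueError("input must be an ASCII digit string of length >= 2")


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str, m: int) -> int:
    """PRF(key, tweak || round number || other half), reduced to m decimal digits."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % (10 ** m)


def fpe_encrypt_digits(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a digit string to a digit string of the same length."""
    _check(digits)
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = len(a)                                   # width of the half being updated
        c = (int(a) + _round_function(key, tweak, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)                    # swap halves, keep leading zeros
    return a + b


def fpe_decrypt_digits(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt_digits by running the rounds backwards."""
    _check(digits)
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = len(b)
        c = (int(b) - _round_function(key, tweak, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Partial FPE: encrypt only the middle digits, leave BIN and last four in clear.

    The clear digits are fed in as the tweak, so identical middle digits under
    two different BINs do not produce the same ciphertext."""
    _check(pan)
    cut = len(pan) - keep_last
    head, mid, tail = pan[:keep_first], pan[keep_first:cut], pan[cut:]
    if len(mid) < 2:
        raise ValueError("too few digits left to encrypt")
    return head + fpe_encrypt_digits(key, mid, (head + tail).encode("ascii")) + tail


def unprotect_pan(key: bytes, protected: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Recover the original PAN from protect_pan output."""
    _check(protected)
    cut = len(protected) - keep_last
    head, mid, tail = protected[:keep_first], protected[keep_first:cut], protected[cut:]
    return head + fpe_decrypt_digits(key, mid, (head + tail).encode("ascii")) + tail


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Irreversible masking for display: same positions, no key involved."""
    cut = len(pan) - keep_last
    return pan[:keep_first] + "X" * (cut - keep_first) + pan[cut:]


if __name__ == "__main__":
    pan = "4111111111111111"                          # constructed test number
    protected = protect_pan(SAMPLE_KEY, pan)
    print(pan, "->", protected, "->", unprotect_pan(SAMPLE_KEY, protected))
    print("masked:", mask_pan(pan))
```

Because the clear BIN and last four are bound in as the tweak, a protected middle cannot be transplanted onto another account without the decryption failing to yield the original. Note that the check digit stays in clear while the middle changes, so the protected value will usually fail a Luhn check; that is harmless for storage, but matters if a downstream validator re-checks it. A production FPE must use a vetted construction such as FF1 with a properly managed AES key; the Feistel here only shows the shape of the transformation.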

More information about XYGATE Data Protection is available on XYPRO’s website.

XYPRO extends congratulations to both Voltage and HP. We look forward to continuing our strong partnership with these two great companies.

Andrew Price
VP Technology
XYPRO Technology Corporation

XYPRO Welcomes an Already Exciting 2015!

February 2nd, 2015

Lisa Partridge, CEO

2014 was an eventful year for XYPRO. It was a year of changes in leadership and infrastructure improvements driven by our belief that our customers’ requirements and experience are at the center of everything we do. The management buy-out announced at the end of April was a significant moment in XYPRO’s evolution and generated lots of energy and excitement on our team. As a pioneer in the HP NonStop server space since 1983, and as specialists in mission critical security since 1990, XYPRO is strongly positioned to continue to innovate and grow with HP, the industry and our customers.

We are particularly thrilled to be extending the security capabilities of the flagship XYGATE suite of security and encryption solutions to the new HP NonStop X platform. We partnered with HP to port and test the XYGATE software that is part of the NonStop Security Bundle shipped on the new platform, as well as the entire XYGATE suite. XYGATE is ready for the NonStop X generation!

I’m also pleased to be able to report another year of record growth for XYPRO. Not only have we increased both XYGATE and partner product sales but we’ve also made great strides in our human resourcing, adding great new talent to the XYPRO team. We’ve welcomed people to XYPRO that bring new skills, enthusiasm and experience to our engineering, finance, services and sales organizations. Additionally, our intern program burst forth in 2014, with nearly a dozen young people contributing to our cultural innovation and operational improvements across all departments.

2014 was also a year in which cyber-crime and data breaches were too frequently headline news. XYPRO implemented processes and incident management procedures that allowed us to respond rapidly, thoroughly and efficiently to multiple public vulnerability announcements and to the concerns and questions of our customers.

One of our most important core values is “Care Enough”. Quality is the result when you care enough to make sure it’s right. This core value, implemented company-wide, is a cornerstone of the XYPRO culture. Another one of our tenets is striving for “Operational Excellence”. As XYPRO continues to grow and support more customers than we ever have before, we are making sure to focus on the fundamental building blocks of process and procedure, continually fine-tuning them to improve the quality and predictability of our releases. The new team members have specific experience in this area, and the metrics we gather during and following a release are analyzed for areas of improvement. The significance of these processes gets communicated regularly to the entire company, reinforcing everyone’s role in operational excellence and acknowledging everyone’s contribution to the end result.

XYPRO is committed to continuing to strive for excellence in everything we do, to always maintain open communication channels, and to keep our customers’ experience our central focus. When you make the effort to ensure you’ve done all you can to answer that question, fulfill that request, meet that deadline, or discover the solution – we all win.

At XYPRO, one of our top priorities for 2015, is bringing Data-Centric Security to the HP NonStop community. XYGATE Data Protection (XDP), in partnership with Voltage Security, provides enterprise-wide, Format Preserving Encryption (FPE), Secure Stateless Tokenization (SST) and Key Management. No keys to manage, store or distribute.

Also, as we move into high gear for 2015, I’d like to point you to the summary of a very informative blog series published over the course of last year: XYPRO’s Top 10 HP NonStop Security Fundamentals: Protecting mission-critical systems has many aspects and can seem overwhelming at times; XYPRO’s Top 10 security blog outlines the most important security considerations for the HP NonStop to ensure that those systems have strong security, in addition to high-availability and fault-tolerance.

Finally, we recognize you run your most important business applications and processes on the HP NonStop server and keeping it safe from data loss, tampering or even inadvertent harm is mission critical. We appreciate the trust our customers place in XYPRO solutions and services to help them protect those systems. We’re looking forward to 2015, and another successful year serving the HP NonStop community.

The new HP NonStop – I want an X box for Christmas!

December 3rd, 2014

There’s been a lot of buzz, starting with NonStop Technical Boot Camp (TBC) last year, then through 2014, culminating with the HP Discover event currently being held in Barcelona, about the new x86-based NonStop server line.  At the NonStop TBC last month we heard that the new line of servers would be called “HP Integrity NonStop X”, and just today we’ve seen confirmation from HP that these machines should be available in March of 2015.  Exciting times indeed!

The introduction of the NonStop X range removes the last vestiges of proprietary NonStop hardware from the architecture, while maintaining the NonStop fundamentals (availability, scalability, fault tolerance) that we’ve come to expect from the platform.  NonStop X will support InfiniBand, which replaces ServerNet as the platform’s interconnect fabric.  This move should see the platform’s costs continue to decrease, while taking advantage of the greatly increased throughput that InfiniBand provides.

At HP Discover this week, Randy Meyer, Vice President and General Manager of Integrity Servers, expanded on this thought – “With NonStop X, moving the interconnect to InfiniBand is a huge deal, because of the fact that it’s all standard,” says Meyer. “NonStop runs on completely off-the-shelf hardware; there’s no proprietary hardware in there.  And it means you can connect other kinds of applications, running on Linux or Windows, more seamlessly in a NonStop environment… Now you can have your NonStop infrastructure handling payments, reservations, trading, whatever it may be, and surround it with maybe a mobile phone handling system, or a fraud management system, and have this huge flexibility.”

Here at XYPRO, we’re enthusiastically adopting this new platform. We’ve been involved in beta testing our products with HP, and we will have “X certified” versions of our software available both through HP, and to our customers directly, when the new platform becomes available in March.

If you have any questions about XYPRO products and NonStop X, please contact your sales or support representative.

Andrew Price
VP Technology

NonStop Technical Boot Camp 2014 – The (New, More Secure!!) Way To San Jose

November 24th, 2014

We’ve just returned from this year’s NonStop Technical Boot Camp – what a whirlwind!  Held for the first time at the Dolce Hayes Mansion, in the suburbs of San Jose, it drew a record number of attendees and was a vibrant and energetic conference.  We had a busy time, with lots of great customer interaction, both on the tradeshow floor and during the evening events.  The continued and increasing focus on security was clearly evident, from the number of security vendors exhibiting to the large number of sessions (both customer and vendor) discussing security, data breaches and the various challenges related to those issues.  Speaking of which, XYPRO had folks involved in 9 (!) different sessions during the 3 ½ days:

During the pre-conference sessions on Sunday, attendees got to experience a deep dive on a variety of different topics. Rob Lesan and Terence Spies (from Voltage) covered strategies for security in today’s payments landscapes, where breaches are becoming so commonplace. The workshop spanned magnetic stripe technology right through to Apple Pay, and covered cryptographic developments and tokenization evolution, and was a valuable session for anyone wanting to learn more about these important technologies. They also had a case study on implementing tokenization in a real-world payments application, based on our recent experiences.

Then after lunch, Lee Evans, recently from Wells Fargo, and the newest addition to the XYPRO team, took an in-depth look at XYGATE Object Security, and how the powerful combination of XOS and the two authorization SEEPs help to improve NonStop security through a range of advanced options that apply across the entire NonStop environment. Lee’s very recent customer experience with XOS gives him a unique and very relatable perspective on this topic, and it was well received.

For our final pre-conference session of the day, Rob Lesan (who had a very busy conference pulling double duty as the Connect Vice President!) covered our partner database solution from Merlon, SQLXpress. Attendees learned how our many customers deploy SQLXpress to comprehensively secure, and greatly simplify the management of, their SQL/MP and SQL/MX databases.

On to the conference proper…with HP Distinguished Technologist Wendy Bartlett, and comForte’s Thomas Burg, we presented at the security-focused opening general session on Tuesday. We covered the XYPRO security solutions that are included with the NonStop Security Bundle, letting customers know the best ways to get their systems secured using these “built-in” tools.

The first of several joint presentations with Mark Bower from Voltage covered data-centric security and its importance in NonStop ecosystems.  During this session on Monday morning attendees heard a summary of data-centric security, its applicability to payments applications and other typical NonStop deployments, and how a data-centric approach can prevent gaps in data protection across the enterprise. Then on Wednesday we took a closer look at Voltage SecureData and XYGATE Data Protection (XDP), two products that work together on NonStop to implement data-centric security with no application changes required.  We got great feedback on both sessions, with the data-centric security approach resonating well with audiences.

On Monday afternoon, Rob Lesan’s superior presentation skills and direct experience were exploited to explain the database management services we provide, and the database tools that we utilize to provide those services, including Discover, MARS and SQLXpress.

On Tuesday morning, we took a slightly different approach to the typical vendor track presentation.  In a follow-up to a popular ten-part blog series that Ken Scudder has published over the last couple of months, “HP NonStop Security: The Top 10 Things You Need to Know” we covered the highest priority things NonStop users should do to better protect their NonStop servers. We surprised the audience by having 10 different members of our sales and professional services team present, with each of them giving their own distinct spin on their specific topic.  A highlight was our AP Sales Manager, Feng Lin, greeting the audience in at least 6 different languages from his region!

On Wednesday audiences were treated to our Chief Architect, Scott Uroff, helping to present a customer-centric view of our two products that are included in the HP NonStop security bundle on all new NonStop servers: XYGATE Merged Audit and XYGATE User Authentication. This session, based on input from TELUS in Canada, showed how they use these solutions to get a handle on their audit data and simplify their user authentication—conveniently with products bundled with the NonStop OS!

All this, along with early starts on the trade show floor, combined with evening festivities, meant that we had 18 very tired XYPRO conference attendees by the time the show closed around midday on Wednesday.  I suspect we weren’t the only ones!  Still, a fantastic conference, and we’re already looking forward to doing it all again next year, wherever in San Jose it happens to be.

Incident Response Planning: Expect the Best, Plan for the Worst and Prepare to be Surprised

October 27th, 2014

“There are only two types of companies: those that have been hacked, and those that will be.”
FBI Director Robert Mueller, 2012

“There are only two types of companies: those that have been hacked, and those that don’t know they’ve been hacked.”
Reality, 2014

Last month we discussed the cost of incident response and the lack of proper funding to keep up with the ever-evolving threat landscape. Since then, multiple breaches and vulnerabilities have hit the news. In fact, as I’m writing this, the industry is being bitten by the SSLv3 POODLE, which has incident response teams chasing after the cat again.

A proper Computer Security Incident Response Plan (CSIRP) is critical to minimizing the impact of a security breach and ensuring the sustainability of the business. Yet, for most organizations, the more challenging aspects of creating a CSIRP are still a lack of preparedness, obtaining high-level buy-in, and asset classification, made harder by limited visibility into process and data. This can be a dangerous combination.

Research from the Economist Intelligence Unit (EIU) shows that 77% of organizations surveyed have suffered an incident in the last 2 years yet only 17% were fully prepared to respond to those incidents. More than two-thirds had no plan.

In 2012, the National Institute of Standards and Technology (NIST) published Revision 2 of its cross-industry Computer Security Incident Handling Guide (SP 800-61), which breaks incident response into four phases: Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. Let’s focus this article on Preparation.

Be Prepared
We all know that panic clouds common sense, so you want to be as prepared as possible before an incident. There are obvious things we know we have to do.

• Get executive buy-in
• Make sure network infrastructure maps are up to date
• Understand who is in charge and how to contact them
• Assign a CISO. Someone needs to make decisions.
• Verify you have adequate logging, auditing and detection on important assets (see XYPRO’s Top 10 article this month, where we talk about the necessity to log everything)
• Assess resources and skills to ensure incidents can be detected and reported properly (can your staff determine what is just noise and what is a real alert?)
• Review and re-review your security tool configurations (see XYPRO’s Top 10 NonStop security article on continuously monitoring security)
• Document everything (Document, Document, Document!!!!)
• Train personnel, keep your plan updated and execute a test of it at least once a year

Sure, it’s a thankless job and you probably won’t win any recognition or awards for it, but it’s got to be done and if you don’t do it, who else will? After all, you’re preparing for something that may never happen and CEOs love that! As Ben Franklin said – “By failing to prepare, you are preparing to fail.” Many of my co-workers are getting sick of me repeating that quote.

Ok, those were the obvious ones (man, I hope you thought them obvious) – what are some other important steps for preparation of your CSIRP?

Classifying your Data
Data classification is a very important process to building a secure organization, yet often overlooked as part of the preparation process. Understanding what data you have and attaching a value to its importance and sensitivity will allow you to plan for and allocate the necessary resources and funding to adequately protect it. Industry standards and government regulations, such as HIPAA, PCI-DSS, EPA, EU Privacy Act etc… identify this data and set minimum levels of protection we have to meet, but if you don’t know the types of data your organization has and where it lives, how can you properly protect it and ultimately respond to an attack on it? Do you store PAN data? PII data? CPI data? What is obtained and stored during mergers and acquisitions? Do you know what records HR keeps? What customer data does the marketing team have about customers? It’s a daunting task and no doubt feathers will be ruffled as you gather more information from business unit leaders about what data they’re in charge of, but ultimately, it’s for the protection of that data and the good of the organization.
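An added illustration of the discovery part of that task (not a XYPRO tool): a scanner that walks records, finds card-number candidates and validates them with the Luhn algorithm, flags US-format social security numbers, and reports where they live with only the last four digits visible. The records, table names and field names are constructed; the SSN pattern is an assumption for the US 3-2-4 layout, and the Luhn check is what keeps a 16-digit order number from being reported as a card.

```python
"""Find where card numbers and US SSNs live in a set of records.

Added example for the data-classification step; not a XYPRO product.
SAMPLE_RECORDS is constructed. PAN candidates are 13-19 digit runs (single
spaces or dashes allowed between digits) that pass the Luhn check; the SSN
pattern assumes the US 3-2-4 layout.
"""
import re
from collections import Counter

PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
US_SSN = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

SAMPLE_RECORDS = [  # constructed; table/field names are placeholders
    {"table": "CUSTOMER", "field": "NOTES",
     "value": "cardholder called about 4111 1111 1111 1111 decline"},
    {"table": "ORDERS", "field": "ORDER_NO", "value": "1234567890123456"},
    {"table": "HR_EMP", "field": "TAXID", "value": "123-45-6789"},
    {"table": "CUSTOMER", "field": "EMAIL", "value": "j.doe@example.com"},
    {"table": "TXN", "field": "PAN", "value": "378282246310005"},
]


def luhn_valid(number: str) -> bool:
    """Luhn check digit test over an all-digit string."""
    total = 0
    for pos, ch in enumerate(reversed(number)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep_last: int = 4) -> str:
    """Hide all digits except the last keep_last; separators are preserved."""
    hidden = "".join("X" if ch.isdigit() else ch for ch in value[:-keep_last])
    return hidden + value[-keep_last:]


def scan_value(value: str):
    """Return (kind, masked sample) for each sensitive item found in one value."""
    found = []
    for m in PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):    # order numbers and other digit runs drop out here
            found.append(("PAN", mask(digits)))
    for m in US_SSN.finditer(value):
        found.append(("SSN", mask(m.group())))
    return found


def scan_records(records):
    """Walk the records and report table/field/kind with a masked sample."""
    findings = []
    for rec in records:
        for kind, sample in scan_value(rec["value"]):
            findings.append({"table": rec["table"], "field": rec["field"],
                             "kind": kind, "sample": sample})
    return findings


def summarize(findings) -> Counter:
    """Count findings per (table, field, kind): the inventory a CSIRP needs."""
    return Counter((f["table"], f["field"], f["kind"]) for f in findings)


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['table']}.{f['field']}: {f['kind']} e.g. {f['sample']}")
    print(summarize(scan_records(SAMPLE_RECORDS)))
```

The output is deliberately masked: a discovery report that itself contains clear PANs becomes one more place the data lives. Expect false positives from any regex-based scanner (Luhn-valid digit runs that are not cards do occur), so treat the report as a list of locations to confirm with the data owners, not as a final classification.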

Studying Breaches
Understanding what you need to protect and the attacks that threaten your organization and industry are critical in formulating a proper incident response plan. Protecting customer data should be the top priority for any company, but the types of attacks that target that data may not be the same from one industry to the next. From banking to retail to manufacturing and beyond – how can you properly protect against and ultimately respond to threats if you don’t understand what those threats are? Malware, APTs, unintended disclosure and insider threats are typically at the top of most lists and understanding these attacks and their patterns within your industry will allow you to better prepare for what’s possibly to come.

Preparing your incident response plan doesn’t have to be a chore no one wants to touch. There are side benefits to the process: not only will it allow your company to withstand a breach, but the process itself typically unifies business units for a common purpose and improves internal communication and coordination along the way.

Preparing a CSIRP no longer applies only to large businesses or government agencies. Symantec’s 2013 Internet Security Threat Report identified that 31% of attacks were against small businesses, those with fewer than 250 employees. In fact, small business was the largest growth area for targeted attacks from the previous year. Security breaches don’t just affect the large organizations you hear about on the news. Incident response is not a static field. Threats are evolving, and attackers are getting more sophisticated and more organized. Everyone from the smallest startup to the largest suppliers needs to be prepared to handle them properly.

If you’d like additional information or help with NonStop security, please contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).

Steve Tcherchian, CISSP
XYPRO Technology

Audit all security-related activity and events. #1 on XYPRO’s Top 10 List of HP NonStop Security Fundamentals

October 27th, 2014

Because high-availability and fault-tolerant systems need strong security

Finally, we’ve made it to the #1 spot on our Top 10 list! Before we get to that, though, just a reminder that the first nine HP NonStop server security fundamentals cover some incredibly important aspects of NonStop server security and are vital for protecting your mission critical systems and applications—you can review the full list of Top 10 NonStop Security Fundamentals on XYPRO’s website.

So what is THE MOST important fundamental? It’s simple really:

#1: Audit all security-related activity and events

Of course, auditing all NonStop security-related activity and events may seem easier said than done—especially when you have hundreds of thousands (maybe millions) of events occurring daily throughout your NonStop server environment. What you need is a really powerful software solution that allows you to track, filter, manage and report on all NonStop security-related activity.

Good news: You already have the solution you need

Fortunately, HP has partnered with XYPRO to provide just such a solution to all HP NonStop server users. Since August 2010, HP has bundled XYGATE Merged Audit (XMA) with all new J-series and H-series HP NonStop servers. So, if you’ve received new NonStop systems since August 2010, you already have the XMA software and licenses!

Let’s focus on five key aspects of logging and auditing and the capabilities that XMA provides for HP NonStop servers:

1. Consolidate NonStop security event data.
Security event data is created and stored in many places on a NonStop server which can make it difficult to monitor and report on security activity. To resolve that challenge, XMA merges multiple sources of NonStop audit data (for example, Safeguard, XYGATE, EMS, Measure, ACI BASE24® and/or HP’s HLR Telco solution) into a single NonStop SQL/MP database. This merged (and normalized) data can be used for security analyses, alerting, audit reporting and integration with enterprise Security Information and Event Management (SIEM) solutions, like HP ArcSight. Note: an HP NonStop SQL/MP license is not required for the XMA database.

2. Create alerts on important events.
Given the high volume of security events, users need some way to filter out routine activity so they can focus on highly important, unusual or suspicious activity. XMA has advanced filtering capabilities that use pre-defined rules and custom user-defined rules to identify important events. A GUI security event monitor is included with XMA, allowing users to monitor and be notified of events right on the desktop in graphical, acoustical and action-oriented formats. Users can also receive automatic alerts by e-mail or SMS.

3. Run audit reports.
Let’s face it, audit reporting can be a difficult and time-consuming process—yet it is extremely important. XMA enables easy creation of consolidated audit reports to comply with company policies and regulations such as the Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA). Users can choose from a wide selection of report templates, use preformatted samples or design new reports for specific needs. Whether generating reports to the NonStop spooler or to a Windows PC, XMA allows the right information to get to the right people at the right time!

4. Integrate with enterprise SIEMs.
In today’s complex security environment, companies need a comprehensive view of security events and information—SIEM solutions, like HP ArcSight, collect security information from many sources in the enterprise and use advanced analytics to identify threats and manage risks. XMA integrates with HP ArcSight and other SIEMs, such as RSA enVision and IBM QRadar, enabling the HP NonStop environment to be part of an enterprise security management solution.

5. Learn more about XMA at NonStop Technical Bootcamp.
Please, join us at Bootcamp for the HP sponsored breakout session, “Getting the Most out of XMA and XUA from the new Security Bundle”, presented by XYPRO’s Andrew Price and Rob Lesan.
(Okay, this session isn’t really an aspect of auditing per se but it’s a great way to learn more about XMA, and, as a bonus, you’ll learn about XYGATE User Authentication (XUA) which was added to the NonStop Security Bundle last year).
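The merge, normalize, alert and SIEM-integration steps in items 1, 2 and 4, as an added illustration in Python (not XMA code): two differently shaped audit sources are parsed into one normalized, time-ordered stream, two rules are evaluated over it, and each alert is written in ArcSight CEF. The input line formats and sample lines are constructed and do not reproduce the Safeguard or EMS record layouts; the failure threshold, the 08:00 to 18:00 change window, the list of privileged users and the vendor/product strings in the CEF header are assumptions.

```python
"""Merge, normalize, alert, and emit CEF: the pattern behind merged auditing.

Added example, not XMA code. SOURCE_A_LINES (a logon-audit style source) and
SOURCE_B_LINES (an operator-message style source) are constructed and are
not real Safeguard or EMS layouts. Thresholds, the change window and the
CEF vendor/product strings are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SOURCE_A_LINES = [
    "2015-02-17 02:14:05 LOGON FAIL user=SUPER.SUPER term=$ZTN0.#PTY12 from=10.1.2.3",
    "2015-02-17 02:14:21 LOGON FAIL user=SUPER.SUPER term=$ZTN0.#PTY12 from=10.1.2.3",
    "2015-02-17 02:14:40 LOGON FAIL user=SUPER.SUPER term=$ZTN0.#PTY12 from=10.1.2.3",
    "2015-02-17 02:14:58 LOGON OK   user=SUPER.SUPER term=$ZTN0.#PTY12 from=10.1.2.3",
    "2015-02-17 09:03:11 LOGON OK   user=PAY.OPER term=$ZTN0.#PTY03 from=10.1.2.44",
]
SOURCE_B_LINES = [
    "15-02-17 02:15:02 \\PROD.$ZSMP  ALTER USER SUPER.SUPER BY SUPER.SUPER ON $ZTN0.#PTY12",
    "15-02-17 09:05:40 \\PROD.$ZSMP  ALTER USER PAY.CLERK1 BY PAY.OPER ON $ZTN0.#PTY03",
]

RE_A = re.compile(r"^(\S+ \S+) LOGON (OK|FAIL)\s+user=(\S+) term=(\S+) from=(\S+)$")
RE_B = re.compile(r"^(\S+ \S+) (\S+)\s+ALTER USER (\S+) BY (\S+) ON (\S+)$")


def parse_a(line):
    """Normalize a source-A line into the common event schema."""
    m = RE_A.match(line)
    if not m:
        return None
    ts, outcome, user, term, src = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": "logon-audit",
            "action": "LOGON", "outcome": "success" if outcome == "OK" else "failure",
            "user": user, "terminal": term, "src": src, "target": ""}


def parse_b(line):
    """Normalize a source-B line; the actor becomes 'user', the altered id 'target'."""
    m = RE_B.match(line)
    if not m:
        return None
    ts, _proc, target, actor, term = m.groups()
    return {"ts": datetime.strptime(ts, "%y-%m-%d %H:%M:%S"), "source": "operator-msgs",
            "action": "ALTER_USER", "outcome": "success",
            "user": actor, "terminal": term, "src": "", "target": target}


def merge_events(a_lines, b_lines):
    """One normalized, time-ordered stream from both sources (the 'merge' step)."""
    events = [e for e in map(parse_a, a_lines) if e] + [e for e in map(parse_b, b_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(seconds=60)   # assumed
PRIVILEGED = {"SUPER.SUPER"}                              # assumed
CHANGE_WINDOW_HOURS = range(8, 18)                        # assumed 08:00-18:00


def evaluate(events):
    """Apply two rules and return (rule name, triggering event) pairs."""
    alerts = []
    failures = defaultdict(deque)        # user -> timestamps of recent failed logons
    for ev in events:
        if ev["action"] == "LOGON" and ev["outcome"] == "failure":
            q = failures[ev["user"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("repeated_logon_failure", ev))
                q.clear()                # one alert per burst, not one per extra failure
        if (ev["user"] in PRIVILEGED and ev["outcome"] == "success"
                and ev["ts"].hour not in CHANGE_WINDOW_HOURS):
            alerts.append(("privileged_activity_off_hours", ev))
    return alerts


SEVERITY = {"repeated_logon_failure": 6, "privileged_activity_off_hours": 8}


def _esc_header(s: str) -> str:       # CEF header fields escape '|' and '\'
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s: str) -> str:          # CEF extension values escape '=', '\' and newlines
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(rule: str, ev) -> str:
    """Render one alert as a CEF:0 line for ArcSight or any CEF-consuming SIEM."""
    header = "|".join(["CEF:0", "ExampleVendor", "merged-audit", "1.0",
                       _esc_header(rule), _esc_header(rule.replace("_", " ")),
                       str(SEVERITY[rule])])
    ext = {"rt": ev["ts"].strftime("%b %d %Y %H:%M:%S"), "suser": ev["user"],
           "duser": ev["target"], "src": ev["src"], "act": ev["action"],
           "outcome": ev["outcome"], "cs1Label": "terminal", "cs1": ev["terminal"],
           "cs2Label": "source", "cs2": ev["source"]}
    return header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items() if v)


if __name__ == "__main__":
    for rule, ev in evaluate(merge_events(SOURCE_A_LINES, SOURCE_B_LINES)):
        print(to_cef(rule, ev))
```

Two points carry over to a real deployment. The rules only work because both sources were normalized first: the off-hours rule fires on the ALTER USER event as well as the logon without knowing which source it came from. And the sliding window is cleared after an alert so a brute-force burst produces one alert rather than one per further failure, which is what keeps a SIEM console usable at the event volumes the post describes.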

So that’s our #1 NonStop Fundamental—it can be summarized as “audit everything” to ensure complete visibility of security-related events on the NonStop. This is such an important aspect of security that HP bundles XYPRO’s logging and auditing solution, XMA, with every new HP NonStop server. Please make sure to take full advantage of XMA’s powerful capabilities.

For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL.

You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).

XYPRO’s Top 10 HP NonStop Security Fundamentals

October 23rd, 2014

Because high-availability and fault-tolerant systems need strong security

Does it make sense to have high-availability and fault-tolerance without strong security? We at XYPRO don’t think so. We recognize that companies run their most important business applications and processes on the NonStop server platform and keeping those assets safe from data loss, tampering and inadvertent harm is mission critical.

XYPRO has been providing HP NonStop server security solutions for over 30 years—we’ve literally written the books on NonStop security—and we’ve assembled an informal “Top 10” list of HP NonStop security fundamentals.

Top 10 NonStop Security Fundamentals (in descending order)

#10: Secure the default system access settings
To facilitate initial configuration and set-up, HP NonStop servers come with a number of default security settings; many of these defaults are permissive and need to be reviewed and tightened before the system can be considered well protected.

#9: Set-up strong Safeguard authentication and password controls
Establishing strong user authentication and password management controls is a critical aspect of any security program and a major requirement for meeting PCI DSS compliance.

#8: Ensure individual accountability (no shared IDs!)
Security best practices and industry regulations, like PCI DSS, require users to have unique user IDs so that there is clear accountability. This also facilitates effective auditing, remediation and management of individual user rights and access.

#7: Establish granular control of user activity
Increasing the granularity of control builds on security concepts discussed in earlier HP NonStop fundamentals and goes deeper into specific system areas which need closer security management.

#6: Audit all actions of privileged access users
A thorough logging and auditing program for privileged users establishes the means for strong oversight over users with the greatest security access rights and who, therefore, may pose the greatest potential risk to the system.

#5: Strengthen access management with role-based access control (RBAC)
Role-based access control (RBAC) is a security approach in which system access and permission rights are grouped according to user roles and then individual users are assigned to a role. RBAC simplifies security administration and can enable a greater degree of security and control for your HP NonStop systems.

#4: Dynamically secure all NonStop system resource objects
Resource objects are key parts of your NonStop system and must be fully secured. While Safeguard provides some capabilities to do this, a best practice approach is to use a third-party tool that enables rule flexibility, expands security attributes and provides strong security to not just the Guardian subsystem but OSS, as well.

#3: Protect sensitive data
Data can be an organization’s most valuable treasure and it’s a major target for cyber-criminals. Encryption and/or tokenization are critical solutions for protecting sensitive data, reducing the scope of regulatory compliance, and limiting the impact of a data breach: stolen ciphertext or tokens are of little use without the keys or the token vault.

#2: Continuously monitor security compliance
Ensuring compliance is a critical aspect of any IT security program and compliance monitoring solutions provide the means to systematically measure, manage and report on a complex and dynamic HP NonStop security environment.

#1: Audit all security-related activity and events
It can be summarized as “audit everything” to ensure complete visibility of security-related events on the HP NonStop. This is such an important aspect of security that HP bundles XYPRO’s logging and auditing solution, XMA, with every new HP NonStop server. Please make sure to take full advantage of XMA’s powerful capabilities.
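“Audit everything” only pays off when something reads the audit trail and asks questions of it. The block below is an added example, not XMA or Safeguard code, of three checks that follow directly from the list above: every action by a privileged user is surfaced (#6), one user ID logged on from a second terminal while an earlier session is still live is flagged as a probable shared ID (#8), and a burst of failed logons for one user is reported (#9). The record layout, terminal names and thresholds are constructed for the example; Safeguard’s real audit format differs. The only NonStop-specific fact assumed is that SUPER.SUPER and the SUPER group are the platform’s privileged IDs.

```python
"""
Added example, not XMA/Safeguard code: checks that an "audit everything"
programme runs over collected audit records. The key=value record layout
below is constructed for the example and is not the Safeguard audit format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records, one per line (timestamp then key=value pairs).
SAMPLE_AUDIT = """\
2014-10-01T09:00:01Z user=SUPER.SUPER term=$ZTN0.#PTY1 action=LOGON result=OK
2014-10-01T09:00:30Z user=SUPER.SUPER term=$ZTN0.#PTY1 action=SAFECOM_ALTER object=USER.PAY.BATCH result=OK
2014-10-01T09:01:00Z user=PAY.OPER term=$ZTN0.#PTY2 action=LOGON result=OK
2014-10-01T09:02:10Z user=PAY.OPER term=$ZTN1.#PTY7 action=LOGON result=OK
2014-10-01T09:03:00Z user=PAY.OPER term=$ZTN1.#PTY7 action=READ object=$DATA.ACCTS.CARDS result=OK
2014-10-01T09:05:00Z user=PAY.CLERK term=$ZTN2.#PTY3 action=LOGON result=FAIL
2014-10-01T09:05:05Z user=PAY.CLERK term=$ZTN2.#PTY3 action=LOGON result=FAIL
2014-10-01T09:05:09Z user=PAY.CLERK term=$ZTN2.#PTY3 action=LOGON result=FAIL
2014-10-01T09:05:12Z user=PAY.CLERK term=$ZTN2.#PTY3 action=LOGON result=FAIL
2014-10-01T09:40:00Z user=PAY.OPER term=$ZTN0.#PTY2 action=LOGOFF result=OK
"""

PRIVILEGED_GROUPS = {"SUPER"}            # SUPER.SUPER and the SUPER group (NonStop super IDs)
SESSION_WINDOW = timedelta(minutes=30)   # assumption: a logon without a logoff is live this long
FAIL_THRESHOLD = 3                       # assumption: failures in FAIL_WINDOW that trigger a report
FAIL_WINDOW = timedelta(minutes=5)


def parse(text):
    """Parse the constructed key=value records into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        ev.update(p.split("=", 1) for p in pairs)
        events.append(ev)
    return events


def privileged_actions(events):
    """#6: every record produced by a user in a privileged group, logons included."""
    return [e for e in events if e["user"].split(".")[0] in PRIVILEGED_GROUPS]


def concurrent_logons(events):
    """#8: a user ID logging on from a second terminal while an earlier logon is still live.
    Returns (user, new_terminal, [terminals already live], time)."""
    live = defaultdict(dict)   # user -> {terminal: time of last successful logon}
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "LOGOFF":
            live[e["user"]].pop(e["term"], None)
            continue
        if e["action"] != "LOGON" or e["result"] != "OK":
            continue
        others = [t for t, t0 in live[e["user"]].items()
                  if t != e["term"] and e["ts"] - t0 <= SESSION_WINDOW]
        if others:
            findings.append((e["user"], e["term"], others, e["ts"]))
        live[e["user"]][e["term"]] = e["ts"]
    return findings


def failed_logon_bursts(events):
    """#9: FAIL_THRESHOLD failed logons for one user inside a sliding FAIL_WINDOW.
    Reported when the count first reaches the threshold. Returns (user, terminal, first, last)."""
    recent = defaultdict(list)   # user -> timestamps of failures still inside the window
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] != "LOGON" or e["result"] != "FAIL":
            continue
        window = [t for t in recent[e["user"]] if e["ts"] - t < FAIL_WINDOW] + [e["ts"]]
        recent[e["user"]] = window
        if len(window) == FAIL_THRESHOLD:
            findings.append((e["user"], e["term"], window[0], e["ts"]))
    return findings


def run(text):
    """Run all three checks over one batch of audit text."""
    events = parse(text)
    return {
        "privileged": privileged_actions(events),
        "shared_id": concurrent_logons(events),
        "failed_bursts": failed_logon_bursts(events),
    }


if __name__ == "__main__":
    for name, hits in run(SAMPLE_AUDIT).items():
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

The shared-ID check deliberately keys on terminal rather than on IP address: on a system where operators reach the host through a terminal server, two terminals on the same address still mean two people. Tune SESSION_WINDOW to the platform’s real idle timeout, otherwise a forgotten session from the morning produces a finding for the afternoon shift.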

Breaching Bad and the Cost of Incident Response

September 22nd, 2014

Last month, we explored data breaches involving memory scraping – how payment card information can get into the hands of thieves by siphoning off unencrypted data directly from system memory of the POS system. Since then, several widely publicized breaches hit the news, and speculation is that they were all victims of this same type of memory scraping malware. Because of this, I’ve been issued a slew of new credit cards and have to go through the joy of having to check my credit reports weekly – and I know I’m not alone there. Thanks a lot!

But what if you, as the administrator, did the due diligence, changed your default credentials, implemented two-factor authentication, enabled account lockout settings, and you were still breached? What happened? The likely culprit is an Advanced Persistent Threat (APT). APTs are stealthy, continuous intrusion campaigns carried out by a group or organization with a lot of patience. They know what they’re targeting, they’ll take their time to do it right, and they are nearly impossible to detect. As the old saying goes, we as security professionals need to be right 100% of the time; the attacker only needs to be right once.

APTs demonstrate that the security landscape is changing quickly. Focusing efforts and security budgets strictly on a “defense first” strategy is no longer sustainable. Determined attackers will keep coming until they get what they’re looking for. So what do you do?

Detection goes a long way toward putting a defensible barrier between you and the attack, and it gives you the security intelligence needed to take the next steps. XYPRO tools like Merged Audit and Compliance PRO help you achieve that level of visibility on the HP NonStop server. XYPRO’s Top 10 list on NonStop Security Monitoring takes a deeper dive into the techniques and best practices for accomplishing this.

At the Black Hat USA conference in August, nearly all the sessions were focused on offense and attacks. From hacking a hotel’s network to hacking mobile phones to USB devices, offense was the name of the game. So it was quite a pleasant change of pace to hear famed cryptographer and security expert Bruce Schneier take time to discuss something we aren’t always thinking about, likely because we’re hoping never to get there: incident response.

Incident response is something we all know we need to be prepared to do, but why is there so little effort put into it? Take a look at the cyber security market. We’re inundated with defense and detection products. We spend billions of dollars per year to protect against attacks, but give little thought about what would happen if that expensive hardware with the flashy lights fails to do what we paid it to do.

Response products and budgets are not growing at anywhere near the same pace. Schneier indicated this is because of the way people assume response works. Defense and detection can be mostly accomplished with intelligent software and expensive hardware, whereas incident response is more people-centric and less automated.

A proper security program needs to consider both areas. Defense and response need to work together to detect the breach, limit your exposure, protect you and your customers’ assets and protect your brand. These seem like huge reasons to focus efforts on incident response, but we still see very slow and uncoordinated execution in response to a breach.

A report put out earlier this year by the Ponemon Institute outlined that half of the 674 IT and security professionals surveyed indicated that less than 10% of their security budget is dedicated to incident response and that budget has not increased in the past two years, even though the cost of data breaches keeps increasing. The same report indicated that the average cost of a data breach to a company is $3.5 million (US) and that’s up 15% from last year.

In a world where cloud computing is becoming the norm, we have less control of our data and IT infrastructure than we ever have, which makes planning for incident response all the more necessary. Attackers are becoming more sophisticated and organized, even being sponsored by nation-states. Schneier indicated “We have to bring people, process and technology together in a way that hasn’t been done before to protect and respond against these types of attacks.”

Incident response is no longer a bridge to “cross if you get there”, and pointing out data breach costs can help executives make the case that a strong security posture that includes a proper incident response capability results in a financially stronger company.

Next month, we’ll take a deeper dive into how to prepare your incident response plan, not for “if it happens”, but unfortunately for “when it happens”.

Steve Tcherchian, CISSP
XYPRO Technology