23 NYCRR 500 – How LANGuardian can help with Compliance
The New York State Department of Financial Services (“DFS”) has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data.
“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks. These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”
23 NYCRR 500: What it means for you
NYCRR 500 is a regulatory compliance standard that regulates the Financial Services Industry (FSI) in New York. This regulation mandates that each institution have a cyber security program, a Chief Information Security Officer (CISO), access controls, asset management, data governance, software development practices, annual certification of its compliance, and more.
NYCRR 500 requires banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.
The key date to keep in mind is September 1, 2017: that date marks the end of the 180-day period to comply with the guidelines set forth in 23 NYCRR 500.
The key elements of the proposal are as follows:
- Establishment of a Cybersecurity Program to include:
  - Adoption of a written Cybersecurity Policy
  - Identify and assess internal and external Cybersecurity risks that may threaten the security or integrity of data stored in an organization’s IT systems.
  - Use defensive infrastructure and implementation of policies and procedures to protect the IT systems from unauthorized access or malicious acts.
  - Detect cybersecurity events.
  - Respond to identified or detected Cybersecurity events to mitigate any negative effects.
  - Recover from Cybersecurity Events and restore normal operations and services.
  - Fulfill applicable regulatory reporting requirements.
- Mandatory Chief Information Security Officer
- Cybersecurity Training for Employees
- Third-Party Service Providers Risk
- Incident Monitoring and Reporting
- Information Security Audits
How LANGuardian can help with 23 NYCRR 500
While no one system can provide the full range of compliance across all of the regulatory requirements, a forensic threat investigation solution and incident response plan will be the most important tools for demonstrating compliance.
Written policies (as defined in section 500.3) are an important first step, but compliance requires the demonstration of consistent policy enforcement. Forensic data and reporting are needed to demonstrate consistent enforcement of these new rules, and there are four sections in particular where LANGuardian provides many benefits.
Section 500.02 Cybersecurity Program (1) (3)
Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems.
LANGuardian includes both an intrusion detection system (IDS) and an advanced network traffic analysis engine. This allows you to spot rogue devices on the network as well as to generate alerts when cybersecurity events are detected.
Information Security—500.3 (a)
Being able to protect the sensitive and confidential information hosted on systems is critical in the financial industry. You must have a policy in place that allows you to identify who should have access to sensitive information. When a security breach takes place, you need to see what the bad actors gained access to and what they saw. Finally, you need to be able to prove whether somebody outside of your authorized list accessed the sensitive information.
LANGuardian can monitor network activity both inside the network and at the network edge. There is no need for agent or client software, and because it is not inline it will not impact the performance of your network. The image below shows a sample LANGuardian report listing which users accessed certain files on a network share.
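The three questions above (who may access a share, who actually touched which file, and whether anyone outside the authorized list did) can be answered from captured file-access metadata. The block below is an added example on constructed records, not LANGuardian's own reporting code; the per-share `AUTHORISED` policy and the sample `RECORDS` are assumptions.

```python
"""Share-access review for 500.3(a): per-file access list, per-user trail,
and a check of each access against the share's authorised-account list."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileAccess:
    ts: str      # ISO-8601 timestamp (constructed)
    user: str    # account seen on the wire (e.g. from the SMB session)
    client: str  # client IP address
    share: str   # share name, e.g. \\fs01\finance
    path: str    # file path within the share
    action: str  # "read", "write" or "delete"


# Assumption: the access policy is a per-share set of authorised accounts.
# Shares not listed here are not governed by the policy.
AUTHORISED = {
    r"\\fs01\finance": {"alice", "bob"},
    r"\\fs01\hr": {"carol"},
}


def access_report(records):
    """Per-file list of (timestamp, user, client, action), oldest first."""
    report = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        report[(r.share, r.path)].append((r.ts, r.user, r.client, r.action))
    return dict(report)


def unauthorised_accesses(records, policy=AUTHORISED):
    """Accesses to a governed share by an account not on that share's list."""
    return [r for r in records
            if r.share in policy and r.user not in policy[r.share]]


def accessed_by(records, user):
    """Everything one account touched: the 'what did they see' question."""
    return sorted({(r.share, r.path) for r in records if r.user == user})


# Constructed sample records: "dave" is on neither the finance nor the HR list.
RECORDS = [
    FileAccess("2017-06-01T09:00:00", "alice", "10.0.2.11", r"\\fs01\finance", r"q2\ledger.xlsx", "read"),
    FileAccess("2017-06-01T09:05:00", "bob",   "10.0.2.12", r"\\fs01\finance", r"q2\ledger.xlsx", "write"),
    FileAccess("2017-06-01T09:07:00", "dave",  "10.0.9.40", r"\\fs01\finance", r"q2\payroll.csv", "read"),
    FileAccess("2017-06-01T09:08:00", "dave",  "10.0.9.40", r"\\fs01\hr",      "salaries.xlsx",   "read"),
    FileAccess("2017-06-01T09:10:00", "carol", "10.0.2.13", r"\\fs01\public",  "memo.txt",        "read"),
]
```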
Systems and Network Security—500.3 (g)
When it comes to systems and network security, there should be a policy that defines what security tools are in place and the protections that they offer. What tools do you have in place, and how do you know what security functions they provide? Regardless of the tools, you need to define a policy outlining how the tools protect your sensitive information.
The image below shows how LANGuardian highlighted a suspicious network scan originating from an external IP address. In this case we would use LANGuardian to first identify when the scanning started and whether the external client accessed any other systems on the network. Based on this forensic analysis we would then take an appropriate action, such as blocking certain ports on the firewall.
Systems and Network Monitoring—500.3 (h)
To enforce the policies of systems and network security, active surveillance and analysis of network systems are required. Without baselining user and traffic behavior, network and security teams are blind to network activity. You need to have an exhaustive record of normal traffic patterns, and you must set up a system that alerts when traffic deviates.
LANGuardian uses a combination of metadata capture and network-based intrusion detection to monitor traffic across the network. It does not age out data, so you can look back at historical data in the event of a security breach. The image below shows a LANGuardian report which lists which clients were making outbound connections from a network.
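The scan triage described under 500.3 (g) (when did the scanning start, which other hosts did the external client touch) and the baseline-and-deviation monitoring described under 500.3 (h) both run over the same connection metadata. The block below is an added example on constructed flow records, not LANGuardian code; the `10.0.0.0/8` internal range, the scan threshold and the sample flows are assumptions.

```python
"""Connection-metadata checks: external port/host sweeps with first-seen time
and hosts contacted, plus outbound connections not seen in a baseline window."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the monitored site's address space


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds (constructed)
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def detect_scans(flows, min_targets=5):
    """External sources touching many distinct (internal host, port) pairs.
    Returns {src: (first_seen_ts, sorted internal hosts contacted)}."""
    targets, first = defaultdict(set), {}
    for f in sorted(flows, key=lambda f: f.ts):
        if is_internal(f.src) or not is_internal(f.dst):
            continue
        targets[f.src].add((f.dst, f.dport))
        first.setdefault(f.src, f.ts)
    return {s: (first[s], sorted({h for h, _ in t}))
            for s, t in targets.items() if len(t) >= min_targets}


def outbound_baseline(flows):
    """Set of (client, destination, port) seen during a known-good period."""
    return {(f.src, f.dst, f.dport) for f in flows
            if is_internal(f.src) and not is_internal(f.dst)}


def new_outbound(flows, baseline):
    """Outbound connections absent from the baseline, sorted for stable reporting."""
    return sorted({(f.src, f.dst, f.dport) for f in flows
                   if is_internal(f.src) and not is_internal(f.dst)} - baseline)


# Constructed sample: one external host sweeping ports, one new outbound destination.
BASELINE = [Flow(1000, "10.0.1.20", "93.184.216.34", 443),
            Flow(1010, "10.0.1.21", "93.184.216.34", 443)]
CURRENT = [Flow(2000 + i, "198.51.100.7", "10.0.1.5", p)
           for i, p in enumerate((22, 80, 443, 445, 3389))]
CURRENT += [Flow(2100, "198.51.100.7", "10.0.1.6", 445),
            Flow(2200, "10.0.1.20", "93.184.216.34", 443),
            Flow(2300, "10.0.1.21", "203.0.113.9", 8443)]
```

Running `detect_scans(CURRENT)` reports the external source with its first-seen timestamp and both internal hosts it reached, and `new_outbound(CURRENT, outbound_baseline(BASELINE))` lists only the connection not present in the baseline.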
Incident Response—500.3 (n)
The main goal of any incident response and forensic threat investigation solution is to give teams the ability to respond quickly to incidents. Such a solution lets an organization react to a threat as soon as it is detected and discover where the intruders have gone.
LANGuardian can generate email alerts, or export alerts as syslog events, which can be picked up by SIEM systems. The image below shows a sample of event types that can be triggered by LANGuardian.