This is the second post in a series examining compliance. Read the first post here.
Here is a quiz: what do Facebook, Yahoo!, Uber and Twitter have in common?
They all suffered huge data breaches in recent years, compromising information on millions of customers. Yahoo! took a double hit: one breach in 2013, eventually found to affect all 3 billion of its accounts, and another in 2014 affecting 500 million. Neither was disclosed until 2016, and the full scale of the 2013 breach only emerged in 2017, after the Verizon acquisition had closed. The 2018 IBM Cost of a Data Breach Study puts the average cost of resolving a breach at $3.9 million globally and $7.9 million in the US. Healthcare has the highest per-record cost at $408, almost double that of financial services ($206), which came in second.
Enough statistics. One finding from the study stands out: a company that suffers a data breach has a 28% chance of suffering another within the next two years. Why?
Because the window of vulnerability for the average organization is large: around 1,500 days, the time taken to identify a breach and secure against it. That window drives up not just exposure but cost. So what can organizations do proactively, rather than reactively, to anticipate attacks and protect themselves?
Invest in Compliance
I know: to many, compliance feels like a return to draconian times. More seriously, spending on compliance is almost certainly cheaper than paying for non-compliance and managing its repercussions. For evidence, look at 2017 and the number of breaches the financial industry suffered that year. Where organizations were not compliant with PCI-DSS, cardholder data was exposed to attackers for an average of 284 days before the theft was discovered. According to the compliance consultancy SecurityMetrics, 85% of organizations lacked comprehensive methods for restricting access to their networks. Now, with IoT and the smart refrigerator connecting to the office network, the attack surface has expanded enormously. In this situation it is not enough to monitor the edge devices connecting to the network; you also need to recursively index and discover every asset on it.
The problem with current vulnerability management solutions is that they cannot protect devices they cannot see. Our Lumeta solution routinely finds around 40% more devices than are known to exist on a typical network. Lumeta has its roots in the Internet Mapping Project, and it maps every network connection, host, and active IP on the network. The accurate, real-time intelligence Lumeta provides on hybrid network architecture, network segmentation and cybersecurity analytics lets our clients validate IT policies, analyze the connectivity between assets and networks, uncover risk patterns and policy weaknesses, and proactively secure their critical assets.
Lumeta’s network-level discovery data includes:
- Discovered devices
- Unknown IPs
- Non-responding networks
- Leak paths
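Those four categories are the output of an inventory reconciliation: compare what actually answers on the wire with what the asset register says should be there, and check whether segments that are supposed to be isolated can in fact reach the outside. The Python below is an added illustration of that reconciliation and is not Lumeta code; the CMDB export, the sweep results, the traceroute hops and the network names are all constructed for the example, and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public addresses.

```python
"""Reconcile an active network sweep against an asset inventory.

Added illustration, not Lumeta code. Every input below is constructed;
real use would feed it ARP/ICMP sweep results and traceroute output.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed inventory (hypothetical CMDB export): network -> name.
INVENTORY_NETWORKS = {
    "10.1.0.0/24": "corp-users",
    "10.2.0.0/24": "pci-cardholder",  # must never reach the Internet
    "10.3.0.0/24": "ops-decom",       # believed decommissioned
}
INVENTORY_HOSTS = {"10.1.0.10", "10.1.0.11", "10.2.0.5", "10.2.0.6"}
ISOLATED_NETWORKS = {"10.2.0.0/24"}

# Constructed sweep results: every address that answered.
DISCOVERED_HOSTS = {
    "10.1.0.10", "10.1.0.11", "10.1.0.77",   # .77 is not in the CMDB
    "10.2.0.5", "10.2.0.6", "10.2.0.9",      # .9 is not in the CMDB
    "192.168.50.4",                          # nobody inventoried this subnet
}

# Constructed traceroutes from isolated hosts toward an Internet target
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing
# in for public addresses).
TRACEROUTES = {
    "10.2.0.5": ["10.2.0.1", "*", "*"],                         # blocked at the gateway
    "10.2.0.9": ["10.2.0.254", "203.0.113.1", "198.51.100.7"],  # escapes via a second gateway
}

# RFC 1918 space; anything outside it is treated as external.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class DiscoveryReport:
    unknown_ips: set = field(default_factory=set)              # answered, absent from CMDB
    rogue_networks: set = field(default_factory=set)           # answered, no CMDB network at all
    non_responding_networks: set = field(default_factory=set)  # in CMDB, nothing answered
    leak_paths: dict = field(default_factory=dict)             # isolated host -> first external hop


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def classify_hosts(discovered, inventory_hosts, inventory_networks):
    """Split responding addresses into known, unknown-in-known-network and rogue,
    and report inventoried networks from which nothing answered."""
    nets = [ipaddress.ip_network(n) for n in inventory_networks]
    responders = {str(n): 0 for n in nets}
    unknown, rogue = set(), set()
    for host in discovered:
        ip = ipaddress.ip_address(host)
        home = next((n for n in nets if ip in n), None)
        if home is None:
            # Summarise to a /24 so triage sees one subnet, not one host per line.
            rogue.add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
            continue
        responders[str(home)] += 1
        if host not in inventory_hosts:
            unknown.add(host)
    silent = {n for n, count in responders.items() if count == 0}
    return unknown, rogue, silent


def find_leak_paths(traceroutes, isolated_networks):
    """A leak path: a route from an isolated segment that reaches a hop outside RFC 1918."""
    isolated = [ipaddress.ip_network(n) for n in isolated_networks]
    leaks = {}
    for src, hops in traceroutes.items():
        if not any(ipaddress.ip_address(src) in n for n in isolated):
            continue
        for hop in hops:
            if hop != "*" and not is_internal(hop):
                leaks[src] = hop
                break
    return leaks


def build_report(discovered=DISCOVERED_HOSTS, inventory_hosts=INVENTORY_HOSTS,
                 inventory_networks=INVENTORY_NETWORKS, traceroutes=TRACEROUTES,
                 isolated_networks=ISOLATED_NETWORKS):
    report = DiscoveryReport()
    report.unknown_ips, report.rogue_networks, report.non_responding_networks = \
        classify_hosts(discovered, inventory_hosts, inventory_networks)
    report.leak_paths = find_leak_paths(traceroutes, isolated_networks)
    return report


if __name__ == "__main__":
    r = build_report()
    print("unknown IPs:", sorted(r.unknown_ips))
    print("rogue networks:", sorted(r.rogue_networks))
    print("non-responding networks:", sorted(r.non_responding_networks))
    print("leak paths:", r.leak_paths)
```

Run it directly to print the four lists. In practice the constructed inputs would come from an ARP/ICMP sweep and from traceroutes launched by a probe placed inside each isolated segment, since a leak path only shows up when you test from the segment that is supposed to be cut off. Note that a network in the CMDB from which nothing answers deserves as much attention as a host that answers but is not in the CMDB: it may really be decommissioned, or it may simply be unreachable from where you are scanning.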
Lumeta Keeps You Compliant
Today, organizations grapple with multiple compliance requirements depending on their industry: the EU's General Data Protection Regulation (GDPR), HIPAA, FISMA, SOX, GLBA, PCI-DSS and a number of country- and state-specific laws. Read many of these and rule #1 is the same: know what is on your network, at all times. That is easier said than done; it requires constant monitoring and regular compliance audits. Lumeta supports a wide range of compliance regulations by helping organizations:
- Maintain compliance amid network and regulatory change
- Optimize vulnerability management and incident response
- Eliminate audit surprises
- Gain “fact-based” compliance reporting
- Show protective measures are in place around sensitive customer & personnel data
- Provide continuous monitoring
- Automate audit reporting on network infrastructure
Lumeta aligns with the ISACA approach to auditing network security, which begins by determining the extent of the network: Lumeta identifies exactly what the network comprises, including any connections to external networks.
It is a Dark World without Lumeta
It has been shown, time and again, that organizations need to actively invest in threat intelligence, device and network discovery, access governance, and cyber analytics. Monitoring and reporting have to happen in real time, not in periodic snapshots. Enterprises need to detect threats wherever they originate, which matters all the more as the specter of state-sponsored attacks looms large. How can even highly regulated verticals such as finance and healthcare protect themselves from intrusions and attacks if 35% to 50% of their networks are dark: invisible and undiscovered?
Detection is a prerequisite for deterrence and response, which is why Lumeta is the first line of defense for agencies that protect our national security. With almost every industry facing the sword of Damocles that is compliance, alongside the proliferation of IoT and BYOD, cyber threats, and breaches, the business case for Lumeta has never been stronger.
Learn more about how you can apply Lumeta in your hybrid and multi-cloud environment here: http://bit.ly/2vvsgkc.