enterprisesecuritymag

CSPi: True PII Breach Detection

Gary Southwell, General Manager, Cybersecurity Division, CSPi
The cure to any ailment begins with proper diagnosis, be it in medicine or cybersecurity. The 1,400 reported breaches in the U.S. last year are grim reminders of the sad state of affairs in properly protecting PII. In most cases, it takes over two months for organizations to figure out that they have been breached—let alone which PII/PHI data records were actually exposed. The right diagnosis then is what helps victims uncover the underlying ailment; this is where CSPi has positioned its unique value proposition.

Why does detecting a PII breach present such a challenge? According to industry reports, the average organization faces over 5,000 cyber threat incidents a day, which makes identifying the actual breach incidents among them daunting. Quickly understanding and pinpointing the aftermath of an identified PII data breach is especially important, because companies that have lost valuable customer records must pay fines if they do not report the incident to the relevant authorities within strict deadlines, including naming the citizens whose records were exposed.

CSPi takes a different approach to diagnosing a breach—“we actively record all data going to and from databases and file shares storing PII data. If those systems have been breached, organizations can search the conversations and locate the exact exposed records. To automate the process, CSPi works with Fortinet’s FortiGate, ingesting the firewall’s and IPS’s threat alerts. We actively utilize the Fortinet API, allowing our system to access FortiManager to pull relevant alerts into our solution and run automated searches of bad actors communicating with the monitored and recorded assets,” states Gary Southwell, GM at CSPi.

We actively utilize the Fortinet API, which allows our system to identify breached PII records in our client systems


In the event of a verified breach, CSPi automatically extracts a file, or detailed report, from the recording that presents the entire conversation the bad actor had with the database and identifies the actual records that were exposed. This provides the vital forensic evidence required to report the breach properly. Another benefit is that the recorded data can be replayed through the application to prove whether the records were effectively protected by encryption. If they were, breach notification is not required, but the extraction files must be saved as evidence.
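The workflow described above (record the conversations with the PII stores, ingest IPS alerts, search the recordings for every flagged actor, and extract the records that actor was served) can be illustrated in a few dozen lines. The script below is an added example written for this article, not CSPi's code and not the FortiGate/FortiManager API; the asset inventory, alerts, recorded sessions and the record-ID format in the payloads are all constructed stand-ins.

```python
import json
import re
from dataclasses import dataclass, asdict
from typing import Dict, Iterable, List, Set

# Constructed inventory of the PII stores whose traffic is being recorded
# (hypothetical addresses and names, not from the article).
MONITORED_ASSETS: Dict[str, str] = {
    "10.0.5.20": "patient-db",
    "10.0.5.21": "pii-fileshare",
}

# Record identifiers as they appear in the constructed payloads below.
RECORD_ID = re.compile(r"\b(patient_id|emp_id)=(\d+)")


@dataclass(frozen=True)
class IpsAlert:
    ts: str
    src: str        # address the IPS flagged as the attacker
    dst: str        # target of the flagged traffic (need not be a PII store)
    signature: str


@dataclass(frozen=True)
class Session:
    ts: str
    src: str
    dst: str
    dst_port: int
    payload: str    # decoded application-layer content from the recorder


# Constructed IPS alerts, standing in for alerts pulled over the firewall vendor's API.
IPS_ALERTS: List[IpsAlert] = [
    IpsAlert("2019-03-02T01:12:08Z", "203.0.113.44", "10.0.5.20", "SQL Injection Attempt"),
    IpsAlert("2019-03-02T01:15:31Z", "198.51.100.7", "10.0.7.9", "Port Scan"),
]

# Constructed recorded sessions to and from the PII stores (one internal client included).
RECORDED_SESSIONS: List[Session] = [
    Session("2019-03-02T01:12:09Z", "203.0.113.44", "10.0.5.20", 5432,
            "RESP patient_id=1001 ssn=***; patient_id=1002 ssn=***"),
    Session("2019-03-02T01:13:40Z", "203.0.113.44", "10.0.5.21", 445,
            "READ /hr/employees.csv rows=emp_id=77,emp_id=78"),
    Session("2019-03-02T01:14:02Z", "10.0.9.15", "10.0.5.20", 5432,
            "RESP patient_id=1003"),
    Session("2019-03-02T01:16:00Z", "198.51.100.7", "10.0.5.20", 5432,
            "RESP patient_id=1004"),
]


def bad_actors(alerts: Iterable[IpsAlert]) -> Set[str]:
    """Every source address the IPS flagged, whatever host it was flagged against."""
    return {a.src for a in alerts}


def find_exposed_sessions(alerts: Iterable[IpsAlert], sessions: Iterable[Session],
                          monitored: Dict[str, str]) -> List[Session]:
    """Recorded sessions in which a flagged actor talked to a monitored PII store.

    The search is keyed on the actor rather than on the alert's target: an alert
    for a scan of an unrelated host still triggers a look at what that actor did
    to the recorded PII stores, which is how the second alert above yields a hit.
    """
    actors = bad_actors(alerts)
    return [s for s in sessions if s.src in actors and s.dst in monitored]


def extract_exposed_records(sessions: Iterable[Session],
                            monitored: Dict[str, str]) -> Dict[str, Set[str]]:
    """Record identifiers served to the actor, grouped by the asset that served them."""
    exposed: Dict[str, Set[str]] = {}
    for s in sessions:
        ids = {f"{key}={value}" for key, value in RECORD_ID.findall(s.payload)}
        exposed.setdefault(monitored[s.dst], set()).update(ids)
    return exposed


def build_evidence_report(alerts: Iterable[IpsAlert], sessions: Iterable[Session],
                          monitored: Dict[str, str]) -> dict:
    """The 'extraction file': which actors, which conversations, which records."""
    hits = find_exposed_sessions(alerts, sessions, monitored)
    records = extract_exposed_records(hits, monitored)
    return {
        "actors": sorted({h.src for h in hits}),
        "sessions": [asdict(h) for h in hits],
        "exposed_records": {asset: sorted(ids) for asset, ids in records.items()},
    }


if __name__ == "__main__":
    print(json.dumps(build_evidence_report(IPS_ALERTS, RECORDED_SESSIONS, MONITORED_ASSETS), indent=2))
```

On the constructed data the report names both flagged actors, keeps the internal client's session out of the evidence, and lists three patient records and two employee records as exposed; that per-record list is what the notification deadlines described above require.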

Here is a real-life use case: a metro healthcare center with 19 clinics was breached. It brought in a third-party incident response company, which could not narrow down the actual records exposed after billing $180,000. CSPi, however, advised that adding a FortiGate IPS coupled with CSPi’s Myricom appliance would provide an effective means to detect the details of a breach for under $90,000, a system that pays for itself on the first breach. In this case, recreating the breach circumstances with the FortiGate and CSPi solution took a total of ten hours to get the extraction files, review them all, and pinpoint which records were exposed, all while the customer was shown how to use the system.

CSPi has subsequently introduced the ARIA Software Defined Security (SDS) platform, which automatically encrypts data at the application level: CSPi inserts an agent inside the application, making it easy to add encryption during the development process. Addressing another prevalent issue, CSPi has invented an intelligent network adapter with the processing power to run encryption functions within the NIC. This offloads those intensive processes from the server cores, allowing encryption to be deployed effectively on any installed legacy system.