Effective March 2017, a set of cybersecurity requirements (collectively called “23 NYCRR 500”) became a first-in-the-nation milestone for New York. The new regulations recognize the growing threats to information and financial systems from malicious actors, nation-states, and terrorist organizations. Such threats have become increasingly difficult to detect and prevent as cybercriminals use more sophisticated means to exploit technological vulnerabilities, especially at high-value targets such as financial institutions.
Due to the lack of a comprehensive federal cybersecurity policy, New York’s Department of Financial Services (DFS) has created its own state regulation. To ensure protection for corporate and consumer data, it now requires all banks, insurance companies, and other financial services institutions under its regulation to comply with 23 NYCRR 500.
23 NYCRR Section 500: Overview and Governance
To drive compliance, the DFS has outlined specific minimum standards for a cybersecurity program. The regulations set forth protective measures based on the risk assessment of an organization, its personnel, training, and those controls in place to protect data and information systems. The “covered entities” under the DFS’ purview (which includes banks, insurance companies, mortgage brokers, etc.) must now report cybersecurity events through the department’s online cybersecurity portal. The portal permits the state’s financial institutions to not only report events (within the required 72 hours), but also to file their required certifications of compliance. And DFS has published a set of dates by which organizations must reach certain compliance milestones:
Key Dates under New York’s Cybersecurity Regulation (23 NYCRR Section 500)
- March 1, 2017 – 23 NYCRR Part 500 becomes effective.
- August 28, 2017 – 180-day transitional period ends. Covered entities are required to be in compliance with 23 NYCRR Section 500 requirements unless otherwise specified.
- February 15, 2018 – Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
- March 1, 2018 – One-year transitional period ends. Covered entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Section 500.
- September 3, 2018 – Eighteen-month transitional period ends. Covered entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Section 500.
- March 1, 2019 – Two-year transitional period ends. Covered entities are required to be in compliance with the requirements of 23 NYCRR 500.11.
How Exabeam Can Help
Exabeam’s Security Intelligence Platform provides a host of capabilities that support DFS compliance, helping covered entities keep pace with technological advances. It provides rich insights into potential cybercriminal activity and prevents losses for DFS-regulated entities—as well as for consumers to whom they provide services.
Exabeam helps companies identify risky behavior by distinguishing legitimate business transactions from actual threats. It also provides a robust set of incident response capabilities to effectively deal with security events. Overall, the Exabeam platform provides DFS-regulated firms the tools they require to support a strong and healthy cybersecurity program.
Monitoring Security Events
The 23 NYCRR 500 regulations call for continuous monitoring as part of your cybersecurity program. (Where continuous monitoring is not in place, the regulation instead calls for annual penetration testing and bi-annual vulnerability assessments.)
Monitoring logs and security events is already a core component of strong information security. Corporate IT teams use Exabeam to ingest (directly or via a SIEM/log management system) file access logs, Windows event logs, email logs, web proxy logs, and other information necessary to identify risky activity. This fulfills the DFS requirement to detect the existence of cybersecurity vulnerabilities and malicious activity.
Monitoring IT Operations
A core DFS requirement is to continuously monitor relevant systems for critical errors that require attention, since errors in general-purpose systems can have a significant impact on security. Exabeam’s log management and data lake capabilities offer a powerful combination for monitoring IT operations. As changes occur throughout your environment, Exabeam’s centralized logging and reporting facility not only aids in continuous monitoring, but also provides a long-term repository for auditing needs. Moreover, the platform can alert administrators so they can immediately respond to problems that may negatively impact DFS compliance.
Leveraging Risk Scores
Section 500.09 requires entities to perform periodic risk assessments on information systems to inform the design of their cybersecurity programs. This involves evaluating the business and IT assets used at financial organizations and assigning a meaningful risk score to each potential threat vector. Risk scores for accounting systems, enterprise resource planning (ERP) systems, and similar assets serve as valuable data points Exabeam can use to inform incident response. For example, when security events occur, a higher priority can be assigned to a critical financial system than to a lower-risk system.
Detecting Unauthorized Use or Tampering
To help comply with DFS’ requirements to track unauthorized access and data tampering, Exabeam has built-in file monitoring models that can follow every action related to a file—from initial access and attaching to an email, to a download and write action on a local USB drive.
Exabeam is the only data monitoring solution that can track file actions even as a user changes devices or account identities. For example, if an employee copies a sensitive file to a local workstation, then attaches it to an email using an unrelated shared admin account, Exabeam is able to confidently attribute this activity chain to that user.
Many of Exabeam’s models are context-based. They recognize that even an authorized user accessing files outside their normal baseline activity can be a red flag. Additionally, they can distinguish between business-justified activities and anomalous behavior stemming from the use of compromised credentials (more on that follows).
In addition, Exabeam is able to ingest file access log information from across disparate threat vectors (e.g., cloud, database, email, application) and assemble it into a coherent activity chain—even as users try to hide by swapping account credentials, devices, or IP addresses.
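The two ideas in the passages above, weighting events by an asset’s risk score (Section 500.09) and flagging activity that falls outside a user’s normal baseline, can be sketched in a few lines of code. The following Python is an added illustration for this page; it is not Exabeam code and does not describe Exabeam’s models. The log format, user names, hosts, paths and the per-asset risk scores are all constructed for the example.

```python
"""Baseline-deviation scoring of file-access events, prioritised by asset risk.

Added illustration; not Exabeam code. The log format, users, hosts, paths
and risk scores below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs: "<ISO timestamp> <user> <host> <action> <path>".
# The first path component (the share) identifies the asset being touched.
BASELINE_LOG = """
2017-09-04T09:12:00 alice ws-alice READ /accounting/ledger-q3.xlsx
2017-09-04T10:30:00 alice ws-alice WRITE /accounting/ledger-q3.xlsx
2017-09-05T09:45:00 alice ws-alice READ /accounting/ar-aging.xlsx
2017-09-06T14:05:00 alice ws-alice READ /shared/holiday-calendar.pdf
2017-09-04T08:50:00 bob ws-bob READ /erp/vendors.csv
2017-09-05T16:20:00 bob ws-bob WRITE /erp/vendors.csv
2017-09-06T11:00:00 bob ws-bob READ /shared/holiday-calendar.pdf
"""

# Constructed events from the day after the learning window.
NEW_LOG = """
2017-09-07T10:00:00 alice ws-alice READ /accounting/ledger-q3.xlsx
2017-09-07T23:40:00 alice ws-bob READ /erp/vendors.csv
2017-09-07T23:41:00 alice ws-bob READ /shared/holiday-calendar.pdf
2017-09-07T09:15:00 bob ws-bob READ /erp/customers.csv
"""

# Constructed per-asset risk scores, as a 500.09 risk assessment might assign them.
ASSET_RISK = {"erp": 9, "accounting": 8, "shared": 2}
DEFAULT_RISK = 5  # assumed score for assets the assessment did not cover


def parse(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, host, action, path = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "action": action, "path": path, "asset": path.split("/")[1]}


def parse_log(text):
    return [parse(l) for l in text.strip().splitlines()]


def build_baseline(events):
    """Per user: the assets, hosts and hours of day seen in the learning window."""
    base = defaultdict(lambda: {"assets": set(), "hosts": set(), "hours": set()})
    for e in events:
        b = base[e["user"]]
        b["assets"].add(e["asset"])
        b["hosts"].add(e["host"])
        b["hours"].add(e["ts"].hour)
    return base


def score_event(e, baseline):
    """Count deviations from the user's baseline and weight by the asset's risk.

    Returns (score, reasons); a score of 0 means the event is within baseline.
    """
    reasons = []
    b = baseline.get(e["user"])
    if b is None:
        reasons.append("no baseline for user")
    else:
        if e["asset"] not in b["assets"]:
            reasons.append("asset never accessed before")
        if e["host"] not in b["hosts"]:
            reasons.append("host never used before")
        if e["ts"].hour not in b["hours"]:
            reasons.append("outside usual hours")
    weight = ASSET_RISK.get(e["asset"], DEFAULT_RISK)
    return len(reasons) * weight, reasons


def triage(new_events, baseline):
    """Score every new event, drop in-baseline ones, return highest risk first."""
    flagged = []
    for e in new_events:
        score, reasons = score_event(e, baseline)
        if score:
            flagged.append({"score": score, "user": e["user"],
                            "path": e["path"], "reasons": reasons})
    flagged.sort(key=lambda f: f["score"], reverse=True)
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for f in triage(parse_log(NEW_LOG), baseline):
        print(f["score"], f["user"], f["path"], "; ".join(f["reasons"]))
```

Run as a script, the constructed data yields three flagged events: alice reading an ERP file from another user’s workstation at 23:40 scores highest (three deviations on a high-risk asset), bob’s single off-hours deviation on the ERP share still outranks alice’s two deviations on the low-risk shared drive, and alice’s routine morning access to the accounting ledger is not flagged at all. The point is the ordering: the same number of anomalies is worth more attention when it touches a system the risk assessment rated critical.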
Detecting Compromised Credentials
A fundamental cybersecurity control is to ensure that only authorized personnel have access to sensitive and confidential data, especially the nonpublic information DFS is keen to protect. This includes preventing both internal employees and external actors from obtaining credentials and setting off an attack chain.
The DFS regulations emphasize the importance of continuously monitoring accounts, including privileged users and third-party vendors who have special access. This poses a unique challenge: such credential use can look like legitimate business activity, so malicious activity can go unnoticed for long periods of time.
But Exabeam eliminates this problem by detecting anomalies and piecing together a fuller story. It does this by accurately modeling the behavior of users, entities—and even security alerts from other security solutions—then surfacing it in a centralized way.
Exabeam can quickly detect complex threats and alert IT security teams of suspicious activity, even if it occurs using valid credentials obtained from an unwitting user within your organization. By monitoring and revealing anomalous actions, Exabeam gives your security team the context and knowledge to take corrective action against malicious actors who are using compromised credentials.
Incident Response Planning
Section 500.16 calls for a written incident response plan, designed to quickly respond to and recover from any cybersecurity incidents threatening the confidentiality, integrity, or availability of information systems. Exabeam supports a covered entity’s internal processes for responding to a security incident, providing a robust, off-the-shelf incident response solution. It allows firms to configure custom remediation actions to fit their unique needs, or to take advantage of pre-built playbooks and workflows.
Exabeam’s comprehensive security orchestration includes:
- Native integration with popular log management systems, security data lakes, and UEBA tools to enable users to quickly and easily kick off and manage breach investigations.
- Pre-built API integrations with hundreds of IT and security infrastructure solutions to programmatically pull data from, or push actions to, third-party solutions. This enables rapid investigation and visibility for enterprise security and SOX-compliance stakeholders.
- Automated response workflows, ranging from passive (notify a security analyst), to informational (send a warning email to an employee), to full force (lock down access and initiate a response), leveraging existing security solutions.
Unlike existing triage and case management systems most SOCs use to track incident status, Exabeam provides automated incident response via security orchestration and workflow automation. This provides huge productivity gains for IR teams, yielding lower response times and fewer manual errors.
Such activities are subsequently logged by Exabeam and available as forensic evidence that the corporation has taken steps to identify and remediate security incidents. This fulfills the DFS requirement to document and report security events and their corresponding incident response activities.
How Exabeam Maps to DFS Requirements
The DFS regulation has a phased timeline by which certain parts must be met. Covered entities are required to be in full compliance by March 1, 2019.
Here is how the Exabeam Security Intelligence Platform maps to 23 NYCRR 500.
| DFS 23 NYCRR Section 500 | Subsection | Exabeam DFS Capabilities |
|---|---|---|
| 500.05 Penetration Testing and Vulnerability Assessments | The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. | |
| 500.06 Audit Trail | (2) Include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of normal operations. | |
| 500.09 Risk Assessment | (a) Each covered entity shall conduct a periodic risk assessment of the covered entity’s information systems sufficient to inform the design of the cybersecurity program as required by this part. | |
| 500.14 Training and Monitoring | (a) Implement risk-based policies, procedures, and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users. | |
| 500.16 Incident Response Plan | Incident plans will address the following areas: (1) The internal processes for responding to a cybersecurity event; (5) Identification of requirements for the remediation of any identified weaknesses in Information systems and related controls; (6) Documentation and reporting regarding cybersecurity events and related incident | |
The NYS DFS regulations bring a slew of requirements that Exabeam can help you meet. Our products are designed with compliance in mind, and we deliver a purpose-built solution to help security teams of all sizes stay on top of DFS commitments. With Exabeam, security teams benefit from DFS-ready solutions while also gaining fully effective threat management capabilities.
Schedule a demo with us today to learn more about how Exabeam can help your organization adhere to DFS regulations.