When is a breach not a breach? When you can prove that sensitive data has not been accessed - even off a lost or stolen device. And the way to ensure that, says former prosecutor Stephen Treglia, is through Absolute Data & Device Security.
This is not just a strategy, but also the name of a new solution from Absolute. The intent of Absolute Data & Device Security is to maintain a persistent two-way connection to all endpoint devices, so if one is lost or stolen, data can be frozen or even wiped - even if the device is not reconnected to the Internet.
"Once [the device] is off the grid, there are a lot of services we can provide," says Treglia, HIPAA compliance expert and legal counsel to Absolute. "We have been tracking down devices for over a decade, and to date have returned 38,000 stolen devices to their owners."
Absolute Data & Device Security was launched in the healthcare and education fields, but is now being deployed across all sectors, Treglia says. The biggest lesson he brings to these new sectors: "You can't plan soon enough," Treglia says. "If you wait until the breach - you're done. Because you can't catch up with everything you need to lay in terms of a foundation. You need to know where your vulnerabilities are. Not just your technical vulnerabilities, but your legal ones."
In an interview about data and device security, Treglia discusses:
- Current shortcomings in endpoint security;
- Effective strategies for addressing these gaps;
- Absolute's new product release for the enterprise.
Since November of 2010, Stephen has been Legal Counsel to the Investigations staff at Absolute, the leading creator and distributor of remote tracking and data management software for mobile digital devices.
At the start of 2013, Stephen became the HIPAA Compliance Officer for Investigations. In March of 2015, he received his certification from (ISC)2 as a HealthCare Information Security and Privacy Practitioner.
Prior to joining Absolute, Stephen concluded a 30-year career as a prosecutor, having created and supervised one of the world's first computer crime units at the Nassau County DA's Office from 1997-2010, complete with in-house forensic examiners, investigators and undercover investigators.
No 'Get Out of Jail Free' Card for Device Security
FIELD: When it comes to what you term, "Absolute Data and Device Security," where do you typically see enterprises falling short?
TREGLIA: For a while, the focus was on just securing the network, the main servers, and so forth - building the higher fences and taller ladders to outpace the bad guys who are trying to enter the network - and mobile device security was a lost sister in this discussion. I see that being less true today, although some organizations forget about their mobile systems when they're thinking about security.
Worse, enterprises assume that if their data is encrypted, it's safe. I've been at conferences where even lawyers say it's a "get out of jail free" card. This worries me because, first of all, we've had no definitive ruling by any court or any administrative body that suggests this. As a lawyer, you should look at the way the laws and regulations are written to get guidance. And, specifically, right after the HITECH Act in 2009, a regulation came out that said if a device's encryption key is defeated, accessed or decrypted, that device is no longer considered encrypted for HIPAA purposes.
This can happen in a number of ways. You can forget to encrypt the device or encrypt it incorrectly. Someone might steal the device that's assigned to them, so they know the decryption key. One of our investigators visited this three-story medical clinic with hundreds of devices. Each device had a printer label with its serial number affixed on the front - and its decryption key affixed to the back. So, I don't know how those devices could be considered secure in any way.
FIELD: And you know all the passwords are on a sticky note on the desk, right?
TREGLIA: This wasn't even a sticky note. This was affixed to the device itself. I insisted that the investigator take photographs because I couldn't believe it.
The Absolute DDS Approach
FIELD: What caused Absolute Software to move into the healthcare space?
TREGLIA: A little over three years ago, I was asked to start looking at the security protection environment and the various verticals. Healthcare was the first that came to mind because it had been getting so much attention in the news and because my wife actually works in healthcare. Soon after I started poking my nose into it, just a few weeks later, I realized we had to become HIPAA-compliant by September of 2013, because we're a business associate of our healthcare customers. I had to learn quickly what we needed to do to become HIPAA-compliant.
FIELD: What is the primary healthcare security gap Absolute Software addresses?
TREGLIA: Gaps are everywhere; we could spend hours talking about them. Absolute Software tries to identify what those potential problems are, whether you have avoided them, and whether you'd know to report a breach because we can see into the device after it's already left your control.
FIELD: Steve, I'm glad you're going there because I'd like to hear more about the Absolute DDS (Data & Device Security) approach. How does it differ from other security strategies in the marketplace?
TREGLIA: Absolute DDS has two pieces nobody else has. The first one is our Persistence Technology. We have partnered with OEMs so that, from out of the box at the factory, this capability is already implanted in the firmware as well as the OS. When a bad actor steals a device, the first thing they do is flush out anything in the system that could be used to find the device. They might swap out the hard drive, flash the BIOS, or install a new OS - anything that could defeat any surveillance service on the device. Our unique, patented system survives all of those attempts.
In the healthcare space, once a device leaves the control of the proper people, those people have to presume they have a breach in their HIPAA environment. Our Persistence Technology isn't activated until the device is reported stolen, but once it is, we provide a window into the device when it connects to the Internet and provide risk response services even when it isn't, including device-free data delete.
Our second piece is our Absolute Investigations team. Our team of 40 investigators, most of them former law enforcement, have been tracking down devices for over a decade, and as of today, have returned over 38,000 stolen devices to their owners. They figure out who is accessing the device, why they're accessing it, and what they're doing with it.
Absolute's Secret Sauce
FIELD: Steve, you just came to the secret sauce, your team of investigators. You mentioned a law enforcement background. Talk about that and what really distinguishes your team of investigators.
TREGLIA: Yes, they are former law enforcement investigators with over 1,000 years of collective law enforcement experience and over 250 years of that in management leadership positions within law enforcement. This group also boasts over 300 years of cybercrime investigative experience. On top of that, several of our people have privacy certifications. At the beginning of 2015, I, myself, acquired my healthcare information security and privacy practitioner certification through (ISC)². We have several other versions of security and certifications, from such organizations as CISSP, spread around our team as well.
In addition, we have over 7,500 law enforcement connections worldwide developed over the many years we've been in the consumer and business market, prior to coming into healthcare. We have touched base with over 37,000 individual law enforcement officers, and we've maintained that contact information in a database. As a result, we know who to go to in a jurisdiction when a device has disappeared and talk law enforcement to law enforcement officers. We know the language. It's amazing the doors that open up when you can say you're a retired prosecutor or detective or FBI agent. That brotherhood or sisterhood comes into play.
And in the HIPAA environment, as well as most other privacy environments, if law enforcement tells us they want to investigate further, the more we know they're engaging in combatting cybersecurity attacks. They may want to do an investigation, and so we'll help them file the necessary paperwork. They may decide to put a halt on any breach notification so as not to damage the investigation, and the law is very cognizant of that. That gives them more time to put together the pieces with our assistance and our customers' assistance into what happened to the device in the first place.
Extending Absolute's Solution to New Verticals
FIELD: So, Stephen, a quick follow-up. Based on what Absolute Software does, is there an ultimate goal to this process?
TREGLIA: Yes, we definitely believe that the analysis we conduct for healthcare can be extended to any other vertical. The HIPAA statute has a provision that, if a covered entity or business associate can show a low probability that critical protected health information (PHI) has been accessed or transferred from a stolen device by unauthorized persons, then it's not considered to be a breach. And if there is no breach, you don't have to comply with the consequences under the law. You don't have to notify the patient, notify the Department of Health and Human Services, any state or local agencies, or go public to the press. It gives healthcare providers a great deal of relief.
So that's ultimately the game plan, and we can provide that documentation to the healthcare provider. Interestingly enough, forensic analysis can recognize whether any breach under HIPAA rules has occurred, which we notably provide to our healthcare customers and to our corporate customers as well.
FIELD: Steve, when we started talking, we mentioned how Absolute Software debuted the DDS approach in healthcare and, since then, you've moved into education and now into the enterprise space. What do you find to be the challenges of scaling up and expanding?
TREGLIA: We are very comfortable in the education space. It's equally our biggest customer, along with the consumer space. And over the last six months or so, healthcare has shown double-digit growth.
So, now we're moving into the corporate world, which has an added dimension that healthcare, with its finite set of well-written laws, doesn't necessarily face. The regulatory environment in the corporate and financial world is much more complex and multilayered. We've been partnering with experts in the corporate and financial sectors across the country who will get us up to speed very quickly into these verticals.
Prepare Before the Breach Happens
FIELD: What would you say is the biggest lesson you've learned from your healthcare, education and consumer clients, and how do you expect it to be applied now to new customers in the enterprise space?
TREGLIA: The biggest lesson we've learned from these clients is that you can never plan soon enough for a breach. You need a foundation in place. If you wait until the breach occurs, you're done because you can't catch up. You need to know where all your vulnerabilities are, both technical and legal. For example, most businesses are multijurisdictional entities, so they have to adhere to the laws of various localities, states, the federal government and the EU, among others. In the same way the Internet is a worldwide network, we are becoming more and more a worldwide economy, and if you're not up to speed with all the dangers, risks and means of response, you are going to be behind the curve.
On top of its other benefits, Absolute's DDS environment gives you our knowledge and experience. We test out the things you need to do, so that you're not facing all these issues for the first time when a breach happens.
Absolute's New SIEM Solution
FIELD: Last question for you. I know you've just debuted a new solution. What can you tell us about it now?
TREGLIA: It's a new SIEM (Security Information and Event Management) solution that creates an integration with already existing network methodologies. We can now integrate information from our DDS mobile device solutions with the network analytics to provide broader analysis throughout your entire system. When events happen, whether on the network or your mobile devices, our new solution can bring all these threads together.
And combined with our Persistence Technology, we give you the advantage of being able to evaluate multiple mobile environments. No matter what devices your employees are using, we have the ability to draw on that information and match it with what's going on in your network environment. We've even partnered with RSA to create a level of understanding that is unique in the marketplace.