Industry Compliance

Confidently Meet Data Privacy Regulations

New Security Solutions for Complex Compliance Challenges

An increasing number of data privacy regulations are being implemented at the state, national, international, and industry levels.

It all adds up to a complex and confusing landscape. Bad enough, but most traditional security tools focus too much on breach detection and prevention and don’t do enough to protect critical data assets across the enterprise. As a result, they can’t be relied on to meet various compliance requirements, such as GDPR’s 72-hour notification of a breach.

ARIA Cybersecurity solutions are proven to comply with today’s data privacy regulations, and we’re committed to developing new solutions to help you achieve compliance with additional regulations in the future.

Achieve compliance with ARIA solutions

  • Meet, even exceed, even the most stringent compliance requirements

  • Ensure the protection of critical high-value data and assets, such as PII and PHI data

  • Perform detailed reporting needed to comply with today’s data-privacy requirements

  • Identify the exact data impacted by a potential breach

Read our latest How-To guide! Download Now

What is the Cybersecurity Maturity Model Certification

The Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) to protect controlled unclassified information (CUI) within the entirety of the defense industrial base (DIB) of vendors, including all defense contractors and subcontractors. Starting in the fall of 2020, CMMC will be a requirement for all entities performing work for the DoD and other federal agencies.

The DoD has defined five different levels of CMMC compliance, ranging from basic data hygiene to advanced security. Each step comes with its own set of supporting practices and processes.

To meet a specific level’s requirements, contractors must first comply with all of the practices and processes within the level (or levels) that preceded it. It can be challenging since this approach creates a demanding “all or nothing” model to achieve compliance with all five levels.

Our Solution:

ARIA Cybersecurity solutions provide a unique approach to cybersecurity protection that encompasses all of these capabilities and more in one platform.

ARIA Advanced Detection and Response (ADR) solution is a single platform approach for enterprise-wide automated threat detection, containment and remediation. This “SOC-in-a-box” gives organizations all the benefits of a full SOC, in addition to automation and AI/ML capabilities, at a fraction of the cost.

Where other security solutions provide limited, or no, threat coverage ARIA ADR provides complete visibility into all parts of an organization’s network. This increased network visibility is critical to find the most harmful threats faster and earlier in the attack lifecycle before significant damage can be done.

Additionally, the ARIA Packet Intelligence (PI) application is integrated with the ARIA ADR solution, yet it can also run independently to improve the performance and effectiveness of existing security tools like SIEMs, IDSs/IPSs, UEBAs or SOARs. The application deploys transparently in the network and monitors all network traffic, including often unseen I IoT devices.

The application classifies this data and generates NetFlow metadata for all packet traffic, which can be directed to existing security tools like SIEMs, to surface validated threat alerts, or other analysis. All of this happens on the fly without impacting delivery to allow the monitoring of various IoT devices in network aggregation points that are usually one step back in the wireline network.

What is GDPR?

The EU’s General Data Protection Regulation (GDPR) is a set of rules designed to give EU citizens more control over their personal data. In addition to stiff fines (up to $20M Euros or 4% of revenue), a critical component of GDPR is that organizations that collect data from EU citizens must comply, even if they do not conduct business in the EU.

Another key consideration is that a EU citizen can bring civil suits against companies to hold them accountable for lost data. Perhaps the most concerning is that GDPR dictates a 72-hour notification period.

Many experts view GDPR as the first regulation that will lead to a global domino effect of similar regulations. Companies may be watching to see how GDPR expands outside the EU – and how related regulations could affect them.

Our Solution:

ARIA cybersecurity products assist organizations in meeting or beating GDPR compliance requirements in three critical ways:

  1. The first is providing enhanced network security capabilities, including complete east-west traffic monitoring, automated policy enforcement and most importantly, immediate alert of an ongoing verified breach, giving the opportunity to rapidly identify and disrupt the attack. At the same time, our solutions generate a highly detailed report showing the exact data records that were impacted

  2. The second is simplified data encryption capabilities to fully protect all critical assets, like PII or ePHI, no matter where it is stored, used, or accessed throughout the environment – including application security for the data within and produced.

  3. Finally, our solutions make existing threat analysis tools, such as SIEMS or IPS much more effective at threat detection. Our tools drastically reduce the scope of intrusion alerts for investigation and analysis. Additionally, our solutions feed these tools additional intelligence, such as flow-level metadata, to perform highly effective, focused analyses.

The combination of highly detailed reporting and full encryption leads to the proof and auditing means for improved GDPR compliance.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 regulations designed to reduce fraud and protect customer credit card information.

These standards were developed to ensure that all companies that accept, process, store, or transmit credit card information will maintain a secure network, manage a vulnerability program, implement strong access control measures, as well as regularly monitor and test networks, and maintain an information security policy.

PCI DSS requirements are constantly being updated to keep pace with the evolving threat challenges, so it can be a challenge to keep your security program in sync.

Our Solution:

ARIA’s cybersecurity solutions provide credit card merchants, brokers, or clearinghouses the tools needed to comply with the network monitoring, testing, and information security requirements set forth by PCI DSS.

Using our enhanced network security solutions, InfoSec teams can automatically set and enforce network policies to block improper access, as well as conduct full PCI data monitoring across the entire network, including north-south and east-west traffic.

Our packet intelligence applications can isolate suspicious conversations between PCI data assets and feed this traffic, as well as other related intelligence, to existing threat analysis tools, like SIEM or IPS. This enhanced and extremely relevant data improves the effectiveness of threat detection and accelerates incident response with a rapid and focused forensic analysis.

In addition, our simplified data encryption and encryption key management solutions fully protect personal details related to credit cards and any applications involved in financial transactions – no matter where they are stored, used, or accessed throughout the environment.

For PCI application developers leveraging a DevOps approach and are evolving to a SecDevOps approach, ARIA provides simple connectors to easily build encryption and other advanced security features into their applications. No coding needed!

What is HIPPA?

The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of individuals’ personal health information (PHI), and data in electronic form (e-PHI). Any healthcare organization, including hospitals, medical records, insurance, and other medical-related businesses that stores, processes, or transmits PHI data electronically must meet HIPAA compliance requirements.

The Security Standards for the Protection of Electronic Protected Health Information, known as the Security Rule, addresses the technical and non-technical safeguards that covered entities must put in place to secure individuals’ e-PHI. This rule is organized into a set of national security standards with implementation and compliance requirements. Additionally, these standards are grouped into five categories: administrative safeguards, physical safeguards, technical safeguards, organizational requirements, and policies and procedures.

Our Solution:

ARIA cybersecurity solutions help healthcare organizations satisfy the mandatory administrative, physical, and technical safeguard requirements needed to maintain compliance with the Security Rule, as well as document every security compliance measure.

With our ARIA SDS applications for enhanced network security and data protection, all e-PHI and other critical assets are protected with automatic network monitoring, including east-west traffic, enforcepolicy control and/or encryption. All data is protected, no matter where the it resides, is used, or accessed – including data that is used or created by applications.

Any intrusions or potential misuse of ePHI are automatically flagged, verified, and reported on to identify the exact ePHI data, if any, was impacted. Further threat analysis, through a SIEM or other tools, can be conducted as only the data that matters is redirected for ingest – a threat against critical assets. With this material, security teams can conduct a not only a rapid, but surgical and thorough forensic breach analysis to quickly generate auditable reporting required for HIPAA compliance.

What is the NYDFS and 23 NYCRR 500?

The New York State Department of Financial Services’ (NYDFS) mandatory cybersecurity policy requires organizations to establish and maintain a “risk-based, holistic, and robust security program.” The ultimate goal is that any cybersecurity policy must be designed to not only protect consumers’ highly sensitive data, such as financial transactions and other personal identifiable information (PII), but prove any and all measures taken to protect this data.

Additionally, the NYDFS has instituted another cybersecurity regulation for financial institutions: 23 NYCRR 500.

Both of these regulations acknowledge the ever-growing threat posed by cyber-criminals and are designed to ensure that financial services institutions are doing all they can to protect their customers’ confidential information from cyber-attacks.

How does a company prove compliance? It’s a real that includes conducting regular security risk assessments, keeping audit trails of asset use, providing defensive infrastructures, maintaining policies and procedures for cyber security, and creating an incident response plan.

Our Solution:

ARIA cybersecurity solutions can help New York or any other financial services organization improve its compliance efforts and results with complete data protection, including encryption.

Our portfolio of cybersecurity solutions provides powerful enhanced network security with complete traffic monitoring, including east-west traffic, for complete visibility into transactions or conversations between specified high-value data and assets. By isolating down on the threats and data that matters and redirecting that information to security tools, like SIEMs or IPS, they become much more effective at threat detection, prevention, and analysis.

In addition, automatic policy enforcement ensures that data access has the appropriate level of access control, with immediate notification if unauthorized access is identified. With our data protection capabilities, an organization’s most important data is encrypted, even while it is in use or motion, to make it unreadable if an intrusion is successful.

For foolproof breach response our automated breach identification and incident response solutions quickly verify a breach, leveraging data from firewalls or other tools, while it is ongoing, and immediately dispatch a notification along with detailed reporting on the full extent of the breach. This type of information is critical for a complete and highly focused forensic analysis – resulting in the auditable reporting needed for NYDFS and 23 NYCRR 500 compliance.

What is FISMA?

The Federal Information Security Management Act (FISMA) assigns responsibilities to various federal agencies to develop, document, and implement an information security program to safeguard their systems and data to ensure the security of data in the federal government. In addition to government agencies, FISMA also applies to contractors and third parties that use or operate an information system on behalf of a federal agency.

One of the core requirements of FISMA is compliance with the United States Government Configuration Baseline (USGCB). USGCB is a government-wide initiative that provides guidance to federal agencies on secure configuration settings for IT products, specifically on desktops and laptops. Security Content Automation Protocol (SCAP)-validated technologies can be used to assess compliance of systems with USGCB.

Our Solution:

ARIA cybersecurity solutions provide an easy and cost-effective approach for organizations to meet the network, data, and reporting requirements dictated in FISMA. This includes the safeguarding of data, conducting reviews internally and independently for compliance, implementing policies and procedures to reduce risk to an acceptable level, and reviewing and testing procedures to ensure effectiveness develop standards for categorizing information and information systems by mission impact.

Using our comprehensive enhanced network security, data protection, application security, and incident response solutions, organizations can develop and implement a security strategy in accordance with the FISMA standard. The automated threat identification and monitoring capabilities found in our breach and incident response solutions, as well as our enhanced network monitoring and improved packet intelligence applications, deliver cost-effective ways for organizations to improve their overall security posture.

In addition, organizations can rest assured that any reporting and auditing needs can be met with as our solutions provide the details needed to know the exact extent of an malicious intrusion, if one did occur.

What is Critical Controls?

The Center for Internet Security (CIS) Top 20 Critical Security Controls is a prioritized set of best practices created to stop today’s most pervasive and dangerous threats. It was developed by leading security experts from around the world and is refined and validated every year.

These controls are intended to help organizations improve their overall security and compliance programs and create community-developed security configuration benchmarks to increase security efforts and results.

Our Solution:

ARIA makes it easy for organizations to develop and implement a flexible, scalable enterprise-wide network security strategy that not only adheres to but adapts to the critical controls evolving best practices.

Our comprehensive solutions for network, data protection and application security s protect an organization’s critical data no matter where it is located, used, or accessed.

Additionally, enhanced network security applications, including full network monitoring, including east-west traffic, provide the insights,visibility and better intelligence on what’s happening throughout the network – each critical for smarter security decisions. Threat analysis tools become more effective as targeted and the most relevant data are directed for further analysis.

In addition, InfoSec resources can automatically apply and manage access policy controls, as well as manage and generate encryption keys for complete protection of not only the data within and produced by application, but also what can connect to the applications themselves.

Our breach and incident response solutions provide the notification of a verified breach, while it is ongoing as well as the detailed reporting needed to prove and mitigate the effect of a breach – if not disrupt it and eliminate it completely.

What are Center of Internet Security (CIS) Benchmarks?

The Center of Internet Security (CIS) is a non-for-profit organization that develops its own Configuration Policy Benchmarks, or CIS benchmarks, that allow organizations to improve their security and compliance programs and posture.

This initiative aims to create community-developed security configuration baselines, or CIS benchmarks, for IT and security products that are commonly found throughout organizations.

Our Solution:

ARIA cybersecurity solutions make it easy for organizations to follow and scale to meet the CIS benchmarks.

With an easy-to-implement, flexible, and scalable approach to comprehensive enterprise-wide network and data security, our solutions protect an organization’s critical data no matter where it is located, used, or accessed.

Security personnel can leverage automated capabilities to discover and secure VMs and containers within their IT and network infrastructure as they spawn. Full network traffic monitoring, including east-west, provides the insights, enhanced intelligence and visibility on what’s happening throughout the network needed for faster, smarter incident and breach response.

With enhanced network security and application security capabilities, InfoSec resources can automatically apply and enforce access policy controls, securing not only what can connector or access the data but using sophisticated encryption techniques, within and produced by applications.

In most cases our cybersecurity solution augment security tools already in place. For instance our breach response solution leverages intrusion alerts to identify the alerts that matter, drastically reducing the scope but also verify breaches, in real time, and provide the notification of a breach, while it is occuring. It also provides the detailed reporting needed to prove and mitigate the effects of a breach – if not disrupt it or eliminate it completely. Both are important to proving compliance to data privacy and security.

What is Sarbanes-Oxley?

Created in response to the accounting scandals that occurred at major corporations in 2001 and 2002, the Sarbanes-Oxley Act (SOX) requires that publicly-traded companies ensure their internal business processes are properly monitored, managed, and auditable.

The main intention of SOX is to establish verifiable security controls to protect against disclosure of confidential data and tracking of personnel to detect data tampering that may be fraud related. SOX requires the timely monitoring and response to issues that may materially affect data used or relied upon to generate public financial reports. Financial reporting processes are driven by IT systems, so IT needs to be configured securely, maintained properly, and monitored.

All public companies now must comply with SOX, both on the financial side and on the IT side. While the act does not specify how a business should store records or establish a set of business practices, it does define which records should be stored and the length of time for the storage – which is not less than five years.

Our Solution:

ARIA cybersecurity solutions make it easy for organizations to meet and prove compliance with the financial and IT requirements set forth by SOX. To be fully SOX-compliant, organizations must not only secure any financial and PII data, but also log and audit access to it and other critical files used in preparation of public financial reports.

Our enhanced network security solutions enable organizations to automatically monitor, apply policies against, and encrypt their high-value data, as well as control and record all devices that access that data. For full compliance assurance, all network traffic, including east-west, is not only monitored but all or specific data (like PII) is recorded for analysis and auditing purposes. These details can provide the insight needed to prove unauthorized access (if any) as well as all the exact extent of the data impacted and whether that data was encrypted, and therefore unusable.

It is an easy and cost-effective ways for organizations to augment their existing security infrastructure and tools and to easily strengthen their security posture.

What is NIST

NIST Special Publication 800-53 provides a catalog of security controls and guidelines for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce.

NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act of 2002 (FISMA) and to help with managing cost effective programs to protect their information and information systems.

Our Solution:

ARIA cybersecurity solutions make it easy for federal agencies, including those in the government, healthcare, and education industries, to follow the incident response standards and requirements specifically set forth by NIST 800.53.

Our enhanced network security, data security, and incident response solutions enable organizations to meet 800.86 for forensic incident response as well as 800.171 for inspection. For fast, focused breach response, our solutions enable automated notification and detailed reporting of verified breaches. This detailed information can be redirected to existing threat analysis tools, such as SIEM or IPS, for a complete forensic analysis that can be completed in just hours, not the typical weeks or months.

Organizations rely on ARIA for a flexible, scalable, and cost-effective way for data protection, including not only data encryption but also encryption key generation and management, which is critical in meeting the FIPS 199 and FIPS 200 requirements. Our solutions also augment any organization’s existing security infrastructure and tools to strengthen their overall security posture.