Hackers move fast. The cybersecurity industry works hard to move as fast as (or faster than) hackers.
And regulators work to keep pace.
In 2017, the New York Department of Financial Services enacted the sector’s most ambitious set of cybersecurity regulations: 23 NYCRR Part 500. These “Part 500” rules have been updated to reflect the evolving threat landscape; the most recent change (“Amendment 2”), implemented in December 2023, addresses emerging cybersecurity needs, including:
Increased rigor and frequency of updates for cybersecurity plans and policies
More precise control of user access and privileges
A greater emphasis on vulnerability management
Demands for “timely remediation” of any vulnerabilities
Requirements for business continuity planning and resilient backup
Post-incident requirements for regulatory notification
It’s a lot to manage: financial services cybersecurity pros are racing to deflect new threats (on one hand) and looking over their shoulders for new regulations (on the other). And Amendment 2 also includes new requirements for Chief Information Security Officers and internal cybersecurity governing boards–so leadership has to get this right.
Fortunately, Rubrik has cyber resilience solutions that can address many of the financial services industry’s cybersecurity regulatory requirements. Here’s a handy checklist that matches Rubrik products with the Part 500 requirements you may need to address.
#1 Cybersecurity Plans and Policies
What Part 500 Says: The original 2017 text of the Part 500 rules specified that all covered entities must have a cybersecurity incident response plan in place to protect information systems and data at the time of attack. But the requirements for these plans were vague and the timeline for updating them was non-existent. Amendment 2 fixes that: these plans are not just some theoretical effort, but must lead to new procedures that bring these cybersecurity strategies to life within the business. These plans must now be reviewed and updated annually, ensuring that the internal authorities who sign off on them can affirm that their plans and processes for cyber resiliency meet the moment.
How Rubrik can help:
Once the CISO and cybersecurity governing board draw up their plans, Rubrik has a number of offerings that can help execute predetermined procedures in the event of a cybersecurity incident. Notably:
AI support during an incident: When a cyber incident occurs (and research shows, a cyber incident likely WILL occur), it’s essential to keep a cool head and follow predetermined procedures. But what do you do when a novel threat emerges or you find yourself in uncharted cyber territory? When time is short and the stakes are high, it’s good to have an expert in your corner, on demand. That’s where Rubrik’s Ruby can play a critical role, helping analysts learn more about the threat, search for impacted objects, and request recommendations for quarantining and recovering infected data. And Ruby does not assume any cyber expertise from its users, allowing the cybersecurity team to expand its ranks in a time of crisis.
Assist with ransomware recovery: Ransomware is specifically added to the Amendment 2 (500.16) update as an example of the type of cybersecurity incident that would require a response plan. Rubrik’s Ransomware Response Team complements the in-house cybersecurity team to help Rubrik customers restore their environments as quickly and efficiently as possible. RRT staff are available 24x7, 365 days a year to urgently and confidentially aid in incident response and data recovery operations during a ransomware event. Access to RRT is available to any Rubrik customer with an active support contract.
Professional services: Rubrik has experts who can translate an organization’s cybersecurity plans into concrete cyber resilience procedures. A big part of this entails working with Rubrik to set up a series of automated run books in Rubrik Security Cloud. These runbooks enable a cybersecurity team to recover mission-critical and sensitive data with one click. That means: by pushing a big button labeled “Start Cyber Recovery”, data contained in an isolated recovery location can be copied back into production, in accordance with cybersecurity plans.
#2 User access and privileges
What Part 500 Says: Section 12 of the 2017 Part 500 requirements makes a broad statement that multi-factor authentication (MFA) must be used for anyone who accesses the internal systems of a “covered entity” (any business that is subject to the NYDFS rules). But Amendment 2 significantly expands the section to give greater detail regarding exactly who must use MFA. It also underscores that anyone who needs an exemption from MFA must obtain that exemption in writing from the CISO, who in turn must provide adequate alternative controls. So your CISO will be responsible for ensuring MFA is adequately secure across the system.
How Rubrik can help:
Because Rubrik systems play such an essential role in the defense and recovery of business operations, the products include MFA capabilities.
Rubrik supports time-based one-time password (TOTP) MFA for local and LDAP accounts. TOTP MFA is an easy-to-implement solution that does not require additional server tooling or software deployments. It works with commonly available authentication applications, such as Microsoft Authenticator or Google Authenticator. For SSO integration, Rubrik integrates with SAML 2.0 Identity Providers (IdPs), enabling users to access multiple applications with a single set of credentials. SAML identity providers such as Okta, Duo, and Ping Identity can support multiple types of MFA schemes.
Rubrik also provides the next level of permissions management: role-based access control. Users can be granted access only to the data, applications, and instances that are essential to their job role. This kind of segregation of access shrinks the risk that internal actors may take liberties with systems they have no business logging into. Common job roles come pre-built in Rubrik systems (to describe known relationships between classes of employees and system access) but can also be customized to address temporary, project-based access needs or unique roles within the organization.
Quorum authorization also assists in the mitigation of authentication threats by ensuring that changes to designated, mission-critical systems must be reviewed (and agreed upon) by a defined cohort of interested users. That means risky configuration changes or unauthorized downloads cannot happen without additional scrutiny and cohort authorization.
#3 Vulnerability Management
What Part 500 Says:
Amendment 2 changed the title of section 500.5 from “Penetration testing and vulnerability assessments” to “Vulnerability Management.” That change in language sends a necessary signal: It’s not enough to “test” your systems and know where the weaknesses are. Protecting your critical systems against external and internal threats is a continuous process that has to be actively managed to be effective.
Additionally, the vague requirement for “continuous monitoring” has been replaced with a requirement for “automated scans of information systems” with the expectation that any vulnerabilities discovered during these scans are addressed “timely.”
The key to addressing the vulnerability management elements of the Part 500 rules is to find a balance between the strengths of automation and the value of human security work.
How Rubrik can help:
Rubrik has a combination of hands-on and automated tools to detect inbound threats, stifle attacks in progress, and limit the business impact of any system vulnerabilities. Those solutions are organized around four product areas:
Threat Monitoring and Intelligence: Rubrik Threat Monitoring provides continuous threat scans of new backup data, automatic scans of stored backup data, and notifies cybersecurity analysts when a match to a known threat is identified. This approach helps reduce the threat dwell time and, in turn, decreases the likelihood of severe damage. Rubrik Threat Monitoring uses a curated threat intelligence feed that automatically ingests vetted threat intelligence from Rubrik’s InfoSec team, Rubrik Zero Labs, threat intelligence programs, and trusted third party sources. This feed includes YARA rules and file hashes along with advanced metadata enriched indexes to accelerate incremental scanning for indicators of compromise.
Anomaly Detection: Rubrik Anomaly Detection analyzes backup data for unusual behavior and changes caused by an attack. Using machine learning to detect deletions, modifications, and encryptions the solution analyzes unusual access and use patterns to help analysts quickly identify and locate which applications and files were impacted by the attack. This allows the cybersecurity team to surgically recover affected systems, reducing the work (and time) needed to address a cybersecurity event.
Threat Hunting: Identifying what systems were first affected (and when) can be a challenge. Rubrik Threat Hunting allows cybersecurity analysts to explore backup instances for threats using specific hashes, user behavior patterns, and YARA rules to identify indicators of compromise. Further, the team can analyze those backups to pinpoint clean, uninfected snapshots to use for recovery.
Data Loss Prevention: Rubrik Sensitive Data Monitoring uses backup instances to discover and classify sensitive enterprise data. The solution tracks the location of the information that matters most to the business and shares that inventory with Rubrik partner Zscaler. Zscaler can then inspect outbound traffic using a data protection policy that flags completely or partially matching documents as they move across the network. This combination of data-at-rest and data-in-motion monitoring capabilities helps prevent data exfiltration by alerting the cybersecurity team when a user moves sensitive data out of the perimeter of the enterprise.
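The Threat Monitoring, Anomaly Detection, and Threat Hunting passages above describe three checks run against backup data: matching files against a hash-based indicator feed, spotting the change pattern an encryption attack leaves behind, and picking the last clean snapshot to recover from. The following is an added example of that logic in plain Python, not Rubrik’s code and not its actual detection algorithms: it scores each snapshot by IoC hash matches, by files whose byte entropy looks like ciphertext (a simple stand-in for the machine-learning signal the page mentions), and by the fraction of files that changed since the previous snapshot. The snapshots, the file contents, and the “malware” hash are all constructed for the example.

```python
import hashlib
import math
import random
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, bytes]  # path -> file contents at snapshot time

# --- constructed sample data: not real backups, not a real indicator ---
MALWARE_SAMPLE = b"constructed-malware-sample-not-a-real-binary"
IOC_HASHES = {hashlib.sha256(MALWARE_SAMPLE).hexdigest()}  # stands in for the threat feed

_rng = random.Random(7)  # fixed seed so the example is deterministic


def _ciphertext_like(n: int) -> bytes:
    """Stand-in for a ransomware-encrypted file: uniformly random bytes."""
    return bytes(_rng.randrange(256) for _ in range(n))


SNAPSHOTS: List[Tuple[str, Snapshot]] = [
    ("snap-1", {"/docs/report.txt": b"quarterly report draft\n" * 50,
                "/docs/ledger.csv": b"2024-01-01,ACME,120.00\n" * 50,
                "/app/config.ini": b"[db]\nhost=db01\nport=5432\n"}),
    ("snap-2", {"/docs/report.txt": b"quarterly report final\n" * 50,   # ordinary edit
                "/docs/ledger.csv": b"2024-01-01,ACME,120.00\n" * 50,
                "/app/config.ini": b"[db]\nhost=db01\nport=5432\n"}),
    ("snap-3", {"/docs/report.txt": _ciphertext_like(1150),            # encrypted by attacker
                "/docs/ledger.csv": _ciphertext_like(1150),
                "/app/config.ini": b"[db]\nhost=db01\nport=5432\n",
                "/tmp/dropper.bin": MALWARE_SAMPLE}),                   # matches the IoC feed
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for ciphertext, well below that for text and config."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def match_iocs(snap: Snapshot, iocs=IOC_HASHES) -> List[str]:
    """Threat monitoring: paths whose SHA-256 appears in the indicator feed."""
    return sorted(p for p, d in snap.items() if hashlib.sha256(d).hexdigest() in iocs)


def high_entropy_files(snap: Snapshot, threshold: float = 7.0, min_size: int = 256) -> List[str]:
    """Anomaly signal: files large enough to measure that now look like ciphertext."""
    return sorted(p for p, d in snap.items()
                  if len(d) >= min_size and shannon_entropy(d) >= threshold)


def change_ratio(prev: Snapshot, cur: Snapshot) -> float:
    """Fraction of the previous snapshot's file count that changed, appeared, or vanished."""
    paths = set(prev) | set(cur)
    changed = sum(1 for p in paths if prev.get(p) != cur.get(p))
    return changed / max(len(prev), 1)


def analyze(snapshots: List[Tuple[str, Snapshot]], change_threshold: float = 0.5) -> Dict[str, dict]:
    """Run all three checks over the snapshot chain, oldest first."""
    findings: Dict[str, dict] = {}
    prev: Snapshot = {}
    for sid, snap in snapshots:
        f = {
            "ioc_matches": match_iocs(snap),
            "high_entropy": high_entropy_files(snap),
            "change_ratio": round(change_ratio(prev, snap), 2) if prev else 0.0,
        }
        f["clean"] = (not f["ioc_matches"] and not f["high_entropy"]
                      and f["change_ratio"] < change_threshold)
        findings[sid] = f
        prev = snap
    return findings


def last_clean_snapshot(findings: Dict[str, dict]) -> Optional[str]:
    """Threat hunting outcome: the newest snapshot with no findings, i.e. the recovery point."""
    for sid in reversed(list(findings)):
        if findings[sid]["clean"]:
            return sid
    return None


if __name__ == "__main__":
    result = analyze(SNAPSHOTS)
    for sid, f in result.items():
        print(sid, f)
    print("recover from:", last_clean_snapshot(result))
```

Two of the three signals (a small change ratio, a handful of high-entropy files) are normal on their own; it is the combination with an indicator match, or a change ratio far above the workload’s baseline, that justifies quarantining a snapshot rather than recovering from it.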
#4 Timely Remediation of Vulnerabilities
What Part 500 Says:
A recurring notion in the Amendment 2 update is about acting in a timely manner. There are requirements for timely reporting of material cybersecurity issues; timely remediation of known vulnerabilities; timely recovery of critical data and information systems after a cybersecurity incident; and timely disclosure of incident details to customers and regulators. Given the scale and complexity of enterprise systems, cybersecurity leadership needs to make the right investments in processes and technology to keep pace with regulatory expectations.
How Rubrik can help: A number of Rubrik capabilities can be used to quickly identify, isolate, and remediate emerging threats and vulnerabilities, including:
Automated Threat Detection: Rubrik Threat Monitoring is specifically designed to automate malware detection, enabling a proactive and accelerated incident response. By identifying issues promptly, you can swiftly initiate root cause analysis and begin the remediation process, effectively reducing the mean time to resolution. Rubrik Threat Hunting provides security teams with vital visibility into the most crucial components of their infrastructure, even in situations where monitoring capabilities may be limited or challenging. Additionally, automated alerts can be sent to the relevant IT teams, SIEM/SOAR solutions, or existing log management systems, enabling them to address any pressing security concerns and take immediate action.
Threat Containment: By leveraging Rubrik Threat Containment, cybersecurity teams can immediately and automatically quarantine infected files or backup snapshots once they are discovered to be corrupted. By isolating the infected snapshots, Rubrik Threat Containment helps minimize the likelihood of reintroducing the malware into the environment during recovery operations, which leads to less downtime.
Vulnerability Management: One of the best ways to wage a quick defense against cyber threats is to avoid the threat altogether. Rubrik product development continuously scans the products it works on for vulnerabilities–and the products are updated regularly to proactively protect against new threats. Fixes for zero-day vulnerabilities are installed urgently.
#5 Business Continuity Planning and Resilient Backup
What Part 500 Says:
In addition to more intense demands and scrutiny of a business’ cybersecurity plan, Amendment 2 also adds a business continuity and disaster recovery plan to the mix. The rule insists that this new plan must assure a “timely recovery of critical data and information systems” to “resume operations as soon as reasonably possible.”
Central to this plan is the ability to bring IT-based business operations back online quickly after an attack. Systems for frequent, offsite backup are explicitly mentioned in the rules, with the understanding that if backup policies and procedures are not adequate to meet the moment, covered entities will not be able to bring the business back online without some loss. “Each covered entity shall maintain backups necessary to restore material operations. The backups shall be adequately protected from unauthorized alterations or destruction.”
How Rubrik can help:
For ten years, Rubrik’s core business has been devoted to creating some of the most robust backup and recovery capabilities in the tech industry. With Rubrik Security Cloud, cybersecurity teams can set up policies for archival, replication, and data backup of local and cloud based files that support business continuity.
Here are some of Rubrik’s unique features that make the solution ideal for cyber resilience and business continuity:
Native immutable file system: Rubrik’s filesystem is natively immutable by design. What does that mean? It means that data written to the system cannot be altered once written, so malware cannot be installed in an immutable backup system. Immutable backup data, by design, cannot be encrypted and held hostage, and malicious actors cannot delete it. By contrast, conventional backup systems can be altered, so their data is vulnerable to encryption or deletion during an attack (and ransomware attacks that target backups are on the rise). Restoring from an immutable backup snapshot is the only way to ensure a clean recovery after production systems are compromised.
Zero trust architecture: Rubrik solutions are engineered based on zero trust design principles: reduce intrusion risk, ensure data security, detect anomalous activity, and enforce compliance. Zero Trust principles assume all users, devices, and applications are untrustworthy and can be compromised. Only users that have been authenticated using multi-factor methods get access to data—and only to the data they need. Permissions and access are strictly limited, to prevent users from taking malicious actions against stored data.
Encryption: Encrypting backup data ensures that if malware or a hacker gains access to your backup data, it cannot be read, reducing the risk that sensitive customer and employee data or valuable intellectual property will be breached. Rubrik delivers encryption for data-at-rest and data-in-flight, meaning that data is secure whether it’s sitting on a server or moving between servers.
Logical air gap: Rubrik backup storage is not online, nor is it accessible through insecure protocols; there’s a logical air gap that blocks data from being discoverable or accessible. A logical air gap refers to the segregation and protection of a network-connected digital asset by means of logical processes. For example, through encryption and hashing, coupled with role-based access controls, it is possible to achieve the same security outcomes that are available through a physical air gap.
Orchestrated Application Recovery: This feature in Rubrik Security Cloud allows users to write recovery plans that group several related virtual machines into a single recovery object. That way, cybersecurity teams can align the recovery of key business applications with the goals of the business continuity plans–allocating the off-site compute, storage, and network resources necessary to keep those virtual machines, and therefore the application, up. Recovery orchestration ensures that the recovery plan brings these virtual machines back online in priority order, allowing the cybersecurity team to first devote resources to the mission-critical systems required for business continuity.
Retention-locked SLAs: Service Level Agreements (SLAs) set protection levels for data backup workloads. Deploying SLAs in Rubrik Security Cloud allows the cybersecurity team to create rules for data backup: how often snapshots are taken and how long they are kept, for example. Setting SLAs for backup can be very powerful, as it automates the essential (but mundane) tasks associated with copying and saving enterprise data. But if a bad actor gained access to these SLAs, they could wreak havoc by disabling basic backup processes that the cybersecurity team takes for granted. Rubrik Security Cloud features retention lock, which prevents users from altering the parameters of these SLAs. For example, a disgruntled employee with privileged access cannot modify a retention locked SLA in a way that results in backup data loss. Also, retention locked SLA archival targets cannot be modified, preventing the redirection of data outside of company control.
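The retention-lock passage above and the quorum-authorization passage in section #2 both describe the same kind of control: a change that would weaken backup protection is refused, or at least cannot be made by one person alone. The following is an added example that models those two gates in a hypothetical SLA policy object; it is not Rubrik’s code and does not claim to reproduce how Rubrik Security Cloud implements retention lock or quorum. The policy fields, the approver cohort names, and the rule that a locked policy can never be weakened (while a non-locked one needs approvals from two cohort members other than the requester) are all assumptions of the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


class PolicyViolation(Exception):
    """Raised when a proposed SLA change is refused."""


@dataclass(frozen=True)
class SLAPolicy:
    """Hypothetical model of a backup SLA (not Rubrik's data model)."""
    name: str
    snapshot_interval_hours: int   # how often snapshots are taken
    retention_days: int            # how long they are kept
    archive_target: Optional[str]  # where long-term copies are sent
    retention_locked: bool = False # modelled retention lock flag


# Constructed approver cohort for quorum authorization (hypothetical role names).
APPROVER_COHORT: FrozenSet[str] = frozenset({"ciso", "backup-lead", "infra-lead"})


def weakening_reasons(current: SLAPolicy, proposed: SLAPolicy) -> List[str]:
    """Every way in which `proposed` protects less than `current`; empty if none."""
    reasons = []
    if proposed.snapshot_interval_hours > current.snapshot_interval_hours:
        reasons.append("snapshots would be taken less often")
    if proposed.retention_days < current.retention_days:
        reasons.append("retention would be shortened")
    if proposed.archive_target != current.archive_target:
        reasons.append("archive target would change")
    if current.retention_locked and not proposed.retention_locked:
        reasons.append("retention lock would be removed")
    return reasons


def apply_change(current: SLAPolicy, proposed: SLAPolicy, requester: str,
                 approvals: Iterable[str] = (), cohort: FrozenSet[str] = APPROVER_COHORT,
                 quorum: int = 2) -> SLAPolicy:
    """Gate 1: a retention-locked policy can never be weakened.
    Gate 2: weakening an unlocked policy needs `quorum` approvals from cohort
    members other than the requester. Neutral or stronger changes pass."""
    reasons = weakening_reasons(current, proposed)
    if not reasons:
        return proposed
    if current.retention_locked:
        raise PolicyViolation(f"{current.name} is retention-locked: " + "; ".join(reasons))
    valid = (frozenset(approvals) & cohort) - {requester}  # no self-approval
    if len(valid) < quorum:
        raise PolicyViolation(
            f"{current.name}: weakening change needs {quorum} cohort approvals, got {len(valid)}")
    return proposed


def change_allowed(current: SLAPolicy, proposed: SLAPolicy, requester: str,
                   approvals: Iterable[str] = ()) -> bool:
    """Convenience wrapper: True if apply_change would accept the change."""
    try:
        apply_change(current, proposed, requester, approvals)
        return True
    except PolicyViolation:
        return False


if __name__ == "__main__":
    gold = SLAPolicy("gold", 4, 30, "vault-archive", retention_locked=True)
    shortened = SLAPolicy("gold", 4, 1, "vault-archive", retention_locked=True)
    print("single admin shortens locked retention:", change_allowed(gold, shortened, "admin1"))
    silver = SLAPolicy("silver", 24, 14, "vault-archive")
    weaker = SLAPolicy("silver", 24, 7, "vault-archive")
    print("unlocked, no approvals:", change_allowed(silver, weaker, "admin1"))
    print("unlocked, two cohort approvals:",
          change_allowed(silver, weaker, "admin1", {"ciso", "backup-lead"}))
```

The point of modelling the check this way is that the lock is evaluated against the current policy, not the proposed one: a request that sets `retention_locked` to false is itself a weakening change and is refused, so a single privileged account cannot first unlock and then shorten.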
#6 Public Notification
What Part 500 Says:
The Part 500 rules insist that covered entities must report details of a cybersecurity incident to the NYDFS within 72 hours after determining that an incident has occurred. The Department may request additional information about the details of the incident–and the cybersecurity team must promptly provide that information. The CISO can’t simply say “We were hit by ransomware.” Regulators will likely expect an account of how the attack happened, what data was exposed, and what the team did to remediate.
With only three days to assemble that information–and the enterprise still dealing with the fallout from the attack–the cybersecurity team will be hard pressed to deliver an accurate account of the incident.
How Rubrik can help:
Fortunately, Rubrik Compliance and Risk Mitigation can assist with notification. Rubrik can automatically diagnose the scope of attack impact and provides a clear view into what data was impacted and where it resides. Rubrik Sensitive Data Discovery automatically discovers, classifies, and reports on where certain types of sensitive data reside to help manage regulatory notification requirements. And since Rubrik Sensitive Data Discovery does not use virtual machines (which can be destroyed during a cyberattack), users can be assured they will maintain access to the detailed insights they need to manage the requirements for sensitive data reporting.