Contact Us


Secure and Fast - 5G Security

Cavirin, Accedian, and Quali Enabling More Secure and Visible 5G Deployments

5G deployments introduce additional security and performance concerns, along with the need to effectively model the infrastructure before deployment. At the upcoming Mobile World Congress in Barcelona, Cavirin is pleased to be included within Accedian’s and Quali’s, ‘Secure and Fast,’ a solution that addresses these sometimes conflicting requirements and embraces DevSecOps.

Secure and Fast - 5G Security

First, consider the diverse 5G use cases, spanning high-bandwidth fixed connectivity, low-power remote sensor networks and even low-latency autonomous vehicles. In order to effectively validate these use cases, the network must be effectively modeled long before deployment, and one way to accomplish this is via what Quali terms ‘Environments-as-a Service,’ or EaaS. This modeling spans the network, content, data, and applications, ultimately positively impacting the Quality of Experience for 5G subscribers.

One way to look at it is a twin to the public or private cloud, where developers, testers, and ops interact with the environment from the perspective of management, monitoring, provisioning, and configuration as if they were operating on an actual deployment. This is then paired with Cavirin’s ‘CyberPosture Intelligence’ and Accedian’s ‘Complete Visibility.’ Note that these are only two of the potential DevOps automation tools, spanning security, coding, and load/performance, that could in the future add to the solution.

Secure and Fast - 5G Security

Cavirin’s role within Secure and Fast is to address the security challenges facing 5G rollouts, including general cybersecurity threats and data breaches, as well as more specific requirements such as addressing security vulnerabilities, regulatory compliance, and data privacy. This is paired with Accedian SkyLIGHT PVX, designed to address visibility challenges that include performance, application responsiveness, as well as workflow analytics and efficiency. Quali, as depicted in the figure below, effectively models various aspects of the proposed deployment, including the different tools, clouds, applications, networks, and finally, devices.


Secure and Fast - 5G Security


For the operator, Cavirin will deliver a security and compliance vulnerability score, while Accedian’s contribution is a network and application performance score.  These scores, coupled with Quali EaaS, will permit organizations to simplify application and cloud rollouts, automate and expedite deployment processes, validate cybersecurity postures, and gain visibility into resource usage and potential performance impacts.  The advantage is that this all takes place in a replicable and secure sandbox environment before going ‘live’ with any changes or updates. 

Benefits to both enterprises and service providers are many-fold, and include:

  • Faster delivery of physical, virtual and cloud infrastructure for new products and services
  • Real-time monitoring of application performance and transaction times across multi-cloud environments
  • Ability to pinpoint the root-causes of performance degradations
  • Comprehensive visibility into the impact of the overall system security posture
  • Risk-free, lab-as-a-service tests of SDN and 5G network slices 

Secure & Fast will be demonstrated at Mobile World Congress Feb 25-29 in Barcelona and during RSA March 4-8 in San Francisco--Read the press release. To book a meeting or to express interest in trialing this new solution, please visit  


Cybersecurity and Homeland Security

The Damage A Second Shutdown Will Cause

Just over a month ago, we wrote about the potential impact of the government shutdown on our national cybersecurity posture--much like going off on vacation and forgetting to lock all the doors. And as expected, impacts were:

  • Externally visible, such as website TLS expirations and the associated security risks that come along with that.
  • Internally painful, including the inability to effectively respond to day-to-day threats and the vulnerabilities the agencies are still dealing with today.
  • Long term crippling, breaking down the confidence of mission-critical government employees and the belief that their careers are secure and that their actions are valued.
    • Some of the critical agencies caught up in the shutdown: the Cybersecurity and Infrastructure Security Agency, the U.S. Secret Service at DHS, the FBI and computer crime prosecutors at DoJ, and Commerce agencies (NIST, NTIA, and the NCCoE).

Even though the shutdown is over, many are still dealing with the financial impact and the potential windows it opened to future security threats.  Plus, some of those cybersecurity professionals who were considering a move to the private sector, are making their move.  Adding insult to injury, there have been multiple reports recently that many government agencies are in fact less secure than their civilian counterparts.

Yes, there are a number of initiatives underway to directly address the government skills shortage, and some proposals are on the table to expand the country’s artificial intelligence strategy to maintain and advance national security, but that’s for tomorrow.  What about today?

As of Feb 12th, it is still touch-and-go whether the government will be funded after Feb 15th.  Negotiations in Congress could still break down, or the resolution could be vetoed by the president.  So with our cybersecurity at risk, what immediate action should be taken to maintain our country’s CyberPosture? 

Irrespective of whether another shutdown occurs, the various government agencies need to take a step back and closely evaluate their security protocols. They need to identify critical systems and potential vulnerabilities and add them to the set of assets that are monitored and maintained 24x7, independent of what happens on Capitol Hill. During the January shutdown, it was reported that security operations, software patching, and penetration testing all suffered, opening many windows to cyber attacks. Moving forward, agencies must introduce any and all possible security automation to ‘keep the lights on’ so-to-speak in the event of a repeat shutdown.  

Check out the Cavirin whitepaper, Accelerating Responses to Security Gaps Through Automation, for those looking to minimize the risks due to change management delays and manual processes.

Federal Privacy Regulations

Is 2019 The Year for Federal Privacy Regulations?

Over the past year, we’ve written about GDPR, the proposed California’s Consumer Privacy Act (CCPA), and support of the GDPR technical controls within our product offering.  Though a minority of the states are modeling proposed privacy regulations on GDPR or CCPA, there has been no unified action at the national level due to differing viewpoints.  Luckily, we’ve reached a tipping point, and if 2018 was the year that breaches became the topic of common discourse, 2019 should be the year that we’ll see real action taken to protect our privacy. 

Federal Privacy Security


In a Feb 5th opinion piece, the New York Times called for the Federal Trade Commission (FTC) to step in regarding Facebook’s application integration plans.  A way to look at this is for the FTC to take a more expansive role, not only looking at traditional metrics such as pricing but also taking into potential negative impacts on privacy.

As the Times points out, the proposed integration not only introduces additional privacy concerns due to data sharing across applications where users expect different privacy guarantees, it is also possible that Facebook is attempting to fast-track the consolidation to head off potential future FTC anti-trust action.  It may seem obvious, that if the services are in fact combined, all current users will need to accept the revised privacy terms, with their accounts placed in an inactive mode until which time they accept this.

Adding fuel to the fire, as I write, the German regulators have ordered Facebook to radically change how the company gathers and uses information, considering it a violation of privacy to gather data from 3rd parties, even if publicly available, for the purpose of profiling individuals.  Whether other countries take the same view is yet to be determines.

Where does that leave us?  One area of disagreement is between internet properties that rely on the monetization of user data (including advertising) and those that have less skin in the game.   Cisco, not surprisingly, has recently come out in favor of a GDPR-like regulation on the national level.  Apple straddles both domains and has also voiced approval.  Note that companies that do business in the EU are in fact subject to many GDPR provisions already, and those tech firms based in California will be subject to CCPA.  That leaves Facebook, Google, and others, their viewpoints evident in the controversy mentioned earlier.  

If the new Congress does its work, it will develop legislation that places personal privacy first, and the affected internet properties will understand that any action now will head off potentially more stringent regulations in the future.  They must also take into account any state regulations, and not attempt to pass a regulation that offers weaker guarantees.  Though some consider this hybrid approach onerous, it, in fact, can be effective such as with California’s auto emission guidelines.  And, as soon as we place a federal privacy regulation behind us, we can spend time on an issue just as important, or even more important: Security the Internet of Things.

For information on automating compliance in your organization visit

security automation framework


We’re excited to wrap up and announce our Winter 2019 release!

Customers will benefit from closed-loop security, which unlike siloed approaches to proactive and reactive security, assesses the impact of alerts related to new, deleted or changed resources from AWS CloudTrail and Google StackDriver Monitoring using CyberPosture scoring to prioritize infrastructure changes based on their risk. As part of closed loop GCP security, a Cavirin-developed Google Function watches Google StackDriver Monitoring for events related to the creation, deletion and changes to specific Google resource types. As these changes accumulate beyond a certain threshold, Cavirin triggers an assessment of your GCP account. This results in CyberPosture scores for affected resources which in turn helps create a remediation plan sorted based on improvement to security posture. A similar (alert -> threshold trips -> assess -> score) blueprint applies to AWS resources based on AWS Lambda Functions and AWS CloudTrail events.

Next, prioritized security gaps can be auto-remediated using AWS Lambda and Google Functions, as applicable. As the figure below shows, the remediation blueprint for Google comprises of a Google Function that watches for remediation requests from the Cavirin server on a GCP PubSub topic. As the Google Function remediates security gaps, the Cavirin server processes the remediation confirmations as another set of changes to your environment. As before, as changes accumulate beyond a threshold, an assessment is triggered, resulting in updated and improved CyberPosture scores. A similar remediation blueprint applies to AWS.


machine learning in cyber security


Extending closed loop security to operating systems resources, the Winter 2019 release also offers Ansible integration to streamline the hardening of operating systems powering compute instances. Cavirin periodically assesses all instances, checking for drift against a known baseline and recommending and carrying out remediation through Ansible to re-establish the instances’ golden posture. As the figure below shows, as we assess OS resources for policy packs like CIS and generate Ansible artifacts, in particular a variables file (list of failed policies to remediate) and a hosts file (list of Ansible-managed resources that require remediation), which when applied with the Ansible playbook for the given policy pack results in a return to the golden posture.

ai machine learning

Compliance and security professionals struggle with translating regulatory requirements and industry standards to automated technical controls – spreadsheets and manual mapping processes are the state of the art. While organizations like UCF have provided a universal/canonical representation of regulatory requirements, gaps still remain with respect to mapping requirements to technical controls with quantitative inputs that can drive risk scoring and security analytics.  Cavirin’s Winter 2019 release is the first to apply machine learning to recommend technical controls for industry standards (e.g. NIST 800-171) and regulatory frameworks (e.g HIPAA) with associated weights and severities which in turn drives the ability for customers to drive compliance based on risk, using Cavirin’s CyberPosture scores. Machine Learning ensures consistency of mapping and the resulting weights and severity. This further improves the efficacy of CyberPosture scoring and resulting remediation guidance.


cybersecurity through machine learning

Announced earlier, we now feed security findings for resources in a customer’s Google Cloud Platform into Google Cloud Security Command Center, which unifies security finds from a select group of Google Cloud partners. To leverage this feature, be sure to check out Cavirin Cloud SCC Companion and Cavirin CyberPosture Intelligence on the Google Cloud Marketplace!

deep learning for cybersecurity

Reporting enhancements: A new change reports feature offers the ability to compare the latest assessments against the previous one enabling users to quickly gauge the effectiveness of change management. A new reporting service for RSA-Archer permits management of Cavirin-reported compliance posture gaps through an organization’s existing GRC platform. 

Enhanced connectivity through Bastion and proxy hosts: Network segmentation and isolation are important best practices. With the Winter release, customers can isolate compute instances behind bastions and proxy hosts while allowing Cavirin to discover and assess these assets.  

Other new capabilities include additional OS scanning support, including for Amazon Linux 2, SUSE Linux 11/12 and Ubuntu 18.04.


Smart City Security - NIST CSF

Our Rush to Automate Our Cites 

In “The ‘Too-Smart’ Home – Uninvited Guests,” I look at unintentional threats due to insecure internet-connected devices. Do we face some of the same issues with our rush to automate our smart cities, where spending is expected to grow from $80 billion in 2018 to over $158 billion by 2021? As reported numerous times over the past year, the answer is a resounding yes, with Industrial Internet of Things (IIoT) devices harboring an unknown number of vulnerabilities. The New York Times even recently reported on the potential threat, citing that cities, in the rush to publicize their ‘smart creds’, many times don’t understand the privacy, security, and financial implications of their deployments. These deployments are many times proposed by technology vendors, not always taking into account the readiness of the city to properly manage them. However, not all is lost!

Smart City threats - NIST CSF 

Attack Vectors

As with the home, it is not only the infrastructure that may be compromised, but the data gathered as well.  But in contrast with the home, both outcomes may be much more damaging, if not fatal.  One good measure of potential vulnerabilities is to map a typical smart city to the 16 DHS critical infrastructure sectors




Relevant areas of concern include communications, emergency services, government, and commercial facilities, information technology, transportation systems, water and wastewater, and in many cases, energy, healthcare, and dams. Instead of each of these separately managed and secured, under a smart city initiative, one or more may very well be under the control of a single, interconnected operations platform, where a single breach may impact multiple sectors simultaneously.  Highlighting concerns, a recent ISACA survey identified energy, communications, and transportation as the three sectors (71%/70%/64%) that will benefit most from a smart cities initiative but are also the most susceptible to breach.

Attacks can come from multiple sources, including malware/ransomware as well as denial of service, with both nation-states (67%) and hacktivists (63%) likely culprits.  And, with more smart infrastructures in place, hackers have a larger attack surface, with pre-existing vulnerabilities more likely to be found and exploited.  Research from Threatcare and IBM X-Force Red, lends credence to this, having uncovered multiple zero-day vulnerabilities across different IIoT vendors. Security gaps identified include the use of default passwords, authentication bypass flaws, SQL injection vulnerabilities, and even open ports where control is possible from across the internet.  And the threat has only increased, with a recent Gemalto study finding that almost half of all businesses can’t detect if an IoT device has been breached.  There are even websites such as Censys and Shodan (among others) that make an attempt at tracking IoT devices.  And, more sophisticated attacks could take place against RF-controlled devices that may find their way into smart city architectures.  For example, Trend Micro recently identified security gaps in many commercial products, vulnerable from hardware-based rogue RF controller man-in-the-middle attacks.


The Threat Landscape

Moving from the general to the more specific, what are the types of IIoT devices one may encounter, and what specific actions are most effective and that one or more of the sectors described earlier?


Function / Use






Structural monitoring

Monitoring of vibrations and material conditions in buildings, bridges and historical monuments.


Noise monitoring

Sound monitoring in bar areas and centric zones in real time.





Smart roads

Intelligent Highways with warning messages and diversions according to climate conditions and unexpected events like accidents or traffic jams.


Smart lighting

Intelligent and weather adaptive lighting in street lights.


Smart parking

Monitoring of parking spaces available in the city.


Traffic congestion

Monitoring of vehicles and pedestrian levels to optimize driving and walking routes.





Forest fire detection

Monitoring of combustion gases and preemptive fire conditions to define alert zones.


Air pollution monitoring

Control of CO2 emissions of factories, pollution emitted by cars and toxic gases generated in farms.


Snow level monitoring

Snow level measurement to know in real time the quality of ski tracks and allow security corps avalanche prevention.


Landslide and avalanche protection

Monitoring of soil moisture, vibrations and earth density to detect dangerous patterns in land conditions.


Earthquake early detection

Distributed control in specific places of tremors.


Perimeter access control and geofencing

Access and communications control to restricted areas and detection of people in non-authorized areas.


Liquid presence monitoring

Liquid detection in data centers, warehouses and sensitive building grounds to prevent breakdowns and corrosion.


Radiation levels

Distributed measurement of radiation levels in nuclear power stations surroundings to generate leakage alerts.


Explosive and hazardous gases

Detection of gas levels and leakages in industrial environments, surroundings of chemical factories and inside mines.


Crime noise monitoring

Gunshot monitoring in real time.

 Water and Wastewater




Potable water monitoring

Monitor the quality of tap water in cities.


Chemical leakage detection

Detect leakages and wastes of factories in bodies of water.


Water leakages

Detection of liquid presence outside tanks and pressure variations along pipes.


River floods

Monitoring of water level variations in rivers, dams, and reservoirs.


Pollution levels

Control real-time leakages and wastes in bodies of water.


Water flow

Measurement of water pressure in water transportation systems.





Smart grid

Energy consumption monitoring and management.


Tank level monitoring

Monitoring of water, oil and gas levels in storage tanks and cisterns.


Photovoltaic installations

Monitoring and optimization of performance in solar energy plants.


High voltage line monitoring

Monitoring of line issues due to severe weather.

From Iibelium




Privacy, data, and identity theft

Authentication, encryption, and access control

Electric car charging stations,

Device hijacking

Device identification and access control, security lifecycle management

Traffic lights, robotics

Permanent and Application Level Denial of Service

Authentication, encryption, access control, application level DDoS protection, security monitoring, and analysis

Electric grids, monitoring systems

Man-in-the-middle attacks

Authentication and encryption, security lifecycle management

Water supply

From:  Rambus



One way to look at a solution is to first consider a set of universal security hygiene actions, and then look at specific requirements sector-by-sector.  An analysis by Microsoft looked at the properties of highly secure devices, and came up with the following recommendations:


Examples and Questions to Prove the Property

Hardware-based Root of Trust

Unforgeable cryptographic keys generated and protected by hardware. Physical countermeasures resist side-channel attacks.

Does the device have a unique, unforgeable identity that is inseparable from the hardware?

Small Trusted Computing Base

Private keys stored in a hardware-protected vault, inaccessible to software. Division of software into self-protecting layers.

Is most of the device’s software outside the device’s trusted computing base?

Defense in Depth

Multiple mitigations applied against each threat. Countermeasures mitigate the consequences of a successful attack on any one vector.

Is the device still protected if the security of one layer of device software is breached?


Hardware-enforced barriers between software components prevent a breach in one from propagating to others.

Does a failure in one component of the device require a reboot of the entire device to return to operation?

Certificate-based Authentication

Signed certificate, proven by unforgeable cryptographic key, proves the device identity and authenticity.

Does the device use certificates instead of passwords for authentication?

Renewable Security

Renewal brings the device forward to a secure state and revokes compromised assets for known vulnerabilities or security breaches.

Is the device’s software updated automatically?

Failure Reporting

A software failure, such as a buffer overrun induced by an attacker probing security, is reported to a cloud-based failure analysis system.

Does the device report failures to its manufacturer?

From: Microsoft Research, The Seven Properties of Highly Secure Devices


IBM’s recommendations, based on the identified vulnerabilities described earlier, and more focused on software and processes, include: 

  • Implementing IP address restrictions for who can connect to the smart city devices, especially if networks rely on the public internet.
  • Leveraging basic application scanning tools that can help identify vulnerabilities.
  • Using strong network security rules to prevent access to sensitive systems, as well as safer password practices.
  • Disabling unnecessary remote administration features and ports.
  • Taking advantage of security incident and event management tools to scan network activity and identify suspicious internet traffic.
  • Hiring ethical hackers to test systems, such as IBM X-Force Red. These teams are trained to “think like a hacker” and find flaws in systems before the bad guys do.

From:  IBM, The Dangers of Smart City Hacking

And remember that these recommendations also apply to 3rd parties, an environment known to be especially vulnerable, and one where a breach may lead to disastrous consequences in the context of a smart city.  

In essence, develop a comprehensive architecture for proposed smart city services and applications, planning head vs creating a bolt-on architecture where every new sector becomes an exception or custom integration.  This planning is also critical in defining a least-privilege architecture where only those systems that must communicate with one another are actually able to do so.  Sure, a single screen depicting power, water, and roadways may look good and not disappoint Hollywood, but this may not be the most secure implementation. As with enterprises, leverage best practices such as the NIST-CSF, CIS, SOC2, and others, as a baseline to evaluate one’s security posture. 

To draw an analogy from the public cloud, the cities and their vendors share responsibility for the secure deployment, operation, and updates of any hardware and software deployed.  And, as opposed to deployments where detailed lifecycle security plan may be a ‘nice-to-have,’ here it is critical.  This is doubly true for devices whose data is made available to the public-at-large, such as the City of Santa Clara, CA traffic cameras.  In support of this, the government will step in to push the industry along, as with California’s recent IoT legislation.  Though only a beginning and not by any means comprehensive, it does imply that IIoT security has gained awareness.


Divergent Views – The East and the West

 Are there different priorities and approaches between smart city deployments in London and Shanghai, for example?  The answer is yes.  Though much of the technology will be the same, approaches to individual privacy differ.  There is less reluctance to gather PII from multiple sources and then correlate it, and many of the views track debates concerning just how to open the internet should be and to what data citizens should have access.  Already, many deployments include facial recognition to target individuals, and these use cases are spreading to the US.  On the positive side, there is probably a greater emphasis on centrally planning and securing any deployment.


The Future

As I noted earlier, there is still time to properly secure the IIoT with many of the suggestions listed above.  Looking to the future, a few initiatives are in play to better secure the various devices deployed.  As an example, the major public cloud providers, with their interests in the IoT space, have proposed and deployed architectures to better secure their services and devices.  Examples include Google’s Titan, Microsoft Azure Sphere/Pluton, and AWS’s IoT Device Defender.   One would hope that the various players reach consensus on a single, interoperable approach, but in any case, it will take years for these more secure devices to be deployed, and existing devices will still present vulnerabilities.

Check out our Leveraging NIST CSF Playbook, for more information on securing our critical infrastructure. 

HHS Releases Voluntary Cybersecurity Practices for Health Industry

Voluntary Cybersecurity Practices for the Healthcare Industry

Just after the new year, the US Dept of Health and Human Services (HHS) released updated guidance to help healthcare organizations protect themselves against a cyber attack.  This guidance is not only timely, but essential given the continued escalation of attacks against healthcare environments--attacks that are becoming more complex, including DDoS, ransomware, and those against connected devices.   As they say, thieves go where the money is, and the typical healthcare record is worth $100 , 10x more than those across other verticals such as financial records.   The cost of a breach is just as impactful, with a loss of over $400 per record compromised.


     healthcare data breach cost 2018

 Organizations of all sizes, but especially smaller ones that may not have deep IT expertise, will, therefore, benefit from this guidance. 

The overall intent of the guidance is a:

  • Cost-effectively reduce cybersecurity risks for a range of health care organizations;
  • Support the voluntary adoption and implementation of its recommendations; and
  • Ensure, on an ongoing basis that content is actionable, practical, and relevant to health care stakeholders of every size and resource level.

Note that these are great goals for any vertical!

Resulting from the 2015 Cybersecurity Act (CSA), the guidance, Health Industry Cybersecurity Practices:  Managing Threats and Protecting Patients, aligns closely with the NIST CSF, a set of best practices that Cavirin embraces and supports.  The five threats explored in this document are as follows:

  • E-mail phishing attacks
  • Ransomware attacks
  • Loss or theft of equipment or data
  • Insider, accidental or intentional data loss
  • Attacks against connected medical devices that may affect patient safety

The two technical HHS volumes, Cybersecurity Practices for Medium and Large Health Care Organizations, and Cybersecurity Practices for Small Health Care Organizations go into much greater detail and the 
Managing Threats and Protecting Patients Resource and Template document maps the best practices to specific NIST identifiers.  

Best practices for threat mitigation fall into ten areas:

  • E-mail protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies
 NIST CSF for Healthcare

Check out the Cavirin NIST CSF Playbook, where we outline the mapping between the NIST CSF and healthcare-specific standards and best practices such as HIPAA and IEC/TR 80001-2-2 similar to what the HSS recommends here.  
Cavirin's healthcare solution supports the NIST CSF, HIPAA technical controls as well as the AWS HIPAA Quickstart, and the ability to customize frameworks based on specific business requirements including the CIA (Criticality, Impact, Availability) for specific controls so that healthcare organizations can automate compliance to achieve and maintain their golden cybersecurity posture just as Pacific Dental Services, Cepheid, and a large national healthcare partner have done.




© 2019 Cavirin Systems, Inc. All rights reserved.