ABOUT

Cymbel Corporation is an IT Solutions Provider, 100% focused on Security and Compliance. Cymbel was founded in 2000 and is headquartered in Newton, MA, with branches in Connecticut, New York, and New Jersey. Our 300+ clients are composed of mid-size enterprises and some of the largest, best known organizations in the Northeast.

Cymbel helps organizations (1) mitigate the new security risks created by changes in business needs, technology, threats, compliance requirements, and the economy, (2) reduce the costs of security operations and compliance audits, and (3) improve the infosec team’s responsiveness to the business. In many cases we have been able to do all three at the same time!!

Cymbel has no outside investors and is beholden to no third parties who could influence our recommendations or partnerships. Cymbel has been profitable for 42 consecutive quarters. Each of the principals of Cymbel has over 25 years of IT experience and over 12 in information security.

The Cymbel Approach

The Cymbel Approach is rooted in our belief that “It is not the strongest of the species that survive, nor the most intelligent, but the ones most responsive to change.” As organizations look to leverage advances in technology to address business needs, new security risks are created. The tough economic environment puts severe pressure on budgets. The Information Security team must mitigate these new risks as cost effectively as possible. In addition, the Cymbel Approach enables the information security team to be more responsive to the organization and provide senior management with an overall view of the organization’s security posture.

Dan Geer (@stake, Verdasys, In-Q-Tel) talks about long straightaways and hairpin turns as a metaphor for the way changes in technology occur. This includes changes in the threat landscape. In other words, change does not happen smoothly but rather discontinuously. We are in one of those hairpin turns. You can find more detail at Five Forces of Change.

From an information security perspective, the threat landscape has changed significantly with respect to:

  • Who the attackers are
  • The attackers’ objectives
  • The attack vectors they use
  • The target systems they use to gain entry
  • The access control issues organizations face
  • The best technical controls, both prevention and detection, which enable automatic and continuous monitoring

As a result, we have rethought and reassembled our solution portfolio to provide a next-generation defense-in-depth architecture focused on applications, users, and information. This enables the enterprise to better mitigate modern security risks and reduces the costs of compliance audits and security operations.

Mitigate Modern Malware Risks

As mentioned above, during the last several years we have observed dramatic changes in (1) technology and (2) the identity of attackers, their goals, and methods.

Technology: Applications are no longer tied to fixed TCP/UDP ports. In fact, there are hundreds of applications built specifically to port hop or take other evasive actions to bypass firewalls. Most corporate applications are now browser-based.

Attackers’ Identity and Motivations: Today’s most dangerous attackers are cyber criminals and nation-states who are stealing money and intellectual property.  It’s not about glory any more, but about profits.

Attackers’ Traditional “Outside-In” Network-based Method: In the past, the primary attack vector was the traditional network-based “outside-in” method of directly penetrating the enterprise at the network level through open ports and exploiting operating system vulnerabilities.

Attackers’ New “Outside-In” Application-based Method: The new Outside-In attack method is at the application level, i.e. web applications which are accessed via a browser. The most common attacks are SQL Injection, Cross Site Scripting, and Cross Site Request Forgery. Two very good reference sources are the OWASP Top 10 and the MITRE CWE/SANS Top 25 Most Dangerous Software Errors.

Attackers’ New “Inside-Out” Application-based Method: Today, the dominant attack vector is the “inside-out” method at the application level. It starts with baiting the end user via phishing or some other social engineering technique into clicking a link that takes the unsuspecting user to a malware-laden web page. The malware is downloaded to the user’s browser along with the rest of the web page’s content. The malware is designed to steal the user’s credentials, establish a back-channel out to a controlling server, and then use those credentials to steal money from corporate bank accounts, credit card information, and/or intellectual property.

Cymbel’s 12 Best Practices for Mitigating the Risks of Modern Malware:

  1. Application-level Positive Enforcement Model Firewall Policy – Reduce the organization’s and the end users’ attack surface with a Next Generation Firewall that supports a Positive Enforcement Model.
  2. Firewall Management – Firewalls are generally the largest and most critical information security control. A firewall management system will (1) reduce administrative and audit costs, (2) reduce errors and unplanned downtime, and (3) improve responsiveness to business needs.
  3. Multi-layer, Application Aware Threat Detection / Prevention - Once application usage is controlled, the remaining traffic must be monitored for threats using multiple methods such as application-aware, vulnerability-based signatures, web site and IP address blacklists, heuristics with sandbox testing of suspicious executables, and behavior anomaly detection.
  4. Remote and Mobile Worker Protection – The ever increasing remote and mobile worker population is the most vulnerable in the organization. Host-based controls are inadequate. A network-based layer of protection must be added plus specific controls for smart phones.
  5. Application and User Aware Log and Flow Analysis - While the above Prevention controls are critical, Detection Controls must also be in place. We recommend an integrated Log and Flow Analysis control for the primary detection control.
  6. Internal Network Segmentation at the Application and User Level – Perimeter protection that leaves the internal network “soft and chewy” is no longer reasonable. Nor are VLANs acceptable for regulatory compliance. The internal network must be segmented at the application and user/group level.
  7. Web Application Protection - While most organizations have adopted a Secure Development Life Cycle, there are always going to be bugs. Complementary controls include Black Box Application Scanning and integrated Web Application Firewalls.
  8. Encryption – While encryption is not new, it still plays an important role in a defense-in-depth architecture and regulatory compliance.
  9. Wireless LAN Security - The flexibility, affordability, and ease of installation continue to drive the popularity of wireless local area networks and therefore the need for a specialized security control to prevent rogue networks. Even if the policy is no WLANs, a control is needed to enforce that policy.
  10. Device Visibility, Configuration and Access Control – There is a fundamental requirement to assure that all network attached devices are known and their configurations and access to the network controlled. You cannot monitor what you don’t know about. Configuration control includes not only the operating system but the applications as well.
  11. Virtualization and Cloud Security – While we all understand the cost savings and flexibility virtualization and cloud computing offer, we must realize that they also introduce new risks. Simply deploying traditional host based security controls creates unnecessary overhead and does not address several key vulnerabilities specific to hypervisors.
  12. Full Packet Capture – Forensic analysis and certain regulatory regimes, like FINRA’s logging requirements for the use of social media, require full packet capture with application-level reconstruction.

For more information, see Cymbel’s 12 Best Practices for Mitigating the Risks of Modern Malware.

Reduce the costs of security operations and compliance audits

Here are the ways Cymbel helps its clients reduce the costs of security operations and compliance audits:

  • Consolidate network security technical controls
  • Segment internal networks to reduce audit scope
  • Centralize network security policy
  • Centralize identity and application access control
  • Continuously monitor configuration changes for servers and network devices
  • Increase the number of VDI users per server
  • Integrate black-box web application vulnerability testing with the Web Application Firewalls
  • Outsource 24×7 Log and Security event monitoring

Improve the InfoSec team’s responsiveness to business

While Information Security at a high level is about the Confidentiality, Integrity, and Availability of data, dare we include Agility as a fourth factor which must be taken into consideration when evaluating new controls? We say yes. George Westerman and Richard Hunter wrote an excellent book called IT Risk which made a compelling case for including Agility as one of the four IT Risks.

The areas where we have been able to help are:

  • The increasing number of remote and mobile workers
  • New partners
  • New services and applications
  • Enable the safe use of new technologies
    • Web applications
    • Virtualization
    • Cloud computing
    • Smartphones
    • Converged video, voice, and data

Partner Selection Criteria

We partner with the most innovative and proven security, compliance, and IT service management manufacturers in the world. Our criteria for selecting partners are as follows:

  • Solution fit with the Cymbel Approach, i.e. ability to mitigate the risks caused by the changes we’ve seen during the last several years in business needs, technology, threats, compliance requirements, and the economy
  • Ability to reduce the costs of meeting compliance requirements
  • Ability to reduce administrative and operational costs
  • Fast time-to-value, i.e. minimal professional services needed for deployment
  • Proven deployments
  • Corporate viability
  • Responsiveness to customer feature requests
  • Customer support satisfaction

Cymbel’s Guiding Principles

Through the years, working with hundreds of clients, we have developed a set of principles which guide our thinking:

  1. It is not the strongest of the species that survive, nor the most intelligent, but the ones most responsive to change.
  2. The biggest risk an organization faces is the failure of imagination when assessing the behavior of the enemy.
  3. In theory, there is no difference between theory and practice. In practice, there is.
  4. The biggest problem with communication is the illusion that it has taken place.

Etymology of the word “Cymbel”

The Oxford Dictionary of Music defines one of the controls on classical organs as a “cymbel.” When engaged, the cymbel generates what is described as “a brilliant mixture of things” from a variety of organ pipes.

When starting Cymbel ten years ago, we were seeking to do the same: to bring together for our clients the best-in-class solutions for information security and compliance. We sought then and deliver today what we believe is that harmonious and brilliant mixture of things: Next Generation Defense-in-Depth.
