New York State Cybersecurity Requirements for Financial Services Companies — 6 Things You Should Know

Recognizing that the financial services industry is a significant target of cybersecurity threats, the New York State Department of Financial Services (NYDFS) recently promulgated Cybersecurity Requirements for Financial Service Companies (23 NYCRR 500).

If 23 NYCRR 500 applies to your organization, you will need to familiarize yourself with all the details, but in the meantime, here is a summary of the 6 key things every financial institution needs to know about this set of regulations. Read more “New York State Cybersecurity Requirements for Financial Services Companies — 6 Things You Should Know”

5 Years in Review: 5 Can’t-Miss Posts From Our Archive of 450+

Five years is a blink of the eye in time, but in technology, a lot can happen. This year, we’re celebrating the fifth year of the Threat Stack blog. We’ve been digging around our archives and analyzing the metrics to see what’s changed in the market since our inception, how our own product has evolved, and what topics are still tried and true.

Some things changed, and some stayed the same. Most interesting, we saw five of our personal favorite topics rise to the top in terms of article popularity. Some written several years ago, some written this year, they’re indicative of how the market is shifting and what companies are focused on today.

Without further ado, here are the five most-read articles of all time on our blog, and if you haven’t read them, data says you should. Read more “5 Years in Review: 5 Can’t-Miss Posts From Our Archive of 450+”

9 Common Questions About SOC 2 Compliance

SOC 2 compliance is a crucial framework for technology and cloud computing companies today. As with many other compliance mandates, it is not a simple connect-the-dots proposition, but rather a complex set of requirements that must be reviewed and carefully addressed. But it doesn’t have to be overwhelming. Below, we’ll break down nine of the most common basic questions that we hear about SOC 2. Think of it as a 101 on SOC 2.

Read more “9 Common Questions About SOC 2 Compliance”

3 Key Points on How Vulnerability Management Can Help You Become Compliant

Two interesting observations:

The average number of days that attackers were present on a victim’s network before being discovered is 146 days. (FireEye)

At Threat Stack, we have observed that a majority of the market is moving toward automated security vulnerability and configuration scanning.


You would be hard pressed to come by a compliance framework that did not require you to have a system to detect and manage vulnerabilities. Vulnerabilities are as old as technology itself, so to call yourself compliant, you first need to demonstrate that you have a sound vulnerability management program in place.

Vulnerability management systems identify common vulnerabilities and exposures (also known as CVEs), alerting you when a server or package is at risk so you can patch it immediately.

Simply by having a vulnerability management program in place, you can often satisfy many other major compliance requirements. In this post, we’ll explain how vulnerability management helps you to become compliant. Read more “3 Key Points on How Vulnerability Management Can Help You Become Compliant”

Springbuk Case Study: How to Get Ahead of Compliance and Security Requirements on AWS

This is a guest blog post by Steve Caldwell, Director of Engineering at Springbuk, a health analytics software company that unifies pharmacy, biometric, and activity data, as well as medical claims to help employers make better decisions about employee health benefit programs.

As a health analytics company, Springbuk helps companies make better decisions around disease prevention and management through data. As such, meeting HIPAA requirements and following security best practices are very important to us; to ensure that we’re always compliant and as secure as possible, we needed to get a better handle on how security was managed across the organization. Read more “Springbuk Case Study: How to Get Ahead of Compliance and Security Requirements on AWS”

Steps for Establishing Your AWS Security Roadmap

Yesterday, we hosted one of our most popular webinars to date: Steps for Establishing Your AWS Security Roadmap. Threat Stack’s VP of Engineering, Chris Gervais, was joined by AWS Solution Architect, Scott Ward, along with Zuora’s Head of Infrastructure Security, Bibek Galera for a practical discussion on how companies can build an effective cloud security roadmap from day one. Read more “Steps for Establishing Your AWS Security Roadmap”

How to Talk to Your Prospects About Cloud Security

Security can be a huge sales and business enabler, as I’ve mentioned before. If your company and its prospective customers are in a regulated industry — and even if they’re not — you can bet they’re going to ask about your security posture during the sales process. For a number of reasons (including the many high-profile security breaches over the last few years), sales prospects are more aware of risks to their data than ever before. Naturally, they are upping the security requirements for doing business with vendors and partners alike.

This means it’s more important than ever that your sales team understands how to talk to prospects about security. In this post, we’ll outline a number of ways that businesses can do this and do it well. Read more “How to Talk to Your Prospects About Cloud Security”

Three Good Reasons to Get Compliant Now

When things are hectic at your organization, compliance may not feel like the highest priority. If you aren’t in an industry that absolutely requires compliance, it can feel like a box to check — more of a nice-to-have than a must-do. In other cases, it may seem like a good idea . . . but one that can be kicked down the road indefinitely. However, we believe it’s a good idea to approach compliance early — often earlier than you may think.

Indeed, there are some situations in which compliance can actually move the needle in a big way for your business, either positively or negatively. Here are three specific, value-driven reasons why you should consider being proactive about compliance and get out ahead of it before it’s too late. Read more “Three Good Reasons to Get Compliant Now”

What Insurance Companies Need to Know About Cloud Security in 2017

Few understand the concept of mitigating risk better than the insurance industry. The insurance industry faces a unique set of challenges when it comes to cloud adoption and security. In this post, we’ll walk through some of the reasons why moving to the cloud is an excellent idea for insurance companies and provide some guidance on how they can overcome the most common hurdles. Read more “What Insurance Companies Need to Know About Cloud Security in 2017”

MineralTree Achieves PCI Compliance With Threat Stack

Compliance processes have a reputation for being expensive, time-consuming, and fraught with difficulties — and sometimes certifications are looked upon with skepticism. However, most of the PCI requirements are common sense, best practices that any organization that is concerned with security should adopt. At MineralTree, we use Threat Stack to mitigate security threats. Additionally Threat Stack helps us adhere to PCI requirements and document our compliance.

Let me explain  . . .

Read more “MineralTree Achieves PCI Compliance With Threat Stack”