The Newberry Group Blog

Archived Categories

Sort By: Title   |   Blog Date
Tuesday, June 07, 2016

Temporary Restraining Orders. Part 3 in a 6 Part Blog Series

In my last blog post, I began two case studies.  In both instances, we found that intellectual property had been taken when the employees left the company.   Following our process, we created the Departing Employee Report that outlined all of our findings.  We gave the report(s) to our clients and their external counsel.  It is at this point in the story that these two very similar cases went in completely different directions.

In most cases, after our client and their law firm have a chance to review our findings and determine a course of action we are typically asked to write either an affidavit or a declaration.  We take the information in our report(s) and put it into an accepted legal format (the affidavit or declaration) that can be presented in court. Which document we create depends on the law firm we are working with.  Typically one of these documents is presented with a TRO (temporary restraining order). 

When you hear TRO, many of you might immediate think of some type of harassment or abuse case.  However a TRO has other purposes as well.  One such instance that I have seen used over and over again in theft of Intellectual Property (IP) cases is requesting a TRO where the employee that left and took IP with them, not be allowed to go to work for the new company until the theft of IP case has been resolved in some manner.  Typically in these cases where this type of TRO is requested, the law firm and the forensic company must move quickly so that the legal team has the information that they need to file for a TRO. 

I cannot stress enough how important speed is when working a case like this.  Because if the new employee has already been working at the new company for a few months, there is a high likelihood that the information that was taken has already been disseminated around the new company and a TRO is less likely to be effective. While I am not saying that you can’t get a TRO after a few months, you can, but you will just have more hoops to jump through.  This scenario alone is a great reason to have a relationship established with a forensic company that excels at investigating IP theft cases.

Let’s get back to those two case studies.  While these two case studies are of two companies in completely different industries, they are very much alike from a forensic standpoint.  Data was taken upon employee departure, the departing employees went to work for the competitor and the companies hired external law firm to help.  In both of these cases we were initially hired by the same law firm, a law firm that we had worked with for years and had a well-established process with. 

Internal Employee Case Study Continued:

For this case, we wrote an affidavit to go with the TRO and the documentation went to both the departed employee and the departed employees “new” company.  The “new” company was a Fortune 100 company, they were large enough that their first response back to the TRO was “if we wanted that companies IP, we would have just bought them”.  At this point, the fun really started.

Along with the TRO, it was requested that the employee send all USB drives that they had used at our client’s company so that we could forensically examine them to find and remove our client’s IP.  If our client’s IP was found on any of the devices, the court would uphold the TRO and the employee would not be able to work until the case was resolved.

Based on the request, the former employee sent four USB drives.  As you may remember from the previous blog post, we were expecting over 20 to show up.   So the fact that we only got four devices surprised us and angered the legal team.    However, we still analyzed the 4 drives that we were given.  Once the serial numbers were identified, we realized that only 3 of the devices that were sent to us had been used at the former company.  The one extra USB drive was completely new to us.  In addition, the key USB device that we were looking for was not one of the four that was sent to us.

All of this information was sent to the court, along with a request to get access to the former employee’s home computer.  When the court learned that only 4 USB devices had been turned over, the court ordered that the home computer had to be sent to us for analysis.

A few days later, the home computer arrived and performed the full departing employee analysis on the home computer.  Undertaking a USB analysis on the computer, we were able to identify that most of the 20+ USB devices that we were looking for were also used on his home computer, along with several other USB devices that were used at home but not on his old work computer.   During this investigation, it was discovered that the one USB device that we didn’t have information on, showed up as being used on his home computer.  What was the most shocking/concerning to our client, was that the key USB device had been used on his home computer just after he had resigned.

Since we had a lot of information about this key USB device, we performed some special searches for files that we knew had, at one time, resided on that device which belonged to his former employer, our client.  We were able to determine that these files had been accessed and opened on his home computer, from that USB device after he had already started at the new company.   These facts were presented to the court. The court did two things, first they granted the TRO and the employee couldn’t work anymore until the case was settled and secondly, the court gave us access to his work laptop.  This upset his new company as they didn’t want to give up his work laptop. 

A few days after the court order, his new work laptop arrived in our forensic lab.  Once the device was in our lab, we performed the New Hire Program package on his machine.  Stay tuned to future blog posts to see what this uncovered and how both companies responded.

Home Based Employee Case Study Continued:

In the case of the home based employee for this case study, things took a completely different spin once we delivered to outside counsel the report and they showed our client that had the employees leave.  This company decided it would be in their best interest to change law firms and retain a firm in the state which the two former employees resided.  I have worked many cases where our clients have changed law firms mid investigation, but this change did surprise me because the original law firm had a well know reputation for successfully litigating IP theft matters and I knew nothing about the new firm besides the fact that they were a very large international firm.

Our client and the now former law firm had told me that our report had been sent to the new firm and that I would be hearing from them shortly.  Weeks passed and I had heard nothing.  Knowing that we were initially going down the path of a TRO for both these employees I was getting concerned that I had not heard from the new law firm.  

I contacted our client and let them know that I had not been contacted by the new law firm.  They were surprised and said someone would reach out to me within 24 hours.  Not one hour later, my phone rang.  It was an associate at the new law firm.  She said the partner asked her to touch base with me just to let me know that they got the initial report and they were working their way through it.

The clock was ticking for a TRO and it still took them two more weeks before they called again.  This time they actually asked me to step them through the report so that they could better understand what IP had been stolen.   This call ended up being the first of many phone calls to discuss the report and help better understand it.

In the end, the new law firm opted not to pursue a TRO against the two departed employees.   They decided to “play nice”, reasoning that the employees would willing turn over their personal devices for us to search and remove all IP associated with their former employer.  As you can imagine, that was not what happened.  The employees each retained their own counsel, which vigorously fought any request to turn over their personal devices. In the end, instead of utilizing the courts to litigate the stolen IP, the decision was made to continue the “play nice”. It was decided they would pursue arbitration instead.  It would be 8 months before I would hear from the new law firm again.

Where to Go From Here:

As you can see, two cases that were nearly identical at the start, have taken off in different directions. Is there are right or wrong way to take these cases?  I would say yes…  Over the next few blog posts, I will explain why as we continue with these two case studies. In addition, I will take a look at some things you can do to both prevent IP from being taken from your company and from new hires bringing stolen IP into your company.

Newberry Group has services that can support all of your needs in these areas.  Our experienced team can conduct investigations that cover both the departing employee as well as the new hire for a fraction of the cost that you could incur should the examples above play out.  Our Departing Employee Program and New Hire Program are fixed fee programs that consists of defined computer investigation service packages that identify and report on employee data activity. The packages vary as to scope and cost in order to provide you with a level of assurance proportionate to the value of the employee and the access that the employee had to your IP.

For more information on these services as well as other Forensic-related services we offer, please visit our website at or email us at

 Next Blog: Reverse IP Theft

Posted by: Jerermy Wunsch
 | permalink

Wednesday, May 04, 2016

When The Threat Strikes. Part 2 of a 6 Part Blog Series

As I mentioned in my first blog post, the internal threat is very real and it strikes ALL companies. (Yes, even forensic companies that investigate internal threats.)  The smallest company that I have identified theft of IP during employee departure had 5 employees.  The largest client was a Fortune 100 company whose name all you would instantly recognize.  Even forensics companies are not immune. When I was the CEO at LuciData, I had a former forensic investigator leave and “take” IP with him to start a competing company. It happens all the time.  Numerous articles quote statistics that over 50% of departing employees take IP when they leave.

50% is a pretty large percentage of people.  Think of how many employees have left your company.   Think about what information they had access to.  Now assume that 50% did actually take information and brought it to a competitor. What would a competitor be able to do once they got their hands on that data?  What would the impact be to your company should that happen?  Loss of revenue, loss of competitive advantage?

Theft of your IP has happened to you with or without your knowledge. It might be happening right now and you don’t know it. In this blog and other blogs to follow; I am going to step through two examples of internal theft: an internal employee working at the office and a home based employee that was granted remote access to the network. The blogs will address what was done right and what could have been done better. 

There are always lessons to learn with departing employees, and most of those lessons deal with controlling your data better.

Internal Employee Case Study:

This was not the first time that our client had called us to investigate a potential theft of IP from a departing employee.   We had put in place a protocol to cover the first initial steps to investigate any departing employee that they suspected of taking IP.

As with all the other cases with this company, a “key employee” had departed, moved across the country to work for a competitor.  What caused our clients suspicion was that the competitor did not have a marketable “product” like the employee had been working on for our client, but the competitor was trying to get a foothold into that space.  The data that this employee had access to was incredibly valuable to the competitor.

As we were completing the initial first steps of the protocol and started digging into the data, there were red flags that we discovered that started to raise questions for us.  The first red flag we found was the sheer number of USB devices that had been used on the computer; including a few devices that were used during the last few days of his employment with our client.  While devices used on the last few days of employment don’t always point to a problem, for some of these devices, it was determined that it was the first time that they had ever been used.

The next red flag we saw was that a special folder sync function had been run.  This function was setup to sync multiple folders from the employee’s computer to what was labeled as “other device”.  This meant that it could sync to something like a network share or to a USB device, basically anything that wasn’t internal to the computer.

What was helpful to us was that this sync function left a log of the folders that it was syncing with, along with the last time that the sync took place.   Unfortunately, the folders that were synced were deleted by the former employee. Not to be deterred, using our forensics capabilities, we were able to recover the deleted folders and found just over 2,500 files in those folders that had been synced to other devices.  A copy of the recovered files list was given to the client to review and determine the “value” of the data.  We determined that most of the files contained documents that had “confidential” or “internal use only” written on the documents, leading us to believe these indeed would be very valuable documents to a competitor – a fact that was quickly confirmed by the client.. Our client asked us to immediately start working on determining if we could tell them where these documents went to (other devices, network share etc.)

Using time information from both the USB and the sync function logs we were able to determine that the data went to one or two USB devices on the same day the employee turned in his resignation notice.  We were able to determine the common name of the USB devices (like one gigabyte SanDisk) and we also had the serial number of the devices we could now start searching for.  This information was given to our client so their Information Technology department could determine if the devices still resided in the former employee’s office or some other place within the company.  When it was determined that the company did not have possession or access to these two USB devices and that the former employee most likely took them when he left, we helped our client’s counsel write the request for the former employee to turn over all USB devices that he used while employed at the company on that computer.  Based on our initial USB analysis, we were expecting 24 USB devices to be turned over.  With that request, the hunt for stolen IP began in earnest.

Home Based Employee Case Study:

In this case, we have a home based sales employee that was allowed to use his own personal computer for work purposes. His request to use his home based computer was granted by management even though it was in violation of company policy.  Because his personal laptop was a Mac, a request was made by the employee for a virtual machine partition to be placed on the machine so that he could use “normal” Microsoft Outlook for work related email. Again, a request granted by management and a violation of company policy.

When the employee left our client’s employment to go to work for a competitor, the company wisely asked for his computer to “image” it to make sure they had access to his email that was in the virtual partition.  However, this image was not a traditional forensic image. Luckily the image did capture all the data on the disk; which included all the Mac data and all the data in the Windows virtual machine.  Confident that they now had a copy of his email allowing them to answer any customer questions that might arise, they returned his personal computer back to him without deleting the virtual machine that contained years of corporate email.  They put the image on the shelf and did nothing with it.

Shortly after this first resignation, a 2nd sales employee resigned.  This employee was going to the same competitor as the first employee that left and this employee would reportto the first employee.  Concern was rising that something nefarious might be going on as the competitor they went to work for was the number one competitor of our client.  Losing both of these top sales people, was a grave concern in the very tight market that both these companies were in.  For the purpose of this blog post and so we can keep them straight, we will name the home based employee with the Mac, Bob and the employee that left second, Steve.

We were sent the work computer (which was a Windows computer) from Steve and we were sent the image of the home Mac computer that Bob used for work.  We initiated our departing employee protocol to determine if there might have been any visible signs of solicitation and to determine if any confidential data may have been taken by either of them.

While we did find signs that they were both communicating with each other, we didn’t find any signs that Bob asked Steve to leave and bring data with him.  At that point, our investigation turned strictly into theft of IP and we began to look at each of them individually.

Investigating both former employees’ computers, we determined that they both had USB drives hooked up to their computers.  Both of them used those USB drives on their final days of employment.  There were also signs that data may have been transferred over to those devices.  We worked with our client and their legal team to request that Steve hand over all the USB drives that he had used during his employment. This process was pretty straight forward with Steve’s computer, Bob and his computer was another story.

As we mentioned, Bob used his personal laptop for work.  This a machine was also used by family members.  Because of this, we were not completely sure the best way to ask for access to the devices, given the high likelihood that we would not be granted access to family member’s devices unless we could clearly prove that data had been transferred to that specific device.  This computer had been used for years and not only were there traditional USB storage devices that had been hooked up to it, but there were also iPhones, iPads and iPods that had been attached to this machine.  These devices, while traditionally used for other reasons, also have the ability to store data. 

Which devices were his, which belonged to his wife’s and his kids?  As the investigation continued into Bob’s computer, we started to notice references to network storage devices, like network attached storage (NAS) and references to Apple’s Time Machine backup, which appeared to backup his entire laptop.  Remember, Bob had the virtual machine that contained all his work email containing confidential information on this machine.  We realized that the work email was in the Time Machine backup, so we had to make sure to request access to that backup as well.  As it was becoming clear the type of home network that Bob had established, we realized that one of his NAS devices was syncing on a regular basis with his Mac.   If you are able to follow the trail - we now know that work email is stored in at least three locations – on his personal Mac in the company provided VM, the Time Machine Backup and on the NAS. 

We gave our client a file list of some of the files on the Mac image that contained the word “confidential”.  We handed over copies of documents, spreadsheets, PowerPoints and PDFs for them to look through.  It was quickly determined by our client those files were very key to the company, and Bob should never have been allowed to leave with that data still on his personal Mac that he used for work.  Like with Bob’s email, we were assuming that these files containing the documents, spreadsheets, PowerPoints and PDFs etc. were also on the Time Machine Backup and the NAS and potentially other USB devices.

At that point, the lawyers knew what we needed access to, but with Bob’s non-traditional home network this wasn’t going to be your normal legal request. This was going to be a case with many unexpected twists and turns.

Hurry up and wait.

As with all cases, once we find that IP may have been taken during employee departure we provide our reports, declarations and/or affidavits.  The lawyers then take over and it is hurry up and wait while the legal process runs its course.  Stay tuned to the next blog post to see what happened with these legal requests and the corresponding TROs (Temporary Restraining Order).

Newberry Group has services that can support all of your needs in these areas.  Our experienced team can conduct investigations that cover both the departing employee as well as the new hire for a fraction of the cost that you could incur should the examples above play out.  Our Departing Employee Program is a fixed fee program that consists of defined computer investigation service packages that identify and report on employee data activity. The packages vary as to scope and cost in order to provide you with a level of assurance proportionate to the value of the employee and the access that the employee had to your IP.

Our Incoming Employee Package consists of 2 services. 1st, it verifies that policies and procedures are appropriate so new employees understand that under no circumstances should any IP from previous employers be brought with them.  2nd, at a predetermined time (usually 30-60 days after the employees start date), we will check the new hire’s drive for signs of external IP.  If data is found, you can take immediate steps to remediate the data before any litigation commences. 

For more information on these services as well as other Forensic-related services we offer, please visit our website at or email us at

 Next Blog:  Temporary Restraining Orders (TRO)

Posted by: Jerermy Wunsch
 | permalink

Friday, February 26, 2016

The hacker, the departing employee, the new hire. Which one can cost you more? Part 1 of a 6 Part Blog Series

After almost 20 years of doing computer forensic investigations, and specializing in investigating data breaches and IP theft, I have realized a few things. Hackers are here to stay and those employees you trust the most can hurt you the most.

The Hacker

Let’s start where most organizations are mistakenly focused, hackers.

Hackers are malicious but most are only looking to steal usernames and passwords but some do try to steal personally identifiable information (PII) to sell or they are looking to run some other type of scam with the stolen information.  Rarely, do hackers steal data to create a competing product or service.

Yes, hackers cause harm. They steal identities; people fall for their scams. Hacks have been a daily occurrence for some time now. Most firms spend a lot of time and money trying to prevent them and have a budget set aside for investigating them. 

But when we look back, what is the real cost to the organization of a hack?  Google “cost of a hack” and you will find countless examples of what it costs organizations.  But the numbers are all different.  The real answer is that nobody knows.  Realistically, unless you are part of some of the largest breaches in the world, the cost of a hack does not create a very large dent on the organizations profit and loss statement.  The “official statement” says, sorry we were hacked, change your passwords and move on.

The Departing Employee

This is my favorite person in the company.  They are leaving for that new job.  Why did they get that job?  You guessed it, because of what they did at your company. 

Organizations as a whole are still a trusting bunch.  “Oh, my employees would not maliciously take information with them.” We hate to be the bearer of bad news – they will and it is probably happening a lot more than you realize. In the thousands of cases we have done over the years, I can count on one hand the number of times during an investigation where we didn’t find the employee stealing intellectual property (IP) and taking it with them.

If the departing employee left to start their own competing business or worse yet – went to your #1 competitor – more than likely they have taken some of your IP (think customer lists, pricing data, product development details, business planning details to name a few) with them to help them hit the ground running.  It is time to start an investigation to see what they took.

When do you pull in legal?  It all depends on the organization and if legal is in-house or not.  But most pull in the legal team after it has been identified that IP may have been taken.  Another key question when pulling in the legal team is to ask “do you have an experienced legal team to help you during the investigation?”

The “experienced legal team” is a delicate subject, but it must be brought up. While the organization is going through the investigation, it cannot be stressed enough: make sure your legal counsel – both inside and outside counsel understand the technology, the terminology and the forensics process.

Beware of what I refer to as the “Legal Tech Lawyer”.  These are attorneys from firms that got their experience from going to a few conferences and listened to a few webinars yet consider themselves experts in technology cases. In addition, beware of outside counsel that does not have any actual experience in conducting cases that had computer forensics examinations in the area of IP theft. 

Having an experienced legal team;  especially experienced outside counsel that understand the process and what forensics technology can and cannot do will cost more per hour than an attorney that doesn’t, but in the end, it will be worth it.  Not understanding the life cycle of an investigation; the differences in terminology, understanding the limitations of technology and what to ask for during the investigation will most likely cause the organization to incur additional downstream investigation fees because the investigation is not streamlined.  Uneducated attorneys are less likely to ask pertinent questions, will have to do additional research to understand what they need to have done, may ask for things to be done that are not necessary, or miss finding critical evidence that is germane to your case.  All of this will likely result in increased legal fees.

Legal expenses tend to be a very large chunk of the total cost of an IP theft investigation. Choosing the right attorney (s) is critical not only to the success of your investigation; but also to keeping your costs from spiraling out of control, especially when you are going after a temporary restraining order (TRO), and requesting access to both their home and “new work” computers. 

Your New Hire

Let us introduce you to your most expensive hire; the new employee that you just hired away from your #1 competitor.  The employee that took IP from their previous employer, who brought IP with them and is currently using that IP in their new job with you.

You didn’t ask them to steal IP from their previous employer, but they did.  You hired them because of their experience and their past contacts and connections. They told you they can help you beat their former employer; what they didn’t inform you about is they are bringing data with them that will be housed inside your walls. 

This data now resides someplace on your network. It could be a little, it could be a lot. For example, maybe they took a PowerPoint presentation. They changed a few words and logos and now your next project is the exact same project they were working on at their previous company. They shared a copy with their boss.  Their boss shared it with their boss who presented it at the national sales conference.  You get the picture.

Now imagine this scenario. Their previous employer knows you have hired their employee and suspects that they have taken IP – lots of it. They hire a forensic company to look at the former employee’s work machine and they find IP was taken.  They suspect you now have it. They want it back or eradicated and they want monetary damages. 

The next thing you know, you are served with a TRO and litigation hold.  You are getting sued by your new hires former employer for theft of IP.  You know nothing about this, you didn’t ask them to take it, but they did.  Courts are starting to open up the doors to allow forensic companies to investigate inside the “new company” to verify that the previous company’s data is or is not inside the new company.  The Forensics Investigation Team has been allowed full access to email servers, network servers and storage, laptops and desktop, cell phones, tablets and cloud accounts that may have the stolen IP on them. 

If that happens to you; more than likely your organization will be responsible for the cost of that investigation. If IP is found, the costs ramp up even further.  The IP will have to be remediated and most likely the courts could issue some pretty large judgment against you.  We have had cases where the judgment in 1 IP theft alone was upwards of twenty ($20) million dollars that the “new company” had to pay the “former company” because the departed employee took IP with them and used it at the new company.  While judgements of this amount are not common, they do happen.  It is becoming more common to get judgements against the new company of a few million plus all third party fees (legal, computer forensics, court costs, etc).

What Can You Do To Be Proactive?

  1. Have an appropriate IT budget to spend on and implement monitoring solutions that watch internal employees in how they use the organizations data. Whether it is device control, DLP solutions or BYOD technology – having monitoring technology is a must these days. 
  1. Have current AUP (acceptable use policy) and any other corporate policies governing the use of corporate data.  Nothing is more painful than learning that you allow employees to take whatever they want.
  1. Be consistent in enforcing those policies.  Precedent is a big word in the legal community and I have seen many cases lost on precedent.
  1. Ask the right questions of legal team on their experience level in conducting forensics investigations.
  1. Get an experienced Digital Forensics team that understands IP theft considerations for departing and incoming employees.

How can you protect yourself?

There are economical ways to forensically determine what data and or IP was taken from an organization or brought into an organization. An excellent program will:

  • Have a well-defined AUP covering both incoming and outgoing IP.
  • Consist of defined computer investigation service packages that identify and report on employee data activity
  • Be able to identify data that was taken from your network as well as brought in to your network.


Hackers are here to stay.  Most companies are well prepared to defend against hacks and have budgeted for such an event.

Employees will also continue to take IP.  It is not a question of if IP theft will happen, it is a matter of when and at what cost to the organization. Most companies are not as well prepared to investigate theft of IP. Nor have they budgeted for what the potential investigation might cost them or what the effects of a theft might be – loss of revenue, loss of clients, loss of productivity, business interruption – the list goes on and on.

Does an investigation have to break the bank to learn what IP might be taken? No, it does not.  Investigations can be streamlined, simplified and be cost effective if an organization has the proper team and services in place prior to kick off of an event.

As to the initial question that we started with, “The hacker, the departing employee, the new hire.  Which one can cost you more?” Stay tuned to future posts to learn, but I can tell you, it isn’t the hacker.

Newberry Group has services that can support all of your needs in these areas.  Our experienced team can conduct investigations that cover both the departing employee as well as the new hire for a fraction of the cost that you could incur should the examples above play out.  Our Departing Employee Program is a fixed fee program that consists of defined computer investigation service packages that identify and report on employee data activity. The packages vary as to scope and cost in order to provide you with a level of assurance proportionate to the value of the employee and the access that the employee had to your IP.

Our Incoming Employee Package consists of 2 services. 1st, it verifies that policies and procedures are appropriate so new employees understand that under no circumstances should any IP from previous employers be brought with them.  2nd, at a predetermined time (usually 30-60 days after the employees start date), we will check the new hire’s drive for signs of external IP.  If data is found, you can take immediate steps to remediate the data before any litigation commences. 

For more information on these services as well as other Forensic-related services we offer, please visit our website at or email us at

Next Blog:  Newberry Group’s Departing Employee Program.

Posted by: Jeremy Wunsch
 | permalink

Tuesday, August 19, 2014

Keeping Student Data Secure in Education

As students and teachers alike are embracing online learning tools, a need for better internet security in schools is becoming more apparent. The recent report on tech adoption in education by the Consortium for School Networking (CoSN) and the New Media Consortium (NMC), highlights this trend of hybrid learning models that “blend the best of classroom instruction with the best of Web-based delivery.” However, the report also points out that the safety of student data is considered a “difficult challenge” and “solutions are elusive.”

While internet security is a pervasive issue for all industries, schools deserve some extra attention. Along with the increased need for bandwidth to access online courses and tools, students and teachers are all too quick to share personal information through the internet. Schools need to carefully plan their network security in much the same way they plan their physical security. There has to be a good balance between access and security.

The solutions for balancing the security of student data with providing the right level of access required in today’s learning environment don’t have to be “elusive.” There is a full suite of solutions, such as network access controls or web filters, that are available at affordable prices and can offer the necessary protection for K-12 schools up through universities.

So what should you look for in a solution? Here are some good starting points:

  • URL Filtering – In 2013, 85% of malicious links used in web or email attacks were located on compromised legitimate websites. Controlling which websites can be accessed can limit the possibility of malware infecting your network.
  • Secure Data Transfer – An estimated 6% of all PCs will suffer at least one episode of data loss per year. 20% of all laptops suffer hardware related data loss in the first three years. A good IT strategy implements an off-site backup solution for important data. In an education environment, that would include student records. Securing this transfer of data is necessary as not only can the physical data be accessed but the transmissions of that data can also be intercepted.
  • Mobile Device Security – On average, network administrators are only aware of 80% of the devices on the network. In an educational setting, where nearly every student has a mobile device with the ability to connect to a local network, this figure is most assuredly much lower. Utilizing an agentless solution that discovers devices as soon as they access the network will protect vital information such as student records and institutional data while allowing the proper access necessary for the learning environment.
  • Bandwidth – With the inclusion of streaming media in today’s curriculum and the distribution of network resources across a geographically separated campus, load balancing bandwidth is essential to providing consistent access for both students and faculty
  • Efficient Configuration – School IT departments are minimally staffed. And often, the staff is simply challenged by time and resources just to maintain let alone implement and improve the network. Solutions that are easy to configure and maintain yet provide robust security features are a must.

Posted by: Gerald Kennedy
 | permalink

Wednesday, July 23, 2014

How to Choose Security Solutions for Mobile Healthcare - Part 2

To read Part 1 of this series, click here.

According to the HIMSS Analytics 3rd Annual Mobile Survey, the top benefit to having mobile tech in facilities is increased access to patient information, and the ability to view data from a remote location. But this means there are thousands of devices accessing a provider’s network. In order to select a proper security solution that not only meets HIPAA requirements but offers the protection for medical device end points in use, medical IT Administrators must look at a number of factors:

  • What is on my network? This is the first and most important step in providing a secure IT enterprise. Many IT administrators believe they know what devices are on their network. However, healthcare facilities are littered with transient devices such as personal phones and tablets, patient monitors and diagnostic tools that have unique and often antiquated operating systems. These devices may only show up on IT networks once a week or perhaps once a month. It can be a daunting task to know exactly what is connected to the IT enterprise.
  • Controlling BYOD. Practitioners, nurses, and administrative staff often use their own unregulated devices, such as phones and tablets, to record data and communicate with staff and patients. Add to that the fact that many facilities offer open WiFi to their patients and guests. This creates a massive amount of end points that are not monitored and leave the IT enterprise vulnerable to malware, viruses, and advanced persistent threats. Survey findings shows that 32% of hospitals are not even using technology to enforce their BYOD policies.
  • End Point Compliance. Knowing what is on the network is one thing. Keeping known devices compliant is something else entirely. Security of an IT Enterprise is only possible through awareness. Once the devices are discovered IT administrators must be certain that they remain compliant. Having the ability to confirm applications and disable those that are unauthorized, verify whether or not the devices meets established security policies, knowing if the device is compliant with the latest security patch and antivirus definitions is essential.
  • Cost vs. Risk. While the Federal Government provides some mandates that direct medical IT Administrators to protect patient data, the healthcare IT network remains largely susceptible to your average hacker. It is up to each healthcare IT Administrator to protect the physical network to the degree they feel necessary to secure data and network end points. Healthcare budgets, like many vertical industries, are balanced toward production vs. protection. In the HIMSS Analytics survey, lack of funding was the most common barrier to implementing a security solution. An effective solution with low cost of ownership is necessary. And while incentive programs such as EHR Incentive Program may seem to add balance to this in favor of the healthcare facilities, the incentive received is certainly not equivalent to the cost of losing patient data.

Network administrators can’t secure what they can’t see. It is imperative that administrators have access to real-time visibility of everything on their network and be able to control what is on their network at all times. When choosing a solution that meets all of these requirements, look for one that is simple to install on your network, without the need for agents or client software.

If you’d like to talk more about end point security solutions or need help, get in touch with us!

Posted by: Gerald Kennedy
 | permalink

Monday, July 21, 2014

How to Choose Security Solutions for Mobile Healthcare – Part 1

The last time I visited to the doctor, he recorded everything on a tablet device. While it’s convenient, mobile security is always at the forefront of my mind. I was doing a bit of reading on mobile security and came across the Medicare and Medicaid (CMS) Electronic Healthcare Records (EHR) Incentive Program. This program gives healthcare providers a financial incentive for demonstrating the meaningful use of certified EHR technology or for adopting, implementing, or upgrading EHR technology. EHR technology allows providers to easily record and share patient data so that it’s consistent and readily available throughout the provider chain. This is certainly a great benefit to all healthcare providers as well as patients. No need to transfer records and records can be updated in real time through hand held devices, patient monitors, or diagnostic tools connected to the network.

However, broader access to electronic databases and the use of additional devices to access that data only adds to the already vulnerable IT environment within the healthcare industry. IT components within healthcare are already severely susceptible to hacking and advanced persistent threats. Medical device end points, such as monitors and diagnostic tools, could have severely outdated operating systems that don’t lend themselves to standard patching processes. Even personal healthcare devices, such as insulin pumps, have known vulnerabilities as demonstrated by Jerome Radcliffe when he hacked his own insulin pump. These weaknesses, coupled with the fact that medical practitioners regularly bring their own smartphones and tablets and are often unregulated at many facilities, leaves a provider network open and vulnerable.

The HIPAA Security Rule provides standards for the securing of electronic health information. These rules are in place to protect patient data through access control, audit controls, integrity controls, and transmission controls. While important, they rely on the provider to select and implement the necessary security solutions to prevent a data breach. And without proper security for personal and medical end point devices, it is only one finger in a dam that has many holes.

Stay tuned for Part 2 later this week where I discuss the factors to consider when looking at different security solutions.

UPDATE: Part 2 is live! Check out: How to Choose Security Solutions for Mobile Healthcare - Part 2

Posted by: Gerald Kennedy
 | permalink

Monday, June 09, 2014

Case Study: Optimizing Barracuda Load Balancer to Meet Web Application Demands

Barracuda Load BalancerChallenge:

A regional energy cooperative wanted a way to provide seamless application availability for their customers and scalable performance for future growth demands. Their current Barracuda Load Balancer and Oracle ERP solutions were deployed by a 3rd party using a method that would significantly impact performance and scalability in their  virtualized environments.  With a deadline on the horizon, they needed a solution that offered both flexibility and availability while minimizing complexity.


Newberry conducted a network and infrastructure assessment and found that the current Load Balancer and ERP deployment would only meet a fraction of the organization’s web application demands.  Newberry’s engineer worked closely with the customer to fine tune their Barracuda Load Balancer and rebuild their Oracle ERP system from the ground up while keeping the principles of scalability and application uptime at the forefront.


Newberry enhanced the organizations ability to manage and scale critical application environments by:

  • Creating custom Load Balancer services and rules to automate application failover, rewrite URL requests for cross-platform compatibility with Oracle, and utilized URL redirection to simplify end user navigation during their initial orientation.
  • Tuning the Load Balancer’s application layer for session persistence and Layer 7 health monitoring.
  • Clustering the Load Balancers together using High Availability for seamless failover and web application availability.
  • Identifying I/O performance bottlenecks in virtual and networking environments.
  • Redesigning the customers ERP architecture by reducing complexity and adding additional nodes which resulted in doubling the amount of concurrent users and sessions available.
  • Training and knowledge transfer with System and Network Administrators covering operations, maintenance and advanced troubleshooting.

Why Newberry Group?

As one of the few Barracuda partners that can support the entire product line beyond what was required by this customer, Barracuda immediately turned to Newberry to make this project a success. Newberry’s Barracuda-certified engineers brought their in-depth knowledge, experience and passion for technology that was needed to exceed the demands of this time critical project.

Posted by: Nicholas Trifiletti
 | permalink

Tuesday, May 20, 2014

Case Study: Protecting a Large-Scale Federal Network with Sourcefire NGIPS

Sourcefire logoChallenge:

A Federal agency recognized that they needed to improve their threat protection by monitoring all traffic as it passes through their gateways without hampering their network performance. This agency knew that malware was entering into their network enterprise but was not able to detect it.  Due to client data sensitivity and the need to ensure the security of the network for their customers, they needed to be able to apply customized protections as quickly as possible.


Newberry Group partnered with Sourcefire to provide a solution that included multiple Sourcefire Next-Generation IPS Sensors at the four main data centers. The Sourcefire IPS solution provides the agency with real-time contextual awareness and threat protection with the ability to act intelligently and automatically when an internal host is affected by a client side attack.


With Sourcefire’s NGIPS, Newberry Group helped the customer meet performance and customization demands so that the agency has access to:

  • Real-time contextual awareness with the ability to see and correlate extensive amounts of event data related to their IT environment—applications, users, devices, operating systems, vulnerabilities, services, processes, network behaviors, files and threats.
  • Advanced threat protection to discover, assess and respond to hacking activities, intrusion attempts and vulnerabilities in order to stay ahead of threats.
  • Intelligent security automation with event impact assessment, IPS policy tuning, policy management, network behavior analysis, and user identification. This significantly lowers the total cost of ownership to the agency and enhances their ability to keep pace with changing environments.

Posted by: Tony Hausmann
 | permalink

Monday, April 21, 2014

Case Study: Installing a Websense Web Security Filtering Appliance


Websense logoA Federal agency recognized that they needed to improve their current web security solution to allow for better filtering of the Internet traffic coming in and going out of their network.  They needed to provide for data loss protection, as well as utilize real-time analysis of malware and recognized advanced threats with the ability to perform forensic activities. They needed the solution to provide protection for local and remote users as well as support multiple campus sites.  Additionally, in the end, they wanted to be able to centrally manage the system post-deployment and develop reports for Executive staff and trend analysis.  Thus the solution needed to have an easy to use interface that allowed for the monitoring and management of the entire system from a single location.


Newberry Group partnered with Websense to provide a technical solution that included multiple Websense appliances and the implementation of the Websense Web Security Gateway Anywhere (WSGA) solution installed at a main campus and a satellite location.  The final solution included the following:

  • Scalable deployment for up to 12,000 users with high availability and automated failover and load balancing.
  • Deployment of Websense’s TruHybrid solution that protected the agency’s branch offices and remote and mobile users.
  • Provisioning through a single unified interface.
  • Deployment of Websense’s TruDLP to prevent data loss and enable compliance with agency and NIST standards and policies.
  • Real-time analysis utilizing Websense’s Advanced Classification Engine (ACE) and threat intelligence from Websense’s ThreatSeeker Intelligence Cloud.
  • An advanced threat dashboard providing actionable forensic detail on who was attacked, what data was attacked, where the data almost went, and how the attack was executed.
  • File sandboxing to protect the environment from advanced malware.
  • Training of Websense Administrators on system operation, maintenance and report generation.


Newberry enhanced the agency’s overall environment by optimizing the customers filtering and security monitoring.  The agency now has the ability to:

  • Identify and monitor security vulnerabilities while being supported by manufacturer recommendations, industry best practices and compliance requirements.
  • Implement security configurations for web filtering policy down to a user level.
  • Provide reporting documentation to support security investigations or remediation.
  • Direct reach-back to Newberry engineers and Websense Premium Support

Why Newberry Group?

As a preferred Federal Executive Partner for Websense, Certified Triton Integrator, and Authorized Training Center, Newberry can offer a full scope of products and services to each of our clients. Our in-house certified Websense engineer trainers are able to provide a wide range of professional services that include integration, configuration and installation of Websense technology as well as standard and customized training courses to meet a client’s specific needs.  

Posted by: Valerie Root
 | permalink

Thursday, March 13, 2014

Case Study: Ensuring Network Health with ForeScout CounterACT

Newberry Blog | ForeScout Logo and CounterACTChallenge:

A large Midwest firm wanted to allow employees and guests to access to their networks and internet regardless of the device being used. They also wanted a way to ensure anti-virus and security vulnerability patches were up-to-date on their own Windows devices.

The company needed a solution that provided visibility of their network and attached devices, provided an agentless capability, and was easy to install and manage. Compatibility with the client’s current switch and MDM vendors was another key factor as well as ensuring it could move forward with a future global deployment.


Newberry partnered with ForeScout to provide a plan around the CounterACT solution. The client tested the solution for more than a month to ensure that the product worked well with the existing infrastructure, that it was easy to use, and that it would not cause network disruption.

CounterACT also provided the organization with a large amount of instant information they did not have access to previously. Now they can see who’s connected to specific switches, see who was the last person to log into the network on a specific Windows PC or user IP address, then enforce policies against those devices and machines attempting to connect.


Forescout CounterACT enhanced the health of the customer’s network by providing:

  • A more efficient and effective way to control network access (authority to connect) and ensure endpoint compliance.
  • Real-time inspection and easy manageability of guests, contractors and employees using a variety of devices to connect.
  • The ability to enforce security policies to only allow devices on the main network that have up-to-date antivirus, OS, and application patches.
  • The ability to quarantine any noncompliant devices and devices with viruses and immediately reduce the threat of malware entering the network.
  • An agentless solution with unprecedented compatibility with over 16 switch vendors and multiple MDM, antivirus and antispyware vendors.
  • Fewer resources required for network access control (NAC) deployment, maintenance and administration

With ForeScout CounterACT, Newberry was able to quickly improve the customer’s network health and provide an automated solution for network access control, mobile security and endpoint compliance. Do you have a similar network access situation? Learn more about how Newberry can help.

Posted by: Tony Hausmann
 | permalink

Page size: