A beer with a CISO

A few weeks back I caught up with a mate of mine who is a CISO for a major international bank. We try to make the effort to meet regularly, and I never pass up the opportunity to ask him some tough questions: insight into the challenges, trends and priorities of the Financial Services Industry (FSI) is always valuable. These privileged relationships are extremely useful for keeping your finger on the pulse.

What follows are the highlights of our conversation, and what I am most curious about is this: does any of it look like your own experiences?

ME: What are your top 5 technology security challenges?

CISO mate:

1. Malware
2. Data exfiltration
3. DDoS
4. Privileged access
5. Toxic access

ME: Toxic access? What do you mean by this?

CISO mate: The failure to remove previously issued access entitlements from users once they are no longer necessary or appropriate.

A real and serious example in the FSI is employees who move roles from middle office to front office, accumulating excessive privileges. Users who drag excess entitlements into their new role may create toxic combinations of access that often result in segregation-of-duties violations or other business risks. The organisation's strategy for dealing with this is currently to revoke all access when an employee moves roles or departments. They are then required to request new access based on their new role.

ME: Sounds like a lot of work?

CISO mate: It's an operational overhead; however, it is a necessary countermeasure to the threats we face. We don't want to be the next SocGen (a reference to the trading losses of the French bank Société Générale in 2008 from the actions of convicted rogue trader Jérôme Kerviel).

ME: DDoS - do you think this is an overhyped issue or a real threat for the Financial Services Industry?

CISO mate: Absolutely real, and something that, from the intelligence and conversations we've had with other banks, is only going to get more serious. What is really interesting is that the attacks are becoming more sophisticated, and cyber-criminals are blending them in with other attack techniques to prevent victims of eFraud from accessing their accounts after a fraudulent transaction has occurred. More specifically, this is part of a very well planned and thought-out eFraud campaign against high net-worth individuals who have higher daily transfer limits.

One other area that has caused some stress is that the attackers coordinate their attacks to roll around every 10-20 minutes. This has really caused some challenges in terms of algorithms that profile the traffic over periods of time. These spikes not only impact availability, but have also forced us to rethink our response plans. No longer are we able to have a reactive solution; it needs to be able to respond in real time.

ME: Data exfiltration - what is your biggest concern, the much talked about APT or the insider?

CISO mate: Both! This threat really goes hand-in-hand with toxic access. Often there is data that the insider wishes to get out of the organisation to further whatever cause or objective they have. Then of course we have this mystical, much-hyped APT. Whilst we could never turn off antivirus, the reality for us is that we've had to truly re-think our strategy here. AV has continually proven itself to be ineffective in detecting much of the modern advanced malware out there.

It's not the users installing dodgy software or even using USB memory sticks; it's the huge number of websites that are infected with drive-by malware and exploiting the million and one vulnerabilities in the end-user's machine. We actively filter URLs and content, but so much of this malware is 'packed' in a way that makes it undetectable.

[We then spent quite a few minutes talking about how malware writers are trivially making their malware Fully Undetectable (FUD) through various 'packing' and obfuscation techniques.]

CISO mate: So the challenge for us is two-fold. Firstly, detecting websites that are infected with drive-by malware and preventing users from accessing these sites. Secondly, patching the end-users' systems. This is a change management nightmare; we are simply unable to certify these patches against our SOE quickly enough.

So we've been looking into Virtual Desktop Infrastructure (VDI) as one option: completely locking down the environment and just delivering a thin client to users. But that just doesn't work in low-bandwidth regions or fit the needs of the knowledge worker.

So to complement this, we've been looking at advanced malware detection and response technologies, along with the big data security promise. This all takes time, money and resources, and we're still trying to figure out what 'normal' looks like when we and other organisations are running so fast.

[At this point we moved onto other topics.]

So does any of this sound familiar?
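The toxic-access problem the CISO describes (entitlements accumulating across role moves until they form segregation-of-duties conflicts) and the bank's countermeasure (revoke everything on a role change, then re-grant only the new role's access) are easy to model. What follows is an added example written for this post, not code from the bank or the author; the roles, entitlement names and SoD rule pairs are constructed for illustration. It compares the two role-move behaviours side by side and runs a review that reports both SoD violations and entitlements the user's current role does not justify.

```python
"""Toxic-access review: SoD conflicts and out-of-role entitlements.

Constructed example. Role names, entitlement strings and the SoD rule
pairs below are illustrative, not a real institution's access model.
"""
from dataclasses import dataclass, field

# Segregation-of-duties rules: pairs of entitlements no single person
# should hold at the same time (constructed, illustrative).
SOD_RULES = {
    frozenset({"trade.book", "trade.confirm"}),
    frozenset({"payment.create", "payment.approve"}),
    frozenset({"trade.book", "settlement.release"}),
}

# Entitlements each role is entitled to (constructed role model).
ROLE_ENTITLEMENTS = {
    "middle_office": {"trade.confirm", "settlement.release", "report.view"},
    "front_office": {"trade.book", "market.data", "report.view"},
    "payments_ops": {"payment.create", "report.view"},
}


@dataclass
class User:
    name: str
    role: str
    entitlements: set = field(default_factory=set)


def sod_violations(entitlements):
    """Return every SoD rule fully satisfied by this entitlement set, as sorted tuples."""
    return sorted(tuple(sorted(rule)) for rule in SOD_RULES if rule <= entitlements)


def excess_entitlements(user):
    """Entitlements the user holds that their current role does not grant."""
    return sorted(user.entitlements - ROLE_ENTITLEMENTS[user.role])


def move_role_accumulating(user, new_role):
    """The failure mode: the user keeps old access and gains the new role's on top."""
    user.role = new_role
    user.entitlements |= ROLE_ENTITLEMENTS[new_role]
    return user


def move_role_revoke_all(user, new_role):
    """The countermeasure: drop all prior access; only the new role's access is re-granted."""
    user.role = new_role
    user.entitlements = set(ROLE_ENTITLEMENTS[new_role])
    return user


def review(users):
    """Per-user findings a periodic access review would surface."""
    return {
        u.name: {"sod": sod_violations(u.entitlements), "excess": excess_entitlements(u)}
        for u in users
    }


def build_scenario():
    """Two middle-office users move to front office; one drags access along, one is reset."""
    alice = User("alice", "middle_office", set(ROLE_ENTITLEMENTS["middle_office"]))
    bob = User("bob", "middle_office", set(ROLE_ENTITLEMENTS["middle_office"]))
    move_role_accumulating(alice, "front_office")
    move_role_revoke_all(bob, "front_office")
    return alice, bob


if __name__ == "__main__":
    for name, findings in review(build_scenario()).items():
        print(f"{name}: SoD violations={findings['sod']} excess={findings['excess']}")
```

Running it shows alice, who kept her middle-office access, now holding two toxic combinations (book plus confirm, book plus release settlement) and two entitlements her new role never granted, while bob, reset on the move, is clean. The `excess` check is the one to run on a schedule: it catches drift even when no SoD rule happens to name the stale entitlement.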

Stories by John Ellis