A few weeks back I caught up with a mate of mine who is a CISO for a major international bank. We try to make the effort to meet regularly, and I never pass up the opportunity to ask him some tough questions—an insight into the challenges, trends and priorities of the Financial Services Industry (FSI) is always valuable. These privileged relationships are extremely useful for keeping your finger on the pulse.
What follows are the highlights of our conversation. What I am most curious about is whether this looks anything like your own experiences.
ME: What are your top 5 technology security challenges?
2. Data exfiltration
4. Privileged access
5. Toxic access
ME: Toxic access? What do you mean by this?
CISO mate: The failure to remove previously issued access entitlements from users once they are no longer necessary or appropriate.
A real and serious example in the FSI is employees who move roles from middle office to front office, accumulating excessive privileges. Users that drag excess entitlements into their new role may create toxic combinations of access that often result in segregation-of-duties violations or other business risks. The organisation’s strategy for dealing with this is currently to revoke all access when an employee moves roles or departments. They are then required to request new access based on their new role.
ME: Sounds like a lot of work?
CISO mate: It's an operational overhead, however it is a necessary countermeasure to threats we face. We don't want to be the next SocGen (reference to the trading losses of French bank Société Générale in 2008 from the actions of convicted rogue trader Jérôme Kerviel).
ME: DDoS - do you think this is an overhyped issue or a real threat for the Financial Services Industry?
CISO mate: Absolutely real, and something that, from the intelligence and conversations we've had with other banks, is only going to get more serious. What is really interesting is that the attacks are becoming more sophisticated and cyber-criminals are blending them in with other attack techniques to prevent victims of eFraud accessing their accounts after a fraudulent transaction has occurred. More specifically, this is part of a very well planned and thought out eFraud campaign against high net-worth individuals who have higher daily transfer limits.
One other area that has caused some stress is that the attackers coordinate their attacks to roll around every 10-20 mins. This really has caused some challenges in terms of algorithms that profile the traffic over periods of time. These spikes not only impact availability, but have also forced us to rethink our response plans. No longer are we able to have a reactive solution; it needs to be able to respond in real-time.
ME: Data exfiltration - what is your biggest concern, the much talked about APT or the insider?
CISO mate: Both! This threat really goes hand-in-hand with toxic access. Often there is data that the insider wishes to get out of the organisation to further whatever cause or objective they have. Then of course we have this mystical, much-hyped APT. Whilst we could never turn off antivirus, the reality for us is that we've had to truly re-think our strategy here. AV has proven itself continually to be ineffective in detecting many of the modern advanced malware out there.
It's not the users installing dodgy software or even using USB memory sticks; it's the huge number of websites that are infected with drive-by malware and exploiting the million and one vulnerabilities in the end-user's machine. We actively filter URLs and content, but so much of this malware is 'packed' in a way so that it is undetectable.
[We then spent quite a few minutes talking about how malware writers are trivially making their malware Fully Undetectable (FUD) through various 'packing' and obfuscation techniques.]
CISO mate: So the challenge for us is two-fold. Firstly, detecting websites that are infected with drive-by malware and preventing users from accessing these sites. Secondly, patching the end-users' systems. This is a change management nightmare; we are simply unable to certify these patches against our SOE quickly enough.
So we've been looking into Virtual Desktop Infrastructure (VDI) as one option. Completely locking down the environment and just delivering a thin client to users, but that just doesn't work in low bandwidth regions or fit the needs of the knowledge worker.
So to complement this, we've been looking at advanced malware detection and response technologies, along with the big data security promise. This all takes time, money and resources, and we're still trying to figure out what 'normal' looks like when we and other organisations are running so fast.
[At this point we moved onto other topics.]
So does any of this sound familiar?
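The toxic access discussion above describes two things an entitlement review has to catch: entitlements a user dragged in from a previous role that the new role does not need, and combinations of entitlements that violate segregation of duties. The following is an added example written for this post, not code from the bank or from the original conversation. The role baselines, the conflict matrix and the user records are constructed sample data; real middle office and front office entitlements will look different.

```python
"""Entitlement review for 'toxic access' after a role change (added example).

Compares a user's entitlements against the baseline for their current role
and against a segregation-of-duties (SoD) conflict matrix, then contrasts the
'drag everything along' role move with the revoke-all-on-move countermeasure
the post describes. All data below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed: the entitlements each role legitimately needs.
ROLE_BASELINE = {
    "middle_office": {"trade_confirm", "position_reconcile", "pnl_report_view"},
    "front_office": {"trade_entry", "trade_amend", "pnl_report_view"},
}

# Constructed: pairs of entitlements one person must never hold together.
SOD_CONFLICTS = [
    frozenset({"trade_entry", "trade_confirm"}),       # book a trade and confirm it yourself
    frozenset({"trade_amend", "position_reconcile"}),  # alter a position and reconcile it yourself
]


@dataclass
class User:
    name: str
    role: str
    entitlements: set


def toxic_pairs(entitlements, conflicts=SOD_CONFLICTS):
    """Return every SoD conflict pair fully contained in the entitlement set."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= entitlements)


def excess_entitlements(user, baseline=ROLE_BASELINE):
    """Entitlements the user holds that their current role's baseline does not grant."""
    return user.entitlements - baseline.get(user.role, set())


def review(user):
    """Access review output: excess entitlements plus any toxic combinations."""
    return {
        "excess": sorted(excess_entitlements(user)),
        "toxic": toxic_pairs(user.entitlements),
    }


def move_role_naive(user, new_role):
    """Role change that carries old entitlements along (the accumulation the post warns about)."""
    return User(user.name, new_role, set(user.entitlements))


def move_role_revoke_all(user, new_role):
    """The countermeasure from the post: every entitlement is revoked on a role move."""
    return User(user.name, new_role, set())


def request_access(user, entitlement, baseline=ROLE_BASELINE, conflicts=SOD_CONFLICTS):
    """Grant a requested entitlement only if the current role needs it and it creates no SoD conflict."""
    if entitlement not in baseline.get(user.role, set()):
        return False
    if toxic_pairs(user.entitlements | {entitlement}, conflicts):
        return False
    user.entitlements.add(entitlement)
    return True


def demo():
    """Walk one constructed user through both role-move strategies and review each result."""
    alice = User("alice", "middle_office", set(ROLE_BASELINE["middle_office"]))

    # Path 1: entitlements dragged along, then legacy provisioning adds the new role's
    # baseline with no SoD check. The review has to catch what provisioning let through.
    dragged = move_role_naive(alice, "front_office")
    dragged.entitlements |= ROLE_BASELINE["front_office"]
    naive_result = review(dragged)

    # Path 2: revoke everything on move, then re-request only what the new role needs,
    # with each grant checked against the role baseline and the SoD matrix.
    clean = move_role_revoke_all(alice, "front_office")
    for entitlement in sorted(ROLE_BASELINE["front_office"]):
        request_access(clean, entitlement)
    clean_result = review(clean)

    return naive_result, clean_result


if __name__ == "__main__":
    naive, clean = demo()
    print("dragged entitlements:", naive)
    print("revoke-all then re-request:", clean)
```

Running `demo()` shows the dragged path holding two entitlements outside the front office baseline and two toxic pairs, while the revoke-all path reviews clean. The `request_access` check is the piece that turns the operational overhead the CISO mentions into a control: a user who did keep `trade_confirm` would be refused `trade_entry` rather than silently accumulating the pair.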