Access Audio Here:

 
Download Presentation PDF Here: Six-Practices-in-Best-Cyber-Defense
Before we begin with the questions on the methodology, I would like to ask Mr Pietrocola the following question: just what are some of the new ways cyber criminals are operating and what challenges do these cause IT and C-level executives?
Mr. Pietrocola response;
• CEOs predict that cybersecurity will be the biggest threat to the world economy and their fiduciary responsibilities over the next decade, according to a new 2019 study from Ernst & Young.
• Cyber criminals are very greedy and cunning.
• They are innovative and using next generation technologies, such as artificial intelligence and machine learning, coupled with older technologies such as emails, social engineering and brute force hacking to steal your most confidential data.
• Clearly, the current and emerging attack surface is larger encompassing more devices, social media and public WiFi.
Seventy eight percent of regulated companies in the US financial services industry spend a large percentage of their IT budgets on perimeter defenses designed to protect them against the older more well-known threats – actually McKinsey states $3k per employee. However, the next generation technology is designed to beat these defensive postures making the investment costly, redundant and somewhat ineffective. Its time companies innovate just as cyber criminals are doing.
IT teams think, well maybe a better approach is to hope they are protected. The C-suite doesn’t understand their current status. Many companies still do little more than check the boxes, spend too little and have no real cyber risk management strategy.
For example,
• numerous banks were recently targeted by a simple email that was sent from a “real” employee to the human resource department asking to change his bank account for monthly payroll.
• Over 20 percent of those targeted were beat by this phishing hack and updated an employee’s bank account with one of the hackers.
• A lot of money has been lost on a simple hack.
Question: How much money are we talking about?
Mr Pietrocola response;
• Big, Big numbers!
• There is a concept called “whaling.” Hackers tend to go after the C-Suite and EVPs as they are moving so fast, the executives don’t see the hack coming. Therefore, if an average C-suite executive makes US$300,000 in annual salary, those monthly payments are being siphoned off at the rate of US$25,000 per pop.
Question: How should a financial firm design a cybersecurity protection program within its risk governance parameters?
Mr Pietrocola response:
• First, it is very important to point out that the program should be designed, tested and executed between the cybersecurity team and the chief risk or compliance officer. Note that I didn’t say the IT team. Once the program is ready for prime time both of these groups should prepare the C-suite and potentially their firm’s board of directors for executive table top exercises so all three stakeholder groups have the same understanding of their cyber strategy and can test the response.
• The real question is how companies are testing their programs to ensure compliance with regulatory requirements. Through enforcement actions, issued guidance and hearings, regulatory agencies such as the SEC are providing insight into their priorities regarding data privacy and data security measures. For example, the SEC’s Office of Compliance Inspections and Examinations (OCIE) 2019 Examination Priorities document clearly specifies certain cybersecurity priorities. The OCIE notes “proper configuration of network storage devices, information security governance and policies and procedures related to the security of retail trading information.”
• Furthermore, more companies need to risk score their most critical systems and digital assets to better gauge their cyber exposure. Once they risk score their assets, they can then develop programs to protect those assets with some of the techniques we will discuss later in this webinar. Since this webinar focuses on financial services, we can all speak in terms of dollars and not just subjective scoring methodologies. We can place a dollar value to each asset based on regulations and laws that pertain to our industry, sector and regulator.
• Think about how much more amount impactful it will be if the CIO tells the CEO and/or the board of directors that the firm has a US$25 million exposure of its most critical assets and another US$40 million in total attack surface. Now the executive team can better understand the risks and discuss technological and insurance-based protection in case of breach.
• We recently worked with a large mortgage bank where each workstation (not server) had an average of US$2,700 in potential fines based on ill-stored personally identifiable information (PII). It is a multi-million dollar plus problem for even small-sized financial companies. There is the potential to erode the company’s bottom line and brand value. Therefore, companies need to integrate cybersecurity measures into their day to day processes and make cybersecurity a consideration in major decisions.
• Successful companies have developed a holistic strategic approach that includes the major stakeholders previously discussed. The most publicized breaches failed to incorporate some of the program design constructs we will be discussing today. Post-breach research has showed risk or C-suite understanding was lacking. If you are a CEO, CRO, CCO or CIO you are directly responsible for the cybersecurity of your firm. You should be aware of the risk your organization faces and facilitate budget, directives and staffing for your security team based on your risk evaluation. Cybersecurity isn’t just the IT department problem. It is the problem of the entire company and must be prioritized as such.
Question: How should a financial firm go about identifying all of its critical data assets?
Mr. Pietrocola response:
• Believe it or not, you may have your own percentage of critical assets but practically speaking as much as 50 percent of information assets are not mission critical. They could contain PII or other sensitive data by mistake or redundancy but are generally not considered mission critical.
• Companies should take stock of their information assets; tally the cyber risks they face and focus their cybersecurity assets on mitigating risks to critical asset. This can help them reduce their spending on cybersecurity by up to 20 percent. That said, you can’t protect what is not visible and since protecting everything is very hard, if not impossible, it can be even more difficult to prioritize your critical assets.
Question: What is the difficulty then?
Mr Pietrocola response:
There is a lack of understanding into what PII exists in unstructured data on legacy systems and employee computers. There is an inability to remotely delete or quarantine files from machines containing PII. There is also an inability to comply with data retention policies and sufficient tools to remediate non-compliant files. Insufficiently staffed IT departments make it difficult to search, analyze and communicate effectively regarding PII risk.
Question: Given all these challenges how does a firm begin to identify its critical assets?
Mr Pietrocola response:
Some companies begin prioritization with protecting the assets housing PII, intellectual property, customer transnational data, and financials. Doing so seems like a no brainer but everyone on this call may be surprised how difficult this task is. PII is located on endpoints and clouds throughout everyone’s organizations so it is difficult to effectively manage the risk associated with PII data across the enterprise.
• The best place to get started is not with the IT team cordoning off server and endpoints. It is with the chief risk and compliance officer under the purview of the CEO with board exposure. Firms must perform and enterprise cyber risk assessment of all endpoints, servers, workstations to find what sensitive data exists and the potential cost if that data were stolen. Such an analysis can be done in terms of dollar amounts and regulatory risk scores. However. it must begin with an honest assessment of where it would hurt the most to not only the bottom line but the brand perception.
Question: Your response indicates a bit of skepticism in using IT staff to identify critical assets. Why is that?
Mr Pietrocola response:
I LOVE IT TEAMS! BUT The IT team may not understand the sensitivity and regulatory requirements of all digital assts. I’s crazy to put cybersecurity on the shoulders of the IT team alone. IT has a knack for trying to protect everything because if there is a breach its reputation and jobs are on the line. Let the IT team execute the cybersecurity plan while the execs and chief risk officer define what are the mission critical assets.
Question: How can a financial firm take an offensive approach to tracking hackers?
Mr Pietrocola response:
• A firm must start by detecting attacks in real time or before they happen, not months later. Current security tools are reactive in nature…how does that help? Think about this, the average time malware dwells on a financial firm’s network is about 197 days. This is what happens when you are playing defense with busy IT personnel who aren’t out hunting for the bad guys.
• So far in this webinar we have talked about identifying and protecting your company’s critical assets and data. However, playing defense won’t win you the game alone. Financial firms which have a strong cyber-focused approach have offensive strategies.
• Let’s assume you have properly assessed your assets and have a solid idea of what data needs the most protection because of potential financial loss, regulatory fines, litigation and reduced brand perception. To take an offensive approach a cyber-smart organization will first implement a Security Operations Center (SOC) and include threat hunting. A SOC allows a company to deliver 24/7 threat monitoring, detection and auto response services to companies leveraging a combination of technologies deployed at the host and network layers, advanced analytics, threat intelligence, and response. Companies using a SOC experience on average 73 percent fewer breaches according to a study done by Deloitte in 2018. Furthermore, the average financial firm is spending just under $3,000 per employee to combat cyber threats. Utilizing a SOC and further a SOC-as-a-Service provides 24X7 offensive detection and hunting but lowers the per employee cost by over a third. That is a big percentage.
• Now the fun part starts- threat hunting. Rather than relying solely on static signatures, true hunting should depend on using heuristic analysis to examine behaviors and patterns across the company, industry peers and the internet. As thousands of logs are collected experienced security analysts using machine learning technology, can weed out the noise and reduce thousands of events and alerts to those that have a factor of irregularity. The key is that the machine learning technology learns the actions, events and routines of the legitimate users. Once deviations begin machine learning alerts analysts to do more research. The best part of such technology is that it can auto-remediate to ensure alerts are prioritized and placed on watch stopping the malware or hack from moving forward. We are hunting the hunters before they are able to execute their malicious applications.
Question: Haven’t hackers and cyber criminals figured out how to game the system using the same machine learning technology?
Mr Pietrocola response:
Of course. They are super smart engineers. That is why you have to constantly adapt your machine learning platform to ensure you are staying a step ahead. Cyber criminals are beating emails and antivirus with big advances in machine learning and artificial intelligence especially when it comes to phishing. It’s easier to develop algorithms that get employees to NOT click on malicious emails. The headline here is good SOC-as-a-service is constantly innovating. Because we have a portfolio of customers, not just one, we can learn and protect clients with greater scale and effectiveness.
Question: How can a financial firm build security features into its applications?
Mr Pietrocola’s response:
• Everything is an application these days. Whether it be a cloud-based CRM, core-banking system, customer mobile app or portal, the list is endless. Software has eaten the world, as Marc Andreessen from Netscape and now Andreessen Horowitz famously argued, and the world is run by applications.
• Since companies are building their own engineering teams and developing apps and publishing continuously, we see the need for IT to scan applications that can execute over 100 attack modules using OWASP, SQL, Injection, and cross-site scripting, etc. Companies can easily scan targets into application portfolios. Web applications these days are rarely monolithic. They have complex multi-component architectures such as decoupled front ends that interface with micro-services that transact with the backend as well as multiple stages, such as development, pre-production and production.
• Newer technologies dealing with run time protections or RASP can actually use run time instrumentation to detect and block computer attacks by taking advantage of information from inside the running software. Therefore, an organization has protection in front of and within its core applications.
• All right here are a few interesting stats courtesy of Verizon’s 2018 Cyber Report: 44 percent of all cyber-attacks on financial institutions in 2018 began by attacking applications, API’s and client portals, etc. Cyber criminals are finding wide open holes in open source technologies that are commonly used. Further the average financial company website or portal has 51 vulnerabilities…51! And these vulnerabilities are not segregated from the network, they lead back to the network. The front door is cracked, and the backdoor is wide open!
Question: There is a lot of talk about protecting critical data in a cloud? How can that be scanned for cyber threats?
Mr Pietrocola response:
• It can be a tad more difficult but a good SOC has developed agents to ensure whatever your cloud provider may be- whether it is Amazon Web Services (AWS), Google Cloud, Microsoft Azure or privately protected cloud be protected. This includes protection for Microsoft 365 and the Google Suite.
• For example, AWS and Azure operated on a shared responsibility model for security. This means that while Amazon and Microsoft secure their infrastructures, users are responsible for the security of their applications, content and systems. Customers of AWS or Azure still need a managed security service for both security and compliance challenges. Nothing changes the fact they need threats to be discovered in real-time, t continuously scan for responsibilities, to respond to incidents and to demonstrate compliance.
Question: What should a firm protect against cyber breaches when changing or upgrading current applications?
• Mr Pietrocola response: The key here is upgrading and patching. The overwhelming majority of application breaches happen when applications are not patched or upgraded. This approach is critical. It should be part of your IT cybersecurity and will keep you in compliance. This is like shooting yourself in the foot if you are breached because you failed to upgrade or patch. The application vendor knows there is a security hole, tells you how to fix it and what do you do, go ignore it!
• When changing an employee application, it is vital to perform an c a cybersecurity checklist review to understand how compliant the vendor is. This task is part of being compliant with the stated vendor management process and regulations.
• By the way and I cannot believe I have to reiterate this, but you can only buy and use technology that is security-sound. Do you have any idea of how many applications are downloaded on phones, iPads and laptops that are not secure and let the publishers own the data. Now this is scary. The number one app over the past three weeks has been Face App which allows you to upload your pics and shows you what you will look like when they are old. By the way, who wants to know what they will look like when aged. Look in the mirror daily!
• Anyway, 38 percent of the downloads of that app are happening on the company WiFi or to mobile devices that have huge email and other connections to confidential corporate assets. If you don’t think this leads to a compromise, you are delusional. Just think about this for a second. It’s happening right now as we talk.
Question: A recent analysis showed that cryptojacking was on the rise. What can firms do mitigate against that?
Mr Pietrocola response:
• On a personal note, I’m a big fan of Bitcoin but cryptojacking is a real problem that can totally infiltrate your most critical assets. Hackers do this by either getting the employee to click on a malicious link in an email that loans cryptomining code on the computer, or by injecting a website or online ad with JavaScript code that auto-executes once loaded into the victim’s browser. Again, with the employees clicking on emails they shouldn’t be it has become a pervasive problem.
• This February, a Bad Pockets Report found that 34,474 sites running Coinhive, the most popular JavaScript miner. Here is a scary figure: 48 percent of financial service firms use Github in their in-house engineering teams. In March, Avast Software reported that cryptojackers were using Github as a host for cryptomining malware.
• So, how can financial firms mitigate. First, training your employees on phishing, often. Then deploy a SOC. A good SOC-as-a-service can monitor, detect, remediate and even prevent this. If you are already a victim, a SOC can detect this and remediate the problem. Third, keep browser extensions updated and fourth, use a mobile device management (MDM) solution to better control what is on users devices since everyone allows bring-your-own device.
Question: Training is often cited as a critical cyber defense. How can a financial firm train its employees to be more aware of potential threats?
• Mr Pietrocola response: Your weakest link as a financial firm is also your greatest asset– your people. They enable a firm to deliver market beating financial returns and boost its growth. However, if not properly trained they can also be a weakness that cyber criminals are only too keen to exploit. However, sixty percent of senior executives surveyed by the Ponemon Institute for a recent study say their employees are not knowledgeable about their company’s cybersecurity risks. The Ponemon Institute also found 55 percent of companies surveyed had already experienced a security incident due to a malicious or negligent employee.
• Verizon, the multinational telecommunications firm, says that the significant proportion of cyber incidents are caused by either malicious insiders or more often human error. Its 2017 data breach investigations report showed that 43 percent of reported breaches involved social engineering of some form, most notably in the guise of phishing. For ransomware attacks the figures are even higher with the vast majority of ransomware attacks originating in an email tricking the recipient into opening a malicious attachment.
• Therefore, it is critically important throughout the year to educate and remind employees about best practices like changing their passwords, creating strong passwords and not writing their password down on a post-it note stuck to their monitor. Even more important is proper training against phishing emails which means training and testing that training all year-round. This is not a one time and you’re done training.
• The employee education also needs to include education on social engineering, spearfishing, whaling and business email compromises. Companies need to annually review their policies on password management, bring your own device and removable media policies with the human factor in mind.
• Even if a business invests in top security solutions that feature secure network access and ensure encryption of all communications and authentication procedures, sensitive data could be at risk to hackers. Consider an employee who decides to bring device from home, such as a tablet, into the office to access emails through the day. The tablet may not be set up with secure software or anti-virus protection, thereby running the risk of connecting to an unsecured network. Imagine the nightmare of having dozens or even hundreds of unsecured devices of this type connected to your organization’s network and accessing the cloud.
Question: Is the answer then to ban the use of such devices at the office? Or what then.
• Mr Pietrocola response: This cannot and will not happen. Our lives run from our devices. I spend my business day on my smart phone. Don’t we all. Since you can’t stop people from using smart phones, connecting to public WiFi especially when traveling and bring your own devise you must deploy SOC monitoring to detect, prevent and remediate cyber threats. If you banned devices it would be like charging for water in your office. You will lose people and quickly.
Question: We have mentioned malicious employees. How can a firm predict a cyber breach from a malicious employee?
Mr Pietrocola response:
• Okay, now is the tough stuff. If the NSA, CIA and FBI can’t stop a Snowden or a Manning how can you protect against Bob Smith. By the way, if you have a Bob Smith in your firm, I’m sure he is a great guy. Sorry Bob. Again, properly monitored networks can protect against this as monitoring solutions would be able to detect abnormalities and potential exploits. For example, if an employee were taking confidential business documents, financials, documents with PII, PCI, HIPAA and began emailing them to DropBox or another cloud platform, such activity can detected and stopped or technology integrated at the end points could encrypt these docs or prohibit them from being shared or emailed out. These are simple policies that need to be considered.
• The last two companies I worked for explicitly forbid anyone from the CEO to an engineer from using any removable media in laptops. We soundly protected our IP against potential rogue employees. It was a little bit of a pain, but for us in the C-suite it was a total piece of mind. Now how do you stop someone from using a smart phone to snap a picture of confidential data and text that out. That becomes nearly impossible. I guess we all need to hire smarter!
Question: The use of chat rooms and social media is on the rise. How can a firm prevent a cybersecurity breach from an employee using one of those means of communication?
Mr Pietrocola response:
• Websites can be blocked on a corporate network, but anyone can use his or her mobile device. The idea here is ensuring networks are monitored and employees are trained.
Question: Once the cybersecurity defenses have been put into place, comes testing. How should a firm conduct tabletop exercises with IT and the C-Suite?
Mr Pietrocola response:
• Knowing that cyberattacks will occur, companies should consider plans for responding to them. Once their incident response plans ae in place, companies should regularly put them to the test in simulated cyber attacks or Table Top Exercises. Such realistic simulations can increase digital resilience and improve the communications efforts to customers, investors and regulators. How can you communicate unless you know what happened, what was affected and what you are doing to solve the issue now and prevent it from happening again.
• The purpose of a Table Top exercise is to evaluate an organization’s preparedness for a particular disaster and to inform the required stakeholders of their roles in the response. I strongly recommend this be done with your IT team, communications team and the C-suite. According to the Ponemon Institute, companies that have a plan in place end up saving about 25 percent of the cost of responding to an incident. This should give the C-Suite and the board some peace of mind as they know their organization is prepared for the inevitable.
• At a minimum, I recommend that every company have a one-page plan that identifies some high-level objectives for responding to an incident including whom to contact, when to contact him or her and what triggers the incident response process. Companies that truly excel should have more robust plan that is tested annually.
Question: How should the tabletop exercises be adapted for C-suite executives, given that not all of them might be knowledgeable in cybersecurity? Who should be involved in developing the exercises?
• Mr Pietrocola response: That is the point. The C-suite is most likely not knowledgeable about cybersecurity. The folks are busy running the business. A good tabletop exercise done with the C-suite, run by a third party with the blessing of the CIO, shows the C-suite just how prepared the organization is to handle the top five to seven most common financial service breaches.
Question: What do executives need to know?
Mr Pietrocola response:
• They need to hear about their strengths and weaknesses, the legal process in the event of a breach, the internal and external communications, firm-wide departmental coordination, decision making, escalation and remediation. This is not a technical discussion. It is a business continuity planning discussion.
Question: We have discussed defending against cyber threats. How will the steps we discussed help prevent regulatory sanctions?
• Mr Pietrocola response: In 2018, the SEC’s OCIE examined about 17 percent of RIAs, compared to only nine percent just five years earlier. That percentage is expected to be closer to 25 percent in 2019 and even higher. That means that your firm has an even greater chance of being examined than ever before. The SEC and FINRA wil continue to prioritize cybersecurity in each of its five examination programs with examinations focused on the proper configuration of network storage devices, information security governance and policies and procedures related to retail trading information security. The OCIE recently announced two new cybersweeps. One announced in March is focused on cybersecurity at branch offices while the other is focused on vendor due diligence and oversight, looking at how firms are protecting data at third parties and cloud service providers.
Question: Based on the six steps we outlined above, which one do you feel has the greatest risk for error and why?
• Mr Pietrocola response: This will be a short answer but aside from my saying that all are major risks for error, employee training and table top exercising are the ones most ripe for error.
Question: Why those two categories in particular?
• Mr Pietrocola response: Because we are all human and that means we fail. Those are human driven exercises. However, deploying a SOC can help limit the ill effects of human induced errors.
Question: What can investment advisers do to prepare for the new cyber sweeps in particular?
Mr Pietrocola response:
This year, OCIE has announced plans for two new cyber sweeps especially with RIA’s in mind. Firms should be prepared to receive any of the document request lists from all the security sweeps. I recommend firms need to prepare to discuss a wide range of topics including cloud and network, your vendor management program, employee training.
This is no secret but proper configuration of network storage devices, information security governance generally, and policies and procedures related to retail trading information security. If you read the highlights OCIE will emphasize cybersecurity practices at investment advisers with multiple branch offices, including those that have recently merged with other investment advisers, and continue to focus on, among other areas, governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response. This seems like simple stuff, common knowledge but the stats show only about 15% of financial service companies are prepared to handle these hackers let alone the auditors.
Question: So far, we have discussed the six steps firms can take themselves to protect against cyber threat. Your firm offers security as a service. What exactly does it offer and under which circumstances should a firm consider it?
Mr Pietrocola response:
• Agile 1’s SOCaaS is designed to protect your mission critical assets, save your company money and provide you with peace of mind. Our SOC is managed by a team of certified security analysts, 24/7 security monitoring and alerting. We identify threats, auto remediate problems, mitigate future issues and provide in depth reporting that gives you complete visibility of your company’s data security. Our team is certified in offensive threat hunting that utilize our sophisticated machine learning technology that hits the bad guys before they hit you.
Question: What would you say to firms that say we can create such a SOC in-house?
Mr Pietrocola response:
• You can build an internal SOC. But consider these factors. First, hiring is difficult as there is an estimated three-million-person shortage in cyber disciplines. Second, the Ponemon Institute estimates that it is seven times more expensive to build your own SOC when you take into account, hiring, license costs and continuity training. I think it’ probably closer to 4.5 times more expensive but as you can see the costs are staggering. Why recreate a wheel while you are driving. Use the proven one you can see. I can send more figures upon request. Third, a SOC as a service such as ours at Agile 1 can see and learn from similar clients across our portfolio of clients. You don’t and won’t have access to this. You will just have access to your own data. This helps with proactive threat detection. Finally, regulators love to see you using an expert third-party that is an extension of your team.
Question: Your firm also provides a virtual CISO. What exactly is that and under which circumstances should a firm consider such a service?
Mr Pietrocola response:
• Agile 1 can complement your internal IT team adding a top-tier security expert. Seventy percent of C-level business executives now believe that a CISO’s guidance can increase profitability. I don’t know about that, but I know it can save you a ton of money against breaches and regulatory fines. Our certified top-tier talent provides organizations with a CISO of your own. We can evaluate your current efforts, develop a strategic plan, communicate the plan with your executive team and board and then work with your team to guide the execution of the plan. Our CISO experts are trained to keep your environment safe and act as a member of your team, not just an external consultant. It is critical that the CISO act independent of the IT team to give you an impartial view of your cyber risk. Our CISOs develop trusted relationships with our CIOs and other executives to become an impartial member of your cybersecurity team.
Question: Here is a question one of our attendees posed in advance of this event. How does a financial firm know if a data breach occurred on its side or from the side of a third-party vendor? And related to this question: What is the biggest cyber threat from a third-party vendor.
Mr Pietrocola response:
• Talk about counterparty risk! By 2022 API abuses will be the most frequent attack vector resulting in data breaches focused on enterprise web applications, according to Gartner Research. Sixty one percent of companies reported a data breach caused by a vendor’s API or other integration points. It is critical to ensure that all your vendor-supplied applications and APIs are up to your own internal security standards and identify what hackers know about external domains and assets. It’s very important to implement a governance process for third-party vendors and work with your vendors to access and remediate their code.
Question: Once a breach has happened, how does a firm find out whether the breach was its own fault or the fault of the third-party vendor?
Mr Pietrocola response:
• Through proper forensics, which are part of any SOC-as-a-service program.
Question: We have one final question from one of our attendees. Given that the financial services industry is always dealing with mergers and takeovers how should cybersecurity be factored into the merger or takeover process.
Mr. Pietrocola response:
• In an M&A transaction, it is critical to understand the nature and significance of the target’s vulnerabilities, the potential scope of the damage that may occur (or that has already occurred) in the event of a breach and the extent and effectiveness of the cyber defenses the target business has put in place to protect itself. An appropriate evaluation of these issues could, quite literally have a major impact on the value the acquirer places on the target market and on the way it structures the deal. For example, Yahoo was acquired for US$350 million less than intended by Verizon after it revealed the largest email breach in history.
• Omitting cybersecurity in M&A due diligence, conducting superficial evaluations, or limiting such due diligence to a company’s IT systems rather than treating cybersecurity as a risk category in its own right means ignoring the serious risks that cyber threats pose to all companies and to M&A deals involving them.