Follow the Money: Threat Intelligence for Financial Institutions
By Amanda McKeon on September 5, 2017
When you’re responsible for safeguarding the money, not to mention the personal financial information of your clients, what are your specific needs when it comes to threat intelligence? Where do you begin, and how do you get the best bang for your buck? Is open source intelligence enough, or should you invest in a paid solution from the outset? What about regulators? And how do you get buy-in from the board?
Here to answer these and many other questions is Dr. Christopher Pierson. He’s chief security officer and general counsel at Viewpost, an electronic invoice, payment, and cash management company. He also serves as a special government employee on the Department of Homeland Security Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee, and is a distinguished fellow of the Ponemon Institute.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, I’m Dave Bittner from the CyberWire. Thanks for joining us for episode 22 of the Recorded Future podcast. In today’s episode, we focus on threat intelligence for financial institutions. When you are the one safeguarding the money, not to mention the personal financial information of your clients, what are your specific needs when it comes to threat intelligence? Where do you begin and how do you get the best bang for your buck? What about regulators, and how do you get buy-in from the board?
Here to answer these and many other questions is Dr. Christopher Pierson. He’s chief security officer and general counsel at Viewpost, an electronic invoice payment and cash management company. He also serves as a special government employee on the Department of Homeland Security Data Privacy and Integrity Advisory Committee and the Cybersecurity Subcommittee. He’s also a distinguished fellow of the Ponemon Institute. Stay with us.
The financial sector has so many different threats coming at it, both in terms of many financial fintech companies having not just information on a person’s financial accounts and critical sensitive data, but also where the money is and where the money is transacted. These days, with the fintech industry booming so much, oftentimes fintech companies are the connectors between the banks and their system providers. In terms of threat intelligence for financial institutions, it’s more from physical intelligence on which type of criminal organization may or might be looking at a bank, or looking at an ATM, or skimming operations, or physical theft and robbery, into the digital world. Into the cybercrime and cybercriminal world of who’s looking at increasing carding sites and hacking attempts on payment processors. Who’s looking at exploiting website vulnerabilities and the login instances. Who, under federated models, is looking to, essentially, electronically knock over different institutions that might have backends that are supplied by common carrier providers.
When you take a look at threat intelligence as it relates to the electronic world for financial institutions, it’s all those same risks that they had in the physical world just coming at them electronically through their customers, through their websites, through all the different ways you operate. The mobile apps, mobile banking, the ATM machines — all those are direct interfaces and conduits into financial institutions directly, and then, of course, the fintech companies are all directly connected into those financial institutions, as well as trusted partners. The landscape, the security plane, has greatly increased in terms of how, potentially, cybercriminals can take advantage of electronic compromise, data breach, and other forms of surveillance into financial institutions, banks, and really, it calls for a much more holistic intelligence threat program.
The organizations that are within the financial sector — how do they go about prioritizing the weighting of the different sources that are coming at them? There’s no shortage of sources of threat intelligence, open source, private, and so forth. How do they go about deciding what demands their attention?
This is a key problem for financial institutions. As you point out, there’s a number of different sources that come out of the government, or are government-aligned. When financial institutions look at who they’re pulling information from, it’ll be from the FBI in terms of the FBI directly, as well as the InfraGard units that they have throughout the U.S. The Secret Service: it’ll be through the Secret Service directly, but especially the Electronic Crimes Task Force. DHS also has several different working groups that collaborate in this space as well, but also, I include within this the ISACs. The ISACs, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), as kind of your quasi-government, quasi-private information sharing and threat intelligence group. You have that first category of government.
Second category you have is private sector threat intelligence. That could be that which comes from directive vendors themselves, as well as more program players. Folks that look at threats no matter how they come in, where they come in, and aggregate, analyze, and produce that data for you. Of course, all of the open source, third category being the open source data that you can grab and glean. Some of it quite good. The problem isn’t necessarily with the financial sector not having resources or the availability of the capacity to grab that information. That is all there. It can be paid for, it can be bought, it can be bartered for, it can be joined in terms of listservs in organizations, and even in physical in-person meetings.
The problem that they have is kind of like the problem that the CIA has. Huge vacuum cleaner, huge collector for intelligence, and great as a DVR mechanism, in terms of being able to look at it after the fact. What we have to do, and do a better job of, is actually grabbing in what is truly important, making sure that we’re picking sources from government, from private, and from open source, and combining it into one management plane. One single pane of glass, one management plane so you can figure out, what are the things that I as a bank, I as a financial institution, I as a fintech company have decided and selected are truly important for me. How am I going to rank and risk those according to the gear that we have, whether they’re in a data center, whether they’re in the cloud, the types and specific number of gear we have, and what we’re actually doing?
How am I going to make sense of it? That is the single biggest problem that, I think, financial institutions have, is the capacity and capability of being able to understand the data that they’re having flowing. It isn’t a lack of data, it’s being able to make sense of it and make sense of it in a risk-based format.
Are there companies who are successfully doing that?
I think that there are companies that are successfully doing this in terms of threat intelligence programs. Somewhat the problem becomes, “how are you doing this and who is doing it?” In larger financial institutions, coming, once again, out of the physical security space. These groups worked with law enforcement, Secret Service, and the FBI, and other agencies, and then eventually morphed into working a little bit with the FS-ISAC and groups like that. They’ve kind of taken over this, “we’re going to grab in data and information no matter whether there’s a physical or cyber or other threat, and we’re going to put it into a generalized program, a platform that we have, and we’re going to take this over.”
Those groups are easier to see, easier to recognize, easier to maintain, because they’ve always existed within those larger organizations. There’s much better governance, much better collaboration there, and they actually have the FTEs. The people, they have the headcount to be able to do that. Within smaller organizations you don’t find that. Intelligence, threat intelligence, cybersecurity intelligence — that realm is a one hour to do a week, three hours to do a week, a check-in for 30 minutes, or an hour each day as a single task for individuals a part of … maybe if you have a five-person cybersecurity team, one analyst will have it on their to-do list of looking at the FS-ISAC threads, Recorded Future threads, other threads that come in, and really take a look at those as it applies to your organization. Once again, that’s a smaller group team.
Other institutions, though, that are out there that are just starting, especially small fintechs, this is something that they’re not doing. Not grabbing a hold of it yet, because they think it’s an impossible task, or they don’t realize there are tools to be able to do this for them. By that, I mean, you spend a large amount of time on the front end setting up, maybe every three months, maybe every four months, setting up the rubric by which you want to operate, the threat matrix by which you want to operate, and you set it and forget it and you just take in the fruit of that labor and look at it for 30 minutes a day, or two or three hours a week. You decrease your risk posture, increase your use of that intelligence, but it’s more of an ad hoc add-on for those companies until they grow and reach a sustainable strength in terms of numbers.
What’s your advice for, if an organization is looking to provide threat intelligence to the financial sector, what are the specific things that that sector wants to see?
I think it’s really a few things. Number one, the financial sector has a large number of sources and feeds of data and information. The real key is going to be distilling that into one location, one way to analyze it, one way to assess it, one way to say, “this is important for us based off of our architecture, based off of the plane that we expose, based off of the different things that we see impacting us.” Let me give you an example: skimming. Skimming is only going to apply for your financial institution if you have a physical footprint, if you have ATM machines. That is going to be something that you become much more aware of, need to actually have a threat intel program around, need to actually be working with the ECTF and Secret Service around, and actually need to be calling into your program. You don’t need to pay attention to that if you’re just a fintech provider and you have none of those types of exposures.
Similarly, in the cyber world, if your organization has different controls and detective measures that make a threat that has come out almost impossible to actually take advantage of, almost impossible to try to exploit based off of how you are designed, then the risk of that threat is going to be much lower to your organization, and you don’t necessarily have to jump on it as quickly as someone else. The first area is the aggregation and delivery of that information in one single source manner. Second, making it relevant to your specific organization. I’m going to say it again, making it relevant to your specific organization. Just simply blowing out the top 10 threats of the day, or the top 20 threats of the week is not what the financials are looking at. Not good enough. Looking for providers that can actually tell you, based off of your environment, the equipment in your environment, how your architecture is created and enabled.
Basically, being able to risk rate that and threat rank that so you can address what is truly important — that’s what is special. That is what helps cybersecurity teams and engineering teams succeed, and that is what provides direct business value back into the organization.
What about the interface between the folks who are ingesting this threat intelligence and the board room? We often talk about how there’s a communications gap between those two groups of people. What’s your advice to the folks who are dealing with this intelligence on a daily basis on the best way to present it to the board?
That’s a great question. The threat intelligence is really not talked about at all in the boardroom unless you have the right representation there among the executive management and the board members. However, I think that this is a missed opportunity. Boards are usually comprised of successful business people from whatever walks of life that they have, and for those companies that are startups or are just getting rolling. Folks from the VC community. Everyone at a grassroots level, from watching the news, watching weather patterns, watching the most recent storms that have affected the U.S. and are coming, they understand the great abilities that looking at a satellite feed five and 10 days ahead of time has to predict the future.
In some form or fashion, everyone understands the nature of intelligence. The nature of a heads up, the nature of a warning, in being able to allow you to risk rate what actions you take as a result. Should you go ahead and fill up the generator, should you get the gas line, should you stock up on water — all those things. It’s important to have folks just like, actually, what I’ve just done here, translate something that is happening right now, today, that everyone can get their arms around and be able to translate that into why it is important. For example, Hurricane Harvey, how you can actually take that storm and the role that radar, weathermen, geographic patterns, and all the rest have played in terms of providing intelligence for folks in different cities and Houston, to be able to take action ahead of time or prepare and translate that into what you have done as an executive to make sure that … look, you can’t prevent a breach from happening.
You can’t stop all breaches from happening. What you can do is situate your defensive controls, examine your risk, try to mitigate, but also, make sure that you don’t have blinders on. Look out over that castle wall, get out there into the different networks and try to figure out what’s happening. The board will relate to that. They’ll relate to your going ahead and describing it just as I have done in terms of making sure you have that radar map, making sure the radar’s turned on. That you’re looking out. That you’re hauling in all these different distinct events and making sure they’re relevant for you.
If you happen to be someone that’s in California, you might not have needed to prepare or do anything for Hurricane Harvey. Hurricane Irma, which is currently being tracked right now … maybe Florida needs to start thinking about things for the next seven or 10 days. Once again, all information in a way of explaining things to the board that they can understand, that then brings light, it shines the light on threat intelligence, a cybersecurity threat intelligence program. It gets you budget, it gets you dollars, it gets you support, and it gets the board asking great questions about that program in asking for data. What has it done? How many threats have been mitigated ahead of time? How are we able to go ahead and avoid the ransomware attack because we acknowledged the Microsoft SMB patch, because you jumped on it in the first two weeks, 12 weeks later when other people hadn’t jumped on it, that we were able to be much more successful in not having this happen to me. Our company, another company that I serve on the board of, actually had this happen to them.
If they had the same threat intelligence program that we had here, would not they have been better off? Why, yes sir, they would have been. Those are the types of things that we need to translate the cybersecurity and the tech into risk, into business enablement, and into a communication pattern that we can go ahead and communicate directly with the board in a way they understand.
What about regulators? How are they looking at threat intelligence as part of the spectrum of information that organizations are using?
This is a real interesting one. It is an interesting question for a few reasons. Number one, there is nothing that is, per se, written down in terms of a “thou shalt have” threat intelligence as a part of your cybersecurity program. There are many “thou shalts” that have happened. The Massachusetts 201 CMR 17.00. The Massachusetts security law that came in, right, everything has to be encrypted that has sensitive information on it that is a mobile device. That made sure that all the laptops and USB drives and et cetera, that really pushed further state of data encryption. There isn’t anything similar to that yet, and I want to add the “yet” in terms of an asterisk. I think we’re moving there.
I think financial regulators, from the questions that they’re asking, from the questions in their supervisory reviews, they are asking those questions — some might not be a specific line item that they can point to which regulation or rule it comes from. That’s not the ongoing duty of the regulators to go ahead and tick and tie everything to a specific section. It’s an expectation that financial institutions grow and increase their programs in terms of sophistication to match the threat matrix that they have to analyze and assess those threats. The only way that you’re able to do that right now as a financial institution, or some other fintech sector, and other sectors, I think, healthcare, and government, and defense industrial base, et cetera, is if you have a threat intelligence program. A threat management program. There just is no way to respond to the question unless there is some form or fashion of how you’re doing things.
Maybe, look, we’re starting, and 5%, 10% of this employee’s time is doing threat intelligence. We’ve named them as a threat intelligence officer and they’re part of the FS-ISAC, or they have a subscription into this service, or we’re reviewing these things and we have policies and procedures in place to make sure that that gets funneled directly into our cybersecurity engineers, or our infrastructure engineers and a risk-rating system. I think that that’s definitely what they’re looking for. Once again, a holistic cybersecurity program. I’ll tell you this: if you are in the financial sector, or other highly regulated sectors — healthcare, defense industrial base, or part of a critical infrastructure sector — power, electricity, light, all of that type of gas — and you do not have a threat intelligence program that includes your physical threats as well as your cybersecurity threats, and some type of single pane of dashboard management tool and processing governance process, I think you’re behind the ball.
Especially in 2017, I think you’re behind the ball. You need to have these as part of your programs. You need to be able to respond to the regulators with what you have and how you’re constantly enhancing. It doesn’t have to be perfect. The nice thing is, in the SaaS platforms that exist right now, to be able to enable this, are phenomenal. We didn’t have these 10 years ago. This is all individual programs and individual things that are being spun up on SharePoint sites, internally within banks and Excel spreadsheets, and all the rest. We didn’t have the capability of being able to add in this managed cybersecurity workforce on threat intel, we didn’t have the ability to be able to mash that into our environments. We do now. We have that. To not use it, not take advantage of it with all the different positives that it brings and risk reduction options it brings, would definitely be a step in the wrong direction.
Bottom line: regulators, especially those highly regulated areas, are looking for this. You should be marching forward with this. You should be able to articulate and show what you’re doing and how you’re enhancing it, and quite honestly, for those companies that have something that they want to make sure doesn’t get out there, and want to make sure they’re much more prepared and safer to react to, this is something where you start. You start with the half an hour a day, a few hours a week, and you leverage those tools that exist to be able to better inform, better shape, and better secure your organization.
Suppose I’m that person in the organization who’s been tasked with starting up our threat intel program. What’s your advice for the best way to go about that? Do we start with open source information, or is it worth, right out from the get-go, engaging with a company to provide it? What’s your guidance there?
I think what you have to do is, figure out what the endgame is going to be. How large is the company, how large is the program, how large do you think it’s going to have to flex up to. It used to be that you try to go ahead and create a minimally viable product, both as a company and also as a … if you’re in the threat intelligence area, what is the sheer, the lowest common denominator of what you need to do to be able to show and provide value to then get more budgeting, finance, operations, and all the rest. I think that that is definitely a plausible way to go about this, however, based off of the number of threats, the amount of information, the amount of data and the speed at which it happens, I don’t think there’s a way to necessarily show great value unless you’re using more of an automated platform, in some form or fashion.
I think that it’s probably better to start out in an automated, more SaaS-based world where you’re actually getting in this data and digesting it. Now, pricing can become an issue here, but companies are willing to work with folks in this regard in terms of getting them on the system, getting them on a platform, and quite honestly, the value add in the future in the next two, three years, it will absolutely come back to the company. Starting out from a managed platform can enable the cybersecurity analyst to do the three hours a week, five hours a week, four hours a week. The spreadsheet method won’t. The going out to all the different types of sites and pulling back information, won’t.
With that said, if all you’re going to have is something to be scrappy, then what you want to do is make sure you get your bang for the buck — open source, right? A lot of great stuff there. The US-CERT site. A lot of great information there. Maintaining a relationship with both the Secret Service and the FBI, this is coffee once every four, three or four months, at an ECTF or an InfraGard meeting. Two of those a year to make sure you’re gaining some traction with meeting some folks and solving some common problems. You can do a lot on a shoestring budget, but if it’s … depending on what you’re doing and how you’re doing it, and how fast you’re going to scale, you’ll want to move to more of an automated platform and have your time and resources spent less on prospecting or cultivating information, and more on analyzing based off of what I currently see.
How am I going to respond? How am I going to reduce our risk? And how am I going to take action that it can manage, that it can leverage into KPIs? I can show other people that it adds value and benefit to our business, and getting more funding, more resources, all the rest, and have our organization be safer. That’s really what I love about this area, and that’s what I love about the technology that exists today.
Our thanks to Christopher Pierson for joining us.
If you want to learn more about protecting financial services, there’s a free white paper on Recorded Future’s website. It’s called “Insider Threats to Financial Services: Uncovering Evidence With External Intelligence.” You can find that at go.recordedfuture.com/financial-services.
Be sure to save the date for RFUN, the sixth annual threat intelligence conference coming up in October in Washington, D.C. Attendees will gain valuable insight into threat intelligence best practices by hearing from industry luminaries, peers, and Recorded Future experts. Details are at recordedfuture.com/rfun.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.