Cyber risk landscape, cyber threat intelligence and fostering inter-agency information sharing (2019/07/04)
TRANSCRIPT
RESTRICTED
Cyber risk landscape, cyber
threat intelligence and fostering
inter-agency information sharing
Sivanathan Subramaniam
Deputy Director, Technology Risk Specialist Unit
Risk Specialist and Technology Supervision Department
• Cyber-attacks are growing in intensity and sophistication.
• The broad range of entry points created by the interconnectedness of financial systems exacerbates the risks.
• There is an increasing need for the agencies in Malaysia to enhance cooperation and improve cyber situational awareness.

Technology megatrends and innovation in financial services are increasing the attack surface

[Figure: Financial Services Tech Megatrends 2019 - 2023: AI/ML, FinTech, Blockchain, Biometric, Cloud, Open API. Cyber Threats Landscape 2019 - 2020: DDoS, AI-driven, Malware, APT, IoT-based, Data breaches, Phishing, Organized]
Unique characteristics of cyber risk that keep us up at night
• Highly dynamic and rapidly changing cyber threat landscape
• Persistent nature of a campaign by motivated threat actors
• Broad range of entry points (interconnectedness)
• Sophisticated attacks can render risk management and business continuity management ineffective
• Cyber-attacks can be stealthy and propagate rapidly
• Often stems from malicious intent
Cloud computing: what could go wrong, and possible mitigation

Contagion risk
• What could go wrong: Multi-tenancy infrastructure increases the attack surface, leading to an increased risk of data leakage if the separation controls fail.
• Possible mitigation: Ensure adequate cloud provider certification.

Concentration risk
• What could go wrong: No entity is 100% safe from disaster. Over-reliance on a few providers raises concentration risks to cyber attacks, system failures or vendor bankruptcies.
• Possible mitigation: Monitor and track industry concentration to cloud providers; consider the possibility of shared supervision of major cloud providers.

Competency risk
• What could go wrong: The shared responsibility model requires FIs to have the competency and maturity to manage security configurations appropriately.
• Possible mitigation: Evaluate organizational readiness to adopt cloud. For example, are the right skills available? Do cloud processes conflict with other established processes? How does cloud adoption align with the enterprise-wide technology framework? Do cloud plans conflict with enterprise culture?

Cost-savings over-exuberance
• What could go wrong: Higher cost for FIs to specify better security configurations; not all perceived benefits of cloud computing may be available in the 'basic' packages.
• Possible mitigation: Examine the trade-off between cost and better security configuration options.

Cloud computing will be a global challenge – a global response may be needed
Common advanced persistent threat (APT) modus operandi

1. Phishing attack
2. Distribute malware
3. Call back
4. Privilege escalation / steal credentials
5. Lateral movement
6. Steal DB credentials
7. Login to DB
8. Data exfiltration

Weaknesses exploited along the chain:
! Unpatched workstation
! Unmanaged privilege access
! Weak local admin password
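The eight-step chain above is exactly the kind of sequence a Security Operations Centre should be able to recognise from its own telemetry. The following is an added example written for this transcript, not BNM material or any product's code: it tags constructed endpoint and network events with the stage of the chain they correspond to, attributes events that cross hosts (network logons, DB logins, file reads on a server) back to the workstation they originated from, and raises an alert when several distinct stages are seen from one origin within a day. The line format, the field names (`first_seen`, `bytes_out`, `logon_type`), the credential-file names and the exfiltration threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stages in the order shown on the slide.
STAGES = ("phishing", "malware", "callback", "priv_esc", "lateral",
          "db_cred", "db_login", "exfil")

OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
MACRO_ATTACHMENTS = (".docm", ".xlsm", ".js", ".hta")
CRED_FILES = ("db.conf", "web.config", "unattend.xml", ".kdbx")  # assumed names
EXFIL_BYTES = 100 * 1024 * 1024  # assumed threshold: >= 100 MiB out in one flow

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Parse one constructed '<iso-ts> key=value ...' line into a dict."""
    ts, _, rest = line.partition(" ")
    ev = {k: v.strip('"') for k, v in _KV.findall(rest)}
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def stage_of(ev):
    """Map an event to a stage of the chain, or None if it is not suspicious."""
    t = ev.get("type")
    if t == "email" and ev.get("attachment", "").lower().endswith(MACRO_ATTACHMENTS):
        return "phishing"                     # 1. phishing mail with macro/script attachment
    if (t == "process" and ev.get("parent", "").upper() in OFFICE_PARENTS
            and ev.get("image", "").lower() in SCRIPT_HOSTS):
        return "malware"                      # 2. Office document spawning a script host
    if t == "netconn":
        if int(ev.get("bytes_out", 0)) >= EXFIL_BYTES:
            return "exfil"                    # 8. large outbound transfer
        if ev.get("first_seen") == "true":    # destination never seen before (assumed field)
            return "callback"                 # 3. beacon to a new external host
        return None
    if t == "group_change" and ev.get("group") == "Administrators":
        return "priv_esc"                     # 4. account added to local Administrators
    if t == "logon" and ev.get("logon_type") == "3" and ev.get("src") != ev.get("host"):
        return "lateral"                      # 5. network logon from another host
    if t == "file_read" and ev.get("path", "").lower().endswith(CRED_FILES):
        return "db_cred"                      # 6. reading a file that holds DB credentials
    if t == "db_login":
        return "db_login"                     # 7. logon to the database
    return None


def origin(ev):
    """Attribute cross-host events (those carrying src=) to the workstation they came from."""
    return ev.get("src") or ev["host"]


def correlate(lines, min_stages=4, window=timedelta(hours=24)):
    """Return {origin_host: [stages]} for hosts with >= min_stages distinct stages in the window."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        st = stage_of(ev)
        if st:
            hits[origin(ev)].append((ev["ts"], st))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        t0 = events[0][0]
        seen = {st for ts, st in events if ts - t0 <= window}
        if len(seen) >= min_stages:
            alerts[host] = [s for s in STAGES if s in seen]
    return alerts


# Constructed sample telemetry: one full chain from WS-017, benign noise from WS-042.
SAMPLE_LOG = """\
2019-07-04T09:01:10 host=WS-017 type=email from=billing@example.net subject="Invoice 4471" attachment=invoice.docm
2019-07-04T09:03:22 host=WS-017 type=process parent=WINWORD.EXE image=powershell.exe
2019-07-04T09:03:40 host=WS-017 type=netconn dst=203.0.113.7 port=443 bytes_out=1200 first_seen=true
2019-07-04T09:40:05 host=WS-017 type=group_change group=Administrators member=svc_tmp
2019-07-04T10:12:51 host=FS-02 type=logon logon_type=3 user=svc_tmp src=WS-017
2019-07-04T10:15:30 host=FS-02 type=file_read path="D:\\apps\\portal\\db.conf" user=svc_tmp src=WS-017
2019-07-04T10:20:02 host=DB-01 type=db_login user=app_svc src=WS-017
2019-07-04T23:55:00 host=WS-017 type=netconn dst=198.51.100.20 port=443 bytes_out=734003200 first_seen=true
2019-07-04T09:05:00 host=WS-042 type=email from=hr@example.com subject="Holiday list" attachment=holidays.pdf
2019-07-04T09:06:00 host=WS-042 type=netconn dst=203.0.113.9 port=443 bytes_out=4000 first_seen=true
"""

if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {host}: {' -> '.join(chain)}")
```

Two design points matter more than the individual rules. Attribution by originating workstation is what lets the file-server logon, the credential-file read and the database logon count towards the same chain instead of being three low-severity events on three different hosts. And alerting on the number of distinct stages, rather than on any single rule, is what keeps the one "callback" from WS-042 below the threshold while the same rule on WS-017 contributes to an alert.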
10 things you probably didn't know about the dark web
• It's way more than just what you can't google
• Friends in dark places: social networks
• Cyber threat actors profiting from exploits
• The role of cryptocurrency
• It's probably not speaking your language
• Bad actors use the dark web to recruit corporate insiders
• There's no honor among dark web thieves
• It's a useful tool for organized crime and one of many sources of CTI
• Thieves and geeks: Russian and Chinese threat actors
• Data leaks aren't only on the dark web
Financial institutions recognize the seriousness of cyber risks, but more needs to be done

2018 / 2019 Emerging Operational Risks Survey of Malaysian CROs
• Ranked 1: Cyber threat is banks' top emerging risk
• Ranked 5: Social engineering attacks, an emerging trend

2017 IT spend of Malaysian domestic banks
• 15% of total annual expenditure is IT-related
• of which 3% is invested in IT and cyber security
Risk Management in Technology (RMiT): regulatory requirements aim to raise the minimum standards

4 key thrusts of the RMiT – applied on a proportionate basis, with additional standards imposed for large FIs

Strong second line of defence for technology risk management
• Fortifying the independent enterprise-wide technology risk function to implement technology risk management and cyber resilience frameworks.
• Designate a CISO responsible for this function.

Greater cyber resilience to emerging risks associated with new technologies
• Establishment of Security Operations Centre capabilities to monitor, identify and respond to potential breaches.
• Periodic security assessments to provide an independent view of the state of the financial institution's cyber security.

Effective board oversight on IT and cyber risks
• Reviewing and approving IT and cyber security strategic plans and technology risk appetite through a designated board-level committee.

Building resilient IT infrastructure to ensure continued service availability
• Embedding security considerations in the application systems and network services;
• Time limits on unplanned downtime;
• Risk controls for cloud computing.
Building cybersecurity competency is a new focus

Board
• Board should include at least a member with technology competency.
• Board members should undergo regular training to understand and appreciate technology risk.

First and second line
• Provide continuous training and certification for staff in technology operations, cyber security and risk management.

Third line
• Develop professionally certified internal IT audit competency.

All staff
• Ensure regular cyber hygiene training for all staff.
Inter-agency cooperation and information sharing is one of the key components of BNM's financial sector cyber resilience roadmap

Financial Sector Cyber Resilience Blueprint (2019 – 2023)

Pillar 1: Foster coherent regulations and reduce information asymmetry
Key objectives:
i. Promote and institutionalize cyber hygiene practices
ii. Encourage use of cybersecurity ratings
iii. Standardize cyber incident reporting convention
iv. Establish cybersecurity assurance and assessment scheme
v. Develop deep cyber insurance market

Pillar 2: Enhance identification and assessment of evolving cyber threats and vulnerabilities
Key objectives:
i. Develop financial systems cyber contagion map
ii. Enhance sectorial cyber threat situational awareness
iii. Establish cybersecurity maturity assessment framework
iv. Strengthen upstream infrastructure

Pillar 3: Enhance detection, response and recovery strategies
Key objectives:
i. Increase emphasis on ex-post liability
ii. Enhance analytical response and forensics tactics
iii. Conduct regular cyber-attack scenario analysis
iv. Strengthen continuity of operations and disaster recovery capabilities
v. Promote adoption of emerging cybersecurity solutions

Pillar 4: Promote and expand international and domestic cross-sectorial cooperation
Key objectives:
i. Empower industry associations to establish financial sector cybersecurity advisory council
ii. Institutionalize information sharing
iii. Expand biennial national cyber-drill to more FIs
iv. Promote collaborations and research
v. Shape global regulatory discourse on cyber risks

Pillar 5: Uplift human capability, competency and awareness
Key objectives:
i. Promote development of sustainable cybersecurity talent pool
ii. Institutionalize cybersecurity awareness and acculturation programs

This is still work in progress
Cyber threat intelligence and information sharing

Challenges
• Establishing trust
• Achieving interoperability and automation
• Safeguarding sensitive information
• Quality of received information
• Legal and organizational requirements
• Enabling information consumption and publication
• Attribution

Benefits
• Shared situational awareness
• Improved security posture
• Knowledge maturation
• Greater defense agility

Major types of CTI include
• Indicators
• Tactics, Techniques and Procedures (TTPs)
• Threat intelligence reports
• Tool configurations

Establishing a sharing relationship
• Define the goals and objectives
• Identify internal sources of threat information
• Define the scope of information sharing activities
• Establish sharing rules
• Join a sharing community
• Plan to provide ongoing support for sharing activities
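Three of the points above, the "Indicators" type of CTI, the interoperability and automation challenge, and the need to safeguard sensitive information under agreed sharing rules, come together in the way indicators are actually exchanged between FIs and agencies. The following is an added example written for this transcript, not BNM material or any vendor's code: it builds a small STIX 2.1 bundle of indicators by hand with TLP markings (constructed sample data, standing in for what a sharing partner would deliver), matches the patterns against constructed local observations, and applies one sharing rule before re-publishing, namely that only objects marked TLP:WHITE or TLP:GREEN may leave the organisation. The TLP marking-definition IDs are the fixed ones from the STIX 2.1 specification; the pattern matcher deliberately handles only equality comparisons joined by OR; the `x_source` property is a custom field assumed here for recording which partner supplied the indicator.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Fixed TLP marking-definition IDs defined by the STIX 2.1 specification.
TLP = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red":   "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
# Sharing rule assumed for this example: only WHITE/GREEN may be forwarded onward.
SHAREABLE = {TLP["white"], TLP["green"]}


def indicator(name, pattern, tlp, source):
    """Build a minimal STIX 2.1 Indicator object (constructed data, not a real feed)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now, "valid_from": now,
        "name": name, "pattern": pattern, "pattern_type": "stix",
        "object_marking_refs": [TLP[tlp]],
        "x_source": source,  # custom property (assumed): which partner shared it
    }


# Constructed sample bundle, as a sharing partner might deliver it.
BUNDLE = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [
    indicator("C2 beacon host", "[ipv4-addr:value = '203.0.113.7']", "green", "sector-cert"),
    indicator("Dropper hash",
              "[file:hashes.'SHA-256' = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08']",
              "amber", "peer-bank"),
    indicator("Phishing sender",
              "[email-addr:value = 'billing@example.net' OR domain-name:value = 'example.net']",
              "white", "open-source"),
]}

# Only equality comparisons, optionally joined by OR, are handled; AND/FOLLOWEDBY are not.
_CMP = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def comparisons(pattern):
    """Return [(object_path, value)] pairs from a simple STIX pattern."""
    return [(path.replace("'", ""), value) for path, value in _CMP.findall(pattern)]


# Constructed local observations (what our own logs contain), keyed by STIX object path.
OBSERVED = {
    "ipv4-addr:value": {"203.0.113.7", "198.51.100.5"},
    "file:hashes.SHA-256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    "domain-name:value": {"example.org"},
    "email-addr:value": {"hr@example.com"},
}


def match(bundle, observed):
    """Indicators whose pattern matches at least one local observation: [(name, path, value)]."""
    hits = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        for path, value in comparisons(obj["pattern"]):
            if value in observed.get(path, ()):
                hits.append((obj["name"], path, value))
                break
    return hits


def repackage(bundle):
    """New bundle holding only objects whose every marking permits onward sharing."""
    out = []
    for obj in bundle["objects"]:
        refs = set(obj.get("object_marking_refs", []))
        if refs and refs <= SHAREABLE:   # unmarked objects are withheld, not assumed public
            out.append({k: v for k, v in obj.items() if k != "x_source"})  # drop partner attribution
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": out}


if __name__ == "__main__":
    for name, path, value in match(BUNDLE, OBSERVED):
        print(f"HIT  {name}: {path} = {value}")
    print(json.dumps(repackage(BUNDLE), indent=2))
```

The TLP:AMBER dropper hash matches locally and drives an internal response, but it is withheld from the re-published bundle because the rule requires every marking on an object to be shareable; objects with no marking at all are withheld too, since an absent marking is a gap in the sharing agreement rather than permission. Stripping the `x_source` property on the way out is one simple answer to the attribution concern: the receiving community learns the indicator without learning which FI was hit.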
11 key questions to answer before you invest in a cyber threat intelligence solution
❑Which categories of CTI are most valuable to you?
❑Who will be using the CTI?
❑Will CTI be integrated with your existing security processes and infrastructure?
❑How are finished CTI reports part of your TI strategy?
❑How much expertise will you need to get started?
❑Which sources of threat data do you need?
❑How will your CTI capability scale?
❑Do you need your CTI delivered in real time?
❑Do you need an all-in-one solution or separate software tools?
❑Where is the best place to deploy the solution?
❑How will you future-proof your CTI investment?
Some final words on how to avoid becoming a victim of cyber-attack
• Ensure a proper cyber mindset
• Do the basics
• Use and share cyber threat intelligence
• If you don't have cyber insurance, get it
• Accelerate your move to cloud (for non-critical systems)
The end