Using machine learning and predictive analytics to combat cyber threats
Payments Forum 2018
Vikas Munshi
https://www.linked.com/in/vikasmunshi
Are cyber-criminals a serious threat?
Has traditional security approach outlived its utility?
• Evolving expectations of stakeholders:
• Customers want convenience and safety
• Regulators want prevention of FEC (financial economic crime) and reduced barriers to trade
• Employees desire an enriching work environment with autonomy
• Traditional focus on stringent compliance requirements drives:
• Conservative and segmented organisations
• Multiple layers of checks and balances
• Overcautious approach to change
• Leading to an avoidably complex banking IT landscape:
• Segregation, Compartmentalisation, Audits
• New entrants (FinTechs) face no such constraints!
Are cyber-criminals new (dark) competition?
• Hard to understand (?)
• Business plans?
• Published results?
• Have you seen an invite to Cyber-Crime Con?
• Easy economic gain
• Stay under the radar as long as it takes
• Evolve like drug resistance
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
- Sun Tzu
Cyber-criminals: known actions; relevance and impact; motives and resources; counter-moves
Insights learned from cyber-attacks targeting banks
2009 RBS WorldPay: “Security protocols will be cracked”
https://www.fbi.gov/atlanta/press-releases/2010/at080610.htm
http://www.wired.com/2010/03/alleged-rbs-hacker-arrested/
http://www.wired.com/2009/11/rbs-worldpay/
2012/2013 Unlimited Operation: “Large value cash-outs are possible”
https://www.justice.gov/usao-edny/pr/eight-members-new-york-cell-cybercrime-organization-indicted-45-million-cybercrime
http://www.wired.com/2013/05/bank-cashing-suspect-killed/
2014 JPMorgan Chase: “Customer data is as valuable as cash”
http://www.wired.com/2015/11/four-indicted-in-massive-jp-morgan-chase-hack/
2013-2015 Anunak/Carbanak: “Complexity is not a deterrent”
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
https://www.fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf
2016 Bangladesh Bank Heist: “The real threat is from inside”
https://en.wikipedia.org/wiki/2016_Bangladesh_Bank_heist
https://www.wsj.com/articles/vietnamese-bank-says-it-was-target-of-attempted-cyber-heist-1463405095
http://www.reuters.com/article/us-vietnam-cybercrime-idUSKCN0Y60EN
In summary, lessons so far
• Security protocols will be cracked, reliance on secrecy of security measures is no longer safe;
• Large value cash-outs are possible in more ways than one - simultaneous cash withdrawal from ATMs across the globe; transfer to fake accounts - and with Instant Payments around the corner, cyber-criminals are about to get an extra edge;
• Customer data is as valuable as cash and in many cases easier to compromise. Now that data breach disclosure is a legal compliance requirement, even a suspected breach could, if mishandled, escalate into a major public-relations issue;
• Complexity is not a deterrent. For cyber-criminals, developing an understanding of the internal complexity of banks is an investment they can repeatedly capitalise;
• The real threat is from inside. So far, the known compromise of humans has been limited to simple social engineering - targeted email with malicious attachments. However, with a proven high-return business case, it is not hard to imagine cyber-criminals, perhaps in collusion with traditional organised crime networks, attempting to directly compromise multiple privileged users by coercion, bribery, or blackmail. Such an attack would not only be hard to foil but would also have far-reaching consequences for the targeted bank.
Looking at the conflicting imperatives facing banks today, a possible way forward
Four pillars of comprehensive cyber-security
• Know: Build actionable understanding of the external cyber-crime environment combined with a working appreciation of the internal landscape. “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” – Sun Tzu
• Protect: Design and implement efficient controls to protect effectively against known attacks. “The supreme art of war is to subdue the enemy without fighting.” – Sun Tzu
• Detect: Design and implement appropriate tools to learn to identify and foil known and unknown attacks as they commence. “Now this foreknowledge cannot be elicited from spirits; it cannot be obtained inductively from experience, nor by any deductive calculation.” – Sun Tzu
• Respond: Implement and exercise procedures to take action in response to detected cyber-security incidents; be prepared to respond vigorously. “Bring your enemies to justice for their crimes.” – Sun Tzu
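The “Detect” pillar and the Unlimited Operation lesson (simultaneous cash withdrawals across the globe) together suggest one concrete detection rule: a single card cannot be presented at ATMs in several countries within minutes, so that pattern is a strong cash-out signal. The following is an added example, not code from the talk or from any bank; the withdrawal records, card identifiers, window length and thresholds are all constructed for illustration.

```python
"""Added example: flagging an 'Unlimited Operation'-style ATM cash-out.

Rule: withdrawals on one card from several countries inside a short
window are physically impossible for a single cardholder, so they
indicate cloned cards being cashed out in parallel. A second trigger
catches a large in-window total even from one country.
All data and thresholds below are constructed (hypothetical).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawals: (ISO timestamp, card_id, country, amount)
SAMPLE_WITHDRAWALS = [
    ("2018-02-19T03:00:10", "4111-0001", "US", 800),
    ("2018-02-19T03:01:42", "4111-0001", "JP", 900),
    ("2018-02-19T03:02:05", "4111-0001", "DE", 850),
    ("2018-02-19T03:03:30", "4111-0001", "BR", 950),
    ("2018-02-19T03:05:00", "4111-0002", "NL", 200),   # ordinary use
    ("2018-02-19T11:30:00", "4111-0002", "NL", 150),
    ("2018-02-19T03:00:00", "4111-0003", "FR", 300),   # two countries, but
    ("2018-02-20T09:00:00", "4111-0003", "ES", 300),   # a day apart: plausible travel
]


def parse(rows):
    """Convert raw rows into (datetime, card, country, amount) tuples."""
    return [(datetime.fromisoformat(t), c, k, a) for t, c, k, a in rows]


def flag_cashouts(rows, window=timedelta(minutes=30),
                  min_countries=3, min_total=2000):
    """Return {card_id: (sorted countries, total)} for every card that,
    within any sliding `window`, withdraws from at least `min_countries`
    distinct countries or withdraws at least `min_total` in total.
    For a flagged card the window with the largest total is reported."""
    by_card = defaultdict(list)
    for ts, card, country, amount in sorted(parse(rows)):
        by_card[card].append((ts, country, amount))

    alerts = {}
    for card, events in by_card.items():
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it fits `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            countries = {c for _, c, _ in in_window}
            total = sum(a for _, _, a in in_window)
            if len(countries) >= min_countries or total >= min_total:
                previous = alerts.get(card)
                if previous is None or total > previous[1]:
                    alerts[card] = (sorted(countries), total)
    return alerts


if __name__ == "__main__":
    for card, (countries, total) in flag_cashouts(SAMPLE_WITHDRAWALS).items():
        print(f"ALERT card={card} countries={countries} total={total}")
```

With the constructed data only card 4111-0001 is flagged (four countries, 3500 in under four minutes); the two-country card 4111-0003 is not, because its withdrawals are a day apart. The same sliding-window shape applies to a BIN or card range instead of a single card, which is the level at which the Unlimited Operation cash-outs were actually visible.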
Questions?