Regulations, Motivations Are Top Concerns At Day 2 Of Cyber Security Exchange
Has ML Been Integrated? What Is 'Zero Trust'?
Day 2 of the Cyber Security Exchange: Financial Services was filled with thought-leading sessions and topical discussions that ranged from artificial intelligence (AI) and machine learning (ML), to the complex regulatory environment.
For those in the banking, financial services and insurance (BFSI) space, regulations and the business ramifications of them often uncover a praiseworthy or perfunctory security posture.
In the exchange, end-users network, collaborate and set benchmarks in ameliorating various business challenges. Because BFSI remains in the cyber-spotlight, key decisions made within this vertical dictate wider activity.
As such, BFSI cyber security certainly deserves due diligence. Here at the Cyber Security Hub, we outline key points from the event. What follows is our recap of Day 2.
Importance of NIST
Paul Ferrillo, Partner, Greenberg Traurig LLP., kicked off the day with an intimate look at the regulatory complexities of the space – especially with the rollout/fallout of measures like the General Data Protection Regulation (GDPR). The corporate lawyer underscored the importance of the NIST Cyber Security Framework, suggesting that many other measures are built around NIST principles.
The presenter said that NIST is not really just for critical infrastructure, “it really matters.” He said the Framework Core consists of five concurrent and continuous functions: identify, protect, detect, response and recover.
Although it may take some time for CISOs and others to flesh out applicable frameworks, such as NIST, Ferrillo said it is well worth it. It’s either that or face other ramifications, such as legal fees, he said.
Speaking about the Securities and Exchange Commission (SEC) Office of Compliance, Inspections and Examinations’ (OCIE) Cyber Regulations, Ferrillo said that the source material is largely NIST. “This stuff is not new anymore,” he said. “It all starts and ends with the NIST framework.”
Elsewhere, Ferrillo said New York has taken charge in the cyber security space. The state’s Department of Financial Services (DFS) developed regulations with broad requirements (detecting events, responding to them, recovering and reporting). However, what’s different about this visible measure is that it requires its adherents to appoint a CISO (internal or outsourced; but it’s the first time this has been mandatory).
In speaking about the European Union’s (EU) GDPR, the corporate lawyer also said most of it actually comes from the NIST Cyber Security Framework.
He outlined certain “basics” security teams can adhere to: strong governance, policies and procedures (mapped out), risk assessments, training and awareness, multi-factor authentication (MFA), incident response and business continuity plans and notification requirements.
Data, SOAR & More
In midmorning Ignite Sessions, Verizon Enterprise Solutions’ Senior Manager, Steve Stump, outlined data-driven cyber risks, using the company’s Breach Investigations Report.
Stump reminded attendees that hackers are “simply trying to find the easiest way into your environment.”
Near the end, he reminded attendees that for all of the “assets out there,” keep track of: patching cadence, web applications, and other enterprise-specific areas that could help you get ahead of the game.
Siemplify’s CMO, Nimmy Reichenberg, then spoke in a session called “Yikes! I Have Too Many Security Tools and Not Enough Skilled Resources.” He told attendees that according to Enterprise Strategy Group’s (ESG) Jon Oltsik, some of the biggest challenges facing the security team include: keeping up with the volume of security alerts, poor integration (“swivel tool integration”) and developing the right skills for cyber.
It’s here where Security Orchestration Automation and Response (SOAR) platforms come in handy, as they help cut down on response time – and assist in triaging, investigating, remediating and tracking/reporting.
ForeScout Techhnologies’ VP of Global Financial Services, Tom Dolan, then delivered a presentation on real-time asset intelligence. He told those in attendance that fundamental security issues, at present, include: the need for technology elasticity, and pressure –both regulatory and from within the business – to quantify (and mitigate) risks.
AI, ML Adoption
Day 2 soon moved into the panel format (on “intelligent defense”). Rahul Patel, CIO, KBC Bank NV, New York, served as moderator with a lineup that included Ferrillo, Max Tumarinson, CISO, Amalgamated Bank and David Stern, CISO, BGC Partners.
Notable “subtopics” within the automation, artificial intelligence (AI) and machine learning (ML) conversation that emerged included: whether these platforms are the “silver bullet,” “throwing more people” at a systemic issue, the need for data scientists, outsourcing some of the “plumbing” tasks within an organization and “cost per pound,” or the actual impact of data breaches. On the latter topic, Ferrillo reiterated that a foolproof cyber plan also has to take corporate reputation into account.
In a “masterclass,” Cybereason’s Director of Advisory Services, Danielle Wood, discussed “Defense in a New Landscape.”
Wood said that the security focus must become reversing adversary advantage by empowering defenders with ingenuity and technology to stop cyber-threats. The challenge is that the threat landscape is far too dynamic, and the adversary is using stronger and more sophisticated tactics. She said, “We are often woefully overmatched.”
In the session, the cyber expert said, “We are all targets. Attackers will target your supply chain partners both upstream and downstream. (They’ll use) data personally as a means to attack someone else.”
She also profiled today’s adversary, saying they’re largely nation-state actors, a part of a criminal enterprise, foreign competitors or hacktivists.
In her presentation, Wood listed advancements to watch for. These included: automated hunting/behavioral searching, pre-constructed relationships between data points, in-depth relationship analysis and AI informing detection.
Wood said that even with the spread of the AI mindset, the “static rules still matter.”
Trust No One?
In a midafternoon BrainWeave session, Luminate’s Co-Founder and CPO, Eldad Livni, spoke about the Zero Trust theory and the principle of least privilege.
Livni explained that with least privilege, access is only provided to requisite assets, and only for job-specific purposes.
The CPO said that because the network has widened, it’s not so easily defined. In order to clean it up a bit, identity and access management (IAM) principles apply. That means determining who is trying to access a network and where they are coming from. That, coupled with multi-factor authentication (MFA), enhances the Zero Trust mindset (universal scrutiny of those accessing the network).
Livni called the identity the “most basic anchor you can look at.” He said that instead of granting wide access to segments, today’s principles call for pinpointing allowance at a more granular level. So, which applications are needed to perform the job?
The Luminate presenter said that once the identity is established, network-level access must be deliberated, and that data must be enriched with context – this makes Zero Trust a reality.
To close out the day, Stifel Financial CISO, Tim Marsden, held a session on the “human element of security.” He incorporated best practices and psychological tidbits that can assist security practitioners.
Marsden insisted on driving behavioral change, and cited William Shakespeare in saying “all the world’s a cyber stage.”
One of the solutions Marsden discussed for the “human” problem with IT became knowing yourself (the IT staff), as well as the board/C-Suite.
Marsden also alluded to gamifying the cyber security space, to drive training and promote consistent growth. A part of that, he said, involves leveraging neuroscience, and human-level needs.
Keep tabs on the Cyber Security Hub for continued coverage of the Cyber Security Exchange: Financial Services!
Be Sure To Check Out: Security Analysts Becoming 'Data-Mining Gurus'? Q&A With Bay Dynamics' Ryan Stolte