CSO Perspectives (Pro) 4.19.21
Ep 43 | 4.19.21

Security in different verticals: Finance.


Rick Howard: Hey everyone. We are back.

Welcome to season five of the CSO Perspectives Podcast. I can't wait to get this thing started because for this season, we are tackling an issue that I've been debating with other security executives for well over a decade.

Are the strategies that security practitioners pursue in order to defend our organizations from cyber attack, different because of the verticals we reside in, or because the digital environment we are charged to protect is somehow not traditional like IOT environments or supply chain arrangements?

In other words, if we are in the financial vertical or the healthcare vertical or the energy vertical, is our collection of strategies different or are they the same and we all just use different tactics to pursue them? And if I'm trying to defend my IOT assets or protect myself from third-party contractors that are critical to my business, but I don't have any control over, do my overall strategies change? 

If you've been following along with me so far in this podcast series, you know that I've spent some time talking about cybersecurity first principles. We dedicated Season 1 and Season 2 to the concept. And then in Season 4, last season, we spent some time discussing how you might apply those first principles to securing the cloud.

he entire point to that exercise, from my point of view. Is that the first principles we outlined are universal. They don't change because some new technology emerges that we have never seen before, or because our business model is different. 

They are evergreen. The idea of first principles is that once you have them, they become your North Star, your way to prioritize resources and decide which actions to take first. 

If they weren't, it would be like Elon Musk saying that his strategies for going to Mars would be different if he was going to the moon instead that is Falcon 9 medium lift and Falcon heavy lift launch vehicles would need to be scrapped because the moon mission was so much different than the Mars mission.

What we are going to explore in this season is whether or not that's true, or even if it is, does it matter. 

And we're going to start with the financial sector and invite some financial experts to the Hash Table to see what they have to say. This is going to be good. So strap in. It might get a little bumpy.

My name is Rick Howard. You are listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. Before we sit down at the hash table with the big financial 100 pound brains, it might be worth noting the difference between strategy and tactics and why it's important to make the distinction.

In simple terms, when we have a problem to solve, two things come to mind: what we are going to do to solve the problem. And then how are we going to do it? The "what" is the set of strategies that you believe will make you successful and there may be several that you include in that set. The "how" by contrast is the collection of tactics, you will use to pursue each strategy. And there will absolutely be several tactics you try for each. If you do it right though, your strategy shouldn't change that often. 

In fact, if you are changing your strategies, it's because after a period of time, you've realized that even after you've done well implementing them, they aren't getting you closer to accomplishing your goal. In the early 1990s, we had a simple goal: prevent cyber attacks. The predominant strategy that emerged to solve that problem and that we all used was something called "Defense in Depth".

In other words, we deployed overlapping concentric circles of prevention technology, like firewalls, intrusion detection systems, and endpoint antivirus tools around our digital assets and hoped that the bad guys would run into them. By 2010, some in the security community realized that the "Defense in Depth" strategy wasn't working. Bad guys were getting in and even well-resourced organizations like Bank of America in 2005, America On Line in 2006, and even Google in 2009, just to name three, couldn't prevent it. New strategy started to emerge like zero trust, intrusion kill chain prevention, resilience, and risk forecasting.

And by the way, by 2010, we all started to realize that the problem that we were trying to solve, wasn't the right one either. Preventing all cyber attacks was a fool's errand and a waste of security resources that were scarce to begin with. It's the reason that I started this podcast in the first place, to re-examine cybersecurity through a first principle lens, to stop spending resources on the wrong problem and to propose what the real problem is.

And as we have covered in many episodes, I have made the case that "the" problem we are trying to solve, the atomic conundrum that the security community should be laser-focused on, is this: reduce the probability of material impact to my organization. 

If you haven't already go back and have a listen to Season 1, Episode 6, where I lay out the arguments for why that is an essential first principle for all security organizations. In this podcast series, once we agreed to what the problem was, the strategies to solve it are pretty straight forward.

In order to reduce the probability of material impact due to a cyber event, we wanted a strategy to counter known cyber adversary behavior. We call that the intrusion kill chain prevention strategy. We also wanted a strategy to reduce the attack surface. We call that the zero trust strategy. We further wanted the strategy that would allow our organization to continue to function in the face of catastrophic failure. We call that the resilience strategy. And finally, we wanted a strategy to precisely measure the probability of material impact due to a cyber event. We call that risk forecasting. 

So these strategies are the "what," and I'm using air quotes here around the word what, and they should be universally chased in every security organization on the planet, but the tactics or the "how," and again, I'm using air quotes around the word how to pursue each of those strategies will be wildly different in every organization due to many factors like resource limitations, regulatory rule sets, and culture.

I was talking to my best friend, Steve Winterfeld about this. He is the advisory CISO for Akamai, and he's a regular at the Hash Table. 

He gets to talk to a lot of financial security leaders in his day to day. And he agrees that the generic tools that we all use to protect our organizations are the same, in a strategic kind of way, but how we deploy those tactically can be completely different from one organization to the next.

Steve Winterfeld: if you're asking, are the tools different? I don't know that the tools are radically different. 

Is a threat attacking in different ways? I don't know that the threat is attacking in radically different ways, but which tools I use, which resources I deploy are different.

Rick Howard: Gary McCallum is another friend of mine, another regular at the Hash Table, who by the way, has just stepped down as the long running CSO for USAA.

He worked there for some 11 years. So if anybody is looking for a new CSO, I know somebody, but you better bring a big checkbook in order to entice him out of retirement. He confided in me that he doesn't miss the late nights and weekends that are staples of the CSO job function. That said, he agrees with Steve, that the strategies are agnostic when it comes to different verticals, but when it comes to details, that's where the tactics come into play.

He also says that the way to get board buy-in for your strategy / tactic combo is to demonstrate that your tactics have actually reduced the risk to the business. 

Gary McAlum: I think the strategic approach is agnostic. 

I do think the devil's in the details. 

The vertical you're in is going to have a lot of input into that driven by regulatory and compliance requirements.

As you start to build out an implementation roadmap  and  milestones, and you're showing capability, I think another way of describing capability delivery is risk buy-down. Risk buy-down is really helpful in a highly regulated environment 

If you could tie it back to that, it's  a two birds with one stone win, but at a high-level, I believe it's agnostic. It's perhaps unique in the sense of volume and complexity of requirements, but I don't think  in and of itself that it's that unique requiring a different approach. 

Rick Howard: Not to sound like a broken record here, but the next Hash Table guest is also an old friend of mine and a frequent guest at the hash table. His name is Jerry Archer, the Sallie Mae CSO. 

Jerry Archer: I think there's some uniqueness within each vertical, but no matter what vertical you're in or what government agency you're in,  it's pretty much the same. You're protecting information first and foremost. Most verticals  would have the same attack or defense parameters. 

If I'm General Motors, I'm worried about a whole different problem. If I'm Airbus, I got a whole different problem. If I'm the North end of a nuclear reactor, I got a whole different problem. If I want to bring down an Airbus 380, the way I attack that 380 would be considerably different than the way I would attack sallie Mae's databases. You're not going to put up an application web firewall in front of an Airbus 380 flying through the sky. It's that protection mechanism is entirely different. 

At the end of the day, your strategy is how you're going to  close all your gaps. How do you fill out your security program in the next two to three years? What am I looking at in terms of  money that I spend, when I do it, and those sorts of things. I'm going to look at what are the principle risk to the business. Then I'm going to allocate resources against that, that becomes a strategy.  Now  I'll look at tools and capabilities to most adequately cover the gaps that are highest risk. 

Rick Howard: So everybody at the hash table is in agreement. Hmm, I think that's our first. Note to self: find more divisive questions in order to spice this up a bit, end note. 

But there's no universal truth here. There are at least some financial practitioners in the world who think that financial security requires different strategies than say healthcare or maybe energy because many financial institutions also have to deal with an additional component of fraud.

Put aside for a moment that numerous healthcare organizations also have that problem. And probably several other verticals too, but let's put a pin in that for a second. What's interesting is that all of our hash table guests see the two worlds of cybersecurity and anti-fraud converging. What I mean is that financial institutions have been dealing with anti-fraud issues in its many forms since way before we had the internet.

Their tactical plans to reduce the probability of material impact due to a fraud attack started out in the auditing world. As computers came online, though, anti-fraud practitioners started adding behavioral analytics algorithms into their arsenal. 

These are the same kinds of statistical and machine learning algorithms that the traditional cybersecurity teams use in tools like EDR, NDR, and XDR. In other words, end point network and combined detection and response.

Only the anti-fraudster teams used them to find money laundering schemes and whatnot. As a thought experiment, think of a set of all activities that a traditional cybersecurity team does every day. Then think of another set of activities that a traditional anti-fraud team does every day. In the early days, say the 1990s, those two sets had no intersection, but as time went on, they began to move closer and closer together, and eventually overlapped. Hackers began running traditional attack campaigns across the intrusion kill chain with the goal of committing fraud against the financial institution. That meant that the infosec team had to share information with the anti-fraud team and vice versa. That's the convergence we are talking about here. But to be clear, there is still plenty of criminal activity that is purely traditional cybercrime and purely only fraud. Here's Steve. 

Steve Winterfeld: The difference between cybercrime and fraud I think is worth exploring a little bit. Fraud includes an aspect of deception, whereas cybercrime be done with just malware. 

There is some anti-fraud and then there is just basic security. A lot of the fraud is just implemented in different ways. Wire fraud can often be done using social engineering through a phone call and, " Hey this is the CEO. We're looking at M and A, I need you to send $5 million to this account. This is under SEC rules. You're not allowed to talk to anybody else about this because it is confidential. So wire are the money and don't tell anybody else in the company what's going on." 

There are tools that the fraud team has traditionally used. They give you a risk score.  Just like we do in security, you can make decisions based on the risk score. .

Rick Howard: When I asked Gary about the difference between traditional cybercrime and fraud, he talked about how the two disciplines are overlapping. 

Gary McAlum: I love this question because,  years ago when I started at USAA, my last organization, I had the opportunity to pull together  and be accountable for not just the information security team, but also the fraud team. At the time it was financial crimes management, which even included,  anti-money laundering as part of it. For the most part, that fraud organization was focused on the consumer-facing side. 

As I  worked over time to develop a integrated strategy,  the way I described it to the board was, well, we think about cybersecurity I think of it as two sides of the same coin.  On one side is the consumer or the member-facing security problem. Each individual member interacting with us, they expect us to secure their transactions and protect their personal and financial information. 

On the other side of the coin, is the enterprise  and that's what the information security team worries about, the back-end,  the servers, the mainframes, the endpoints,  the third party relationships. If you have a problem on the information security side, I call that a front page problem because if you fail in that regard, it's going to be a big bag.  It's going to impact, if not all members, a large portion of the members and that's front page, that's bad.

But  on the other side of the coin, if a member has a problem,  and they're compromised student account takeover, for example, in other words, a cyber criminal has either social engineered them to gain access to their account, or they've picked up malware on their home computer, and now there's a keystroke logger and they lose a bunch of money.  That member doesn't care if they're part of a major data breach or they're  by themselves. They've experienced a significant emotional event. So as a cybersecurity team, we have to be cognizant of both sides. We have to worry about the front door and the individual consumer interactions and we have to worry about the enterprise approach to the information security team. 

But here's where I think,  we did some innovative things. There's a whole suite of tools that the information security team uses,  that  would typically not be used by the fraud team because the fraud team is primarily focused on identity and authentication. Everything is pretty much focused on, can we validate who this person is coming in saying they're Gary McAlum trying to access their account, and let's authenticate them to the best of our ability. And then there's a lot of,  intermediate steps in there. Oh, we don't recognize this device, maybe we use step-up authentication. Oop. Oh, they failed their password three times, let's route them over here. Oh, is this a phone call versus a digital transaction? Are they using the app versus the online? 

There's all these complexities  from an identity access matchup perspective, you have to be ingesting all of this information. But on the information security side, That team sees a bunch of stuff happening at the perimeter. They're using firewalls. They are using IPS. They are using a lot of things. They've got lots of content filtering going on. Right? 

In the old days they would see stuff that  would be really helpful to a fraud organization if they knew about it. Great example, credential stuffing. If you're seeing an automated attack at your perimeter where somebody is using, in some cases, millions of user ID and password combinations that they've gotten from the underground economy. And now they're trying them on your particular  website, trying to see if they can get a match. Wouldn't that be really useful to to go back through the logs when you detect that attack to figure out which of those combinations may have popped as a positive and then feed those over to your fraud team? Well, that's what we did. 

In the old days, that credential stuffing attack would have been okay,  we're seeing this automated attack, some sort of a bot attack. Let's just block it or make it go away. We wouldn't peer any deeper into like what was going on  and could there be useful information.

Credential stuffing is a great example where InfoSec can detect it and then inform the fraud team  based on what's in the logs, and they could take action. So what we would do is: Oh, we saw this number of  sets of user ID credentials that were positive because somebody is reusing their password from another site. Wow. That never happens, but it does. Well,  hey, why don't we go and take those members and go ahead and automatically default them into MFA now instead of waiting. 

In other cases,  our information security team  used a third-party service where we would detect phishing attempts  against USAA  whether it was an employee or our members, and we use this third-party service to shut them down. 

In the old days,  we might just focus on USAA employees, but  well,  why not our members  as well? So our fraud team doesn't even have to worry about that. We're shutting down phishing against our members by the information security team, because we need them to shut down phishing attacks against our employees. 

In my mind, there is a lot of operational synergy between the two. They are different problems, but I call them,  two sides of the same coin, but they are different.

Rick Howard: When I asked Jerry the same question about the difference between traditional cyber crime and fraud, he talked about how similar the analyst tools are, even though the data sets are different, so much so that there is a natural convergence between the two activities.

Jerry Archer: There is a different set of tools, but more and more, what we see is we see cyber intersecting with what you'd call traditional fraud. The tools that we use and they use are now  merging like behavioral analytics. Jerry Archer: They look at behavioral analytics around the fraud dimension. We look at behavioral, the analytics around things like identity theft, breaking into our networks, and stuff like that. But if you think about it, there's  this natural convergence between traditional fraud and what we would call cyber crime. 

If you start looking at behavior of online fraudsters, I can detect that through true cyber actions that they do. Meaning,  what time did they log on? What methods did they use to log off? That's all cyber side kind of stuff versus the fraud that they commit, which was to convince somebody to change an account number someplace so they could move money.  

We tend to work hand in glove with them.  If there's something that we see that they need to look at, they're not going to be cyber experts. They don't have the tools. But they're going to do the fraud investigations. We become the support for that fraud effort, if you will, providing the evidence and capabilities.

Rick Howard: After long conversations with these hundred pound brain financial thought leaders, I have learned that we are all on the same mind, the strategies, or the "what," they want to accomplish in order to reduce the probability of material impact are no different than any other thought leader in any other vertical. If any of them move from the financial sector to a completely different vertical, they wouldn't be scrapping their fleet of Falcon 9 medium lift and Falcon heavy lift launch vehicles for something completely different. Zero trust, resilience, intrusion kill chain prevention, and risk forecasting are still the first principles strategies, even if they have an extra element to worry about in terms of financial fraud. But where it will change is the "how," the tactics of the things they will do to pursue those strategies.

And that's a wrap the first episode in Season 5. And welcome back everybody. If you agree or disagree with anything I have said, hit me up on LinkedIn or Twitter, and we can continue the conversation there. Next week, I'm going to be talking to some hundred pound brain thought leaders from the healthcare sector to see what they have to say about all of this. You won't want to miss that. 

The CyberWire CSO Perspectives is edited by John Petrik, and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design, and original score. And I am Rick Howard. Thanks for listening.