Agenda
Overview of assessment tool
Review inherent risk profile categories
Review domain 1-5 for cyber security maturity
Summary of risk/maturity relationships
Overview of use case performed
Final thoughts Q&A
Benefits to Institutions
• Identifying factors contributing to and determining the institution’s overall cyber
risk
• Assessing the institution's cybersecurity preparedness.
• Evaluating whether the institution's cybersecurity preparedness is aligned with its
risks
• Determining risk management practices and controls that could be taken to
achieve the institution's desired state of cyber preparedness
• Informing risk management strategies.
Not just for Finance!
• Don’t tune out if you're not in the financial services sector!!
• Throughout the presentation you can see that risk assessment and preparedness
is a major theme in any industry. Feel free to ask particular questions about your
company and industry.
Inherent Risk Profile Categories
• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats
Inherent Risk Profile
• Technologies and Connection Types
• Internet service providers
• Third party connections
• Internal vs outsourced hosted
systems
• Wireless access points
• Network devices
• EOL Systems
• Cloud services
• Personal Devices
Inherent Risk Profile
• Delivery Channels
• Online and mobile products and services delivery channels
• ATM operations
Inherent Risk Profile
• Online/Mobile Products and
Technology Services
• Credit and debit cards
• P2P payments
• ACH
• Wire transfers
• Wholesale payments
• Remote deposit
• Treasury and trust
• Global remittances
• Correspondent banking
• Merchant acquiring activities
Inherent Risk Profile
• Organizational Characteristics
• Mergers and acquisitions
• Direct employees and contractors
• IT environment
• Business presence and locations of
operations and data centers
Inherent Risk Responses Best Practice
Automate answers using existing solutions to track in real time areas such as:
• Asset inventory
• Third party connections
• Transaction data
Domain 1
• Cyber Risk Management & Oversight
Governance
Risk Management
Resources
Training and Culture
Domain 2
• Threat Intelligence and Collaboration
Threat Intelligence
Monitoring and Analyzing
Information Sharing
Domain 3
• Cyber Security Controls
Preventative
• Infrastructure management
• Access and asset management
• Device/endpoint security
• Secure coding practices
Detective
• Threat and vulnerability detection
• Anomalous behavior activity detection
• Event detection
Corrective
• Patch management
• Remediation
Domain 4
External Dependency Management
Connections
• Identifications
• Monitoring
• Management of external connections and data flows to third parties
Relationship Management
• Due diligence
• Contracts
• Ongoing monitoring
Domain 5
• Cyber Incident Management and Response
• Incident Resilience Planning & Strategy
• Detection, Response, & Mitigation
• Escalation & Reporting
ABC National Bank Business Profile
Background
• 13000+ employees
• 1000+ banking locations
• HQ in Central US
• Est. 1967
Banking Operations
• Branch Banking
• Commercial Banking
• Consumer Lending
• Investment Advisors
Current State
• EOL systems still in use, no upgrade plan
• Mobile banking applications and some BYOD
• Previous security incidents – external phishing attempts and ATMs being infected with malware
• IT Security Director has left the Bank
Inherent Risk Score: 507.69
Legend
<=200: Low Inherent Risk
201-400: Minimal Inherent Risk
401-600: Moderate Inherent Risk
601-800: Significant Inherent Risk
801-1000: Most Inherent Risk
Category | Weights | Data Points | Least | Minimal | Moderate | Significant | Most
Technologies and Connection Types | 1 | 14 | 0 | 8 | 4 | 2 | 0
Delivery Channels | 1 | 3 | 0 | 0 | 1 | 2 | 0
Organizational Characteristics | 1 | 7 | 1 | 0 | 6 | 0 | 0
Online/Mobile Products and Technological Services | 1 | 14 | 3 | 3 | 8 | 0 | 0
External Threats | 1 | 1 | 0 | 0 | 1 | 0 | 0
Totals | 5 | 39 | 4 | 11 | 20 | 4 | 0
Share of data points | | | 10.26% | 28.21% | 51.28% | 10.26% | 0.00%
Inherent Risk Profile
FFIEC Recap of Steps Taken for Use Case
Domain 1: Cyber Risk Management & Oversight
Domain 2: Threat Intelligence & Collaboration
Domain 3: Cybersecurity Controls
Domain 4: External Dependency Management
Domain 5: Cyber Incident Management and Resilience
Cybersecurity Maturity
Maturity Achieved Against Defined Targets – ABC Bank: 81.06%
Maturity | Achieved | Statements | Least | Minimal | Moderate | Significant | Most
Domain: Cyber Risk Management and Oversight | Desired Target: Intermediate | % Achieved: 64.89%
Innovative | 1 | 15 | | | | 6.67% | 6.67%
Advanced | 5 | 32 | | | 15.63% | 15.63% | 15.63%
Intermediate | 7 | 29 | | 24.14% | 24.14% | 24.14% |
Evolving | 23 | 34 | 67.65% | 67.65% | 67.65% | |
Baseline | 31 | 31 | 100.00% | 100.00% | | |
Domain: Threat Intelligence and Collaboration | Desired Target: Intermediate | % Achieved: 88.46%
Innovative | 0 | 8 | | | | 0.00% | 0.00%
Advanced | 2 | 11 | | | 18.18% | 18.18% | 18.18%
Intermediate | 8 | 11 | | 72.73% | 72.73% | 72.73% |
Evolving | 7 | 7 | 100.00% | 100.00% | 100.00% | |
Baseline | 8 | 8 | 100.00% | 100.00% | | |
Domain: Cyber Security Controls | Desired Target: Intermediate | % Achieved: 80.62%
Innovative | 2 | 20 | | | | 10.00% | 10.00%
Advanced | 5 | 25 | | | 20.00% | 20.00% | 20.00%
Intermediate | 23 | 39 | | 58.97% | 58.97% | 58.97% |
Evolving | 30 | 39 | 76.92% | 76.92% | 76.92% | |
Baseline | 51 | 51 | 100.00% | 100.00% | | |
Domain: External Dependency Management | Desired Target: Intermediate | % Achieved: 86.84%
Innovative | 0 | 7 | | | | 0.00% | 0.00%
Advanced | 3 | 7 | | | 42.86% | 42.86% | 42.86%
Intermediate | 6 | 9 | | 66.67% | 66.67% | 66.67% |
Evolving | 11 | 13 | 84.62% | 84.62% | 84.62% | |
Baseline | 16 | 16 | 100.00% | 100.00% | | |
Domain: Cyber Incident Management and Resilience | Desired Target: Intermediate | % Achieved: 84.48%
Innovative | 1 | 10 | | | | 10.00% | 10.00%
Advanced | 3 | 15 | | | 20.00% | 20.00% | 20.00%
Intermediate | 15 | 21 | | 71.43% | 71.43% | 71.43% |
Evolving | 17 | 20 | 85.00% | 85.00% | 85.00% | |
Baseline | 17 | 17 | 100.00% | 100.00% | | |
Domain 1 - Governance, Risk, and Audit
Solution capability desired - Visibility and Intelligence
• No endpoint visibility
• Limited intelligence on oversight and audit functions
• Polling and scanning, basic manual risks assigned
Domain 2 - Threat Intelligence and Sharing
Solution capability desired - Intelligence and Integration
• Limited intelligence without any integration
• Alerts and logs are consolidated in a SIEM for integration, manually shared threat intelligence
Domain 3 - Preventive, Detective, and Corrective controls
Solution capability desired - Detection, Prevention, and Response
• Detection: AV signatures, only detects known malware, extensive log analysis
• Prevention: Relying on AV only stops known malware
• Response: Reimage machines, no root cause analysis
• Detection: Software and IP reputation data
• Prevention: Remove admin rights, basic whitelisting
• Response: Manual root-cause and scope analysis, post-mortem forensics
Domain 4 - Third Party Management
Solution capability desired - Visibility and Detection
• No visibility into third party security or threats
• No detection of security incidents spawned from third parties
• Limited visibility into criticality of third parties
• Still no detection of interactions or unauthorized attempts to obtain/change sensitive information
Domain 5 - Incident Response
Solution capability desired - Detection and Response
• Detection: AV signatures, only detects known malware, extensive log analysis
• Response: Reimage machines, no root cause analysis
• Detection: Software and IP reputation data
• Response: Manual root-cause and scope analysis, post-mortem forensics
Domain Level Controls
Control Maturity Level: Baseline, Evolving
Inherent Risk Profile Level: Low, Minimal
Negative Security Approach
When risks exceed appetite, they are escalated to management; Policies include threat intelligence; Baselines cannot be altered w/o formal change request; Formal IT change management process; Risk management includes financial, strategic, regulatory, and compliance implications; Benchmarks and target performance metrics are established; Audits are used to identify gaps
Industry standards are used for the analysis of gaps; Automated tools enable tracking, updating, asset prioritizing, and custom reporting of the asset inventory; Automated processes are in place to detect and block unauthorized changes to software and hardware; Risk assessments of changes in change management system; Risk data aggregation and real time reporting capabilities support ongoing reporting; Periodic audit process improvements based on threat landscape
Continuous monitoring of security controls; KPIs determine training awareness influence; Formal change management function governs decentralized or highly distributed change requests and measures security risks; Automated enterprise tools are implemented to detect and block unauthorized changes to software and hardware
Formal threat intelligence program is implemented and has external and internal sources; A read-only central repository of cyber threat intelligence is maintained; Profile of threats is created
Threat intelligence is automatically received from multiple sources in real time; Threat intelligence is used to update architecture and configuration standards
IT systems automatically detect configuration weaknesses based on threat intelligence and alert management; Real time threat sharing; Threat analysis systems correlate threat data to risks while taking automated actions and alerting management; Invests in threat intelligence and collaboration mechanisms; Combines all threat intelligence from mechanisms
Security controls for remote access; Unauthorized code prevention tools; Emails and attachments are automatically scanned to detect malware and blocked when it is present; Tools for unauthorized data mining; Tools to monitor security logs; Audit logs are backed up to a centralized log server that is difficult to alter; Event detection processes are tested as reliable
Anti-spoofing measures for forged IP addresses; Automated tools proactively identify high-risk behavior signaling an employee who poses an insider threat; Automated tools detect unauthorized changes to critical system files, firewalls, IPS, IDS, or other security devices; Real-time network monitoring and detection is implemented and incorporates sector wide event information; Real time alerts are automatically sent when unauthorized software, hardware, or changes occur; Tools are in place to actively correlate event information from multiple sources and send alerts based on established parameters; Patch monitoring software is installed on all servers
Automated real time risk scores of infrastructure; Centralized end-point management tool; Real time risk scoring of threats; Detection of insider threats and block activity in real time; Remediation of systems damaged by zero-days
Controls verified to detect and prevent intrusions from third party connections; Monitoring covers all external and internal connections
Maintain and improve security of external connections; Detailed diagram of data flow analysis
IR team notified when anomalous behavior and attack patterns or signatures are detected; Detect infiltrations before attacker traverses across systems; Incidents detected in real time through automated processes and correlated events across the enterprise; Networks and system alerts are correlated across business units to detect and prevent multifaceted attacks; Early analysis of security events to minimize impact
Institution corrects root cause for problems discovered during testing; Sophisticated and adaptive technologies are deployed that can detect and alert the incident response team of specific tasks when threat indicators across the enterprise indicate potential external and internal threats; Automated tools are implemented to provide specialized security monitoring based on the risk of the assets to detect and alert IR teams in real time; IR team collaborates with threat intelligence team during an incident; Detailed metrics, dashboards and/or scorecards outlining cyber events are provided to management
IR plan ensures recovery from disruption, assurance of data integrity, and recovery of lost or corrupted data following an incident; IR process includes detailed actions and rule based triggers for automated response; Validated the ability to remediate systems damaged by zero day attacks to maintain RTO; Detect and block zero day attacks and alert management and IR teams in real time; Risk management of significant cyber incidents results in limited to no down time for critical services; Mechanism in place to alert in real time incidents through multiple channels while tracking and verifying communication for audit
Control Maturity Level: Intermediate, Advanced, Innovative
Inherent Risk Level: Moderate, Significant, Most
Positive Security Approach
W/b9 +cb @ intermediate
Maturity Achieved Against Intermediate Targets – with Proactive Security: 92.98%
Maturity | Achieved | Statements | Least | Minimal | Moderate | Significant | Most
Domain: Cyber Risk Management and Oversight | Desired Target: Intermediate | % Achieved: 73.40%
Innovative | 7 | 15 | | | | 46.67% | 46.67%
Advanced | 11 | 32 | | | 34.38% | 34.38% | 34.38%
Intermediate | 9 | 29 | | 31.03% | 31.03% | 31.03% |
Evolving | 29 | 34 | 85.29% | 85.29% | 85.29% | |
Baseline | 31 | 31 | 100% | 100% | | |
Domain: Threat Intelligence and Collaboration | Desired Target: Intermediate | % Achieved: 100.00%
Innovative | 4 | 8 | | | | 50.00% | 50.00%
Advanced | 5 | 11 | | | 45.45% | 45.45% | 45.45%
Intermediate | 11 | 11 | | 100% | 100% | 100% |
Evolving | 7 | 7 | 100% | 100% | 100% | |
Baseline | 8 | 8 | 100% | 100% | | |
Domain: Cyber Security Controls | Desired Target: Intermediate | % Achieved: 91.47%
Innovative | 8 | 20 | | | | 40.00% | 40.00%
Advanced | 16 | 25 | | | 64.00% | 64.00% | 64.00%
Intermediate | 32 | 39 | | 82.05% | 82.05% | 82.05% |
Evolving | 35 | 39 | 89.74% | 89.74% | 89.74% | |
Baseline | 51 | 51 | 100% | 100% | | |
Domain: External Dependency Management | Desired Target: Intermediate | % Achieved: 100.00%
Innovative | 0 | 6 | | | | 0.00% | 0.00%
Advanced | 3 | 7 | | | 42.86% | 42.86% | 42.86%
Intermediate | 9 | 9 | | 100% | 100% | 100% |
Evolving | 13 | 13 | 100% | 100% | 100% | |
Baseline | 16 | 16 | 100% | 100% | | |
Domain: Cyber Incident Management and Resilience | Desired Target: Intermediate | % Achieved: 100.00%
Innovative | 6 | 10 | | | | 60.00% | 60.00%
Advanced | 8 | 15 | | | 53.33% | 53.33% | 53.33%
Intermediate | 21 | 21 | | 100% | 100% | 100% |
Evolving | 20 | 20 | 100% | 100% | 100% | |
Baseline | 17 | 17 | 100% | 100% | | |
Maturity Achieved Against Defined Targets – Status Quo: 61.05%
Maturity | Achieved | Statements | Least | Minimal | Moderate | Significant | Most
Domain: Cyber Risk Management and Oversight | Desired Target: Innovative | % Achieved: 47.52%
Innovative | 1 | 15 | | | | 6.67% | 6.67%
Advanced | 5 | 32 | | | 15.63% | 15.63% | 15.63%
Intermediate | 7 | 29 | | 24.14% | 24.14% | 24.14% |
Evolving | 23 | 34 | 67.65% | 67.65% | 67.65% | |
Baseline | 31 | 31 | 100.00% | 100.00% | | |
Domain: Threat Intelligence and Collaboration | Desired Target: Innovative | % Achieved: 55.56%
Innovative | 0 | 8 | | | | 0.00% | 0.00%
Advanced | 2 | 11 | | | 18.18% | 18.18% | 18.18%
Intermediate | 8 | 11 | | 72.73% | 72.73% | 72.73% |
Evolving | 7 | 7 | 100.00% | 100.00% | 100.00% | |
Baseline | 8 | 8 | 100.00% | 100.00% | | |
Domain: Cyber Security Controls | Desired Target: Innovative | % Achieved: 63.79%
Innovative | 2 | 20 | | | | 10.00% | 10.00%
Advanced | 5 | 25 | | | 20.00% | 20.00% | 20.00%
Intermediate | 23 | 39 | | 58.97% | 58.97% | 58.97% |
Evolving | 30 | 39 | 76.92% | 76.92% | 76.92% | |
Baseline | 51 | 51 | 100.00% | 100.00% | | |
Domain: External Dependency Management | Desired Target: Innovative | % Achieved: 74.51%
Innovative | 0 | 6 | | | | 0.00% | 0.00%
Advanced | 3 | 7 | | | 42.86% | 42.86% | 42.86%
Intermediate | 6 | 9 | | 66.67% | 66.67% | 66.67% |
Evolving | 13 | 13 | 100.00% | 100.00% | 100.00% | |
Baseline | 16 | 16 | 100.00% | 100.00% | | |
Domain: Cyber Incident Management and Resilience | Desired Target: Innovative | % Achieved: 63.86%
Innovative | 1 | 10 | | | | 10.00% | 10.00%
Advanced | 3 | 15 | | | 20.00% | 20.00% | 20.00%
Intermediate | 15 | 21 | | 71.43% | 71.43% | 71.43% |
Evolving | 17 | 20 | 85.00% | 85.00% | 85.00% | |
Baseline | 17 | 17 | 100.00% | 100.00% | | |
W/b9 +cb @ innovative
Maturity Achieved Against Innovative Targets – with Proactive Security: 77.65%
Maturity | Achieved | Statements | Least | Minimal | Moderate | Significant | Most
Domain: Cyber Risk Management and Oversight | Desired Target: Innovative | % Achieved: 61.70%
Innovative | 7 | 15 | | | | 46.67% | 46.67%
Advanced | 11 | 32 | | | 34.38% | 34.38% | 34.38%
Intermediate | 9 | 29 | | 31.03% | 31.03% | 31.03% |
Evolving | 29 | 34 | 85.29% | 85.29% | 85.29% | |
Baseline | 31 | 31 | 100% | 100% | | |
Domain: Threat Intelligence and Collaboration | Desired Target: Innovative | % Achieved: 77.78%
Innovative | 4 | 8 | | | | 50.00% | 50.00%
Advanced | 5 | 11 | | | 45.45% | 45.45% | 45.45%
Intermediate | 11 | 11 | | 100% | 100% | 100% |
Evolving | 7 | 7 | 100% | 100% | 100% | |
Baseline | 8 | 8 | 100% | 100% | | |
Domain: Cyber Security Controls | Desired Target: Innovative | % Achieved: 81.61%
Innovative | 8 | 20 | | | | 40.00% | 40.00%
Advanced | 16 | 25 | | | 64.00% | 64.00% | 64.00%
Intermediate | 32 | 39 | | 82.05% | 82.05% | 82.05% |
Evolving | 35 | 39 | 89.74% | 89.74% | 89.74% | |
Baseline | 51 | 51 | 100% | 100% | | |
Domain: External Dependency Management | Desired Target: Innovative | % Achieved: 80.39%
Innovative | 0 | 6 | | | | 0.00% | 0.00%
Advanced | 3 | 7 | | | 42.86% | 42.86% | 42.86%
Intermediate | 9 | 9 | | 100% | 100% | 100% |
Evolving | 13 | 13 | 100% | 100% | 100% | |
Baseline | 16 | 16 | 100% | 100% | | |
Domain: Cyber Incident Management and Resilience | Desired Target: Innovative | % Achieved: 86.75%
Innovative | 6 | 10 | | | | 60.00% | 60.00%
Advanced | 8 | 15 | | | 53.33% | 53.33% | 53.33%
Intermediate | 21 | 21 | | 100% | 100% | 100% |
Evolving | 20 | 20 | 100% | 100% | 100% | |
Baseline | 17 | 17 | 100% | 100% | | |
Key Considerations While Using the CAT
• Being Innovative in Cybersecurity Maturity
• Real time detection and response
• Always be updating for changes
• Automatic metrics and reporting
• Threat analytics that matter
• Baseline risk measurement
Future of FFIEC
Present
• Examiners have begun using the handbook
• Criticism from FIs of making a voluntary tool seem mandated.
• They do not track the NIST Cybersecurity Framework
• Declarative statements that are subjective in nature.
Future
• FFIEC took in feedback as a response to the accusations this January.
• The tool will be updated on a periodic basis.
• Publications from the FFIEC and OCC released stating the CAT could become mandatory if examiners do not see risk mitigation improvements from banks.
Not just for Finance!
• Industries can use the tool to fit their inherent risk profile by changing the criteria
to those that best fit them.
• E.g., healthcare can tailor their inherent risk based on the nature of health services
provided, number of devices connected to the network including medical devices,
the number of sensitive patient files, and number of medical services locations as
a start.
• Same goes for the cyber security assessment maturity questionnaire: you can
tailor the questionnaire using the controls for HIPAA, PCI, and NIST and any other
standard that pertains to your industry.