2. JAY McLAUGHLIN
SENIOR VICE PRESIDENT, CHIEF SECURITY OFFICER
Jay has over 15 years of technology and security experience. He is highly visible and frequently speaks at industry conferences and summits. His dynamic, balanced, insightful presentations and writings cover topics from perimeter security to application layer security analytics.
Jay has been featured and quoted in various publications including ComputerWorld, CSO Magazine, Credit Union Times, Credit Union Magazine, American Banker, and the ABA Banking Journal.
Jay holds a Bachelor of Science degree in Management Information Systems from the University of Central Florida.
#q2connect15
3. CURRENT STATE
Overview of threat landscape
• Rapidly evolving cyber risks
• Financial institutions are critically dependent upon technology solutions
• A fundamental lack of understanding of cyber security threats & vulnerabilities
4. ARMS RACE
Institutions are not staying ahead of cybersecurity threats
• Increase in number of attacks and attack methods
• Attackers are becoming increasingly adept at defeating security practices
• New & evolving techniques and vectors
• Attacks pose risks to financial services & critical infrastructure
5. STATS
Reference points from studies & publications
• 110M: About 110M Americans – equivalent to roughly 48% of U.S. adults – had some form of their personal data exposed in 2014. (Source: Ponemon Institute study, reported by CNN, May 2014)
• 80%: 80% of hacking victims in the business community didn't even realize they'd been hacked until they were told by vendors, government investigators or consumers. (Source: 2014 Verizon Data Breach Investigations Report)
• And according to a recent report, banks are being hit with cyber attacks “every minute of every day”. (Source: Telegraph news report, Oct 2013)
6. CYBERSECURITY BEST PRACTICES
What you should be doing today
• 1. Risk management & oversight
• 2. Threat intelligence, information sharing & collaboration
• 3. Security controls
• 4. Incident detection & response
• 5. Business continuity & cyber resiliency
7. 1. RISK MANAGEMENT & OVERSIGHT
Significant concerns
• LACK OF OVERALL UNDERSTANDING OF INHERENT RISK
• OVERSIGHT OF THIRD-PARTY PROVIDERS
8. RISK MANAGEMENT & OVERSIGHT
Critical to success
• ENGAGE EXECUTIVE MANAGEMENT & BOARD
• INVOLVE KEY STAKEHOLDERS ACROSS THE ENTIRE ORGANIZATION
9. 2. THREAT INTEL, INFO SHARING & COLLABORATION
Definition
Gathering, monitoring, analyzing, and sharing information from multiple sources on cyber threats and vulnerabilities
10. THREAT INTEL, INFO SHARING & COLLABORATION
Call to action
• FAILING TO KEEP UP-TO-DATE ON THREATS
• ABILITY TO CONSUME THREAT FEEDS & INCORPORATE INTO MONITORING TOOLS
• NOT PARTICIPATING IN VERTICAL SHARING ORGANIZATIONS
11. THREAT INTEL, INFO SHARING & COLLABORATION
Crawl, walk, run
• SUBSCRIBE TO THREAT INTELLIGENCE DATA FEEDS
• INCORPORATE INTO CYBERSECURITY MONITORING TOOLS (SIEM)
• PARTICIPATE IN INDUSTRY VERTICAL SHARING ORGANIZATIONS (FS-ISAC)
• AVOID INFORMATION OVERLOAD
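The crawl-walk-run steps above, as an added example that is not part of the presentation: a small Python routine that takes subscribed feed entries, applies an overload filter (confidence floor, staleness cut-off, exclusion of the institution's own address space, one record per indicator across feeds) before loading the SIEM watchlist, and then runs that watchlist over log records the way a SIEM match rule would. Feed entries, field names, the confidence scale and the internal ranges are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
import ipaddress

@dataclass(frozen=True)
class Indicator:
    value: str        # IP address or domain name
    kind: str         # "ip" or "domain"
    confidence: int   # 0-100 as published by the feed (hypothetical scale)
    last_seen: date   # when the feed last observed the indicator
    source: str       # which subscribed feed supplied it

# Constructed entries standing in for two subscribed feeds (test-net addresses, not real indicators).
FEED = [
    Indicator("203.0.113.10", "ip", 90, date(2015, 3, 1), "feed-a"),
    Indicator("203.0.113.10", "ip", 70, date(2015, 2, 20), "feed-b"),  # same IP from a second feed
    Indicator("198.51.100.7", "ip", 20, date(2015, 3, 2), "feed-b"),   # low confidence
    Indicator("192.0.2.55", "ip", 95, date(2014, 6, 1), "feed-a"),     # stale
    Indicator("10.0.0.5", "ip", 99, date(2015, 3, 1), "feed-b"),       # our own address space
    Indicator("bad.example", "domain", 80, date(2015, 3, 1), "feed-a"),
]
# The institution's own ranges (constructed); a feed hit here is noise, not an alert.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def select_for_siem(feed, today, min_confidence=50, max_age_days=90):
    """Build the SIEM watchlist: drop low-confidence, stale and internal entries; keep the highest-confidence record per indicator."""
    watchlist = {}
    for ind in feed:
        if ind.confidence < min_confidence or (today - ind.last_seen).days > max_age_days:
            continue
        if ind.kind == "ip" and any(ipaddress.ip_address(ind.value) in n for n in INTERNAL):
            continue
        if ind.value not in watchlist or ind.confidence > watchlist[ind.value].confidence:
            watchlist[ind.value] = ind
    return watchlist

def match_events(watchlist, events):
    """SIEM-style watchlist rule: pair each log record with any indicator found in its fields."""
    hits = []
    for ev in events:
        for field in ("src_ip", "dst_ip", "domain"):
            ind = watchlist.get(ev.get(field))
            if ind is not None:
                hits.append((ev, ind))
    return hits

EVENTS = [  # constructed log records, already normalised to named fields
    {"src_ip": "203.0.113.10", "dst_ip": "10.0.0.5"},
    {"src_ip": "10.0.0.8", "domain": "bad.example"},
    {"src_ip": "198.51.100.7", "dst_ip": "10.0.0.9"},
    {"src_ip": "192.0.2.55", "dst_ip": "10.0.0.9"},
]
```

Raising `min_confidence` or lowering `max_age_days` is the "avoid information overload" dial: the watchlist shrinks and the match rule fires only on indicators still worth an analyst's time.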
12. 3. SECURITY CONTROLS
Starting point
• Implement controls based on risk assessment activities
• Deploy preventative, detective, & corrective controls
• Invest in appropriate staffing & expertise
• Accept overall residual risk
13. 4. INCIDENT DETECTION & RESPONSE
Problems we are seeing
• RELY TOO HEAVILY ON SECURITY CONTROLS
• IMPLEMENT FRAMEWORK TO MATURE IR PROGRAM
14. INCIDENT DETECTION & RESPONSE
Establish a process
• DETECT AND ISOLATE THREAT VECTOR
• PERFORM TRIAGE, ANALYSIS AND INVESTIGATION BY SECURITY RESPONSE TEAMS
• REMEDIATION EFFORTS MITIGATE REOCCURRENCE OF THE THREAT
15. 5. BUSINESS CONTINUITY & CYBER RESILIENCY
Definition
Ability to resume services or operations following an event
16. BUSINESS CONTINUITY & CYBER RESILIENCY
Challenges we face
• LACK A STRATEGY TO KEEP ORGANIZATION FUNCTIONAL AFTER AN EVENT
• MAY NOT FULLY UNDERSTAND OPERATIONAL SIDE
17. BUSINESS CONTINUITY & CYBER RESILIENCY
Institutions must begin to focus on resiliency, not recovery
Establish a plan to weather the attack while incurring minimal impact to the organization
19. FFIEC CYBERSECURITY ASSESSMENT BASICS
In 2014, the FFIEC piloted a cybersecurity examination work program at more than 500 community institutions.
Purpose of assessment: evaluate institutions’ preparedness to mitigate cybersecurity risks
20. FFIEC INVOLVEMENT
• Rapidly evolving cyber threats are facing FIs
• Not a matter of if, but when an attack will occur
• Must increase the readiness and capabilities
FFIEC wants to help financial institutions enhance their cyber security risk capabilities and overall preparedness
21. FFIEC CYBERSECURITY ASSESSMENTS
• Created in response to growing risks and complexity of attacks
• Coordinate with intelligence/law enforcement/homeland security
• Dedicated support for community FIs lacking resources
22. FFIEC CYBERSECURITY ASSESSMENTS
Round 1
• FIs need to increase the focus of risk management / oversight
• Must increase the readiness and capabilities
• Overall preparedness and capability to respond to these risks
23. PROPOSED FRAMEWORK
The FFIEC Cybersecurity Assessment’s Suggestions
• IDENTIFY: risk awareness, organizational understanding
• PROTECT: develop and implement appropriate safeguards
• DETECT: early alerting of cybersecurity events
• RESPOND: appropriate activities to take action
• RECOVER: resiliency; ability to restore services & capabilities
26. HOW TO
Demonstrate fundamental understanding of inherent risks
• Be prepared to communicate and articulate your FI’s process for conducting and revisiting technology risk assessments
• Organizational units must be involved in the risk assessment process
• Must be able to convey the bank’s awareness and identification of potential risks, including any third-party risks that may result from vendor relationships
*This is the first place examiners will focus. Unfamiliarity or lack of knowledge related to this process will raise a red flag to dig deeper.
28. ARTICULATE
Approach for implementing controls to address risks
• Staff must show they are well-versed in cyber security controls and industry recommendations
• Be ready to show how the bank has aligned its cyber security strategy with its business strategy, for example, how risks will be managed now and in the future
30. EXHIBIT
Maturity readiness and preparation for adapting to threats
• Need to have evidence of programs for continuously monitoring the latest risks & threats to determine (along with the process for) implementing mitigations
• Must show how you’re leveraging and incorporating threat intelligence
• Show involvement in industry information sharing groups (FS-ISAC)
32. CONVEY
How executive level management and board level are being engaged
• Show how board members are being brought in specifically for their experience and knowledge around information technology and security
• Must educate existing board members
  • Inform and engage
  • Share facts, speak in their language (RISK)
33. ALSO FOR CONSIDERATION
Expect more to come
• Updated BCP Booklet that contains a 16-page appendix around business continuity was released in Feb 2015; continued emphasis on planning and resiliency
• Increased scrutiny on third-party relationships and how the FI is managing the oversight processes
• FFIEC plans to issue a cyber security self assessment tool this year to assist institutions in evaluating their inherent cybersecurity risk and their risk management capabilities.
34. CLOSING THOUGHTS
• Institutions are struggling to stay ahead of cyber security threats
• Attackers becoming increasingly adept at defeating security practices
• Proper assessment of risk is critical!
• Implement a framework for building a robust security strategy
• Engage Executive Management
• Threat landscape will continue to evolve
WE MUST ADAPT