Securing FinTech: Threats, Challenges, Best Practices, FFIEC, NIST, and Beyond
Ulf Mattsson, CTO Security Solutions
Atlantic Business Technologies
ulf.mattsson@atlanticbt.com
Ulf Mattsson
Inventor of more than 45 US Patents
Industry Involvement:
• PCI DSS - PCI Security Standards Council: Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
• IFIP - International Federation for Information Processing
• CSA - Cloud Security Alliance
• ANSI - American National Standards Institute: ANSI X9 Tokenization Work Group
• NIST - National Institute of Standards and Technology: NIST Big Data Working Group
• User Groups: Security: ISACA & ISSA; Databases: IBM & Oracle
My Work with PCI DSS Standards
Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Guidelines Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC Tokenization Products Task Force
Evolving IT Risk – My ISACA Articles
Data Security – My Recent ISACA Presentations
Agenda
1. FFIEC Cyber Assessment Toolkit
2. Current trends in Cyber attacks
3. Security Metrics
4. Oversight of third parties
5. How to measure cybersecurity preparedness
6. Automated approaches to integrate Security into DevOps
Federal Financial Institutions Examination Council (FFIEC)
FFIEC is a formal U.S. government interagency body. It includes five banking regulators:
1. Federal Reserve Board of Governors (FRB),
2. Federal Deposit Insurance Corporation (FDIC),
3. National Credit Union Administration (NCUA),
4. Office of the Comptroller of the Currency (OCC), and
5. Consumer Financial Protection Bureau (CFPB).
It is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions".
Source: Wikipedia
FFIEC Cybersecurity Assessment Tool
The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity.
To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories:
• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats
Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains:
• Cyber Risk Management and Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Resilience
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool – Part One: Inherent Risk Profile
Part one of the Assessment identifies the institution’s inherent risk:
• Technologies and Connection Types. Certain types of connections and technologies may pose a higher inherent risk
depending on the complexity and maturity, connections, and nature of the specific technology products or services.
• Delivery Channels. Various delivery channels for products and services may pose a higher inherent risk depending on
the nature of the specific product or service offered.
• Online/Mobile Products and Technology Services. Different products and technology services offered by institutions may
pose a higher inherent risk depending on the nature of the specific product or service offered.
• Organizational Characteristics. This category considers organizational characteristics, such as mergers and acquisitions,
number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with
privileged access, changes in information technology (IT) environment, locations of business presence, and locations of
operations and data centers.
• External Threats. The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool – Risk Levels
The following are the definitions of the risk levels:
• Least Inherent Risk. An institution with a Least Inherent Risk Profile generally has very limited use of technology. It has
few computers, applications, systems, and no connections. The variety of products and services are limited. The
institution has a small geographic footprint and few employees.
• Minimal Inherent Risk. An institution with a Minimal Inherent Risk Profile generally has limited complexity in terms of
the technology it uses. It offers a limited variety of less risky products and services.
• Moderate Inherent Risk. An institution with a Moderate Inherent Risk Profile generally uses technology that may be
somewhat complex in terms of volume and sophistication.
• Significant Inherent Risk. An institution with a Significant Inherent Risk Profile generally uses complex technology in
terms of scope and sophistication.
• Most Inherent Risk. An institution with a Most Inherent Risk Profile uses extremely complex technologies to deliver
myriad products and services.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool – Part Two: Cybersecurity Maturity
Maturity level within each of the following five domains:
• Domain 1: Cyber Risk Management and Oversight
• Domain 2: Threat Intelligence and Collaboration
• Domain 3: Cybersecurity Controls
• Domain 4: External Dependency Management
• Domain 5: Cyber Incident Management and Resilience
Domains, Assessment Factors, Components, and Declarative Statements
Within each domain are assessment factors and contributing components.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool – Maturity Levels
Each maturity level includes a set of declarative statements that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes.
Definitions for each of the maturity levels: the Assessment starts at the Baseline maturity level and progresses to the highest maturity, the Innovative level.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool – 5 Domains:
1. Domain 1: Cyber Risk Management and Oversight
2. Domain 2: Threat Intelligence and Collaboration
3. Domain 3: Cybersecurity Controls
4. Domain 4: External Dependency Management
5. Domain 5: Cyber Incident Management and Resilience
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
FFIEC & NIST
Mapping FFIEC Cybersecurity Assessment Tool to NIST Cybersecurity Framework
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
FFIEC Cybersecurity Assessment Tool - Interpreting and Analyzing Assessment Results
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tools - Excel Templates
FFIEC Cybersecurity Assessment Tool - Excel Template
The linked FFIEC Cybersecurity Assessment Tool Excel Template was created to assist in the assessment process. It includes worksheets to complete the Inherent Risk Profile Assessment and Cybersecurity Maturity Assessment.
The Assessment Summary worksheet calculates an Inherent Risk Score and reflects the percentage of Cybersecurity Maturity achieved against defined targets based on the completed assessment worksheets.
Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity
Each of the Cybersecurity Domains is dashboarded to illustrate the percentage of maturity achieved against targets selected for each domain.
Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity
The calculated Cybersecurity Maturity is plotted on the dashboard against the Inherent Risk, highlighting alignment or lack thereof.
Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
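The scoring behind such a summary sheet can be sketched in a few functions. This is an added example, not code from the slides, the FFIEC, or the Excel template; it assumes a majority-vote rule for the overall inherent risk profile, the FFIEC CAT rule that a maturity level is attained only when every declarative statement in it and in all lower levels is met, and a simplified one-to-one target maturity per risk level (the FFIEC's own results chart uses ranges).

```python
"""Score an FFIEC CAT self-assessment: inherent risk profile, per-domain
maturity level, and the gap between attained and target maturity.
Added example; not the FFIEC's, the template's, or the presenter's code."""
from collections import Counter

RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Assumption (simplified): one target maturity level per inherent risk
# profile. The FFIEC "Interpreting and Analyzing Assessment Results"
# chart shows ranges; a single level keeps the gap calculation clear.
TARGET_MATURITY = dict(zip(RISK_LEVELS, MATURITY_LEVELS))


def inherent_risk_profile(ratings):
    """ratings: {category: [risk level chosen for each activity/service]}.
    The overall profile is the level chosen most often across all five
    categories (assumption: ties resolve to the higher level)."""
    counts = Counter(level for levels in ratings.values() for level in levels)
    return max(RISK_LEVELS, key=lambda lvl: (counts[lvl], RISK_LEVELS.index(lvl)))


def domain_maturity(statements):
    """statements: {maturity level: [True/False per declarative statement]}.
    Attainment is cumulative: a level is attained only when every statement
    in that level and in every lower level is met. Returns
    (attained level or None, percent of all statements met)."""
    attained = None
    for lvl in MATURITY_LEVELS:
        answers = statements.get(lvl, [])
        if answers and all(answers):
            attained = lvl
        else:
            break  # the first unmet level stops the climb
    total = sum(len(v) for v in statements.values())
    met = sum(sum(v) for v in statements.values())
    pct = round(100.0 * met / total, 1) if total else 0.0
    return attained, pct


def maturity_gap(profile, attained):
    """Number of maturity levels still to climb to reach the target for
    this inherent risk profile; 0 means aligned (or above target)."""
    target_idx = MATURITY_LEVELS.index(TARGET_MATURITY[profile])
    have_idx = -1 if attained is None else MATURITY_LEVELS.index(attained)
    return max(0, target_idx - have_idx)


def assessment_summary(ratings, domains):
    """Build the equivalent of an Assessment Summary sheet: one row per domain."""
    profile = inherent_risk_profile(ratings)
    summary = {}
    for name, statements in domains.items():
        attained, pct = domain_maturity(statements)
        summary[name] = {
            "maturity": attained or "Below Baseline",
            "percent": pct,
            "gap": maturity_gap(profile, attained),
        }
    return profile, summary


# Constructed sample input (not real institution data).
SAMPLE_RATINGS = {
    "Technologies and Connection Types": ["Moderate", "Significant", "Moderate"],
    "Delivery Channels": ["Moderate", "Minimal"],
    "Online/Mobile Products and Technology Services": ["Significant", "Moderate"],
    "Organizational Characteristics": ["Minimal", "Moderate"],
    "External Threats": ["Significant"],
}

# Two of the five domains, with a handful of declarative statements each.
# Cybersecurity Controls meets every Intermediate statement but misses one
# at Evolving, so it scores Baseline: the cumulative rule matters.
SAMPLE_DOMAINS = {
    "Cyber Risk Management and Oversight": {
        "Baseline": [True, True, True], "Evolving": [True, True],
        "Intermediate": [True, False], "Advanced": [False], "Innovative": [False],
    },
    "Cybersecurity Controls": {
        "Baseline": [True, True], "Evolving": [False, True],
        "Intermediate": [True, True], "Advanced": [False], "Innovative": [False],
    },
}

if __name__ == "__main__":
    profile, summary = assessment_summary(SAMPLE_RATINGS, SAMPLE_DOMAINS)
    print(f"Inherent Risk Profile: {profile} (target maturity {TARGET_MATURITY[profile]})")
    for name, row in summary.items():
        print(f"{name}: {row['maturity']}, {row['percent']}% of statements met, "
              f"gap {row['gap']} level(s)")
```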
FFIEC Cybersecurity Assessment Tool
FFIEC released this as a free spreadsheet “tool”:
• Spreadsheets are notoriously hard to maintain control of, and the information contained within this tool is clearly sensitive in nature.
Like many other checklist assessment frameworks, the FFIEC CAT is relatively binary in how it forces the user to characterize the condition of the elements it evaluates.
• In some tools, users rate each element of the framework as “Weak”, “Partial”, or “Strong”, enabling them to identify elements that have room for improvement and providing actionable insight.
Making a meaningful comparison between “inherent risk” and control conditions is tricky though, and the FFIEC CAT describes a rudimentary matrix-like approach for doing so.
• Some tools combine these measurements graphically, which makes the comparison easier to digest.
Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool
FFIEC Cybersecurity Assessment Tool – FAIR International Standard
Factor Analysis of Information Risk (FAIR)
Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool
FFIEC Cybersecurity Assessment Tool – Tool by FS-ISAC & FSSCC
FSSCC Automated Cybersecurity Assessment Tool
FS-ISAC collaborated with members of the Financial Services Sector Coordinating Council (FSSCC) on an “automated” tool:
• No attempts were made to interpret or change any of the FFIEC’s stated expectations; and
• Some FFIEC agencies are using the results of the Cybersecurity Assessment Tool as part of the examination and supervisory process
Source: https://www.fsisac.com/article/fsscc-automated-cybersecurity-assessment-tool
Board Involvement
The Board’s Perception of Cybersecurity Risks
• How would you characterize the board’s perception of cybersecurity risks over the last one to two years?
[Chart: responses grouped as "Increased", "Increased significantly", "High", and "No change"]
Source: PWC – The Global State of Information Security Survey 2016
Cybersecurity is now a Persistent Business Risk
• The cybersecurity software, solutions, and services market is likely to remain a growth sector because executives and Boards recognize that cyber threats will never be completely eliminated, and regulatory and compliance requirements will likely become more stringent
• The cybersecurity services market is expanding in the wake of increased incidents and heightened regulations; corporations and government agencies are scrambling to safeguard their data and networks—a push that is catalyzing growth in the market for cybersecurity solutions and technologies
Trends in Board Involvement in Cyber Security
Source: PWC – The Global State of Information Security Survey 2016
Questions the Board Will Ask
Source: PWC – The Global State of Information Security Survey 2016
CEOs, CFOs, Business Risk Owners & CISOs questions
1. "How much cyber risk do we have in dollars and cents?"
2. "How much cyber insurance do we need?"
3. "Why am I investing in this cyber security tool?"
4. "How well are our crown jewel assets protected?"
5. "How do I know that we’ve actually lowered our risk exposure?"
6. "As my business changes through M&A, adding new business applications and new cyber risks, how can I get the quickest view of the impact on my overall business risk?"
Security & Business Skills
• The global shortage of technical skills in information security is by now well documented, but there is an equally concerning shortage of soft skills
• Need people who understand that they are here to help the business make money and enable the business to succeed -- that's the bottom line
• But it's very hard to find information security professionals who have that mindset
Source: www.informationweek.com/strategic-cio/enterprise-agility/the-security-skills-shortage-no-one-talks-about/a/d-id/1315690
Metrics
Trends in Board Involvement in Cyber Security
Source: PWC – The Global State of Information Security Survey 2016
Risk Management
• Are your security controls covering all sensitive data?
• Are your deployed security controls failing?
• Are you prioritizing business asset risk?
Source: storm.innosec.com
Cyber Budgeting
Source: storm.innosec.com
Asset      Regulatory Risk   Residual Risk   FTE Cost    Tool Cost   Total Cost
CRM        High              Medium          $ 20,000    $ 0         $ 20,000
HR         High              Medium          $ 100,000   $ 20,000    $ 120,000
Feed       High              Low             $ 1,000     $ 0         $ 1,000
Crossbow   Medium            Medium          $ 5,000     $ 5,000     $ 10,000
eTrader    Low               Low             $ 1,000     $ 0         $ 1,000
IT Alert   Low               Low             $ 1,000     $ 0         $ 1,000
SAP        Low               Low             $ 1,000     $ 0         $ 1,000
Total                                        $ 129,000   $ 25,000    $ 154,000
Asset Sensitivity, Risk and Quarterly Findings
Source: innosec.com
Data Breaches
Law Enforcement will Discover Your Breach – Not You
Source: Verizon 2016 Data Breach Investigations Report
Data Security Blind Spots
Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
How can I Find My Blind Spots?
[Chart over time: existing PII data, of which unprotected PII data found in an audit becomes protected PII data after the audit]
Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
Visibility Into Third Party Risk
Discover and thwart third party vulnerabilities and security gaps in real-time to better control the impact of breaches.
[Chart: number of vulnerabilities over time]
Source: SecurityScoreCard
Focus on Applications and Data
Incident Classification Patterns Across Confirmed Data Breaches
[Chart; web application attacks highlighted]
Source: Verizon 2016 Data Breach Investigations Report
Worry Only About the Major Breach Patterns
Source: Verizon 2016 Data Breach Investigations Report
Application Attacks
FFIEC: Applications and Data
FFIEC Cybersecurity Assessment
[Figure: mapping excerpt showing Risk, Resources, and Controls]
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
FFIEC Cybersecurity Assessment
[Figure: mapping excerpt showing Resources]
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
Security Skills Shortage
Cybercriminal Sweet Spot
Cybercrime Trends and Targets
Source: calnet
Problematic and Increasing Shortage of Cybersecurity Skills
• 46 percent of organizations say they have a “problematic shortage” of cybersecurity skills in 2016
• 28 percent of organizations claimed to have a “problematic shortage” of cybersecurity skills in 2015
• 18 percent year-over-year increase
Examples of Services That Can Fill The Gap
Application Services
• Application Hosting & Cloud Migration
• IT Consulting & Information Architecture
• Software Development & User Experience Design
Security Services
• Audit & Assessment Services
• Application Security Consulting
• Managed Vulnerability Scanning
• Security Tools Implementation
• Virtual CISO
SecDevOps
FFIEC Cybersecurity Assessment
[Figure: mapping excerpt showing Controls]
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
Automation and Security Metrics
Security Tools for DevOps
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Fuzz testing is essentially throwing lots of random garbage
• Vulnerability Analysis
• Runtime Application Self Protection (RASP)
• Interactive Application Self-Testing (IAST)
Security Metrics from DevOps
[Chart: number of vulnerabilities over time]
Generating Key Security Metrics
[Chart: number of vulnerabilities over time]
Data Centric Security Lifecycle & PCI DSS
[Timeline figure with the years 2004, 2014, 2015, and 2016 (PCI DSS 3.2)]
• PCI DSS – Protect stored cardholder data
• DCAP – Data Centric Audit and Protection: centrally managed security
• UEBA – User behavior analytics helps businesses detect targeted attacks
• PCI DSS 3.2 – Security in the development process
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
 
Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015
 
Cyber security series Application Security
Cyber security series   Application SecurityCyber security series   Application Security
Cyber security series Application Security
 
Comparative study of Cyber Security Assessment Tools
Comparative study of Cyber Security Assessment ToolsComparative study of Cyber Security Assessment Tools
Comparative study of Cyber Security Assessment Tools
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quantico
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
SOC for Cybersecurity Overview
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity Overview
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
 
ICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security Governance
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 

More from Ulf Mattsson

Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...
Ulf Mattsson
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Ulf Mattsson
 
Book
BookBook
May 6 evolving international privacy regulations and cross border data tran...
May 6   evolving international privacy regulations and cross border data tran...May 6   evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...
Ulf Mattsson
 
Qubit conference-new-york-2021
Qubit conference-new-york-2021Qubit conference-new-york-2021
Qubit conference-new-york-2021
Ulf Mattsson
 
Secure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesSecure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use cases
Ulf Mattsson
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...
Ulf Mattsson
 
Data encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeData encryption and tokenization for international unicode
Data encryption and tokenization for international unicode
Ulf Mattsson
 
The future of data security and blockchain
The future of data security and blockchainThe future of data security and blockchain
The future of data security and blockchain
Ulf Mattsson
 
New technologies for data protection
New technologies for data protectionNew technologies for data protection
New technologies for data protection
Ulf Mattsson
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulations
Ulf Mattsson
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Ulf Mattsson
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learning
Ulf Mattsson
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UK
Ulf Mattsson
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
Ulf Mattsson
 
What is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonWhat is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS London
Ulf Mattsson
 
Protecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAProtecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACA
Ulf Mattsson
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?
Ulf Mattsson
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics   ulf mattsson 2020 nov 2bNov 2 security for blockchain and analytics   ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Ulf Mattsson
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020
Ulf Mattsson
 

More from Ulf Mattsson (20)

Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...
 
Book
BookBook
Book
 
May 6 evolving international privacy regulations and cross border data tran...
May 6   evolving international privacy regulations and cross border data tran...May 6   evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...
 
Qubit conference-new-york-2021
Qubit conference-new-york-2021Qubit conference-new-york-2021
Qubit conference-new-york-2021
 
Secure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesSecure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use cases
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...
 
Data encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeData encryption and tokenization for international unicode
Data encryption and tokenization for international unicode
 
The future of data security and blockchain
The future of data security and blockchainThe future of data security and blockchain
The future of data security and blockchain
 
New technologies for data protection
New technologies for data protectionNew technologies for data protection
New technologies for data protection
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulations
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA Atlanta
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learning
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UK
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
 
What is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonWhat is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS London
 
Protecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAProtecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACA
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics   ulf mattsson 2020 nov 2bNov 2 security for blockchain and analytics   ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020
 

Recently uploaded

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
Pixlogix Infotech
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 

Recently uploaded (20)

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 

Securing fintech - threats, challenges, best practices, ffiec, nist, and beyond - ulf mattsson - jan 13

  • 10. FFIEC Cybersecurity Assessment Tool
    The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories:
    • Technologies and Connection Types
    • Delivery Channels
    • Online/Mobile Products and Technology Services
    • Organizational Characteristics
    • External Threats
    Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains:
    • Cyber Risk Management and Oversight
    • Threat Intelligence and Collaboration
    • Cybersecurity Controls
    • External Dependency Management
    • Cyber Incident Management and Resilience
    Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
  • 11. FFIEC Cybersecurity Assessment Tool – Part One: Inherent Risk Profile
    Part one of the Assessment identifies the institution’s inherent risk:
    • Technologies and Connection Types. Certain types of connections and technologies may pose a higher inherent risk depending on the complexity and maturity, connections, and nature of the specific technology products or services.
    • Delivery Channels. Various delivery channels for products and services may pose a higher inherent risk depending on the nature of the specific product or service offered.
    • Online/Mobile Products and Technology Services. Different products and technology services offered by institutions may pose a higher inherent risk depending on the nature of the specific product or service offered.
    • Organizational Characteristics. This category considers organizational characteristics, such as mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in information technology (IT) environment, locations of business presence, and locations of operations and data centers.
    • External Threats. The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure.
    Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
  • 12. FFIEC Cybersecurity Assessment Tool – Risk Levels
    The following includes definitions of risk levels:
    • Least Inherent Risk. An institution with a Least Inherent Risk Profile generally has very limited use of technology. It has few computers, applications, systems, and no connections. The variety of products and services are limited. The institution has a small geographic footprint and few employees.
    • Minimal Inherent Risk. An institution with a Minimal Inherent Risk Profile generally has limited complexity in terms of the technology it uses. It offers a limited variety of less risky products and services.
    • Moderate Inherent Risk. An institution with a Moderate Inherent Risk Profile generally uses technology that may be somewhat complex in terms of volume and sophistication.
    • Significant Inherent Risk. An institution with a Significant Inherent Risk Profile generally uses complex technology in terms of scope and sophistication.
    • Most Inherent Risk. An institution with a Most Inherent Risk Profile uses extremely complex technologies to deliver myriad products and services.
    Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
  • 13. FFIEC Cybersecurity Assessment Tool – Part Two: Cybersecurity Maturity
    Maturity level within each of the following five domains:
    • Domain 1: Cyber Risk Management and Oversight
    • Domain 2: Threat Intelligence and Collaboration
    • Domain 3: Cybersecurity Controls
    • Domain 4: External Dependency Management
    • Domain 5: Cyber Incident Management and Resilience
    Domains, Assessment Factors, Components, and Declarative Statements: within each domain are assessment factors and contributing components.
    Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
  • 14. FFIEC Cybersecurity Assessment Tool – Maturity Levels
    Each maturity level includes a set of declarative statements that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes.
    [Figure: definitions for each of the maturity levels]
    The Assessment starts at the Baseline maturity level and progresses to the highest maturity, the Innovative level.
    Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
  • 15. FFIEC Cybersecurity Assessment Tool – 5 Domains
    1. Domain 1: Cyber Risk Management and Oversight
    2. Domain 2: Threat Intelligence and Collaboration
    3. Domain 3: Cybersecurity Controls
    4. Domain 4: External Dependency Management
    5. Domain 5: Cyber Incident Management and Resilience
    Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
  • 17. Mapping FFIEC Cybersecurity Assessment Tool to NIST Cybersecurity Framework
    Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
  • 18. FFIEC Cybersecurity Assessment Tool – Interpreting and Analyzing Assessment Results
    Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
  • 20. FFIEC Cybersecurity Assessment Tool – Excel Template
    The linked FFIEC Cybersecurity Assessment Tool Excel Template was created to assist in the assessment process. It includes worksheets to complete the Inherent Risk Profile Assessment and Cybersecurity Maturity Assessment. The Assessment Summary worksheet calculates an Inherent Risk Score and reflects the percentage of Cybersecurity Maturity achieved against defined targets, based on the completed assessment worksheets.
    Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
  • 21. FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity Each of the Cybersecurity Domains is dashboarded to illustrate the percentage of maturity achieved against targets selected for each domain. Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
  • 22. FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity The calculated Cybersecurity Maturity is plotted on the dashboard against the Inherent Risk, highlighting alignment or lack thereof. Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele 22
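  The scoring logic that slides 20 to 22 describe (a domain's maturity level, the percentage of statements achieved against a target level, and the comparison of that maturity with the Inherent Risk Profile), as an added example that is not part of the deck, the FFIEC tool or Tony DiMichele's Excel template. The five domain names and the Baseline/Innovative endpoints come from the deck; the intermediate level names (Evolving, Intermediate, Advanced) and the five inherent risk ratings (Least to Most) are those used in the FFIEC tool. The declarative statements, the Yes/No answers, the activity ratings and the risk-to-minimum-maturity mapping are constructed sample data and assumptions for illustration only.

```python
from typing import Dict, List, Optional

# Maturity levels in the order the Assessment progresses, Baseline first
# (endpoints named on the slides; middle three are the FFIEC tool's names).
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Inherent Risk Profile ratings used by the FFIEC tool, least to most.
RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]

# ASSUMPTION (constructed for this example): the minimum maturity a domain
# should reach for each inherent risk level. The FFIEC's own relationship
# chart is a range, not a single cut-off.
MIN_MATURITY_FOR_RISK = dict(zip(RISK_LEVELS, LEVELS))

Statements = Dict[str, List[bool]]   # level -> Yes/No answers to its declarative statements


def domain_maturity(statements: Statements) -> Optional[str]:
    """Highest level at which every declarative statement at that level AND
    at all lower levels is answered Yes. None means Baseline is not yet met."""
    achieved = None
    for level in LEVELS:
        if not all(statements.get(level, [])):
            break
        achieved = level
    return achieved


def percent_to_target(statements: Statements, target: str) -> float:
    """Dashboard-style figure: share of statements answered Yes across
    Baseline up to and including the selected target level."""
    wanted = LEVELS[: LEVELS.index(target) + 1]
    answers = [a for lvl in wanted for a in statements.get(lvl, [])]
    return round(100.0 * sum(answers) / len(answers), 1) if answers else 0.0


def inherent_risk_profile(activity_ratings: List[str]) -> str:
    """Simplified overall profile: the rating that accounts for the most
    activities, products and services; ties go to the higher risk rating."""
    return max(RISK_LEVELS,
               key=lambda r: (activity_ratings.count(r), RISK_LEVELS.index(r)))


def alignment(risk: str, maturity: Optional[str]) -> str:
    """'aligned' when the domain's maturity meets the assumed minimum for
    the institution's inherent risk level, otherwise 'gap'."""
    if maturity is None:
        return "gap"
    needed = LEVELS.index(MIN_MATURITY_FOR_RISK[risk])
    return "aligned" if LEVELS.index(maturity) >= needed else "gap"


# Constructed sample assessment: three statements per level for three of the
# five domains (not a real institution's answers).
SAMPLE: Dict[str, Statements] = {
    "Domain 1: Cyber Risk Management and Oversight": {
        "Baseline": [True, True, True], "Evolving": [True, True, True],
        "Intermediate": [True, True, True], "Advanced": [True, False, True],
        "Innovative": [False, False, False]},
    "Domain 3: Cybersecurity Controls": {
        "Baseline": [True, True, False], "Evolving": [True, False, False],
        "Intermediate": [False, False, False], "Advanced": [False, False, False],
        "Innovative": [False, False, False]},
    "Domain 5: Cyber Incident Management and Resilience": {
        "Baseline": [True, True, True], "Evolving": [True, True, False],
        "Intermediate": [False, False, False], "Advanced": [False, False, False],
        "Innovative": [False, False, False]},
}
# Constructed inherent-risk ratings for six activities/products/services.
SAMPLE_RISK = ["Moderate", "Moderate", "Significant", "Minimal", "Moderate", "Significant"]


def assessment_summary(domains: Dict[str, Statements] = SAMPLE,
                       ratings: List[str] = SAMPLE_RISK,
                       target: str = "Intermediate"):
    """One row per domain, like the Assessment Summary worksheet."""
    risk = inherent_risk_profile(ratings)
    rows = {}
    for name, stmts in domains.items():
        lvl = domain_maturity(stmts)
        rows[name] = {"maturity": lvl,
                      "percent_to_target": percent_to_target(stmts, target),
                      "alignment": alignment(risk, lvl)}
    return risk, rows


if __name__ == "__main__":
    risk, rows = assessment_summary()
    print("Inherent Risk Profile:", risk)
    for name, row in rows.items():
        print(f"{name}: {row}")
```

  Note that a domain whose Baseline statements are not all answered Yes has no maturity level at all, even if it has a respectable percentage figure; the percentage is useful for tracking progress, but the level is what the alignment check should use.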
  • 23. FFIEC Cybersecurity Assessment Tool
    FFIEC released this as a free spreadsheet "tool":
    • Spreadsheets are notoriously hard to maintain control of, and the information contained within this tool is clearly sensitive in nature. Like many other checklist assessment frameworks, the FFIEC CAT is relatively binary in how it forces the user to characterize the condition of the elements it evaluates.
    • In some tools, users rate each element of the framework as "Weak", "Partial", or "Strong", enabling them to identify elements that have room for improvement and providing actionable insight. Making a meaningful comparison between "inherent risk" and control conditions is tricky, though, and the FFIEC CAT describes a rudimentary matrix-like approach for doing so.
    • Some tools combine these measurements graphically, which makes the comparison easier to digest.
    Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool
  • 24. FFIEC Cybersecurity Assessment Tool – FAIR International Standard
    Factor Analysis of Information Risk (FAIR)
    Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool
  • 25. FFIEC Cybersecurity Assessment Tool – Tool by FS-ISAC & FSSCC
    FSSCC Automated Cybersecurity Assessment Tool: FS-ISAC collaborated with members of the Financial Services Sector Coordinating Council (FSSCC) on an "automated" tool:
    • No attempts were made to interpret or change any of the FFIEC's stated expectations; and
    • Some FFIEC agencies are using the results of the Cybersecurity Assessment Tool as part of the examination and supervisory process.
    Source: https://www.fsisac.com/article/fsscc-automated-cybersecurity-assessment-tool
  • 27. The Board's Perception of Cybersecurity Risks
    • How would you characterize the board's perception of cybersecurity risks over the last one to two years?
    (Chart response categories: Increased / Increased significantly / High / No change)
    Source: PWC – The Global State of Information Security Survey 2016
  • 28. Cybersecurity is now a Persistent Business Risk
    • The cybersecurity software, solutions, and services market is likely to remain a growth sector because executives and Boards recognize that cyber threats will never be completely eliminated, and regulatory and compliance requirements will likely become more stringent.
    • The cybersecurity services market is expanding in the wake of increased incidents and heightened regulations: corporations and government agencies are scrambling to safeguard their data and networks, a push that is catalyzing growth in the market for cybersecurity solutions and technologies.
    Source: PWC – The Global State of Information Security Survey 2016
  • 29. Trends in Board Involvement in Cyber Security
    Source: PWC – The Global State of Information Security Survey 2016
  • 30. Questions the Board Will Ask
    Source: PWC – The Global State of Information Security Survey 2016
  • 31. Questions from CEOs, CFOs, Business Risk Owners & CISOs
    1. "How much cyber risk do we have in dollars and cents?"
    2. "How much cyber insurance do we need?"
    3. "Why am I investing in this cyber security tool?"
    4. "How well are our crown jewel assets protected?"
    5. "How do I know that we've actually lowered our risk exposure?"
    6. "As my business changes through M&A, adding new business applications and new cyber risks, how can I get the quickest view of the impact on my overall business risk?"
  • 32. Security & Business Skills
    • The global shortage of technical skills in information security is by now well documented, but there is an equally concerning shortage of soft skills.
    • We need people who understand that they are here to help the business make money and enable the business to succeed; that's the bottom line.
    • But it's very hard to find information security professionals who have that mindset.
    Source: www.informationweek.com/strategic-cio/enterprise-agility/the-security-skills-shortage-no-one-talks-about/a/d-id/1315690
  • 34. Trends in Board Involvement in Cyber Security
    Source: PWC – The Global State of Information Security Survey 2016
  • 35. Risk Management
    Are your security controls covering all sensitive data?
    Are your deployed security controls failing?
    Are you prioritizing business asset risk?
    Source: storm.innosec.com
  • 36. Cyber Budgeting
    Asset     | Regulatory Risk | Residual Risk | FTE Cost  | Tool Cost | Total Cost
    CRM       | High            | Medium        | $ 20,000  | 0         | $ 20,000
    HR        | High            | Medium        | $ 100,000 | 20,000    | $ 120,000
    Feed      | High            | Low           | $ 1,000   | 0         | $ 1,000
    Crossbow  | Medium          | Medium        | $ 5,000   | 50,00     | $ 10,000
    eTrader   | Low             | Low           | $ 1,000   | 0         | $ 1,000
    IT Alert  | Low             | Low           | $ 1,000   | 0         | $ 1,000
    SAP       | Low             | Low           | $ 1,000   | 0         | $ 1,000
    Total     |                 |               | $ 129,000 | $ 25,000  | $ 154,000
    Source: storm.innosec.com
  • 37. Asset Sensitivity, Risk and Quarterly Findings
    Source: innosec.com
  • 39. Law Enforcement will Discover Your Breach – Not You
    Source: Verizon 2016 Data Breach Investigations Report
  • 41. Not Knowing Where Sensitive Data Is
    Source: The State of Data Security Intelligence, Ponemon Institute, 2015
  • 42. How can I Find My Blind Spots?
    (Chart over time: Existing PII Data, Protected PII Data, Unprotected PII Data, Data Found in Audit; audit points marked on the time axis)
  • 43. Not Knowing Where Sensitive Data Is
    Source: The State of Data Security Intelligence, Ponemon Institute, 2015
  • 44. Visibility Into Third Party Risk
    Discover and thwart third party vulnerabilities and security gaps in real time to better control the impact of breaches.
    (Chart: # Vulnerabilities vs. Time)
    Source: SecurityScoreCard
  • 46. Incident Classification Patterns Across Confirmed Data Breaches
    (Chart highlight: Web Application Attacks)
    Source: Verizon 2016 Data Breach Investigations Report
  • 47. Worry Only About the Major Breach Patterns
    (Chart highlight: Application Attacks)
    Source: Verizon 2016 Data Breach Investigations Report
  • 53. Problematic and Increasing Shortage of Cybersecurity Skills
    • 46 percent of organizations say they have a "problematic shortage" of cybersecurity skills in 2016
    • 28 percent of organizations claimed to have a "problematic shortage" of cybersecurity skills in 2015
    • 18 percent year-over-year increase
  • 54. Examples of Services That Can Fill The Gap
    Application Services
    • Application Hosting & Cloud Migration
    • IT Consulting & Information Architecture
    • Software Development & User Experience Design
    Security Services
    • Audit & Assessment Services
    • Application Security Consulting
    • Managed Vulnerability Scanning
    • Security Tools Implementation
    • Virtual CISO
    • SecDevOps
  • 55. FFIEC Cybersecurity Assessment Tool – 5 Domains:
    1. Domain 1: Cyber Risk Management and Oversight
    2. Domain 2: Threat Intelligence and Collaboration
    3. Domain 3: Cybersecurity Controls
    4. Domain 4: External Dependency Management
    5. Domain 5: Cyber Incident Management and Resilience
    Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
  • 58. Security Tools for DevOps
    • Static Application Security Testing (SAST)
    • Dynamic Application Security Testing (DAST)
    • Fuzz testing: essentially throwing lots of random garbage at the application
    • Vulnerability Analysis
    • Runtime Application Self Protection (RASP)
    • Interactive Application Self-Testing (IAST)
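  What "throwing lots of random garbage" means in practice, as an added example that is not from the deck or any of the tools it names: a minimal seeded fuzz harness run against two constructed versions of a payment-amount parser, a naive one that raises on malformed input and a hardened one that validates the shape first. The parsers, the alphabet of garbage characters and the iteration count are all assumptions made for the illustration.

```python
import random
import re
from typing import Callable, List, Optional


def naive_parse_amount(text: str) -> int:
    """Constructed 'before' version: assumes well-formed 'dollars.cents' and
    raises (ValueError) on anything else. Returns the amount in cents."""
    dollars, cents = text.split(".")          # wrong number of parts -> ValueError
    return int(dollars) * 100 + int(cents)    # non-digits -> ValueError


def hardened_parse_amount(text: str) -> Optional[int]:
    """Hardened version: checks the exact shape before touching the value and
    returns None for anything that does not match, instead of raising."""
    if not re.fullmatch(r"\d{1,9}\.\d{2}", text):
        return None
    dollars, cents = text.split(".")
    return int(dollars) * 100 + int(cents)


def random_garbage(rng: random.Random, max_len: int = 8) -> str:
    """Random string from an alphabet chosen to stress a numeric parser
    (digits, separators, signs, exponent letters, whitespace, a NUL byte)."""
    alphabet = "0123456789.-+eE $,\x00"
    return "".join(rng.choice(alphabet) for _ in range(rng.randint(0, max_len)))


def fuzz(target: Callable[[str], object], iterations: int = 2000,
         seed: int = 1) -> List[str]:
    """Feed `iterations` random inputs to `target`; return every input that
    made it raise. A fixed seed keeps the run reproducible in a pipeline."""
    rng = random.Random(seed)
    crashes: List[str] = []
    for _ in range(iterations):
        sample = random_garbage(rng)
        try:
            target(sample)
        except Exception:
            crashes.append(sample)
    return crashes


if __name__ == "__main__":
    for parser in (naive_parse_amount, hardened_parse_amount):
        found = fuzz(parser)
        print(f"{parser.__name__}: {len(found)} crashing inputs, e.g. {found[:3]!r}")
```

  In a pipeline the crash list is the artefact to keep: each entry is a regression test case for the parser, and a non-empty list from a parser that is supposed to be hardened is a build failure, not a warning.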
  • 59. Security Metrics from DevOps
    (Chart: # Vulnerabilities vs. Time)
  • 60. Generating Key Security Metrics
    (Chart: # Vulnerabilities vs. Time)
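  The "# Vulnerabilities over Time" metric behind slides 59 and 60, as an added example that is not part of the deck: a few weekly scan results (constructed, reduced to finding id and severity) are turned into the trend-line points, a mean time to remediate per severity, and a list of open findings that have outlived a per-severity remediation target. The finding ids, dates, severities and the SLA ages are all constructed for the illustration.

```python
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Constructed sample: one entry per weekly pipeline scan, holding the
# findings still reported by the scanner (id -> severity). Not real output.
SCANS: List[Tuple[date, Dict[str, str]]] = [
    (date(2016, 9, 5),  {"SQLI-001": "high", "XSS-002": "medium", "DEP-003": "low"}),
    (date(2016, 9, 12), {"SQLI-001": "high", "XSS-002": "medium", "DEP-003": "low",
                         "XSS-004": "high"}),
    (date(2016, 9, 19), {"XSS-002": "medium", "XSS-004": "high"}),
    (date(2016, 9, 26), {"XSS-004": "high", "CSRF-005": "high"}),
]

# ASSUMPTION: maximum days a finding may stay open, by severity.
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}


def open_vulnerabilities_over_time(scans=SCANS) -> List[Tuple[date, int]]:
    """Points for the '# Vulnerabilities vs. Time' chart: open findings per scan."""
    return [(day, len(findings)) for day, findings in scans]


def finding_lifetimes(scans=SCANS) -> Dict[str, Tuple[date, Optional[date], str]]:
    """For each finding: first scan it appeared in, first later scan it was
    absent from (None if still open), and its severity. A finding that
    disappears and later reappears keeps its first closure date here; a real
    metric would flag that as a regression."""
    first: Dict[str, date] = {}
    closed: Dict[str, date] = {}
    severity: Dict[str, str] = {}
    for day, findings in scans:
        for fid, sev in findings.items():
            first.setdefault(fid, day)
            severity[fid] = sev
        for fid in first:
            if fid not in findings and fid not in closed:
                closed[fid] = day
    return {fid: (first[fid], closed.get(fid), severity[fid]) for fid in first}


def mean_time_to_remediate(scans=SCANS) -> Dict[str, float]:
    """Average days from first detection to closure, per severity, over the
    findings that have actually been closed."""
    by_sev: Dict[str, List[int]] = {}
    for seen, done, sev in finding_lifetimes(scans).values():
        if done is not None:
            by_sev.setdefault(sev, []).append((done - seen).days)
    return {sev: mean(days) for sev, days in by_sev.items()}


def sla_breaches(scans=SCANS, today: date = date(2016, 9, 26),
                 sla=SLA_DAYS) -> List[str]:
    """Open findings older than their severity's remediation target."""
    return sorted(fid for fid, (seen, done, sev) in finding_lifetimes(scans).items()
                  if done is None and (today - seen).days > sla[sev])


if __name__ == "__main__":
    print("open per scan:", open_vulnerabilities_over_time())
    print("MTTR (days):", mean_time_to_remediate())
    print("SLA breaches:", sla_breaches())
```

  The raw count per scan is what the chart plots, but on its own it hides whether the same high-severity finding is being carried from week to week; the MTTR and SLA-breach views answer that, which is why a DevOps security dashboard should report all three from the same scan history.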
  • 61. Data Centric Security Lifecycle & PCI DSS
    • PCI DSS: Protect stored cardholder data
    • DCAP (Data Centric Audit and Protection): centrally managed security
    • UEBA (User behavior analytics): helps businesses detect targeted attacks
    • PCI DSS 3.2: security in the development process
    Timeline: 2004 | 2014 | 2015 | 2016 (PCI DSS 3.2)