JP Morgan Chase Trusted Registry - Review

Transcription

1 ISE Northeast Executive Forum and Awards 2012 JP Morgan Chase Trusted Registry Jim Routh Global Head, Application, Internet & Mobile Security 1

2 Company Overview JPMorgan Chase (NYSE: JPM) is one of the oldest financial institutions in the United States. With a history dating back over 200 years, here's where we stand today: We are a leading global financial services firm with assets of $2.3 trillion. We operate in more than 60 countries. We have more than 240,000 employees. We serve millions of consumers, small businesses and many of the world's most prominent corporate, institutional and government clients. We are a leader in investment banking, financial services for consumers, small business and commercial banking, financial transaction processing, asset management and private equity. Our stock is a component of the Dow Jones Industrial Average. 2

3 Presentation/Project Overview Business Case for the Trusted Registry Implementation Approach Lessons Learned Results 3

4 JPMorgan Chase sends 4 billion s per year to its customers 600,000,000 s are sent annually to JPMC customers that are FRAUDULENT and not from JPMC domains 15% of s going to JPMC customers are fraudulent and potentially malicious resulting in: Customer fraud Brand erosion Dilution of legitimate effectiveness and the corresponding loss in sales/service opportunities One of over 100 Million JPMC Exact-Domain Match Phish Messages Delivered per Year at Google and Yahoo alone! Each Message Purports to be From a JPMC Domain Many are phishing s 4

5 > $3M cost per attack to brand-owner > 2000 brands phished per year 57,000 phish websites per week 700% Increase In Phishing Attacks In 4 Years 5

6 Consumers are Losing Confidence 6

7 ESPs 3 rd Party Senders The Ecosystem MTA Providers Campaign Mangmt. Mail Campaigns ISPs List Acquisition Data Intelligence Authentication Controls Open Source Cloud Service Providers Threat Protection Internet 7

8 Implementation 1. Implement Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) JPMC Registered Domains Chase.com Jpmchase.com ESPs 3 rd Party Domains Epsilon.com sender.com 2. Enable Intelligence Implement authentication monitoring Identify 3 rd party mailers Integrate Malicious URL Takedown Implement domain monitoring & alerting 3. Apply Controls to 3 rd Party Management Practices Document 3 rd Party Requirements Implement through TPO Obtain Listing of Delegated sub-domains from DNS Deliver authentication FAQs Enforce DMARC for 3 rd parties 4. Communicate to Internal Marketing teams 5. Enforce Policies with ISPs Notify ISPs on which domains to block mail from Enforce policies for exact domains and defensive domains through domain management 8

9 Industry Standard 9

10 Implementation Status May 2011 August 2012 Messages Purporting to be one of JPMCs Gmail, Yahoo!, AT&T, British Telecom and Rogers Communications Legitimate Messages Malicious Attempted Nominee Showcase Presentation Malicious URLS Submitted for Takedown Billion 194 Million 1.25 Million Policies Applied to Malicious Attempted (April 2011 Aug 2012) Policies Applied to Malicious Threats (Aug 2012) 18,000,000 16,000,000 14,000,000 12,000,000 10,000,000 8,000,000 6,000,000 4,000,000 2,000,000 0 No Visibility Monitor Quarantine Reject % Change Compared to July % -55.4% Reject Policy Rejected 7,524,715 Unaddressed Unaddressed 3,049, Identification of fraudulent 2. Implementation of DMARC standard 3. Policy enforcement with ISPs Copyright 2012, Agari Data, Inc. All rights reserved. Confidential and Proprietary. 10

11 Lessons Learned/Best Practices Implementation requires a cross-functional program Means changes in vendor management practices This can provide a compelling story for customers 1 General Awareness - Inside 2 Awareness Material - Customer 3 Implementation Strategy 4 Technical Deployment Details 5 Security Metrics / Reports 6 Operational Documentation 7 Data Taxonomy 8 Training 9 Asset Inventory Marketing/Brand Mgmt Customer Service High Need Moderate Need Low or No Need Operations Infrastructure IT Risk & Compliance Vendor Management Fraud / Investigations Security Operations 11