CTO Corner, April 2014
Improving Cyber Security Risk Management through Collaboration
Dan Schutzer, Senior Technology Consultant, BITS
CTO Corner: Copyright 2014 BITS/The Financial Services Roundtable, All Rights Reserved

Back in March 2013, I wrote a CTO Corner on Operational and Cyber Risk Management.[1] This article discusses what has changed and identifies three areas of increasing importance for better managing risk and for anticipating and countering the threat:

- Collaboration across our industry and its partners;
- Availability of cyber-insurance options; and
- Innovations in cyber risk data, metrics and analytics.

Since last year, several events have heightened C-suite focus and attention on cybersecurity matters. These include several waves of sophisticated distributed denial of service (DDoS) attacks in 2012-13; widely publicized breaches at respected retailers that have also led to congressional hearings;[2] and the escalating threat of disruption to our nation's critical infrastructure, including financial services.

The recent cyber events have highlighted the folly of examining risks one organization at a time while ignoring the interconnections. Cyber risks are not self-contained within individual organizations or industries, and cyber risk management is not simply the aggregation of the local technology and procedures of each organization. Organizations are exposed to outside risks through increasingly complex, tightly linked and interconnected networks and systems shared with counterparties, partners, suppliers, vendors and outsourcers. Poorly understood disruptive technologies applied to infrastructure that societies rely on further complicate matters.
The financial services sector has stepped up its game with respect to sharing and collaborating on cyber risk. Efforts include the FS-ISAC Threat Intelligence Automation project[3] to improve the sharing and processing of incidents and cyber intelligence; The Clearinghouse Secure Token Exchange to mask and secure payments data;[4] and the Merchant and Financial Associations Cybersecurity Partnership,[5] which focuses on increased information sharing, better card security technology, and maintaining the trust of customers. These efforts represent an important step and should go a long way toward improving the cyber security risk management posture of our industry and its partners. This enhanced information sharing should also produce the cyber security event data needed to compare and justify cyber security risk reduction investments against other competing investments. Further gains are possible if this collaboration and sharing is incorporated into appropriate contingency plans that provide alternative means of delivering essential services, disseminate the latest news and advice on cyber events, and reassure citizens, thereby dampening the potential for social discontent and unrest.

Sharing and employing up-to-date, known cyber security techniques can go a long way toward protecting a firm against cyber-attack. For example, the National Security Agency (NSA) and Australia's Defense Signals Directorate (DSD) found that whitelisting (allowing only authorized software to run on a computer or network), very rapid patching (of both operating systems and applications), and minimizing the number of people who hold administrator privileges together eliminate most of the risk of being breached.[6]

The cyber insurance market has grown to an estimated $1.3 billion per year in the U.S.
[7][8] Recent studies indicate that 31 percent of companies have purchased some type of cyber insurance, including insurance that covers disruptions, data breaches, and cyber extortion. Approximately 25 insurers now offer this type of insurance for both first-party and third-party losses, making cyber insurance a viable option for mitigating risk.[9] Insurers include Travelers;[10] Beecher Carlson Insurance Services, LLC, a wholly owned subsidiary of Brown and Brown;[11] and Allianz in partnership with Thales.[12]

Cyber insurance spreads the cost of cyber incidents among many participants. It provides incentives in the form of premium discounts for a firm that complies with various standards (such as
SSAE 16[13]) and requirements (such as FFIEC guidance), passes various certifications and audits, employs preventative strategies (such as conducting penetration tests and participating in exercises), and establishes a proven track record with respect to cyber incidents. Over time, the research and statistics collected and analysed in order to price cyber insurance properly may also establish objective scores and benchmarks for a firm's success in avoiding, detecting and responding to cyber threats in a way that minimizes its losses. Cyber insurance is only one component of a balanced cyber risk mitigation strategy: it covers only direct costs, offers little relief against damage to a company's brand, and does not remove liability from a firm that has become the victim of a cyber-attack.

Advances in processing power, big data management, and cyber security risk analytics are contributing to improved cyber security risk management in a number of ways, including by enabling:

- More timely and cost-effective aggregation of data, permitting the discovery of logical dependencies and plural interpretations.
- Continuous diagnostics, mitigation and predictive analysis.

These powerful analytic processing systems, which combine machine learning with modelling and simulation of many variants of attacks, when coupled with these advances in data collection and aggregation, have the potential to provide greater insight into the evolution of threats, leading to better prediction and anticipation of new attacks and more effective defensive strategies against them.
The work of the FS-ISAC's Security Automation Working Group (SAWG)[14] in standardizing and automating collection and reporting based on the DHS-sponsored, open-community suite of languages and protocols, which includes Structured Threat Information eXpression (STIX), Trusted Automated eXchange of Indicator Information (TAXII) and Cyber Observable eXpression (CybOX),[15] helps make these advanced analytics possible. The combination of continuous monitoring and predictive analysis, together with relatively straightforward mitigation strategies, reduces the opportunities for attack and forces attackers either to develop more sophisticated (and expensive) techniques or to give up on the target. It requires the attacker to conduct careful, time-consuming research of intended targets, to conceal both the attack method and the perpetrators, and to constantly develop new attack vectors as current ones are reverse-engineered and thwarted. As the financial community
develops analytics specifically tailored to analysing threats targeted at the financial services sector's specific products, services and supply chain vulnerabilities, the work of the attackers will get even more difficult and the financial sector's cyber risk management strategies and tactics will become more effective.

Research into and adoption of tools such as decision tree analysis[16] and Bayesian inference[17] combined with evidential reasoning[18] have the potential to produce future cyber security remediation and risk reduction strategies and decision-making that go beyond the simplistic risk analysis of prioritizing by estimated likelihood of occurrence and magnitude of loss, by allowing prior knowledge (and intelligence) of the threat to be incorporated and by improving decision-making under uncertainty. Another research avenue worth exploring is the application of game theory analyses[19] to cyber-security risk management, aimed at helping to evolve sophisticated counter-threat strategies by better understanding not only how a threat is conducted but also the underlying motivations of the threat, and how to influence them.

In conclusion, progress in sharing and collaborating both within the financial sector and with financial sector partners, the emergence of more robust cyber security insurance coverage, and the application of big data and advanced risk analytics to the measurement and development of cyber security risk management strategy and tactics all have the potential to improve cyber risk management. Both industry and policy makers should encourage, nurture, and accelerate their deployment and implementation.

1. http://www.bits.org/publications/cto/ctocornermar2013.pdf
2. Becca Lipman, "Cyber Risk Is World's Third Corporate-Risk Priority," March 7, 2014, http://www.wallstreetandtech.com/data-security/cyber-risk-is-worlds-third-corporate-ris/240166486: U.S.
financial services companies lost on average $23.6 million from cybersecurity breaches in 2013, which represents the highest average loss across all industries and is 43.9 percent higher than in 2012.
3. https://www.fsisac.com/sites/default/files/news/fsisac_pr_sawg_feb19-2014v1ah%20-%20dhe-all-EDITS-FINAL2%20EG.pdf
4. http://digitaltransactions.net/news/story/4154
5. http://www.nrf.com/modules.php?name=news&op=viewlive&sp_id=1771
6. http://www.usatoday.com/story/tech/2013/03/25/cybersecurity-simple-steps/2016243/
7. http://nakedsecurity.sophos.com/2013/08/09/will-insurance-firms-be-the-big-winners-in-the-struggle-for-cybersecurity/
8. http://betterley.com/samples/cpims13_nt.pdf
9. http://nakedsecurity.sophos.com/2013/08/09/will-insurance-firms-be-the-big-winners-in-the-struggle-for-cybersecurity/
10. "Travelers knows cyber and offers flexible insurance options to meet your needs," https://www.travelers.com/businessinsurance/cyber-security/liability-protection.aspx
11. http://www.beechercarlson.com/company-news/beecher-carlson-introduces-cyberselect-new-cyber-liability-and-dataresponse-coverage, March 5, 2014
12. "Allianz teams up with Thales to offer Allianz Cyber Data Protect insurance," http://commerciallines.insurancebusiness-review.com/news/allianz-teams-up-with-thales-to-offer-allianz-cyber-data-protect-insurance-160114-4160496, January 16, 2014
13. http://ssae16.com/ssae16_overview.html
14. https://www.fsisac.com/cyberintelligencerepository
15. http://www.us-cert.gov/information-sharing-specifications-cybersecurity
16. http://vserver1.cscs.lsa.umich.edu/~spage/onlinecourse/r4decision.pdf
17. http://research.microsoft.com/enus/um/redmond/groups/adapt/msbnx/msbnx/basics_of_bayesian_inference.htm
18. http://eycarat.faculty.ku.edu//myssi/_pdf/4-an-introduction-to-evidential-reasoning-ijai.pdf
19. A player's strategy, in game theory, refers to one of the options he or she can choose in a setting where the outcome depends not only on his or her own actions but on the actions of others. A player's strategy determines the action the player will take at any stage of the game. http://en.wikipedia.org/wiki/strategy_(game_theory)
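The decision-analysis passage above contrasts ranking risks by estimated likelihood times magnitude of loss with Bayesian incorporation of shared threat intelligence, and the collaboration section argues that shared event data should help justify risk reduction investments. The following is an added illustration of both points, not code from the article or from BITS; the scenarios, loss figures, indicator accuracy rates and control cost are constructed assumptions, not data from the page.

```python
"""Constructed illustration (not the article's code): rank cyber risks by
expected loss, re-rank after a Bayesian update with a shared threat indicator,
then re-check whether a risk-reduction investment is justified."""
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    prior: float  # P(event this year) before any threat intelligence (assumed)
    loss: float   # magnitude of loss if it occurs, USD (assumed)

def posterior(prior, sensitivity, false_positive_rate, indicator_seen):
    """Bayes' rule for P(attack | indicator evidence), where sensitivity is
    P(indicator | attack) and false_positive_rate is P(indicator | no attack)."""
    if indicator_seen:
        hit, miss = sensitivity * prior, false_positive_rate * (1 - prior)
    else:
        hit, miss = (1 - sensitivity) * prior, (1 - false_positive_rate) * (1 - prior)
    return hit / (hit + miss)

def likelihoods(scenarios, intel=None):
    """Per-scenario probability after applying shared intelligence, if any.
    intel maps scenario name -> (sensitivity, false_positive_rate, seen)."""
    intel = intel or {}
    return {s.name: posterior(s.prior, *intel[s.name]) if s.name in intel else s.prior
            for s in scenarios}

def expected_losses(scenarios, intel=None):
    """The article's simple risk score: likelihood x magnitude, per scenario."""
    p = likelihoods(scenarios, intel)
    return {s.name: p[s.name] * s.loss for s in scenarios}

def rank(scenarios, intel=None):
    """Scenario names ordered by expected loss, highest first."""
    el = expected_losses(scenarios, intel)
    return sorted(el, key=el.get, reverse=True)

def control_justified(scenario, likelihood, risk_reduction, control_cost):
    """Decision under uncertainty: does expected loss avoided exceed the cost?"""
    return likelihood * scenario.loss * risk_reduction > control_cost

# Constructed scenarios and indicator parameters, not figures from the article.
SCENARIOS = [Scenario("ddos", 0.30, 2_000_000),
             Scenario("card_data_breach", 0.05, 20_000_000),
             Scenario("cyber_extortion", 0.10, 5_000_000)]
# Shared feed (constructed): a breach-campaign indicator was seen on our network;
# a DDoS precursor indicator with 80% sensitivity was not seen.
INTEL = {"card_data_breach": (0.90, 0.02, True), "ddos": (0.80, 0.10, False)}
```

Calling rank(SCENARIOS) and rank(SCENARIOS, INTEL) shows the ordering change once the shared indicators are folded in, and control_justified shows a $1M control that cuts breach likelihood by 80 percent failing the cost test on the prior but passing it on the posterior.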