Improving Cyber Security Risk Management through Collaboration


CTO Corner, April 2014
Improving Cyber Security Risk Management through Collaboration
Dan Schutzer, Senior Technology Consultant, BITS
CTO Corner: Copyright 2014 BITS/The Financial Services Roundtable, All Rights Reserved

Back in March 2013, I wrote a CTO Corner on Operational and Cyber Risk Management. [1] This article discusses what has changed and identifies the following three areas of increasing importance to better managing risk, and to anticipating and countering the threat:

- collaboration across our industry and its partners;
- availability of cyber-insurance options; and
- innovations in cyber risk data, metrics and analytics.

Since last year, several events have occurred that have heightened C-suite focus and attention on cybersecurity matters. These events have included several waves of sophisticated distributed denial of service (DDoS) attacks in 2012-13; widely publicized breaches at respected retailers that have also led to congressional hearings [2]; and the escalating threat of disruption to our nation's critical infrastructure, including financial services.

The recent cyber events have highlighted the folly of examining risks one organization at a time while ignoring the interconnections. Cyber risks are not self-contained within individual organizations or industries, and cyber risk management is not simply the aggregation of local technology and procedures in each organization. Organizations are exposed to outside risks through increasingly complex, tightly linked and interconnected networks and systems with counterparties, partners, suppliers, vendors and outsourcers. Poorly understood disruptive technologies applied to infrastructure relied on by societies further complicate matters.

The financial services sector has stepped up its game with respect to sharing and collaborating on cyber risk. Efforts include the FS-ISAC Threat Intelligence Automation project [3] to improve sharing and processing of incidents and cyber intelligence; The Clearinghouse Secure Token Exchange to mask and secure payments data [4]; and the Merchant and Financial Associations Cybersecurity Partnership [5], focusing on increased information sharing, better card security technology, and maintaining the trust of customers. These efforts represent an important step and should go a long way in improving the cyber security risk management posture of our industry and its partners. This enhanced information sharing should also produce the cyber security event data needed to better compare and justify cyber security risk reduction investments against other competing investments. Additional improvements can be made if this collaboration and sharing can be incorporated into appropriate contingency plans that, in addition to disseminating the latest news and advice on cyber events, provide alternative means of delivering essential services and reassure citizens, dampening the potential for social discontent and unrest.

The application of sharing and employing up-to-date known cyber security techniques can go a long way in protecting a firm against cyber-attack. For example, the National Security Agency (NSA) and Australia's Defense Signals Directorate (DSD) found that whitelisting (which allows only authorized software to run on a computer or network), very rapid patching (of both operating systems and programs), and minimizing the number of people who have administrator privileges eliminate most of the risk of being breached. [6]

The cyber insurance market has grown to an estimated $1.3 billion per year in the U.S. [7][8], with recent studies indicating that 31 percent of companies have purchased some type of cyber insurance, including insurance that covers disruptions, data breaches, and cyber extortion. Approximately 25 insurers now offer this type of insurance for both first-party and third-party losses, making cyber insurance a viable option for mitigating risk. [9] Insurers include Travelers, [10] Beecher Carlson Insurance Services, LLC, a wholly owned subsidiary of Brown and Brown, [11] and Allianz in partnership with Thales. [12] Cyber insurance can spread the cost of cyber incidents amongst many participants. It provides incentives in the form of premium discounts for a firm that complies with various standards (such as SSAE 16 [13]) and requirements (such as FFIEC guidance), passes various certifications and audits, employs preventative strategies (such as conducting penetration tests and participating in exercises), and establishes a proven track record with respect to cyber incidents. Research and statistics collected and analysed in the course of properly pricing cyber insurance may also, over time, establish objective scores and benchmarks associated with a firm's success in avoiding, detecting and responding to cyber threats in a way that minimizes its losses. Cyber insurance is only one component of a balanced cyber risk mitigation strategy: it covers only direct costs, offers little relief against damage to a company's brand, and does not remove liability from a firm that has become a victim of a cyber-attack.

Advances in processing power, big data management, and cyber security risk analytics are contributing to improved cyber security risk management in a number of ways, including enabling:

- more timely and cost-effective aggregation of data, permitting the discovery of logical dependencies and plural interpretations; and
- continuous diagnostics, mitigation and predictive analysis.

These powerful analytic processing systems, combining machine learning, modelling and simulation of many variants of attacks, when coupled with these advances in data collection and aggregation, have the potential to provide greater insight into the evolution of threats, leading to better prediction and anticipation of new attacks and to more effective defensive strategies against them. The work of the FS-ISAC's Security Automation Working Group (SAWG) [14] in standardizing and automating collection and reporting based on the DHS-sponsored, open-community suite of languages and protocols, which includes Structured Threat Information eXpression (STIX), Trusted Automated eXchange of Indicator Information (TAXII) and Cyber Observable eXpression (CybOX), [15] helps make these advanced analytics possible.

The combination of continuous monitoring and predictive analysis, when combined with relatively straightforward mitigation strategies, reduces the opportunities for attack and forces attackers to develop more sophisticated (and expensive) techniques, or to give up on the target. This includes requiring the attacker to conduct careful, time-consuming research of intended targets, to employ methods of concealment of both the attack method and the perpetrators, and to constantly develop new attack vectors as current ones are reverse-engineered and thwarted. As the financial community develops analytics specifically tailored to analysing threats targeted at financial services' specific products, services and supply chain vulnerabilities, the work of the attackers will get even more difficult and the financial sector's cyber risk management strategies and tactics will become more effective.

Research and incorporation of tools such as decision tree analysis, [16] and Bayesian inference [17] combined with evidential reasoning, [18] have the potential to produce future cyber security remediation and risk reduction strategies and decision-making that go beyond simplistic risk analysis, in which prioritization rests on estimates of the likelihood of occurrence and the magnitude of the loss, by enabling the incorporation of prior knowledge (and intelligence) of the threat and improving decision-making under uncertainty. Another research avenue worth exploring is the application of game theory analyses [19] to cyber-security risk management, aimed at helping to evolve sophisticated counter-threat strategies by better understanding not only how a threat is conducted but also, and by influencing, the underlying motivations behind the threat.

In conclusion, progress in sharing and collaborating both within the financial sector and with financial sector partners, the emergence of more robust cyber security insurance coverage, and the application of big data and advanced risk analytics to the measurement and development of cyber security risk management strategy and tactics have the potential to improve cyber risk management. Both industry and policy makers should encourage, nurture, and accelerate their deployment and implementation.

Notes

[1] http://www.bits.org/publications/cto/ctocornermar2013.pdf
[2] Becca Lipman, "Cyber Risk Is World's Third Corporate-Risk Priority", March 07, 2014, http://www.wallstreetandtech.com/data-security/cyber-risk-is-worlds-third-corporate-ris/240166486: U.S. financial services companies lost on average $23.6 million from cybersecurity breaches in 2013, the highest average loss across all industries and 43.9 percent higher than in 2012.
[3] https://www.fsisac.com/sites/default/files/news/fsisac_pr_sawg_feb19-2014v1ah%20-%20dhe-all-EDITS-FINAL2%20EG.pdf
[4] http://digitaltransactions.net/news/story/4154
[5] http://www.nrf.com/modules.php?name=news&op=viewlive&sp_id=1771
[6] http://www.usatoday.com/story/tech/2013/03/25/cybersecurity-simple-steps/2016243/
[7] http://nakedsecurity.sophos.com/2013/08/09/will-insurance-firms-be-the-big-winners-in-the-struggle-for-cybersecurity/
[8] http://betterley.com/samples/cpims13_nt.pdf
[9] http://nakedsecurity.sophos.com/2013/08/09/will-insurance-firms-be-the-big-winners-in-the-struggle-for-cybersecurity/
[10] "Travelers knows cyber and offers flexible insurance options to meet your needs", https://www.travelers.com/businessinsurance/cyber-security/liability-protection.aspx

[11] http://www.beechercarlson.com/company-news/beecher-carlson-introduces-cyberselect-new-cyber-liability-and-dataresponse-coverage, March 5, 2014
[12] "Allianz teams up with Thales to offer Allianz Cyber Data Protect insurance", http://commerciallines.insurancebusiness-review.com/news/allianz-teams-up-with-thales-to-offer-allianz-cyber-data-protect-insurance-160114-4160496, January 16, 2014
[13] http://ssae16.com/ssae16_overview.html
[14] https://www.fsisac.com/cyberintelligencerepository
[15] http://www.us-cert.gov/information-sharing-specifications-cybersecurity
[16] http://vserver1.cscs.lsa.umich.edu/~spage/onlinecourse/r4decision.pdf
[17] http://research.microsoft.com/enus/um/redmond/groups/adapt/msbnx/msbnx/basics_of_bayesian_inference.htm
[18] http://eycarat.faculty.ku.edu//myssi/_pdf/4-an-introduction-to-evidential-reasoning-ijai.pdf
[19] A player's strategy, in game theory, refers to one of the options he or she can choose in a setting where the outcome depends not only on his or her own actions but on the actions of others. A player's strategy will determine the action the player will take at any stage of the game. http://en.wikipedia.org/wiki/strategy_(game_theory)
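The contrast the article draws between prioritizing on likelihood times magnitude of loss and a Bayesian update that folds in shared threat intelligence, as an added worked example in Python (not code from the BITS article or from any of the cited projects). The three-risk portfolio, the indicator feed and every probability and dollar figure are constructed, and the indicator's 80 percent sensitivity and 10 percent false-positive rate are assumptions.

```python
"""Likelihood-times-magnitude prioritization versus a Bayesian update from shared intelligence.
Added example, not code from the BITS article; every risk, probability and dollar figure
is constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    prior_likelihood: float  # estimated annual probability of the loss event
    loss_magnitude: float    # estimated loss in dollars if the event occurs

def expected_loss(risk, likelihood=None):
    """Classic score: probability of occurrence times magnitude of loss."""
    p = risk.prior_likelihood if likelihood is None else likelihood
    return p * risk.loss_magnitude

def bayesian_update(prior, sensitivity, false_positive_rate, signal_observed):
    """Posterior P(event) after an intelligence signal was or was not observed.
    sensitivity = P(signal | event), false_positive_rate = P(signal | no event)."""
    if not 0.0 < prior < 1.0:
        raise ValueError("prior must lie strictly between 0 and 1")
    if signal_observed:
        hit, miss = sensitivity * prior, false_positive_rate * (1.0 - prior)
    else:
        hit, miss = (1.0 - sensitivity) * prior, (1.0 - false_positive_rate) * (1.0 - prior)
    return hit / (hit + miss)

def prioritize(risks, signals=None, sensitivity=0.8, false_positive_rate=0.1):
    """Rank risks by expected loss; with `signals` (name -> indicator seen?) the
    likelihood is first updated with Bayes' rule. Returns (name, p, loss), highest first."""
    rows = []
    for r in risks:
        p = r.prior_likelihood
        if signals is not None and r.name in signals:
            p = bayesian_update(p, sensitivity, false_positive_rate, signals[r.name])
        rows.append((r.name, p, expected_loss(r, p)))
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed portfolio (hypothetical figures) and a constructed ISAC-style feed in which
# indicators were seen for the first and third threats but not the second.
PORTFOLIO = [
    Risk("DDoS on online banking", 0.05, 10_000_000),
    Risk("Card-data breach via vendor", 0.20, 2_000_000),
    Risk("Phishing-led account takeover", 0.10, 1_000_000),
]
SIGNALS = {"DDoS on online banking": True,
           "Card-data breach via vendor": False,
           "Phishing-led account takeover": True}

if __name__ == "__main__":
    for label, sig in (("prior only", None), ("after intelligence", SIGNALS)):
        print(label, [(n, round(p, 3), round(el)) for n, p, el in prioritize(PORTFOLIO, sig)])
```

With the priors alone the vendor breach ranks second; once the feed reports no indicators for it and indicators for the phishing threat, the ranking flips, which is the effect of incorporating intelligence that the article describes.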