A New Source of Cyberthreat UpdatesFS-ISAC Offers Briefings on Emerging Trends
The Financial Services Information Sharing and Analysis Center has partnered with cyber-intelligence firm iSIGHT Partners to provide its bank members with updates about the latest cyberthreats, including data from international markets, says Bill Nelson, president of the FS-ISAC.
"iSIGHT is now providing regular briefings and ad hoc briefings to [our] membership on the main threats to our sector, [including] how these attacks could be detected and, in some cases, even mitigated," Nelson says during an interview with Information Security Media Group [transcript below].
John Watters, founder of iSIGHT Partners, says the main challenge most organizations face is wading through the threat environment to get true cyberthreat information that is actually valuable.
"There's an awful lot of noise in the networks," Watters says. "We help FS-ISAC and their members clearly understand what threats are real and which ones are perceived, and that enables them to prioritize their resources."
Having accurate threat data then allows security leaders at banks to invest in areas that make sense, Watters says.
"The threat environment today is intentionally being filled with a lot of misinformation from the adversaries themselves, which makes it very difficult for companies without an intelligence arm to find out what's really relevant," he says.
During this interview, Nelson and Watters discuss:
- The lessons banking institutions can learn from the government sector;
- Why smaller institutions are most at risk;
- How automation is assisting the cyberintelligence fight.
Before joining the FS-ISAC, a non-profit association dedicated to protecting financial services firms from physical and cyberattacks, Nelson was elected vice chairman of the ISAC Council, a group dedicated to sharing critical infrastructure information. From 1988 to 2006, he served as executive vice president of NACHA - The Electronic Payments Association. While at NACHA, Nelson oversaw the development of the ACH network into one of the largest electronic payment systems in the world. He also oversaw NACHA's rule-making, marketing, rules enforcement, education and government relations programs.
Watters serves as the chairman and CEO of Dallas-based iSIGHT Partners, a managed intelligence services company. He previously was chairman and CEO of iDEFENSE, which was sold to VeriSign in 2005. Over the past decade, Watters has been involved with numerous cybersecurity companies, including TippingPoint Technologies, Archer Technologies, Netwitness and Lookingglass, in addition to iDEFENSE and iSIGHT Partners.
TRACY KITTEN: What can you tell us about the partnership?
BILL NELSON: From our perspective, we really wanted to leverage the subject matter expertise of iSIGHT Partners to obtain relevant and actual threat intel for our members. iSIGHT is now providing regular briefings and ad hoc briefings to the membership on the main threats to our sector and intelligence, about how these attacks could be detected and, in some cases, even mitigated. The analysis that we're getting from them is really helping our sector be better prepared.
JOHN WATTERS: This is what iSIGHT does exclusively. We're in the cyber-intelligence business, and, in doing so, we help FS-ISAC and its members demystify this threat environment they're operating in. There's an awful lot of noise in their networks. There's an awful lot of noise, frankly, in the press ... and we help FS-ISAC and their members clearly understand what threats are real and which ones are perceived, and that enables them to prioritize their resources against high-impact threats, the real true threats that are hidden in the cloud of noise around those threats, so they spend their money on the right things and focus on the right things.
The threat environment today is intentionally being filled with a lot of misinformation from the adversaries themselves, which makes it very difficult for companies without an intelligence arm to find out what's really relevant, which they could listen to and which they can avoid.
Collecting, Disseminating Cyberthreat Data
KITTEN: John, can you give us any idea about how iSIGHT collects its cyberthreat data and then provides analysis?
WATTERS: We collect it in a variety of ways, but the key differentiator is it has to be global and it has to be multilingual. We operate covering 56 different countries around the world, operating in 22 native languages with our 181-staff globally that are able to, through relationships and research efforts, really understand emerging threat centers - the tools, tactics and techniques that are being used, being developed and being merchandised in different parts of the world.
Plus, we also learn from different incident data from relationships we have with local law enforcement and country companies and consortiums, just small information-sharing partnerships, to where an attack that's being executed today somewhere in Asia or South America may be coming to North America next week. The origin of FS-ISAC and really a core function of what iSIGHT Partners does is community defense enablement to where one person's reactive is the next person's proactive and predictive. We're able to harvest our knowledge from all of these global centers, bring that back to our threat center and create analysis of what real threats are, how they're operating and what the technical characteristics are of those threats to enable our customers to detect and defeat it.
With respect to the FS-ISAC, where we're able to help there membership is really understand what's important, where to focus their efforts and what the real level of threat is so they can communicate with their leadership what the real risk is to their organization, rather than what the perceived risk may be from the press or what they're hearing from other sources. The delivery is through standard scheduled briefings. It's not delivery of all the content or delivery of all the research. It's delivery of the message and the meaning of what they're experiencing in a way that the banks can communicate properly with leadership and prioritize efforts to manage risk.
Importance of Latest Intelligence
KITTEN: Bill, why did FS-ISAC pursue this partnership now?
NELSON: The threats to the financial-services sector really continue to grow. We have cyber-criminals, hacktivists, nation-state threats and all of these have different motivations. John was right; there's a lot of misinformation about those threats, and the chief information security officers are often now part of the agenda of their board of directors and have become a C-suite issue. The FS-ISAC board and our members felt it was very important for the members to have the latest and best intelligence about these threats in order for them to really provide the maximum security to their firms and their customers, to really understand what these threats are and make sense of them.
... We were doing a lot of information sharing before this; ... this really augments it. ... Some of the information we were getting from government, other sectors and the media, even what members were sharing with each other - it augments it in many ways. But the key is putting the intel into context, really defining the threat, what the motivation is behind the attacker, who's being targeted, how to detect it, and how to respond and mitigate. All that really starts to make sense with this partnership.
Communicating with Members
KITTEN: How was FS-ISAC communicating information with its members before this partnership?
NELSON: I joined FS-ISAC in 2006, and frankly there wasn't that much information sharing going on at all in 2006. I've said this many times, but we literally would throw parties if they shared information. But that really changed over the last seven years and we saw a whole plethora of information being shared between the members, especially incident information. We started to get finally information coming from government that used to be a one-way street where we would seek government information and didn't really get much back, but we're starting to see more from them, so that's improved also. It could be better. But I think as a result of this, we now have actual intelligence, sometimes even before we see the attacks, which is very helpful to the sector. It helps them better prepare. I think that's the big improvement. It's not always the case, but sometimes it's after the fact. I think having the analysis about it was lacking before.
WATTERS: The one thing I would add to that is the one challenge with information sharing is that there's not a central analytical rigor applied to all of those information data points that are shared. You don't really have the knowledge center that everybody can draw from to take action. People have said oftentimes information sharing is overrated if all we're doing is filling up each other's inboxes. You have to have an analysis center that actually takes that information shared and delivers that store of knowledge in a useful way to its customers. That's where Bill's team does a good job with all the incidents that are shared on his members, and then we provide that external strategic threat view that says, "Here's everything we're seeing from the threat environment itself as it's developing into what may be a real risk for financial institutions." The coupling of the incident handling and sharing work that they do with what we do makes good service for the members.
Top Cyberthreats to Institutions
KITTEN: Distribute-denial-of-service attacks are an obvious concern for financial services, but what other cyberthreats and risks should be top of mind?
WATTERS: The world has changed dramatically in the last several years. If you think of the threat environment that the government has operated in forever from a cyber perspective, that used to be viewed as very different than the cyberthreat environment that the commercial sector operated in - different actors with different capabilities and targeting for different purposes.
Today, what we've seen is the convergence of the threat environment to where we're all operating in the same threat environment and you've seen the same types of capabilities, sophistication and tools being used against governments to be used against the commercial sector. That's really changed the complexity of the challenge for banks that aren't resourced to understand the threat they're operating in and how to position resources against advanced threats.
The biggest change is not just the incredible increase in DDoS capability in the disruptive type of force it could apply to institutions. The biggest fear on top of that today, as we saw in Saudi Aramco and was another fear that came to light through these South Korean attacks, is destruction of data. There's one thing to disrupt your operations for a period of time; it's another thing to destroy the integrity of your information in a way that it makes it very difficult and challenging to operate. That's a risk that you wouldn't typically think of in terms of a commercial target. What's the value to destroying my data to an adversary? There's no financial value, but there's potentially some strategic or national value in doing so, or at least messaging value in doing so, that wasn't heretofore considered a real risk.
Risk Mitigation Challenges
KITTEN: Bill, what are you hearing from your member institutions about emerging threats?
NELSON: The biggest challenges in some of these attacks that we've seen, particularly advanced DDoS attacks in general, are they're very persistent and they really widen their scope of the attacks. It's not just against some big-name companies - credit card companies, large banks or retail banks. They've gone to regional banks and credit unions. They've hit insurance companies. Even some small community banks have been hit with some of these attacks. We see a real need to help some of the smaller financial institutions. They've been hit before too with account takeover attacks, for instance, from the cybercriminal area and attackers. But from the DDoS side, a lot of these small institutions now have been hit with DDoS to either disguise account takeover or, in some cases, even some advanced DDoS that were just disruptive. It's also the concern that John raised and we heard that kind of theme at the RSA conference, that disruption is the pathway to destruction. We're very concerned about that; at least the members are.
Automating Threat Data
KITTEN: Are there any other points about the partnership that you'd like to highlight?
NELSON: One of the things we're looking at is more automation of the threat data, some of the incident data that the members are sharing today and some of the threat indicators we're getting from government and other sources. This really allows us to spend more time on automating the data so it can be digested by the members and prioritized, and it allows the strategic aspect in terms of analysis that iSIGHT can provide, and it frees our members up to do actually more strategic thinking about how to protect themselves going forward. I think that's a big advantage, too. It frees us up to do more of the operational automation projects that we've been wanting to get to, but we also were trying to address the analysis side, too. At least we've got one of those covered and we can now address automation.KITTEN: Are there any final thoughts that either one of you would like to share before we close?
NELSON: First I want to say I think the partnership is working out very well so far. We've had several briefings already, and we're very pleased. Going forward, I think there are opportunities for further partnerships.
WATTERS:We're operating in a threat environment today that's very similar to what the government has been operating in for years, yet if you look at the way that the commercial sector spends its money on security, it's very different than the way the government does. The government, for example, will spend 10 percent of their security dollars on an intelligence program to understand the threat environment they're operating in and the tools and trade craft of the adversaries that they're up against to inform the other 90 percent of how they need to spend that properly. Yet, the commercial sector has really been very far behind in investing on the intelligence side to understand the threat environment that they operate in.
This partnership is a good bridge for organizations, particularly the mid-sized and smaller organizations that couldn't afford an intelligence program on their own, and it will help inform the larger institutions that have not yet implemented an intelligence program to really have a full-borne cyberintelligence program that leads their operations so they can prioritize all of their investments tactically and strategically against the threat realities they're up against as they change.
It's a different way of doing business. It's leading intelligence towards the core of your security program versus having compliance or some other driver of how you invest your dollars. I think it is incumbent upon the commercial industry to begin to learn from lessons of folks like the government, which has been up against the same threat environment we're now operating in commercially for the last several years. It's a good opportunity to learn from what's been seen before.
Small to mid-size organizations, they may not have all the tools, capabilities and the expertise necessarily to fight the fight tactically as well as the big guys do, but at least they can understand and communicate the risk to their boards. For the larger organizations, I think this will help enlighten those that may be on the tipping point of trying to implement an intelligence program, that there's value in this type of approach to managing risk.