
Cyber Security Overview - Citibank


Cyber Security Overview Charles Blauner Managing Director – Global Head of Information Security charles.blauner@citi.com +1 …


Transcription of Cyber Security Overview - Citibank

Slide 1: Cyber Security Overview
Charles Blauner, Managing Director, Global Head of Information Security
+1 908 563-3589
Treasury and Trade Solutions

Slide 2: Overview: 2014 Significant Attacks

Slide 3: Overview: The Cyber Threat Landscape (Actors and Methods)

Threat actors:

- Organized Criminals
  Motivation: make money.
  Methods: spear-phishing and other techniques; a mature underground economy supporting criminal activity.
- Nation-State Actors
  Motivation: theft of trade or craft secrets, or support of military capabilities and nationalized industries.
  Methods: advanced operations to establish a foothold into infrastructure.
- Cyber Terrorists
  Motivation: instill fear to have targets comply with demands or ideology.
  Methods: using Cyber to enable their programs (recruit, incite, train, plan and finance).
- Hacktivists
  Motivation: seek publicity for their geopolitical agenda.
  Methods: disruption (DDoS, Distributed Denial of Service) and defacement.
- Insiders
  Motivation: emotional or sometimes financial needs.
  Methods: uses insider knowledge to steal data, conduct fraud, etc.

Slide 4: It's All About Speed

The Bad Actors move at the speed of light, while the victims learn of it well after the attack.

Timespan of events by percent of breaches (chart values, grouped by series):

                                          Seconds  Minutes  Hours  Days  Weeks  Months  Years
Initial Attack to Initial Compromise        43%      29%     4%    11%    7%     7%     0%
Initial Compromise to Data Exfiltration      8%      38%    14%    25%    8%     8%     0%
Initial Compromise to Discovery              0%       0%     0%    27%   24%    39%     9%

Conclusions:

- The efficacy of attacks is high and, once a network is infiltrated, adversaries are difficult to detect and are often able to operate undetected for long periods of time.
- Aggravating the issue of slow speed of detection is the fact that in the majority of cases the victim discovers the breach by being notified by a third party.
- A key objective remains prevention, but we can NOT assume we will be successful 100% of the time and need to enhance our ability to detect and respond to the adversary at each stage of the kill chain.

Breach discovery method (chart values): External Party 49%, Internal Active 16%, Internal Passive 28%, Not Documented 7%.
Source: 2012 Data Breach Investigations Report from Verizon.

Slide 5: IS Capabilities Assessment: Strategic Planning Process

The strategic planning process must reassess key drivers versus current capabilities on a quarterly basis to define a set of Information Security priorities.

Diagram elements: Information Security Priorities; IS Talent/Operating Model; IS Capabilities Maturity; Metrics/Measures; Threats; IS Challenges; Business Direction; External/Internal Perspectives; Drivers; Talent/Operating Model Review; Situational Analysis; IS Strategy/Plan.

Slide 6: Prevention is not Enough

- For the Bad Actor to win, they can succeed on 1 out of 100 attempts.
- For Citi to be successful, they must prevent 100 out of 100 attempts.
- Given time, the Bad Actor will eventually succeed.
- The ability to detect and respond to events is critical to a successful Cyber defense.
- Intelligence about our adversaries and about ourselves must be used to inform all three phases of our defense system: Prevention, Detection and Response (the Intelligence Led Ecosystem).

Slide 7: The Cyber Kill Chain(TM) (Cyber Red Zone)

The Cyber Kill Chain is a Trademark of Lockheed Martin.

The attacker must expose tools, techniques and processes as the attacker moves through each phase of the intrusion chain.

Slide 8: Malicious Attack: Disrupting the Kill Chain(TM)

Phases of the attack:

- Reconnaissance: gathering initial information.
- Prepare (Weaponization): creating malware.
- Delivery: delivering the malware.
- Exploitation: exploiting a vulnerability to gain access to an asset.
- Installation: installing malware on the asset.
- Command and Control: creating a channel of communication back to the attacker.
- Actions on Objective: the adversary performing their objectives.

Defensive measures listed across the phases (the slide splits them into a Reactive and a Proactive row):

Reactive:
- Protect sensitive data.
- Stronger access controls; intelligence gathering on up-coming malware.
- Secure email protections, spam filters, "Be Safe, Be Secure" training.
- More secure code, firewalls, Silvertail, IDS/IPS, vulnerability testing, EERS, privileged account controls.
- Malware analysis, investigation support, network tools that capture suspicious traffic.

Proactive:
- Intelligence gathering on new targets.
- Predictive analysis that identifies potentially malicious URLs; streamlined technologies/process for SOC alerting.
- Tools that leverage analytics to identify attacks in progress.
- Ability to know who is on the network with what credentials.
- Real-time network tools that can isolate suspicious traffic and identify the source.
- Simulate real-world threats; identify and remediate process gaps.

Slide 9: Cyber Defense Starts with Strong Intelligence Capabilities

Principles of an Intelligence-led Organization:

- Know the threat: gain knowledge of the adversary and their tradecraft.
- Know ourselves: valuable assets and challenges.
- Cyber threat intelligence and analysis into decision-making: deliver tactical and strategic intelligence products.
- A foundation of information sharing: increase internal and external information sharing in a trusted environment.
- Execution of program management: support an enterprise approach to integrated processes while conducting incident response in a learning-cycle environment.
- Collaboration: promote collaboration and partnerships, both internal and external; sharing best practices and benchmarking.
- Team success: hiring top talent, providing the best available training and experiences, focused on enterprise solutions.
- Technology: identify and develop innovative technologies that enhance safety and Security.

Slide 10: IS Architecture: Defense in Depth

IS architecture is one of layered Security, deploying the latest technologies at the network layers as well as within the strategic data centers.

Slide 11: Cyber Kill Chain(TM) and a Layered Defenses Strategy (by Capability)

Table columns: Phase, Protection, Detection.
Phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives.
Protection and Detection capabilities named on the slide: Cyber Security Fusion Center, Cyber Intelligence Center, Proxies, Firewalls, Intrusion Detection, Antivirus, Data Leakage Protection, Anomaly Detection, Malware Analysis, Network Application ID, Network Malware Analysis, Sandboxing, Internet SSL Decryption, End Point Monitoring, Next Gen Firewalls, Forensic Analysis, Analytics.

Slide 12: Cyber Kill Chain(TM) and Building a Detection Capability

The Security Operations Center (SOC) follows standard processes for detecting potential attacks.

Process flow: IS Event Alert -> SOC L1 Detection -> IS Event Triage -> Data Collection -> Event Annotation -> Case Creation -> Case Escalation.

Event pipeline: Raw Events -> Security Relevant Events -> Correlated Events -> Risk-based Prioritization -> Threat Determined.

Context fed into triage: identified threats, known vulnerabilities, business-critical IT assets, external threat data.

Event sources: Firewalls, Intrusion Detection Systems, VPN, Applications, Databases, Windows, UNIX.

Tools named: Damballa, McAfee, SafeWord, Entrust, Symantec DLP, SiteMinder, Arbor, ForeScout, ArcSight, Netwitness.

Slide 13: Why Focus on War Games?

"The more you sweat in peace, the less you bleed in war" (Chinese Generalissimo Chiang Kai-shek, 1939).

Slide 14: War Games Overview

Execute internal and external Cyber-based exercises/workshops to ensure Citigroup is prepared to react to Cyber incidents of all levels. It is structured to simulate the experience of a real attack and involves representation from Information Security, technology, business, legal, and communication organizations.

Overarching Program Objectives: identify opportunities for Citi to enhance its Cyber threat preparedness with a focus on three areas:

- Effectiveness of existing Cyber incident protocols.
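The SOC detection pipeline on slide 12 (raw events, security-relevant events, correlated events, risk-based prioritization, case creation and escalation) and the kill-chain phases on slide 8, worked through as an added Python example. This is illustrative code written for this page, not Citi's tooling or any product named on the slides; the event log lines, the event-to-phase mapping, the business-critical asset list, the threat-feed address and the scoring weights are all constructed assumptions.

```python
"""Toy SOC L1 triage: raw events -> security-relevant events ->
correlated events -> risk-based prioritization -> cases.
Illustrative only; every input and weight below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed mapping of (event source, event type) to a kill-chain phase.
PHASE_BY_EVENT = {
    ("proxy", "phishing_url"): "Delivery",
    ("ids", "exploit_signature"): "Exploitation",
    ("endpoint", "new_service"): "Installation",
    ("firewall", "beacon_outbound"): "Command and Control",
    ("dlp", "bulk_upload"): "Actions on Objectives",
}
PHASE_ORDER = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
               "Installation", "Command and Control", "Actions on Objectives"]
PHASE_WEIGHT = {p: i + 1 for i, p in enumerate(PHASE_ORDER)}  # later phase scores higher

# Triage context (constructed): critical assets and an external threat-feed entry.
BUSINESS_CRITICAL = {"wire-db-01", "swift-gw-02"}
KNOWN_BAD_IPS = {"203.0.113.45"}  # documentation-range address, constructed
ESCALATION_THRESHOLD = 8

@dataclass
class Event:
    ts: datetime
    source: str
    kind: str
    host: str
    peer: str

@dataclass
class Case:
    host: str
    phases: list
    score: int
    escalate: bool
    events: list = field(default_factory=list)

def parse_raw(lines):
    """Raw log line format (constructed): 'ISO-time source kind host peer'."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed or non-event noise is dropped
        ts, source, kind, host, peer = parts
        events.append(Event(datetime.fromisoformat(ts), source, kind, host, peer))
    return events

def security_relevant(events):
    """Keep only events that map to a kill-chain phase."""
    return [e for e in events if (e.source, e.kind) in PHASE_BY_EVENT]

def correlate(events, window=timedelta(hours=2)):
    """Cluster events per host when they fall within `window` of the cluster's first event."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)
    groups = []
    for evs in by_host.values():
        cluster = [evs[0]]
        for e in evs[1:]:
            if e.ts - cluster[0].ts <= window:
                cluster.append(e)
            else:
                groups.append(cluster)
                cluster = [e]
        groups.append(cluster)
    return groups

def prioritize(group):
    """Risk-based score: deepest phase reached, progress across phases, asset criticality, threat intel."""
    phases = sorted({PHASE_BY_EVENT[(e.source, e.kind)] for e in group}, key=PHASE_WEIGHT.get)
    score = max(PHASE_WEIGHT[p] for p in phases)
    score += 2 * (len(phases) - 1)            # adversary advancing through the chain
    host = group[0].host
    if host in BUSINESS_CRITICAL:
        score += 5                            # business-critical IT asset
    if any(e.peer in KNOWN_BAD_IPS for e in group):
        score += 3                            # external threat data match
    return Case(host, phases, score, score >= ESCALATION_THRESHOLD, group)

def triage(lines):
    """Full pipeline; returns cases ordered by priority."""
    groups = correlate(security_relevant(parse_raw(lines)))
    return sorted((prioritize(g) for g in groups), key=lambda c: c.score, reverse=True)

# Constructed sample input: one host progressing Delivery -> Installation -> C2,
# one critical database hit by an exploit signature, one lone phishing click, some noise.
RAW_EVENTS = [
    "2014-06-02T09:01:00 proxy phishing_url wks-1182 198.51.100.7",
    "2014-06-02T09:03:10 endpoint new_service wks-1182 -",
    "2014-06-02T09:05:40 firewall beacon_outbound wks-1182 203.0.113.45",
    "2014-06-02T09:02:00 firewall allow wks-0042 10.1.1.1",
    "2014-06-02T11:20:00 ids exploit_signature wire-db-01 10.20.3.9",
    "2014-06-03T14:00:00 proxy phishing_url wks-0042 198.51.100.7",
    "garbage line",
]

if __name__ == "__main__":
    for c in triage(RAW_EVENTS):
        print(f"{c.host:12} score={c.score:2} escalate={c.escalate} phases={c.phases}")
```

The ordering the pipeline produces is the point of slide 12's "risk-based prioritization": the workstation that has already reached Command and Control outranks the single exploit signature on the critical database, which in turn outranks an isolated phishing click, and only the first two cross the escalation threshold.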
