
Cyber Security Overview - Citibank


Cyber Security Overview
Charles Blauner, Managing Director, Global Head of Information Security
+1 908 563-3589
Treasury and Trade Solutions

Overview: 2014 Significant Attacks

Overview: The Cyber Threat Landscape
Threat Actors: Actors and Methods

Organized Criminals
  Motivation: make money
  Methods: spear-phishing and other techniques; mature underground economy supporting criminal activity

Nation-State Actors
  Motivation: theft of trade or craft secrets or support of military capabilities and nationalized industries
  Methods: advanced operations to establish a foothold into infrastructure

Cyber Terrorists
  Motivation: instill fear to have targets comply with demands or ideology
  Methods: using Cyber to enable their programs (recruit, incite, train, plan and finance)

Hacktivists
  Motivation: seek publicity for their geopolitical agenda
  Methods: disruption (Distributed Denial of Service) and defacement

Insiders
  Motivation: emotional or sometimes financial needs
  Methods: uses insider knowledge to steal data, conduct fraud, etc.

It's All About Speed
The Bad Actors move at the speed of light, while the victims learn of it well after the attack.

[Figure: bar chart with a percentage axis from 0% to 50% over the time spans Seconds, Minutes, Hours, Days, Weeks, Months and Years, for three series: Initial Attack to Initial Compromise; Initial Compromise to Data Exfiltration; Initial Compromise to Discovery.]

Conclusions
- The efficacy of attacks is high and, once a network is infiltrated, adversaries are difficult to detect and are often able to operate undetected for long periods of time.
- Aggravating the issue of slow speed of detection is the fact that in the majority of cases, the victim discovers the breach by being notified by a third party.
- A key objective remains prevention, but we can NOT assume we will be successful 100% of the time and need to enhance our ability to detect and respond to the adversary at each stage of the kill chain.

External Party 49%, Internal Active 16%, Internal Passive 28%, Not Documented 7%
Source: 2012 Data Breach Investigations Report from Verizon

Strategic Planning Process
The strategic planning process must reassess key drivers versus current capabilities on a quarterly basis to define a set of Information Security priorities.
Diagram labels: IS Capabilities Assessment; Information Security Priorities; IS Talent/Operating Model; IS Capabilities Maturity; Metrics/Measures; Threats; IS Challenges; Business Direction; External/Internal Perspectives; Drivers; Talent/Operating Model Review; Situational Analysis; IS Strategy/Plan.

Prevention is not Enough
- For the Bad Actor to win they can succeed on 1 out of 100 attempts.
- For Citi to be successful they must prevent 100 out of 100 attempts.
- Given time, the Bad Actor will eventually succeed.
- The ability to detect and respond to events is critical to a successful Cyber defense.
- Intelligence about our adversaries and about ourselves must be used to inform all three phases of our defense system.
Intelligence Led Ecosystem: Prevention, Detection, Response

The Cyber Kill Chain™
Cyber Red Zone
The Cyber Kill Chain is a trademark of Lockheed Martin.
Attacker must expose tools, techniques and processes as attacker moves through each phase of the intrusion chain.

Malicious Attack: Disrupting the Kill Chain™
- Reconnaissance: Gathering Initial Information
- Prepare: Creating Malware
- Delivery: Delivering the Malware
- Exploitation: Exploiting a vulnerability to gain access to an asset
- Installation: Installing malware on the asset
- Command and Control: Creating a channel of communication back to the attacker
- Actions on Objective: Adversary performing their objectives

Controls shown on the slide (labelled Reactive and Proactive):
- Protect sensitive data, stronger access controls, Intelligence gathering on up-coming malware
- Secure email protections, spam filters, Be Safe, Be Secure training
- More secure code, firewalls, Silvertail, IDS/IPS, vulnerability testing, EERS, privileged account controls
- Malware analysis, investigation support, network tools that capture suspicious traffic
- Intelligence gathering on new targets
- Predictive analysis that identifies potentially malicious URLs; Streamlined technologies/process for SOC alerting
- Tools that leverage analytics to identify attacks in progress
- Ability to know who is on the network with what credentials
- Real time network tools that can isolate suspicious traffic and identify source
- Simulate real world threats; identify and remediate process gaps

Cyber Defense Starts with Strong Intelligence Capabilities
the threat: gain knowledge of the adversary and their tradecraft.

Know ourselves, valuable assets and challenges
Cyber threat intelligence and analysis into decision-making: Deliver tactical and strategic intelligence products
a Foundation of Information Sharing: Increase internal and external information sharing in a trusted environment
Execution of Program Management: Support an enterprise approach to integrated processes while conducting incident response in a learning cycle environment
Collaboration: Promote collaboration and partnerships both internal and external; sharing best practices and benchmarking
Team Success: Hiring top talent, providing the best available training and experiences, focused on enterprise solutions
Technology: Identify and develop innovative technologies that enhance safety and security
Principles of an Intelligence-led Organization

IS Architecture: Defense in Depth
IS architecture is one of layered security deploying the latest technologies at the network layers as well as within the strategic data centers.

Cyber Kill Chain™ and a Layered Defenses Strategy (by Capability)
Table columns: Phase, Protection, Detection
Phases: Reconnaissance; Weaponization; Delivery; Exploitation; Installation; Command and Control; Actions on Objectives
Capabilities listed in the table (cell positions not recoverable): Cyber Security Fusion Center; Cyber Intelligence Center; Proxies; Firewalls; Proxies; Intrusion Detection; Antivirus; Antivirus; Proxies; Data Leakage Protection; Anomaly Detection; Proxies; Malware Analysis; Anomaly Detection; Network Application ID; Network Malware Analysis; Sandboxing; Internet SSL Decryption; Malware Analysis; Sandboxing; End Point Monitoring; End Point Monitoring; End Point Monitoring; Anomaly Detection; End Point Monitoring; Next Gen Firewalls; Forensic Analysis; Malware Analysis; Analytics

Cyber Kill Chain™ and Building a Detection Capability
The Security Operations Center (SOC) follows standard processes for detecting potential attacks.
Diagram labels: IS Event Alert; SOC L1 Detection; IS Event Triage; Data Collection; Event Annotation; Case Creation; Case Escalation; Firewalls; Identified threats; Known vulnerabilities; Business-critical IT assets; Intrusion Detection Systems; External Threat Data; Damballa; VPN; McAfee; Applications; Databases; SafeWord; Entrust; Symantec DLP; SiteMinder; Raw Events; Security Relevant Events; Correlated Events; Arbor; Windows; UNIX; Risk-based Prioritization; Threat Determined; Damballa; ForeScout; ArcSight; Netwitness

Why Focus on War Games?

The more you sweat in peace, the less you bleed in war (1939 Chinese Generalissimo Chiang Kai-shek)

War Games Overview
Execute internal and external Cyber based exercises/workshops to ensure Citigroup is prepared to react to Cyber incidents of all levels. It is structured to simulate the experience of a real attack and involves representation from information security, technology, business, legal, and communication organizations.

Overarching Program Objectives
Identify opportunities for Citi to enhance its Cyber threat preparedness with a focus on three areas:
- Effectiveness of existing Cyber incident protocols, processes and procedures
- Cross-functional coordination and command and control
- Coordination and communication with internal/external parties


