Increasing the Value of Threat Intelligence

As financial institutions continue to incorporate new and expanding uses of data into their business models, the threat surface is growing in novel ways. With it, the volume of threat intelligence coming at security teams is exploding, making it challenging to sift the signal from the noise. We spoke with Koral Anderson, most recently Chief Security Officer (CSO) and Chief Data Officer (CDO) of Deutsche Bank (now with Barclays) about new threat trends and their impact on the business, where automation does and does not fit in to managing cyber threats, and how an increasing part of her job is education.

New Uses of Data: Opportunities and Threats

How has cybersecurity in the financial services industry evolved in the last few years?  

Several trends are converging, shifting the way CISOs and cybersecurity teams need to think about evolving threats. One is the evolution from credit card theft and retail account takeover/theft to wholesale financial attacks, which forces us to consider how being an account manager, correspondent bank, and/or an intermediary bank for large wholesale institutions plays into this world of much larger and more involved cyber attacks. This is exacerbated by the proliferation of connectivity, which makes attribution and defense (both inside the enterprise and across the internet) even more difficult.  In addition, the number of devices now used to perform financial transactions is exploding, and these must be secured. Finally, threat actors are now increasingly both attacking business processes from the inside and targeting clients as a means to attack the business process. This shift means that cyber defense has become a shared value proposition and responsibility between institutions and their customers, a new but now fundamental component in the business relationship. 

What are the security implications and business risks of increasing and new uses of data across the financial services industry? 

Decentralization and enabling broader access to data has significant advantages for customers. It also has some real security concerns, as it provides a much bigger and more valuable target. Access to information through APIs, data marts, and even data lakes represent an aggregated target for actors, and we are seeing attempts at exploitation of these across the industry.  Aggregation is a common theme and an increased threat vector, with managed, internet, cloud, and other “wholesale” aggregated service providers bearing the brunt of the impact.  
 
Protecting these is a delicate balance of enabling the business and ensuring mitigation of data exfiltration and data distortion threats. While companies continue to look at opportunities to strengthen their “core” controls (access, vulnerability, logging, and monitoring), they are also looking beyond that at enabling transaction security activities to more closely align and facilitate analysis of behaviors against established norms. This will allow firms to keep a closer eye on the anomalies, which are sure to expand as users and machine access are enabled to proliferate. 

The Business Value of Threat Intelligence 

What are the similarities and differences in the way financial firms handle market data and the way they must now handle threat intelligence data? 

Financial firms typically consume and integrate huge volumes of market data on a continual 24-hour global basis.  In some cases that data comes with high quality assurance and validity but in others, there is no authoritative source and firms consume “the best they can find.”   

In threat intelligence, that volume is difficult.  We have learned that more is often the opposite of better. Across the industry, teams were flooded with threat intelligence and alerts, which resulted in exhausted analysts while not really improving security. Our ability to find contagions and anomalies is based on pattern recognition, which allows us to significantly reduce threat inputs. When managing and prioritizing vast quantities of data to discern the patterns, we have shifted to a “systems engineering” approach of defining the requirements (our threats to be mitigated) and aligning our data to that objective. It allows us to tune the noise on the threat intelligence feeds and turn up the volume on what we see (and our FS-ISAC partners see) to be our compass for threat mitigation activities.  

How do you realize value for Deutsche Bank through threat intelligence management?  

One of the pieces of “value” we provide is education to the organization and our customers.  We don’t openly align our programs to ROI, but we attempt to educate our customers on potential threats and ultimately the potential risk of exposure to those threats. Obviously, we look at probability models to help us to determine our likelihood of compromise and as we lower that, we use that as our ROI to the organization. It has always been a difficult value proposition, but certainly when we lower the probability of risk, we can measure that in terms of cost avoidance. In the future, we expect that more capital requirements and insurance will be tied to our threat and risk posture as likelihood and impact of our threat exposure will be more closely aligned with our need to hold capital against those risks. 

What is the best way to convey the importance of threat intelligence to boards? 

All data has value to a business. For financial services firms, there is significant value in understanding the relevant threats, prioritizing those, and responding quickly and appropriately. This helps protect sensitive data and ensures that we provide continuous service to our customers, which is the minimum most customers expect and therefore clearly foundational to what the business, and its brand promise, must deliver. This all starts with good threat intelligence data harnessed and utilized in the right way. 

For this to be effective, boards need education on how to understand and interpret our threat data. This is one of the primary reasons we created an annual threat assessment, in which we communicate what our tailored threat intelligence is telling us in a straightforward, non-technical way. As the collection and compilation of raw data is increasingly automated, we show our board that the real value-add of holistic and informed threat intelligence is in the analysis that makes the critical connections between threat, business process, assets, and vulnerabilities exposure. 

The Value of Automation

How do firms combine automation and human strategic thinking to make an effective cyber program? 

Any cyber program exists to meet or support the business objectives. Most businesses have objectives around cost and risk appetite which are particularly relevant for a cyber program. Often attention is given to the technical aspects of the program and the human dynamics can be overlooked or somehow de-prioritized. To me, this is a mistake, as both are critical. 

For example, employees are a point of entry to the business and its assets and a point of control over those assets. They require training on the risks those controls are intended to mitigate as well as on more generic information security risks, such as social engineering. As a group, their activities also need to be monitored for early warning signs of potential issues all the way through to investigation of actual breaches and incidents. 

On the other hand, automation requires us to think not like a human at all. Automation (especially when paired with orchestration) invites a different way to create “shortcuts” in processes by eliminating human thinking where it is serving no material benefit (e.g. someone needs to think about this, someone has to assign a value to that…). However, this is only achievable if good human thought and strategy is correctly applied to the design of the process, focusing on the desired outcome and working backwards to the inputs and processing needed to achieve that outcome.