Securities Lending Times
Feature

Detect, contain, respond


14 July 2017

Luke Moranda of OCC delves into the murky world of cyber risk to explain why, with the threat of attack increasing, fortune favours the prepared

Image: Shutterstock
Cyber risk is a top concern for most companies across all industries, and it is a hot topic for senior management and boards of directors. Threat actors are becoming more sophisticated, and the frequency of these attacks is increasing. According to the 2016 PwC Global State of Information Security Survey, the number of security incidents across all industries rose in 2015 by 38 percent, the largest increase in the 12-year history of this study. In addition to attacks that are targeted at stealing sensitive data, attacks also focus on disrupting the availability of key systems, or the integrity of the data in those systems.

At OCC, we take our role in providing a secure and stable foundation for the markets we serve very seriously. Our main priority is assuring and delivering world-class risk management, clearance and settlement services, so it is critical that we ensure the confidentiality, availability, and integrity of our systems on behalf of market participants in our role as a systemically important financial market utility.

Even with a well-thought-out and properly implemented set of layered defences, most firms recognise that it is virtually impossible to repel all cyber attacks. Therefore, focus must be given to how to detect, contain, and respond to an attack that has breached one or more levels of defence.

Firms have been investing in these capabilities for some time now, and the convergence of cyber risk and business continuity has been an ongoing and natural evolution. For example, many firms increasingly include in their business continuity plan a cyber response plan that addresses key cyber security scenarios and how the firm would respond to each in a timely fashion.

As firms develop these response plans, the complexity of the scenarios, and therefore of the responses, increases.

The time it takes to detect a cyber breach is a significant complicating factor for certain types of events. The average security breach went undetected for 146 days in 2015 (down from 205 days in 2014, according to Mandiant M-Trends reports). This means that the cyber response plan must consider that systems or data have been compromised for a significant period of time.

For example, consider an advanced persistent threat (APT) scenario where the threat actors have been in a company’s systems for months and then activate an attack against the company’s data and systems. The traditional recovery mechanisms for business continuity scenarios, such as real-time replication of data to a disaster recovery (DR) site, work against the company, because these technologies replicate the same issue or breach to the recovery site. Furthermore, code could have been compromised months in advance with a delayed trigger, so rolling back to a recent previous version of code may not resolve the issue.

Therefore, companies must start planning and investing in recovery strategies for this type of attack well in advance to ensure they have the proper data and tools available to recover in a timely manner. In the previous example, for instance, having multiple copies of data and code available is critical for both forensics and recovery. This allows the team to trace back to when the compromise happened, and to restore to a known good state as quickly as possible. Furthermore, it is critical that these back-ups are protected from corruption by such an attack, through strict segmentation from the rest of the network and/or through the use of read-only storage media.

Delving further into the concept of back-ups raises several thorny questions, such as: what to back up, how often to back up, how to protect these back-ups, how long to retain them, how to find the last good back-up in case of a breach, and how quickly and efficiently the back-ups can be restored.
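The two paragraphs above describe the recovery problem in prose: keep several dated copies of code and data, keep a tamper-proof reference off the production network, and use them to work out when the compromise began and which copy is safe to restore. The script below is an added illustration of that "find the last good back-up" step; it is not OCC's tooling and the snapshots, file names and hashes in it are constructed. It assumes each backup carries a manifest mapping file path to the SHA-256 of the file as backed up, and that a separately stored "golden" manifest of the deployed code artifacts is held on segmented or read-only media, so an intruder on the production network cannot rewrite it.

```python
"""Locate the last known-good backup in a series of dated snapshots.

Added illustration for this article, not OCC's own code. Assumes every backup
snapshot carries a manifest (path -> SHA-256 hex digest) and that a golden
manifest of the deployed code artifacts is stored offline / read-only.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file content; used here to build the constructed manifests."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Snapshot:
    taken: date
    manifest: Dict[str, str]  # path -> sha256 of the file as it was backed up


def diverged_paths(snapshot: Snapshot, golden: Dict[str, str]) -> List[str]:
    """Paths from the golden manifest that are missing or altered in a snapshot.

    Only golden (code) paths are compared: data files change legitimately
    every day, so their hashes say nothing about whether code was tampered with.
    """
    return sorted(
        path for path, digest in golden.items()
        if snapshot.manifest.get(path) != digest
    )


def find_last_known_good(
    snapshots: List[Snapshot], golden: Dict[str, str]
) -> Tuple[Optional[Snapshot], Optional[Snapshot]]:
    """Return (last_good, first_bad), scanning the snapshots in date order.

    first_bad is the earliest snapshot that diverges from the golden manifest;
    last_good is the latest snapshot taken before it. Snapshots after first_bad
    are not trusted even if they happen to match again, because the environment
    was already compromised when they were taken. (None, None) means no
    snapshots; (snap, None) means nothing diverged.
    """
    ordered = sorted(snapshots, key=lambda s: s.taken)
    last_good: Optional[Snapshot] = None
    for snap in ordered:
        if diverged_paths(snap, golden):
            return last_good, snap
        last_good = snap
    return last_good, None


# ---- constructed sample data ------------------------------------------------
GOLDEN = {  # hypothetical release artifacts, as shipped
    "app/settle.py": sha256_hex(b"def settle(trades):\n    ...\n"),
    "app/netting.py": sha256_hex(b"def net(positions):\n    ...\n"),
}

# A delayed-trigger modification of settle.py, as the article describes.
TAMPERED_SETTLE = sha256_hex(
    b"def settle(trades):\n    if date.today() >= TRIGGER:\n        corrupt()\n    ...\n"
)


def _snap(day: int, settle_digest: str, ledger: bytes) -> Snapshot:
    """Build one nightly snapshot; the ledger grows legitimately each day."""
    return Snapshot(
        taken=date(2017, 6, day),
        manifest={
            "app/settle.py": settle_digest,
            "app/netting.py": GOLDEN["app/netting.py"],
            "data/ledger.csv": sha256_hex(ledger),
        },
    )


SNAPSHOTS = [
    _snap(1, GOLDEN["app/settle.py"], b"T1\n"),
    _snap(2, GOLDEN["app/settle.py"], b"T1\nT2\n"),
    _snap(3, TAMPERED_SETTLE, b"T1\nT2\nT3\n"),      # code altered, data still fine
    _snap(4, TAMPERED_SETTLE, b"T1\nT2\nT3\nT4\n"),
]

if __name__ == "__main__":
    good, bad = find_last_known_good(SNAPSHOTS, GOLDEN)
    print("restore code from:", good.taken if good else None)
    print("first tampered snapshot:", bad.taken if bad else None,
          diverged_paths(bad, GOLDEN) if bad else [])
```

The comparison deliberately covers only the code artifacts in the golden manifest: business data changes every day, so the data in the last good snapshot still has to be reconciled separately (for example from transaction logs), which is the "restore to a known good state" part the article leaves to the playbook. The golden manifest is the piece that must live off the production network; if an intruder can rewrite it alongside the backups, every snapshot looks clean.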

For complex cyber events, there are myriad different combinations and permutations of variables to consider, and each may require a somewhat different recovery approach. This can be very different than a traditional disaster scenario, where often there is a binary option: fix the current production system, or switch the entire system (or even the whole production environment) over to the disaster recovery site.

Therefore, the cyber response playbook will be much less prescriptive, and will need to contain a variety of tools that knowledgeable personnel can use to respond to the specifics of the particular event. It is also important that the business understands that not every scenario can be recovered in the typical two-hour recovery window for a DR event, and that they plan accordingly to manage the risk and attempt to limit the business impact in other ways where possible.

Cyber recovery planning is not a one-time event. The cyber threat landscape is constantly evolving, and the responses need to evolve as well. At OCC, we have access to federal-level resources that provide us with valuable insights into emerging methods of attack. It is imperative that we continue taking the new and emerging information on attacks and integrate it into our processes. Sometimes this also requires development of new tools, infrastructure improvements, and development of expertise to strengthen our ability to respond quickly and efficiently. It is always issue number one for a central counterparty like OCC to make sure that market confidence remains high, that issues are addressed, and that business continues.

As we continue to work to fulfil OCC’s mission, which is to promote stability and market integrity through effective and efficient clearing, settlement and risk management services, addressing all risks, including cyber, is a top priority if we are to serve market participants at the high level of service they expect from us.