Cybersecurity technology and legislation are integral to building a large-scale defense against cyber-threats. But if industry and government don’t collaborate and share information on threats and breaches, even the best laws and technologies will fall short.
With cyber-activity exploding globally, this isn’t possible without a secure, central hub through which information continuously flows. For the financial sector, the Financial Services Information Sharing and Analysis Center (FS-ISAC) is that hub.
“There's so much intel out there that it’s challenging to try to consume, process, and act on it,” said Rick Lacafta, in the opening minutes of his presentation, FS-ISAC Threat Intelligence Ecosystem, at Sage Data Security’s 2015 Cybercrime Symposium.
As director of insurance services for the FS-ISAC, Lacafta used his vantage point to give symposium attendees an in-depth look into the FS-ISAC community, its operations, and how it helps members overcome these challenges.
Scope and Scale
Launched in 1999, FS-ISAC’s mission is to help protect the global financial services infrastructure against cyber- and physical attacks that threaten business continuity. Its primary contribution to this fight is to serve as a clearinghouse for any information on security threats, vulnerabilities, and attacks impacting the financial sector. Two geographically distributed Security Operations Centers continuously monitor hundreds of information sources, capture cyber-threat and attack data for analysis, and issue actionable threat advisories to members. Much of this information comes from members themselves, who log in to a secure portal to share and review threat indicators using the center’s repository.
The FS-ISAC is one of more than 20 non-profit public and private sector ISACs that facilitate inter-sector and cross-sector information-sharing on cyber-activity. It also holds an annual summit, offers education and training programs, conducts simulated readiness exercises, and publishes a series of playbooks that help financial institutions improve security processes.
“If you look across the different sectors, the most targeted are the defense and financial sectors,” said Lacafta. “Why the financial sector? Because we have all the money.”
Those holding the money will always be attractive targets. Early on, financial institutions (FIs) responded to cybercrime by taking to the bunker to try to ride things out. That strategy obviously failed, and the FS-ISAC saw steady membership growth. In the last couple of years, though, that growth shifted from steady to skyrocketing. The incentive: regulatory pressure on FIs to collaborate for the common good. Since late 2014, when the FFIEC issued a statement recommending that regulated FIs become FS-ISAC members, the community has added more than 1,500 new members.
“Our membership was growing at a nice rate when regulators started telling FIs that it would be a good idea for them to join the FS-ISAC,” Lacafta said. “Suddenly, we saw this very steep growth curve.”
Membership now stands at nearly 7,000, and is growing weekly. While Lacafta admitted it’s challenging to manage this kind of growth while maintaining the community feel that’s proven instrumental to collaboration, he said it’s a good challenge to have. “The bigger the organization gets, the more information is shared,” he said.
Share and Share Alike
The center has more than 12 million threat indicators in its repository, and processes 10,000+ repository requests per day, according to Lacafta. While not every member shares information, the FS-ISAC uses various methods to encourage everyone to contribute. It’s adopted the Traffic Light Protocol and the “Circles of Trust” model for protecting and routing shared information. All applicants are vetted by an authorized third party, and must sign an NDA that states they won’t use submitted information against another member. Members can share information with attribution or anonymously. And because it’s private sector-controlled, the center’s repository isn’t subject to Freedom of Information Act access.
These layers of protection foster member trust, said Lacafta. “Some newer members may not feel comfortable on day one, but as they see the information that’s shared and discussed, they get there,” he said.
Automating for Rapid Response and Alerts
Building on all the progress made to date, the FS-ISAC, in partnership with the DTCC (Depository Trust & Clearing Corporation), is working on a major threat automation initiative designed to streamline info-sharing and processing, and dramatically reduce response time. A significant amount of information accessible through the center’s portal comes from data feeds that are proprietary to various intel providers. So today, when a member is attacked, the process of identifying an incident type, and getting it into the repository so the SOC can issue a threat advisory, is research-intensive and manual.
“The research required for a security technician to identify an incident type can be significant,” said Lacafta. “Depending on the threat, it could take several hours.” That doesn’t include the time needed to copy and paste the information into the repository to prepare for distribution.
Enter Soltra Edge, developed by Soltra, a company formed jointly by the FS-ISAC and the DTCC. A threat information-sharing platform, Soltra Edge uses industry-standard protocols and a standard expression language to consistently describe and exchange cyber-threat information. Its automation engine then prioritizes actions and routes intelligence to designated technicians or devices.
“If we use standard protocols to connect our decisions with our defensive architecture, we can put intel into play so we can rapidly respond to threats,” said Lacafta.
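As an added illustration (not code from the FS-ISAC, Soltra, or the presentation), the following sketch shows how the sharing rules described above can be enforced mechanically: Traffic Light Protocol markings decide who may receive an indicator, anonymous submissions lose their attribution before distribution, and the queue is ordered by severity before routing. The STIX-style pattern strings, audience group names, and severity labels are this example's own assumptions; the indicators are constructed sample data.

```python
from dataclasses import dataclass, asdict

# TLP audiences as used in 2015, widest to narrowest. Group names are assumptions.
TLP_AUDIENCE = {
    "WHITE": ("isac_soc", "members", "sector_partners", "public"),
    "GREEN": ("isac_soc", "members", "sector_partners"),
    "AMBER": ("isac_soc", "members"),
    "RED":   ("isac_soc",),   # SOC analysts only; no onward distribution
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Indicator:
    pattern: str        # STIX-style pattern string (assumed format, not from the page)
    tlp: str            # Traffic Light Protocol marking set by the submitter
    severity: str
    submitter: str      # member organisation that logged the indicator
    anonymous: bool = False

def sanitize(ind: Indicator) -> dict:
    """Return a record with attribution removed when the member shared anonymously."""
    rec = asdict(ind)
    if ind.anonymous:
        rec["submitter"] = "anonymous"
    return rec

def route(indicators):
    """Validate markings, order by severity, and attach the permitted audience."""
    queue = []
    for ind in indicators:
        if ind.tlp not in TLP_AUDIENCE:
            raise ValueError(f"unknown TLP marking: {ind.tlp!r}")
        if ind.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity: {ind.severity!r}")
        queue.append((SEVERITY_RANK[ind.severity], sanitize(ind), TLP_AUDIENCE[ind.tlp]))
    queue.sort(key=lambda item: item[0])   # stable sort keeps submission order within a rank
    return [{"record": rec, "audience": aud} for _, rec, aud in queue]

def deliverable_to(routed, recipient: str):
    """Records a given recipient group is allowed to see, highest severity first."""
    return [r["record"] for r in routed if recipient in r["audience"]]

# Constructed sample submissions; not real FS-ISAC data.
SAMPLE = [
    Indicator("[ipv4-addr:value = '203.0.113.7']", "AMBER", "high", "Bank A"),
    Indicator("[domain-name:value = 'example.invalid']", "RED", "critical", "Bank B", anonymous=True),
    Indicator("[url:value = 'http://example.invalid/login']", "GREEN", "low", "Credit Union C"),
]

if __name__ == "__main__":
    for rec in deliverable_to(route(SAMPLE), "members"):
        print(rec["tlp"], rec["severity"], rec["submitter"], rec["pattern"])
```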
This is the 8th in our series presenting key takeaways from Sage Data Security’s 2015 CyberCrime Symposium, held November 5-6, 2015. If you missed the filled-to-capacity event, “Collaboration & Information-Sharing,” you can read the entire series here.