Security Operations – Operating Beyond IT Security
- Lars Wittmaack, QuoScient Security Operations Principle Consultant
Recently, three Chinese citizens were charged in the U.S. courts after it was found that they hacked U.S. law firms and then used the stolen information for insider-trading that netted them $4 million dollars. This is a prime example of "clever" hackers earning money on the financial market, but not by hacking a bank. It also illustrates the value of law firms to hackers.
Within the financial sector, due to the security requirements that are demanded by financial regulations in the various regional jurisdictions, one of the biggest challenges for organisations is how much to spend on security. Regulators such as the European Central Bank expect security to be an integral part of financial businesses – sometimes with a simple reference to confidentiality, integrity and availability; sometimes with detailed expectations. In any case, the trend is towards a cyber security framework that regulators perform audits against. Essential part of today’s cyber security is threat intelligence and sharing. Besides understanding when it would really hurt and where, and if the threat is increasing; regulators want to be notified about security incidents and see sharing initiatives as the cornerstone to reducing exposure to financial markets. Compliance can be understood as ticking a box, but it is ultimately about establishing the right people, processes and technologies to minimise financial markets manipulations.
These regulatory-driven security requirements feed into the policies and procedures of financial institutions and are a part of contracts and Audits with third parties, including law firms. Banks expect partners, such as law firms, to adhere to their institution’s security policies and/or have adequate organisational policies and security of their own to reduce the threat exposure of their business. Typically, banks’ contracts with law firms contain clauses that allow the financial institution to audit their legal services providers.
Policies in the first place must meet internal and regulatory requirements. If there is no specific vendor policy or other policy defined by contracts, law firms obviously inherit the security expected from financial regulators. So, for the law firm, it can be tricky – what is the right level of security to have in order to meet the contractual and audit requirements of their bank? In any case, as for any Audit, it is essential that law firms are able to factually demonstrate the execution of the policies and controls that were accepted as part of the contract.
From a contract perspective for law firms, it’s about where the liability is; from a compliance perspective, it’s about whether the agreed controls are in place; from a security perspective, it’s about identifying, preventing, detecting and responding to changing threats to ultimately reduce financial market manipulations. This is important as cyber criminals are continuously adopting different tactics to breach security and today, they are shifting to indirect attacks like in the Chinese example mentioned above.
Therefore, a Security Operations-led approach is needed, going beyond traditional IT security. In analyst house, Gartner’s words: ““Security operations centers must be architected for intelligence, embracing an adaptive security architecture to become context-aware and intelligence-driven. Security leaders should understand how intelligence-driven SOCs use tools, processes and strategies to protect against modern threats.”Intelligence-driven Security Operations cover the full life-cycle of threats so that reactive and proactive threat management become par for the cause. It delivers Adaptive Threat Processing encompassing everything from assessing new relevant threats, adaptive controls, detecting manifesting threats, mitigating the impact and monitoring threats and their evolution. A ‘big’ picture, as facilitated by Security Operations is essential to mitigating threats.
Note: This is a summary of Lars Wittmaack’s presentation at the recent Ascertus Cyberthreat seminar in London.
About Lars Wittmaack
Lars Wittmaack heads up QuoScient's Security Operations Consultancy Services. He has 15 years of experience in the IT Security industry. Lars started his career as security consultant for a company with expertise in cryptography. For six years, he headed a large international financial institution's Security Operations Centre including Security Incident Management.