TruSTAR recently sat down with two seasoned CISOs from the financial sector to talk about the convergence of security data and the emergence of Fusion Centers in the private sector. We brought in Jerry Archer, the CISO at Sallie Mae, and Gary Warzala, former CISO of PNC, Visa, and Fifth Third Bank, to expand upon this subject.
Jerry and Gary have witnessed first-hand how companies have deployed more technology, processes, and people to defend their applications and systems than ever before… but when pressed, many security operators will admit they still don’t have a firm grip on the security-related data inside their own four walls.
The concept of Intelligence Fusion can be defined as the convergence of cyber threat intelligence with other security data sources, including fraud and physical security data. When implemented correctly, Intelligence Fusion can speed threat investigations and lead to a more proactive security stance.
Below we’ve edited and condensed some of the live Q&A that took place. To listen to the full discussion, click here.
Paul Kurtz, Co-Founder and CEO of TruSTAR: Why is now the time for the Fusion Center?
Jerry Archer, CISO of Sallie Mae: When we began considering a Fusion Center for Sallie Mae, we focused on the notion of how we could achieve a fully converged security organization. This came into focus when we started seeing that the bad guys were acting out both in the physical and the cyber world. In many cases they were leveraging multiple channels to get at the same target. Our first priority was to aggregate all of our security resources and automate them to really focus on what was happening to us.
There's a great deal of opportunity for us to see what's happening across the enterprise across different organizations and business units. We had threats coming in from all kinds of different sources, like call centers, fraud detection, fraud management, and cyber environments. The idea of bringing all this information together in a single location was compelling.
At the end of the day, having a big data lake with all of this data empowers our ability to detect precursor behavior and react quickly. We have so many sources of intelligence now – both internal and external – that we can integrate into that. And then obviously the second component is having the right kind of staff that can look at the data and the analytics that go around it, to really be predictive.
Paul Kurtz, Co-Founder and CEO of TruSTAR: Gary, from your point of view, what are some of the drivers that you've seen in the financial community that have triggered more discussion around Fusion Centers?
Gary Warzala, Former CISO of PNC, Visa, and Fifth Third Bank: For me it always started with organizational maturity. I’ve always been concerned about not having the awareness, not having the visibility that's needed, to protect the enterprise. I think Verizon used to call it the unknown unknowns.
To address the concern, it was always important for me to have a robust threat intelligence program. This program allowed my organization to get ahead of the threats, to be more proactive than reactive. Then, ultimately, to better manage cyber risks. The fusion of people, process, and technology really allowed me to take a step at addressing that concern.
Paul Kurtz, Co-Founder and CEO of TruSTAR: Both of you have had experiences with Intelligence Fusion and bringing those elements together. Was there something that triggered this decision for each of you? The need to move from a siloed environment to a more converged environment?
Gary Warzala, Former CISO of PNC, Visa, and Fifth Third Bank: You know, Paul, I think we've been doing this for a long time. When I was at Visa we would have people go through our data centers. High profile people, high wealth people, politicians, boards of directors, and they would be eyes wide open when they'd look at the physical nature of security at Visa. Everyone loves a man trap. Cyber was probably a bigger risk, yet we had no way to really paint a picture for what we were doing. I think it was the combination of formalizing work that was already being done across the organization, and painting that picture so that we could demonstrate to people who were interested in the enterprise, what we were doing, the seriousness that we were taking cyber, and how we were addressing it. That's how it started for me.
Jerry Archer, CISO of Sallie Mae: For us it was the exploitation of resources. We had a physical security program. We started looking at insider threats and realized that was an easy opportunity where cyber began to integrate closely with physical. This generated the notion of aggregating everything security in one place.
The strategic path we began heading down was that we were going to be far more efficient and effective if we integrated physical and logical security together. The additional capability of being able to automate using new tools gave us the opportunity to move quickly in our environment.
What triggered it for us was the idea of an insider threat. The notion that you can have as much of an issue from a workplace disruption event, as you can from a cyber event, from a big cyber event. They're now becoming the same thing.
The other thing that we found was that there was a great deal of precursor activity. If we could pull all of our data from both external resources and internal resources together, we would be able to detect precursor activity to something that was going to happen. We were able to array our defenses in a way that was preventative, rather than reactive.
Paul Kurtz, Co-Founder and CEO of TruSTAR: That’s a good segue. What are the first three things you should do to set up a Fusion Center capability? What are the building blocks, so to speak?
Gary Warzala, Former CISO of PNC, Visa, and Fifth Third Bank: If you’re going to be significantly affecting a number of different business units within the organization you have to get buy-in.
What I found is, when you talk with the fraud team, or the physical security team, and you bring up this concept of Fusion Centers, no one can really dispute the ideas behind it. The problem is, when you try to formalize it and bring resources together, you start getting pushback. “We don't have the headcount.” Or, “We've got other priorities.” So, you really need to get everyone onboard, and that's going to include senior management. So, start with your peers, really introduce the concept through governance channels, get everyone onboard, create critical mass, and then take it up to the executive team.
Once you have the buy-in, once you can get the approval from the executive team, then it's really around collecting the data, integrating your data, and addressing the quality issues with the data, and I think that takes time. For me, it took time to normalize the data in order for it to be actionable. A lot of the legacy data that you're going to have is not going to have the needed metadata. For instance, the tagging that makes it so valuable. So, it takes some time to get the fidelity that your intel team is going to want.
Jerry Archer, CISO of Sallie Mae: I think for us, you need to start with somebody with expertise. You need somebody that has the vision to lead that Fusion Center and the operational ability to execute. We were lucky in the sense that we were able to hire somebody that had that high-level experience as well as the logistical experience to help us begin our transition into a cloud-based environment, which requires managing a lot of security feeds.
I will tell you, today, that we're pumping more than a billion events a day into our systems to run analytics and behavioral analysis. There were also other events that helped accentuate the fact that we needed to be cross-channeling and crossing organizational boundaries in terms of cooperation. That's what's led us down this path.
Gary Warzala, Former CISO of PNC, Visa, and Fifth Third Bank: Yeah, Jerry. I'd agree with you, too. It's going to be really important to have a person who is really going to drive a Fusion Center mission across the enterprise. They're going to help set the priorities for those financial crimes in the enterprise that have the highest priority, and really address those activities, create those workflows, and demonstrate the metrics that we're making progress in those areas. It's the key to everything, to have someone who believes in it, and is going to drive it.
Paul, I’ve heard you refer to this as an Enterprise Intelligence Officer, and I think that is a really good name for it.
Paul Kurtz, Co-Founder and CEO of TruSTAR: One of the issues in some of our conversations with people has been, “Well, if I've got all these disparate internal sources, and I've got these external sources, how do I normalize that data?” How do you approach this?
Jerry Archer, CISO of Sallie Mae: In our case, it's more rule-based machine learning models. As we integrate data streams into our environment, it's about taking that data stream, and then writing a rule set around it that converges it with other data. We're essentially writing the rules for a machine learning environment, and then leveraging that to identify potential threats, and fuse both data streams together.
Gary Warzala, Former CISO of PNC, Visa, and Fifth Third Bank: We've traditionally started with looking at our internal data sources, first. Writing the sources that we felt could add the greatest value, and really just starting with traditional data coming from the SIEM, or our end user behavior platform. Our identity platform was really critical.
Then, we would take data from our endpoint detection and response platform and fuse that with any kind of case management information that we have. It takes a while to be able to accomplish this. One of the things that we found was, if we could create a small engineering team with some good development skills, they were extremely helpful in accelerating this fusion and automation process.
Paul Kurtz, Co-Founder and CEO of TruSTAR: Is there an outlier of internal or external data that you think sometimes people forget? Or, is this really a pretty straightforward exercise? Most every enterprise is running a SIEM. They may have a case management system. They may have some sort of orchestration platform. Endpoint detections. Those are the basics. That's straightforward, and then you look externally. Is there a certain feed, or source, or tool here, that might be more important than another?
Gary Warzala, Former CISO of PNC, Visa, and Fifth Third Bank: I would say there are three. The SIEM, end user behavior analytics platform, and case management systems. Those were the three critical ones for us. It's important to incorporate the case management systems from the fraud organization, as well, not just the security organization. So that's, honestly, where we started.
We really wanted to focus first on internal intelligence, and then, once we reached the desired level of comfort and felt we had good fidelity, we started to bring in some of our outside sources.
Jerry Archer, CISO of Sallie Mae: I'm going to plug TruSTAR here for a minute. We get clear intelligence feeds from TruSTAR and FS-ISAC. I see those as much more predictive.
We also take advantage of our SIEM, which feeds a global SOC that sits across a very large customer base. We get feedback from the global SOC that tells us about what it's seeing across the environment. That feeds into our discussion around our environment.
Case management tends to be more of looking at repetitive kinds of events. We use our case management system for the storage of forensically-correct cases so that if we present a case to law enforcement it's been stored correctly, and it's managed correctly, with a chain of custody and so forth. So that, tends to be much more historical in nature.
So we're looking at Fusion Centers more from a historical perspective. We see behavioral analytics as an output into the Fusion Center so that we have a huge data lake. We're feeding it with a billion events a day, and its output really feeds the analysis within the Fusion Center. We fuse all of our intelligence sources and determine if there’s any predictive behavior.
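To make the physical/cyber fusion both speakers describe concrete, here is an added example that is not TruSTAR's, Sallie Mae's, or either speaker's code. It takes two constructed log sources (a badge-access export and a VPN authentication syslog; both formats, the user names, the door IDs and the IP addresses are invented for illustration), normalizes them into one event schema, and applies a single converged rule of the kind Jerry mentions: a successful VPN login from outside the corporate network within 30 minutes of the same user badging into the building is a presence conflict worth an analyst's look. The office network range is an assumption, as is the 30-minute window.

```python
"""Fuse physical badge events with VPN authentication events.

Added example (not TruSTAR's or the speakers' code). The log formats,
field names, user names, door IDs, IPs and network ranges below are
constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export from a physical access-control system:
# timestamp,door,user,outcome
BADGE_LOG = """\
2024-03-04T08:02:11Z,HQ-LOBBY-TURNSTILE-1,jsmith,GRANTED
2024-03-04T08:05:40Z,HQ-LOBBY-TURNSTILE-2,amartin,GRANTED
2024-03-04T08:41:03Z,HQ-DATACENTER-DOOR,jsmith,GRANTED
"""

# Constructed sample syslog from a VPN concentrator (key=value fields).
VPN_LOG = """\
2024-03-04T08:09:52Z vpn01 AUTH user=jsmith src=203.0.113.45 result=SUCCESS
2024-03-04T08:12:30Z vpn01 AUTH user=bwong src=198.51.100.7 result=SUCCESS
2024-03-04T08:30:00Z vpn01 AUTH user=amartin src=10.20.0.15 result=SUCCESS
"""

# Assumption: the corporate office network is 10.0.0.0/8. A VPN login
# from inside it is not remote, so it cannot conflict with a badge-in.
OFFICE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Event:
    """Common schema both sources are normalized into."""
    ts: datetime
    source: str    # "badge" or "vpn"
    user: str      # lower-cased so the two systems join cleanly
    outcome: str   # GRANTED/DENIED or SUCCESS/FAILURE
    where: str     # door ID for badge events, source IP for VPN events


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_badge_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, user, outcome = line.split(",")
        events.append(Event(_ts(ts), "badge", user.lower(), outcome, door))
    return events


def parse_vpn_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        kv = dict(p.split("=", 1) for p in parts[3:])  # user=, src=, result=
        events.append(Event(_ts(parts[0]), "vpn", kv["user"].lower(),
                            kv["result"], kv["src"]))
    return events


def is_office_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def find_presence_conflicts(events: list[Event],
                            window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Rule: remote VPN success within `window` of a badge GRANTED for the
    same user. Returns one finding per VPN event, paired with the nearest badge-in."""
    badge_ok = [e for e in events if e.source == "badge" and e.outcome == "GRANTED"]
    findings = []
    for v in events:
        if v.source != "vpn" or v.outcome != "SUCCESS" or is_office_ip(v.where):
            continue
        nearby = [b for b in badge_ok if b.user == v.user and abs(b.ts - v.ts) <= window]
        if not nearby:
            continue
        b = min(nearby, key=lambda b: abs(b.ts - v.ts))
        findings.append({
            "user": v.user, "door": b.where, "badge_ts": b.ts,
            "src": v.where, "vpn_ts": v.ts,
            "gap_minutes": round(abs((v.ts - b.ts).total_seconds()) / 60, 1),
        })
    return findings


def run_example() -> list[dict]:
    """Normalize both constructed sources and run the fusion rule over them."""
    events = sorted(parse_badge_log(BADGE_LOG) + parse_vpn_log(VPN_LOG),
                    key=lambda e: e.ts)
    return find_presence_conflicts(events)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

On the constructed data only jsmith is flagged: a badge-in at the lobby turnstile at 08:02 followed by a VPN login from 203.0.113.45 at 08:09. amartin's VPN session comes from the office range and bwong never badged in, so neither produces a finding. The second jsmith badge event at 08:41 falls just outside the window. In a real deployment the same normalized schema is what lets fraud or case-management records be joined in later, which is the point both speakers make about getting the data into shape before adding more sources.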
Thank you Gary and Jerry for this valuable insight!
The full webinar can be accessed here.