FFIEC – has compliance caught up to security?
History has taught us that regulatory compliance does not equal cybersecurity.
The traditional objection is that compliance is a checklist exercise, a point-in-time assessment of how you meet regulatory standards. Security professionals view these regulatory standards as outdated, inadequate, and often only meet the minimum requirements for security.
The threat landscape is constantly changing. Security teams are faced with one million new malware variants per day. New multi-vectored fileless attacks and emerging global attacks are hiding in the dark web.
There will always be a delay between when a new threat emerges and when compliance standards can catch up. To compensate for this delay, compliance is evolving new controls that drive organisations to adopt new technologies, processes and skills that enable a more agile and proactive security posture. The Federal Financial Institutions Examination Council (FFIEC) compliance controls provide a good example of this evolving security-centric approach.
The goal of FFIEC is “helping to make banks less vulnerable and more resilient to cyber attacks”.
Thomas J. Curry, Comptroller of the Currency and FFIEC Chair, 5/8/2014
Banks are seeing a change in the types of questions that FFIEC regulators are asking. Baseline questions are still being asked. Did you do a pentest? How often do you do vulnerability scans? These are important, yet more compliance-centric questions. In addition, FFIEC regulators are challenging banks with more complex security-centric questions about their readiness to prevent, respond and mitigate an attack. They are looking beyond the tools and processes banks have in place. They are investigating how the tools are used to respond quickly and to prevent lateral movement across the network or exfiltration of data.
A great example of this are the controls related to threat intelligence. “Threat intelligence is automatically received from multiple sources in real time (D2.TI.Ti.A.3).” This involves building a threat intelligence platform (TIP) that collects threat indicators using a vendor application programming interface (API) or utilising the STIX (Structured Threat Information eXpression) format over the TAXI protocol. Threat indicators need to be ingested at the time of publication and automatically stored within the TIP.
But that’s not enough, FFIEC regulators will want to know how this information is used. “A threat intelligence team is in place that evaluates threat intelligence from multiple sources for credibility, relevance and exposure (D2.MA.Ma.Int).” Banks must prove they have access to experienced threat researchers in-house or through an external partner. They need to demonstrate how they are using threat indicators to identify and correlate malicious events into meaningful and actionable incidents.
Regulators want to understand how organisations detect and respond to security threats. “The institution has the ability to discover infiltration, before the attacker traverses across the systems, establishes a foothold, steals information, or causes damage to data and systems (D5.DR.De.Int.2)” and “Incidents are detected in real time through automated processes that include instant alerts to appropriate personnel who can respond (D5.DR.De.Int.3).” Banks must validate they have specific signatures and correlations capable of detecting credential and account compromise and lateral movement throughout the organisation. Regulators will look for automated playbooks that generate alerts and help qualified security analysts to respond and mitigate in near-real time. This goes beyond just having a next-generation antivirus platform.
The FFIEC recognises the growing sophistication of today’s attacks. “Network and system alerts are correlated across business units to better detect and prevent multifaceted attacks (D5.DR.De.Int.4).” Banks must demonstrate the ability to correlate multiple sources of environmental telemetry within the bank to detect and prevent complex attacks from multiple simultaneous vectors. Can the organisation “connect the dots” between events at the perimeter and the endpoint?
“The information security program is more effective with security processes are deeply embedded in the institution’s culture.”
These are just three examples of how evolving FFIEC controls are driving organisations to enable an agile and proactive security posture. The challenge for banks is how to operationalise all this. What tools do they use? What processes need to be implemented? Do they have the right talent to investigate, respond and mitigate threats? Many banks are turning to outsourcing. An MSSP can fill all or portions of a bank’s security gaps when they can’t hire the right talent, procure the right tools or get up to speed quickly.
Not all managed security service providers (MSSPs) are the same. Banks need to select a partner that has policies and playbooks that address the most complex FFIEC controls. For example, building a TIP will be costly to implement and manage. Meeting that requirement with an MSSP, along with threat research expertise, will save time and cost, while dramatically improving the bank’s security posture and ensuring successful FFIEC audits.
By Milan Patel, chief customer officer, BlueVoyant