A public-private group that provides intelligence to the financial services sector has revamped operations to adapt to new security challenges.
On Super Bowl Sunday last year, millions of Americans sat in front of their televisions to watch the Tampa Bay Buccaneers take on the Oakland Raiders. But some four dozen security professionals from a range of financial services organizations were not watching the big game. They were on a conference call discussing Slammer, the computer worm that had just begun to maraud its way across the Internet, posing enormous risks to their networks.
The call was set up by the Financial Services Information Sharing and Analysis Center (FS/ISAC), a high-tech group designed to allow the industry's security professionals to share threat and mitigation information. The conversation about Slammer was by no means restrained or formal, according to one participant. Instead, this group of peers spoke openly and in great detail about what they were seeing, how their networks were being hit, and what they were doing about it.
The group's original mission was to collect information about cybersecurity threats, risks, and vulnerabilities; analyze these to assess their criticality for the financial sector; and then deliver alerts to participants. But the terrorist attacks of 9-11 made it clear that the group would need to expand its focus beyond cybersecurity. The mission now includes researching and distributing information on physical threats as well. What follows is a look at how the FS/ISAC gathers, analyzes, and disseminates security information; how it is making the change to incorporate physical security expertise; how the government fits into the picture; and how the financial services sector is responding to the next-generation FS/ISAC.
The FS/ISAC starts by collecting an enormous amount of threat data. This intelligence powers the group. The information is collected and analyzed by the ISAC's secure operations center (SOC) run by Science Applications International Corporation (SAIC), based in Reston, Virginia. The SOC comprises three separate locations, two on the East Coast and one on the West Coast. Two are round-the-clock operations. From 10 to 30 cyber- and physical-security analysts working at these sites are helping the FS/ISAC at any given time.
Incoming intelligence. Jim Jones, SAIC's chief technology officer, oversees the work done for the FS/ISAC. Jones explains that cybersecurity intelligence comes from member reports on subjects such as new virus attacks or an unusually high number of probes of particular ports.
Reports can be filed in several ways. "One is via the ISAC Web site," Jones says, "and they can do that anonymously or attributed." Members, who also use the password-protected site to get detailed information on current and emerging threats, can share (anonymously, if they choose) details of physical and IT attacks or threats that they've experienced. If they choose to remain anonymous, Jones says it is impossible even for him to ascertain who submitted the report, though he adds that if necessary, he has "double-blind access" back to the submitter. This allows a message (asking for more information) to get back to the submitter but still does not reveal his or her identity. Those who choose to be identified when they submit reports can also e-mail the SOC analysts directly, contact them by phone, or send a fax.
By offering anonymity to submitters, the FS/ISAC helps mitigate the fear of some in the financial services sector that their competitors might exploit knowledge of a weakness. However, Jones says, it also tends to diminish the credibility of the submission. "We do whatever corroboration or verification we can of the event" if it's submitted anonymously, Jones says. "If we can corroborate it from a more reliable source, we'll up the credibility on it."
According to Byron Yancey, who serves as the executive director of the group, the database contains nearly 5,000 events, of which several hundred were submitted by members. That's a huge improvement from five years ago when "there probably weren't ten" member submissions. Whatever isn't submitted by members is gleaned from public sources of information and from several commercial providers with which the ISAC has arrangements to receive information, says Jones. Information from commercial providers--typically vulnerabilities and threat information--comes already ranked in terms of severity, and those ranked highest reach the SOC's analysts first.
Analysis. All incoming information is first stored in a database, Jones says, and then sent to analysts for review and scoring. He explains that the analysts are organized in a pyramidal hierarchy. At the bottom level are junior analysts crunching the raw data. Analysts rank any event or incident against an empirical score sheet that checks severity through a list of questions. There are two criteria that cause them to immediately escalate new information to the next higher level: severity and unfamiliarity (in terms of types of incidents or vulnerabilities).
For a vulnerability, one question might be: Is it remotely exploitable, or would an attacker need to have an account on the system for it to work? The former case might indicate a high threat and thus receive a higher score; the latter might not be so immediately threatening.
New or unusual types of submissions also cause higher scores and move up to the next tier quickly, although Jones notes that as junior analysts gain experience, the number of such submissions they need to escalate begins to diminish. Once a score hits a certain threshold, it is automatically escalated to the next tier of analysts.
That next tier similarly analyzes the data and forwards to the next level only those events that merit additional attention. "That lets us do it in a pretty cost-effective manner, because we have our least skilled analysts at the bottom basically doing data processing," says Jones. The entire operation is online and secure, he says, so that alerts can be processed from any of the three SOC locations.
Once a vulnerability or incident is analyzed, it can be categorized as normal, urgent, or crisis, depending on the risk to the financial services sector. Then, members can be alerted. This is done using a membership profile that allows recipients to choose precisely the types of alerts they wish to receive. For example, an organization running the Unix operating system may not care to receive alerts about new Windows vulnerabilities.
Currently, all users receive alerts via e-mail. Detailed alert information is not always found in the body of the e-mail message. Alerts relating to sensitive information only contain a link to the Web site; to obtain the information online, users must use strong authentication to enter the site.
Members have different levels of access to the site depending on their level of membership. Two-factor authentication--with usernames and RSA SecurID password tokens--is required for members with top-level access. (These tokens have a random six-digit number, synchronized with the central server, that changes every 60 seconds. This number is the user's personal identification number.)
Recognizing that a serious incident could knock networks offline and thus prevent an alert from being reached, Jones says that a future iteration of the alert mechanism will include other methods of communicating with members, such as telephone. He says that this system will be difficult to implement, because there needs to be a way to authenticate the recipient using an out-of-band channel. This project, with financial support from the government (described in more detail later), is underway.
Alerts typically contain not only the details of the threat but also information about how to mitigate the threat. For example, the solution might be a link to a vendor's patch if the vulnerability is in a software program. In some cases, Jones says, an alert might also set up a conference call with the vendor: "That's something we do for all the serious stuff on the cyber side," he says. Such conference calls (which might include the Microsoft engineer who created a patch) are available only to members at the highest levels.
Timeliness. Keeping the alerts timely is a critical element of SAIC's work for the FS/ISAC; the speed at which cyberattacks cross the Internet means that any delay in sending alerts could make the difference between an organization's blocking a new virus or being victimized by it.
So how much time does it take between the arrival of a new piece of intelligence and the sending of an alert? "Always less than an hour," Jones says, adding that it's typically significantly less than that. For example, if a report of a problem comes in from a commercial partner, and if it is credible and accompanied by a solution such as a workaround or a link to a vendor patch, it might go out as an alert to members within minutes, he says.
But the process is often more complex. One reason is that the SOC sometimes receives reports that look like separate computer security problems but are in fact the same vulnerability. To avoid this problem, the SOC's analysts use the Common Vulnerabilities and Exposures (CVE) list maintained by the MITRE Corporation; this is a database of the common names of vulnerabilities and exposures that Jones says allows analysts to "glue together" reports that come in that represent the same attack.
Sometimes a report of a new worm or vulnerability comes in but the specifics are unknown, Jones says. In that case the analyst might send out an immediate alert about the report and advise members to "stay tuned" for a follow-up.
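The score-sheet triage, tier escalation, and CVE-based "gluing" of reports described above can be sketched as follows. This is an added example, not FS/ISAC or SAIC code: the weights, thresholds, familiar-incident list, and field names are assumptions, and the CVE names are placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed score sheet: question -> points for a "yes". Only the first
# question comes from the article; weights and thresholds are invented.
SCORE_SHEET = {"remotely_exploitable": 4, "exploited_in_wild": 3, "no_fix_available": 2}
ESCALATE_AT = 5                                                  # assumed threshold
CATEGORY_BANDS = [(8, "crisis"), (5, "urgent"), (0, "normal")]   # assumed bands
FAMILIAR_KINDS = {"worm", "port_probe", "vendor_vuln"}           # assumed list

@dataclass
class Report:
    source: str            # "member", "anonymous" or "commercial"
    kind: str              # incident or vulnerability type
    cve: Optional[str]     # CVE name, when the report carries one
    answers: dict          # score-sheet question -> bool

def correlate(reports):
    """Group reports that name the same CVE into a single event."""
    events = defaultdict(list)
    for n, report in enumerate(reports):
        events[report.cve or f"unnamed-{n}"].append(report)
    return dict(events)

def triage(event_reports):
    """Score one event and decide escalation, category and credibility."""
    # A "yes" from any report in the event is counted once.
    yes = {q for r in event_reports for q, a in r.answers.items() if a}
    score = sum(SCORE_SHEET.get(q, 0) for q in yes)
    # Unfamiliar incident types are escalated regardless of score.
    unfamiliar = any(r.kind not in FAMILIAR_KINDS for r in event_reports)
    category = next(name for floor, name in CATEGORY_BANDS if score >= floor)
    # Anonymous-only events stay at reduced credibility until another
    # source corroborates them.
    attributed = any(r.source != "anonymous" for r in event_reports)
    return {
        "score": score,
        "escalate": score >= ESCALATE_AT or unfamiliar,
        "category": category,
        "credibility": "full" if attributed else "reduced",
    }

# Constructed sample reports; the CVE names are placeholders, not real entries.
SAMPLE = [
    Report("anonymous", "worm", "CVE-0000-0001", {"remotely_exploitable": True}),
    Report("commercial", "worm", "CVE-0000-0001",
           {"remotely_exploitable": True, "exploited_in_wild": True}),
    Report("member", "port_probe", None, {"remotely_exploitable": False}),
    Report("anonymous", "atm_skimmer", None, {"no_fix_available": True}),
]

def run(reports=SAMPLE):
    """Correlate the reports, then triage each resulting event."""
    return {key: triage(group) for key, group in correlate(reports).items()}

if __name__ == "__main__":
    for key, result in run().items():
        print(key, result)
```

The two worm reports collapse into one event whose anonymous submission is corroborated by the commercial feed, while the unfamiliar anonymous report is escalated despite its low score.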
Naturally, with so much sensitive information at risk, SAIC's facilities need to be well protected against both cyber and physical attacks. "The systems are secured with firewalls, intrusion detection systems; they're hardened systems," says Jones. "Access to that system is physically tight; there's a separate data center with the appropriate physical access control, and logical access to that data is all two-factor identification," again RSA SecurID password tokens.
The FS/ISAC is managed by a nine-member board of directors from traditional financial service businesses such as Goldman Sachs, Morgan Stanley, and Merrill Lynch. But Yancey says that as part of the organization's evolution, four more board members are being added.
"The goal is to bring in what I would describe as the icons of the industry in physical security and begin to create programs to address the schism between physical and cyber security," he says. One such icon, William R. Wipprecht, CPP, senior vice president and director of security at Wells Fargo Company in San Francisco, was the first such expert appointed to the FS/ISAC board. Future members may include those who have expertise in traditional security matters such as fraud and money-laundering issues that are of particular interest to members.
Wipprecht explains that his background includes work as a security consultant for several major data centers, experience that he believes gives him a balanced perspective of the threat to data. He expects this perspective will serve him well as a conduit to the physical security industry. "While the data and firewall experts believe the 'attack' will be from cyberspace, more realistically it could be a physical attack against the components that drive the network," he says.
Yancey says that reports on physical security issues will come primarily from two sources: the membership and daily Department of Homeland Security briefings. Private groups will also be providing assistance.
"We are neophytes in developing a platform and an access to the physical security side of the business, so to the degree that we can work with ASIS International and other organizations to make that more robust, that's definitely the direction we're going in," he says. He adds that a series of physical security experts will be hired for the SOC "to enable us to provide 24-hour access in that area."
The two groups--the IT and the traditional security professionals--don't always communicate well, Yancey acknowledges, but FS/ISAC is taking steps to rectify that situation. One such effort took place in early March when a large New York City investment bank sponsored a program that brought together about 50 cyber and physical security officers for discussions and to hear from representatives of government groups such as the Secret Service.
Suzanne Gorman, chair of the FS/ISAC, who calls the meeting "a good step forward for all of us," says that she expects this event to spawn many follow-up gatherings. She says that most presentations at the New York program focused on the overlapping areas of physical and cyber security, such as cyberattacks on an organization's infrastructure: "If you get into the part of the organization that controls the water supply, the air conditioning units, and so on, you then have cyber really impact physical" security, she says.
Another meeting was planned as a large-scale tabletop exercise. Gorman explains that the two-day event, intended for both cyber and physical security professionals, would put "people in high-stress situations to see how they would deal at a time of a disaster." The mock disaster was planned to grow progressively more complex, she says, introducing both physical and cyber attacks. She says the exercise's "value added is that you can go back to your own organization immediately and start making changes to your incident response plan."
Wipprecht is enthusiastic about the tabletop exercise plan. "I think it will generate a broad perspective of challenges and ideas to the participants," he says. "My experience has been that in a major incident, all lines of business must participate. From response to recovery, no one group can do it all; it's truly a team effort."
Paying the bills.
The FS/ISAC offers five "service levels" at which members can join. The first, Basic Participant, is free and allows a single representative from the organization to receive urgent and crisis alerts (but not normal alerts) and to log in to the Web site to make anonymous or attributable e-mail submissions. Core members can join for $750 each year, which gives limited access to the Web site to four users; provides normal, urgent, and crisis alerts; and allows the member to complete a profile (as described previously) to define precisely the types of alerts it wishes to receive. Yancey says that this level is "extremely reasonable" considering the benefits given, but emphasizes that "we cannot sustain the organization on that level."
Premier membership costs $10,000 a year, gives RSA SecurID dynamic password tokens to 25 users (standard for members at this class and above), grants full access to the Web site including search capabilities, and allows members to participate in the type of crisis management calls described at the beginning of this article.
Gold founding members pay $24,950 annually for 50 individual membership credentials, 25 hours of free event-consulting in an incident, and entry to quarterly board meetings. For $49,950 per year, Platinum founding members get unlimited credentials, a named senior analyst to contact, and 50 hours of free consulting.
The ISAC has some 650 members, including nine gold and six platinum founding members. Yancey says that the group's goal by the end of this year is to have at least a thousand core members and 200 or more members at the premier level and above. "That, from a numbers standpoint, would allow us to be on the brink of break-even for the FS/ISAC," he says.
Yancey notes that there are about 25,000 firms in the financial services sector. "If we can get many thousands in the basic category, a thousand core members, and 200 premier and above members," it would allow the group to become self-funded, he says.
Help from Treasury.
The FS/ISAC's efforts have received tremendous support from the federal government. Michael Dawson, deputy assistant secretary in the U.S. Department of the Treasury's Office of Critical Infrastructure Protection and Compliance Policy, explains, "As part of enhancing the resiliency of the economy and the financial services sector, we have been enhancing the technology that supports the FS/ISAC" and supporting efforts to expand the organization's capabilities. A recent $2 million investment from Treasury will help these efforts, he says.
"What it's intended to do is be a one-time investment in the infrastructure that supports the FS/ISAC, to put it into a position where it can reach every financial institution in the United States and demonstrate its values," Dawson says. The money is for several projects that will help the ISAC grow and demonstrate its worth.
"One project was to put into place a set of metrics that could be captured through electronic processes and then presented in a simple graphical user interface so that the managers of the FS/ISAC, the board, and Treasury officials could see how the FS/ISAC was doing in responding," says Dawson.
Metrics collected by the ISAC show Treasury how well the effort is working. "How fast are they getting alerts out? How many financial institutions are contributing information back into the FS/ISAC? Is this becoming a two-way street or a one-way street? We want to make sure that it is as much of a two-way street as possible, that the institutions are putting information back in and sharing with each other," Dawson explains.
Much of the metrics project is already complete, says Gorman. For example, a "metrics dashboard" inside the password-protected area of the Web site gives statistics on how quickly alerts go out, the number of financial institutions receiving urgent and crisis alerts, and the number of reported vulnerabilities and alerts. However, in the future the project will expand. Gorman says that the board is talking about setting up different metrics for particular audiences, such as membership statistics for board members, and putting a more limited metrics dashboard on the site for any visitor to see.
Another project is a more robust notification system. This is known as the Critical Infrastructure Notification System (CINS).
"If you give us ten ways to get in touch with you, we'll walk down the ten methods until we get a confirmation that you have actually received the message," Yancey explains. "If we send out a crisis alert, then we'll be able to say to the membership and to the government that we have contacted X-thousand firms and we have confirmation" that key contacts received the information.
"It's in the process of being built," Gorman says. She says it is on track to be up and running by early November.
Dawson says that another project, the New Feeds and Data Collection project, will "create a secure, confidential, anonymous platform where financial institutions can exchange information in real time as they try to respond to the threats they face." This will be of particular value when a vendor releases a software patch because there can be unintended consequences when patches are implemented.
It may break something else or perhaps not work as intended, Dawson says, "so it's very useful for financial institutions to exchange information about what's happening as they respond in real time to a threat." Gorman expects this project to be completed by the end of September.
Despite the government's financial largesse, FS/ISAC and Treasury officials are quick to point out that only summary data is shared with the government. Dawson explains, "We want the financial institutions to run [the ISAC] for their own interests and to feel comfortable and confident that they can share information in confidence without it ending up in the hands of their regulator."
Nevertheless, the summary data are important to the government, he says. "Information in aggregate form can be very useful to us to give us a sense of how the industry is managing a particular threat," Dawson says.
Though the growing membership of the FS/ISAC is an indicator that it enjoys support from the financial services sector, that support is not universal. For instance, the fraud-risk manager of a large midwestern bank says that his organization has not joined, in part because he still doesn't see the value. "There are a lot of services out there that are just springing up that are trying to provide the same type of information at a variety of levels," he says, and indeed, some of these services are the same commercial partners that are providing cyberalerts to the FS/ISAC.
This manager originally questioned the usefulness of the next-generation FS/ISAC, which brings more of the traditional physical security expertise to the table. "There have not been a lot of physical threats to the financial services industry, even post 9-11," he said, adding that if banks face a risk of physical attack from terrorists, it's probably in their overseas branches, which are as yet not part of the FS/ISAC focus.
But contacted again after the Department of Homeland Security released intelligence in early August which revealed how al Qaeda operatives were surveilling financial institutions for possible attacks, this executive changed his mind. He now supports the FS/ISAC, and says, "If their response to physical security threats is equal to their response on the cyber side, then financial institution security professionals will gain tremendous value in FS/ISAC membership."
Supporters say that because the group's members are all financial-services-sector organizations, information is particularly relevant and trustworthy. "The vetting process is another cornerstone," Yancey says, "which means we go through a series of steps to ensure that you are who you say you are and that you are a reputable firm in order to become a member" at any level. This means that when a report comes in, members can be assured that it is from a trusted source.
The technical director of information security for a Washington, D.C.-based financial services organization added that most firms--including his own--will continue to "pay for other stuff and get other alerts. But just the fact that I can submit things and see what's going on with my peers" is value added.
Another member--the security operations manager of a large Texas-based financial institution--says that his organization finds FS/ISAC useful. "We are all excited about the tiered approach of the new FS/ISAC, its affordability, and, most importantly, its willingness to blend cyber and physical issues, since both types of threats are common and have a significant impact on our day-to-day operations all over the nation and world." He adds that the threat analyses and alerts he's received have been timely, on occasion even arriving before alerts from the commercial provider of cyberalerts.
The FS/ISAC has ambitious goals and the confidence it can reach them. It's aiming to become completely self-funded. With physical security experts on the board, it's trying to further increase the value-added proposition for members. And by year-end the group expects to be able to deliver urgent and crisis alerts to 99 percent of the sector within an hour. "That's extremely aggressive," Yancey says, "but we're talking about the protection of the infrastructure of the United States."
Bank professionals know the value of good investments. The FS/ISAC intends to show them the value of good intelligence. When it comes to financial security, there's more to defense than dollars and cents.
Peter Piazza is associate editor with Security Management magazine.