Protecting the Castle - Moats Don’t Work Anymore
Mike Rizzo, Chief Information Officer, Boston Financial
Kevin Hutchinson, Information Security Director, DST
Source: bostonfinancial.com/15cco/inc/Info Security.pdf


Page 1: Protecting the Castle - Moats Don’t Work Anymore

Moderator
Panelists
Mike Rizzo, Chief Information Officer, Boston Financial
Kevin Hutchinson, Information Security Director, DST

Page 2: “A Journey Through Time…”

10 Years of Information Security at Boston Financial
Mike Rizzo, Chief Information Officer, Boston Financial

Page 3: The Beginning

A Simple Theme in 2004…
Let the good guys in and keep the bad guys out.

Page 4: Our Common Threats

Trojans
Spyware & Malware
Identity Theft
Internet Hacks
Viruses

Page 5: Partnerships

Our partnership to enhance security
Global issue requiring collaborative effort
Join in creating a “community defense”

Page 6: What We Did…

Page 7: Our Security Strategy

Defense in Depth!

Page 8: What is a Strong Password?

1908
goat
Cubs
Sox2004#1!
Back2Back!
#34Mvp05!
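An added example, not from the deck, that runs the slide's six candidates through a classic "length plus character classes" complexity rule and then a pattern check. The theme word list and thresholds are assumptions; the point it shows is that the three candidates that satisfy the complexity rule still follow guessable shapes (a team name, a four-digit year, a jersey number), which is why current guidance screens for known words and patterns rather than relying on composition rules alone.

```python
import re
import string

# The six candidates from the slide.
CANDIDATES = ["1908", "goat", "Cubs", "Sox2004#1!", "Back2Back!", "#34Mvp05!"]

# Assumed tiny theme word list (Boston/Chicago baseball); a real check would
# use a large dictionary and a breached-password list.
THEME_WORDS = ("back", "cubs", "goat", "mvp", "sox")

def char_classes(pw: str) -> int:
    """Count how many of the four classical character classes appear."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(any(c in cls for c in pw) for cls in classes)

def meets_complexity_policy(pw: str) -> bool:
    """Typical 2004-era rule: at least 8 characters and 3 of 4 classes."""
    return len(pw) >= 8 and char_classes(pw) >= 3

def predictable_patterns(pw: str) -> list:
    """Guessable structure that a complexity rule does not see."""
    found = []
    if re.search(r"(19|20)\d\d", pw):
        found.append("four-digit year")
    for word in THEME_WORDS:
        if word in pw.lower():
            found.append("word:" + word)
    # One run of letters with digits/symbols only at the ends is the classic
    # "word plus suffix" shape that guessing rules try first.
    if re.fullmatch(r"[^A-Za-z]*[A-Za-z]+[^A-Za-z]*", pw):
        found.append("letters with only edge padding")
    return found

def assess(pw: str) -> str:
    """Verdict: fails the rule, passes it, or passes it but is predictable."""
    if not meets_complexity_policy(pw):
        return "fails policy"
    return "passes policy, predictable" if predictable_patterns(pw) else "passes policy"

def assess_all(candidates=CANDIDATES) -> dict:
    return {pw: assess(pw) for pw in candidates}

if __name__ == "__main__":
    for pw, verdict in assess_all().items():
        print(f"{pw:12} {verdict:28} {predictable_patterns(pw)}")
```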

Page 9: Targeted Solutions but Silo Focused

Firewall
IDS
Configuration Management
IPS
Patch MGMT
Change Control
Antivirus

Reconnaissance
Spear Phishing
Credential Loss
Malware

Multi-Factor Authorization

Page 10: What Were Our Biggest Challenges? 2006 to 2010

Managing multiple, emerging “Threat Spheres”
Making effective use of security monitoring and log review
Portable device control and auditing
Data leakage control at the desktop and the perimeter
Creating an effective wireless strategy
Enhancing security standards as businesses and networks go offshore and offsite
The consumerization of the network: controlling iPods, iPhones and Web 2.0
Dealing with emerging security threats and attack trends
Involving our vendors and business partners in privacy-related communications and strategies

Page 11: What Were We Doing About It?

Email Encryption
Persistent Vulnerability Scanning
Web Extranet Applications 3rd Party Pen Test
3rd Party Firewall and Router Review
Centralized Device Control for all Workstations
Vericept Data Leakage Monitoring
Qualys Subscription Scanning Service
Merging of Intrusion Detection and Anomaly Detection Systems
Laptop and PDA Encryption
Voltage - Identity Based Encryption
Encryption Requirement for Transportable Media
USB Thumb Drives Restricted to Authorized Use
Two Factor Authentication - Remote Access
Single Sign-on DST Applications
Enhanced Due Diligence with 3rd Party Providers

Page 12: Our View of the 2011 - 2013 Landscape

Malware
92% of email spam contains a web link
74% of those links are malicious
Multiple vehicles are possible to deliver malware: PDF, Java apps
Adware is primary offender

Mobile Devices - BYOD
90% of employees including executives use mobile devices
Less than 50% employ security policies on the devices
Malware targeting mobile devices grew 155% in 2011

Data Leak Prevention (DLP)
Identity Access Management
Country Sponsored Attacks
Professional Hacking Organizations
eMail Spam Volumes and Complexity
Proliferation of Internet Accessible Devices

State of the Electronic Communications Environment
Secure the information and the access to that information but be device agnostic
Who can access what info from where and what can they do with it
Access to external email accounts via corporate network
Compelling new apps, e.g. social media, make it easy and ‘normal’ to share information

Page 13 and 14: Know Thy Adversary…

Who Is The Enemy?
External Threats: A Sophisticated, Ever-Moving Target
Sophisticated Criminal Networks using the online shadow economy, offering diverse services replete with biz models, service guarantees…
The Explosive Proliferation of Malware: Botnets, iFrames, Trojans, Password Harvesters…
Subversion of Legitimate Websites using iFrame Vulns
Criminal Hackers Evolving Faster than Internet Users
Risk was moving from Perimeter to the Desktop!

Page 15: At the End of 2012

We thought our primary threat was Malware, so we took these steps:
Implemented Dynamic Content Filter Solution
Implemented Next-Gen Firewall Technology
Implemented Hybrid Email Protection
Implemented Browser Sandboxing Solution
Implemented Phase 1 of Identity Access Management Infrastructure

Page 16: Our View of the Landscape Today

Fundamentally the landscape hasn’t changed that much since 2005. The threat vectors are similar.
But…
Pace has changed dramatically
Complexity and persistence have increased significantly
There are more points of exposure now
Adversaries are smarter, better funded and have better tools
So are we, and now we are starting to see a community of defense form to combat a common enemy

Page 17: Operationalizing Cyber Intelligence at Boston Financial

Intelligence Sources:
Financial Services Information Sharing and Analysis Center (FS-ISAC)
Financial Services Sector Coordinating Council (FSSCC)
Advanced Cyber Security Center (ACSC)
Federal Entities and Agencies including the , FBI and Homeland Security
Verizon
FireEye / Mandiant Report

Output:
Vulnerability Indicators
Threat Indicators
DDoS Alerts
Cyber Threat Alerts
Analysis Requests
Emerging Threat Warnings
Critical Infrastructure Protection Guidance
Security Policy Guidance

Evaluate, Correlate & Prioritize:
Enterprise Information Security
ISO
Information Security Threat and Vulnerability Analysis Team (ISTVAT)
Internal Task Force
Managed Security Services
Shared Organization Info
Security Operations
Threat & Vulnerability Analysis Team

Recommendations & Response:
Threat Warnings
DDoS Alerts
Malware Signature Updates
Social Engineering Awareness
Educational Awareness
Security Policy Updates
Input for Patching Prioritization
Client Response
Crisis Communications
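An added illustration (not part of the deck or of Boston Financial's tooling) of the "Evaluate, Correlate & Prioritize" step in the flow above: constructed reports from sources named on the slide are merged by subject, scored by severity, corroboration and exposure of in-house assets, and routed to one of the response outputs the slide lists. The scoring weights, the asset inventory and the indicator ids are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    source: str    # intelligence source (names taken from the slide)
    kind: str      # "vulnerability", "threat" or "ddos"
    key: str       # what the report is about (placeholder ids)
    severity: int  # 1 (low) .. 5 (critical), as rated by the source

FEED = [  # constructed sample reports, not real intelligence
    Report("FS-ISAC", "vulnerability", "VULN-PLACEHOLDER-A", 4),
    Report("FireEye / Mandiant Report", "vulnerability", "VULN-PLACEHOLDER-A", 5),
    Report("ACSC", "vulnerability", "VULN-PLACEHOLDER-A", 4),
    Report("Verizon", "vulnerability", "VULN-PLACEHOLDER-B", 3),
    Report("FS-ISAC", "ddos", "DDOS-CAMPAIGN-PLACEHOLDER", 4),
    Report("FBI", "threat", "THREAT-ACTOR-PLACEHOLDER", 5),
    Report("FSSCC", "threat", "THREAT-ACTOR-PLACEHOLDER", 3),
]

# Constructed asset inventory: vulnerability id -> internal systems it affects.
ASSETS = {"VULN-PLACEHOLDER-A": ["extranet-web-tier"], "VULN-PLACEHOLDER-B": []}

RESPONSE_CHANNEL = {  # response outputs named on the slide
    "vulnerability": "Input for Patching Prioritization",
    "ddos": "DDoS Alerts",
    "threat": "Threat Warnings",
}

def correlate(feed):
    """Merge reports about the same key: distinct sources, highest severity."""
    merged = defaultdict(lambda: {"sources": set(), "severity": 0, "kind": None})
    for r in feed:
        entry = merged[r.key]
        entry["sources"].add(r.source)
        entry["severity"] = max(entry["severity"], r.severity)
        entry["kind"] = r.kind
    return merged

def prioritize(feed=FEED, assets=ASSETS):
    """Score = severity + 1 per extra corroborating source + 2 if it touches
    an asset we own. Returns (score, key, response channel, exposed assets),
    highest score first."""
    ranked = []
    for key, entry in correlate(feed).items():
        exposed = assets.get(key, [])
        score = entry["severity"] + (len(entry["sources"]) - 1) + (2 if exposed else 0)
        ranked.append((score, key, RESPONSE_CHANNEL[entry["kind"]], exposed))
    return sorted(ranked, key=lambda item: (-item[0], item[1]))

if __name__ == "__main__":
    for score, key, channel, exposed in prioritize():
        print(f"{score:2}  {key:26} -> {channel}  {exposed}")
```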

Page 18: An Orchestrated Defense

Information Security Environment at Boston Financial V10.1
Data Exchange Layer: an innovative, real-time, bi-directional communications fabric providing product integration simplicity. Security components operate as one to immediately share relevant data between endpoint, gateway, and other security products, enabling security intelligence and adaptive security.
Diagram elements: Asset, Threat, Identity, Activity, BPM, Risk, Data, Location

Page 19: 2015 Cybersecurity Strategic Investments

Risk Mitigation: Requires ongoing investment in solutions to improve our effectiveness in preventing or rapidly containing existing and emerging threats

1. Network Edge control – Honey pot technology - Complete
2. Data leakage prevention (DLP) solutions for email - Complete
3. Email encryption (McAfee) - Complete
4. Automate identity & access management processes – Phase 1 Complete
5. RSA Archer Governance Risk and Compliance (GRC) – Phase 1 Complete
6. Upgrading Incident Response Capabilities (3rd party partners) – In process
7. Network Access Control within our internal infrastructure - Complete
8. Implemented Risk Based Authentication for VPN connection - Complete

Page 20: Strategic Plans for 2016 - 2017

1. Incorporate Security Incident and Event Monitoring (SIEM) within infrastructure
2. Enhance our endpoint to help prevent malware and zero day threats
3. Partner with our ISP to implement Distributed Denial of Service attack mitigation to our infrastructure
4. Partner with Third-party for enhanced phishing training
5. Enhance mobile device protection
6. Continue to align with the NIST standards
7. Upgrade/replace the Intrusion Prevention System (IPS)

Page 21: Information Security, Privacy and Risk Overview

Kevin Hutchinson, Information Security Director, DST

Page 22: Enterprise Services Executive Leadership

Vercie Lark - Executive Vice President & Chief Information Officer

Business Unit (Product Dev.) Chief Information Officers:
ALPS - B. Szydlowski
AMS - M. Stubblefield
Argus - M. Gentry
BPS - D. Sherry
Blue Door -
Brokerage - W. Tyner
Comms. - M. Miller & W. Marinko
IFDS UK - Simon Moorhead
Health Solutions - T. Hurley
Retirement - L. Carnesecca

Information Protection - Don Ainslie
Technology R&D - Peter Clark
IT Services (WWS) - Ian Harris
Chief Data Officer - Recruiting
Quality & Compliance Officer - To Be Hired
Infrastructure - Alex Burbatsky
Business Planning - Bill Chisholm
ERP Development - Archie Wesley

Page 23: Information Protection Executive Leadership (Oct 2015)

Don Ainslie - VP, Enterprise Security, Privacy and Risk
OPEN - Chief Information Security Officer
Mike Mahoney - Physical Security Director
Dan Thomas - Chief Privacy Officer
Derek Bridges - Enterprise Risk Officer
Amy McVay - Director, Crisis Management & BC
Kevin Hutchinson - Director, Security Operations
Brian Kemp - Manager, Security Architecture

Page 24: Information Security

Integrated security policies that are aligned with the ISO 27001/27002 framework and migrating to the National Institute of Standards and Technology (NIST) Cybersecurity Framework
Managed through a tiered enterprise governance model aligned with strategic goals and mitigating risks associated with information management
Enterprise security program for governance, risk and compliance ensures that all associates follow the same guidelines and practices when handling customer information
Defense-in-Depth, layered approach augmented by more holistic “Threat Intelligence” and information sharing strategies, provides multiple layers of not only protection but prevention

Page 25: DST Security Model

Risk Assessment
Architecture, Policies & Standards
Training & Awareness
Configuration Compliance
Proactive Surveillance
Proactive Operations
Governance & Audit

Continuous Improvement Life Cycle with a focus on getting back to the basics
Areas of Emphasis 2015 - 2017
Risk and Compliance Management

Page 26: DST Information Security – Layered Defenses

Personal Devices: Desktop Login Authentication (Strong Passwords); AntiVirus, Anti Spyware, Encryption, USB Port Blocking; Security Patch/Configuration Management
Networks (Internal & External): Network Login Authentication (Strong Passwords); Firewalls & Network Access Controls & DDOS Services; Data Encryption & Data Loss Prevention, Web Filtering; Vulnerability Scanning & Penetration Testing; Security Patching & Configuration Mgt./Auditing
Data Centers: Perimeter Access Gates & Bollards, Security Guards; Biometric & Badge Access Controlled Rooms; 24x7 Surveillance
Servers: Server Login Authentication (Strong Passwords); Vulnerability Scanning & Exploit Remediation; Data Encryption & Access Monitoring/Auditing; Security Patch Configuration Management
Applications & Databases: Application Login Authentication (Strong Passwords); Vulnerability Scanning & Exploit Remediation; Database Access Monitoring/Auditing; Security Patch & Configuration Management

Page 27: DST Information Security – Strategic Programs

Proactive Risk Management: Requires proactive investment in solutions, infrastructure and skills to prevent and eliminate emerging risks while maintaining industry compliance

Incremental investment in security tools and services (Target):
1. Application source code scanning - Complete
2. Data leakage prevention (DLP) enhancements - Complete
3. Database access monitoring enhancement - Complete
4. Identity & access management solutions - WIP
5. RSA Adaptive Authentication Solutions - FY 2016
6. Security information & event management (SIEM) - Ongoing
7. Talent acquisition & recertification - Ongoing
8. Vulnerability scanning & penetration testing - Ongoing

Page 28: DST Security & Compliance (2015 - 2018)

Strategic Programs (2-3 Years):
1. Active counter measures (Intrusion prevention)
2. Application security coding standards & certification
3. Enhanced security training & awareness programs
4. Global privacy & data leakage prevention
5. Global risk & crisis management programs
6. Logical access management enhancement
7. M&A playbook (day one & post integration standards)
8. Strengthen 3rd party security management processes