Sapienza Università di Roma, Dipartimento di Informatica e Sistemistica
Middleware Laboratory (MIDLAB)

Information Sharing for the Financial IT Infrastructure: Opportunities and Technological Challenges

Roberto Baldoni
Università degli Studi di Roma “La Sapienza”
[email protected], http://www.dis.uniroma1.it/~baldoni/

Second Workshop on Cyber Security and Global Affairs
Zurich, Switzerland, 8/7/2010


The case of Collaborative Cyber Security in Financial Ecosystem

■ "Webification" of critical financial services, such as home banking, online trading and remote payments;
■ Cross-domain interactions spanning different organizational boundaries are in place in financial contexts;
■ Heterogeneous infrastructure systems, such as telecommunication supply, banking and credit card companies, working on heterogeneous data.


The case of Collaborative Cyber Security in Financial Ecosystem

■ A payment card fraud (2008)
  ■ 100 compromised payment cards were used by a network of coordinated attackers to withdraw cash from 130 different ATMs in 49 countries worldwide, totaling 9 million US dollars.
  ■ High degree of coordination; executed in half an hour.
  ■ Evaded all the local monitoring techniques used for detecting anomalies in payment card usage patterns.
  ■ The fraud was detected only later, after aggregating all the information gathered locally by each financial institution involved in the payment card scam.


The case of Collaborative Cyber Security in Financial Ecosystem

■ Distributed Denial of Service attack (2007, Northern Europe)
  ■ Render web-based financial services unreachable for legitimate users.
  ■ The DDoS attack targeted a credit card company and two DNS.
  ■ Internet restored only after several trial-and-error activities carried out manually by network administrators of the attacked systems and of their Internet Service Providers (ISPs).
  ■ Long preparation time (days), short attack time (seconds).


The case of Collaborative Cyber Security in Financial Ecosystem

■ Neither of the previous attacks can be detected quickly through the information available at the IT infrastructure of a single financial player (i.e., through local monitoring)
■ Need for information sharing
  ■ Exchange non-sensitive status information
  ■ Set up of agreements
■ Advantages of a global monitoring system
  ■ Damage mitigation
  ■ Quick reaction
■ Sense and respond applications (ATC systems, C&C applications, business intelligence)
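An added illustration (not from the slides or the CoMiFin project) of why the 2008 card fraud evaded local monitoring yet shows up once members pool their events: each institution applies a distinct-ATM rule to its own events, then the same rule runs over the shared, pseudonymized events. The threshold, the room key, the event fields and every sample event are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

WINDOW_S = 30 * 60                  # correlation window ("half an hour" on the slide)
MAX_ATMS = 3                        # assumed limit: distinct ATMs per card per window
ROOM_KEY = b"constructed-demo-key"  # assumed secret held by the sharing members

# Constructed sample events: (institution, card, atm, unix_time)
EVENTS = [
    ("bank_a", "card-001", "atm-a1", 1000),
    ("bank_a", "card-001", "atm-a2", 1300),
    ("bank_b", "card-001", "atm-b1", 1500),
    ("bank_b", "card-001", "atm-b2", 1900),
    ("bank_c", "card-001", "atm-c1", 2200),
    ("bank_c", "card-002", "atm-c1", 2300),   # ordinary customer
    ("bank_a", "card-002", "atm-a1", 90000),  # same customer, next day
]

def pseudonymize(card):
    """Keyed hash: members can correlate a card without publishing its number."""
    return hmac.new(ROOM_KEY, card.encode(), hashlib.sha256).hexdigest()[:16]

def detect(events, max_atms=MAX_ATMS, window_s=WINDOW_S):
    """Return card keys seen at more than max_atms distinct ATMs in one window."""
    by_card = defaultdict(list)
    for card, atm, ts in events:
        by_card[card].append((ts, atm))
    flagged = set()
    for card, uses in by_card.items():
        uses.sort()
        start = 0
        for end in range(len(uses)):
            # Slide the window start forward until it spans at most window_s.
            while uses[end][0] - uses[start][0] > window_s:
                start += 1
            if len({atm for _, atm in uses[start:end + 1]}) > max_atms:
                flagged.add(card)
    return flagged

def local_alerts(events):
    """Each institution evaluates the rule on its own events only."""
    return {inst: detect([(c, a, t) for i, c, a, t in events if i == inst])
            for inst in {e[0] for e in events}}

def shared_alerts(events):
    """Members publish (pseudonym, atm, time); the rule runs on the union."""
    return detect([(pseudonymize(c), a, t) for _, c, a, t in events])
```

With the sample data no institution raises a local alert, while the pooled view flags the pseudonym of `card-001`. The keyed hash hides card numbers only from parties without the key; any member holding it can still test a card number it already knows.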


Structure of a sense-respond application

■ Sensors
■ Event Notification
■ Complex Event Processing
■ Application-level correctness factors
  ■ Accuracy (no false warning)
  ■ Completeness (no real warning goes undetected)
  ■ Timeliness (no late warning)

[Figure: structure of a sense-respond application. Labels: Basic events, Data Dissemination, CEP, warnings]


The added value of Collaboration

■ Sharing resources and data
■ Added values (potential):
  ■ Improved accuracy
  ■ Improved completeness
  ■ Better timeliness
■ Additional problems (real):
  ■ Data privacy
  ■ Data retention
  ■ Sustain high throughput
  ■ Large bandwidth and computing capabilities
■ Barriers to collaboration
  ■ Understanding the economics
  ■ Trust
  ■ Legal issues

[Figure labels: Internet, Events, warnings; organizations shown: LLOYDS, Unicredit, France Telecom, EDF, AT&T, SWIFT, UBS]


EU CoMiFin Project (www.comifin.eu)

[Figure: layers shown: Internet Level, Collaboration Level, Application Level]


Collaborative Cyber Security: CoMiFin platform

■ CoMiFin offers FIs a platform for gaining the benefits of community-based collaboration over a “business social network”.
■ The CoMiFin platform addresses needs considered important in the financial operator community (such as information security, data privacy, SLA, contractual relationship for entering a community, “certified” anonymity, …).
■ The CoMiFin project was submitted to three Financial Advisory Board (FAB) meeting evaluation sessions, which highlighted its possible business value in real financial use cases. Some FAB members: SWIFT, SIA-SSB, IMI-SAN PAOLO, BANK OF ITALY, UBS.


Collaborative Cyber Security: CoMiFin platform

■ The CoMiFin platform can potentially be useful for addressing the following business use cases:
  ■ Monitoring and reaction to threats (MitM, Stealthy Scan, Phishing, …)
  ■ Black/white lists distribution (for credit reputation, trust level, …)
  ■ Anti-terrorism lists (with name check VAS)
  ■ Anti-money-laundering monitoring
  ■ Risk management support
■ These use cases imply value-added services that can be offered by SPs to FIs over CoMiFin.


The notion of semantic room

■ Contract
  ■ Set of processing and data sharing services provided by the SR, along with the data protection, privacy, isolation, trust, security, dependability and performance requirements.
  ■ The contract also contains the hardware and software requirements a member has to provision in order to be admitted into the SR.
■ Objective
  ■ Each SR has a specific strategic objective to meet (e.g., large-scale stealthy scan detection, detecting Man-In-The-Middle attacks).
■ Deployment
  ■ Highly flexible, to accommodate the use of different technologies for the implementation of the processing and sharing within the SR (i.e., the implementation of the SR logic or functionality).


The notion of semantic room: relationship with cloud computing

■ Private cloud
  ■ Deployment of the semantic room through the federation of computing and storage capabilities at each member
  ■ Each member brings a private cloud to federate
■ Public cloud
  ■ Deployment of the semantic room on a third-party cloud provider
  ■ The third party owns all computing and storage capabilities
■ Federation of computing and storage resources: no cloud approach

[Figure: layers shown: Internet Level, Collaboration Level, Application Level]


CoMiFin Testbed

Two semantic rooms:

■ Man-In-The-Middle Attack
■ Stealthy Scan


Collaborative Stealthy scan detection


Collaborative Man-in-The-Middle attack

[Figure: architecture diagram. Labels: PE (several instances), Event Manager, Overlay Manager, CEP Engine, Processing rules, DHT Overlay, Events from SR Gateways, Dissemination of Alerts/Events, Processing results, Intermediate processing results, Events/Intermediate processing results forwarded to DHT overlay, Events/Intermediate processing results received from DHT overlay]

■ Event Manager: manages I/O (events/alerts) with the outside world
■ Overlay Manager: manages the internal communication and distributed storage
■ CEP Engine: applies processing rules and produces alerts and intermediate processing results

[Figure: dashboard screenshots. Callouts: Alerts in the dashboard; Alert details (time, source, target, etc.); Service affected; Score on the alert; Metrics in the dashboard]


Conclusions

■ Customizable event correlation on top of the IP network
■ Moving event correlation to the edge
■ “Locally-aware” computing
■ Usage of open-source technologies for event processing and event dissemination (Agilis, FreePastry, Esper, Jaql, etc.)
■ The economic value of information sharing for Cyber Security
■ Collaboration with SANDIA laboratory (USA)


Information Sharing for the Financial IT Infrastructure: Barriers and Opportunities (Rome, October 12th 2010)

“Cyber Attacks are categorized as an operational risk by the Basel Committee on Banking Supervision in the Basel II accord. Recent evidence of successful Internet-based attacks and frauds involving financial institutions highlights the inadequacy of the existing protection mechanisms, in which each institution implements its own isolated monitoring and reaction strategy. With the joint advent of web 2.0, the ultra broadband and of the (private/public) cloud computing technologies, a new era is opening concerning the opportunity for groups of trusted parties for sharing, processing and correlating a huge amount of information that can be used to raise the defences of financial institutions. However cultural, organizational and legal issues create barriers to this kind of cooperation.

The aim of the workshop is to bring together people from academia, research centers, stakeholders and regulators to analyze opportunities and risks associated with the sharing of information in the Financial IT world. Our ultimate aim is to influence decision and policy makers to take advantage of these opportunities. The workshop will be formed in two sessions. The first one will include a series of invited presentations providing views on Information Sharing from stakeholders and regulators and conclude with a panel discussion. The second session will introduce a series of technical presentations discussing frameworks for information sharing and modelling the added value of cooperation in the Financial IT world.”

Organized by CoMiFin Partners and SANDIA Labs

Program available soon at http://www.comifin.eu/
