Conf42 Incident Management 2024 - Online

- premiere 5PM GMT

The Financial Impact of Cybersecurity: How We Reduced Costs by Millions with Strategic Security Initiatives

Abstract

Want to slash cybersecurity costs by millions while boosting protection by 45%? Join me in discovering what strategic security initiatives I have implemented to protect financial transactions exceeding $500 million annually. Learn to reduce risks and optimize your budget!

Summary

Transcript

This transcript was autogenerated. To make changes, submit a PR.
Hi all, my name is Mikhail Baranov, I'm a Cybersecurity Team Lead, and today I'm going to talk about how we reduced costs by millions with strategic security initiatives. I'd like to start with a short introduction of myself. I'm a Cybersecurity Team Lead with an extensive engineering background and experience. I have over a decade of experience in cybersecurity. I've led the design and implementation of global security infrastructures. I have extensive experience with risk management, building up solid and resilient security teams, establishing a security operations center, reducing cybersecurity risks, and consistently enhancing security and operational efficiency across international enterprises. Today's agenda: today I'm going to speak about my experience and how we've managed to build a solid and resilient cybersecurity framework and infrastructure within the corporate investment business, one of the biggest corporate investment businesses in Europe at the time I'm speaking about. It all started with a transformative initiative whose main goal was to fortify defenses, and as a result it also created revenue savings for our management in terms of risk reduction and buffering against breaches and other cybercriminal activity. Today I would like to share with you the journey we took, the challenges we faced, the strategies we implemented, and the insights we gained along the way. Let's start from the beginning. When I first joined the company, it was clear that the organization was at an important turning point regarding its cybersecurity posture. At the time I joined, it was a solid and global financial institution with billions of dollars in transactions annually and billions of dollars of revenue, and so it was only a question of when the cybercriminals would start to attack it. We started by creating a security roadmap.
And as we know, cybercriminals were no longer lone hackers, but organized groups employing advanced persistent threats and zero-day exploits, and some of them were even state-sponsored attacks. The existing cybersecurity framework wasn't consistent enough, and some of its aspects were overdue to counter modern security threats. That was the first critical point we found out when I joined the company. The lack of a consistent, unified approach not only created operational inefficiencies, but also left us vulnerable to a sophisticated attack that could exploit these disparities. The amount of risk that we found during the project and during the transformation was enormous. While we were counting the potential losses, we found out that they could exceed $500 million annually due to various data breaches, system downtime, and non-compliance penalties. Moreover, the threat of losing client trust and market share loomed large. As you probably know, the larger the organization, the more painful such cases are. I'm speaking mostly about trust and the relationship with the customers, in terms of security breaches and in terms of the security measures that we took to protect their assets and, basically, money. Right. Given the urgency, we embarked on a comprehensive project to overhaul our cybersecurity infrastructure. We formed the goal. The goal was pretty clear: we needed to design and implement a unified, resilient security framework that would safeguard our global financial operations and ensure strict compliance with internal and international security standards such as VFM and PCI DSS. As a global financial institution, adhering to those international security standards is a must, and none of the companies operating globally could avoid adhering to them. That was the main focus and the goal. Then we started to identify vulnerabilities and risks.
The first step, as I said, was that we conducted a thorough risk assessment, which involved several key activities. We involved a lot of people from the business side, management, infrastructure, compliance; all the departments were there to help us start our security transformation. So where to start from? Our risk assessment was divided into five steps. Five critical steps, which we identified as network vulnerability scanning, penetration testing, security configuration audits, application security testing, and employee security awareness evaluation. We started from network vulnerability scanning. Why? The answer is pretty simple. Since the organization is global, it should be available from any point of the globe. That means everyone could try to attack us, scan us, whatever. So we had to be prepared and secure our external perimeter as much as possible. We used advanced vulnerability scanning tools like wallets or kinetics to perform extensive scans of our infrastructure. Okay. We've identified over 1,000 vulnerabilities, some of them pretty severe and critical. I don't want to share those due to ethics, NDAs, and contracts, but trust me, those were really severe. Yeah, for instance, we found systems running outdated versions of operating systems. The problem was that those systems were externally facing, which means that each and every person out there with malicious intent could easily start to hack them, and that would result in significant damage to the organization due to a breach. The second step was penetration testing. Once again, it was conducted on both external and internal infrastructure and applications. First of all, we started with validation of the discovered and identified vulnerabilities. We conducted penetration testing using tools like Metasploit, Burp, Kali Linux, and many other testing techniques. We focused on confirming the most critical ones.
Additionally, our application security team simulated attacks to exploit vulnerabilities. That allowed us to track the events that occur once an external attacker tries to penetrate us. So that also enhanced our security operations center and security operations center playbooks, so we were ready to act if something like that happened. Further, we are now prepared: this exercise highlighted the potential for a malicious actor to cause significant damage, and that allowed us to get as much management attention as possible to close off those risks, or at least to start remediation. Then we began with security configuration audits of our infrastructure. We performed detailed audits of our security configurations, including firewalls, servers, endpoints, pretty much everything that we had inside. We even assessed our Bluetooth mice, keyboards, and headphones in the offices, because those could also be a part of the security attack surface. We found several critical misconfigurations, such as "allow any" rules to external destinations. This configuration could have allowed attackers to penetrate our network and exfiltrate data without detection. It also highlighted for us an area where we should focus further to harden our infrastructure. We used advanced tools for that; I'll speak about them later. All right, the next one: application security testing. We had an in-house development team, and as part of development they created web applications, mobile applications, and the rest, of course external interfaces, of course APIs, facing our customers and not only customers. We started to analyze and test those in terms of security. We used both static and dynamic application security tools, like OWASP ZAP. We've uncovered several critical vulnerabilities, like cross-site scripting and insecure API endpoints.
I'm speaking mostly about improper authentication of requests, especially inside the authorized area, right after the client logs in, after the client enters their credentials and all the stuff. So mostly those vulnerabilities were found there, as well as improper input validation on several fields within the registration form, as part of onboarding. All right, so the fifth and the last one: companies consider people as similar an asset as the servers, as the cash on the balance sheet, and the rest. The last point here, probably the last point in the risk assessment part, but the first in terms of defense, because, as we know, 95 percent of successful attacks start with social engineering, which means that humans are the weakest part of the security posture within the organization. We started with basic phishing tests and phishing simulations. The results were concerning. Most of the employees, 35 percent of the employees, clicked on phishing links and then provided their login credentials on fake login pages, which is very bad in terms of the first security gate of the defense, right? Of the defense in depth. That also underscored the need for advanced security training and security awareness management. After we'd performed all those risk assessments, we needed to present these findings in a way that would resonate with executive leadership. By quantifying the risks in financial terms, we illustrated the potential impact, and you'd be surprised: the financial exposure, the potential losses exceeding $500 million annually due to breaches, fraud, and downtime. Regulatory penalties: non-compliance with standards like SWIFT and PCI DSS could result in fines up to $50 million. And of course reputational damage: loss of client trust could lead to a 15 percent decrease in market share, and that's equity of up to hundreds of millions and loss of revenue. The question was, how are we going to mitigate those?
The answer was pretty simple: we had strategic cybersecurity initiatives. Armed with that information, we developed a comprehensive cybersecurity strategy focusing on several key areas. The first one was related to network segmentation and micro-segmentation. We divided the network into separate segments based on function and sensitivity using VLANs and subnets, using additional compliance checks on devices before they enter the network perimeter of the office; the office when the person comes in person to the office, not the working-from-home kind of thing. The second was micro-segmentation. We used software-defined networking technologies like Illumio. We enforced granular controls at the workload level. Each application and service was isolated, and communication was strictly controlled. This strategy appeared to be a zero trust model, where no network traffic is trusted by default and every communication is authenticated and authorized. That was the first brick in our cybersecurity framework and strategy that allowed us to reduce lateral movement and other risks related to insecure communications within the network and potential breaches. So that was more a proactive measure rather than a detective one. Then, using cutting-edge technologies, AI and machine learning, we started to move forward using SIEM. We deployed advanced SIEM solutions like ELK with Darktrace, and we integrated them both and enhanced them with machine learning. And we started using AI, which was provided by ELK mostly. We started to analyze the log data in real time. This allowed us to detect anomalies and potential threats that traditional systems might miss. And, spoiler alert, several incidents haven't happened exactly because of that.
Again, since people are the biggest asset within the organization in terms of security, we started to integrate user and entity behavior analytics. By establishing baseline behavior patterns for users and devices, we could identify deviations indicating malicious activity. For example, if an employee account suddenly started accessing large volumes of data at unusual hours, the system would flag this for investigation. We started to harden our endpoints by implementing endpoint detection and response. Recognizing that endpoints are common entry points for attackers, we deployed EDR solutions, and they were installed on all endpoints without any exception, together with our SIEM, providing real-time monitoring and automated response to threats. That also allowed us to perform automated isolation, again in conjunction with cutting-edge technologies like ML and AI: if an endpoint exhibited suspicious behavior, it could be automatically isolated from the network to prevent the spread of malware. Identity and access management: an additional brick in our cybersecurity framework and our resilience. To strengthen our access controls, we implemented multi-factor authentication across all critical systems to add an extra layer of protection beyond classic passwords. Additionally, we integrated it with Microsoft SSO and Azure SSO, which allowed us to control access at one point without any problems in terms of revoking access and providing access. Role-based access control, another thing that is pretty much basic: ensuring that employees have access only to the resources necessary for their roles, minimizing the risk of unauthorized access and privilege creep. Security orchestration, automation, and response: another tool that allowed us to enhance and embrace automation to enhance efficiency. Automated incident response using a SOAR platform, with automated responses to common security incidents.
As an example, we've created several scripts for containment after triggers on endpoints and servers. Playbooks, that's a common thing. But when we started, we understood that we had to dive deep into each case to develop a sophisticated playbook to respond to incidents. We developed standardized procedures for handling different types of incidents, ensuring a consistent and swift response based on a metering matrix. We've done that mostly for our security operations center. Compliance and standardization: to address inconsistencies across regions, we had to perform another audit, but more focused on the compliance side. Policy standardization, that's the thing we started from, because that's the soil, the ground for each and every organization: to have basic procedures, policies, and standards unified and aligned within the organization. We created a centralized security policy management system. All regions are required to adhere to the same security standards, reducing gaps in our defenses. And of course, international standards compliance. We aligned our controls with frameworks like ISO 27001, the SWIFT Customer Security Programme, and others like NIST. That not only improved security, but also simplified compliance reporting. Those are worldwide-known standards, created from best practices and based on security experience over the past 20-plus years, right? That's quite a solid term in terms of experience, again. Employee training and awareness: the first thing is understanding the importance of the human element. Mandatory training programs: of course, no one likes them, right? But still, there should be some. We launched comprehensive cybersecurity training for all employees. We gamified it. Users wouldn't just be staring at a presentation or pictures; they were like games, so they enjoyed it. At the end, they would receive a badge and an achievement, so they had successfully passed and could be proud of it.
Then we started to perform regular simulations just to train our users, because even if we see that a user was successfully phished and entered their credentials on a malicious website, we could still train them. So that's like a chance for both of us: for us to change our training system in case it wasn't successful enough and sufficient enough, and for the user. Over time, we reduced the click rate and phishing numbers from 35 to 5 percent. And you can imagine how happy we were once we tracked this 5 percent for more than three months. So trust me, that's quite an achievement for any security professional out there. I'd like to share some cases and successes within our path to stable and resilient security within the organization. So the first one was thwarting an advanced persistent threat. As I said earlier, it was only a question of time when an APT would target us and try to breach us. We found that one APT group targeted our organization and attempted to infiltrate our infrastructure through spear-phishing emails containing malicious attachments exploiting zero-day vulnerabilities. That was one of our C-level employees. For some period of time, he received several phishing emails, and accidentally clicked on one. Our detection tools, as I mentioned, the AI- and ML-powered SIEM, ELK, detected unusual email patterns and flagged them for investigation. Additionally, we found in our threat intelligence that the PC of our employee tried to reach an IP with a bad reputation. Our automated SOAR playbooks quarantined the suspicious emails and alerted the security team, but only after the email was clicked, unfortunately. But by neutralizing the threat before any damage occurred, we prevented potential losses. In between, the email was still open, but after it was opened, it was quarantined and the device was isolated for further investigation as soon as possible. So there was no damage.
Yeah, that was one of the cases where all of our bricks, except again the first one, the people, succeeded. The second case I would like to share is also related to cutting-edge technologies and how they increase efficiency in terms of responding to threats. An employee inadvertently downloaded ransomware that attempted to encrypt network shares. I remember it like it was today. That was a late evening. I received an email and an alert that our EDR system had identified file encryption activities on one of our devices, which was trying to access network shares with elevated privileges. The infected endpoint was automatically isolated and files were restored from secure backup storage. Again, that's an example of when the threat entered our infrastructure by phishing, social engineering, right? Later on we identified that it was a fake advertisement for one of the popular messengers out there. So yeah, this is again an example of how ML and advanced AI technologies could help you identify and react proactively to issues and threats that could reach your infrastructure. The outcome was pretty simple. It was pretty straightforward, right? Zero data loss and no ransom paid, saving approximately $5 million in potential costs. Later on in the news, we found out that several companies in our industry faced those issues, and some of them paid, some of them faced significant disruption of services provided to the customers and therefore lost revenue and customer trust as well. Through this experience, we gained valuable insights. First of all, proactive risk management is essential. Automation enhances efficiency. Standardization reduces vulnerabilities. Aligning security with business goals. I'll start with proactive risk management. It's an essential thing within any organization. Regular risk assessments and continuous monitoring are critical.
Being proactive can help you identify and address vulnerabilities before they are exploited. But what if a vulnerability is still there and is being exploited, like a zero-day, right? Automation doesn't replace human expertise as such, but by automating routine tasks, responses, basic security tasks, our security team could focus on more complex threats and strategic initiatives. Standardization within the infrastructure, within the assets, within everything inside the organization: consistent security practices across all regions eliminate gaps that attackers could exploit. It also simplifies compliance efforts and audits. Once again, plenty of the standards would simplify the cybersecurity team's life within the organization quite a lot. I'm speaking about ISO, NIST, and other regulations that are worldwide known and could be used in each and every organization. Those could be tuned based on your needs. Your organization could start benefiting from those right from the beginning, right from the start of the implementation. The fourth one is aligning security with business goals. Again, security is more of a support department, I would say, right? Security should not interfere with the business. Security initiatives should support business objectives, not the other way around. By demonstrating how security enhances customer trust and protects revenue, we gained support from leadership and stakeholders. Which means we were able to prove to management that security really works and saves money. Saving money is one of the points in increasing revenue. So for business, it was quite straightforward. We save money, we increase our revenue. We increase customer trust, we increase revenue. If we fail, that means our revenue goes down. So security is quite important. So by analyzing those, we came to a point where we should present the financial impact that was created by the security initiatives. We avoided losses.
Operational savings, downtime reductions, and return on investment: what it was, this was over 90 million. That was quite impressive, but financial impact is not the only thing that was increased and improved after we performed and completed all those security initiatives. Our efforts also bolstered our reputation. We achieved compliance: we obtained ISO 27001 and completed SWIFT, enhancing our credibility with our customers and within the business industry as well. So we really made one step up in terms of our maturity as an organization. Customer retention: client confidence led to a 7 percent increase in customer retention, contributing to revenue growth, and that's related not only to business customers, I mean financial organizations, but regular clients as well. That's all I've said. I would like to share the recommendations for implementation after sharing all this journey and all the obstacles and problems I've mentioned. So the first and most important thing is to invest in security and invest in advanced technology. These technologies can process vast amounts of data and identify patterns that humans might miss. That's one more important topic here I'd like to mention: we are all people, right? All people have a maximum amount of energy they can spend during the working day, right? People can't work 100 percent efficiently throughout 8, 9, 10 hours. This is where technology, and advanced technology like AI and machine learning, comes in handy. The second one is to implement layered security, of course. It's adopting a defense-in-depth strategy, zero trust, using multiple security measures and different layers to protect against various types of threats. That will become basic, I would say in one year that will become a basic thing for each and every organization, even in startups. The third thing: there should be standardization.
You have to standardize security protocols, ensuring that security policies and procedures are consistent across all regions and departments. Of course, there could be deviations based on local government rules, policies, internal policies, and the rest. But still, those should be standardized; this reduces vulnerabilities and simplifies compliance. The fourth point: foster a security-conscious culture. Again, people are the main asset within the organization, similar to cash on the balance sheet, and, as confirmed by the two cases, that's the weakest part of security within any organization. Each company should invest in regular training and awareness programs, empowering employees to be the first line of defense against cyber threats. And the fifth point: alignment. Alignment of security strategy with business strategy. The strategy and value of cybersecurity should be communicated in business terms. None of the business representatives within any department except technology understand the risk of, for example, lateral movement. My advice here is to demonstrate how security initiatives protect revenue, enhance customer trust, and support growth by quantifying the risk of lateral movement and quantifying the measures that were developed and how they support the business strategy within one, two, or maybe three years. It depends on each and every organization, again. So I would like to conclude here. In today's interconnected world, vast and rapidly growing, in each and every industry, especially the financial industry, cybersecurity is not just a technical issue for the business anymore. It's a fundamental business concern. Our journey demonstrates that with a strategic approach, it's possible to significantly reduce risks and achieve substantial financial savings.
By identifying vulnerabilities, implementing advanced security measures, and fostering a culture of security awareness, we protected our assets and supported our company's growth. I hope our expertise provides valuable insight that you can apply within your own organization. Cybersecurity is a continuous journey, and staying ahead of evolving threats requires commitment, innovation, and collaboration. What are your thoughts about the conference today? I am happy to answer any questions you might have. And thank you for your attention. It was lovely to have you. Thank you.
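The user and entity behavior analytics approach the talk describes (baselining each account's usual hours and data volumes, then flagging deviations such as a large read at an unusual hour) as an added Python example; this is illustrative code written for this page, not the speaker's or any vendor's implementation, and the log lines and user names are constructed.

```python
"""UEBA-style baseline and deviation detection over constructed access logs
(added example, not the talk's or any vendor's code)."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed training log: "<ISO timestamp> <user> <bytes_read>" per line.
BASELINE_LOG = """\
2024-03-01T09:12:00 alice 120000
2024-03-01T11:40:00 alice 95000
2024-03-02T10:05:00 alice 130000
2024-03-02T14:30:00 alice 88000
2024-03-03T09:50:00 alice 140000
2024-03-03T16:20:00 alice 105000
2024-03-04T13:15:00 alice 115000
2024-03-05T15:45:00 alice 99000
2024-03-01T08:30:00 bob 40000
2024-03-02T09:10:00 bob 52000
2024-03-04T10:20:00 bob 45000
"""

# Constructed events to score: normal read, 2:30 AM bulk read, off-hours
# read at normal volume, and an account never seen before.
NEW_LOG = """\
2024-03-06T10:00:00 alice 110000
2024-03-06T02:30:00 alice 5000000
2024-03-06T22:10:00 bob 47000
2024-03-06T11:00:00 mallory 70000
"""

def parse_log(text):
    """Parse lines into (timestamp, user, bytes) tuples, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1], int(parts[2])))
        except ValueError:
            continue
    return events

def build_baseline(events):
    """Per user: hours of day seen plus a robust median/MAD volume profile."""
    hours, volumes = defaultdict(set), defaultdict(list)
    for ts, user, nbytes in events:
        hours[user].add(ts.hour)
        volumes[user].append(nbytes)
    baseline = {}
    for user, vols in volumes.items():
        median = statistics.median(vols)
        mad = statistics.median(abs(v - median) for v in vols)
        # 1.4826 * MAD estimates one standard deviation; the floor stops a
        # zero-MAD profile (identical reads) from flagging every deviation.
        scale = max(1.4826 * mad, 0.1 * median, 1.0)
        baseline[user] = {"hours": hours[user], "median": median, "scale": scale}
    return baseline

def score_events(events, baseline, k=4.0):
    """Flag events outside baseline hours, above median + k*scale, or from
    an account with no baseline at all (which an analyst must look at too)."""
    findings = []
    for ts, user, nbytes in events:
        profile, reasons = baseline.get(user), []
        if profile is None:
            reasons.append("no_baseline")
        else:
            if ts.hour not in profile["hours"]:
                reasons.append("unusual_hour")
            if nbytes > profile["median"] + k * profile["scale"]:
                reasons.append("volume_spike")
        if reasons:
            findings.append({"user": user, "ts": ts.isoformat(), "reasons": reasons})
    return findings

def run():
    """Build the baseline from the training log and score the new events."""
    return score_events(parse_log(NEW_LOG), build_baseline(parse_log(BASELINE_LOG)))
```

With the constructed data, the 2:30 AM 5 MB read is flagged for both hour and volume, bob's off-hours read only for the hour, and the unknown account for having no baseline, while a normal daytime read raises nothing.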

Mikhail Baranov

CyberSecurity Team Lead @ ZFX
