Reserve Bank of India Cyber Security Framework

Transcription

1 Reserve Bank of India Cyber Security Framework HOW SMOKESCREEN HELPS YOU COMPLY

2 RBI Cyber Security Framework How Smokescreen Helps You Comply Table Of Contents Executive Summary 3 About the Framework 3 General Compliance 4 Annex 1 - Baseline Cyber Security and Resilience Requirements 5 Annex 2 - Operationalising Cyber Security Operation Centre (C-SOC) 7 Annex 3 - Template for Reporting Cyber Security Incidents 10 About Smokescreen

3 RBI Cyber Security Framework How Smokescreen Helps You Comply Executive Summary The RBI Cyber Security Framework specifically calls for implementing counter-response and honeypot technologies that Smokescreen offers through our pioneering IllusionBLACK decoy technology. The systems that need to be put in place as a part of the Cyber SoC requires the following aspects to be addressed Counter response & honeypots RBI Cyber Security Framework - Annex 2 This white-paper explains how IllusionBLACK also helps you comply with more than 20 other points in the RBI framework. About the Framework In the light of growing cyber risks against banks, the RBI s new cyber security framework seeks to improve resilience, define baseline security controls, and move banks to pro-active defence. It mandates that the cyber security policy must be distinct from the broader IT and IS policies currently in place. The framework specifically calls for banks to move their thinking to assume breach, act pro-actively, and focus on detection, response and containment rather than just preventive capabilities. It also details capabilities around information sharing, reporting requirements and cyber crisis management. The policy is divided into general guidance followed by 3 annex sections which contain the details of the prescribed controls. The following are the Annex sections: 1. Baseline cyber security resilience requirements Covering the minimum security controls that banks need to implement in their policy. 2. Setting up and operationalising Cyber Security Operation Centre (C-SOC) Describing the specific capabilities that are expected from the bank s security monitoring and response center. 3. Template for reporting cyber Incidents A format for structured documentation of incidents for reporting to the RBI. 3

4 General Compliance The first section of the framework covers general guidance on how banks should approach cyber security at a strategic level. Smokescreen helps comply with the following points: Framework Reference Introduction Point 6 Framework Requirement Continuous surveillance How Smokescreen Helps Smokescreen s IllusionBLACK works 24/7, monitors the network in every single subnet, and is the only solution that covers the entire kill-chain (life-cycle of an attack). Introduction Point 6 Regularly updated on the latest nature of emerging cyber threats Smokescreen s IllusionBLACK detects the intent and behaviour of an attacker, and is agnostic to attacker s methodology, so it stays effective against any new type of threat. Introduction Point 12 Cyber crisis management plan should address detection, response, recovery and containment Smokescreen s IllusionBLACK is specifically designed for rapid detection, response and containment of advanced threats. We focus on reliable attack detection and minimising response time. Our integrations allow containment actions to be automated to stop attacks as soon as they occur. Introduction Point 14 Sharing of information on cyber security incidents with RBI Smokescreen's IllusionBLACK allows both human readable and machine readable export of threat intelligence in industry standard sharing formats such as STIX and CSV. Our ThreatPARSE natural language reconstruction automatically translates raw intelligence data into simple English. 4

5 Annex 1 - Baseline Cyber Security and Resilience Requirements This section deals with the specific requirements to be put in place by banks to achieve minimal cyber security resilience. Framework Reference Network and Security Point 4.9 Framework Requirement Security Operation Centre to monitor the logs of various network activities and should have the capability to escalate any abnormal / undesirable activities. How Smokescreen Helps IllusionBLACK provides complete network monitoring down to the subnet level and has built in manual and automatic escalations. Decoy technology has the lowest false positives of any security solution, avoiding event overload, and making the SOC monitoring highly effective. User Access Control / Point 8.2 Carefully protect customer access credentials such as logon userid, authentication information and tokens, access profiles, etc. against leakage/ attacks Decoy technology can create fictitious customer access account details, credentials, login passwords and so on. These decoy credentials are distributed across the bank s IT environment and trigger when an attacker attempts to gain access to them. User Access Control / Point 8.5 Log and monitor privileged/ superuser/administrative access to critical systems (Servers/OS/DB, applications, network devices etc.). IllusionBLACK s credential theft decoys create fake administrative credentials that can be placed on servers and endpoints in such a way that attackers find them easily. These dummy credentials appear to offer privileged access, however, they raise an alarm when an attacker attempts to use them. User Access Control / Point 8.7 Monitor any abnormal change in pattern of logon. Same as for Point 8.5 above. 5

6 Advanced Realtime Threat Defence and Point 13.1 Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise. IllusionBLACK deception defences can detect the spread and execution of of malicious code in every single subnet of the network. The solution can also analyse the actions that the malware takes, and monitor its attempts to communicate with command and control channels. Data Leak Prevention Strategy Point 15.1 and 15.2 Develop a comprehensive data loss/leakage prevention strategy to safeguard sensitive (including confidential) business and customer data/ information. This shall include protecting data processed in end point devices, data in transmission, as well as data stored in servers and other digital stores, whether online or offline. IllusionBLACK creates data decoys that are decoy documents that appear to contain confidential information. These documents can be placed on the systems of highvalue targets (such as senior management), on servers, or on critical systems such as in the treasury or IT operations. Any attempt to access these data decoys will trigger a silent alarm. Furthermore, the decoys can track an entire nexus as the data is passed from one person to another. Incident Response and Point 19.6 (c) Establish and implement systems to collect and share threat information from local/ national/international sources IllusionBLACK can export industry standard threat intelligence that can be consumed by other systems. Additionally, it can integrate with practically any other security device in order to automatically push or pull threat information in real-time. Lastly, Smokescreen customers benefit from the wisdom of the crowd, where attacks seen against one bank create intelligence to protect all the others. Forensics Point 22.1 Have support/ arrangement for network forensics/forensic investigation/ddos mitigation services on stand-by. Smokescreen offers on-call triage and forensics services both independently and along with IllusionBLACK. Customers of our managed services model benefit from immediate attack analysis, system triage, containment recommendations and full-blown forensics. Our forensics services are on-demand with a pay only for what you use, when you use it commercial model. 6

7 Annex 2 - Operationalising Cyber Security Operation Centre (C-SOC) The second annex covers the requirements for operations of a cyber security operations centre, including what must be monitored, and how incidents must be responded to. Framework Reference Introduction Point 3 Governance Aspects Point 1 Governance Aspects Point 2 Framework Requirement Constant and continuous monitoring of the environment using appropriate and cost effective technology tools Board briefing on threat intelligence Dashboards and oversight How Smokescreen Helps IllusionBLACK is one of the most cost-effective solutions for monitoring a large environment. On average, our decoy monitoring solutions are 2 to 3 times cheaper than traditional monitoring. Additionally, the system requires minimal maintenance, freeing up existing resources to work on other priority areas. Smokescreen's private threat intelligence decoys give information about threats that specifically target your bank, not just companies in general. This information about who is seeking you out is of tremendous value to the board and helps define security priorities. IllusionBLACK has a highly accoladed visual dashboard that makes complex attacks easy to understand for laypersons without any technical knowledge. Cyber SOC Points to be Considered Point 1 Cyber SOC Points to be Considered Point 4 (b) The approach and methodology required to be put in place has to necessarily take into account proactive approaches rather than reactive approaches and have to also address possible unknown attacks. Incident investigation, forensics and deep packet analysis need to be in place to achieve the above. Our dashboard is regularly presented to senior management, and features replay capabilities to visually help understand the chronology of an attack. Decoy technology falls under the category of Active Defence, which is the new pro-active approach to security. Instead of waiting for attacks to complete, active defence solutions try to bring the attack to light with extremely rapid detection and response. Decoy technology is also agnostic to the attack methodology, so it stays effective no matter what the bad guys try tomorrow. IllusionBLACK has full packet capture of all attacks seen by the decoys. It also maintains full forensic evidence, and creates IOCs (indicators of compromise) to help find more instances of compromise. 7

8 Cyber SOC Points to be Considered Point 4 (d) Analytics with good dash board, showing the geolocation of the IP s IllusionBLACK s intuitive dashboard, and natural language attack reconstruction make analysis extremely simple. The system also geolocates attackers in real-time automatically, saving analysis time. Cyber SOC Points to be Considered Point 4 (e) Counter response and Honeypot services IllusionBLACK is an enterprise honeypot system. We have the maximum deception techniques and most holistic kill chain coverage of any deception technology available. Expectations from SOC Point (b) Ability to provide real-time/ near-real time information on and insight into security posture IllusionBLACK detection and alerts are real-time. They are also so accurate (minimal false positives) that telephone alerts can be configured directly from the system. Expectations from SOC Point (d) Ability to assess threat intelligence and the proactively identify/visualize impact of threats on the bank IllusionBLACK offers unparalleled threat intelligence that is instantly visualised, automatically analysed, and can be integrated with other systems. Expectations from SOC Point (e) Ability to know who did what, when, how and preservation of evidence IllusionBLACK ThreatPARSE automatically reconstructs attacker activity, reducing mean time to know (MTTK) from days to minutes. All attack evidence is forensically preserved in standard formats for further analysis. 8

9 Expectations from SOC Point (f) Integration of various log types and logging options into SIEM, ticketing/workflow/case management. IllusionBLACK has multiple integrations to push and pull information to other systems. If an integration for a particular system does not exist, Smokescreen can build it for you. Key Responsibilities of SOC - Monitor, analyze and escalate security incidents - Develop Response - protect, detect, respond, recover IllusionBLACK and Smokescreen s managed services increase your capabilities to cover all the key responsibilities of the SOC. - Conduct Incident and Forensic Analysis External Integration Threat intelligence feeds from various sources may be provided by the product vendors. Security information feeds from other Banks in particular and the financial ecosystem in general will be quite useful. IllusionBLACK offers the benefit of threat information sharing. Our strong client base in banking and financial services in India means that we often know about targeted threat attempts before anyone else. The benefits of this threat intelligence is shared with all other Smokescreen customers. 9

10 Annex 3 - Template for Reporting Cyber Security Incidents This section of the framework proposes a detailed documentation structure to capture the particulars of an incident for reporting to the RBI. When it detects an incident, Smokescreen s IllusionBLACK can provide information to help complete the following fields from the template: Basic Information Date and time of incident detection Type of incident and systems affected Chronological order of events Root cause analysis Date of resolution CSIR Form Incident severity Type of threat / incident When was the incident first observed? How was the incident first observed? Who observed TCP / UDP ports involved in the incident Affected systems IP address / attacker s IP address Operating system What is the earliest known date of attack? What is the source / cause of this incident? Did the bank locate / identify IP addresses / domain names relating to the incident? 10

11 About Smokescreen At Smokescreen, we use our deep insight into how apex hackers operate to build deception based defences. Our IllusionBLACK is the industry s most advanced decoy technology bringing military deception principles to the digital battlefield. Smokescreen s solutions protect some of the most highly targeted organisations globally, including leading financial institutions, and Fortune 500 companies. info@smokescreen.io Phone: Web: Address Smokescreen Technologies Kaledonia D wing, 1st Floor Sahar Road, Andheri East Mumbai , India.