How Can Indian Banks Comply with RBI cybersecurity Guidelines

Transcription

1 How Can Indian Banks Comply with RBI cybersecurity Guidelines Understanding the new RBI guidelines and how Cyberbit helps financial institutions achieve compliance White Paper

2 Table Of Contents State of Cybersecurity in India s Financial Sector... 3 The RBI Guidelines... 4 Overview Weighing the Omnipresent Risk of a Technology Cyber Crisis Management Plan and Acclivity of Technology Empowering Incident Response and Management Keeping up with Cyber Awareness and Preparedness The Cyberbit Cybersecurity Portfolio... 6 SOC 3D Orchestration and Automation Cyberbit Endpoint Detection and Response Cybersecurity for Smart Building Critical Systems Cyberbit Range Achieving Compliance to the RBI Guidelines... 10

3 State of Cybersecurity in India s Financial Sector As consumers continue to advance towards digitization, pressure mounts on the IT infrastructures of financial institutions. They must race to provide innovative digital services while also ensuring robust information security standards are in place to protect and benefit both consumers and the bank itself. In turn, banks are facing an unprecedented challenge of cybersecurity breaches. McKinsey predicts the cost of implementing and managing cybersecurity infrastructure is predicted to increase 40% by According to the Indian Emergency Response Team (CERT-In) approximately 28,000 cybersecurity incidents were reported in June The Reserve Bank of India (RBI), has provided guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds. The guideline is intended to facilitate proactive response and management of cyber incidents. 1 The Future of Bank Risk Management, McKinsey & Company, July How Can Indian Banks Comply with RBI Cybersecurity Guidelines

4 The RBI Guidelines Overview Following the announcement in the April 2010 Monetary Policy Statement, a working committee was constituted to change the measures and outlook from static to a much more proactive and cyber aware approach by modifying policies and procedures with the current trends. The guidelines provided by Reserve Bank of India focus on speeding implementation of new developments and emerging concerns in cyber security. Weighing the Omnipresent Risk of a Technology The size, systems, technological complexity, digital products, stakeholders and threat perception varies from bank to bank and hence it is important to identify the inherent risks and the controls in place to adopt appropriate cyber-security framework. - RBI Cybersecurity Guidelines There are several types of risks that must be considered, such as; operational risk, infrastructure risk, data loss or design risk before adoption, alignment with business and regulatory requirements, methods of delivery, organizational culture and internal and external threats. Based on these parameters, each technology is assigned a risk level (low, medium, high or very high) in terms of adoption and usage. Cyber Crisis Management Plan and Acclivity of Technology In contrast to security incident response plan that focuses on day-to-day security issues and its resolution, a Cyber Crisis Management Plan (CCMP) focuses on a contemplated process and plan for continuous improvement, corrective measures and fortification of infrastructure, technology and services. The goal is to proactively defend from unknowns and advanced cyber threats including, but not limited to zero-day, remote access threats, targeted attacks, ransomware, crypto ware or destructive malware. CCMP addresses four aspects of detection, response, recovery and containment with an overall goal of establishing a cyber resilience framework. Empowering Incident Response and Management It is imperative to have a robust incident response framework for effective remediation and response of a threat and at the same time support the cyber resilience objectives of a financial institution. The goal of incident response is rapid recovery from cyber-attacks and safe resumption of business operations. Every Security Operation Centre (SOC) must have a well-defined incidence response framework, with clear roles and responsibilities for all team members. Access to historical data, coupled with powerful analysis tools proactively provide insights from past outbreaks that help the SOC continually reduce time to respond (TTR) over time Empowering SOC involves integrating various log types and logging options into SIEM; ticket management, workflow and case management, big data repository for natural search, integration of various threat intel and security tools, and customization based on risk and compliance requirements of a financial institution as per the RBI guidelines. Cyber Security Framework in Banks, Reserve Bank of India 4 How Can Indian Banks Comply with RBI Cybersecurity Guidelines

5 The sequence of tasks performed by SOC personnel may vary per incident when implemented by humans, but a defined workflow for an incident category will always be consistent. Hence, incident response should be automated, either partially or fully, according the RBI guidelines. At the same time, the cybersecurity skill shortage has fuelled the exploration of simple yet effective tools that can be used by less experienced SOC personnel. Well-defined automation of repetitive tasks is the best way to reduce SOC workload. Keeping up with Cyber Awareness and Preparedness It should be realized that managing cyber risk requires the commitment of the entire organization to create a cyber-safe environment. R.Ravikumar, Chief General Manager, Reserve Bank of India It is also observed, that if you ask SOC personnel about a threat such as SQL injection or ransomware, he/she may be able to define it by name and nomenclature, but when it comes to explaining micro actions of a threat, there is a lack of familiarity and detailed knowledge necessary to effectively respond to a cyber threat or incident. This information gap helps the attackers gain enough of a time advantage to achieve their malicious goals. Financial sectors can improve their level of preparedness and ability to defeat the adversary by using real simulated trainings over different attack vectors. Simulation training allows SOC personnel to quickly improve both knowledge and hands-on skills so that when things get chaotic, they are ready to respond the moment as a live cyber-threat gains foothold in the environment. At the same time, awareness and knowledge should be inculcated about cyber-attacks, threat vectors and do s and don ts of cyber awareness with the top management and board to keep them on the same page of all nuances and familiarize them for fair degree of cognizance. 5 How Can Indian Banks Comply with RBI Cybersecurity Guidelines

6 The Cyberbit Cybersecurity Portfolio SOC 3D Orchestration and Automation SOC 3D is a security orchestration, automation, and response (SOAR) platform, which enables information security organizations in to automate and orchestrate the entire incident response lifecycle, reducing time to response by 90% and tripling the efficiency of the security operation. SOC 3D integrates all sensors, data feeds and tools in the SOC, to create a single point of control for security operations in financial institutions. SOC 3D provides advanced investigation, reporting and customized dashboards powered by big data for forensic analysis and reporting. SOC 3D - Centralize and Automate Incident Response 6 How Can Indian Banks Comply with RBI Cybersecurity Guidelines

7 Cyberbit Endpoint Detection and Response Cyberbit Endpoint Detection and Response is a detection and response platform made for and used by critical government infrastructure and defence organizations. Cyberbit EDR solves the most pressing security challenges of detecting unknown and advanced threats. Cyberbit EDR - Visualize the entire attack timeline to investigate incidents and get to their root cause within minutes 7 How Can Indian Banks Comply with RBI Cybersecurity Guidelines

8 Cybersecurity for Data Center Control Systems Financial organizations often employ ICS/SCADA control systems, which provide digital control of physical devices. For example: to control air conditioning, electricity, elevators and more. These systems have become prime targets for cyber threat actors. For example: a cyber attacker can easily tamper with air conditioning control systems, increase the temperature in the organization s data center and take it out of service. Traditional IT systems are challenged in protecting these environments as they use unique devices and communication protocols. Cyberbit s SCADAShield platform helps financial organizations address this new challenge by monitoring control system network and detecting threats and configuration risks. SCADAShield integrates with other Cyberbit systems to provide consolidated detection and response across all environments. SCADAShield - real-time network visualization: device mapping, communication protocols, IT/OT touch-points, and risks 8 How Can Indian Banks Comply with RBI Cybersecurity Guidelines

9 Cyberbit Range Cyberbit Range is a training and simulation platform that increases security team efficiency and addresses the talent shortage gap by actively training security teams in simulated attack scenarios. The training involves identifying an issue, spread of an attack, finding footprints and collaborative effort of resolution and remediation. Controlled through a guided User Interface gives the SOC instructor the ability to gauge and find pitfalls in skills of a SOC personnel undergoing training. Cyberbit Range - Instructor view of simulated cyber-attack and defence 9 How Can Indian Banks Comply with RBI Cybersecurity Guidelines

10 Achieving Compliance to the RBI Guidelines Cyberbit understands the challenges of banks and financial organizations and has developed a unified cybersecurity platform focused on strenghtening the core aspects of a cyber resilience framework and fulfiling RBI guidelines. The following table highlights key RBI guidelines and how Cyberbit s products organizations address them: Circular: RBI/ /418 DBS.CO/CSITE/BC.11/ / Point Guideline Achieve Compliance 5 The size, systems, technological complexity, digital products, stakeholders and threat perception vary from bank to bank and hence it is important to identify the inherent risks and the controls in place to adopt appropriate cyber-security framework. Riskiness of the business component also may be factored into while assessing the inherent risks. Unlike conventional detection products, Cyberbit products can all be deployed completely on-premise, in air-gapped environments, while retaining their functionality. This minimizes the customer s risk because data does not have to leave the organization for analysis, threat intelligence, etc A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. CCMP should address the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment. Banks are expected to be well prepared to face emerging cyber-threats such as zero-day attacks, remote access threats, and targeted attacks. Cyberbit EDR is built to provide detection of zero day, unknown and targeted attacks and responding to these threats post detection for achieving recovery and containment. 17 It should be realized that managing cyber risk requires the commitment of the entire organization to create a cyber-safe environment. This will require a high-level of awareness among staff at all levels. Top Management and Board should also have a fair degree of awareness of the fine nuances of the threats and appropriate familiarisation may be organized. Cyberbit Range is a training and simulation platform that trains security teams at all levels, from junior to executive, in cyber emergency scenarios, and to gain complete awareness on different threats and attacks. As a result, banks can raise awareness of an attack or threat, including at all levels of staff, executive management and the board. Annex Maintain an up-to-date and preferably centralised inventory of authorised/unauthorised software(s). Consider implementing whitelisting of authorised applications /software/libraries, etc Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise Implement Anti-malware, Antivirus protection including behavioural detection systems for all categories of devices endpoint and servers Enough care is to be taken to capture audit logs pertaining to user actions in a system. Such arrangements should facilitate forensic auditing, if need be. Whitelists can be created and maintained on Cyberbit EDR and SCADAShield, to monitor and control use of authorised or unauthorised software. Serving as the last layer of defence, Cyberbit EDR detects installation, spread, and execution of malicious code through EDR agents installed across the organization. Cyberbit EDR performs behavioural analysis and machine learning on recorded information across different layers on endpoints and servers. The audit maintains a trail of all actions for review and examination. 10 How Can Indian Banks Comply with RBI Cybersecurity Guidelines

11 Point Guideline Achieve Compliance 18.1 Periodically conduct vulnerability assessment and penetration testing exercises for all the critical systems, particularly those facing the internet Conduct targeted awareness/training for key personnel (at executive, operations, security related administration/operation and management roles, etc.) Cyberbit Range supports replication of existing network in the virtual test bed for penetration testing exercises without compromising on uptime of the actual network during testing. Cyberbit Range can be used by all members of the organization for cyber awareness training and practice responding to cyber crises Evaluate the awareness level periodically. Cyberbit Range stores performance metrics for all trainings of every trainee or attendee that can be used to evaluate improvement or downgrade of skills in past and present Establish a mechanism for adaptive capacity building for effective Cybersecurity Management. Cyberbit Range provides a mechanism for adaptive capacity building. The simulated platform comes with a robust library of scenarios and the ability to easily develop custom scenarios. Annex 2 4 The systems that NEED to be put in place as a part of the Cyber SoC requires the following aspects to be addressed. Methods to identify root cause of attacks, classify them into identified categories and come out with solutions to contain further attacks of similar types. 4 Incident investigation, forensics and deep packet analysis need to be in place to achieve the above. 4 Analytics with good dash board, showing the Geo-location of the IP s 4 Ability to assess threat intelligence and the proactively identify/ visualize impact of threats on the bank 5 Integration of various log types and logging options into SIEM, ticketing/workflow/case management, unstructured data/big data, reporting/dashboard, use cases/rule design 5 Technology for improving effectiveness and efficiency (tracking of metrics, analytics, scorecards, dashboards, etc.) SOC 3D provides analysis dashboards to identify root causes and classifies each based on categories. SCADAShield identifies vulnerabilities and root causes in physical control networks including smart grids and air conditioning control systems and more. Cyberbit EDR provides incident investigation, forensics and treat hunting. SOC3D automates and orchestrates the incident investigation and provides advanced investigation dashboards. SCADAShield provides deep packet analysis on numerous protocols to achieve rapid and accurate detection of threats and their cause. SOC 3D dashboards show geo-location information. Multiple dashboards are available, for example for mapping ATM threats and Point of Sale (POS) attacks. SOC 3D and EDR can integrate with subscribed threat intelligence as an enrichment to provide details and impacts of a threat. SOC 3D can ingest SIEM data and additional logs in multiple formats. SOC 3D investigation platform provides multiple KPI dashboards for tracking SOC efficiency. 11 How Can Indian Banks Comply with RBI Cybersecurity Guidelines

12 ABOUT CYBERBIT Ltd. Cyberbit provides a consolidated detection and response platform that protects an organization s entire attack surface across IT, OT and IoT networks. Cyberbit products have been forged in the toughest environments on the globe and include: behavioural threat detection, incident response automation and orchestration, ICS/SCADA security, and the world s leading cyber range. Since founded in mid-2015 Cyberbit s products were rapidly adopted by enterprises, governments, academic institutions and MSSPs around the world. Cyberbit is a subsidiary of Elbit Systems (NASDAQ: ESLT) and has offices in Israel, the US, Europe, and Asia. sales@cyberbit.com APAC Office Temasek Avenue Centennial Tower, #21-23 Singapore Tel: Israel Office 22 Zarchin St. Ra anana Israel Tel: