This week, Preempt had the opportunity to participate in the annual FS-ISAC Fall Summit 2016 in Nashville, TN. FS-ISAC ( which stands for Financial Services Information Sharing and Analysis Center) is the financial industry's go to resource for cyber and physical threat intelligence analysis and sharing. The Fall Summit brought together over 700 C-level and Sr-level financial services professionals as well as Security executives across the globe to discuss the latest information on threats, sharing of best practices and trends across the sector.
The theme at FS-ISAC this year was about sharing security information (or “Strength in Sharing”). Many sessions on best practices, techniques and tools were designed to reiterate the advantages of well designed and successful information sharing programs.
Beyond this, there were broad themes that we identified from the different sessions and in discussions with attendees that highlighted several areas of focus for many financial institutions in 2017. Here are the key takeaways:
Insider threats and privacy:
Attendees talking about starting up an insider threat program in 2017 was a common theme. Regulations and the number of compromises attributed to insiders was top of mind for many attendees. The fine balance between individual privacy and corporate requirements is still a challenge that is being debated (as I mentioned, information sharing was the theme of the conference). To that end, STIX & TAXII continue to drive discussion while addressing privacy concerns.
Risk will never be zero:
That will be true as the nature of threats evolve and response will change to match the evolving threats. And get innovative to address the problem. Try to change perception where possible. For example, training on phishing is challenging, it teaches users to not trust emails. The goal should be to get users to trust email.
Engage users in security:
Changing of user behavior is possible. Users do not have to be the weak link. Train users to change behavior with introduction of friction in the process and reward positive behavior. Further, create exercise drills, learn and fix. Focus on training so you will be ready in “war” times.
Predictive Security is coming:
Multiple sessions were focused on using data science to help with different types of security problems including threat intelligence, building models for handling incidents and identifying malicious actors and ransomware. But it was also interesting to see predictive analysis and cognitive sciences make their mark at the conference in various discussions.
In addition, there were many practical sessions on improving security practices and deployment strategies. Many were built out of enterprises trying to improve their security posture and some were built through commonsense. Regardless, they were designed to make financial institutions better and more secure.