« Exchanges at Goldman Sachs

An Evolution in the Cybersecurity Landscape

2021-11-10

How has the surge in cyberattacks—and companies’ efforts to counter these efforts—evolved? Matthew Chung, Goldman Sachs' Chief Information Security Officer, Wesley Williams, head of the firm's Security Incident Response team, and Andy Boura, the Chief Information Security Officer for the Consumer Banking Business explain how cybersecurity is adapting to new threats.

This is an unofficial transcript meant for reference. Accuracy is not guaranteed.
Is, is a common sacks in seeing a shy, Justine Goldman Sachs Research? in this episode. Working behind the scenes are common sacks to explore the surge of cyber attacks and how companies efforts to counter these threats have a lot to do I join my Math Chung common sacks of cheap information security officer was glance at the firm secure It's not response team and Andy Bora, the chief information security officer for consumer banking, business that wasn't Andy welcomes the programme itself in. Thank you man. Let's start with you, you have more than thirty years of it. periods in technology operations and really cybersecurity across Wall Street Cyber attacks. Are increasingly getting more sophisticated and destructive start by said
the stage and how you ve seen companies about their approach to cyber security. I think it's change suitably over the years. I remember Ten years ago I was working in the UK as a global system for large financial institution. We are called by the UK government down to ten Downing Street to talk to about a stable Jones, who was the newly appointed UK, Cyprus and the garden had invited twelve of the top high street banks were their specific. We talk about the increasing for cyber and how the public and private sectors could work together and meet that threat. and I remember, being in ten Downing Street ruins big office that baby table and Baroness Ashton something well. Let's talk about the state of where we all are in the banking sector and Cyprus sense that nobody wanted to talk. Nobody wanted information be actually considered cyber defence as a competitive edge. I was one of the shortest meetings remaining on the topic of cyber when you fast forward now,
Mason sharing is an absolute must. Cyber threat now that the tactics and tools and procedures will be granted. You guys have done quite sophisticated. They become quite destructive and no one company and defend the whole field Oh, we rely on appears to sharing for me and we rely on governments whether in the? U S, UK, etc to provide us with fright intelligence and give us some help when necessary, and so I think that's been, the biggest change in terms of asylum since posture thing it's that willingness to share- and there are a couple of farms within the financial services sector dedicated to the sector that I think are quite effective deficit, sack, which is the financial services, information sharing and analysis centre, and at the start now, is called the Ark once you, the analysis and resilience and of these organizations that are geared specifically for sharing information amongst the members of the sector is about these events. I think we're training in the right direction having more mission sharing is necessary, think now or not to sharing, sort of threats, but we now stand.
Sure data was going to. I think this is the future of cyber defence. Hence we are throwing curveball, of course, that the pandemic and the hybrid work environment employs constantly shifting positions. Did that change the cyber security landscape for security chiefs absolutely I think, no one. Ever you have a remote workforce. It introduces a new set of threats. The first one is that the big Since then, a working from homer, maybe I'm working on a laptop Starbucks. Those networks tend to be less secure. Its number one never to rethink devices that folks are using it. I'm talking broadly. Not. U concept is broadly the hardware. The computers laptops folks are using to connect to their companies, who think that they may not be as secure as well. Maybe compromise plan of There is a physical security angle, which is usually don't knows, on yellow sign that people
running analytics around anomalous behaviour. Looking for I play for people belonging and now, instead of having maybe ten thousand a day now you I'm on his hands and so comes guide difficult from an annex perspective to be able to tackle. Some of that- and I think pride of final thing in its I'm not talking about much, but when you're sitting in your ass in your laptop, your planet by yourself and you get efficiently an example. Would you turn to ask eight, as is look Archie desisted suspicious to you you're, on your own sort of information sharing among your team or your group or wherever that doesn't really existed in remote working. But so do we honour, for example,. ninety five percent of all cyber beaches start with a fishing attacks. Imagine you get something that really looks like, gentlemen email, but maybe in the back of your mind, you're, not quite sure what you call you asking you workin where's the fire when the biggest and was you manage our twenty four seven threat management centre so
given everything matter said how The evolution of the space in these attacks the way you approach your job on your team. for sure, and I think it's clear, there's been so many different types of attacks to consider it right that so many different dimensions, but whether it be our cloud assets, containers on premises. Assets were not even to think about brand reputation, website, attacks, supply chain attacks, weird thing for extra to introduce malicious software libraries into your code, business email compromise now aware. Folks are trying to manipulate you into sending to an unintended destination, need us attack regularly make the news trying to inhabit sites, availability and then ran somewhere. I think that's primary topical as well, so I think we got a combination of all these things- is gonna. Let us to converge on a virtual fusion centre, sort a multi disciplinary approach really to make sure
the right stakeholders are brought in to manage the events man's in its and not just engineering but legal compliance, the receipt of vision, privacy, etc. I think another thing that we ve started to see anything that touched on this, a little bit around fishing is were started. Seeing taken fishing campaigns and is the volumes of other security events, so its lead us to think about investing significantly and automation right, elbow send another vendor solutions just to help us managing country ass. These events, mad touch on some there's really really important around just being until lead, so the thirteen his intellect is very cheap and having some of those trusted sharing relationships with other organisations. It helps you gonna, build that margin right. in safety to get ahead of various threats that my dearest to the sector, so that there are several ways we ve evolved. That's the last one is we focus What more on drilling and preparedness right, and I think that
six ordinary important for us and not just tabletop exercise sitting around the table talking about, but actually validating that your tip abilities work as you expect. So if you think you have a capability to isolate host, let's validate that, if you think you have a capable to restore recover. Let's validate the tools, I think those for some. important changes that have happened over the last few years and just to take a quick step back just to give some contacts, in broad terms how many of these various taste of attacks it is an average bank on Wall Street deal with every day you can do with doesnt wrote a sometimes dozens and fishing attacks. a campaign could definite come in and hundreds sometimes and thousands, but we'll see between someone trying to do some sort of business in a compromise attack to someone doing something with our brand fear is the guy, the teams very busy? Yes, I mean clearly there in some very high profile went somewhere attacks, colonial pipeline, There is the solar wins attack, just name a couple answer
lessons learned from some of them examples that you ve been able to hire and general keep on the states that enables reply. I profile attacks rents were attacks. Certainly that occurred against colonial pipeline was also heard most recently about Garcia. They understood more important, so when we talk about a lot, is having the sort of layered approach to cyber security for this, hence in depth approach to cyber security and in some ways what that means is just employing someday practices, drown, hygiene, so wicked practices called at least privileged access right, don't give out more privileged access than is needed. a very, very strong focus on vulnerability management. understanding, we're gonna, build he's our as to your environment and working on litigations patching then closing them, but just having a really good understanding of that fishing testing, but also training having met talk,
ninety five percent of all our tax start with some sort of fishing, so some sort of training there and then just aggressive patching these all help reduce attack, surface gather lesson that was learned and became friends in earnest continues to be. When you look at things like colonial pipelining, Cassiar is organizations are getting really really focus now on the third and fourth party rests right and got them to think about that critical vendors and ensure that those critical nurse have some awareness of those threats and understand how those vendors of mitigating the threats? I think the other thing that come on random. Where is really just having a strong hand on your acid inventory several of the victims around somewhere arts network, we're impacted they didn't have good understanding that this was connected to the network, for this was on their networks. I think there are some key things that were lessens the last piece I would suggest, is organizations who consider participating in a bug, bounty programme cities bug bounty programmes, Basically, incentivize software researcher
the security researchers to report and disclosed vulnerabilities and responsible way on things that are on your internet facing properties. So very, very talented. Researchers focused specifically answered software packages, and then they can let you know that you might have a vulnerability, and I think that also helps in the face. he's. Gonna rents, more attacks in response to these events, There's been a range of proposed. Cyber security legislation has been put on the table. Are there any particular provisions of the proposals that you are gene that you expect will have an impact on the private sector map? Maybe you can answer that was legislation, given that we are watching and are making their way through. Congress is the same reasoning, reporting action, the ransom disclosure act, I think these are worth watching for us and the sector, I think the biggest there we're going to have to come to an agreement on between public and private sector, is what constitutes a cyber instant Rikers
A lot of the basis of these bills are quick, very quick, almost real time reporting of incidents that we have to do I'm with a means, and within them they use terminal. Would you, like a substantial sirens, fear substantial attempt? What does that mean? I think the focus again on his report and I think that's it. We just need to make sure we know what we're signing up for that. It's absolutely crystal clear are responsible You mentioned increase cooperation between the public and private sector a couple of times, Wes me You can elaborate, nor are there more opportunities to see that of collaboration in the space for sure. I think that if we always opportunities to increase this collaboration space, I think they can be done in a couple ways: either direct engagement, also via partnerships, so some of the directive judgment, you can organizations can become members of the cyber information sharing collaboration programmes are the sea. I s sleepy, and it said
of the ages, see Sir said the cyber security infrastructure and security agency, and when you engaged able to share, receive information about cyber threats and also just attend stories. Technical exchanges, there's also routine just engaged, with the FBI through an organization called, B and c after so the national Cyber Forensics Training alliance. That includes one daily information sharing, but also briefly, threat cause, and I would I encourage organizations just to think about direct engagement with the FBI, they're just right. good relationships to form well ahead of the time that you might be dealing with a crisis on the partnership sides there's the ark, the analysis and resilient centre. There's lots and lots of engagement with the. U S, government. On the risk and until side with members of the Ark and then also emphasised. Acts for the financial services and for sharing in analysis centre. They have some sub groups that also- focus on improving ways to collaborate with our partners and our help identify other ways to engage with the governor Andy, let's bring.
When did the conversation, as I said, you're the chief information security officer for the firms, consumer banking business compared to our industries that consumer metal sectors seem more vulnerable to cyber attacks. Due to the nature of its on my traffic and the design, of course, of its e commerce websites. Can you talk? how cyber attacks and security efforts in the consumer space have about yourself. I say I mean is obviously mirrors the way we seem threats develop more generally, that is the famous bank robber once said, when asked by Rob banks, because that's where the money is an often been erased cybercrime is often actually motivated. He said it, banks are clearly a target nothing that's challenging, because we can't puts me in a huge walls and mouths and obstructions around people's interactions with our side, some without digital services, I'm goin impede the user experience too much in the relationship with customers. So what we need to do, We find a way of balancing the use experiences. The customer with
training these cured posture to prevent fraud, prevention, account, takeovers and that's always a bit of a balancing act to just right and make sure that we are making it difficult for our actual customers access, their accounts by making it difficult for attackers to any other thing is you know they mention previously is grandma fencing debts aspect. One is Things now is that we ve now effectively globalized tax, so many attackers all over the world ledge try and attacking compromise systems, and that means that, if you have a vulnerability is not a question of if it will be exploited sooner or later, someone is going to come across that and they don't try to exploit it, and that makes it wisely We have two friends in debt and that's not just defence in debt from one aspect that defence in tat we ve forgotten to your processed in practice as well as we forgot controls and also your assurance activities. These simple way,
gave around and importance of acting and maybe you'd spoke. He can do that by rebuilding repays environments, where you just saw continually replacing the infrastructure refreshing to date, infrastructure to make sure that its studies well maintained. one way of keeping on top of pensions. But equally you don't stop running a vulnerable. It he's gonna, that's looking to see if there is any honourable systems on libraries it within the environment and then going after those unpatched knows. You won't be running both for those things in order to make sure that you ve got that defence and F gas, your assurance activities, and so we really apply that sort of minds that across the globe building operates, lifecycle of our products. Make sure we have small more mechanism in place to stop any given type of attack or make sure any given activity is working. Aspirate expect the other asked
this is, of course, the rise of cybercrime, makes consumers more reluctant to hand over their data, obviously were living this increasingly digitize world and there's a lot of concerns, that is what our coming he's doing to protect their data while Staging consumers concerns around these issues. I think it is a bit of a mixed one: isn't it because, on the one hand, this reluctance to share patron information, use digital services because the rest, but equally the sometimes data sharing mining fact, sometimes one can actually to arrest. You knew her. You know we shoulda seen through the social media campaigns asking questions which will mean a kind of fun background in either way. You grew up and things, but if those are so secure the questions associated with an account that can be problematic. So I think there is a lot of uncertainty with people in terms of wanting to share and I want to be open, but at the same time they are concerned. I think this been so many large region.
is that, I think is also a little bit of numbness to it now, but I think the key thing is to respond. globalization which will invest in their programmes, they will put customers first, they will be looking for all the options they can to protect. Steamers and in general, I think the banks have a reasonably good track record of succeeding, but that's not by carrying on doing what we ve always been doing. I continually running stay still because the tax involving all the time and we need to involve our programmes in our technology impacts and processes to keep pace. With that statement turn back to you. What are some of the best practices to improve cybersecurity awareness among employees, Think awareness now is much deeper than those may be. Five years ago, the media They have been role a man. I think everyone None of us has gotten that email or that letter that says your information has been breached, and I thank them
our job, a lot easier, as cyber practitioners are, I'm gonna make it what to do about do. I do our that keeping the topic in the forefront is really important. That started the board would see leadership and one is the best methods that I've seen is really things like: fishing testing rights and privacy, forget about training. These are good October cyber month in having the discussions around a cyber, whereas I think those are good. I think testing provides somewhat you need learning moment I had so. Where does the firmness and that she testing nuclear gonna get a pop up? It's his hey that this was a fishing emails. This was a true fishing email and a bad thing that has happened as I think that one of the most effective listeners as mentioned earlier decisions. Typically, owing to the beginnings ancyra breaches and I think we used at too great a fact anything other funds and, secondly, to good effect Let me end with a question for our three view.
How do you see cyber threats and cyber security evolving in the next five to ten years? Matt? Maybe you start the first I had said, as do all that long ago about acted, recalled the shovel. Who stood for a bit of a nation state level. Fools saw that sophisticated chewing is now in the market, they started on the door but sincerely. I think the way we defend has changed. I think some emerging technologies so deep learning, artificial intelligence, machine learning. I think, think about a malicious software, dismal This effort that has enabled them to build the USA descended seen that that's pretty scary, stuff. I would see the new emerging technologies like blockchain in Quantum computing, really impact away firms think about cyber defence, so I think leveraging technology is super. Important and it's a bit of a cat and mouse game between the bad folks in the good books, and I think we ve gotta be able the news, these technologies to defend before the battles, listen to tat
and I think, there's been a lot of progress in that speech here about some of these new technologies, like Mama, more conviction for accountancy distribution by these technologies, jeered, specifically to meet that, I think also One thing I would say moving to the cloud, I mean a lot of companies and Lawrence legacy technologies intact, that meeting the cloud more of asylum. Christine environment, I think, is also a greatly, and so I think what s your very technology, driven, the fence, very data, driven defence philosophy over the next five years, worth anything tat yeah. I think I definite agree with all the world can be employed for a long time in the space, but on a saving vigilance is keeps, I do think, being attacked and targeted. continue to be a way of life right then we ve talked about. There is more connected ass right, there's further digitization of everything, money etc makes for a larger tax service and target opportunity for bad actors. We touch
Things are automation and we're looking at things like capabilities that can basically automate Isaak analysed by all the decisions that a sock analyse my go through when they see a case from a particular sensor. There's companies have a vision to try to automate that's I think, capabilities like that will be key for us free up our animals to focus on more high order. Things like some of the machine learning in the data analysis that not referenced when I'm also optimistic that things by the administration executive borders, but also that committed investment for various companies in government entities to improve cyber security will keep raising that baseline for security and make us all safer. Andy any doubt and the consumers pay site in terms of future state? we want to things is better. I dont not. She subscribe. Two we're losing the battle. Is it worth because yet We see more instance, wishing more mega breaches and greater impact than us.
From a much most Joe baseline me out a few years ago, certainly a few decades ago. That in actual fact, is really an example that the prevalence of attackers and attempted data breaches and the development of business models around that has given the amount of people trying to attack and trying to find one abilities. But the actual number of United Equality is software is getting better from a security point of view, and the policy of infrastructure is getting better that point with regard to United pristine cloud environment, giving you a fresh baseline afresh capability, now meet the key thing. Of course is to make sure that when MR do happen. They can't be immediate exploited by attackers. So I think the race continue decided requirement for defence in depth continues, the management of complexity, the management of supply chain risk and actually making sure that everyone is operating at a really high standard is essential
Otherwise, you know a weakness in one area. Cannot she then have ripples that impact organizations and though they were on a firm footing. But I do not subscribe to. This is something we getting better and you know it's not the sort of thing that you ever from declare you ve won, but we're getting better answer dinner. I think we in the governments of the world needs to help support businesses and Supply chain generally get that strategy together so that IRAN weak links to allow attackers in- where's the Andy. Thank you for sharing your insides on what is really a really rapidly changing space. That concludes this item. Out of exchanges, the common sacks things for listening and if you enjoyed the show, we hope you subscribe on our part, I mean a rating and comments. This podcast was acquitted on Wednesday cover twenty seventh, twenty, twenty one
all price references and market forecasts correspond to the date of this recording. This podcast should not be copied distributed, published or reproduced in whole or in part. The information contained in this part cast, not constitute research or recommendation from any Goldman Sachs Entity to the listener. Neither governments nor any of its affiliates makes any representation or warranty as to the accuracy or completeness of the statements or any information contained in this podcast in any law. Ability, therefore, including in respect of direct indirect or consequential loss or damage, is expressly disclaimed the views expressed in this
Lancaster, not necessarily those of Goldman Sachs and Goldman Sachs is not providing any financial, economic, legal, accounting or tax advice or recommendations in this podcast. In addition, the receipt of this podcast by any listener is not to be taken as constituting the giving of investment advice by Goldman Sachs too that listener, nor to constitute such person a client of any Goldman Sachs Entity.
Transcript generated on 2021-11-10.