Cybersecurity On The Front Lines

Editor’s Note: This podcast discusses the usefulness of the CIS Controls, but it was recorded before Version 8 was released. For a review of the latest release, check out our blog here.

For obvious reasons, financial institutions have always been a top target for cyberattacks, and almost one half of all cyberattacks target small and medium-sized businesses. So, it stands to reason that if you’re going to be in charge of security for a regional bank, you’ve really got to know your stuff.

Today we’re chatting with Tyler Morgan, Chief Security Officer for Farmers and Merchants Bank, a regional bank based in Arkansas. As the CSO with a small team, he has responsibility for fraud, vendor management, physical security, and cybersecurity. He spends his time both in the weeds with the technology and at the 30-thousand-foot level, segueing from day-to-day incident response issues to higher-level priorities like compliance and security frameworks.

Episode Table of Contents

• [01:08] IT and cybersecurity at Farmers and Merchants Bank
• [04.56] Compliance and regulatory environment during the pandemic
• [11:30] CIS Controls framework promotes security hygiene/li>
• [24:40] Software-as-a-service is major attack vector

IT and Cybersecurity at Farmers and Merchants Bank

Tyler Morgan: I’m the Chief Security Officer, so have some responsibility across different sectors. A little bit of fraud, vendor management, physical security and cybersecurity. I have been in the cybersecurity space for quite a few years now in different roles. Have done some consulting in the past. Then ultimately, decided that managing cybersecurity for one client was the direction I wanted to move.

The organization sits in the financial sector, banking sector specifically. We have about 350 employees. We are currently spread around a medium sized state in terms of geographic area. We offer you full-service stack of banking services. From a cybersecurity perspective, it’s our role to protect all of that.

Ted Gruenloh: There are physical locations and online services, correct?

Tyler Morgan: That’s right. What you would expect from a typical, legacy, brick and mortar bank that has moved into the 21st century and is doing some different types of services online, and looking into offering more every day.

Obviously, with the challenges of the pandemic, we’ve had to be adaptable. That has pushed us even further toward looking at visual experience and things of that nature. In terms of locations, I think we have roughly 30 physical locations.

Ted Gruenloh: This is the question everybody gets asked around this time — what in that stack changed because of the pandemic? How do you think that’ll change moving forward?

Tyler Morgan: In terms of the pandemic, luckily, we weren’t necessarily a traditional VPN type shop. I know you have a lot of different organizations out there that participate in sort of a traditional roaming device-type of remote access, or even going as far as BYOD.

We were more a remote access Web portal to more of a what you’d consider more like a VDI type experience on the back end. From a security perspective, that was valuable because we were able to immediately spin up as much access as we needed.

It was sort of access on demand, so we didn’t have the problem of, ‘well, we got to get laptops to all these different people’ once the pandemic got going. In terms of that, it hasn’t been bad. The challenges have really been around personnel and keeping staffing levels where they need to be and keeping personnel where they need to be.

From a security perspective, that puts a lot of strain on your traditional processes of granting access. For example, now you have people that maybe used to participate in a certain role, but because you’re spread so thin due to pandemic pressures, you need to expand your access roles. You’ve got to be quick in that regard.

I think one of the big challenges from a strategic perspective for everybody probably in the security space is trying to maintain governance once something like this occurs the strain that this puts on your governance controls.

That’s been quite a challenge, but we’ve been able to meet the challenge and go forward. We’ve even continued to expand some of the security stack while we’re doing that.

Compliance and Regulatory Environment During the Pandemic

Ted Gruenloh: Did any of the governance or compliance organizations reach out to you or there were any temporary restrictions? I don’t know how quickly this stuff turns over or how often you’re audited, but just wondering.

Tyler Morgan: From a regulatory perspective, I would say not so much. I think the regulatory agencies or whatever, it’s a big shift to try to turn. A lot of times, they’re trying to track what’s going on and then being responsive after the fact.

In terms of the intel agencies, if you look at people like US CERT, the different ISACs, the intel as it related to COVID-19 and the huge amount of cybersecurity incidents that we were seeing, I would say they’ve done a great job in terms of being able to keep communication up and keep communication out there and allow us to respond to things before they were impactful.

I would say the plus side is that those agencies which are built for that real time responsiveness have been able to maintain that during the pandemic. Now I will say, on the regulatory side, there has been some flexibility from the governmental perspective, which has been nice too to realize that and to recognize that organizations are in a sort of precarious state. That has been of benefit in that regard.

Ted Gruenloh: Yeah, that makes perfect sense. I always think of the regulatory as…I don’t mean this negatively, but lagging behind in terms of where a lot of people are in terms of how they’re protecting their network.

That’s an excellent point that you made about the threat intel sources and the ISACs staying on top of it. That’s probably the most obvious place where you would see the shift based on everything that’s happened the last year.

Tyler Morgan: Yeah. I would say for me, that’s something that I’ve come to experience more and more over the course of my career so far, is the value provided by the intel agencies. Most of that data is free. You can subscribe to it as well as just some the listservs and stuff like that that are out there that you can participate in.

There’s so much intel that, I’m going to knock on wood when I say this, but for the most part, if you’re paying attention to those, you don’t have to worry so much about individual vulnerabilities and things like that if you’re paying attention to those listservs and those intelligence feeds.

I know you guys watch that from the Sentinel perspective to update the IPS and things of that nature and so just tying this back to one of the products from a Sentinel perspective that’s nice to have. We know that when that information comes out, those IPs that need to be blacklisted or that signature traffic that needs to be adjusted for is accounted for and we don’t have to do that internally.

That’s been valuable too in some of these security incidents that we’ve seen come to pass during this time period.

Ted Gruenloh: Those organizations help you stay on top of that. OK, if you don’t mind, I’m going to shift just a little bit. What I’m curious to know and what we’re trying to learn in these podcasts is about our customers’ philosophy on cybersecurity and what they’re doing on a day to day basis.

If you wouldn’t mind, and we don’t have to name names at all, but if you wouldn’t mind walking through your stack. I’m looking for two aspects the stack itself, the technology, maybe starting at the endpoints. You already mentioned that VDI is a player for you.

Starting at the endpoints and moving all the way out past the edge to the cloud, however that applies to you, and then also, I’m looking for a flavor of maybe the team you work with and how your day to day transpires.

Tyler Morgan: I’m in an organization where I report directly to the CIO. My counterpart, my peer, is the director of IT. I like that setup. There are different configurations, different places you go.

I would say that for me, one of the things that I’ve found to be most beneficial is when you have a good interplay and good communication between operations and security. For any security problem, I’ve found, that you’re trying to solve, it’s almost impossible to solve that problem if you don’t have good collaboration with your operations group.

I’ve gotten to where, in a lot of cases, when I approach a problem, the first thing I’ll do is I’ll go to the IT team and say, ‘look, guys. This is the problem we have. How would you suggest we solve it?’

That saves us a lot of headaches, I think. In my mind, the core thing that I try to focus on day to day, is hygiene. I think a lot of it goes back to security hygiene. What are we doing in the different sections of the architecture, and really trying to take a preventative posture?

I know detection is of course important, but I’ve heard a lot of vendors say it’s not if, but when, and you need to spend your money on detecting these things. I do believe that detection is very important, and we invest a lot in logging and log analysis. At the same time, if you give me a dollar to spend on prevention versus detection, I’m probably going to spend that money on prevention first.

The IPS and IDS are good examples of that. I’m probably going to spend my first bucks on the IPS, and then I’m going to implement that IDS so that I can see that lateral internal traffic and things of that nature.

CIS Controls Framework Promotes Security Hygiene

Tyler Morgan: In terms of what we look like from a security stack perspective, I won’t go in any detail on product names, but just the generic terminology. We, I’d say, number one, try to look at, what are the most effective controls we can implement to stop the most threats?

That’s where we start. Where’s the most bang for our buck? One of the control frameworks that we like to use is the CIS Center for Internet Security Critical Security Controls (CSC). Those are outstanding. If you put a lot of value in security hygiene, that’s a great control framework.

Another recent incident that happened was the SolarWinds incident that’s been in the news. One of the things you look at there is, a lot of what I would say are your advanced threat, your machine learning, things of that nature, endpoint agents and things like that that are really more advanced in terms of what you think about in terms of capability.

From all the breach data that we’ve seen and reporting that we’ve seen, you have to scratch your head and say, ‘why weren’t some of these things caught by those tools?’

I think a good response to that is, “We’re probably going to have to give that some thought, and that’s going to take some time to play out. We’re going to have to know more about what happened.”

In the interim, you can point to several things that could have been done that while maybe not have prevented the malware to make it into the environment to start with, would have prevented some of the lateral movement in terms of preventative controls.

That’s why again, hygiene, I think, is very important. You start with those CSCs. You look at things like, ‘do we know what’s in our environment? Do we have a solid inventory? Do we control the level of privilege on the endpoint? Do we do basic things like enable the Windows firewall natively?’

If you look at the Windows stack, there are a lot of platform tools that can be enabled that are just generically packaged that don’t cost anything extra. We’ve tried to enable those things.

In terms of log analysis, we try to log everything in that environment that we think is of any significance, be it a workstation, a server, the Sentinel IPS and IDS we pull those logs in. Anything that can send us this log, we pull that data in so that we can parse it.

Then in the event that anything happens, from a forensic perspective, that becomes then your detective mechanism. I can get confidence now that I can put whatever happened behind me because I was able to go in and validate that it occurred.

I would say we start with that very baseline stuff, making sure that we’re patched, making sure that our vulnerabilities are addressed, locking down the workstations, disabling unnecessary services. Then we start to add things from there out.

I think it very much in our mindset starts at the endpoint. Let’s lock an endpoint down as much as we can and then work out. I think too many times, and in the past, we were especially bad about saying, ‘well, there’s a firewall there on the perimeter,’ and that being your control that firewall.

A lot of the regulatory documentation and the questionnaires you answer are still geared that way. ‘Do you have a firewall on the perimeter?’ Well, I think we’re way past the point where that is sufficient from a security perspective, so we have continued to make sure that we evolve the stack.

At the same time, it takes a lot of nuance to get it correct because you can’t have something that is breaking the operational area every day. You make their job a complete pain around the clock, then your tools they’re not going to be in place for very long because they’ll make sure they’re removed.

That has been something that I’ve learned over time too. I think we’ve struck a good balance, and we’re just continuing now that we’ve got the baseline, I think that’s the first thing. Get the baseline.

Now, we’re continuing to add tools onto that stack to get more visualization, to add more preventative control where we can. Then, just make sure that security is as seamless as it can be, that it is not an inhibitor, but more a contributor to overall success from a technology perspective allows us to do things that maybe we couldn’t do otherwise.

Ted Gruenloh: There’s just a couple things I’m going to pull out from that. It sounds to me like you do have a good structure and relationship in place. In terms of you being on a similar plane with the director of IT and you both report to the same person, I think from my conversations with other people, that’s a good way to handle security.

Also, from your perspective, you know how to play…I call it “the game” of getting some consensus with your colleagues there in terms of how to handle it. I don’t think the importance of that could be overstated when you’re trying to get these things done.

Then, the other thing I was going to ask you just back down diving down into the weeds. You’ve mentioned logging and analysis and that sort of thing. Did you guys roll your own SIEM, or do you have a managed service behind the scenes there, or what do you have on the logging side of things?

Tyler Morgan: On the logging side, we did not build our own. We did, but we bought a cloud based SIEM that we’re utilizing. We went with that solution. Really, our solution, it’s more of a hybrid solution. It’s not focused just on security, but it’s also used for things like DevOps logging and things like that.

We went with a solution that we felt like would allow us to connect open APIs and things of that nature because we do have a lot of software-as-a-service applications now. Most of those put forth open APIs, and you can pull their logs that way.

This platform allows us a way to aggregate that data across multiple sources, not just the traditional workstations, network devices, and things like that. Also has the ability to do a Curl PUT to their API to send files up if you have a system that outputs CSV. It’s just has a lot of capability from a RegX parsing standpoint on the logs.

It’s a commercial solution, but we do a lot of the build in house ourself because it’s now easy enough to do that, and we don’t have to spend a lot of time on the infrastructure because it is cloud based.

I’ve done managed service provider in the past as well, which is good in a lot of cases, too. I think it just depends on where you are, what size you are.
We do have some managed security products, and the nice thing is, most of those make their CIS log available, and so we’re able to port those into our SIEM and get that added benefit.

I can’t emphasize enough that that’s a very important thing because we’ve dealt with a lot of managed service providers in the past who didn’t necessarily have that capability available. They wanted to send you an email alert for every alarm you had or whatever.

That’s just not practical if you’re a large organization the number of alerts and trying to parse through that. Then you don’t get that data in your SIEM, so you can’t parse it out with the rest of your logs. You really need that ability to CIS log that information.

Ted Gruenloh: Yeah. It’d be really hard to do any sort of incident response or threat hunting or whatever buzzword you want to use these days for it if you don’t have all that in one place. It makes your job a lot harder. How big is your team on your side of things, on the security side?

Tyler Morgan: On my side we’ve got basically three employees full time and then we’ve got a posting out for another one, so four, and then myself, which is a little bit larger, probably, for our size than you would find sometimes dedicated to security, but like I said, we also have the fraud torch and the physical security torch and stuff to carry as well.

That’s a little more expansive than you might find if you were just focused on information security. In my past, the organization I came from, I think at the time I left there, we had around 2,500 employees, and the security team was around 25 employees.

Ted Gruenloh: Just roughly, how many IT employees are on the other side of the house there, under the director of IT?

Tyler Morgan: I believe there are around 12 IT employees currently.

Ted Gruenloh: Just trying to get a good shape around how you’re organized. Moving out of the weeds in the tactical nature of everything, you already mentioned, strategically, you use the CIS Controls. You want to talk about that just a little more? How long have you been using CIS Controls, and how far along in the process are you?

Tyler Morgan: I’ve been a proponent now for several years, really since right after the CSC 20 came out. I’m actually starting to look now at the MITRE ATT&CK framework as well because I kind of like its layout and some of the ways that it can be applied.

I guess the reason for that, if you just look at it from a strategic perspective, is, now, there’s plenty of control frameworks out there, but I’m more of a practical person, and I like what works. A lot of the frameworks are kind of like, ‘we’ll go identify what your risk is.’ Well, that’s easier said than done if you’re talking about the risk of the widget falling off the conveyor belt or whatever, and you have controlled environment that you can calculate that in.

Security risk for a modern enterprise in the cyber frame is much more difficult. There are millions of data points. It becomes a question of accuracy. We know it’s impossible to be accurate. If we could be accurate, we wouldn’t keep having these data breaches and these other incidents that we see on the news all the time.

I think part of that is, we don’t have a computer that’s big enough to process all the real world data points that would be needed to truly understand what’s happening in these environments. They’re overcomplicated. That’s not going away. I think it’s just going to get worse with time. We’ve got to find a way to combat that.

I like the fact that with the CSC, you can kind of say, “OK, we know there’s a lot of really bad stuff out there, but we know statistically, if we go do these four or five things, we’re going to be a lot better off than the organizations that may go spend a ton of money on an advanced endpoint threat agent or whatever.”

We’ve tried to take that approach. I would say we haven’t necessarily implemented every one of the 20 CSCs to the exact degree or recommendation that it should be implemented.

You kind of have to say, ‘ok, this is the problem they’re trying to solve. This is the way they recommend it, but is there something in our environment that would allow us to solve that same problem this way?’

We’ve gotten pretty far into it and have satisfied everything from a baseline perspective and moved past that. Because we’re in the banking sector, we have to do the FFIEC cyber assessment tool.

We account for that as well. We kind of do the old school thing of looking at the NIST 800 53 as our risk assessment methodology. We don’t necessarily subscribe to the one framework.

The downside, I would say, to the CSC 20, is that its focus is really on the traditional LAN or LAN environments. If you think about it, it’s looking at, how are your servers configured? How are your firewalls configured? It’s not saying anything about software-as-a-service, or what you’re doing in the cloud, or anything like that.

You have to figure out a way to supplement those controls if you’re going to have a solid, modern control environment.

Software-as-a-Service is Major Attack Vector

Ted Gruenloh: Sure. That’s a good point. It gets back to that 80/20 rule again because with controls you’re going to knock out a lot of the major stuff, but then it’s up to you to figure out if any of those new controls are missing. Software is a great example.

Tyler Morgan: Software as a service to me is a major threat that a lot of people are starting to come around to. Some of that was saying, if you look at the SolarWinds-thing, again, you look at in addition to that, you had the whole Office365 thing. They had SAML tokens and things of that nature.

You’ve got to think hard about, ‘ok, I’ve got this software-as-a-service thing out there now, what am I going to do to secure it?’ OWA used to be a constant nightmare everywhere.

What’s the point of having data loss prevention at that point from an insider threat perspective, or even from a social engineering perspective? A lot of people have gone multi factor there. How can you sleep at night if you’ve got your data sitting somewhere with single factor authentication to a Web portal, and you know that that data can be accessed from anywhere in the world?

I’ve seen that on a lot of things from HR systems, payroll systems, things that are highly sensitive that from a social engineering perspective would be easily compromised if you had knowledge of what that business would do entirely.

There are different ways to solve that. There’s multi factor authentication. There are CASBs that you can put those applications behind CASB firewalls or reverse proxies that you can put those applications behind and control what goes in and out of that application.

All those things have got to be thought about because a lot of those applications that are out there just natively do not come with what I would call enterprise grade security unless you spend for it to get there.

Ted Gruenloh: It’s a new world. I wouldn’t be surprised to see some of those, particularly the CIS controls gaining popularity.

Tyler Morgan: That’s right. That’s one of the cool things about the attack framework. Like I say, I’m just getting in there, but I’ve noticed the intel agencies release an update almost immediately.

Here’s the updates we’ve added to the attack framework, but that MITRE ATT&CK it’s one of those things that you open it up, and it’s like, ‘well, what do I do with this?’ It’s going to take a little bit of time for the industry to adopt that and learn how to use that functionally.

Also, the other thing is I go back to, like I talked about at the outset, knowing what’s in your environment. You cannot protect what you’re not aware of. You’ve got to understand what’s in your environment, or you cannot expect to be able to protect it because MITRE at the end of the day, if you don’t know what you’re doing, you don’t know what’s there. You don’t know what your attack avenues are.

We hope you enjoyed this unique perspective on cybersecurity from the financial services industry. For more information on how some of our clients prioritize their budget decisions and use various tools across their networks, check out our monthly podcast. We share honest, objective takes from real people fighting bad actors on the front lines.