Panel | Forging Stronger Shields - Collaborative Strategies to Defend Against Cyber Criminals

We have a panel closing out that sort of first session in the morning before we break for networking. And I would like to welcome on stage three very experienced cyber experts and I'm happy to talk about forging strong shields, collaborative strategies to defend against cyber criminals with Max Ibel. Max is the deputy group CSO for N 26.

Sunil, you Sun is one of the leading cybersecurity experts in the world. He created the cyber defense metrics and is one of the most influential leaders in the world. And then Alexei Kleberg, senior fellow, he's leading the Hawke Center for Strategic Studies. Also very experienced working, leading the cyber expert group for World Economic Forum for quite some time. So thank you for being on stage. And we have four seats so I can sit down as well. So to sort of break the eyes a bit, and I know reading the title is probably as difficult to understand in the first infant than reading it.

So maybe a bit of a warmup, forging stronger shields. Let's talk about that. What does that mean to you? What does it tell you? What do you want to share around that? I start to my right.

So now, Sure. So I think that we all generally agree that we're in this together and a, a quarter of three strands is stronger than each one on their own.

So I, I think at the end of the day, we all recognize it. I think the, as Sergey put it earlier, it's not a question of whether we know what we to do.

It's, it's a question of execution. So how do we execute against that? And I'll share more about, I think some perspectives here, but the, there are laws and regulation that actually hinder our ability to do this as well. And so I think we need to have a conversation about what makes sense.

Okay, Good. Thanks Max. You few. I think I'm also very aligned with what you already said. And from my picture, this matches really well with the shield perspective because I think what we need to really come up with more and more with insecurity is this kind of spartan fangs that they did where they were all in a row, right, all keeping up their shields against the enemy. And only because of that, only because everybody did it the same way and they all worked together. They had this strong shield. And this is exactly what we kind of need to establish.

Alexei last, but definitely not least. Yeah, I'm, I'm wondering about the topic question exactly, but I guess to answer to all your questions, there's always information exchange. So that's been the case since the very first document on critical infrastructure, pro protection was produced in the late 1990s. Every four or five years revisit the topic again. Every couple of years somebody throws up their hands saying, I can't hear the word information exchange anymore. And we're still at that topic.

So it's probably still the most important thing that we need to discuss is irritating as it might be for people who have been in this field for a long time. And, and yesterday to some degree I actually made a challenge to that, that we should stop information. I I think we should actually stop information sharing.

Oh, could We have a discussion? Yes.

And I, I refer back to the DIKW pyramid data information knowledge, wisdom, which is stop data and information sharing. Because for the most part that is actually not as helpful as knowledge sharing. So how we do things is much more, I think, much more important than the specifics of what comes out of how we do certain things. The example being how do I look for malicious actors versus what are the outputs of what I find from that execution of how I look for it. So I would see it on a more practical level.

So like for instance for when you talk about knowledge, knowledge might be for me, TTPs, right? Like and, and but we do need to also have IOCs, we need to have indicators of compromise. We need to also have some tactical data that we're exchanging. You can always argue that TTPs maybe be something that can be communicated separate from the IOCs and, and also should be, but I'm not necessarily convinced that's the case. But we do have a level above that, which is the general threat intel, which is, hey, what are you generally seeing from this block?

What kind of general trends are you saying that sometimes helps, but not always. And essentially the only way we make any progress in this field is if we rapidly share indicators of compromise in indicators of there's different, a lot of different indicators these days. Not only IOCs, right? That's just one of many. And I that's to this day is the most important, the most important factor. And once we stop sharing IOCs or we stop sharing DTPs, that's instantly the point where we fail. So there are always concerns of how one does that sources and methods can be quite sensitive.

Not only on the government side where you don't wanna reveal your super secret intelligence capabilities, but also from our point of view because we don't wanna reveal that we maybe are violating data protection practices when we look at stuff. So it's, you have to be careful about that. But the solution to that are super secret informal groups, which most high class information security professionals are part of. And we've been part of these groups for decades. They're mailing lists encrypted. You have to be triple vouch to get in.

And if you name, if you name it, you immediately get struck by a bolt of lightning. And then we use the traffic light protocol. And if you say if it's TLP, red traffic, light protocol red, you may not talk about it ever, ever, ever, ever. And that's one of the challenges because then you have a person sitting in a major company who effectively has been informed about something and they can't share it. You only can act on it. And that's a problem of course that one has.

And national security all the time when you're dealing with situations outside of cyber where you have one person who's informed about the super secret stuff but they aren't necessarily the person who can make the change. And that's the problem that we have when with information sharing in my opinion. The other stuff in terms of having to share TTPs and IOCs and just general data, I think is the most fundamental part of cybersecurity. Keep on going. Okay.

Yeah, I will not ask any further question. Just keep on going. Just make sure Max is involved this way.

Yeah, I feel a bit stuck in the middle of right here. But I again, right, I kind of agree with both of point of views, especially the immediate sharing of IOCs and and TTPs because that's kind of the foundation that we all need for acting against something that is already happening. But what you said as well is the knowledge part of how do we share knowledge of what is working in terms of processes, right? What is working in terms of solutions that we have implemented and that actively were, were going against some attacks, right?

So positive knowledge sharing also is this mindset of what we heard yesterday by the, forget what bergermeer means in in English, the mayor, thank you. The mayor of Frankfurt here told that they're also distributing certain knowledge sharing activities with their local cities and their councils to get them on BCM trainings and stuff like that. It's a good next step, right? Because they need to be aware of the topic in itself, the knowledge to have that. But then you still need the foundation, the base level of what you're saying in the information in the data that still needs to be shared.

But of course needs to be also consumed by parties that can consume them. Because if you're just sharing data out there and you have parties that sit there and have no idea what even to do with those, there's of course no benefit in that as well. So let me offer an analogy of what we're actually sharing today. So let's suppose I baked a cake, okay? And that cake I think is delicious and it helps me find all these amazing threat actors. And I then say, okay, I would like to share something here with you.

Now you would think in our, in the way we're thinking that I'm actually sharing with you the cake, but no, actually what I'm sharing with you is the residue powder and the broken eggshells that I don't need anymore. 'cause I've used what I needed to do and I'm now sharing with you the remaining artifacts that I don't really need. Now is there value in broken eggshells? Is there value in a little bit of the flour that remains? Sure there is, but what you really actually wanna know is not even actually what you don't, what you want is not even just the cake.

You actually wanna know how to make the cake because whatever you the best threat intelligence in the world, is that what you discover yourself? If you're getting someone else's threat intelligence, yes there is some value there, no question whatsoever. And to the degree that we don't have an alternative, we should absolutely continue to do that. But let's go back to the original question.

If we are trying to defend against criminals and other actors that actually do not have that same constraint in terms of being able to share how they do certain things, then what we are fighting with very weak versions of shields that will ultimately be circumvented very quickly. We are trying to find a way to essentially work together. And there absolutely are very tight knit trust groups that I hope senior leaders at various organizations are a part of. But there is gonna be, there is going to be a need to scale that. And that's really hard. Scaling trust groups is really hard.

Anybody who's been through a trust group and seen failures of that, you know, it's how hard it is. But that's something that we need to figure out because the attackers have already figured that out and they do it out pretty. And I think you have a, you have a really good point Sunil, because at the end of the day, I'm member of an EA board for one of the biggest sharing communities in the world.

And a discussion we had there recently was sort of on the German market where we're in German financial market, you have the big banks who have their threat intel function and all the knowledge base that you are talking about. And then you have smaller banks. Even if you provide them threat intel, they wouldn't probably know what to do with that because they're just not skilled for it. They don't have the sort of mechanisms that we all have to do it.

Some do, I mean N 26 is not a big player, but different animals. So you guys do, but it's really around the knowledge that you need that intel isn't enough.

It's, it's great. And I strongly believe that sharing is a big asset in our community, but I'm completely with you. It needs to be around knowledge. So if we think about that and Mac max and Alexei in a, in a second, but if we sort of summarize what we've heard right now, we all believe sharing is important, collaboration is important. It sounds like the way how we do that is the critical success factor. So some thoughts around that. How do we do that after what we heard right now? How do we make that a critical success factor? Yeah.

So that follows up On the, on this previous discussion, just so, so three thoughts to that, which concludes with your question, I guess. So sticking with the, the recipe analogy, because I get stuck on analogies very easily.

I I, first of all, I I, I'm not so sure if what we share is really just to crumbs and the eggshells. If you do that then you're a bad actor. You're supposed to really share stuff that happened. But I do completely agree with what you said is that sometimes you're gonna be sharing stuff that is in the US government, the term is nobus, it's nobody but us can use it. It's like it's too complicated. It's like we're, and then you and or you tell yourself this is way too complicated. I'm never gonna understand it. That's why we don't share it, right?

So I you're, you're supposed to share stuff that is actionable and normally when you're in a group of peers you're able to do that. The second problem is that very often the information in these trust groups does not go to the ciso.

In fact, I know people who when they become CISO, step out of these groups so they don't have conflict of interest or reporting requirements. So similar because it's just too risky, right? So balancing for me the biggest issue is how do you balance out the requirements of that individual who for instance sits in these trust groups and does the information exchange and his obligation to his employer or maybe even FI responsibility to the investors, right? That one's very complicated and there's been attempts to to square that. But I don't think it's really worked out.

I actually really like where we were going with Max's point also and what you mentioned in terms of what more or less the end stage could be in terms of the recipe. Maybe let's talk about the recipe. Is this really a good recipe altogether? Which for me would more or less imply does this type of product mix work And that's actually a lot more disadvantageous to the vendors 'cause it's vendor critical. It's about saying not only oh do what do we think about, you know, XDR and EDS and CMSs. It goes down and says specifically products.

So it basically what I'm thinking about is a trust group that excludes vendors, maybe even excludes the consultants and only deals with the supply side and they exchange the recipes and you have to be rigorous about it because if any one of those guys gets into it, you're gonna ruin the cake, right? So analogy cake, very good. I think the, the main message and that is context is king, right?

This is what it's all about because we must have an established process to define what kind of context do we deliver with that kind of knowledge so that certain parties can use what that recipe tells them, right? Because someone might have an oven that is electric, others with gas, so the heat must be different, something like that. But they gotta be aware of that. So you gotta deliver this kind of context while delivering your recipe. And I guess what you said Carson, with these interest groups and, and how do we proceed further?

I mean especially in our financial services industry, we have Dora coming right? And Dora is now one of those very first regulations, espec, especially in our market that says there is a paragraph that states there's gotta be information exchange. I don't believe they have worked out the, the technical standard yet on what exactly needs to be shared and everything like that because that will be whole book in itself probably. But there's one paragraph that will state this and that will be live in 25. So we gotta work on that.

How do we do this now right now and have hopefully also a system in place that is also usable cross finance industry. Because if, if we just do that within the finance industry, fine that's nice. But what about everybody else who is kind of dependent on our industry as well? And so this gotta be a solution that's really usable and also kind of efficient for for other parties as well.

Yeah, and let me add, I think even with, so we have the desire to do this but as I mentioned a moment ago, there are some inst both institutional and regulatory guardrails that limit our ability to do this. So I think in our dream world we would have this well-functioning collaboration even internally within our own bank amongst AML fraud and cybersecurity and the data privacy people, right? And we have these four different functions that live even within the same organization that can't collaborate. What hope do we have across different organizations?

And part of the reason why we, we have both institutional barriers but we also have regulatory barriers that keep those separate as well. And so we have two hurdles to leap over. So let's just, let's just assume for whatever reason the regulatory barriers just go away again internally we'll have this power struggle now in terms of who's gonna lead that initiative to bring these people together.

So I, I think it's an interesting challenge but one that again we have to solve because the attackers have figured out they, they know how to navigate AML fraud data, private, they don't care 'cause they don't care about any of those laws, they just violate them at will. But then it's up to us to follow those laws and guidelines and, and as much as possible to eliminate or create the na the, the conduits for the proper collaboration across those different functions. Both from a regulatory standpoint as well as from a internal standpoint.

And I, from the Deutsche bank standpoint, I'm, I'm sure you see this as much as I saw at that Bank of America. Absolutely. So I 10 questions that came up in my mind whilst you were talking and we can't tackle them all but let's go on the last point you made the interesting bit is that if I look at the financial industry and how the financial industry is sharing, nobody sees that as a competitive advantage.

We call each other CSOs and talk about something that we are seeing and we share that openly and we are allowed to, that's within the regulations when it comes to internal, I mean what you talked about literally is the concept of fusion centers that are coming like waves. Every bank is trying to do that once in a while and then recognize how difficult that is. That's internal politics. Nobody wants to sort of give up their remit and probably it's because it's crossing boundaries. Yeah. So that's why is I like that concept of the financial industry sharing with each other.

One more point and then over to you Max the, what you mentioned about that level of trust in FS iec, we had an interesting discussion around we need to get the critical vendors more involved also because of dora because they are part of dora. So we need to get them further involved. But I think you need to sort of stagger that from a trust level perspective what we've started to do in DOCHE as well. We have smaller communities where we share, that's probably more where we share the cake than the actuals.

And then we have product communities where you share but in a different meaning and probably then also involving the critical vendors. So what about those steps? So just to pick up on the FSS ISAC point because I was a little bit confused because I thought the whole FSS ISAC model was intended to jackle some of those things and it's now become too big sometimes for its own purposes. But this doesn't mean one can't build on it and improve on it. And the standard practice in industry of course is to have birds of a feather group and have like your own s small trust groups within those groups.

And my experience is that they work really well. Yeah, I mean the, that's actually you ha so it's, it's, it's just being flexible on this and I think, I think your point that you made before and is the most important, how do we find process where that is encouraged but protected in particular from regulatory legal like encroachment and in the US they even tried to to set up an entire government program to work with that.

So you know, of course there's ISACs, the UK calls 'EM warps and similar but they also try to create ISOs and the whole point of ISOs was to work with these informal trust groups but the trust groups just basically to the extent that they had a person to talk to just turned around and said yeah, no thanks, right? Because the chances were just too high that they were to get fired, get put in jail, get sued. So in the end of the day they still styles are still around but there's something else now and they just don't work.

And I think your question about how to deal with internal politics might be solved now with new SEC regulations that I talked about yesterday at quite some depth, the eight k re reporting, the new eight K reporting requirements, which are pretty detailed and does do mean you'll be sued on the board if you do not actually regularly appraise yourself of cyber risk, not only the oversight of that risk 'cause that's been in there for a while, but you need to show that you yourself know what you're talking about. Yeah. Not just getting briefed, right?

I don't know how they're gonna test that, but it'll be interesting And it's in NIST two for that matter. So it's already happening before Dora and that's gonna be in some ways our magic sort. Although frankly it might end up being a magic needle because you know, it's, none of these things really solves a problem. Right? Completely. So I I knew this will happen. Thanks for the lively discussion. A closing word from everybody sort of around the, the, the chairs because we're running out of time and that usually happens if you get into a lively debate.

But I did like how that was going with one question. We got you all excited. You wanna start with the last words on the topic? So going back to Stanley Kubrick, I think we should all stop worrying about information sharing and love the DIKW pyramid. I would say because we had this, this topic just earlier that even internal teams are sometimes not speaking with each other. So why bother of external parties talking with each other? Which is why I sometimes refer to the CISO as the chief internal speaking officer and not information security officer.

But let's find a system that works not just for certain industries, but is cross usable and yeah, it it's alternatively important. So I have a longer con longer, longer thought but it's, it's can be summarized with information I saw. Information security is basically go and not chess And it's quite simple that in, if you think about it in higher government or governance frameworks, you have things like whole of government, whole of nation something called whole of system. Different frameworks of cooperation.

And one of the tricks that I figured out when working together with government, 'cause governments don't talk to each other, right? Very, the ministers don't talk to each other, the minister, the ministerials don't talk to each other. The way you get them to talk to each other is you make it a whole of nation discussion.

So, and when you do that, it's kind of amazing because I have done a whole bunch of these discussions. I run a framework, we call it boots, suits, sandals and spooks. You get all these people together and it's actually the government start talking to each other 'cause like this is great, we can finally talk to each other. We don't have a formal format. We have to make it about a whole of nation format to make it whole of government.

But yeah, so I would recommend to you CISOs, 'cause this is what I've done at the World Economic Forum where I wasn't head of the expert group, I was the executive in charge of the Center for Cybersecurity. This is what we kind of do is that we try to externalize the discussion, we involve others hopefully up to encourage our internal communication. 'cause of course it's always the most important factor and we will all agree about that. But see the external need to communicate as a possibility to improve your communication internally. That's my plea. Great closing word.

Again, thank you very much for the lively discussion. And we do a network break so everybody has the chance to walk around to ask further question on the topic to our three panel members. And then I think we will conclude again 10 45 or something like this. Thank you very much.