As the times change and the threats evolve, financial institutions face relentless cyber threats from an ever-expanding number and variety of attack vectors. While individual resilience is important, the heavily interconnected nature of today’s financial services industry demands a unified approach to defense where all participants actively engage in Cyber Threat Intelligence (CTI) sharing for the greater good.
In a recent ThreatQ Cyber Forum session, “The Evolution of Sharing CTI in the Finance Industry,” ThreatQuotient’s VP of Worldwide Sales, Gigi Schumm, moderated a panel discussion exploring how collaborative CTI can strengthen cyber resilience at the strategic, tactical, and operational levels. Experts included Rob Dartnall, CEO of SecAlliance, Rebecca Gibergues, Regional Director at FS-ISAC, and Yann Le Borgne, VP Threat Intelligence Engineering International at ThreatQuotient.
Live audience polling provided real-time insights into attendees’ current focus, benefits, and challenges with respect to CTI sharing.
Following are some key takeaways from their conversation. We encourage you to watch the session on demand for all the details.
Strategic Aspects of Threat Intel Sharing
The financial services industry is at the forefront of threat intelligence sharing, but what is shared, how it is shared, and for what purpose continues to evolve. Beyond sharing indicators so organizations can better defend themselves, other drivers now include compliance and strategic business objectives.
Threat intelligence sharing enhances the ability of financial institutions to comply with legislation including the General Data Protection Regulation (GDPR) and the Digital Operational Resilience Act (DORA), and rules and regulations from the Swiss Financial Market Supervisory Authority (FINMA) and the Saudi Arabian Monetary Authority (SAMA). It also helps to leverage threat intelligence-based frameworks like TIBER.
CTI sharing is also being used as a strategic tool by financial institutions as they look to expand into new markets or regions. Participating in information sharing networks with other organizations that have experience in those areas can provide valuable insights and enable enterprises to proactively put defenses – technologies and processes – in place to mitigate risk.
However, there’s a more fundamental strategic benefit to threat intel sharing: the herd immunity that results. Financial institutions’ supply chains and financial market infrastructures are interwoven, so sector resilience is a prerequisite for individual financial institution resilience. Expanding from machine-to-machine sharing of IoCs to community sharing that also includes best practices improves sector resilience.
Poll Results: When asked how confident they are in their organization’s current level of CTI sharing, 50% said they were somewhat confident, but a concerning 17% said they were very unconfident.
Poll Results: Confidence level in CTI sharing.
To help address strategic concerns around what to share with whom, breaking down communities into smaller groups of interest can lead to more fruitful discussions. Conversations around lessons learned for dealing with attacks, conducting assessments, and other best practices build trust and a multidirectional exchange of information and insights that helps raise maturity levels and improve collective defense.
Tactical Aspects
A lack of confidence in CTI sharing may also be a result of tactical challenges. Taking a closer look at the tactical aspects of intelligence sharing, specifically the how and what, our experts shared advice, including:
Operational Aspects
Poll results: When asked which types of threat intel sharing they believe are most beneficial for the financial industry, 80% of the audience said a combination of communities of interest, private initiatives, and public initiatives provides the most value.
Poll Results: Which types of threat intel sharing respondents believe are most beneficial for the financial industry.
With so many sources of threat intelligence, some of which may be conflicting, how do organizations make the most of it and operationalize it? Our experts recommend the following:
Final Remarks
Poll results: When asked about their organization’s primary focus when sharing threat intel, answers were evenly split between technical details (33%), contextual information (33%), and a balanced mix of both (33%).
Poll results: Respondents reveal their organization’s primary focus in sharing threat intel.
We can all agree that sharing remains foundational to strengthening the financial services sector’s defenses, but clearly there are challenges that get in the way. Processes, policies, and tools are great, but people are essential. These experts can serve as a great resource to help you continue to mature your level of community sharing in a way that meets your requirements and advances the greater good.
Watch the session for more insights and to better understand how they can help.