Security, Bookmarked: Finance (Sponsored Content)

Sep 15, 2024 · 23 min

Episode description

Financial institutions have been a leading target for cyber crime since the dawn of the internet. But phishing schemes have become far more intricate, and cyber heists go beyond stealing money from a bank. JF Legault, Deputy CISO at J.P. Morgan Chase, explains how he leads cyber defense on the front lines of work — and lays out a strategy to transform teams into early detection networks. Then David Adrian from Chrome unpacks how web browsing protections, robust monitoring, and a real-time view of threats can fit into this kind of strategy to maximize resilience to a cyber attack.

This episode is sponsored by Chrome Enterprise.

See omnystudio.com/listener for privacy information.

Transcript

Speaker 1

We can go back to a quote from the Depression era bank robber Willie Sutton. He had this infamous quote that said, like, I rob banks because that's where the money is.

Speaker 2

Old-fashioned bank heists aren't so common today, but modern financial institutions protect more than just money, and finance is consistently in the top three most targeted industries when it comes to cyber attacks.

Speaker 1

There's accounts, but there's also a lot of strategic information with regards to transactions and the likes, and that's what continues to make financial institutions a target for this.

Speaker 2

That's JF Legault.

Speaker 1

I'm Deputy Chief Information Security Officer at JP Morgan Chase.

Speaker 2

As a leader of cybersecurity operations for the bank and its clients, JF thinks constantly about every opportunity that an attacker could exploit, from software bugs to natural disasters.

Speaker 1

Whether the scenario will be a technology outage, whether it be whether a threat actor could use that as a lure. We've actually seen, you know, like fake donation sites. When there's a natural disaster, right, where people are looking to donate to earthquake relief or hurricane relief, the.

Speaker 2

Bad guys are there and by setting up fake disaster relief websites, the bad guys can harvest any credentials that come with those well-meaning donations. This is just one scenario in a bigger trend that JF is seeing, where cyber attackers set traps to compromise team accounts.

Speaker 1

We're seeing more and more threat actors using, you know, search engine optimization to present fake websites. When somebody's doing an online search, the website will come up at the top versus the legitimate one they're looking for, and then they get the ability to deliver malicious software. So that's like a really interesting trend that people should think about. You know, we used to train people to look for phishing based on like grammar and urgency and things like that. That's changing.

Speaker 2

Phishing and browser-based attacks are evolving to catch us where we spend our money, our attention, and our working hours, and as work itself happens more consistently in web browsers, JF sees the role of a cybersecurity leader evolving too.

Speaker 1

I've been doing this for like twenty five years now. That overall evolution, and we used to call it computer security. Network security was very infrastructure focused, and then there was an evolution to information security. You know, when I look at the role today, a lot of it and most of it is really how do you secure a business? And I think that's where strong cybersecurity leaders are evolving towards, is like how do you interface with your business? How do you understand the practices? There's an evolution in a variety of technologies that help bad guys sell. You also need to adapt based on the evolution of just the world.

Speaker 2

From Bloomberg Media Studios and Chrome Enterprise, this is Security Bookmarked. I'm your host, Kate Fazzini. I've been a cybersecurity professional and journalist for over twenty years, and on this podcast, I'm talking with leaders in gaming, finance, and manufacturing about what security looks like in a workplace that's moved to the cloud. Much of what we think of as cybersecurity was pioneered in financial services. In fact, a bank created the first CISO role, and banks invented many of the guidelines that are now standard across a range of industries. According to the IMF, around twenty percent of all reported cyber incidents in the past twenty years have affected the global financial sector. So today I'm speaking with JF about what he's learned as a leader of cybersecurity in finance.

Speaker 1

Really, my role is twofold. One is to represent cybersecurity in the lines of businesses, but it's also to hear where they're heading towards from a business strategy standpoint.

Speaker 2

And I'll find out why he's flipping the script on enterprise security from simply defending the perimeter to transforming whole teams into early detection networks. Then I'll chat with David Adrian, security product manager for Chrome, about how businesses can implement this kind of strategy and set up a strong monitoring system to protect their teams. Going back to the trend of cyber attackers using fake websites as phishing lures, JF talked me through each step of their attack path.

Speaker 1

A lot of it starts with the endpoint. It starts via email or web browsing. Credential theft continues to be a driver of this, and phishing, phishing from two standpoints, either the credential theft that I mentioned, but also delivery of malware via those channels, is normally step one. What we continue to see in terms of exploitation is things like, you know, not having multi-factor authentication on remote access, on remote login, or an element of like push fatigue.

There are multi-factor authentication solutions that send a pop-up, and then people just end up hitting the yes button somehow because they're just tired of seeing it.

Speaker 2

But tricking someone into signing into a website is just the first step, and.

Speaker 1

I think what's important for organizations is that there's multiple steps that are carried out by an actor. I think understanding these attack paths of how actors operate and carry out their activity is hugely important because the more you understand, the more you can design layered control. So what if an actor is able to obtain credentials? Well, those credentials, if you've got multi-factor, they won't work, right? They might get them part of the way, but they won't get them logged in. Let's say they're able to get logged in. Well, actors are going to start carrying out some element of reconnaissance on the network. So how would you detect that reconnaissance, or how would you detect them setting up a foothold on the network? So it's really about as early detection as possible and understanding those early indicators of an adversary being present on the network.

Speaker 2

One of the biggest threats that JF and I talked about was an ongoing rise in ransomware attacks, where attackers don't go directly after a bank's money or even its data. Instead, they try to paralyze the bank itself, which can have serious consequences for the greater business world.

Speaker 1

The financial services ecosystem interfaces with utilities, infrastructure, all of the clearing and settlement, payment providers, the third parties that we rely on day to day.

Speaker 2

And protecting that entire ecosystem at a global scale, that's daunting. So I asked JF how to secure a high-stakes perimeter that goes way beyond the bank vault.

Speaker 1

What's made this so interesting for bad guys is when you look at organizations that have historically stored sensitive information or processed sensitive information, they have been highly regulated, they've had a lot of focus in terms of building up security controls. But by focusing on the disruption, the availability aspect, right, like, ransomware operators are now able to target a variety of organizations that don't store transactional information, that don't store personally identifiable information, and that causes broader disruption, and I think that's why we take our role incredibly seriously in securing the broader financial ecosystem.

Speaker 2

That is a great answer because I think to the consumer or the banker who needs availability, it kind of doesn't matter if it's down because of ransomware or a hurricane. It's just wait, is it coming back up? And what is the alternate?

Speaker 1

Yeah, and I still remember back in my early days, we had one vendor that had a data center in Florida and another one in California. So you basically have a data center in hurricane territory and you have another one in earthquake territory. And you might go like, why is this part of your role to think like site resiliency strategy with clients? Well, our clients operate in a bunch of different industries, and if they can't move money because people can't go into the office and they can't work from home, that has a direct impact on their day-to-day operations if they can't move money. And I think that's why ransomware has had such an impact, because it attacks confidentiality, and integrity and availability, so actually three elements of the CIA triad, and that causes broader disruption, and I think that also gains more focus because organizations are actually stricken as a result of these attacks.

Speaker 2

You know, businesses are always online now, especially after COVID, lots of people working remotely having to be on at all times. Customers expect you to be available at all times. Another source of constant surprises, I imagine, is the third parties that you had to work with, and the hundreds and thousands, maybe hundreds of thousands. So how do you manage resilience when there are all of these other factors in the form of vendors and other companies that you're hinging your operations on? How do you deal with that in terms of resilience?

Speaker 1

You know, you mentioned the pandemic. The pandemic was a vector for adversaries. Everybody was after information for the pandemic, right, so it became a very interesting lure for bad guys to send like phishing emails, set up fake websites. So it became like a lure for social engineering. And then companies shifted very, very quickly to work from home, and by doing so, they may have exposed infrastructure that may not have been as secure as it should be to be exposed to the Internet, and that gave threat actors a path into some organizations, but it also affected business practices. There were organizations that were ready for it, that had been working their resiliency plans for years for pandemics. The financial services sector is one of those areas where it's basically part of our DNA to build out strong resiliency and recovery mechanisms. And our role is to work with our business to rethink some of the controls and get the message out, the awareness message out to our clients. And it gets really interesting when you start to break down resiliency and recovery for organizations as a result of things like a ransomware event.

Speaker 2

Then I am also thinking of vulnerability management, which we kind of never it's not very fun to talk about.

Speaker 1

I think vulnerability management is foundational to everything, right.

Speaker 2

The patching, the kind of day-to-day. You know, there's a lot of talk about alert fatigue, but you have people who need to access the web, who are on their browsers from wherever they are all the time. How do you deal with web browser security? What is sort of the best practices today versus what they were when you first started?

Speaker 1

That's a great question. I get the point around alert fatigue and volumes. But it's really about thinking through the entire life cycle of that attack. So going back to like, how do you drive awareness for employees not to click on links? If they do click, how are you filtering the sites that they're going to that could be malicious? Interestingly enough, most systems that assist in like categorization of websites have a functionality that blocks uncategorized websites, meaning websites that are too new to have a category associated with them, and oftentimes these are the ones that the threat actors have just recently set up to look like a legitimate website that, you know, somebody will click on, and you can actually see a significant reduction of that browsing risk if you're eliminating websites that are too new, that have just been stood up, that have like a certificate mismatch and things like that.

Speaker 2

When you think about enterprise security and finance, and especially about protecting teams, what are the most critical threats that you're watching out for?

Speaker 1

I think there's two aspects to this. We often talk about how do we protect the workforce, but it's also like how do we use our workforce as the first indicator of an attack or of targeting. So you know, one of the things that's like hugely important is how do you mine the reports that you're getting from end users around cyber issues or targeting. We test our employees for phishing on a quarterly basis. The first thing we were doing was we were measuring click rates, and then we thought to ourselves, well, let's start measuring the reporting rate, because what we want to know is if somebody is going to get this, are they going to forward it to us? But then it was also measuring the forward rate, meaning people's reaction often with a phishing email is they send it to their colleagues and they go, is this legit? So they're actually amplifying the adversary's reach by forwarding it to a bunch of people who may click on it who would have never gotten it. So it's really how do you think through the awareness for people with the most common types of attacks, but also how do you turn your entire workforce into early detection sensors where they're reporting what they're seeing to the cybersecurity organization so they can promptly take action on it.

And that is a game changer in the early stages of an attack because people will notice, hey, there's something wrong here. I have never seen this happen before. It might be a glitch, but it also might be a bad guy, a threat actor that's doing something that's absolutely unexpected that just revealed their presence on the network. Organizations need to be ready and continuously adapting to the threat landscape.

Speaker 2

JF's strategy called out the importance of monitoring for potential threats and risky activities, but when monitoring means catching a fake disaster relief website, leaders need to recognize how opening a browser for work shapes people's behavior.

Speaker 3

Security certainly isn't top of mind for most users. Most of the time, they're trying to get their work done, and they're probably also trying to get their life done.

Speaker 2

That's David Adrian, security product manager for Chrome.

Speaker 3

For most people, browsing the Internet may not seem like a big deal, But if you're an administrator for a bank or other organizations that have a lot of customer data, then keeping your employees safe on the web should be even more top of mind.

Speaker 2

He told me how he would approach protecting teams from cyber attacks that take advantage of search.

Speaker 3

Chrome runs a feature called Safe Browsing, which attempts to warn on sites that are known to be phishing, sites known to be malware, and it doesn't reveal what sites that you're visiting. You can opt into a version of it called Enhanced Safe Browsing, which is able to do the checks in real time by sending them back to the Safe Browsing server. That could be a good sort of trade-off to make if you want additional protection against malware and against phishing, regardless of whether they're being phished at work or phished at home on their work device. And in fact, Safe Browsing is like such a popular feature that it's also an open API leveraged by some other browsers.

Speaker 2

So of course you're dealing with data on these vulnerabilities that is at the scale of Google, So you have access to a great deal of very relevant data about vulnerabilities. And not only that, but what of those vulnerabilities can actually lead to a problem.

Speaker 3

Absolutely. Yeah, Google is crawling the web every day for its search engine, and as part of that, it's also seeing malware, and that sort of same crawling is powering Safe Browsing, and Safe Browsing is something that you just get out of the box with Chrome, among other end user features like site isolation. Then we have other features that are built with enterprises and businesses in mind. For example, with Chrome Enterprise Premium, you can implement filters based on website categories that you've defined, and you can get reporting that shows how your teams are handling those filters. So, for example, are people getting fatigued by their alerts and clicking through regardless? Having that kind of information means teams can get visibility into what's happening in their fleet and they can take action based on their findings.

Speaker 2

This is great because one of the big intractable long-time problems in cybersecurity is just a lack of visibility into process and how things are working in the web apps and web browsers, which is realistically how people are actually working today in the modern office workspace.

Speaker 3

Absolutely. And like the old way of looking at this would just be, what programs did you launch? And it'd be like, oh, well, you launched a web browser, and it's like, okay, well, what does that mean? Right? You could have done anything inside of that now, so you need to know what's happening inside.

Speaker 2

Yeah, and thinking about where the work is actually happening, right, because too often, I think in security we've gotten used to looking at the people in a certain way. They're just people making mistakes, people forwarding emails, people clicking on dangerous links. We look at people and see them as weak points. But so we could be treating every one of those people as a point of defense. What do you think about this growing emphasis on resiliency and managing threats, and what is the role of teams in creating that resiliency?

Speaker 3

Yeah, I think this idea of cybersecurity resilience is becoming more and more popular, especially in the financial services sector where the stakes are really high. Breaches are going to happen, and mitigating and responding to them should be something that takes five minutes, not five days or five years. I talked last time about how strong identity is really important. Once you have strong identity, you can start doing access controls and authorization and limiting who has access to what instead of everyone having access to everything. The more that you can do that, and then you can pair that with audit logs. Audit logs are the key to any security monitoring.

Speaker 2

Yes, and whenever you compare different pieces of information that you have, vulnerabilities with audit logs, for instance, you start to get that matrixed view which allows you to take action in a much more meaningful way.

Speaker 3

What you want is that people's regular day-to-day web browsing is instrumented and understood as a baseline, so that when something anomalous happens, it's detected as being anomalous. You can't have an anomaly without a baseline. Ideally, you want that detection to happen automatically, whether that's just because you've, it's something very simple like blocking a copy paste from your CRM and it's some sort of public document, or it's something more complicated about detecting a download from a site that normally doesn't have a download. And then where Chrome Enterprise Premium can really help is identifying the non-standard usages, the anomalies, and remediating those. You can get an audit log of all of the events that are happening in Chrome, all of the user interactions and so on, and that is exposed through the cloud, either directly to you via APIs, or it can integrate with a sort of third party SIEM provider and hook into your security team's workflow to look for anything out of the ordinary, whether that's through integrating with data loss prevention or just more specific rule sets on, hey, this thing looks different than normal. And then in that world, you're not relying on the users to always make the right decision, but you're trying to detect when the users haven't made the right decision or are doing something weird. And then if you've paired that with all of the other best practices, then hopefully your time to mitigation is very fast and it's actually a very low impact event if something bad did happen.

Speaker 2

Yeah, I know, we have so many amazing technology solutions now, but it also reminds me of how difficult it can be for a security team to implement the new technologies that they want to have. And that's where again we go back to the people involved. You really have to have strong leadership who are listening in to their security teams and their experts and able to make the right decisions for the company in terms of what kind of security measures are going to work the best for them and the level of visibility that they want.

Speaker 3

Absolutely, I think that's this move to management becoming something that the security team or whoever is responsible for security, that the management of the web browser or of a phone or of the device is actually a security product, like rather than just an IT product, because all of sort of modern security operations is about identifying who's logging in a web browser and securing that web browser, whether that browser is on a laptop, that browser is on a phone, it's on a company owned phone, or it's on a personal phone. It's ensuring that whatever device the user is going to, some browser signing it on has some minimum security posture. You've strongly authenticated them, you can wipe data if you need to. And all of these things might have previously been something that you'd just been like, oh, that's something that just IT has to deal with for IT related reasons, and it's like, you know, actually, these problems are really deeply central to the security story of a modern workplace as well.

Speaker 2

To learn more about how the most trusted enterprise browser can help protect your organization, visit Chrome Enterprise dot Google. Next time, on Security Bookmarked, I'll talk to Curtis Minder, a renowned ransomware negotiator, about the security challenges he's tackled in the manufacturing industry.

Speaker 4

We have been the manufacturer of this particular product for almost one hundred years, and the way that we manufacture this product and the materials we use to manufacture this product are our trade secret. I am concerned that that information has left the building, and I won't know about that risk for some time until a competitor of mine makes the exact same product in five years from now and puts me out of business.

Speaker 2

Security Bookmarked is a podcast from Bloomberg Media Studios and Chrome Enterprise. Subscribe in your podcast app so you don't miss our newest episode. I'm Kate Fazzini. Thanks for listening.

Transcript source: Provided by creator in RSS feed