
Director General of Information Technology, Chang'an Bank
With the development of financial technology, the emergence of diverse technology-driven financial innovations and the close integration of traditional banking with emerging internet technologies have transformed banking business models and service channels, but at the same time they pose a growing information security threat. Large banks, with their heavy investment in technology, have kept their information security at the leading edge; by comparison, the informatization of small and medium-sized banks lags significantly behind business development needs, and their information security management carries greater risk.
Difficulties and challenges in information security for small and medium-sized banks
First, there is a shortage of technical personnel and an over-dependence on outsourced service providers. Small and medium-sized banks lack the technical staff and capability to master core technologies quickly, especially in information security, and to handle sudden information security incidents in a timely manner. Their weak technology base leads to reliance on outsourced providers for the maintenance of core business systems. At the same time, they often lack outsourcing risk controls, so irregularities in outsourcing give rise to risks of varying degrees.
Second, the information security issues of online business are prominent, but protective capability is weak. Small and medium-sized banks move their business online at roughly the same pace as large banks, but their capacity to remedy deficiencies differs considerably. The sharp increase in online business at small and medium-sized banks also means that their security exposure has grown. In the era of internet finance, hackers are no longer constrained by time and place, which exposes small and medium-sized banks to more forms of attack and makes information security even more critical.
Third, the low degree of coordination in defence systems prevents effective warning of new types of attack. The banking sector has become one of the most important targets in the advanced persistent threat (APT) attacks disclosed so far, and security incidents caused by APTs are on the rise in banking. However, most small and medium-sized banks' defence systems focus on single-point defence, with no linkage of information between devices, and cannot provide a higher-level early warning of new and zero-day vulnerability attacks, which makes it harder to grasp the overall security posture.
Fourth, the information security system is inadequate, particularly in business continuity and asset management. Small and medium-sized banks began computerization late and have focused only on raising their level of informatization while neglecting the overall construction of an information security system. Their plans for building an information security system and their implementation strategies fall short of industry standards in both quality and content, particularly in business continuity and asset management.
Recommendations for information security responses for small and medium-sized banks
1. Strengthen the technical workforce and the capability for outsourcing control
First, promote medium- and long-term professional skills development to improve the quality of technical personnel and build up the bank's own technical workforce. Second, further address IT outsourcing risks from the market, technology, commercial and strategic angles, and through sound access control, confidentiality, prevention and product testing. Third, clarify incentives so that staff are motivated to master core technologies quickly and reliance on outsourcers is reduced.
2. Move risk control forward and strictly implement the “three synchronizations” principle
First, introduce attack-mitigation measures at the design stage, embed security elements throughout the entire life cycle of information systems, and require strict compliance with the “three synchronizations” principle (security planned, built and put into operation in step with the business system) before systems go live. Second, implement a regime of regular assessment of online business systems, change assessment and business risk-control system assessment to keep risks under real-time control.
3. Emphasize “knowing yourself as well as the adversary” and build early warning systems
From the perspective of “knowing yourself and knowing the adversary”, strengthen the “know yourself” capability and build a holistic early warning system. Such a system breaks down information silos, introduces external intelligence, and uses big data and correlation analysis techniques for early warning, so as to minimize the impact of attacks.
4. Implement security accountability and build the information security system in phases
First, strengthen the security organization, assign responsibility for secure operations and minimize operational risk. Second, ensure that security planning is consistent with strategic and business development, advance the building of the security system step by step, and lay a solid security foundation at every stage.
While advancing these information security responses, small and medium-sized banks should ensure that an early warning system is built as a basic guarantee of information security. In March 2018, Chang'an Bank completed the development of an information security threat management and early warning platform (the “platform”), which enabled the bank to evolve its passive defence system into a proactive early warning system. As the early warning system continues to improve, the platform is able to defend against known threats and to prepare for unknown ones, providing a solid guarantee for the smooth operation of information systems.
Practice of an early warning system for information security threats
As a small and medium-sized bank itself, Chang'an Bank has actively explored an information security threat early warning system and platform construction suited to small and medium-sized banks. The construction steps, effectiveness and experience of the platform are described below.
1. Steps to build the platform
Following the principle of integrated planning and step-by-step implementation, we divided the platform construction into six phases.
(1) Information interaction phase. The objective at this stage is to enable security analysts to retrieve, search and interactively analyse data quickly, so that they can check and locate vulnerabilities rapidly with less dependence on individual technical skill.
(2) Boundary access early warning phase. The objective at this stage is real-time early warning of abnormal access attempts to breach network boundaries and security domains, ensuring that an alert is triggered whenever such a breach is attempted.
(3) Application-zone access control early warning phase. The objective at this stage is real-time early warning of abnormal cross-zone access at the application level, combining rules and aggregation to form correlated alerts, so that an alert is raised when a lower-security-level application attempts to attack a higher-security-level application.
(4) Log behaviour early warning phase. The objective at this stage is to analyse the behaviour reflected in logs and, using normal-behaviour baselines and finite-state models, to warn of operations that go beyond routine activity, so that attackers are accurately detected when they expand the attack laterally.
(5) Business data-flow early warning phase. The objective at this stage is to analyse the behaviour of data flows, identify deviations from normal data flows caused by an attack in progress, and enhance APT early warning capability.
(6) Attack feedback phase. At this stage the attacked target can stop or respond to the attack as directed by the platform, ensuring the target's safety.
2. Effectiveness of platform construction
The platform has initially established a proactive early warning system based on information sharing, joint detection, proactive discovery and overall threat assessment, with the following results.
(1) Multi-source heterogeneous data integration. Using big-data-based multi-source heterogeneous data integration techniques, the platform collects, models, filters and aggregates large volumes of multi-source heterogeneous data. It has normalized log formats that previously only specialists could read into standardized logs. This improves the accuracy of analysis sources and reduces dependence on individual skills. The platform currently supports the collection of 31 types of logs, covering servers, network and security equipment.
(2) Improved information security operations efficiency. The platform uses automated linkage and intelligent analysis techniques to shorten vulnerability-handling windows and daily inspection time, improving the efficiency of operations and maintenance (O&M) staff. First, as the core hub of O&M work, the platform can run a one-click device inspection, cutting inspection time from 2-3 hours to 6-7 minutes. Second, within the window between a vulnerability's disclosure and its exploitation, the platform can, within minutes, automatically link and analyse security incidents, vulnerabilities and assets, giving O&M staff precise asset location and vulnerability remediation guidance.
(3) Improved identification of unknown threats. Using artificial intelligence algorithms such as random forests and finite-state automata, the platform analyses network traffic and log sources, manages previously fragmented protective systems in an integrated way, and further improves threat identification accuracy. To date the platform has assisted Chang'an Bank in the early warning and handling of 164 security incidents, including cryptomining trojans, the WannaCry ransomware and the OpenSSL Heartbleed vulnerability affecting HTTPS.
(4) Strengthened capability to manage and use threat intelligence. Threat intelligence is an effective complement to traditional defences; drawing on its understanding of internet threats, it helps O&M staff identify threats better. During the 70th National Day anniversary period, the platform automatically issued early warnings of malicious attacks from 19 IP addresses, which made 123385 attack attempts; by blocking these IP addresses in time on the basis of threat intelligence, “zero” security incidents were achieved.
(5) Intuitive decision support for management. The platform assesses Chang'an Bank's overall cybersecurity from a macro perspective and provides decision support for our security planning. First, security alert incidents have gradually declined since December 2019, indicating that the next stage of the platform requires new analysis sources or refined analysis rules. Second, changes in our threat posture during key security-assurance periods guide later assurance work: during the 70th National Day anniversary period, attacks were concentrated on September 30, at 14:00-16:00, rather than on National Day itself, while during the 2020 Two Sessions period attacks were stable, with no significant change in early warning events compared with other times.
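The platform phases above (boundary and zone access early warning, log-baseline early warning) and the effectiveness items (heterogeneous log normalization, threat-intelligence matching) can be illustrated in miniature. This is an added example written for this page, not Chang'an Bank's platform code; the two raw log formats, zone hierarchy, threat-intelligence set, baseline threshold and sample log lines are all constructed.

```python
import re
from collections import defaultdict

# Constructed zone hierarchy: a higher number means a more sensitive security domain.
ZONE_LEVEL = {"internet": 0, "dmz": 1, "office": 2, "core": 3}
# Constructed threat-intelligence feed: source IPs known to be malicious.
THREAT_INTEL = {"198.51.100.7"}
# Constructed behaviour baseline: one source normally reaches at most this many core hosts.
BASELINE_MAX_CORE_HOSTS = 2

# Two raw log formats (constructed): a firewall key=value line and an application JSON line.
FIREWALL_RE = re.compile(r"src=(\S+) dst=(\S+) szone=(\w+) dzone=(\w+)")
APP_RE = re.compile(r'"src": ?"([^"]+)", ?"dst": ?"([^"]+)", ?"szone": ?"(\w+)", ?"dzone": ?"(\w+)"')

def normalize(line):
    """Map either raw format onto one common event schema; return None for unparseable lines."""
    m = FIREWALL_RE.search(line) or APP_RE.search(line)
    if m is None:
        return None
    src, dst, szone, dzone = m.groups()
    return {"src": src, "dst": dst, "szone": szone, "dzone": dzone}

def analyze(lines):
    """Run three correlated rules over the normalized events and return sorted alert tuples."""
    events = [e for e in map(normalize, lines) if e is not None]
    alerts = set()
    core_targets = defaultdict(set)
    for e in events:
        # Rule 1: the source address appears in the threat-intelligence feed.
        if e["src"] in THREAT_INTEL:
            alerts.add(("threat_intel", e["src"]))
        # Rule 2: access from a lower-level zone toward a higher-level zone (boundary/zone escalation).
        if ZONE_LEVEL.get(e["szone"], 0) < ZONE_LEVEL.get(e["dzone"], 0):
            alerts.add(("zone_escalation", e["src"], e["dzone"]))
        if e["dzone"] == "core":
            core_targets[e["src"]].add(e["dst"])
    # Rule 3: baseline deviation suggesting lateral expansion inside the core zone.
    for src, hosts in core_targets.items():
        if len(hosts) > BASELINE_MAX_CORE_HOSTS:
            alerts.add(("lateral_spread", src, len(hosts)))
    return sorted(alerts, key=str)

SAMPLE_LOGS = [  # constructed sample lines in the two formats, plus one unparseable line
    "Jan 5 14:01:02 fw1 src=198.51.100.7 dst=10.1.0.5 szone=internet dzone=dmz action=deny",
    "Jan 5 14:01:09 fw1 src=10.1.0.5 dst=10.3.0.10 szone=dmz dzone=core action=allow",
    '{"ts":"2020-01-05T14:02:00","src":"10.3.0.20","dst":"10.3.0.11","szone":"core","dzone":"core"}',
    '{"ts":"2020-01-05T14:02:01","src":"10.3.0.20","dst":"10.3.0.12","szone":"core","dzone":"core"}',
    '{"ts":"2020-01-05T14:02:02","src":"10.3.0.20","dst":"10.3.0.13","szone":"core","dzone":"core"}',
    "garbage line that no parser understands",
]
```

Calling `analyze(SAMPLE_LOGS)` yields one threat-intelligence alert, two zone-escalation alerts and one lateral-spread alert, while the unparseable line is dropped at the normalization step rather than silently polluting the rules.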
3. Platform construction experience
In building the platform we have accumulated some experience. First, the construction of a defence system must be design-led, making full use of the “home-field advantage”, strengthening the “know yourself” capability and identifying abnormal behaviour by profiling normal behaviour. Second, building an active defence system presupposes that the institution already has basic infrastructure security and defence-in-depth capability; otherwise the platform will rely heavily on expert rules and remain in a “passive compliance” mode. Third, in the early stage of platform construction the principle should be to invest more in big-data integration technology (the traditional batch-processing approach based on sliding windows is certainly not feasible) and to use intelligent technologies sparingly; once the first-phase construction targets are met, it is recommended to upgrade threat management, early warning and automated response capabilities in combination with non-a-priori knowledge. Fourth, the platform should be built on the basis of leadership accountability, with weekly reporting and the redeployment of staff from business lines to form an emergency response team that closes the loop on issues. Fifth, rules should be optimized and refined in phases following the principles of “first things first” and “step by step”. Sixth, local high-risk attacks should be alerted on separately rather than only within a macro-level profile.