Why a lack of collaboration between govt and FSIs is hurting our collective cyber defence – David Fairman, NAB, at the Future of Security
Australian government and private sector collaboration in cybersecurity lags significantly behind global leaders and must progress “a lot further” to boost the collective security posture of both industry and the public sector and to take on new and emerging threats, according to NAB’s chief security officer, David Fairman.
Speaking at the FST Future of Security conference in Sydney, Fairman, who has spent much of the last decade traversing the financial services industries of North America, the UK and Europe, said that close collaboration between government and industry's threat intelligence staff – commonplace throughout each of these regions – enhanced not only the defensive posture of all organisations but also delivered a newfound offensive capability that could “launch… pre-emptive action against known planned campaigns and threat actors.”
Much as a rising tide raises all ships, the combined resources and intelligence of government agencies and private sector organisations ultimately enhances the security posture of all stakeholders.
“Sitting side-by-side with those government agencies’ threat intelligence staff, they’re actively working [with] intelligence and leveraging those large datasets so that fusion capability of one organisation, [is spread] across multiple organisations,” Fairman said.
These collaborative efforts overseas have empowered financial services with a formidable ‘first-strike’ capability, which, according to Fairman, has proved “very effective in… disrupting the operations and planned attacks of sophisticated threat actors.”
The Financial Systemic Analysis & Resilience Center (FSARC) – a cybersecurity collaborative between major US banks and law enforcement and national security agencies, including the Secret Service, the Department of Homeland Security, the FBI, and the NSA – serves as an ideal model for Australia’s own future cyber risk mitigation partnership, Fairman said.
Nevertheless, while we still lack a formal collaborative arrangement, Fairman stresses that dialogue between industry and government continues to improve – thanks, he notes, in large part to the pioneering efforts of the National Australia Bank.
“NAB has threat intel analysts sitting at ASD [Australian Signals Directorate] as we speak to start to build that capability,” he said.
Rise of the machine attacker
With threat actors continuing to boost their resourcing and intelligence-sharing capabilities through automated technologies, so too must industry and government further collaborative arrangements to take on these increasingly sophisticated foes.
“Our adversaries are getting smarter,” Fairman said. “We know that they’re using… leading-edge technologies, we know they’re using artificial intelligence, they’re using machine learning. They’re using this to reduce their cost of entry, to make their speed of velocity of sophistication of their attacks a lot faster and a lot more accurate, which allows them to penetrate and compromise us… a lot more successfully and a lot quicker than what they’d done previously.”
Much of this increased capability has been driven by the criminals’ adoption of the very same AI, machine learning and automation technologies now deployed by many of today’s top banks. This bottomless technology toolkit empowers cybercriminals not only by lowering their barrier to entry, but also by boosting information gathering capabilities, increasing access control and ability to identify points of weakness, and offering a sophisticated array of impersonation tactics – seen through a steady growth in robo email and phone scams.
“[Our adversaries are] much smarter, much more organised and collaborative than probably we are as an industry or as a discipline,” Fairman said.
“We’re seeing typical attacks and how they’re leveraging AI and ML to continuously change the M.O. [modus operandi] and the techniques that they’re seeing in their malware.”
Yet, with banks – including NAB – undergoing “massive technology transformations,” Fairman believes that FSIs must turn the same weapons aimed against them back towards their criminal adversaries.
“The same capabilities that our adversaries are using against us, we should be using against them,” he said.
Fairman believes AI and ML technologies are set to be a "game-changer" for security, transforming reactive defenders into proactive attackers.
“One of the key things for me – and something I think is absolutely transformational for our practice and our discipline – is around how do we use AI and ML to automate our threat hunting capability.”
For a discipline struggling to fill a chronic skills shortage, the ability to deploy predictive AI to take on the time-consuming and productivity-intensive task of threat detection will be a major boon for the industry.
“Any time we have to throw human resources at a problem, that’s a slow cumbersome process, regardless of how effective our cyber defence operations are. Our [human] threat hunters are not going to be quick enough when you think about the advances that our adversaries are using."
During an overseas posting, Fairman worked with a local university to develop an AI/ML-backed automated threat hunting capability using an own internal bot network ‘trained’ by threat intelligence staff. This "machine speed" deployment dramatically reduced the burden on cybersecurity staff and significantly improved the security posture of the entire organisation, he said.
“Rather than me having a team of 10 to 15 threat hunters, now I could potentially have 110,000 endpoints that were threat hunters with a machine learning model that was being trained by those 10-15 threat hunters to perform active defence across our organisation.
“I think those sorts of concepts, if we start to perfect them, will be absolutely game-changing for the cyber defence industry.”
Reaping the benefits of integration
Though the concept has been widely adopted overseas, NAB is, according to Fairman, the first bank in Australia to coalesce their enterprise security teams into a single integrated function – a motley assortment of fraud, cybersecurity, identity access management, investigations, physical security, employee surveillance, whistleblower, executive protection functions, among others.
While Fairman sees some progress among local FSIs to integrate their physical security and cybersecurity, he feels there is considerably more that can and should be done to achieve full consolidation.
“That cross-function operating model is extremely important,” he said.
The ability to fuse these distinct, though deeply interrelated functions – and indeed, the simple act of bringing these functions together in a single ‘fusion centre’ room – “gives you an instant uplift in terms of your situational awareness,” Fairman said.
“The teams start hearing about different events and different incidents that are being actioned and spoken about in one function; but they’re sitting side-by-side, they’re intermingling, and they start to connect those dots. They’re looking at the same data on the screen – and that, in itself, creates synergies that probably before have not been realised.”
This ‘synergising’ process also enables teams to extract better insight from existing datasets and become “little bit more predictive” in their threat-scanning capabilities.
“Being intelligence-led and data-driven, if you bring all those functions together, and you break down the silos between those datasets, put that on a big data analytics capability, [you can] start using AI and ML to identify those unknowns.”
Critically, this 'cyber fusion' concept is relevant not just within the organisation, but on a much grander scale. Indeed, for Fairman, the cybersecurity function has a much broader remit than simply protecting a company's own self self-interest – it is, he stressed, a matter of national consequence.
“I don’t see cybersecurity as just an issue for NAB and me protecting my customers or employees – which is, of course, my number one priority. But I think there’s a bigger issue here, which is around national security.”
There are very real economic and social consequences to corporate cyber breaches, according to Fairman. Cyber attacks targeting Australian firms "have had a direct economic impact of $29 billion over the past year", with more than half all organisations (55 per cent) in Australia admitting to being subject to a cybersecurity incident.
With financial services providing the fuel of our economy – “driving financial system, our GDP, and the growth and economic prosperity of the country” – FSIs have direct obligation to protect and secure their systems for the good of not just their own industry, but also of the wider Australian public.
To protect their collective interests, it is incumbent on financial organisations to collaborate and share their cyber intelligence.
“We should, as financial services, be thinking about how do we contribute to a much bigger ecosystem, and how do you contribute to protecting the overall national security of the country.”
“Imagine what we can do as a community together in terms of how do we fight against our adversaries.”