How To Defend A Bank, Part 1: Fusion Centers

Banks & other financial institutions face a variety of security threats: from state-sponsored cyber-attacks, to smaller acts of fraud, to thousands of random malware attacks from the web. To survive in this hostile landscape, these organizations turned to the military for inspiration.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Sam Curry

Chief Security Office at Cybereason

Experienced Senior Security Executive with a demonstrated history of working in the computer and network security industry: product, engineering, security experience. Extensive publications and patents, big company and entrepreneurial track record. Multiple awards from industry, public sector and academic institutions. Personal mission to fulfill the obligation of security to the world.

How To Defend A Bank, Part 1: Fusion Centers

On March 22nd, 2019, Paige Thompson broke into the databases of Capital One bank. The next day, she walked away with social security numbers, bank account numbers, and other personal information for over 100 million people.

How could one person steal so much information from an institution of this scale? We, the public, have to trust banks with our most sensitive personal data. Yet, something was obviously wrong with how Capital One protected that data. Like a babysitter who lost the kids, Capital One breached the public’s trust.
Except, Capital One’s story isn’t only about corporate negligence. Large-scale cybersecurity, particularly in the financial sector, is much more complicated than it appears at first glance. Banks are huge targets, fending off hundreds of thousands of threats per day. When one hacker manages to slip through the cracks, it tells a small part of a much larger story.

Banks hire people to prevent hacks. Some of them–such as those implicated in Capital One’s hack–have failed miserably. Others have done much better thus far. The approaches they’ve come up with are, in some cases, quite extraordinary.

Capital One

Failures provide opportunities for learning and improvement. Last year’s hack of Capital One provides insight into how not to protect banks against cyberthreats. So what exactly happened?

In this case, Capital One used Amazon Web Services (AWS) to house customer data in the cloud. The data was protected by a Web Application Firewall, designed to prevent common cyber attacks. But Capital One’s firewall was improperly configured, so it didn’t properly validate the commands it received. This vulnerability allowed Paige Thompson to forge a request to the improperly configured servers, and have them exfiltrate all user data.
But only a certain kind of hacker would’ve known about such a vulnerability. The kind of hacker with insider knowledge. Like Paige Thompson, whose most recent job was as a software engineer for AWS.

[Sam] “It’s the old quis custodiet ipsos custodies, who watches the watchers in Latin, right?”

Sam Curry is the Chief Security Officer at Cybereason and a frequent guest on our show.

[Sam] “It’s the who guards the guardians and at some point, you’ve got to trust someone. I hear Zero Trust bandied about this language a lot. Zero Trust is truly difficult to get. I think of it like in calculus as a limit. As you approach Zero Trust, the security gets better. It also gets incredibly difficult and expensive to do. So former employees are a big source of weakness. The only way you can really secure against that is to put in some checks and balances, to segment what they have access to and this costs money. It can impede business. This was embarrassing to both Capital One and to Amazon. That it’s very difficult to secure especially former employees their knowledge. You can’t exactly scan their brain and say, “What do you know about this place and how might you use it?”

Because the Capital One hack really was so seemingly straightforward–one hacker, one company, one software vulnerability–it made for a good news story. Also, of course, because it affected so many people. Our own Senior Producer, Nate Nelson–who, you may remember, fell victim to the Equifax hack only two years ago–is a Capital One customer. He’s only 24 years old, which means he’s really only had “hackable” personal accounts for around five, six years. That’s one breach every three years. Not a good rate for someone who produces a cybersecurity podcast!

It would be easy for someone like Nate to get angry over a story like this. In fact, he informs me, he very much has. But even if the Capital One story were so clear-cut, there is a danger in reducing major cybersecurity events down to simple terms.

[Sam] “Well, the temptation is always to look for failures, to blame someone and in the end, somebody has to be responsible whether or not there’s negligence. I think the most important thing is number one, we weren’t there. Nobody on the outside of the Capital One breach was – really knows what it was like unless you were in the moment. The details are important.”

The root causes that allowed such a simple hack to occur involve many moving parts–employees, teams, ideas, and software–fitting together in a complex web. Understanding how to stave off a major corporate hack is something that eludes most who haven’t had firsthand experience in the field.

Threat Landscape

Luckily, Sam Curry has experience in the field – and he’ll be our guide in understanding the threat landscape for financial institutions.

[Sam] “Well, the first thing I do is I would characterize threats broadly as two sets that partially overlap. The first set is fraud and this is very specific channels. In fact in most banks, the line of business is ahead of the IT security group and it’s a real number on the P&L. They say here’s how many basis points of loss we faced in this channel. It could be ATM. It could be ACH, Swift. It could be any number of ways the bank does business with the public and they think about it in a channel-specific way.

That’s fraud and in that set, we could think of it like organized crime. It’s logical. Game theory applies. We can predict the moves those people will make.

The other side is because banks are part of critical infrastructure, they’re also targeted by non-financial attacks. What I mean by that is it’s not dollars per hack. It might be economic motivation. It could be – think of nation states and hacktivists that have an ethos, an agenda like cyber-terrorism, meaning terrorism that uses cyber as a means of achieving ends.

That in that set, you’ve got people who want to undermine the legitimacy of banking or the system, who want to deny availability of services and violate integrity of the people there for its own sake to pursuing non-financial rewards, some other goal. So banks now deal with both in ways that 10 years ago they were focused on the lines of business, were focused on cybercrime and fraud. Now they’re worried about all the actors.”

Here we have two paradigms of cyber threat: smaller individual acts of fraud, and larger, existentially threatening forms of cyber attacks. But not all financial institutions face equivalent threat landscapes. Capital One faces every kind of potential attack from every possible direction. A regional bank in a medium-sized town probably won’t have to concern itself with the prospect of a nation state attack.

[Sam] “Well, the ways that banks prepare themselves for breaches and a way that they prepare themselves for attacks various enormously by size. It varies by who their customer base is. It varies by geography and really by the maturity of the organization itself and I mean security maturity.

So for instance a very large bank that services perhaps military is going to be very, very sensitive to security in a very mature organization. A small regional bank that does a lot of outsourcing of its IT is going to be very different from them.

That’s where someone abuses the channel to get money out. But the identity itself hasn’t been compromised. They haven’t lost credit card numbers or PII, Social Security numbers or account numbers. It’s just hey – it’s the same as if an ATM had got – smashed open and money stolen. No identity is at risk from that. No vital data has left the system.

While major corporate data breaches are certainly bigger stories, fraud is also serious, and it can sometimes occur at scales that make it a real, structural concern for banks and credit card companies. the biggest risk I’ve seen in my experience over the years has been an insider risk, bringing a back around to the Capital One incident, right? That a trusted employee has had an issue and therefore has become a risk, either blackmail or bribery.

I spoke with a large bank who has operations in Latin America and the head of security from that bank said to me once every time something happens that’s a little unusual, like an employee has died. I have to go and make sure that it wasn’t a homicide because very often there’s a paper trail and there’s money missing. Someone like a teller in a bank could in fact be somebody getting shot because they had their access and a million dollars is missing. He used to be a police officer for a very large police department. He said he had solved more crimes for the bank involving homicide than he ever did as a detective, which to me was quite telling. It’s the turned insider whether of their own volition or because of external pressure.”

Paige Thompson was an insider threat–someone with knowledge of the systems she was attacking, because she’d been trained on how to use them. Still, we’d place her in the second bucket of threats that Sam described earlier. She was a sophisticated attacker motivated not by petty financial gains, but by a political agenda. Her goal was not to steal any given person’s money, but to undermine the integrity of Amazon and Capital One.

Large Volumes

Paige Thompsons, and especially nation states, are the most formidable foes a company must face. But the overwhelming majority of finance sector security–by sheer volume–doesn’t concern hacktivists or foreign actors. Major institutions have the unfortunate task of having to fend off tens or hundreds of thousands of smaller-scale cyber events every day.

Last Spring, a New York Times reporter visited Mastercard’s cybersecurity headquarters. In the 24 hours leading up to her arrival, MasterCard had logged 267,322 potential cyber threats. That’s about three per second. In the time it took me to finish this sentence, Mastercard has fended off approximately 15. In the past year, they’d have logged somewhere around 100 million.

The majority of threats Mastercard faces in a day won’t be serious, and won’t involve humans actively typing in code on the other end. Much of these are loose programs hopping around the world, looking for host bodies. That doesn’t negate how potentially dangerous they can be—think ‘Conficker’ and you have some idea of the risks in even non-targeted malware. This also doesn’t take away from just how many real people really are working diligently to break into major financial companies.

So whereas “cybercrime” tends to evoke images of an individual, hooded figure at a computer screen, for Mastercard, Capital One and other major finance companies, this image doesn’t do justice. Defending major corporations in cyberspace doesn’t resemble how police defend against criminals out on the street. Fighting 250,000 threats per day is more like trying to stop a tidal wave from flooding a beach house.

[Sam] “Certainly what the most sophisticated banks are doing is really leaning in. They’ve got advanced prevention. They have segmentation in their network. They’ve got disaster recovery down really well. They’re very resilient and then they got a detection mindset. They got people that are saying, OK, let’s presume everything is beaten.

In those organizations, there’s a dialogue and an understanding of security risk happening at the highest levels in the bank. The board level and at the senior management level. They’ve probably been burned a few times and they have an iteration.”

The threats facing Mastercard and Capital One are diffuse, fluid; to beat them, one must implement a large-scale and uniformly secure wall of defense.

Fusion Centers

That includes huge financial investment and government intelligence agency-levels of secrecy. It’s why so many major banks and credit card companies are modeling their security infrastructure after the military.

[Sam] “The bigger banks, the international centers for banking, their sophistication rivals the defense industrial base and in fact many of them recruit CISOs and security executives from three and four-letter agencies depending on the country you’re in.”

Consider O’Fallon, Missouri. It is a pretty place, about 40 minutes’ drive to the center of St. Louis. The population is just under 80,000, forming the seventh-largest municipality in the state. Attractions in O’Fallon include Fort Zumwalt Park and CarShield Field — a stadium you could easily mistake for an Applebees. Beneath those “attractions” sits one windowless, underground bunker.

The bunker is the brainchild of Matt Nyman, a veteran of Delta Force–the single most highly-trained U.S. military unit next to Seal Team 6. Nyman used to work in Iraq and Afghanistan. Now he works in O’Fallon. In an interview with the New York Times, he explained why. Quote: “This is not that different from terrorists and drug cartels. Fundamentally, threat networks operate in similar ways.” End quote.

Nyman equates cybersecurity with military strategy, and that perspective seeps into his work. His team mimics a military intelligence unit. He commands his team of MasterCard security professionals with the experience and deft hand of an army captain.

The O’Fallon bunker is officially referred to as a “fusion center”. The Department of Homeland Security first devised the concept of “fusion centers” after 9/11. They were designed as hubs for crime-fighting and intelligence sharing. And they worked very well, very quickly. Because different kinds of officials were brought together from different agencies and departments within the government, information flowed quickly and efficiently. According to Nyman, where the government used to conduct around three counter terrorism operations per month, with fusion centers in place, they could conduct ten in an evening.

Now fusion centers play a similar role in the financial sector–as a place where IT personnel of all kinds come together to combat cyber threats in real-time.
Mastercard’s fusion center was built in the Fall of 2017. It consists of rows of desks with two computer monitors each, all facing one end of the room, where three flat screens display data feeds, social media, news streams, graphs, and world maps. One wall separates the fusion center with Mastercard’s larger Security Operations Center. That wall is designed to be able to slide out in crisis cases, where even the mere distinction of having no wall in place is critical to facilitating teamwork and rapid response.

Those who work at the center handle both fraud prevention and company-wide security. In an interview with Security Magazine, the company’s CSO, Ron Green, explained that the O’Fallon bunker is much more than a hot room full of IT guys.

“The Fusion Center actually pulls together teams from across Mastercard, so it’s not just security, and when something happens, we have all the right people there at the same time [. . .] Stakeholders in the Fusion Center include Intelligence, Corporate Resilience (including crisis management, business continuity and technical recovery), Corporate Security (vulnerability management, corporate security and investigations), the Security Operations Center, Account Data Compromise (which leads investigations after a customer breach), Fraud Intelligence and more.”

Even non-security personnel have their role in the fusion center. We know that whenever a major cyber incident occurs, it doesn’t just affect the folks in the control room. Lawyers have to deal with the fallout. Customer service representatives have to liaise with affected customers and clients.

All of these folks meet in one place: experts with different skills, backgrounds and jobs all communicating, informing and helping one another towards one, common goal. The result is that information flows fast, and informed protectionary actions are executed more quickly than they ever could have been before.
It’s what allowed Mastercard, in only the first quarter of 2018, to prevent approximately 15 million dollars worth of potential fraud. Most major financial institutions now have these kinds of centers, because they’re so useful. U.S. Bank’s Cincinnati fusion center predates Mastercard’s. Visa’s Virginia-based fusion center quickly inspired the company to build more: one in the U.K. and one in Singapore. Other institutions have also taken an international approach. Mastercard, in addition to its O’Fallon location, runs a fusion center in Waterloo, Belgium, and as of 2018, was developing plans to add locations in Singapore and London.

These facilities require high levels of kinetic security–no windows, locked doors, external drives vetted before entering the premises–so that sensitive data doesn’t leak out, and harmful malware doesn’t seep in. On top of its literal application, approaching cybersecurity with a military mindset sets a precedent that can influence an entire organization. The Times reporter, in visiting O’Fallon, recalled that, quote: “The centers also have a symbolic purpose. Having a literal war room reinforces the new reality.” End quote. Mastercard, Visa, and major finance companies around the world are building militarized fusion centers because they take cybersecurity seriously.

A Potential For Chaos

Bank of America spent 600M dollars on cybersecurity in 2018, and it’s the only department in the company that operates without a budget limit. Yet, while writing a blank check demonstrates a level of dedication, it is not itself a solution.

In the early-to-mid 2010s, Equifax invested millions into building its cyber operations hub, just like Mastercard, Visa, and others. They outfitted their facility with highly sophisticated anti-intrusion software tools and staffed it with respected industry personnel. But management was poor, the software wasn’t used effectively, and the security team started to thin out early. Then, in 2017, Equifax became the victim of arguably the most severe data breach in world history. If you’re interested, we dedicated two episodes of Malicious Life to that story. We weren’t exactly kind to them in those episodes. Anger, frustration, and apathy were in abundance in that story. We brought our producer Nate onto the show just to say things that I, as a neutral podcaster, could not.

Was that fair? On one hand, yes: any company in possession of so much sensitive data as Equifax can’t have any excuses for losing it all. On the other hand, it was revealed just this week that the hackers in that story–as we speculated at the time–were Chinese military officials: highly-trained individuals with government resources at their disposal. With an attack of such sophistication, it’s possible that no amount of preparation would have been enough.

This is that second group of threats Sam Curry was talking about. When your adversary is just better than you, and no matter what you do, chaos will ensue. What can financial institutions do in order to prepare for such chaos? That question will be the focus of our next episode, How To defend a bank, part 2. Stay Tuned.