How to build a Cyber-resilient future | Business and Politics

Maybank Chief Information Officer Marlon Sorongon talks about cyber resiliency and how to cope during a cyberattack or breach in online security. He stressed the need for preventive solutions to fight cybercrimes.

Transcript
00:00 For our next speaker, it is my pleasure to introduce Mr. Marlon Sorongon.
00:05 There are two types of organizations that exist in our cyberspace, no?
00:11 In this very challenging cyber-threat landscape.
00:14 The first organizations are the ones who have experienced a cyber-attack and have experienced costly breaches.
00:24 When I say costly breaches, it could impact NPC, data privacy and security breaches.
00:29 The second organizations are the ones who are expecting to be attacked, or to successfully encounter a cyber-attack which could compromise their systems.
00:41 And eventually lead to a potential fine, regulatory and some other worse impacts, no?
00:48 In terms of infrastructure and systems failure and downtime.
00:53 So which organization or company do you belong to, guys?
00:59 It could be your company, my company or everyone else's organization.
01:05 Again, good afternoon. I am Marlon Sorongon.
01:08 I am the CISO of Maybank Philippines and formerly a CISO also of Maybank New York but due to circular guidance released by BSP, I was forced to leave the post.
01:20 My topic for today is about cyber resiliency.
01:23 How to cope during a crisis of cyber-attack and incident that could adversely impact your infrastructure and systems.
01:35 We cannot discount it, and we can always see it everywhere else: in newspapers, conferences, even in panels or sessions.
01:50 Left and right, ransomware; even if you recall what happened to PhilHealth, how there were data breaches and they were summoned by NPC, DILG and DICT to explain what had happened.
02:04 Not only PhilHealth, there are several banks that were also affected.
02:08 Our challenging word, I mean the most challenging part of an organization, is to help counter these common attacks which we are most concerned about.
02:24 So number one is ransomware.
02:28 Ransomware is simply like when you encountered a virus in the past; it just destroys the system.
02:38 10 to 15 years ago, the motivation of attackers was simply to slow down your system, infect your system with a virus and a Trojan, but they were not stealing your money.
02:51 Right now it's different. The intention is to infect your system with malicious software; then when you open your system, you see a ransomware message asking you for money.
03:02 Because if you cannot pay a ransom, they will publish your information on the dark web.
03:07 Dark web is a different type of gameplay.
03:12 This is information that was normally accessed without authorization and was provided by hackers with the intention of inflicting damage on the organization due to regulatory or compliance issues.
03:27 Number two is malicious insiders. These are common among banks.
03:31 That's why it's important that we do a background investigation per employee, because they can collude with attackers.
03:39 And if I can just share something, there was also a post in dark web.
03:46 They are asking an information security professional working in a bank, or a CISO, to collude with them, and they are going to give them 2 million dollars.
03:56 Imagine the pay, the money that will be given to the CISO just to collude with those attackers.
04:05 So it is very important to do or conduct some due diligence on your employees.
04:12 Before you hire someone, make sure that they are cleared, do a background investigation, and check their previous employer's history.
04:22 Social engineering fraud is also one of the most challenging day-to-day things that we always encounter.
04:34 During our review of our top risks, fraud risk is one of the top risks that our board commented should be invested in heavily in terms of security automation and integration.
04:51 Later on, I will explain much more about these controls and technologies.
04:55 Third party supply chain is about vendor management.
04:59 We have partners, we have vendors that work together to make sure operational sustainability within banks is achieved in a more resilient and stable manner.
05:12 So it is also important to conduct due diligence on them.
05:16 These are the most common kind of cyber challenges that we encounter.
05:21 Now, allow me to give you some valuable insights on how to overcome these challenges by introducing a cyber resilient structure or strategy.
05:33 Our current cybersecurity threat landscape remains dynamic and challenging.
05:43 There are several adversaries that have already emerged.
05:46 Imagine the introduction of generative AI and machine learning.
05:50 They are using AI to introduce a more sophisticated attack.
05:54 Using AI, you can simply automate an attack and it can generate simple phishing or spear phishing in seconds.
06:04 For example, I can ask AI, "How can I send a phishing email to Manila Times?"
06:12 It can generate an answer in seconds.
06:15 Then, "Can you help me create a phishing email?"
06:20 Like, I'm an employee of Manila Times sending to all employees of Manila Times that they are not going to receive a bonus.
06:31 So imagine, if you receive that kind of email that you are not receiving a bonus, you will panic.
06:39 It's a behavioral and psychology kind of attack.
06:42 Definitely, some of you will click the link.
06:45 It's just an example, but it's effective, by the way.
06:49 Creating this kind of sophistication will make our work difficult if you're not prepared or you're not anticipating these kinds of threats.
07:06 Information security professionals are heavily investing, especially in banks.
07:11 We are what we call the trailblazers.
07:14 I know Sir Lito is a trailblazer in terms of digital transformation, not only in financial but in our country.
07:24 Historically, banks, because we are heavily regulated by BSP, introduced first-class technology to put in place controls to help combat security and fraud attacks.
07:46 But, DXC Technology, this is just information that I captured from an article in a weekly IT magazine.
07:56 Resiliency cannot be achieved by creating process and technology alone.
08:00 What makes an organization resilient is the people
08:06 in charge of its assets and its data. I believe firmly that there are three pillars that we need to maintain.
08:14 To make it stable, you have to put balance in those three pillars.
08:19 The people, the process, and technology.
08:22 They always equate.
08:24 Without people, no one will manage your process and your technology.
08:28 Without technology, people can no longer use tools.
08:33 They cannot utilize tools to support these processes.
08:36 Without processes, you don't have standards or policies
08:39 that you need to follow so that you can define a universal set of practices.
08:43 So, this should equate.
08:45 So, it's like triangular kinds of pillars.
08:49 In terms of transformation, these three pillars as well are important.
08:53 Now, to become more resilient, there's what we call reactive strategy.
08:59 Sorry, proactive strategy.
09:02 So, we try to transition from reactive to proactive strategy.
09:07 It becomes a more status quo kind of process.
09:13 Now, as a result, the financial industry started to look for more effective ways on how to become more resilient.
09:30 I recall in the past, there were so many manual processes that we did in banking.
09:36 Especially, patch management, firewall review, enterprise, sorry, there's no enterprise architecture yet.
09:43 IT architecture and security architecture.
09:48 So, to simply define, it's like you're designing a building that has security in place before you build that building.
10:00 So, right now, we call it security by design.
10:04 So, these are some of the things that health has allowed.
10:10 Identify our organizational profile in terms of being a resilient organization.
10:18 So, what's the benefit of being a cyber resilient organization?
10:25 Sorry, please bear with my throat. I'm having a problem.
10:29 So, these are the benefits of a cyber resilient organization, of course.
10:35 Now, in banking, sometimes we tend to innovate and introduce something that would allow our client to be more interested in our products.
10:51 But somehow, when we try to innovate and introduce these transformations, we compromise a lot of things.
11:03 Especially the security.
11:05 But of course, these kinds of initiatives, we can always put balance in that by simply looking at strategies that won't compromise customer centricity.
11:17 So, it is important that while you innovate, you introduce products and attract customers, do not compromise controls.
11:25 Why? Because we also tackle several areas.
11:30 We want to reduce financial losses by combating fraud.
11:33 We also want to achieve legal and regulatory compliance, like BSP, NPC, DICT.
11:41 Then, we also want to improve our security culture and internal process and protect the bank's reputation.
11:48 So, what is our focus right now?
11:53 To become more resilient, we focus more on better detection and proactive strategy, which is a key part of our cyber resilience program.
12:02 So, later on, as I move forward with my presentation, I will introduce some strategies that allow you guys, once you go home,
12:18 to decide whether what I've said is really something that you have to perform in your organization or put in place in your company.
12:29 But before I proceed, let me just describe to you what is cyber resilience.
12:34 Cyber resilience, according to the World Economic Forum, which I got from the article, 2022 version, is the ability of the organization to anticipate, withstand, recover from, and adapt to any stress, failures, hazards, and threats to its cybersecurity resources within the organization and its ecosystem.
12:58 In short, just remember these four words, anticipate, withstand, recover from, and adapt to.
13:06 In my personal opinion, it's like a company's grit. Grit is your ability to recover from any challenging situation.
13:16 Once you encounter that, you know how to do something, you know how to improvise, and later on, recover from it.
13:25 That's what we call cyber resiliency.
13:28 Now, it has so many aspects. It also needs a holistic approach from top to bottom.
13:37 I'm not trying to tell everyone here that what I'm doing in Maybank is perfect, but based on my 20 years of experience, these are the most common strategies that we put in place, not just in finance, but also in other industries.
13:57 And I know some security practitioners know this well.
14:04 So how to achieve a cyber resilient culture? This equates the three pillars. It includes the people, technology, and the processes.
14:15 The first thing that you have to put in mind is always invest in technology. Why?
14:21 A big chunk of our cybersecurity controls are driven by technology.
14:29 It's like an anti-virus manual. Normally, it's automated. When it comes to automation, only IT can support it.
14:37 When it comes to IT, it's technology-driven.
14:40 Then, the so-called firewall, IPS, and other technology devices that allow us to put controls and evaluate our security risks, those are driven by technology.
14:55 Next is Crown Jewels, the continuous risk assessment, cyber incident response, awareness, risk management, crisis management, governance and third-party risk management.
15:09 These are areas that I would say are critical for the organization to make them resilient in terms of cyber attack and incident response.
15:21 Let me give you a brief concept of what those technology tools are that I was referring to earlier.
15:29 Invest in technology and adopt a zero-trust principle. Zero-trust is a bit new. When you say zero-trust, don't trust anyone unless they are verified and validated.
15:41 Then, combine technology controls such as multi-factor authentication.
15:49 Authentication simply means: once you're authenticated, you ask again for another level of authentication.
15:56 That's what you see sometimes, OTP or SMS, an additional verifier to allow you to access something.
16:06 That's what we call MFA, multi-factor authentication.
16:09 Email and web filtering security, sometimes it's hard for you to send an email, it's blocked.
16:14 You cannot access your personal email because it's blocked.
16:18 These are controls that are normal to the banking industry and sometimes there are exceptions for that, especially for the VIPs.
16:26 Endpoint detection and response, antivirus, anti-malware, EDR.
16:32 These are common controls that we put in our desktop, laptops and other productivity devices.
16:39 Privilege and access management, I know some of the IT guys here know about access management.
16:47 It's super user, super administrator, root administrator.
16:50 It's important that we manage those access levels as well.
16:55 Security baseline and hardening: before you deploy your server, it should be hardened.
17:00 There are what we call hardening guidelines.
17:03 This is too technical, I'm so sorry about sharing this if some of you cannot really comprehend it.
17:09 These are technical terms that I use because these are technology-driven type of initiatives.
17:16 SIEM, or log correlation, allows you to have visibility on what's happening to your computers.
17:24 Did you know that when you establish a security operation center, someone is looking at your computer; you just don't know it.
17:36 There are agents installed there; they're looking at your computers, not, by the way, looking at what you do.
17:45 But they're looking at those areas of your PC that might compromise those devices.
17:52 They're not looking at what you're doing, they're not concerned.
17:58 They're just looking at what's happening in your device, maybe there's something infected in your device.
18:04 Obsolescence and monitoring: it's important to monitor your outdated servers, computers and devices.
18:13 If it's outdated: the current version of Windows is 11 and you're using Windows 7, so it's impossible.
18:20 Windows 7 is highly vulnerable now, you have to replace it.
18:24 So it's important as well to monitor those obsolescent devices.
18:28 Then identify your crown jewels.
18:31 When I say identify your crown jewels, each company has different types of risk profile.
18:36 When I say risk profile, what are your most critical assets?
18:41 Our most critical asset, of course, is the money of our customers.
18:45 We also have customer account number, personally identifiable information, and other information.
18:53 Once leaked, we are liable to our regulators.
18:57 We have different guidelines, standards set by regulators to help secure that information that I've shared.
19:06 There are also other companies that have crown jewels, like Meralco, a utility company.
19:14 They are not merely concerned about information, but mostly on operations.
19:20 So that's their assets.
19:22 It's important that you know your valuable assets so that you know how to protect your assets.
19:30 Similarly, in cybersecurity, you cannot detect or remediate vulnerabilities if you don't know and cannot see those assets.
19:38 Continuous risk assessment is also a practice in the financial industry.
19:43 That's why sometimes we hire third parties to conduct a security audit.
19:47 Because it's better that someone from outside tells us what's wrong with us,
19:53 rather than someone inside telling me what's wrong with me.
19:59 So that it's not like he lost his check and balance.
20:03 You cannot audit yourself.
20:05 So it's better that someone from outside your organization tells you what's wrong with your practices and processes.
20:13 Now, once you identify a risk, make sure you classify your risk according to its severity.
20:21 Once you have these assets, identify the risk of your assets,
20:26 and accordingly, according to criteria and severity, classify them as high, medium, or low.
20:33 From there, you can prioritize your risk and define a roadmap which risk you're going to remediate early or as soon as possible.
20:42 So there are low-hanging fruits.
20:44 I've said earlier, you have obsolete Windows 7,
20:49 then you have Windows 10,
20:52 then you also have Windows 11.
20:55 Definitely, you need to prioritize Windows 7 because that is the highest risk.
21:00 Then, maybe Windows 10 is just secondary because that's one way,
21:06 I mean, one down version of Windows 11.
21:09 So these are just some examples on how you prioritize your risk.
21:15 Then, remediation also needs a timeline.
21:18 You need to provide the board and the management what's your program in remediating those risks.
21:25 By the way, I don't know if Manila Times does this as well,
21:30 vulnerability assessment and penetration testing.
21:33 This is important to test your security infrastructure,
21:36 how stable it is and how it can evade cyber attacks.
21:42 So when you say vulnerability assessment,
21:44 this is the practice where you identify what are your weakest points and vulnerability points.
21:50 Then, you try to penetrate it.
21:53 Once you can penetrate it, report it to the management.
21:55 These are our loopholes and we need to fix this immediately.
21:59 So you need to define processes and policies in order to do that.
22:03 So these are common practices we do in banking.
22:07 This is also important.
22:10 This is where you can actually evaluate the measure of your cyber resiliency.
22:17 This is what we call the incident monitoring and response.
22:22 So in case incident happens, you must be ready on how to resolve the issue.
22:27 And you must build capability and capacity.
22:32 It's like you write a document telling the management,
22:37 "Yes, we are capable and we have the capacity."
22:40 But when management asks, "Where is your capability?"
22:45 You don't have people.
22:48 So you must realize that before you tell the board of management
22:53 that our CSIRT and monitoring procedures are really indeed qualified
22:59 to respond to this kind of incident,
23:04 make sure what you're telling them is true.
23:08 Because when BSP comes in and challenges you,
23:12 "Where is your cyber drill? Where is the result of your cyber drills?"
23:17 It does not really reflect the true meaning of incident response.
23:21 You're obligated to be accountable to the management.
23:25 So there are many of these.
23:29 We have a CSIRT, we have a BCP, we have DRP.
23:33 But when you test it, it's not effective
23:36 because you don't have the capacity and capability.
23:40 Of course, the objective is to minimize damage and prevent future cyber attacks.
23:47 Conduct regular testing of your CSIRT drill or simulation.
23:52 A few weeks back, we had our CSIRT drill.
23:56 We simulated that we had a breach already.
24:00 So we assume breach. So what did we do?
24:03 Of course, we know our assets.
24:06 We know where these assets are stored, managed, and processed.
24:11 So basically, once you have the inventory of your Crown Jewels,
24:15 you know exactly where your ultimate protection is.
24:19 So when you have a breach, it means that your circle of protection,
24:23 somebody comes into that ultimate asset that they're trying to protect.
24:29 The hacker will not attack the useless assets.
24:35 They will definitely attack the most critical assets of the company.
24:39 So make sure that when they try to infiltrate your circle of protection,
24:45 we make it difficult for them.
24:47 Put as many controls on our critical jewels.
24:52 Then document. When you do the drill, document all the lessons learned
24:56 and continuously improve that.
24:59 Cyber awareness, this is very important.
25:03 People are our weakest link, but if you give them the right knowledge and mindset,
25:07 and they can discern the threats on their own,
25:11 they could become your greatest allies.
25:13 For example, you have 2,000 employees, and all of them are educated.
25:20 You don't need any kind of technology controls because when they open the laptop,
25:25 and they see and they understand that this is a threat,
25:30 they will just close their laptop and they won't notice it.
25:33 So what's the risk?
25:35 Sometimes the weakest part of our organization is the people.
25:41 So we just continue to educate and educate our users.
25:45 Proactive risk management, this is more on investing in technology
25:51 with predictive analysis.
25:53 This is where AI and machine learning take place.
25:57 So AI can predict something because it has a lot of data.
26:00 But this is somehow expensive.
26:03 If you try to explore this, you need to have a good infrastructure,
26:07 which is the foundational baseline.
26:09 For now, to set up a security automation and machine learning platform.
26:15 Then you need to also proactively analyze rather than contain.
26:20 Crisis management, business continuity, and DRP are also critical to the bank.
26:26 So strategize, plan, and conduct this BCP testing regularly.
26:31 Governance and compliance, this is about leadership, tone at the top.
26:36 Make sure your investment and your technology are supported
26:40 so that when you deploy it, there is no challenge at all.
26:44 And lastly, the vendor management.
26:47 Before you onboard a vendor, you need to conduct due diligence
26:54 because they might compromise your system.
26:56 They might be the reason why you are compromised.
26:59 So third-party risk management is important.
27:02 Sorry, I'm done?
27:06 So I think that's it.
27:13 I was about to end, guys.
27:17 This is my last presentation, so this is about third-party risk management.
27:22 I have a Q&A.
27:24 Thank you, CISO Marlon.
27:26 We'll be inviting you again on stage after our fifth and last speaker
27:30 for the final fireside chat.
27:32 By the way, sorry.
27:34 Before I end, I would like to thank Manila Times
27:37 for giving me this opportunity to be part of this event.
27:41 Thank you.
27:43 [END]