5 Learnings From A Conversation With OP Financial Group's CISO And @mrtuxracer
On 20 January, HackerOne’s CEO, Marten Mickos, sat down for a chat with European hacker, Julien Ahrens a.k.a @mrtuxracer, and Teemu Ylhäisi, CISO at OP Financial Group.
Teemu Ylhäisi, CISO at OP Financial Group.
OP Financial Group is one of the largest financial institutions in Finland. The group offers retail and commercial banking services as well as insurance services.
Julien Ahrens a.k.a @mrtuxracer, hacker
Julien is a full time hacker based in Northern Germany, Julien focuses his hacking efforts mainly on mid-sized companies, since he has strong beliefs about the importance of securing the sensitive data that such companies hold.He regularly blogs about his projects and is an advocate for increasing hacker-powered solutions in Germany.
The discussion ranged from the recent SolarWinds attacks to the best way to prevent phishing. Here are our top takeaways from the webinar:
Transparency is the future of security
The old traditions of securing the corporate perimeter are no longer sufficient when the corporate network has now expanded to millions of domestic networks. We need new solutions, based on collaboration and transparency - after all, it is through sharing information that we can best prepare and protect against everything from software vulnerabilities to nation state actors.
Teemu: “Transparency and trust are a key part of my philosophy. If your security team isn’t open with your organization then the company is not going to understand their worth. Our corporate culture values collaboration and in the Nordics there is a tradition of sharing information pertaining to security within the financial services industry. We all want to help make each other and our industry safer. I am very open with the business about what the security team is doing, and call out the business divisions that are supporting our overall security goal and initiatives. It spotlights our partners and introduces a little friendly competition between divisions.
Julien: “When dealing with hackers, being transparent about your vulnerability management process goes a long way to build trust. I know many businesses are concerned about how much information they can share but hackers need to have enough details to be able to understand the process and the fix.”
Security teams are rebranding as enablers
Security teams are increasingly recognising that encouragement and education are more effective at reducing risk and fostering collaboration than blocking projects or tools.
Teemu: “I don’t want to be ‘Mr. No’. When I joined OP, I set the expectations that I would not be a blocker to innovation or people just doing their work. Working with developers and engineers to uncover security risk earlier in the SDLC is more powerful than banning a tool altogether. It might be more challenging, but the payoff is much higher for the organization. Everyone at OP is responsible for security, from the security team to the staff who diligently report phishing attacks.
Speed is your best defense
It was universally agreed that humans are still the best mechanism for detecting security threats.
Teemu: “I disagree with the idea that cyber criminals have to be successful just once, and defense teams have to be successful 100% of the time. Detection capability and speedy reaction to incidents is key. When a company is targeted by criminals, those criminals have to be successful in hiding every action; if defense notices a single aberration then they get the lead and can start to unravel the operation. The mean time for detecting breach is about 6 months to a year; this is too long, you need to detect it within hours and, if you have the ability to work with that time scale, then you’re in a good position.”
Julien: “I’ve had experiences where I’ve been hacking on a program and their incident response teams have been tracking my actions in real time. There are always flaws in technical solutions that hackers can get around but if your defense teams are fast then they can make a hacker’s and, more importantly, an attacker’s life very difficult!”
Disclosure culture is coming
The US government has already taken steps to mandate Vulnerability Disclosure Programs for federal agencies and our panellists think it’s only a matter of time before the trend spreads, despite resistance in conservative organizations.
Julien: “The most ‘professional hackers’ are more likely to be attracted to bounty programs but VDP’s are a brilliant way to get reports on the things your security team doesn’t know about. However, there is still more education to be done in Europe. I know of an instance where a researcher had a legal case mounted because the company didn’t understand vulnerability disclosure and saw it as a threat. We’re the good guys so don’t scare us off!”
Marten: “There is fear. But, with the U.S. mandating VDP for federal agencies and European countries starting to suggest it as best practice, there will be a time in the near future when there will be overwhelming evidence of the benefits of responsible disclosure. And that’s when we’ll see the real shift in adoption.”
Compliance needs hackers
Compliance and security don’t need to be mutually exclusive. If security reviews required for compliance are not actually spotlighting issues and improving security, then you aren't maximizing your impact.
Teemu: “I know it’s something that really works for other organizations, so I’m planning to get to a point where we can demonstrate compliance for ongoing auditory compliance requirements by running an extensive bug bounty program. We already do pentesting and red team exercises but it is hard to cover everything and stay up to date. If we had a good group of trusted hackers on each system, each would get the attention it deserves and we would also be able to find out which applications have the most soft spots and so where to focus our efforts.
Listen back to the full conversation here.