Hello everyone, thanks for joining us and welcome to Addressing Misconfiguration and Compliance within Fintech. I'm your host, Aaron Ansari from Trend Micro. I'm glad to welcome you and hope you're all having a good afternoon slash morning, depending on which time zone you're in. Hopefully you're all safe and you're all well. We've got a good one for you today and one which we're excited about. We have two people that are very well versed in fintech, in compliance, in cloud: versed by way of certifications, versed by way of relationships with customers, as well as activism in the community. So really excited to have this group together with you today. Hopefully you get value out of this. We've got a couple of batons that we're going to be passing back and forth from a presentation standpoint to one another, but please follow along, please listen well, and ask questions and have discussions as we have going on in the chat as well. So without further ado, I'm going to introduce our two speakers. We've got Stacy Tucker. Stacy is the security and compliance public sector practice lead at Connect. Connect is a great partner with Trend Micro, someone with whom we've been working quite frequently from a services as well as a best practice standpoint for our customers. Stacy leads the cross-functional expert team that specializes in cloud and security, and today you're going to kind of see the governance, risk and compliance work that he and his team do for state, federal, local sort of government, nonprofit and even, you know, Fortune 100 companies. He's very focused on digital transformation and has worked a long time in the industry, serving through a number of IT and digital leadership roles. So Stacy, welcome. And we've also got Fernando Cardoso. Fernando is a ten-year veteran at Trend Micro. He must have started when he was eight years old, because when you see him you're going to think
he's still in his teenage years. But regardless, Fernando has been working on cloud technology and with Trend Micro's Cloud One platform across the globe, from Europe to Latin America to North America, with our various customers, so thousands of customers across the globe in Cloud One. Fernando has a great published background as it relates to articles on Medium, articles that he publishes on his personal blog, that are all tied to DevOps and tied to AWS. He carries a lot of certifications, multi-cloud certifications, not just AWS. He and Stacy will be kind of going back and forth today to talk about misconfigurations and compliance specifically in the fintech space. So in addition to the expertise that's just broadly brought from the group, we also have a great set of expertise that's specific to fintech, right, and FinOps, and that's really what we're going to be honing in on today. So without further ado, I'll pass it over to our presenters. I'll be coming back and forth. I'm going to go off camera a little bit because of the microphone and the way Zoom kind of shows who's talking and who's making sound, sort of thing, but I'll be going back and forth and having a couple of questions and comments as we go through to try to moderate this. But I'll pass it over. Thank you very much for joining, and we'll take it over from here, Stacy.

All right, let me share my screen and make one adjustment here. Good afternoon everyone. As Aaron mentioned, my name is Stacy Tucker. I am the practice lead for cloud security and public sector at Connect Consulting, and Connect Consulting specializes in helping customers use AWS and Trend Micro Cloud One to address misconfigurations and achieve assurance that their workloads are well architected and compliant and secure in the cloud. Aaron mentioned that we are a Trend Micro partner, and in that capacity we also help customers to understand their risk and security posture by using Trend Micro
Cloud One Conformity, and as an AWS Well-Architected partner we also help customers remediate that risk and implement security best practices aligned to the framework and their specific compliance objectives. So that's where we're going to really come together as an Amazon partner and a Trend Micro partner today, to talk to you about how our cross-functional team specializes in this area and helps developers, information security and operations teams, and authorizing officials work together to define, align and operationalize security controls in AWS as infrastructure as code, automation and managed services. And those three areas of focus are really the benefit of the AWS cloud from a compliance and regulatory perspective: being able to do infrastructure as code, automation and managed services with security built in by design. These are the benefits of the cloud that help support regulatory relief for financial institutions. Today we're going to share more with you about these benefits and answer key questions about fintech compliance, and then demonstrate how you can take advantage of the cloud by leveraging AWS and Trend Micro Cloud One to address regulatory guidance. So I'm going to begin with a brief discussion of the who, what, when, where, why and how of fintech regulatory compliance.

So who regulates fintech compliance? The Conference of State Bank Supervisors is the nationwide organization of banking and financial regulators from all 50 states, the District of Columbia and the U.S. territories. State regulators supervise state-chartered banks and are the primary authority governing non-bank financial service providers. These are fintechs, including mortgage providers, money service businesses, consumer finance companies, payday lenders, check cashers and debt collection firms. So when referring to non-banks or the non-bank industry, what's happening here is we're talking about the financial institutions that are responsible for delivering products and services
either directly to customers or related to customers, so directly to consumers or related to consumers and their use of those products and services, and are supervised or regulated by state non-bank financial regulators.

So what does fintech even mean? Fintech is shorthand for combining the words financial services and technology, and it's how this technology is driving innovation of financial services which is at the center of fintech. Fintechs primarily operate on the internet and in the cloud. And another description that really helps to simplify what fintech is: these are non-bank businesses that use technology to lend, hold or move money, and this change in the industry is really challenging the marketplace. Cybersecurity is a new area where the focus on the risk is greater and driven by fintech. And the senior legislative VP and deputy general counsel of the Conference of State Bank Supervisors, these are the regulators for fintech, right; this is a description that was provided by that particular person on a webinar called Simply Stated, and if you operate solutions in the cloud or on the internet that are fintech based, I highly recommend that you check out Simply Stated.

So why are fintechs regulated? Stacy, just real quick, going back to your fintech slide, you know, when we're talking to customers and people in that space, we often hear them talk about cryptocurrencies and some of the more popular technologies that are there. Those are good examples for our audience of what you're thinking or what you're seeing when you think of that non-bank business? Yes, for sure. Again, any use of technology that is, you know, the business has a technology that's being used to lend, hold or move money, by which cryptocurrency would certainly apply, that is at the center of fintech. So let's move on to why are fintechs regulated. Money services businesses is a 1.4 trillion dollar sector, and the regulators
have data that show that 55% of all transactions in this space are fintech based. We're talking about mortgage origination, which grew from one-third in 2013 to two-thirds of the 890 billion market in the mid-2019 time frame, and technology and innovation have enabled companies to scale geographically and enter new markets more quickly. All right, so we hear about how the cloud can be used to go global, how you can innovate quickly. This is really getting into concerns around moving large amounts of money across state lines and other geographic lines. In fact, there's a joint cloud statement, which we're going to talk more about, that really hones in on misconfigurations of cloud resources and cybersecurity concerns that are at the center of these transactions.

So where do you go to get guidance? The good news is that the CSBS, which is the regulator we spoke of earlier, the authoritative regulatory body, they are doing a good job of implementing a fintech innovation contact in each state. So on this slide there's four areas of focus that I want to talk about, namely this fintech innovation contact in your state, the Conference of State Bank Supervisors Cybersecurity 101 resource guide, the Federal Financial Institutions Examination Council's joint statement for security in cloud computing environments (so this is all of the organizations that work together to provide regulations coming together to put in place a statement around security in the cloud), and then the work that they've done to actually create a cybersecurity mapping document that NIST has reviewed and approved and supported, that assists in mapping the fintech regulatory controls to NIST controls. So I've listed here Mr. Jed Bellman; he is the fintech contact in my state. There are currently 24 contacts for 24 of the states in the United States of America, and like I said, CSBS is doing the work of getting an innovation contact in each state. So where you operate, you should definitely
go to www.csbs.org state innovation contacts and look up your person to assist with any guidance you may need around fintech compliance. In 2006 the State Liaison Committee was added to the Federal Financial Institutions Examination Council. So the Examination Council was already there doing the work of federal regulations for banks, and in 2006 they added the State Liaison Committee, which included the state regulators of the CSBS. This is a community that's working together very tightly to ensure consistency across the regulatory requirements, and you really see that in this mapping of the FFIEC controls to NIST controls.

So when are fintechs regulated? Non-bank cybersecurity examinations occur on a risk basis and a scheduled basis, typically every three to five years. So the way this works is, as a fintech you receive a letter that says your examination will take place using a questionnaire, there'll be a document request, and then you have a scheduled examination period. What's really interesting about this process is that, as I mentioned before, these regulatory requirements all align to the NIST Cybersecurity Framework, so the examination process is actually numbered specifically by the categories of the Cybersecurity Framework, so Identify all the way through to Recover. Stacy, who are the people that are doing the audits? They are examiners, right, and you have to be certified to do that; you have to be educated to do it, you have to be certified to do it, and they function as a resource through the state regulatory supervision. Is it the state body that's then sending the letter requiring the audit to be done? The examiner. So the state provides these guidelines and these uniform approaches and forms and consistency and process and requirements, but the examiner will send you the letter, and then they will ask you, based on the questionnaire, things like what's your PCI level, do you have an authorizing official, right? These are all
these are all questions that you would expect for a cybersecurity examination or any kind of compliance that aligns to financial services to begin with, and then they actually take the answers from those questions and use that to make decisions about the documents they will request, and then from there you have your examination. Do you know how long it takes, like, for a fintech to pass through this whole process, Stacy? Well, there's no one size fits all, right? So the NIST CSF isn't a one size fits all but a very flexible, comprehensive framework, so it really depends on the organization's operating model, their scale, etc.

All right, so how to do fintech compliance in the cloud. And we're going to talk about AWS specifically today, and I want to highlight a few excerpts from the guidance provided by the joint statement, which really speaks to misconfigurations and security as key concerns, and then how that aligns to best-in-class capabilities in the cloud by AWS and Trend Micro. So it says management may consider leveraging a cloud computing standard and framework from industry standard-setting organizations to assist in designing a secure cloud computing environment while considering risk. So this maps directly to the NIST Cybersecurity Framework, and the NIST Cybersecurity Framework aligns very nicely to the AWS Well-Architected Framework, covering all five pillars from operational excellence to cost optimization, where you have an enterprise architectural approach to risk reduction. The guidance also says management should consider implementing tools designed to detect security misconfigurations. This is where Cloud Conformity, as an AWS technical partner, provides solutions that align as well; they're very well fit to the NIST CSF. In fact, that particular tool will provide you a compliance scorecard based on the services you're using that is aligned to the CSF and the AWS Well-Architected Framework. And then the guidance speaks about
misconfigurations of cloud resources, which is prevalent as a cloud vulnerability and can be exploited to access cloud data and services, and this is where Trend Micro Cloud One provides an array of tools, from application security to container security to file storage security, workload security, network security, and again compliance for cloud using Cloud Conformity, that address these areas that I'm highlighting. So let's take a real-world example from the Well-Architected Framework and show how the fintech regulatory compliance objectives do map very nicely to the NIST CSF framework as well as the AWS Well-Architected Framework, and then how you would do that in the cloud using Trend Micro Cloud One. So we're going to take security question number six, and it says: how do you protect your compute workloads? Now the description under the question is really honing in on EC2 instances, containers, Lambda functions, database services, IoT devices and more, and it outlines six best practice areas to focus on, actually seven best practice areas to focus on: perform vulnerability management, reduce the attack surface, implement managed services, enable people to perform actions at a distance, automate compute protection, enforce and validate secure configurations, and validate software integrity. So there's quite a bit here that the guidance is saying these are the best practices that you should do to ensure that you are actually protecting your compute workloads. So now let's look at, specifically for EC2 instances, containers, Lambda functions, how this aligns to the control objectives. And I want to go back to a statement from the Conference of State Bank Supervisors Cybersecurity 101 resource guide for bank executives, which highlights that your information security program will be shaped by your organization's unique needs and business processes. There is no one-size-fits-all solution. The NIST Cybersecurity Framework is a flexible, adaptable tool for organizing any information security program
regardless of size and resources. Although an institution would never be completely invulnerable, organizing your bank or non-bank cybersecurity program around the NIST CSF supports a comprehensive level of risk management. So what we're going to show you is how to do that, how to align, define and operationalize the controls based on the NIST CSF. So again, going through the objectives of the Well-Architected Framework, which aligns very nicely to NIST and FFIEC, how do we do this using Amazon's managed services and Trend Micro Cloud One capabilities? So for number one and number two, automate compute resources and enable people to perform actions at a distance: AWS CloudFormation provides the ability for you to do infrastructure as code, and this infrastructure as code is how you declare your cloud resources, but it serves a number of purposes beyond just creating and deploying resources. It also provides you version control for your infrastructure; it provides a way for you to have auditable and repeatable, well-documented code that represents your infrastructure. And then AWS CodePipeline allows you to use that infrastructure as code in a way where you can enable people to perform actions at a distance, you know, such that you write your code, you submit it to a repository, and that repository serves as the source for your pipeline, and in that pipeline you can implement testing mechanisms using Cloud One Conformity, you know, where you can actually scan your templates to make sure that they are well architected before they go to the cloud as a deployment to begin with. When we look at reducing the attack surface, this is an area where, actually, I'm sorry, I'm going to go to perform vulnerability management next. So vulnerability management is all about the pipeline again, and code inspection and testing and scanning against well-architected best practices. Additionally, vulnerability management for workload security is also about providing defense in depth for EC2 instances, containers and Lambda functions, where Trend Micro Cloud One augments AWS's cloud-native solutions to provide additional layers of capabilities to provide real-time vulnerability management, which we'll demonstrate more of shortly. So now let's look at reducing the attack surface. This is all about establishing a secure baseline configuration for compute resources and
then ensuring the integrity of those compute resources through the life cycle of how they are implemented as virtualized capabilities. This is where you define and implement your hardening standards for EC2 and for containers and Lambda functions, and then use Trend Micro Cloud One Workload Security and Application Security capabilities to control the consistency of that baseline configuration. Next we look at how do you validate software integrity. So this is all about implementing integrity checking mechanisms to verify your software, your firmware and information integrity related to the data that you implement. So in AWS there are some managed services that help you do this very effectively: KMS, Key Management Service, is one; ACM, which is the certificate management service in AWS, is another; and a really nice tool that AWS launched not that long ago is AWS Signer, which you can use for code signing as a code signing integrity checking mechanism. And then equally, the Trend Micro Cloud One workload and application security solutions again will offer additional layers of protection to support these control objectives. Lastly, we're going to look at implementing managed services. So each of the AWS services mentioned above, as well as the Trend Micro services, are managed services, and we're going to use these to mitigate disruptive cyber attacks and ensure availability is maintained, things like DDoS protection and web application security attacks. We have some great solutions from Trend Micro and AWS to address those concerns. So an AWS WAF will help address OWASP Top 10 concerns; AWS Shield and CloudFront support pushing those security threats to the edge and mitigating them away from your workloads to ensure greater availability; and equally, Trend Micro Cloud One Application Security will provide additional layers above and beyond this that provide things like runtime application self-protection capabilities much closer to the workload, you know, where
Amazon is pushing the threat away to the edge, those areas of focus that are still very close to the workload itself, Trend Micro covers you very effectively there. So with no further ado, I'm going to turn it over to Fernando to show us more about those Trend Micro Cloud One solutions.

Thank you so much, Stacy, for the explanation. I think it was very good, the groundwork details and all those kinds of things. During the demo, if you want to just jump in and give a little bit more background information, feel free. Let me share my screen. And thank you so much, Aaron, for the great introduction earlier, I appreciate it. What we would like to show here is how the centralized platform that Stacy mentioned before, right, Cloud One, could help you to achieve every single piece that we were talking about before. Here is basically the platform where you can easily go and drive through to different services. I'm just going straight to one of the services where we can automatically help you to build one automated Well-Architected Framework report. After you connect to your AWS account here, in less than 15 minutes you'll be able to generate multiple reports. One of those reports would be the AWS Well-Architected Framework, another one could be NIST Cybersecurity that was mentioned by Stacy, and also NIST 800-53 in some cases, right. We also have the PCI DSS that can help some financial services organizations, and it's pretty simple: after you scan your account you can easily go to the view by standards and frameworks, and you can easily see the frameworks that you can choose here and start generating those reports. Those reports can be generated in PDF or CSV and can be exported for a better way to see it. But just going further in one of the areas that we were talking about during this session here, SEC 6, right, it's basically how do you protect your compute resources. It's
pretty important, and we show in very good detail which specific resources in your cloud environment are not following the best practice created by AWS. Plus, if you want to generate a PCI DSS report, they also do it the same way, or NIST Cybersecurity. But one of the important points here, it is also the automation that Stacy mentioned, right. It is not just like you're looking for the issues or looking for the AWS Well-Architected Framework in the production environment, but also looking at the early stage. Basically, Conformity can be applied in the pipeline with the AWS environment, right, where you can add the IDE plugin that can scan your CloudFormation templates every single time before you push to production, or you can also integrate it in your CI/CD pipeline in AWS; it will be integrated with AWS CodeBuild and also AWS CodePipeline. Those will be the technologies to integrate the template scanner in your regular pipeline. Just giving you one example of how that works with VS Code. Here is my VS Code with a very simple CloudFormation template, and I will just run a Conformity scan here. Oops, sorry about that. We scan this CloudFormation template, and if you see, they are just running, and something looks wrong in my environment. Yeah, I think I changed my API key, sorry about that.

You know, the demo and the content that you're providing is a great example of what Stacy laid from a foundation standpoint. So, you know, while you're getting that going, this is a great working example of how Connect and Trend Micro empower one another to work to provide the answers, really, to the audit and the questionnaire that's being presented there.

Yeah, sorry, I think I changed my API key. I need to generate another one. I will do that further after, but if you have any specific question, I put everything in my GitHub where I have a
little explanation about how to use the VS Code plugin created by Raphael, and it's pretty simple. I think I just generated multiple API keys and one of those was declined, but I can show after if you need or if you have any questions. Sorry about that. Going further to the second piece that was mentioned by Stacy, right, automated compute protection: one of the different ways that we can do that process is with Workload Security. Imagine you're creating multiple EC2 instances in AWS, right. You can easily automate the way you deploy those agents. You can basically select the deployment script, and you can select which specific operating systems you are going to protect: Linux, Windows, Solaris or AIX. One of the cool points about us is our broad support for Linux, like CentOS, Red Hat, Amazon Linux, Oracle Linux and so many others. And you can easily select those, what is the security profile that you want to apply for those machines, and they will automatically generate those deployment scripts for you. You can copy this and, using Puppet, Chef, Ansible or any kind of automation infrastructure tool that you are using in your company, every single time when you create a new instance they will automatically push those agents to those instances. It's a very nice way to automate some process. We also have some integrations with AWS SSM and also AWS Distributor, so that you can easily push those agents using Systems Manager from AWS. If we go further into perform vulnerability management, right, if you see, Workload Security today is composed of seven security modules, right: anti-malware, web reputation, activity monitoring that is like our EDR for servers, application control, integrity monitoring, log inspection, and intrusion prevention. And if we go to intrusion prevention, one of the very important pieces here is what we call virtual patching, right, and you can basically
do the scan for recommendations. Every single time when we scan your server or your instance, we collect metadata to understand which operating systems you are using, what is the hotfix that you have applied, what are the platforms that you are using, right, in those servers. We collect that information and we compare it with our vulnerability database. If we find that there are some possible vulnerabilities or some security flaws in the environment, we will grab that information and we automatically push a virtual patch to protect on the network side those vulnerabilities in your EC2 instances. Those are very important aspects from Deep Security that so many customers like, right, and this scan for recommendations you can schedule daily, weekly or monthly; it's pretty interesting for so many companies. Oh, and when we talk about the virtual machine, right, one of the important aspects is being very mapped: we map it with the CVEs. When we have the actual CVEs, there are some virtual patches that we protect, basically MITRE or some other researchers that our team do globally to protect the customers, right. But if you see today, the actual number is pretty high. Let's see if I can see. Oh, we have over 7600 IDS and IPS rules. Imagine if you need to apply this manually; that would be crazy, right? That's why we have these kinds of recommendations to do this process automatically for you. Awesome. Moving to the next piece here, reduce the attack surface. I think this is a nice way to show you how we can reduce the attack surface, right, because we are looking not just at one specific area, and we are not saying we are the silver bullet for protecting every single area, right. We have the intrusion prevention, application control, firewall, IDS and IPS, and multiple layers that we can protect your EC2s with, but also when we talk about the
surface, we can easily go to Application Security and select specific protections for the servers and microservices, where we can add a security layer or security framework to your applications and actively monitor every single request to your applications and block on the fly, right. We will basically be living inside your application, and if we see something malicious associated with malicious payloads or SQL injection or illegal file access, all those kinds of things, we can block or just mitigate or log that information, depending on what is the action that you select here. In this case, anything that you want to add, Stacy? Sorry if I'm jumping from one to another. Oh, this is great. Validate software integrity, this is a very good point. Let me go back to Workload Security. In Workload Security we have the integrity monitoring and application control, right; those are two very important modules. First, integrity monitoring: we basically select a group of monitored files, folders, registries and services inside Linux machines or Windows machines, and after we define what are the rules that we want to be monitoring the integrity of in the machines, we create what we call a baseline, right. We create this baseline to understand those files in that specific moment, and if something changes in the future we can understand in real time, or we can scan the server with the scan integrity and see which file was changed, or which folder or services or registries in the server were changed, to understand if the integrity of the server was compromised by some attacks, right. This is a very important aspect for PCI DSS compliance, for example. Today, if we go a little bit further, when we talk about application control, what we are doing here actually is: imagine you build all your server, you build your application, you are running those binaries, you are running Python with Flask and all those kinds of
things, right, as a web server running Python with a Flask platform. It could be another platform, but just one example. In this case we will create a baseline of that server, and if any of those applications, or if somebody tried to change the code, the binaries with Python, Java, all those kinds of things, we will basically block, if you define for us to block and recognize software updates or changes, right. Basically what we are doing here is like, let's lock down the server until you basically request a maintenance mode, right. We have different ways to do maintenance mode. We have APIs that you can automate in your CI/CD pipeline, but you can also come here and say Action, Turn on Maintenance Mode, and say I want to maintain this mode for my server for 15 minutes, for 30 minutes or a couple of hours, until I have completed my window of changing and updating those applications in my servers, right. This is a nice way for you to lock down and not allow anybody to change the platform, the operating systems and all the binaries that you have in those servers. Any questions? I don't know if I can see the chat. If there's no, okay. We're good, Fernando, we don't have any chat questions. Perfect, thank you, Aaron. And the last one that is implement managed services, right. As Stacy mentioned, all our platform today, Cloud One, is all driven as a service. You can just select which specific managed services you want to use in your applications, the same as when you are using managed services by AWS, right. We also have a specific integration with AWS Managed Services, AMS they call it, where we can deploy and help AWS teams with Workload Security. Basically they will request you to deploy Workload Security for them to monitor the security in your EC2s, okay. This is one of the partnerships that we have with AWS in the managed services, and it's very well received by so many customers across the globe. I
don't know if you have something to add to stacy but you also offer the managed services where you can help the customers the ability of managing aws and uh training micro technologies correct yes uh and when you look at the well architected framework and you look at a controls framework and the objectives of it um cloud1 conformity you know is really a a very strong compliance bri
ge to get you from your controls objectives to how you do security in the cloud and and you understand right from your documentation about what you implemented that you have assurance that you're actually secure it fits very nicely with well architected and with what we understand are the controls objectives for fintech right from the ffiec alliance in this csf but even for pci um you can check your workloads against how you're using services for pci with conformity and then again moving into where you're actually operating with an ec2 instance or a lambda function or containers having these additional tools to protect you in real time as you're running your applications it's very powerful stuff actually can you is it possible for you to talk a little bit more briefly about the lambda layer uh yeah security um covers you there let me basically what happens it is application security works as a rasp technology right runtime application self protect and for you to implement if you are using containers you basically inject or just import one specific line of code as like this example here one sec let's see if i have you yep i have one uh let me remove this in my case here i'm oops sorry in my case here i have like a java application right and uh what i'm doing here just importing like our framework security framework to the container uh to the docker file to generate the container image and before i run my money x application right and basically you make an invocation to say like oh please uh start the the trend micro library first before you start to the actual application and in this specific case you are basically monitoring every single request right after you starting um running those applications the same happens for like a serverless uh like lambda right we have a security layer that you can basically add it to your lambda function and after you connect that in the the aws portal or through aws cli you can easily start monitoring all those requests after one 
request happens to your application right they're starting showing here how many vocations how many um um um attacks we we detect what is those attacks i like i have a couple examples here where i was like just uh testing uh one specific reaction with like a sql injection right what i was trying to do basically in the logging form i was trying to pass always true uh type of like attack right and uh because it was basically using the the axa format they recognize those access extra format to don't affect the the sql database and bypass the logging processes and basically we were able to walk on the fly uh this happens depending which kind of like a security profile you are using but uh it's basically just adding like a security layer in your lambda function and you can automate all this process right you can use confirmation templates and easily automate the deployment across multiple lambda functions that that's the really powerful part for serverless architectures right for sure and then again having cloud conformities scan your templates to ensure that those security mechanisms are there to protect against high risk to begin with right yes and and you can also uh scan the template scanner using the format that didn't work in my case here because the apis but uh in conformity you can also go to what we call template scanner on the top right and you can start in scanning your uh cloud formation templates right the cut the template scanner can work directly in the console like this way here or you can also use in the ide or in the cisd pipeline basically excellent i hope um we call over all the the main areas right i think yeah i think you did i think this gives a good example of the the the process and the technologies that fintechs and finnops teams can use um so partnering with the people and the resources to help man the technology as well as the experts that can help you interpret the results and and look at the data so hopefully everyone that's on here had a 
good um good outcome and got a lot of nice information out of the discussion i know this is being recorded so if you have questions or comments after watching the recording please follow up with the information that's posted down below we thank you all for your time and uh if you have further questions for state or stacey or fernando um we'd be glad to answer them now but so far the chat's been relatively quiet i think my camera just froze so perhaps uh it's a good time to end the discussion uh when your camera gets tired of being on zoom all day thanks so much stacy fernando you know yvonne andrea brittany for putting this together we certainly appreciate it and hope everyone's well safe and take care awesome thank you everyone appreciate it
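The integrity monitoring flow described in the webinar (record a baseline of monitored files, later re-scan and report what changed) illustrated as an added Python example; this is not Trend Micro's code or Workload Security's implementation, just a minimal stand-in for the concept, using a constructed temporary directory as the "server".

```python
"""Added illustration of baseline-then-scan file integrity monitoring.
Not vendor code: hashes every file under a root, then classifies drift."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """The 'baseline': relative path -> hash for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def scan_integrity(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """The 'scan integrity' step: re-hash and report modified, added, removed."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed sample server: take a baseline, then tamper with it."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "etc" / "app.conf").write_text("debug=false\n")
    (root / "app.py").write_text("print('hello')\n")
    baseline = build_baseline(root)
    (root / "app.py").write_text("import os\nprint('hello')\n")  # script altered
    (root / "etc" / "extra.conf").write_text("")                  # file appeared
    (root / "etc" / "app.conf").unlink()                          # file removed
    return scan_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be stored off-host and refreshed only during an approved maintenance window, which is the role the maintenance mode discussed above plays.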