In recent years, Operational Resilience has been a hot topic worldwide across the Financial Services sector. Initially, the focus was narrowly on Cybersecurity and Outsourcing.
The UK Financial Services sector took it one step further by looking at the resilience of all operations, with Cybersecurity (Data) and Outsourcing (Suppliers) being just two parts of a larger resilience agenda. That agenda was expanded to include Technology, People and Facilities, and has resulted in the new Operational Resilience regulation.
Further regulatory committees across the globe also looked at resilience through the lens of cybersecurity, risk, crisis and recovery management, testing, and holding critical third-party suppliers to account for critical services, increasing the breadth of what Operational Resilience actually means. For example, in the European Union, DORA (the Digital Operational Resilience Act) is coming into force.
In terms of where we are today, the UK’s Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have recently published policy statements that turn the guidance into formal rules: all Financial Services institutions must now comply with the Operational Resilience regulation and its timeframes.
There will of course be a transition period, but it will be very telling for global resilience efforts to see exactly how financial services firms adapt their existing operating models and tooling to support the new resilience efforts.
Recent UK Finance research amongst members indicated that it is currently difficult for FIs (Financial Institutions) to identify the actual IT assets that underpin the critical services on which they will be measured, from a ‘service uptime’ perspective, under the Operational Resilience regulation.
COVID-19 has also compounded the challenge for FIs: the pivot to home working has added asset complexity and risk for FIs to consider and mitigate.
In addition, the explosion of “unmanaged devices” across FIs’ infrastructure – e.g. IoT and smart devices – creates additional risk through an expanding cyber ‘attack surface’. Some of these assets or devices will not readily accept an endpoint security agent, so unmanaged asset visibility and protection is becoming increasingly difficult for FIs to manage, which increases operational and cyber risk.
Many FIs’ “golden” CMDB data sources are fragmented and rely on “point in time” scans from different sources to determine a view of the IT asset inventory, making it difficult to understand and track all of the critical assets associated with a critical service.
Consequently, UK Finance research indicates that FIs are exploring asset discovery or mapping tools. In many cases these tools unfortunately do not detect all the potential assets across an FI’s environment, so many FIs resort to manual methods of collecting inventory data via Excel spreadsheets and end-user compute applications. Some asset mapping tools also require active scanning, which needs to be scheduled within a particular network segment and can be disruptive to ‘live’ systems, making it unsuitable for, e.g., BMS (Building Management Systems), which are classed as OT (Operational Technology). It is therefore increasingly difficult to achieve an aggregated view of the underlying asset inventory and of any real-time vulnerabilities or attack scenarios that could have an impact on critical services.
Trying to decode and manage this complexity via spreadsheets and end-user compute is ineffective; you need a solution which can correlate what you have today against the world’s largest asset intelligence knowledge base. The attack surface is expanding at a rapid rate, and your network and connected devices are constantly evolving, which introduces new risks. You likely don’t have full visibility or a solid inventory of everything connected to your networks which could represent a risk – e.g. IoT devices which cannot be patched and which could have connectivity into networks and services to which they should not have access.
A new approach is required to meet the Operational Resilience challenges head on; spreadsheets of critical asset counts don’t scale to environments with millions of potential devices. They are time-consuming and laborious and don’t meet the objective; separate risk qualification is then equally time-consuming. Armis can help with this challenge, and if you use ServiceNow we can close the loop: help you map the critical assets against the critical services, then monitor and track KPIs and enable remediation workflows when asset health may be impacted, which could in turn impact a critical service.
Together, Armis and ServiceNow help FIs get situational awareness of, and visibility into, the assets they have across their entire diverse global infrastructures.
Even though this may appear a monumental task, Armis helps to simplify the chaos by correlating the client’s environment against the world’s largest digital asset knowledge base, with close to 3Bn assets and tens of millions of behavioural device security profiles, which are constantly evaluated in real-time. This enables Armis to deliver an elegant, categorized inventory and help our clients get to ground truth on what assets they have, where they are and the health of those assets. Having successfully delivered this for over 40% of the Global Fortune 100, across some of the world’s most complex digital enterprises, Armis has gained deep experience in delivering a unified asset inventory. Working from that baseline, we can then shine a light on the operational risk clients face by highlighting which cyber vulnerabilities and malware have been weaponised in the FI’s environment and, crucially, which assets are impacted. Once this is understood, it is a matter of mapping the key assets in ServiceNow to the critical services and impact tolerances for where the FI is being regulated and where service uptime is key. Any issues with underlying asset health, e.g. weaponised vulnerabilities, can trigger remediation workflows to fix issues which could impact an FI’s critical service, e.g. a bank’s ATM network.
Ultimately, for FIs to gain visibility and situational awareness into their complex estates and address the Operational Resilience imperatives, it is advisable to follow some key steps:
… all of which can be achieved with the combination of Armis and ServiceNow:
The results of this approach speak for themselves: