Author Name: Mark Graff, Chief Information Security Officer, NASDAQ OMX
In March 2014, the World Federation of Exchanges (WFE) established a new Cyber Security Working Group. (Members call it "GLEX", for GLobal EXchange security.)
GLEX's mission is to aid in the protection of the global capital markets. The Founding Committee included representation from over a dozen exchanges across the globe, and current membership stands at about two dozen. Any WFE member in good standing is eligible, and there is no cost beyond that of WFE membership itself.
In addition to discussing cyber security best practices, GLEX focuses on the following activities:
- Establishing a communication framework among participants based on mutual trust;
- Facilitating information sharing, including threat intelligence, attack trends, and useful policies, standards and technologies;
- Enhancing dialogue with policy makers, regulators and government organizations on cyber threats for fair, transparent and efficient markets;
- Supporting improved defenses from both external and internal cyber-based threats against the markets.
In this article I will report on the origins and activities of the working group. I will also give my perspective, as Founding Chair, on some major information security issues I see facing the world's exchange community, and how GLEX can help. Along the way, I will share some tips and insights from my colleagues in the working group on how to address these and other issues in defense of the world's exchanges.
The genesis of the working group, from my point of view, is recognition by information security leaders in our industry that there are unique risks that arise due to the interconnected nature of exchanges, brokerages, and clearinghouses. There are four needs that seem to me to be paramount in order to address those risks.
- The need for a better understanding of cyber threats to the world's exchanges, both on a strategic level (Who and Why) and a tactical level (What, Where, and When).
- The need for sharing and refinement of best cyber security practice as it relates to the trading ecosystem.
- The need to help smaller and newer exchanges build up their defenses, in order to protect the overall cyber health of the trading ecosystem.
- The need to prepare as an industry for events on a large (perhaps, in some sense, world-wide) scale.
I hope that GLEX can help address these needs, and I am honored to be the inaugural chair of this working group. GLEX came to fruition as the result of a meeting at NASDAQ OMX headquarters in October 2013. Information security leaders from several large exchanges around the world joined me to discuss how we could better communicate and collaborate in the face of a growing cyber threat to our industry.
Attendees at that meeting included representatives from the following organizations:
- Australian Securities Exchange
- CME Group
- The Depository Trust & Clearing Corporation (DTCC)
- IntercontinentalExchange (ICE)
- International Securities Exchange (ISE)
- London Stock Exchange (LSE)
- NASDAQ OMX
- NYSE Euronext
- Saudi Stock Exchange
- Singapore Exchange
- SIX Swiss Exchange
- Toronto Stock Exchange
After two days of discussions, this group deputized me (and Jerry Perullo, CISO of ICE/NYSE, now Vice Chair of the working group) to approach WFE with a proposal that the WFE host an organization to promote the cyber security interests of the world's exchanges. Two months of discussion bore fruit in December, when we were able to announce at the WFE/MIT Exchange Technology Workshop the formation of the WFE Cyber Security Working Group.
Founding members are as listed above, with three amendments: (1) Deutsche Börse lent its support in December as a Founding Member; (2) Intercontinental Exchange completed its purchase of NYSE Euronext shortly after our October meeting, and so NYSE is not an independent member; and (3) LSE no longer belongs to WFE and is not a member of the Working Group.
GLEX's main purpose is to facilitate information sharing amongst global exchanges. We are charged with maintaining both a conduit for internal communication among our members and an externally-facing presence available for relevant third parties needing to address the GLEX members.
What do we do? We collaborate, communicate, focus on problems; and we look for ways to continually improve the security posture of not only our companies but also the industry.
We also meet and discuss issues face-to-face; the first in-person meeting of GLEX took place on April 8th at the ICE offices in New York, hosted by GLEX Vice Chair Jerry Perullo. Attendees included representatives from NASDAQ OMX, ICE/NYSE, BM&FBovespa, Saudi Stock Exchange (Tadawul), SIX Swiss Exchange, Borsa Istanbul, National Stock Exchange of India, TMX Group, DTCC, Johannesburg Stock Exchange, and Japan Exchange Group.
As partnerships amongst these exchanges are developed, our communication is increasing as participants become more comfortable collaborating.
Questions are usually of the form, "We are seeing X. Anyone else?" Another example: "Does anyone have recommendations about the best way to defend against Y?" Of course the group has guidelines for sharing, laid out in the operating principles. Email is held confidential to the group according to a "traffic light protocol" (TLP), meaning that the sender labels the content of each message as Red, Amber, or Green. (A highly confidential message intended only for working group members, for example, is labeled Red.)
GLEX FACILITATES BETTER THREAT INTELLIGENCE
As for the need for intelligence, consider the following advice on how to secure an exchange, from a GLEX participant:
Your security is only as strong as your weakest link… Focus on developing intelligence-driven defenses. Profile your adversaries, understand their attack trends and motives, and reduce your attack surface.
I see two ways that GLEX can be central to the development of intelligence-driven defenses in the exchange community.
First and most importantly, we need improved information sharing. Prior to this year, there was no means for the information security leaders of the world's exchanges to quickly communicate. Now, as of March 2014, we have the WFE Cyber Security Working Group, a vehicle for minute-by-minute updates of attack signatures, tactics, and techniques.
A second benefit I have been exploring as GLEX chair is the idea that one or more major threat intelligence vendors may be willing to make certain of their briefing tools available to working group members at no charge. (FS-ISAC, the U.S. Financial Services Information Sharing and Analysis Center, already provides such a service to its members.) If we can bring this idea to fruition, it would provide a baseline of intelligence about attacks, targets and techniques across the industry, irrespective of the size or cyber sophistication of the exchange.
GLEX HELPS SHARING OF CYBER SECURITY BEST PRACTICES
Following the creation of GLEX, another information sharing breakthrough took place on April 7th and 8th of this year, when NASDAQ OMX convened the first Defense of International Markets and Exchanges Symposium (DIMES 2014). Representatives of over 35 exchanges from 21 countries came together to identify and discuss problem-solving approaches to our common cyber issues. Attendees represented a superset of GLEX members, as the wide net thrown by our privately sponsored symposium included even very small and quite new exchanges that cannot yet qualify for WFE membership. Attendance was open to our customers, prospective customers, and competitors alike.
A common interest among DIMES 2014 attendees, as well as Working Group members, seems to be what lessons other practitioners have learned about best practice. GLEX meetings and mailing list messages offer an ideal medium for the sharing of information about the tools and processes in place today, as well as sage caveats concerning the limitations of those approaches.
About tools and techniques:
I continue to be a fan of the ASD Top 35 Strategies to Mitigate Cyber Intrusions as a starting point for best practice.
About limitations of the tools:
Remember, security tools are cool but are useless if the people and process components of a security service are not fully identified and documented and the value added measured. Any good process can be automated through technology, but a bad process cannot be improved with technology.
GLEX members have also weighed in on best practice as it relates to how to select appropriate countermeasures, as well the importance of senior support for the security program.
Information Security is about aligning information security capabilities and services with business strategies and initiatives using a risk based approach for decision-making and investments.
Senior management support of Information Security is critical to the success of the program; not just via budget and staff approval, but through adhering to policy, avoiding exceptions, and considering security implications in strategic decision making.
GLEX HELPS SMALL EXCHANGES DEVELOP BETTER SECURITY
One of the most important issues we tackled at the NASDAQ OMX DIMES 2014 conference was how to help small or new exchanges around the world build a strong cyber security program. Over a dozen exchanges participated in this daylong track, some great and some small. The need for this collaboration to encourage a minimum level of cyber health is the third of the four needs I have identified that GLEX may help address.
It is in the interest of each member of the trading industry to ensure that behind every connection to the trading networks lies a cyber-healthy, well-protected enterprise. In essence, I am making here the "public health" argument that, for exchanges with mature cyber security programs, helping to ensure a baseline of cyber security defenses throughout the trading ecosystem is a matter of enlightened self-interest. Please note, I am not arguing that the bigger exchanges have solved all security problems, only that those with more experience and greater resources may have insights and resources that can benefit the larger community.
By sharing best practice about countermeasures, providing information about existing resources and tools, and making basic threat intelligence available, the Cyber Security Working Group can help provide every exchange fundamental information useful in securing the worldwide trading ecosystem.
GLEX HELPS PREPARE FOR INDUSTRY-WIDE INCIDENT RESPONSE
The need to prepare for recovery from a cyber event affecting multiple exchanges around the world is a matter of prudence for exchanges, as demonstrated by participation in SIFMA's industry-wide 2013 "Quantum Dawn 2" cyber exercise. Further exercises, some large-scale and some limited to a single company, are scheduled for 2014. This far-seeing practice is picking up steam this year, a development welcomed by all the industry CISOs I know.
Because it is the only organization with the reach to engage the majority of cyber security practitioners at the world's exchanges and clearing houses, the WFE Cyber Security Working Group is in a unique position, should it choose to, to help the industry prepare for a systemic cyber event that spans international borders. This is not an activity to which the group is currently committed, but the concept is within its charter, and a move in that direction could be countenanced if a sufficient number of members wished to participate.
The four needs I have raised (better threat intelligence, sharing of best practices, ensuring a common security baseline for interconnected trading systems, and the need to reason through and prepare for recovery from a cyber event crossing multiple exchanges) cannot all be successfully addressed in 2014. But this year, working together as never before, we have made a start.
In this article, as I discussed those needs, I have been able to include several "best practice" tips from CISOs of exchanges around the globe. How did I do that? By posting a query to the GLEX mailing list inviting my colleagues to contribute tips for this article. This experience therefore offers a prime example of the sort of practical advice available to the cyber security practitioners at the exchanges.