In recent years, Operational Resilience has been a hot topic worldwide across the Financial Services sector. Initially, the focus was narrowly on Cybersecurity and Outsourcing.
The UK Financial Services took it one step further by looking at resilience of all operations, with Cybersecurity (Data) and Outsourcing (Suppliers) being just two parts of a larger resilience agenda which was expanded to include Technology, People and Facilities and has resulted in the new Operational Resilience regulation.
Further regulatory committees across the globe have also looked at resilience through the lens of cybersecurity, risk, crisis and recovery management, testing, and holding critical third-party suppliers to account for critical services, increasing the breadth of what Operational Resilience actually means, e.g. in the European Union, where DORA (the Digital Operational Resilience Act) is coming into force.
In terms of where we are today, the UK’s Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have just recently published their policy statements, enacting into formal rules the guidance that all Financial Services institutions must now comply with the Operational Resilience regulation and its timeframes.
There will of course be a transition period, but it will be very telling for global resilience efforts of how exactly financial service firms will adapt their existing operating models and tooling to support the new resilience efforts.
Explosive Growth of Assets and Devices Compound Resilience Complexity Challenge
Recent UK Finance research amongst members indicated that it is currently difficult for FIs (Financial Institutions) to identify the actual IT assets which are critical in underpinning the critical services on which they will be measured, from a ‘service uptime’ perspective, under the Operational Resilience regulation.
COVID-19 has also compounded the challenge for FIs: the pivot to home working has added asset complexity and risk for FIs to consider and mitigate.
In addition, the explosion of “unmanaged devices” across FIs’ infrastructure – e.g. IoT and smart devices – creates additional risk through an expanding cyber ‘attack surface’. Some of these assets or devices will not readily accept an endpoint security agent, so visibility and protection of unmanaged assets is becoming increasingly difficult for FIs to manage, which increases operational and cyber risk.
Many FIs’ “golden” CMDB data sources are fragmented and rely on “point in time” scans from different sources to form a view of the IT asset inventory, making it difficult to understand and track all of the critical assets associated with a critical service.
Consequently, UK Finance research indicates that FIs are exploring asset discovery or mapping tools; in many cases these tools unfortunately do not detect all the potential assets across an FI’s environment, so many FIs resort to manual methods of collecting inventory data via Excel spreadsheets and end-user compute applications. Some asset mapping tools also require active scanning, which needs to be scheduled within a particular network segment and can be disruptive to ‘live’ systems, so it is unsuitable for, e.g., BMS (Building Management Systems), which are classed as OT (Operational Technology). It is therefore increasingly difficult to achieve an aggregated view of the underlying asset inventory and of any real-time vulnerabilities or attack scenarios that could have an impact on critical services.
Trying to decode and manage this complexity via spreadsheets and end-user compute is ineffective; you need a solution which can correlate what you have today against the world’s largest asset intelligence knowledge base. The attack surface is expanding at a rapid rate, and your network and connected devices are constantly evolving, which introduces new risks. You likely don’t have full visibility or a solid inventory of everything connected to your networks which could represent a risk – e.g. IoT devices which cannot be patched but which may have connectivity into networks and services to which they should not have access.
Armis’ and ServiceNow’s Response to Operational Resilience Challenges
A new approach is required to meet the Operational Resilience challenges head on; spreadsheets of critical asset counts don’t scale to environments with millions of potential devices. They are time-consuming and laborious and don’t meet the objective, and the separate risk qualification that follows is equally time-consuming. Armis can help with this challenge, and if you use ServiceNow we can close the loop: map the critical assets against the critical services, then monitor and track KPIs and enable remediation workflows when asset health may be impacted, which could in turn impact a critical service.
Together, Armis and ServiceNow help FIs gain situational awareness and visibility of what assets they have across their entire diverse global infrastructures.
Even though this may appear a monumental task, Armis helps to simplify the chaos by correlating the client’s environment against the world’s largest digital asset knowledge base, with close to 3Bn assets and tens of millions of behavioural device security profiles, which are constantly evaluated in real time. This enables Armis to deliver an elegant, categorized inventory and help our clients get to ground truth on what assets they have, where they are and the health of those assets. Having successfully delivered this for over 40% of the Global Fortune 100, across some of the world’s most complex digital enterprises, Armis has gained deep experience in delivering a unified asset inventory. Working from that baseline, we can then shine a light on the operational risk clients face by highlighting which cyber vulnerabilities and malware have been weaponised in the FI’s environment and, crucially, which assets are impacted. Once this is understood, it is a matter of mapping the key assets in ServiceNow to the critical services and impact tolerances for which the FI is regulated and where service uptime is key. Any issues with underlying asset health, e.g. weaponised vulnerabilities, can trigger remediation workflows to fix issues which could impact an FI’s critical service, e.g. a bank’s ATM network.
Ultimately, for FIs to gain visibility and situational awareness of their complex estates and address the Operational Resilience imperatives, it is advisable to follow some key steps:
- Complete Visibility across hybrid, complex, dynamic environments: asset discovery and mapping of the total environment to cover both managed and unmanaged assets and provide 100% visibility of the estate across Cloud, On-Premise, Virtual, IoT, Wireless and OT environments.
- Business Risk Context: gathering asset intelligence to understand risk posture and the context of how each asset supports the critical business services and outcomes.
- Critical Service Mapping: tagging or grouping the assets which ‘underpin’ the critical services, so they can be logically associated with those services, whether through logical boundaries, geographic boundaries or both.
- Aggregate Operational Risk (Ownership, Interdependencies, Impact): understanding the interdependencies between assets and network services to determine aggregated operational risk in real time. Where possible, record the asset owner, location and IP address.
- Consistency, Reliability, Compliance: aligning the critical assets with the risk control framework and impact tolerances to provide an aggregated view of asset risk based on cyber and risk vulnerabilities and actual asset health / posture.
- Monitor in real time, track KPIs, disseminate to stakeholders and regulators: mapping the critical services, aligning the aggregated asset inventory, determining the impact tolerance of each critical service and the KPIs to monitor and track, then monitoring the service against the cyber / risk and operational framework to ensure uptime in real time.
… all of which can be achieved with the combination of Armis and ServiceNow.
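The steps above can be modelled in a few functions, which makes the logic concrete. The following is an added example written for this article, not Armis or ServiceNow code: it merges two point-in-time discovery sources into one inventory keyed by IP address (a managed-endpoint scan and a passive discovery feed that also sees unmanaged OT/IoT devices), tags assets to the critical services they underpin, aggregates per-service risk from weaponised vulnerabilities, unhealthy assets and missing agents, compares it with an impact tolerance, and raises a remediation work item per degraded asset on a service whose tolerance is breached. All asset names, IPs, owners, scores and tolerances are constructed sample values, and the tolerance rule (a maximum number of degraded assets per service) is an assumption chosen for illustration.

```python
"""Asset-to-critical-service mapping and risk aggregation (added example, constructed data)."""
from dataclasses import dataclass, field, replace


@dataclass
class Asset:
    asset_id: str
    ip: str
    owner: str
    location: str
    managed: bool                              # has an endpoint security agent
    weaponised_vulns: int = 0                  # vulnerabilities known to be exploited in the wild
    healthy: bool = True                       # current health / posture of the asset
    services: set = field(default_factory=set)  # critical services this asset underpins


@dataclass
class CriticalService:
    name: str
    max_degraded_assets: int  # assumed impact tolerance: degraded assets allowed before the service is at risk


# Constructed sample discovery sources (not real data).
AGENT_SCAN = [  # managed endpoints reporting through an agent
    Asset("atm-ctrl-01", "10.1.0.10", "Retail Ops", "London DC", True, weaponised_vulns=1,
          services={"ATM Network"}),
    Asset("core-bank-01", "10.1.0.20", "Core Banking", "London DC", True, services={"Payments"}),
]
PASSIVE_DISCOVERY = [  # passive network discovery: sees agentless OT/IoT devices too
    Asset("atm-ctrl-01", "10.1.0.10", "Retail Ops", "London DC", False, services={"ATM Network"}),
    Asset("bms-hvac-01", "10.2.0.5", "Facilities", "London DC", False, healthy=False,
          services={"Payments", "ATM Network"}),  # data-centre cooling underpins both services
    Asset("cam-lobby-01", "10.2.0.9", "Facilities", "London HQ", False),  # not tied to a critical service
]
SERVICES = [CriticalService("ATM Network", 0), CriticalService("Payments", 1)]


def merge_inventories(*sources):
    """Step 1: union the point-in-time scans into one inventory keyed by IP.

    An asset seen by several sources keeps the strongest evidence from each:
    managed if any source saw an agent, worst-case vulnerability count and health,
    and the union of service tags."""
    merged = {}
    for source in sources:
        for seen in source:
            a = replace(seen, services=set(seen.services))  # copy so sources are not mutated
            if a.ip not in merged:
                merged[a.ip] = a
                continue
            cur = merged[a.ip]
            cur.managed = cur.managed or a.managed
            cur.weaponised_vulns = max(cur.weaponised_vulns, a.weaponised_vulns)
            cur.healthy = cur.healthy and a.healthy
            cur.services |= a.services
    return merged


def assets_for_service(inventory, service_name):
    """Step 3: the logical group of assets tagged to a critical service."""
    return [a for a in inventory.values() if service_name in a.services]


def service_risk(inventory, service):
    """Steps 2, 4 and 5: aggregate risk for one service and test it against the impact tolerance."""
    assets = assets_for_service(inventory, service.name)
    degraded = [a for a in assets if a.weaponised_vulns or not a.healthy]
    unmanaged = [a for a in assets if not a.managed]
    return {
        "service": service.name,
        "asset_count": len(assets),
        "degraded": sorted(a.asset_id for a in degraded),
        "unmanaged": sorted(a.asset_id for a in unmanaged),
        "owners": sorted({a.owner for a in degraded}),  # who to contact for remediation
        "tolerance_breached": len(degraded) > service.max_degraded_assets,
    }


def remediation_workitems(inventory, services):
    """Step 6: one work item per degraded asset on a service whose tolerance is breached."""
    by_id = {a.asset_id: a for a in inventory.values()}
    items = []
    for svc in services:
        report = service_risk(inventory, svc)
        if not report["tolerance_breached"]:
            continue
        for asset_id in report["degraded"]:
            a = by_id[asset_id]
            items.append({"service": svc.name, "asset": a.asset_id, "owner": a.owner,
                          "location": a.location, "ip": a.ip,
                          "reason": "weaponised vulnerability" if a.weaponised_vulns else "unhealthy"})
    return items


def build_inventory():
    return merge_inventories(AGENT_SCAN, PASSIVE_DISCOVERY)


if __name__ == "__main__":
    inv = build_inventory()
    for svc in SERVICES:
        print(service_risk(inv, svc))
    for item in remediation_workitems(inv, SERVICES):
        print("WORK ITEM:", item)
```

In the sample data the ATM controller is seen by both sources, so the merge keeps it as managed while retaining its weaponised vulnerability; the BMS device is only seen passively, has no agent and is unhealthy, and because it is tagged to two services it degrades both. The ATM Network has a zero tolerance and breaches it, producing two work items routed to different owners; Payments tolerates one degraded asset and stays within tolerance, which is the kind of per-service KPI the last step calls for.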
Impact and Value of the Approach
The results of this approach speak for themselves:
- 100% asset visibility, across all environments and geographic boundaries, categorized and searchable for both security and risk teams with a common platform.
- Real-time asset intelligence on posture and health and context of how it pertains to a critical service.
- Ability to set alerts on KPIs and services, e.g. on changes to underlying asset health or any changes which may occur to the underlying infrastructure.
- Ability to extend into 3rd party infrastructure where critical service interdependencies may occur.
- Identification of technical debt across the asset base which can be scheduled for removal / funding transformation.