When Orion Hindawi attended a dinner with executives from a global bank that recently became a customer of the cybersecurity company he co-founded, he heard something that crystallized the high stakes of his work.
The bank's CEO told Hindawi that there are three threats that could put the bank out of business: nuclear weapons, meteors and cybersecurity.
"Think about that," said Hindawi, the president and chief technology officer of Tanium, in recalling the conversation. "Two are existential risks that you can't control at all and the third is an emergent threat."
As banks work to
IT managers can type a question such as "How many laptops are currently missing security patches?" or "Which Linux servers are vulnerable to Shellshock?" into Tanium's Endpoint Platform and they are supposed to get the answer within 15 seconds.
"This is an opportunity for banks to take something that's been antiquated for a long time, the way they've managed their endpoints en masse, and upgrade it in a way that's qualitatively different and better," Hindawi said. "You can't even imagine what's possible."
In addition to surveying a network instantly, Tanium can consolidate threat intelligence and identify and shut down compromised access points. The platform, which consists of software the company installs on servers, desktops, laptops, virtual machines, embedded devices and cloud environments, also lets IT managers patch, update or uninstall software; detect and disable malware; track usage of databases and servers; and capture forensics to aid incident response.
Those capabilities have earned Tanium the business of seven of the 10 largest global banks and more than half the Fortune 100, according to the Emeryville, Calif.-based company, which counts U.S. Bancorp, Visa, Amazon and the U.S. Department of Defense as customers.
Investors such as Andreessen Horowitz, T. Rowe Price and TPG also are depending on Tanium, which the
Finding Threats That Matter
A
While banks may be shelling out for cybersecurity, the challenge for chief information officers may be getting their arms around what they have.
"A large bank will get a half million to a couple million security alerts a day and they're not well prioritized," said Avivah Litan, vice president at Gartner. "The systems are all shooting off alarms and it's hard to distinguish which ones are important. CIOs want to detect the bad guys who are flying under the radar and to improve the productivity of their security staff."
Tanium says its platform allows banks to lower the volume and filter out the noise. According to the company, a
The company says the platform makes most sense for networks that have at least 5,000 access points, a critical mass that signals "you probably have data that's worth stealing and people targeting you already," Hindawi said. The price of the platform ties to the number of vulnerabilities, though a sliding scale means the price per endpoint drops above a certain threshold.
Lords of the Ring
Tanium's promise turns on speed and potential for expansion, which reflects the evolution of a design developed by Hindawi, 35, and his father and co-founder David Hindawi, 70, an émigré from Israel who holds a doctorate in operations research from the University of California at Berkeley and serves as CEO and chairman.
In 1997, David founded BigFix, a company that patched computers across a network automatically, and recruited then-17-year-old Orion, who while still in high school was taking college classes, as a developer. While at BigFix, which IBM bought in 2010, the duo began to hear from customers that the increasing virulence of cyberattacks and the advent of virtualization and cloud computing demanded the ability to assemble information from remote access points immediately. Getting data within days or even hours no longer sufficed.
The realization spurred David, Orion and a dozen of their colleagues to start Tanium, where they set out in 2007 to solve what Orion terms "a fundamentally different problem." The solution ultimately led them to discard the hub-and-spoke design that characterizes many networks in favor of a system in which computers pass files to their peers along a series of ordered rings. Instead of a server sending a file to each machine in the network, the server sends the file to a lead machine in each ring that then distributes the data to its peers.
"The ring architecture was the outgrowth of our realization that the hub-and-spoke architecture everyone uses was the problem," Orion said. "That's why they were slow. Tanium to this day is the only tech company that is not using that 40-year-old design."
With Tanium, the range of queries a company can put to its access points ties to the number of so-called sensors those points are programmed to register. Though Tanium has a library of more than 1,000 sensors (most companies use around 400, the company says), IT managers, either in-house or with support from Tanium, can customize sensors to harvest any information they can program a machine that runs Windows, Mac OS X, Linux or Unix to identify.
One thing Tanium cannot query is smartphones and tablets that run iOS or Android. That is because Apple and Google do not enable their operating systems to answer questions about which applications are touching certain types of data, a limitation that Hindawi notes affects all mobile device managers.
"I've never met any company that is happy with its mobile device management solutions," added Hindawi, who says the answer lies either with mobile OSs permitting better management or with manufacturers such as Intel and Qualcomm building the capability directly into processors.
Sorting 'Fact from Fiction'
Add that to the challenges for bank CIOs, who are faced with sorting through a deluge of companies that come calling with software or services that a defender of data seemingly cannot fail to vet.
"There are hundreds of unbelievably innovative cybersecurity technologies that typically focus on one niche or the other," FBR's Ives said. "That's always the decision for CIOs: do they do best of breed when you can have 16 or 20 vendors in your data center or go with three or four? Customer references are crucial in terms of separating fact from fiction."
Hindawi agrees, noting that Tanium typically enables companies to decommission between four and seven applications they had used. He adds that Tanium, which in August announced an
"Banks should not have to be worried about balance sheets of their vendors, but if a company is making excuses that 'because we're growing we cannot be profitable' it means there's something wrong with their business," said Hindawi, adding that he knows from experience what IT managers endure. "I've been on the phone with CIOs at 3 a.m., when it's their worst time."
The goal, says Hindawi, is to achieve what he calls "a real A-plus." On a network with 500,000 access points, "if you're sitting at 92% compliance ... that's tens of thousands of vulnerabilities," he said. Even "95% is not good. It means they can be hacked by a 9-year-old with access to Google."