Synthetic Identities and a CISO View: A Series on Cyber Security
A few years ago, most of our business was done in person, and your personal identity was showing up with your face and signature. As we move to a remote, digital work environment, creating Synthetic Identities is becoming easier and more common. In this podcast, Craig Jeffery of Strategic Treasurer talks with Jonathan Doskocil of TD Bank and Tyler Farrar of Exabeam on the importance of identity verification, education, and detecting compromised credentials.
Craig Jeffery, Strategic Treasurer
Jonathan Doskocil, TD Bank
Tyler Farrar, Exabeam
Episode Transcription - Episode #211: Synthetic Identities and a CISO View-A Series on Cyber Security
Announcer 1 0:04
Welcome to the Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune in.
Craig Jeffery 0:18
Welcome to the Treasury Update Podcast. This is Craig Jeffery and today’s episode is sponsored by TD Bank. And it is on synthetic identities and the CISO view. Today, we have Jon Doskocil from TD Bank and Tyler Farrar, who’s the Chief Information Officer of Exabeam. Welcome to the podcast.
Jon Doskocil 0:41
Thank you, Craig. Thrilled to be here.
Tyler Farrar 0:43
Great to be here, Craig.
Craig Jeffery 0:44
Yeah, before we get started on this topic of synthetic identities, maybe each of you could give us just a quick background of your responsibilities and your career in terms of how it intersects today’s topic. Let me begin with you, Jon.
Jon Doskocil 0:59
Sure. So I work in commercial distribution for Treasury Management Services at TD Bank. And we have the opportunity to both educate and advise companies on best practices for accounts payable, accounts receivable, optimizing working capital, and most notably for this conversation, fraud protection and how to create a strong security posture that includes education on what’s going on in the industry when it comes to cybercrime and payments fraud, and helping connect what financial professionals may be experiencing in their everyday operations with observations on industry trends. I did not take a traditional path to banking. I started my career in the Department of Defense, where I managed and helped secure data networks. And during that time, I became Security Plus certified through CompTIA and gained some real-world cybersecurity experience. So when I eventually made my way into banking and payments, I brought with me a more informed perspective. And drawing on that experience to help companies combat fraud and educate customers is an area of my role that I really enjoy.
Craig Jeffery 2:12
And Tyler, thanks for joining us from Exabeam.
Tyler Farrar 2:16
Yeah, thanks, Craig. I’m the CISO here at Exabeam. I focus both on enterprise cybersecurity, so more traditional cybersecurity of corporate IT infrastructure, the laptops that employees work on, and protection of those devices, as well as product security to ensure that the product that we sell to our customers is secure and providing that level of assurance that is comfortable for our customers. Prior to Exabeam, I worked at a cleared defense contractor, Maxar Technologies. I ran security operations, infrastructure governance, cyber assurance, and USG, US government program protection functions. Prior to that, I consulted with KPMG and worked on various engagements like FedRAMP, next-gen security operations, and vulnerability management. And before that, just like Jon, I was a naval officer. I worked in the cryptologic warfare community, was heavily focused on cybersecurity operations, and various multimillion-dollar projects within US Cyber Command.
Craig Jeffery 3:22
I’m going to begin by asking you, Jon, a few questions about the bank’s view of synthetic identities and how customers should be thinking about that.
Jon Doskocil 3:32
Synthetic identity fraud really has become a leading area of concern for all industries, particularly industries that interact with consumers, where, you know, a criminal can get some sort of financial gain through creating a false identity. In general, synthetic identity fraud has been around forever. And it’s evolved over time in kind of a spy-versus-spy way, where criminals will exploit a vulnerability, and the industry will respond in defending it, and then criminals will find another creative way to commit these crimes. You know, I guess, as the old adage goes, necessity is the mother of innovation. And unfortunately, in this case, it kind of goes both ways. But I’d like to start by maybe giving a background, maybe getting to understand synthetic identity just a little bit better. So if we go back in time, where we were mostly doing business in person in local communities, your personal identity was your appearance or a signature. But as commerce expanded geographically, and identity fraud has kind of evolved with it, it’s become more necessary to have these layers of identity. So now we have things like your driver’s license or your passport. And then with the advent of the Internet, almost everything that we do today is done remotely, or in some cases, we have personal or business relationships with people whom we’ve never met before physically. How many times have you written the email? It’s nice to meet you virtually, or it’s nice to meet you via email. And all of this has kind of given rise to an environment where a significant amount of personal information and business information is available publicly through the internet. We want our customers to know as much as possible about who we are and what we’re about. But we don’t want that to be used against us. So we find ourselves in a position today where we as individuals are more susceptible than ever to having our identity stolen.
Financial practitioners in particular are more susceptible than ever to falling victim to being tricked by criminals who create these synthetic identities. You know, we’re experiencing significant financial losses, disruption, and reputational risk when they’re able to convince somebody on the finance team that they’re a vendor, or, you know, as crazy as it might sound, the CFO, or even a service provider. So criminals have gained this wide avenue of approach where they can use publicly sourced information or information that they’ve gained through social engineering to defraud different financial practitioners trying to operate in the digital economy. And that means that, you know, we have to be so much better now than ever before in identifying what’s going on. And it starts by really understanding what synthetic identity fraud is and how to defend against it.
Craig Jeffery 6:16
Jon, how does this synthetic identity impact things like man-in-the-middle or business email compromise?
Jon Doskocil 6:22
Business email compromise factors into this in a way that’s really unique. The criminals are able to create an identity that is not one that’s their own. Right? So it’s an identity that’s been fabricated through publicly available information, and also information maybe that they’ve gained through monitoring an email box. Right? So synthetic identity plays into the ability of a criminal to defraud an employee. And because of that, it’s created an environment that’s very dangerous for financial practitioners to operate in. And I think that, you know, understanding how synthetic identity plays in is an important way to also defend ourselves from falling victim to it.
Craig Jeffery 7:04
Thanks for the details on that, Jon. Now, let’s shift over to you, Tyler. How are companies being exploited? I know you have stories, you’ve got examples. Maybe you could open up how these companies are being exploited, and the CISO and provider view would be very helpful here to build on what Jon said.
Tyler Farrar 7:24
Yeah, absolutely. Just to reiterate and expand upon what Jon mentioned, you have financial institutions where their main charge is to protect money. But there’s also this digital asset and the network that is certainly worthy of that same type of protection. And as Jon mentioned, you know, you’re talking about millions of dollars in costs if a breach does occur. How the financial industry has become a prime target for external threats has been through means such as credential theft, and phishing, and ransomware attacks. And it definitely has increased with the adoption of new technology, like mobile banking, and digital-only banks, and other kinds of financial management technology. What should we be focused on as an industry? That number one piece here is compromised credentials. It is the major root cause of nearly every single cyber breach that we’ve seen over these last few years. And it’s usually due to an insufficient set of controls that are related to identity. And you have these traditional methods of issuing a user ID and a password. And it’s created an environment that’s just rich in account takeover and fraud. And if you have compromised credentials, now you’re posing that tremendous threat to the cybersecurity of your organization. And in the hands of a malicious actor, you’re talking about them getting access to the most sensitive information in your company. The sources of this compromise are often due to man-in-the-middle attacks, business email compromise, like phishing scams, where a credentialed user just clicks on something that they’re not supposed to, right? A malicious link. But it also could happen as a result of just someone being negligent, and that’s what we call a negligent insider. So think about an employee who just doesn’t follow proper IT procedures. Maybe they left their computer without logging out. Maybe you had an IT administrator that forgot to change a default password.
Maybe they forgot to apply a security patch, or maybe somebody was walking in the parking lot, and they picked up a USB device, and it was infected, and they plugged it into their computer. And those compromised credentials are really what we call the home base for cybercriminals. It allows them to establish persistence. It allows them to move laterally. It allows them to scan your file shares, find your data, create new accounts, escalate privileges, and then siphon out your high-value assets or that private data. And so I mentioned a little bit about what the key risk is here. How do they do it? I said phishing. Phishing is a big one. And when we think about fraud and business email compromise and synthetic identities, a big target here is your payroll departments, your accounts payable departments, your accounts receivable departments. Think about getting an email, and it says your account is in need of immediate attention. Or think about getting a compelling email from your CEO asking, Can you change my banking information? I’m working here now at this bank, and I need you to send my paycheck here. Right? It is very compelling. It looks very realistic. And it’s all clickbait. It sounds official, it resembles somebody that’s trusted. Maybe again, it’s the bank, maybe it’s the CEO, maybe it’s the CFO, maybe it’s a third-party organization that the company does business with that is asking to change banking routing information. It is absolutely leveraged and used to establish a foothold into your organization’s network and compromise those credentials. And again, it allows them to move laterally, it allows them to take over accounts, and it allows them to exfiltrate data.
Jon Doskocil 11:23
Yeah, Tyler, there’s something that you said in there that I think is really important. In many ways, the synthetic identity isn’t the goal, right? Creating a synthetic identity is not the goal. The goal is the financial gain. So the criminals will be as patient as possible. And in some cases, you know, it’ll be months or years before they, you know, bust out or commit the crime. They’ll create this false sense of urgency. And, you know, they’ll use the synthetic identity that they’ve created, or they create this identity or this trust with whoever their target is. And then they’ll wait for the right time, and then make that, you know, urgent ask and disappear without a trace.
Tyler Farrar 12:01
Yeah, absolutely. And you can think about the end goal here is not creating the synthetic identity. The end goal is usually to capitalize and make money. And so either that could be through, again, exfiltration of data and/or sensitive information. Or there’s another threat here, which is malware, right? It’s ransomware. And access to a banking network, or to the data that a banking network contains, is extremely profitable for an attacker, and there’s ransomware-as-a-service that’s available on the dark web. So no longer do you need somebody who’s proficient in writing malicious code. They can absolutely get on the dark web and, in a matter of minutes, just initiate a ransomware attack that can pay for itself within days or even hours. While ransomware is certainly similar to other modern malware attempts to avoid detection, it is another means that cybercriminals will use in order to profit.
Craig Jeffery 13:02
When we were prepping for today’s discussion, we talked about, you know, all of these activities of criminals to create a synthetic identity to get to data, to get to money or cash. I remember one of you shared a story about deepfake videos to apply for remote work. Really, really interesting. It’s like, you go through all that to apply for work, especially in a remote work environment. You know, as we move off of this, you know, how they’re being exploited, how are criminals succeeding at this? This, you know, from phishing, to ransomware, to exfiltrating data or getting money out. Let’s talk a little bit about defense in depth. And what is the strategy for better defense? I know you have three steps that you highlight, Tyler. I know we probably don’t have time for all three of them. But maybe you could talk us through what you see as the key steps. And let’s get into some detail on these.
Tyler Farrar 13:57
Absolutely. Because of the threats that we just talked about, you’ve seen CISOs or cybersecurity programs expand and focus on analyzing user behaviors, employing fraud detection programs, developing other advanced verification methods for account recovery, and eliminating that synthetic identity fraud. What we focus on here, and what I would recommend to the listeners today, is number one, build out your key objectives. It’s really important to focus on and balance prevention and response, incident response. There’s a lot of focus today on prevention of breach. Breaches will happen, and so what you do during incident response and crisis management is equally as important. So what are those key objectives? Number one, I talked about prevention: reduce your cyber attack surface, focus on reducing your cyber attack surface. And number two is, where you are going to have threats that attempt to breach your network, you need to deploy capabilities for threat detection, investigation, and response. When you think about where should I focus on key objective number one, around reducing that cyber attack surface, I would recommend that listeners focus on prioritizing areas of risk, remediating areas of risk that are major root causes of breaches. And there’s a book out there that is authored by Neil Daswani, and his book is called “Big Breaches: Cybersecurity Lessons for Everyone.” Highly recommend the book. There are six root causes, and I’ll share with you today.
Craig Jeffery 15:36
A quick question for Tyler. You know, when you talk about attack surface, that’s a very IT or security position. What do you mean by attack surface in this discussion?
Tyler Farrar 15:48
When I talk about reducing the cyber attack surface, I’m talking about reducing the likelihood and the ability for a cyber threat actor to breach your network or to take advantage of, you know, a specific security vulnerability.
Craig Jeffery 16:04
So in our physical office, we have doors as points of access, or who we grant in there. On the network side, what would be some examples that we would think of in terms of an attack surface?
Tyler Farrar 16:14
Examples here would be your intrusion detection and intrusion prevention systems. Examples would be patching, having a solid patching cadence, and patching especially exploitable vulnerabilities. And one other example would be good configuration management, meaning that you are taking your laptops that everyone’s working on, you know, endpoints, and ensuring that they’re in a configuration that is secure, and that it is also being patched, etc.
Craig Jeffery 16:46
So is email a surface area of attack that has both IT and the user involved? Or is it not a surface area of attack because it’s after it comes through the filters?
Tyler Farrar 16:59
When we talk about email threat protection, email is a vector, and with email being one of the larger vectors that cyber threat actors utilize, email threat protection is absolutely a tool that can be utilized to reduce that cyber attack surface. So it is automatically sitting in front of your email flow into your company and filtering out the known bads, thus drastically reducing the amount of potential malicious emails that could come into one of your employees’ mailboxes. Another tool that you can leverage to reduce the cyber attack surface with respect to email is around reducing the ability to spoof an email to look like the CEO, to look like the CFO. That’s called DMARC. And it’s another big tool leveraged by cybersecurity professionals in order to reduce or to eliminate business email compromise.
Craig Jeffery 18:00
Does it make sense to talk about how that works at a macro level? I know some of the people in the audience are very, very IT or CISO savvy; others are treasury or finance professionals. Maybe I’ll ask a question, and you can tell me if this makes sense. You know, I know in terms of emails, that’s all governed by your domain name server, where the rights are. It says where this information can come from. It’s like a Rosetta Stone of what comes out, and in their settings, you can define what systems it can come from. So if someone just says, I’m going to send an email, and it says it comes from ACME Corp, but it’s not, there are some things that will get captured or tracked. Is that what we’re talking about here? And then there’s other services that ensure nobody sends data out from your domain?
Tyler Farrar 18:51
Yes, implementation of business email compromise is intended to only allow verified senders to send from your email domain on your behalf. So that could be internal, right? And we only allow emails to come from internal sources, approved internal sources. Or it could be an external source. Maybe it’s a marketing vendor that you leverage as a third-party partner. And it’s working alongside that partner to implement this DMARC policy in order to specifically allow this trusted partner to send emails on behalf of your company’s domain.
Craig Jeffery 19:30
Excellent. Anything else on attack surfaces or capabilities that provide defenses in this first area?
Tyler Farrar 19:38
I would highly recommend that everybody listening to this today understands, and pushes to understand, the business complexity within your organization. It’s really important for IT professionals and security professionals. If security teams do not understand network infrastructure, various systems or applications that are deployed, and how they all work and talk to each other, and where I’m getting at with this is an asset inventory, it will become very difficult, if not impossible, to effectively prevent and respond to a security incident or security breach. So if your company’s continuing to add business complexity, I would caution that you may be doing things wrong.
Craig Jeffery 20:30
So that covers the first step to reduce the attack surface. You also mentioned detect and block attacks.
Tyler Farrar 20:38
From a threat detection, investigation, and response standpoint, a lot of the goals here are to deploy various technologies that can help block and detect what really are very highly motivated adversaries, particularly within the banking sector. And so some things that I would recommend and think about are endpoint detection and response, blocking and protecting your laptop from a malware incident. I already mentioned email threat protection; there is a detective component to that. And a big one around identity, we talked about compromised credentials being the key root cause of breaches, is utilizing behavioral analytics and automation and having more purpose-built content that allows a security analyst to really see across detection of a threat all the way to incident response, and being able to quickly detect any kind of anomalous behavior, and then ensuring that those technologies are monitoring all activity on your network, maybe your SWIFT transactions and all of your cloud instances.
Craig Jeffery 21:49
Excellent. And then the third area, which was cyber assurance. I don’t know if you had any quick thoughts on that. I know we only thought we might get to two. Is there anything that you’d like to at least point us in the direction of on cyber assurance?
Tyler Farrar 22:03
When we talk about cyber assurance, we’re talking about providing a level of assurance to our customers that we’re doing things right, we’re following best practices around security. And that is not specific or applicable to any one company in any one industry; that’s applicable to all of us. And how we provide that level of assurance is through, obviously, various compliance and certification frameworks, but also through the prior two objectives that I just spoke about, and being able to tell that story and show that improvement around how a company has reduced that cyber attack surface, about how we have capabilities to detect a threat or block a threat. And it is telling that story, aligned with, like I mentioned, certifications, compliance certifications, and audits, to really pull the full picture together to provide that cyber assurance to customers that we are, you know, reducing the potential for either third-party risk or, you know, breach of customer data.
Craig Jeffery 23:12
As we bring this podcast to a close, I wanted to bring you back in, Jon, particularly about closing advice. How should we think? How should we act? What should we be sharing with others in our organization to, you know, understand synthetic identities, how companies are being exploited, how we can help with the defense of our organizations, because everyone has some element of being involved in the defense of the organization.
Jon Doskocil 23:44
Yeah, thanks, Craig. Well, I’m so encouraged by, you know, the answers, how in-depth they are, by Tyler, because I think that it really highlights all of the different stakeholders that a company needs to be engaging to create a good cyber defense posture and defend against payments fraud, right? It’s kind of like a symptom versus a disease. Right? So when we try to treat the symptom of the payments fraud, but we don’t understand the disease, which may be the synthetic identity or the malware or the tactics that criminals use to exploit our operations, I think that we miss the mark. Right? So when we think about, you know, understanding and developing a good cybersecurity posture for ourselves and making ourselves and others in the digital economy safe, we have to be looking at all of the different stakeholders that are involved. So, you know, having Tyler’s perspective, I learned so much just by listening to this and being on this podcast, because there’s such a depth of knowledge that, you know, we need to be making ourselves aware of, and we can only do that by having good partnerships. So who’s in your foxhole with you? Who are the stakeholders that you’ve aligned with? Are they providing education? Are they providing, you know, the ability for you and your company to create a safe environment for work? And I think that that’s incredibly important. And that would, I think, be the main piece of advice that I would give: to take a look at and understand cybersecurity and defending your company from a more broad perspective. It’s not just the bank that’s going to take care of you. It’s not just one cybersecurity company that’s going to take care of you. It’s a holistic group of stakeholders that you can partner with. And in doing that, you can create a stronger cybersecurity posture overall, and defend against the symptoms of payment fraud.
Announcer 2 25:46
You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasurer.com.