
Page 1:

Cyber Security Overview

Charles Blauner
Managing Director – Global Head of Information Security
[email protected]
+1 908 563-3589
Treasury and Trade Solutions

Page 2:

Overview: 2014 Significant Attacks

Page 3:

Overview: The Cyber Threat Landscape—Actors and Methods

Threat Actors

Nation-State Actors
Motivation: theft of trade or craft secrets or support of military capabilities and nationalized industries
Methods: advanced operations to establish a foothold into infrastructure

Organized Criminals
Motivation: make money
Methods: spear-phishing and other techniques; mature underground economy supporting criminal activity

Cyber Terrorists
Motivation: instill fear to have targets comply with demands or ideology
Methods: using Cyber to “enable” their programs (recruit, incite, train, plan and finance)

Hacktivists
Motivation: seek publicity for their geopolitical agenda
Methods: disruption (e.g., Distributed Denial of Service) and defacement

Insiders
Motivation: emotional or sometimes financial needs
Methods: uses insider knowledge to steal data, conduct fraud, etc.

Page 4:

It’s All About Speed

The Bad Actors move at the speed of light, while the victims learn of it well after the attack

[Bar chart: percentage of breaches (y-axis 0% to 50%) by elapsed time (Seconds, Minutes, Hours, Days, Weeks, Months, Years) for three intervals: Initial Attack to Initial Compromise, Initial Compromise to Data Exfiltration, Initial Compromise to Discovery]

Conclusions

The efficacy of attacks is high and, once a network is infiltrated, adversaries are difficult to detect and are often able to operate undetected for long periods of time
– Aggravating the slow speed of detection is the fact that, in the majority of cases, the victim discovers the breach only when notified by a third party

A key objective remains prevention, but we can NOT assume we will be successful 100% of the time and need to enhance our ability to detect and respond to the adversary at each stage of the kill chain

Breach discovery method (share of breaches):
External Party 49%
Internal Active 16%
Internal Passive 28%
Not Documented 7%

Source: 2012 Data Breach Investigations Report from Verizon / http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf.
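The chart and the discovery-method breakdown on this slide are two metrics a defender can track internally: how long each kill-chain interval takes, and who found the breach. The Python below is an added example, not from the presentation, that computes both from a constructed set of incident records and also reports the median dwell time (compromise to discovery) that detection work is meant to shrink. The incident dates and durations, the bucket boundaries (a week is 7 days, a month 30, a year 365) and the helper names are all assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Time-unit buckets used on the slide's chart: (exclusive upper bound in seconds, label).
# Boundaries are assumptions: a week is 7 days, a month 30 days, a year 365 days.
BUCKETS = [
    (60, "Seconds"),
    (60 * 60, "Minutes"),
    (24 * 60 * 60, "Hours"),
    (7 * 24 * 60 * 60, "Days"),
    (30 * 24 * 60 * 60, "Weeks"),
    (365 * 24 * 60 * 60, "Months"),
    (float("inf"), "Years"),
]

# The three intervals charted on the slide: (start field, end field) of an incident record.
PHASES = {
    "Initial Attack to Initial Compromise": ("attack", "compromise"),
    "Initial Compromise to Data Exfiltration": ("compromise", "exfil"),
    "Initial Compromise to Discovery": ("compromise", "discovery"),
}


def bucket(seconds):
    """Map an elapsed duration in seconds to the chart's time-unit label."""
    if seconds < 0:
        raise ValueError("end precedes start")
    for upper, label in BUCKETS:
        if seconds < upper:
            return label


def incident(attack, to_compromise, to_exfil, to_discovery, discovered_by):
    """Build one incident record from an attack start time and the offsets of later milestones."""
    compromise = attack + to_compromise
    return {
        "attack": attack,
        "compromise": compromise,
        "exfil": compromise + to_exfil,
        "discovery": compromise + to_discovery,
        "discovered_by": discovered_by,  # who found the breach (DBIR-style category)
    }


# Constructed sample incidents (hypothetical dates and durations, not real breach data).
INCIDENTS = [
    incident(datetime(2014, 3, 1, 9), timedelta(seconds=20), timedelta(hours=5),
             timedelta(days=75), "External Party"),
    incident(datetime(2014, 4, 10, 8), timedelta(minutes=10), timedelta(days=2),
             timedelta(days=20), "Internal Passive"),
    incident(datetime(2013, 1, 5, 12), timedelta(seconds=30), timedelta(minutes=30),
             timedelta(days=400), "External Party"),
    incident(datetime(2014, 6, 20, 10), timedelta(hours=3), timedelta(days=2),
             timedelta(days=3), "Internal Active"),
]


def phase_distribution(incidents):
    """Percentage of incidents falling in each time bucket, per charted phase."""
    result = {}
    for phase, (start, end) in PHASES.items():
        counts = Counter(bucket((inc[end] - inc[start]).total_seconds()) for inc in incidents)
        result[phase] = {label: round(100 * counts[label] / len(incidents))
                         for _, label in BUCKETS if counts[label]}
    return result


def discovery_sources(incidents):
    """Share of breaches discovered by each source (the breakdown next to the conclusions)."""
    counts = Counter(inc["discovered_by"] for inc in incidents)
    return {source: round(100 * n / len(incidents)) for source, n in counts.items()}


def median_dwell_days(incidents):
    """Median days from initial compromise to discovery: the number detection work should shrink."""
    days = sorted((inc["discovery"] - inc["compromise"]).total_seconds() / 86400
                  for inc in incidents)
    mid = len(days) // 2
    return days[mid] if len(days) % 2 else (days[mid - 1] + days[mid]) / 2


if __name__ == "__main__":
    for phase, dist in phase_distribution(INCIDENTS).items():
        print(f"{phase}: {dist}")
    print("Discovered by:", discovery_sources(INCIDENTS))
    print("Median dwell (days):", median_dwell_days(INCIDENTS))
```

Fed with an organisation's own incident records instead of the constructed ones, the same functions give a like-for-like comparison with the slide's chart, and a rising share of "Internal Active" discoveries together with a falling median dwell is the signal that detection at earlier kill-chain stages is working.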

Page 5:

Strategic Planning Process

[Diagram labels: Drivers: Threats, IS Challenges, Business Direction, External/Internal Perspectives; Situational Analysis: IS Capabilities Assessment, IS Talent/Operating Model, IS Capabilities Maturity, Metrics/Measures, Talent/Operating Model Review; IS Strategy/Plan: Information Security Priorities]

The strategic planning process must reassess key drivers versus current capabilities on a quarterly basis to define a set of Information Security priorities

Page 6:

Prevention is not Enough

For the Bad Actor to “win” they can succeed on 1 out of 100 attempts
For Citi to be successful they must prevent 100 out of 100 attempts
– Given time, the Bad Actor will eventually succeed

The ability to detect and respond to events is critical to a successful cyber defense

Intelligence about our adversaries and about ourselves must be used to inform all three phases of our defense system: Prevention, Detection, Response

Intelligence Led Ecosystem

Page 7:

The Cyber Kill ChainTM

Cyber Red Zone

The Cyber Kill Chain is a trademark of Lockheed Martin

Attacker must expose tools, techniques and processes as attacker moves through each phase of the intrusion chain

Page 8:

Malicious Attack—Disrupting the Kill ChainTM

Reconnaissance: Gathering initial information
Prepare: Creating malware
Delivery: Delivering the malware
Exploitation: Exploiting a vulnerability to gain access to an asset
Installation: Installing malware on the asset
Command and Control: Creating a channel of communication back to the attacker
Actions on Objective: Adversary performing their objectives

Reactive
Protect sensitive data, stronger access controls
Intelligence gathering on up-coming malware
Secure email protections, spam filters, “Be Safe, Be Secure” training
More secure code, firewalls, Silvertail, IDS/IPS, vulnerability testing, EERS, privileged account controls
Malware analysis, investigation support, network tools that capture suspicious traffic

Proactive
Intelligence gathering on new targets
Predictive analysis that identifies potentially malicious URLs; streamlined technologies/process for SOC alerting
Tools that leverage analytics to identify attacks in progress
Ability to know who is on the network with what credentials
Real time network tools that can isolate suspicious traffic and identify source
Simulate real world threats; identify and remediate process gaps

Page 9:

Cyber Defense Starts with Strong Intelligence Capabilities

Principles of an Intelligence-led Organization

1. Understand the threat: gain knowledge of the adversary and their tradecraft; know ourselves, valuable assets and challenges
2. Integrate cyber threat intelligence and analysis into decision-making: Deliver tactical and strategic intelligence products
3. Build a Foundation of Information Sharing: Increase internal and external information sharing in a trusted environment
4. Strong Execution of Program Management: Support an enterprise approach to integrated processes while conducting incident response in a learning cycle environment
5. Maximize Collaboration: Promote collaboration and partnerships both internal and external; sharing best practices and benchmarking
6. Promote Team Success: Hiring top talent, providing the best available training and experiences, focused on enterprise solutions
7. Leverage Technology: Identify and develop innovative technologies that enhance safety and security

Page 10:

IS Architecture—Defense in Depth

IS architecture is one of layered security—deploying the latest technologies at the network layers as well as within the strategic data centers.

Page 11:

Cyber Kill ChainTM and a Layered Defenses Strategy (by Capability)

Phases (rows): Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives
Columns: Protection, Detection

Capabilities shown across the phases: Cyber Security Fusion Center, Cyber Intelligence Center, Proxies, Firewalls, Intrusion Detection, Antivirus, Data Leakage Protection, Anomaly Detection, Malware Analysis, Network Application ID, Network Malware Analysis Sandboxing, Internet SSL Decryption, End Point Monitoring, Next Gen Firewalls, Forensic Analysis, Analytics

Page 12:

Cyber Kill ChainTM and Building a Detection Capability

The Security Operations Center (SOC) follows standard processes for detecting potential attacks

SOC L1 process: IS Event Alert → Detection → IS Event Triage → Data Collection → Event Annotation → Case Creation → Case Escalation

Event progression: Raw Events → Security Relevant Events → Correlated Events → Risk-based Prioritization → Threat Determined

Context used in triage: identified threats, known vulnerabilities, business-critical IT assets

Event sources: Firewalls, Intrusion Detection Systems, External Threat Data, Damballa, VPN, McAfee, Applications, Databases, SafeWord, Entrust, Symantec DLP, SiteMinder, Arbor, Windows, UNIX, ForeScout, ArcSight, Netwitness
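The SOC flow on this slide (raw events filtered down to security-relevant ones, correlated, then prioritized by risk against identified threats, known vulnerabilities and business-critical assets) can be sketched end to end in a few functions. The Python below is an added example and not the presentation's or Citi's own tooling: the sensor log lines, host names, asset criticality weights, vulnerability id, sensor severities and escalation threshold are all constructed placeholders, and the scoring model is a hypothetical one chosen to show how the triage context changes a case's priority.

```python
from datetime import datetime, timedelta

# Hypothetical reference data the SOC brings to triage (constructed; not Citi's real inventory):
# business-critical IT assets with a criticality weight, and known unpatched vulnerability ids per host.
BUSINESS_CRITICAL_ASSETS = {"pay-db-01": 3, "web-01": 2}
KNOWN_VULNERABILITIES = {"pay-db-01": {"VULN-PLACEHOLDER-1"}}
# Hypothetical base severity per sensor type (firewall/IDS/AV/DLP/VPN feeds on the slide).
SENSOR_SEVERITY = {"dlp": 4, "ids": 3, "av": 3, "vpn": 1, "firewall": 1}
ESCALATION_THRESHOLD = 6  # hypothetical score at which SOC L1 escalates the case

# Constructed sample sensor lines (timestamp|sensor|src|dst|signature|action); not real telemetry.
RAW_LOG = [
    "2014-09-01T10:00:01|firewall|198.51.100.7|web-01|tcp/443|allow",
    "2014-09-01T10:00:05|firewall|198.51.100.7|pay-db-01|tcp/1433|deny",
    "2014-09-01T10:00:09|ids|198.51.100.7|web-01|SQL-INJECTION-ATTEMPT|alert",
    "2014-09-01T10:01:30|av|web-01|web-01|Trojan.Generic.Dropper|quarantined",
    "2014-09-01T10:02:00|firewall|203.0.113.9|web-01|tcp/443|allow",
    "2014-09-01T11:30:00|vpn|203.0.113.9|vpn-gw|login|success",
    "2014-09-01T11:31:00|ids|203.0.113.9|pay-db-01|exploit:VULN-PLACEHOLDER-1|alert",
]


def parse_event(line):
    """Raw event: parse one pipe-delimited sensor line into a dict."""
    ts, sensor, src, dst, signature, action = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "sensor": sensor, "src": src,
            "dst": dst, "signature": signature, "action": action}


def is_security_relevant(event):
    """Raw -> security-relevant: drop routine firewall permits, keep anything a sensor flagged."""
    return not (event["sensor"] == "firewall" and event["action"] == "allow")


def correlate(events, window=timedelta(minutes=60)):
    """Security-relevant -> correlated: group events by target asset; a quiet gap longer
    than `window` closes the group so unrelated activity is not lumped into one case."""
    closed, open_groups = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        asset = ev["dst"]
        group = open_groups.get(asset)
        if group is not None and ev["ts"] - group[-1]["ts"] > window:
            closed.append(group)
            group = None
        if group is None:
            group = open_groups[asset] = []
        group.append(ev)
    return closed + list(open_groups.values())


def score_group(group):
    """Risk-based prioritization: highest sensor severity, plus asset criticality, plus a bonus
    when a signature matches a known unpatched vulnerability on that asset, plus one point per
    additional independent sensor corroborating the activity."""
    asset = group[0]["dst"]
    base = max(SENSOR_SEVERITY.get(ev["sensor"], 0) for ev in group)
    criticality = BUSINESS_CRITICAL_ASSETS.get(asset, 0)
    vulns = KNOWN_VULNERABILITIES.get(asset, set())
    vuln_hit = 2 if any(v in ev["signature"] for ev in group for v in vulns) else 0
    corroboration = len({ev["sensor"] for ev in group}) - 1
    return base + criticality + vuln_hit + corroboration


def triage(raw_lines):
    """The L1 flow end to end: parse, filter, correlate, prioritize, create cases, flag escalation."""
    relevant = [ev for ev in map(parse_event, raw_lines) if is_security_relevant(ev)]
    cases = []
    for group in correlate(relevant):
        score = score_group(group)
        cases.append({
            "asset": group[0]["dst"],
            "first_seen": group[0]["ts"].isoformat(),
            "signatures": [ev["signature"] for ev in group],
            "score": score,
            "escalate": score >= ESCALATION_THRESHOLD,
        })
    # Highest risk first so the analyst queue is ordered by priority, not arrival time.
    return sorted(cases, key=lambda c: (-c["score"], c["first_seen"]))


if __name__ == "__main__":
    for case in triage(RAW_LOG):
        print(case)
```

On the constructed input the single IDS alert against the database host outranks the two-sensor case on the web server, because the alert's signature matches a vulnerability the asset inventory says is still unpatched; a firewall deny against the same database host an hour and a half earlier stays a separate, low-priority case because the correlation window has closed. That is the point of feeding known vulnerabilities and business-critical asset lists into triage: the same raw alert gets a different priority depending on what the SOC knows about the target.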

Page 13:

Why Focus on War Games?

“The more you sweat in peace, the less you bleed in war”
(1939—Chinese Generalissimo Chiang Kai-shek)

Page 14:

War Games Overview

Execute internal and external cyber based exercises/workshops to ensure Citigroup is prepared to react to cyber incidents of all levels. It is structured to simulate the experience of a real attack and involves representation from information security, technology, business, legal, and communication organizations

Overarching Program Objectives

Identify opportunities for Citi to enhance its cyber threat preparedness with a focus on three areas:
Effectiveness of existing cyber incident protocols, processes and procedures
Cross-functional coordination and command and control
Coordination and communication with internal/external parties

Page 15:

Citi believes that sustainability is good business practice. We work closely with our clients, peer financial institutions, NGOs and other partners to finance solutions to climate change, develop industry standards, reduce our own environmental footprint, and engage with stakeholders to advance shared learning and solutions. Highlights of Citi’s unique role in promoting sustainability include: (a) releasing in 2007 a Climate Change Position Statement, the first US financial institution to do so; (b) targeting $50 billion over 10 years to address global climate change: includes significant increases in investment and financing of renewable energy, clean technology, and other carbon-emission reduction activities; (c) committing to an absolute reduction in GHG emissions of all Citi owned and leased properties around the world by 10% by 2011; (d) purchasing more than 234,000 MWh of carbon neutral power for our operations over the last three years; (e) establishing in 2008 the Carbon Principles; a framework for banks and their U.S. power clients to evaluate and address carbon risks in the financing of electric power projects; (f) producing equity research related to climate issues that helps to inform investors on risks and opportunities associated with the issue; and (g) engaging with a broad range of stakeholders on the issue of climate change to help advance understanding and solutions.

Citi works with its clients in greenhouse gas intensive industries to evaluate emerging risks from climate change and, where appropriate, to mitigate those risks.

efficiency, renewable energy and mitigation

© 2015 Citibank, N.A. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world.

IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advice. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot be used or relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the "promotion or marketing" of any transaction contemplated hereby ("Transaction"). Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor.

In any instance where distribution of this communication is subject to the rules of the US Commodity Futures Trading Commission (“CFTC”), this communication constitutes an invitation to consider entering into a derivatives transaction under U.S. CFTC Regulations §§ 1.71 and 23.605, where applicable, but is not a binding offer to buy/sell any financial instrument.

Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment to lend, syndicate a financing, underwrite or purchase securities, or commit capital nor does it obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable law or regulation, you agree to keep confidential the information contained herein and the existence of and proposed terms for any Transaction.

Prior to entering into any Transaction, you should determine, without reliance upon us or our affiliates, the economic risks and merits (and independently determine that you are able to assume these risks) as well as the legal, tax and accounting characterizations and consequences of any such Transaction. In this regard, by accepting this presentation, you acknowledge that (a) we are not in the business of providing (and you are not relying on us for) legal, tax or accounting advice, (b) there may be legal, tax or accounting risks associated with any Transaction, (c) you should receive (and rely on) separate and qualified legal, tax and accounting advice and (d) you should apprise senior management in your organization as to such legal, tax and accounting advice (and any risks associated with any Transaction) and our disclaimer as to these matters. By acceptance of these materials, you and we hereby agree that from the commencement of discussions with respect to any Transaction, and notwithstanding any other provision in this presentation, we hereby confirm that no participant in any Transaction shall be limited from disclosing the U.S. tax treatment or U.S. tax structure of such Transaction.

We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address, and taxpayer ID number. We may also request corporate formation documents, or other forms of identification, to verify information provided.

Any prices or levels contained herein are preliminary and indicative only and do not represent bids or offers. These indications are provided solely for your information and consideration, are subject to change at any time without notice and are not intended as a solicitation with respect to the purchase or sale of any instrument. The information contained in this presentation may include results of analyses from a quantitative model which represent potential future events that may or may not be realized, and is not a complete analysis of every material fact representing any product. Any estimates included herein constitute our judgment as of the date hereof and are subject to change without any notice. We and/or our affiliates may make a market in these instruments for our customers and for our own account. Accordingly, we may have a position in any such instrument at any time.

Although this material may contain publicly available information about Citi corporate bond research, fixed income strategy or economic and market analysis, Citi policy (i) prohibits employees from offering, directly or indirectly, a favorable or negative research opinion or offering to change an opinion as consideration or inducement for the receipt of business or for compensation; and (ii) prohibits analysts from being compensated for specific recommendations or views contained in research reports. So as to reduce the potential for conflicts of interest, as well as to reduce any appearance of conflicts of interest, Citi has enacted policies and procedures designed to limit communications between its investment banking and research personnel to specifically prescribed circumstances.