Video: Exposed: Cyber Risk in the Financial Sector and its Supply Chain | Duration: 3592s | Summary: Exposed: Cyber Risk in the Financial Sector and its Supply Chain | Chapters: Welcome and Introduction (4.64s), Financial Sector Attacks (243.415s), Dark Web Marketplace (365.115s), Broader Attack Surface (546.19s), Mapping Threat Landscapes (673.805s), Supply Chain Risks (945.64s), Data Sources Overview (1043.08s), Cloud Provider Analysis (1241.77s), Supply Chain Diversification (1462.615s), Supply Chain Monitoring (1707.91s), Financial Sector Dependencies (2061.395s), Supply Chain Vulnerabilities (2387.58s), Supply Chain Vulnerabilities (2873.52s), Supply Chain Challenges (2906.655s), Technology and Governance (3108.535s), Supply Chain Visibility (3241.58s), Conclusion and Outlook (3368.635s)
Transcript for "Exposed: Cyber Risk in the Financial Sector and its Supply Chain":
Alright. Hi, everybody. Thank you for joining, and welcome to today's webinar. I'm Greg Keshin. I'm the chief product officer here at BitSight, and we are really excited to have you all here today with us. What this is gonna be is the first in a series of deep dives that we're gonna do on the financial sector. So BitSight has a lot of experience, over 600 customers in the financial sector and a ton of incredible data that we wanted to make available to you, both in this webinar as well as in some documents that you'll receive in follow-up. So today, we're gonna focus our attention on the supply chain of financial sector companies, and I am joined by a really great set of speakers that I'm gonna introduce to you now. So on stage with me, we have Roland Cloutier, who is an adviser to BitSight, a deep cyber expert and a former global CISO at companies like TikTok, ADP, and EMC. So, Roland, great to have you here, and thanks for joining us. We also have Ben Edwards. Ben is a principal research scientist here at BitSight. He's done some really remarkable research on global supply chains. Ben, thanks for joining, and looking forward to what you have to share with the audience today as well. And finally, Dov Lerner, who's a threat researcher at BitSight. He's brought amazing threat insights to the market, including our annual State of the Underground report on what we're seeing across the deep and dark web. Dov, thanks for being with us here as well today. So, I wanna set the stage a little bit before we jump into all of it. We know that the digital supply chain is a huge area of concern for many of you and for a lot of companies out there, and there's a lot of challenges. We've got accelerating risks happening. It can be really difficult to get a complete picture of that risk, and it's also very hard, across teams that are typically stretched thin, to prioritize what you wanna do as far as remediation goes across the supply chain.
And then I'll also add to that that events like the AWS outage that just happened yesterday only help to bring the supply chain issues into greater focus for us, certainly, and I'm sure for all of you. So we wanna bring our data and perspectives to the table for you all and also try to answer some of your questions. I'll outline the agenda, and then we're gonna jump right into it. So we're gonna start with Dov, who's gonna kick us off with his latest research on the threat landscape specific to financial institutions. And then Ben is going to cover some really fascinating data about the supply chain as it pertains to the financial sector, the risks that are particular to financial institutions, monitoring trends, and also some insight about the impact that you see when you have issues with big providers, AWS being an example of that. And along the way, we're gonna get Roland's expert opinion about how CISOs should be thinking about these things and reacting to the research. And Roland and I will discuss how to build a resilient digital ecosystem in this landscape, and I can also share some thoughts about where we're headed at BitSight from a product and investment standpoint. So as we go through, there's a chat as part of the webinar operations, so you can feel free to ask any questions along the way. We also have three poll questions that we're gonna be asking throughout the session so that we can get some specific audience feedback as we go. So with that, let me first turn it over to Dov, who's gonna spend a few minutes on threats to the financial sector and what we're seeing from the underground. Dov, take it away. Thank you very much. Great to be here. Okay. So looking at the ransomware attacks and data breaches over the last year, what we found is that for the financial sector, it's where the money is. It's a very attractive target to attackers. Attackers know financial institutions can give them successful attacks.
So for ransomware, we saw that nearly 600 ransomware attacks occurred against financial services companies. Seventy percent of the identified victims were in the United States. Huge number. The United States is the top target. September actually was the highest month, at 80 attacks in a single month. For data breaches, we saw 522 breaches that were shared on underground sites. This was actually a much more even distribution amongst different countries, with India as the leader at only 15 percent and the US number two at 14 percent. I have to say that this data is actually fairly consistent with what we saw in 2024, even though this is this year's data. So it's surprising, the amount of consistency in terms of which countries are being targeted. Regarding compromised credit cards, however, we are actually projecting about 10 million compromised credit cards, which would be, I would say, a significant drop from 14 million in 2024. This could be due to a number of factors, but this is something that I think is notable, that compromised credit cards are going down. Actually, okay, I see there's a question about which underground sites we've sourced this data from. So the ransomware is based on dedicated leak sites, and the data breach data is based on breach forums: BreachForums, which went down, and then DarkForums are the primary places where data breaches are shared on the underground. To take a higher level view, what can an attacker do? Right? What does the deep and dark web provide for any aspiring attacker? And I like to say that the deep and dark web is a marketplace. It's a marketplace of ideas, of tools, of services. And so someone with the ambition to carry out an attack can do so without knowing exactly how each step is being done. We use software as a service all the time, and we purchase services all the time in our professional and personal lives, and the deep and dark web is no different.
I can go on the dark web and I can buy phishing tools and services targeting, and here is the long list of the biggest banks. Right? Because these banks, everyone knows about them. They're clearly big, lucrative targets. And so without knowing how to code a phishing page, I can buy the phishing pages. I can buy phishing services. I can buy bank logs, which are the usernames and passwords that are extracted from phishing campaigns. So this is something where it's very simple to just go on the dark web and buy all of these tools to carry out an attack. Similarly, I can find data breaches. Here, there's a data breach targeting a major bank. And with this information, I can now do further attacks. Right? I have someone's name, mother's maiden name, date of birth, Social Security number, all those important things. And now I can call up the bank, impersonate this person, maybe gain access to their account. I can phish them. I can do all sorts of things like that as well. So there are lots of raw ingredients and, even more, mature services I can consume. We also see, for example, that there are initial access brokers. This is one of the most, I'd say, notorious types of attacks, where someone sells access to the internal organization. Here you can see that someone's selling access to an American bank through their VPN. They have $100 million of annual revenue. That's a large bank. And with that, now I can get in and I can do all sorts of things, deploy ransomware. I can buy accounts. Right? So these are people who are selling access to large accounts. And I can also buy cash out services. Cash out means I have a compromised account, and I need to find ways of withdrawing the money. It's obviously not so simple. There are all sorts of controls.
But with the cash out service, I'm procuring a service from someone who knows the threshold, understands the trip wires, so you can withdraw x amount of dollars every y interval in order to not spike the detection. So, again, an attacker with a little bit of knowledge and a little bit of ambition can do quite a lot based on the deep and dark web, and there's no question that financial services are the most targeted in this. I'll hand it over to Ben. Greg, you're muted, if you'd like to jump in. Oh, I'm sorry. I was trying to say, yeah. My bad. So, Dov, I have a follow-up question for you. But actually, before I do that, we wanted to run the first poll question for the audience. We were curious about how all of you think about the threat environment and whether, from a day to day perspective, you feel like the threat environment against the financial sector has increased over the past year. So we're interested to see the results of that. And then, Dov, great analysis that you shared. My question to you is, what do you think are the biggest challenges or issues that financial institutions may not be aware of, in terms of how the threat landscape looks specific to financial services? So, good question. I mean, a company's attack surface is much broader than what their SOC can monitor. Right? And that's something that really needs to be internalized, specifically for financial services. Because even if I have ironclad security and I have a great security program and my network is protected and everything, my customers can still click on a phishing link. And someone can take over their account, and then someone could withdraw the money from their account. And that can boomerang onto me: their implications, possibly regulatory implications, brand and reputational implications.
And so I need to know not only how I am being directly targeted, but how the broader attack surface of my business is being targeted. And so my customers being targeted is still a matter of concern, and I need to know what phishing pages are targeting my customers, and I need to deal with that. I need to build controls when, again, I don't necessarily have visibility over what my customers are doing and how they're doing it. So these are things that really, you know, taking over customers' accounts, that could be all of their savings, and moving the money out, that could be a large headache for me. So I need to know that. Yep. Yeah. So you're making the point that the attack surface is actually a lot more expansive than what somebody might traditionally think about. Roland, I'm really curious to get your perspective on that as well. Yeah. I actually have, like, 50 questions for Dov, because it's such an important area. I think CTI and the ability to see deep inside some of this data to understand the broader perspectives. I think for a lot of us on the critical infrastructure defense side, yeah, financial crimes is a big thing. That's where all the money is. Money moves and, you know, people want the money. But there are also larger implications against Western societies. We have, you know, generalized criminals, which we've been talking about, but there's terroristic actions of terroristic organizations focusing on our businesses, and nation states, to impact the underlying economic ecosystems of the countries we serve. So really getting back to that point of view about the broader ecosystem of our businesses and the threats against them: are there mechanisms to really help define, map, print, and understand those broader edge cases that can impact some of these other focus areas that we have to have, beyond financial crimes? Yeah. I mean, we look at APTs. We match APTs.
We consider them motivated by one of three things. So there's the financial APTs, the state sponsored, and the ideological, the activist ones. And any one of those can be a challenge. And, yeah, my account might be attacked by a sophisticated financial group. You know, FIN7 comes to mind, or one of the many ransomware groups, but also ideological. Right? And it might just be a denial of service attack, but a denial of service attack against a financial institution. I can't log in to my bank at a time that's necessary. You know, credit cards can go out, ATMs, whatever. These are things that, you know, the pace of business is so fast, and our reliance on, we saw yesterday, but it's true. Right? Our reliance on systems of systems of systems of a tech stack that we don't even know about just to conduct our daily lives. Yeah. And mapping the threat landscape is critical because the attacks can come from anywhere. And so you may need to know how your sector is being threatened, how your geography or location is being threatened, and, for financial services, really, how your customers are being threatened. Right? Cryptocurrency is a part of the financial sector that's a very, very big deal. People aren't necessarily careful. You know, they might post online about how many Bitcoins they have. Someone might SIM swap them and then get control over their phone and then move out all the cryptocurrency, and then it's gone. Right? So the number of threats is tremendous, and the first step is to map the threats. The first step is to understand, you know, who, what, where, when. And then from there, you have to build controls. Right? You have to build security controls, and some of them are preventative, but some of them are gonna be detective. Right?
A customer clicks on the phishing link, I can't really prevent that from happening, but I need good, robust mechanisms to prevent money from being moved out. And I need to know how people are moving money out through threat intelligence so I can, you know, play chicken and egg, or cat and mouse, better metaphor. And then I can evade their ways of evading my detections. Yep. Super interesting. So, what I'd like to do next is share the results of that first poll, and you can see the results up there on the screen. The vast majority of people do feel like the threat environment against the financial sector has increased over the past year. I guess the good news, for all of you that feel that way, is you're certainly not alone. Everybody is feeling the pressure. And then, for the one person who is alone that doesn't feel that way, it sounds like you're in much better shape than anybody else anyhow. So at least you don't have as much of a threat looming over your head. But, I mean, I think it underscores the importance of what we're talking about here, which is that the stakes only continue to increase as time goes on. And so what we're trying to do here is illuminate for everybody what the biggest risks are and how you might be able to avert those. So before I pass it to Ben, I do wanna ask the second poll question to the audience, which is around the level of concern that you have about a cyber attack targeting one of your suppliers. So everybody's got that in the background. And then, Ben, I'm gonna turn it over to you for your research. Beautiful. So thanks for that intro. And I think it's really interesting to hear from Dov, just because the threat research kind of gives you an idea of what attackers are going for, what pieces of your attack surface you're talking about, and great to hear from Roland and Greg about, hey, understanding that is really important.
And so now I'm here to tell you it's not just your attack surface, but your entire supply chain's attack surface you can worry about. So we'll try to get down to, like, actionable stuff that you could do. We don't wanna get into FUD territory. But it is this complex world that we live in, as we all found out yesterday. And so let's dive into how the supply chain looks through the financial sector, what's different about it, what's the same, and what exposures we actually see within that supply chain sector. So, I am a data scientist nerd. So whenever I talk about research, I really like to talk a little bit, at least in the intro, about where we pull our data from as we're looking at supply chains. So, for example, when we do supply chain measurements, what I'm talking about today, we essentially have three sources that we're pulling data from. One is our Groma platform, which is what BitSight was really built on, and has done over the past decades of our work: we do continuous scans of the Internet. Meaning, as we look for security problems, we're trying to map out attack surface. We have to understand what organizations' infrastructure looks like, what software they're running, what products they're running. And so to that end, what we do is we have about 40 million organizations that we monitor, almost 3 billion different host names, and all of ratable IPv4 space and a bunch of IPv6 space that adds up to about 4.3 billion ratable IP addresses. So that's this map on the right. My screen's mirrored. This map on the right, which is the Microsoft global footprint. So this is all the Microsoft assets and products that we see on the globe. This is actually a public thing you can go look at. Groma Explorer is a product that we actually put out.
And the cool thing about this is, as we do all this scanning, we're doing so non-intrusively. We're trying very hard not to set off any alarm bells. We're not gonna break anything as we do it. But there's really a wealth of information that we can gather on what products folks are using and then, maybe, what are some problems that we see as we're doing that scanning. We also have our third party risk management, or fourth party, where we can get some fourth party relationships, understanding what vendors your vendors use. We source this from public and private data. We do a lot of advanced NLP to try to make connections between organization A and organization B. If you're a fan of my webinars, I've gone into this in depth when we talked about supply chain research. And, of course, we'll have a paper ready at the end where you can go understand more of how we do make those relationships. And then, of course, we have customers who say, like, I'm gonna monitor this other organization because they're important to me, because they're my vendor. And so we can have those defined relationships from BitSight customers that give us even more information about what their supply chain might look like. And so what does this all add up to? It ends up being we have about 62 million connections between organizations. That includes a little more than half a million consumers and then a quarter of a million providers. Consumers and providers is a little strange here, because everybody is kind of a consumer and a provider in an economy. But what I'm saying is we have half a million consumers in this sample who are organizations who we have using different vendors, and then the providers are the ones that we know are providing services. If you're a graph nerd, it means you have out-degree if you're a provider, and you have zero out-degree if you're a consumer.
But on the right hand side is a visualization of this. It's like all this data, as if we could map out all these connections. It's kind of a hairball, but I think it's nice and aesthetic, so I like to include it in these kinds of webinars. But we're talking about the financial sector today. So if we narrow that down, we're looking at actually, like, 42,000 financial sector organizations and approximately 50,000 providers to the financial sector. So we're looking at a subset, because we think this is an important subset, and it's unique and the same in some different ways. So first of all, the first question I always ask for data like this is, like, what's the size? How big are things? And this is actually kind of interesting: supply chain size varies a lot. So we have organizations within our dataset that have hundreds or even thousands of different providers, and actually this goes out a few more orders of magnitude. Some, you know, use tens of thousands of different providers. But the thing that's interesting here is, even through all that variation, financial organizations don't vary all that much from everybody else in the world. And so there is a lot of variance within finance. There's a lot of variance globally. And so this is not a place where finance is necessarily special. And I found that surprising. I assumed they would either have, I mean, either hypothesis could hold: a smaller supply chain because they're better at managing that attack surface and making it harder to discover who they use, or larger because they tend to be larger organizations. But it seems to run the gamut, and things are not all that different. But the particularities of that supply chain actually do vary quite a bit based on what industry we are.
So, given that we had a large event yesterday with a cloud provider who had some service issues, I thought it might be interesting to look at different cloud providers and how their industry breakdowns work. So this is kind of a dot plot. Each point here represents, like, a giant file of infrastructure that we've mapped, and we're clustering them together by industry, and they're colored by this set of cloud providers that we mapped out. So technology in the middle, as you can guess, is the biggest. This is where most of the cloud infrastructure we map lands. Finance is here on the right. And what's interesting here is that finance has a large Amazon presence, and we've even mapped some of the services down here. But they have a large Amazon presence and a similar distribution of cloud providers. This yellow is Google. This blue is Microsoft Azure. Fastly, some of these other providers. But it is kind of more heavy on things like GCP than maybe some other industries. So for example, education, really heavy in Microsoft, very little GCP. Business services, kind of the same. And so we can map out where some of these relationships are and see that finance maybe has a different cloud profile. Maybe they were affected a little bit less because they do tend to rely on GCP, or Google Cloud services, more than other industries. So I haven't seen breakdowns on who was down yesterday, and I'm sure that's all coming as active research as what we're doing. But it may be interesting to understand: if we have a better idea of, say, the technographics of an organization, we can understand better what incidents are gonna happen and how things are gonna go differently. So, of course, my co-presenters, if anybody would like to interrupt and ask me questions as we go, I'm happy to answer them.
I feel like Roland might be chomping at the bit, but I don't know. Yeah. I mean, it's great. It's just great data, Ben. I mean, one of the things that is so difficult for us on the practitioner side, obviously, is understanding every independent level of a business process that may or may not use third, fourth, fifth party, API connections, marketing. I mean, you can think of all of the things that drive a digital supply chain of any given business process. And what's unique, and why I like this graph so much, it's not necessarily the, you know, technology is bigger and we in finance do it slightly different. It's how do I get at each one of those points. Right? Being able to consume that information in a reasonable way that helps me understand which business process is using what portion of that infrastructure, either for an actual cloud instance, first party, or I'm connecting there for data exchange, third party, in an AI pipeline, what have you. How should users think about obtaining this level of data and operationalizing it? I mean, so one thing is we can help. I mean, I'm not a sales guy. Right? But, like, as BitSight, we do say, here's where we think your organizational structure is. Here's where we think it's hosted. Here's your supply chain. Or here are the organizations you monitor, and here's who we think you have relationships with. And say, hey, your portfolio is really heavy Amazon. Right? If EC2 or US East has an interruption, that may affect your day to day operations depending on how critical those suppliers are. And I think, as we're gonna go through, the main thing for me is, like, knowledge is power. Right? And knowing is half the battle to getting to where you're going. And so, certainly, you have an idea of where your own stuff is hosted.
And knowing where your supply chain is hosted is something that you should be asking your providers. You should be relying on services to understand, hey, all my web hosting, or all my application back end, is on AWS. And all the services, the APIs that feed my back end, are also on AWS even though I don't control those. So, like, I'm fully dependent on them. And that is not just cloud hosting. That's other things too. And, actually, that brings me to my next point, which is good. Thank you for that segue. Well, then just one other piece to add to that, which is, I think what you're alluding to there as well is, sometimes once the operation gets big enough, then you ought to start thinking about diversifying. And that's something that, you know, we work with a lot of insurance companies that, of course, think about heavily across their portfolios: they don't wanna see too much concentration in one particular provider of any sort, because it produces concentration risk in an insurance portfolio. But you can think about a supply chain very similarly, depending on the parts of your operations that it's powering. And if there's something really critical, you may want either diversification or at least redundancy, in case you have an outage of some sort. Yeah. And I think the multi-cloud environment was always, I don't wanna say a boogeyman, but it was like, oh, man, how do you manage that? That's a lot harder to manage, and there's all these solutions out there. But the advantage then is, like you say, robustness to a lot of these things. So I think that's certainly something that, as you're building your infrastructure, as you're taking on vendors, maybe that's something you consider: not just does this serve the purpose, is it the right price, but is it gonna concentrate me too much in a single place? Yeah.
So as I said, I think Roland's question was a good transition. We did a survey. We published a survey earlier this year, and one of the things we asked was, like, are you monitoring your supply chain? And a little less than half of organizations said, yes, we do continuous monitoring of some of our vendors, not everybody, but we do have continuous monitoring where we're looking at security problems, seeing what's going on. And only about 20, or less than 20%, said we're doing it comprehensively, like everybody in our supply chain. Now the cool thing is we can ask folks about this. Right? We can do a survey and have it professionally fielded and get good responses from people who should know the correct answers. But what we can also do is actually measure this. So I have customers in BitSight. I know who they are monitoring. And then I also have a guess of what their whole supply chain is. And it turns out that a lot of organizations are not necessarily monitoring all of their supply chain. In fact, on average, I'll get to the next slide. So on average, it's less than 20%. Right? So some organizations are doing an excellent job. That's out here on the right. Some organizations are monitoring 100%, and we would hope that those are the ones that are the 70% that says, yes, I have comprehensive monitoring. But we'd also note this is a lot lower than 17% of organizations. And in fact, most are leaving a lot of that supply chain unmonitored. Now I'm also gonna say that this is not necessarily, like, the worst thing. Maybe you don't need to monitor your social media providers. Right? Because they're just doing ad services. If they go down, maybe that's not the best, but it's not gonna ruin your day. So let's talk about the finance sector.
And I wish I was in a room with all of you, because I would just ask, you know, do you think the financial sector is better or worse at monitoring their supply chain? But rather than ask, I'll just give you the answer. They're actually better. So, financial organizations on average monitor about 36%, a little more than a third of their supply chain, which is pretty good compared to the average, which is about 25%. And that's everybody. So, even though we're doing this incomplete monitoring, and I think that's probably triaging of resources, getting them in the right place, financial orgs seem to be more able to look at their supply chain, or more willing to look at their supply chain and do that monitoring. So that's really important. So who is in that supply chain that everybody needs to monitor, of course, is the next big question. I produced this graph for our general supply chain report that we published in the spring. This is what we call the Critical 99. It's kind of a marketing term. Why is it 99? Because it fits nicely in three columns. If you do four columns of 25 to make 100, all the names get squished. It doesn't look as good. So, Critical 99 it is. And what we did is we came up with this idea of market share, which is the weighted percentage of consumers who use a particular provider, and this helps us more accurately reflect how important a provider is. This is, I think, a really interesting view of a digital supply chain, although there is some physical stuff in there. And it gives us an idea of who really is important. I think at the top here is jQuery, and if you're a tech person, you know everything on the web is built with this library. It's an open source library. It has, like, a couple dozen maintainers, but it's really important. Right?
And we could imagine a package takeover or spoofing. Something happening to jQuery would be a very big deal. We see other providers at the top here who you would totally expect: Microsoft, Google, Oracle. Amazon, AWS, is up here at 80%, because, of course, Google also includes Gmail as well as their cloud computing. Microsoft includes Office. Everybody uses Office. There are some interesting ones here who are not terribly important, but they appear at the top of the list. So Twitter is here, ranked 12, with about 80%. Most of this, if we dig into what it's actually providing, is ad tracking, user clicks, link shortening, things like that. So, while they are used really extensively in the global supply chain, they're maybe not that important in the sense of, again, if they go away, your business is not gonna grind to a halt. We might be able to say the same thing about Meta, but it's also possible that, you know, if you're a restaurant and that's your only web presence, maybe that's a bigger deal than if you just have a Facebook page for your company. Also up here at the top is F5. And I'm not sure anything has happened with F5 recently that we'd be too worried about. But actually, they did. They had a major incident earlier, or last week. It was the fifteenth, I think. A nation state actor managed to get into their system and stuck around for a while. This is the kind of attack by really sophisticated attackers that Dov knows a ton about. Right? So F5 is not necessarily to blame here, in the sense that they got targeted by a really sophisticated group, but they are really critical to global infrastructure, largely also because they own NGINX. Right? It's a really common web platform, web server, that I believe was not compromised, or by all indications, the code is not compromised.
But it does show you that this is a really important group that appears at five in the critical 99. So I wanna talk about the financial sector in this critical 99. So we're gonna take a look at the same list, except we're gonna color it a little differently. So what we're gonna do is we're gonna look at the financial critical 99, but we're gonna make the color, like, how much more important they are in the finance sector than globally. And suddenly we see some red, some hot spots here. So Bloomberg Group, providing those terminals, providing that data to the financial sector, they're about two and a half times more important to the financial sector than to everybody else. We see a lot of the same names appearing in this first column for sure, but there are some interesting differences here. So, for example, if we think about things like PKI infrastructure, particularly digital certificates, organizations like Let's Encrypt are much lower. This is kind of a newer, let's-everybody-issue-certificates-to-everybody-for-TLS approach. We'll be much more liberal about signing those, versus DigiCert, which has been around forever in the PKI game. It may indicate that the financial sector is more willing to go with those more established players. They probably adopted them much earlier. And rather than switch to something new like Let's Encrypt, they're more interested in something like DigiCert. So we start to see some of those really important differences within the financial sector and who's important for them versus who is important globally. And I think this now is my favorite slide, because we wanna know who's important to the financial sector, but maybe not that important globally. And I have made several versions of this slide, but I think this one is now my favorite. So let's look at some specialized financial service sector providers. And I think there's some really interesting ones.
What I looked at is providers to the financial sector that have a high difference from their global value. Now some of these are not all that exciting or interesting. For example, Plaid. This is like a digital payment processor. It helps connect organizations. Of course they are gonna be kind of low globally, but high in the financial sector. A lot of financial organizations use Plaid to help link things. FactSet and News Corporation, which actually owns Dow Jones. So a lot of the data that comes out of Dow Jones has come out of News Corp. Same thing with FactSet. These are organizations that provide data to financial organizations that they need. A few are really specific identity providers, Entrust and CyberArk. This may be an indication that identity and access management is really important to the financial sector, and so they have higher adoption of these. Let's talk about some of the more interesting ones that I think are fascinating. So General Dynamics Group. I could not figure out why General Dynamics would be part of this list until I dug into the services that they were actually providing. General Dynamics is one of the largest suppliers of COBOL consulting. COBOL is, of course, this ancient programming language that tends to run on mainframes. And, you know, from my previous life when I was at IBM, I know that a lot of financial transactions through credit cards still run on these mainframes that are running COBOL. And so General Dynamics actually has a lot of contracts within the financial sector to help them consult on COBOL, keep these mainframes running, keep those financial wheels greased, which I think is just totally fascinating. Another fascinating one, the NICE group.
This is an organization that provides every screen you see outside a conference room, not every one, but a lot of the screens you see outside a conference room that say, here's what's on the schedule today. Do you have your code? Here's what's reserved. They provide security, automation, smart devices for both commercial and home real estate. They have a huge presence, almost three times the global average in the financial sector. So my guess is for a lot of that commercial real estate that the financial sector uses, they rely on NICE Group to provide some of those systems to keep things running smoothly from a physical standpoint. So we can imagine, you know, IoT, ICS devices as its own set of concerns when it comes to security. There is potential for kind of a bottleneck of issues there. I could go on for all this time. Highsoft, they provide charting and graphing software for websites. Financial industries love to have kind of the stock ticker symbol on their website. So we actually see them used quite a bit. There's any number of these that are really interesting. So beyond that, I'm gonna throw it to Dov now, just for a second, to talk a little bit about what we see from the attacker's perspective. And maybe before... Oh, yeah. It'll be good to just do a readout of the last poll question, which is... Oh, yeah. About the level of concern that you all have about an attack against one of your suppliers, which, everybody is in either the medium or high category, with most of you, over 75%, in the high category. Wanted to share that as we now transition into the risk aspect related to the supply chain, now that Ben's gone through what the dispersion looks like. So Dov, over to you. Sure. Thanks. Really cool presentation, Ben. And I tried to take this and say, okay. Let's take some of these critical 99s. Let's see how they're being targeted. It didn't take long.
There are two ways that a supply chain attack can take place. Right? One is where the supplier themselves are compromised, or the other is my account with the supplier is compromised, which is sort of a parallel of what I said before of, you know, you as a bank could be compromised, or your customers. So same thing. We're just shifting it earlier on the supply chain. And both of those, I think, are important. Right? So the instance you mentioned with F5, Log4j several years ago, SolarWinds, are great examples where the supplier, the vendor themselves, are compromised. And I found, for example, on the dark web, you know, you can buy all sorts of hacking tools that are targeting these suppliers. And they can also target your instance. And one of the biggest cyber stories of the year, I would say, are the ShinyHunters attacks that took place over July, August, where we saw a staggering number of companies. And, you know, not just companies like a small mom and pop shop that can't invest in security. You know, here, I have a lion's hell of a here, Gucci, and banks. Right? I mean, these were some of the hardest companies in the world, some of the companies that invest the most in security, and they were compromised by this collective of, like, teenagers. Right? 17, 18 year olds. And how did that happen? They were basically vishing attacks where they were able to call and convince the person to allow them to install a malicious plug-in in their Salesforce account. And that's it. And then they were in, they got persistence, and then they were able to gain access to the whole CRM database. And so that's very important too. Right? That as organizations, we're using an incredible number of third party softwares.
And it could be that the way into our organization is by compromising those vendors or just by compromising our accounts in those vendors. And we don't necessarily have visibility over that if someone in our company accidentally allowed a malicious plug-in to be installed. We're not gonna really see that. It's not plugged into our security visibility. So I would say that the data breaches caused by Scattered Spider, ShinyHunters were just staggering. Phishing attacks against cloud suppliers as well. They're all there. And then we have endpoint logs. And an endpoint log is essentially a system compromised by stealer malware. So there are several really good stealer malwares out there, and then all of their credentials are harvested, and the logs are sold for about $10 on underground markets. You can see here that there's an endpoint log with the login to AWS. Right? So someone could purchase this log, $10, really nothing. And potentially, here there's a username, password, no cookie, but other places there could be one, or they could use social engineering to get past MFA. And they can log in to your AWS instance or any other instance of a cloud provider or anything else on, you know, SaaS services. And once they have that, they're in. Right? And this isn't something, you know, they have privileged authentication because the user... your username and password, they didn't brute force or anything. So these are all very, very significant concerns. And, again, the largest attacks of the year, and it wasn't just one, it was many, many attacks, but a cluster of attacks took place through compromising a supplier. Right? Through compromising these Salesforce instances. So I think this is something we need to keep in mind. Again, what is our attack surface?
It's not just our, you know, employees clicking on a phishing link or downloading malware. Also answering the phone and allowing a malicious plug-in in Salesforce. And where do we have visibility over it? How do we, as an organization, map all those vendors? And if those vendors are compromised or if our instances are compromised, what is that risk? What sensitive data, what sensitive systems are built on that? And how do we build controls to prevent, detect, and respond? Yeah. And I think particularly that's interesting because, for example, we know they're going after Salesforce since this was like a big campaign. Not necessarily any particular vulnerability, but there are, in fact, vulnerabilities that have really high instances in the supply chain. So if we wanna talk about specific risks to the financial sector in their supply chain, we can look at where we see exposures within the financial sector. So, for example, some of these CVEs we see three, six, almost 10x more often in the financial sector than we see other places. And this may be just due to their supply chain, their tech stack. They are trying to be running a Microsoft Exchange server that's on prem rather than doing it in the cloud. And so we'll maybe see some of those extra ones. This was... oh, no. This is not a recent one. That's a different one. But some of these are older too. So it's interesting we're seeing those for the financial sector, even though they've been around for ten, maybe more, years. So there are specific threats. I'm gonna move along here just so we have time to get some good discussion at the end. We also see that even if you're in the financial sector, if you have a large market share, it doesn't mean your ratings are necessarily gonna be better. You tend to have more of a challenge. So we see organizations in this top 10 to 100% market share.
Up to 80% of them are in the bottom half with respect to headline rating. And, again, this is not a reflection of you're worst in security. It's a reflection of you have a complicated supply chain or you have a complicated attack surface, and it's tough to work on if you're a really large provider. But, Pete, maybe what's more interesting is we can look at a divide between... we talked about the portion of the unmonitored to the monitored supply chain. Which is worse? Are folks doing a good job monitoring where the security issues are? And it turns out that it's the actual opposite. So the dashed line here is the unmonitored part of the supply chain. The solid line is the monitored part. And what we see is the organizations that our customers monitor for security do better in their headline rating by nearly 40 points, for the most part. The other thing is, like, vendors in finance versus all vendors are not all that different. Right? So whether you're a financial vendor or you're a vendor to everybody specifically, we actually see there's this gap either way. And it does seem to be widening recently, which I think is really interesting. And then we can also, you know, going from that headline rating, that kind of unmonitored doing worse, we can actually look specifically at what kind of CVEs exist in the unmonitored supply chain. The top half of this is the unmonitored part. The bottom is the monitored part. And what we see is, like, four critical vulnerabilities. We see about 10 findings per month for a provider in the unmonitored part of their supply chain. For known exploited vulnerabilities, the median here is about three, three KEVs per month per provider in your supply chain. So we're seeing a lot of these critical vulnerabilities in the financial sector supply chain, in the unmonitored section of the supply chain. So these are vulnerabilities that are there.
We see them. We're like, hey, this is associated with a particular organization because it's exposed to the Internet, but you may not know about it because they're not somebody that you're concerned about. So understanding, hey, maybe that supplier is really important, and maybe we should be doing that, is something that we should consider. So I think I'm gonna turn it back over to Kesha. Let's talk about some of these results and what folks can do. Yeah. Sounds great. And, Ben, amazing research that you and the team have done and continue to do here. And, Dov, thanks for the insights that you had as well. Roland, I wanted to get your perspective on some of this as well. You spend a ton of time with financial institutions and know the space well. I'm curious, what do you see as some of the biggest challenges that financial firms have with respect to their supply chains? Well, first, I'll start with what's good, because I think Ben kind of pointed out a few of these things. But one of the biggest is obviously in the financial sector, whether it's through regulatory pressure and/or just a great ecosystem of businesses, you see that, a, we monitor better typically, but, b, we have a bigger impact in the financial sector when done right on our supply chain. But the problem is still staggering, and it's not necessarily just a security one. I mean, we've talked about sustainability earlier. We talked about resiliency, you know, of vendors in our platform, and sometimes these do or do not fall into cyber defensive operations capabilities. But, you know, it's a wide spectrum of things going on here. And it still points out this critical need to be able to, and I'm gonna use a core word, but auto discover within our business this supply chain. If you think about the three important parts here, it's going to be understanding the supply chain and the digital ecosystem behind it.
The second part is mapping that to criticality of the business. We talked a little bit about that. I heard that in and out. But as important is meshing that with CTI to be able to say, you know, what is the most threatened? Not just riskiest to the business because it has the largest percentage of money movement or something, or client touch, but that focus on the map between here's the impact to my business, here's the now issues going on with that vendor, that partner, that technology, and how do we get to criticality faster, to lower not just the KEVs and the CVEs, but to shore up and be assured that that part of our business pipeline is secure. And then how do you get that over to ops? Right? Like, how do you automate this in a way we haven't been able to do before? A lot of this is done within the third party risk team, the risk team that gets sent over, for, you know, defense, over to IT for, say, hygiene, and over to security for net new controls. And then it gets moved over into content dev in our fusion centers for being able to monitor it, and it takes a long time to do that. And that's the concern here, I think, from my perspective, is that our ecosystems continue to go wide. We see this in the accelerated use of AI and partner pipelines. We see this in a multitude of ways. And being able to actively and quickly get to those risk issues is where I think we need to be focused as an industry. What's my pipeline? How do I understand the threat to my business, both from a business and risk perspective, and then how do we operationalize it? Yep. And so when you think about that, do you think of that as a technology problem, a problem related to governance within the organization, something else, like connecting between sort of the governance you're trying to put in place and the operations? Curious how you see that. Yeah.
I mean, like, then I'm not a nerd, but I play one on TV. You know, there has to be a technology component. I mean, think about machine generated code that these teams are dealing with on a daily basis that is our products, that's being instantiated in cloud first environments or, you know, just a bunch of APIs. Like, ask any of the practitioners on this call. Do they know all their APIs, what they connect to, what data should go over to it, what their authentication mechanism is? Something as simple as that, and it's not simple. And so I think there is a big technology component to it. I will say that I think the financial sector does a really good job with narrowing that funnel, and not making it so top heavy or bottom heavy when it comes to consideration over, you know, jurisdictional issues, data issues, governance in general. I think it's done well. The problem is once the go is given, how's it implemented, how do you validate, how do you show that linkage end to end, is very problematic. And, of course, there's still the other issue on the other end of this, which is the partners. I mean, that's what's so exciting about, I think, some of this research is we can get to who's the biggest problem in my ecosystem fastest and make changes to recommendations, apply that pressure that we can, as financial organizations, 501(c)s, 501(c)(3)s, the FS-ISAC. However we're going to do it, do it in a way that says we can apply a relationship and pressure at the same time to solve for those. So at the end of the day, there needs to be more technology in services to accomplish what we need to at speed. Yep. Yeah. Makes sense. So, I guess two things. First is we have another poll question, which is whether or not you believe your organization has the ability to affect the security posture of your suppliers.
And obviously that's related to what Ben laid out with some of the concentration risk that we see in some of the top suppliers out there. And then, somewhat related to that, Roland, I'm curious from you, what you see the best leaders focusing on in order to actually reduce risk across their supply chain. So first is this concept of supply chain mapping. I think there were leaders in other sectors, in technology, like Dell does an amazing job of it. And you have financial leaders like JPMC and BOA that do a good job as well, which is this detailed mapping and cross business use of that mapping. So my resiliency teams use it. My business partnership management teams use it. So it's the same set of data that we use to ensure that we understand it. So that's number one. Second is attacking the biggest problems. So, you know, if we know about KEVs in our supply chain, go attack those first. Right? Like, whether it's our infrastructure, someone else's that's providing services to us, you know, how we prioritize the work we have to do, critically important. But I'll say the number one thing is transparency and visibility. You cannot defend what you cannot see. You cannot defend what you don't understand. So being able to see both that outside and inside view and cross mapping those and doing the other things we talked about is probably the number one thing where organizations can start. So how do we get an understanding of my sector, my business, my partner ecosystem, and how does that apply to my actual business process, and then go make prioritized decisions based off that. Yep. Super helpful. We hear a lot of the same from our top customers as well, which is, like, visibility is paramount. Like, you can't really protect what you can't see. And then this communication layer as well. Like, in a lot of cases, you have two teams that are working on related problems in the space.
You have governance aligned teams, and then you also have security operations teams. They tend to see different parts of the picture. And to the extent that you can connect them with the same foundation of data, it helps everybody operate much more effectively. And that's one of the things that we've been focused on over the last quarters at BitSight. And then in addition, kind of bringing a couple of big concepts together, two big ones that Dov and Ben both highlighted, which is understanding the exposure landscape across the supply chain, you know, what the attack surfaces of your suppliers look like, what their fourth party ecosystem looks like, etcetera. And bringing that together with threat intelligence so that you also understand what the adversary landscape is like, and you understand, based on the types of suppliers in the supply chain, which types of attacks you should be prepared for and where you may need to harden. And so a lot of our focus inside of our product team is around bringing those concepts together and also bringing tools and power to our customers that help them accelerate the different workflows they need. One thing being, streamline the operational and compliance oriented work so that you have more time that you can spend on downstream resilience, so that you can address critical issues as they pop up. Faster information, particularly when it comes to zero day vulnerabilities, when everybody's in kind of a mad scramble to make sure that they understand the impact to their supply chain and to their organization. And then bringing together the exposure view with the threat landscape so that you understand where the attacks are likely to take place, what types of attacks you are more susceptible to, so that you can get in position to respond to them as effectively as possible.
So we're excited about where we're headed to try to help with some of the problems that we spoke about on the webinar today. As you can see from the material and from the data that was presented, it's, you know, a somewhat scary world out there, and you have both technical and threat related challenges that you need to address. And so we're all in it together to try to put ourselves in the best position to succeed. So I think we're just at time for the webinar. Sarah, I believe, has a couple of follow-ups for the folks that are joining in terms of what you can expect next. But we appreciate everybody's time and really thank you for being here with us. And thanks to my co-presenters, Roland, Ben, Dov. Really great material. Yeah. Great to be here. Yeah. Thanks, Cash, Roland, Ben, and Dov. That was a great discussion. Thank you to our audience for joining us today. As a reminder, this was recorded. We'll send that out in the next couple of days, so please keep an eye on your inbox for that. Since we didn't have time to get to the Q&A today, any questions that came in, we will follow up with you directly via email. So also keep an eye out for that. But, yeah, thanks everyone for joining us. I hope you have a great rest of your day. Thanks, everybody.