Cyber Security - Moving Past "Best Practices"


Transcript of Cyber Security - Moving Past "Best Practices"

1

© 2017 Billtrust. All Rights Reserved. Billtrust and the Billtrust Logo are registered trademarks of Billtrust.

CYBER SECURITY

Laura Whitt-Winyard, CISSP, CISA, CISM, CRISC, RSA-ACA
Director, Cyber Security

Moving past “best practices”

2

Experience

● Over 16 years in Cyber Security

● Joined Billtrust in 2015

● Comcast, Bloomberg L.P., Allstate

Awards

● Eight time ISE Award Nominee/Finalist

● Four time RSA Archer Award Winner

● Two-time CSO 50 Award Winner

Personal

● Likes to stay nerdy – attends annual hacking conference and cyber security events

LAURA WHITT-WINYARD, CISSP, CISA, CISM, CRISC, RSA-ACA

3

AGENDA

I. The Cyber Security Stats

II. Cyber Security at Billtrust

III. What can you do?

IV. Q&A

4

THE STATS & CYBER SECURITY TODAY

5

LEADING CAUSES OF SECURITY INCIDENTS

Source: BakerHostetler: Data Privacy Monitor

6

CYBER SECURITY INCIDENTS: Company Breakdown

Source: BakerHostetler: Data Privacy Monitor

7

HOW HAS CYBER SECURITY CHANGED

OLD WAY:

• He who has the most knowledge wins

• Collaboration is bad

• Keep security challenges close to the vest

NEW WAY:

• Share knowledge

• Don’t reinvent the wheel

• Engage with security partners

• Security is an enabler of business

• Threats evolve, so should we

• Explore new ideas together

8

SECURITY BEST PRACTICES

System Security

Patches, Anti-Virus/Anti-Malware, File Integrity Monitoring, Host-based Intrusion Detection, Rogue Applications, Vulnerability Scanning

Network Security

Firewalls, Network Intrusion Detection, Web Filtering, Virtual Private Network (VPN), Cloud Security, 24x7 Monitoring

Governance

PCI-DSS 3.2, HIPAA, NACHA, SOC 1 & 2 Type II, National Institute of Standards & Technology (NIST), Computer Security Incident Response Team (CSIRT), Source Code Scanning

Data Protection

Data Loss Prevention (Endpoint, Storage & Network), Encryption, Tokenization

9

SECURITY MEASURES

• Considered the most stringent of all auditable security regulations

• Is it enough? No.

• The threat landscape moves too fast

• Compliant is not the same as secure

• Just a check-box?

10

USING CHECKLISTS

Checklists are great if…

• The data is being monitored by a human as well as a machine

• The data is optimized

• You have/can afford the staff

• Your team is highly efficient and effective

11

CYBER SECURITY AT BILLTRUST

12

NEXT-GEN

Artificial Intelligence

Machine Learning, Anomaly Detection, Bayesian probability (Bayes’ theorem)

Containment

Zero-day threats: contains the unknown, runs it in a virtual machine

Authentication

Two-Factor Authentication on everything that contains sensitive/confidential data

Automation & Orchestration

Removes human error; automates the repetitive so security can focus on the hard stuff

13

ARTIFICIAL INTELLIGENCE

• Unsupervised self-learning intelligence

• Detects subtle, stealthy threats

• Learns what is normal & abnormal on an evolving basis

• Old school: humans told machines what to look for

• New school: machines show us what we never knew was there

• All done in real time

• Improves security by reducing Mean Time to Detection (MTTD)

Thomas Bayes
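The slide describes the idea (no hand-written rules; the machine learns what is normal per host and flags what is not, with a Bayesian view of probability) without showing how such a detector is built. The following is an added example, not code from the presentation or from any Billtrust product. It keeps a per-host streaming baseline of outbound volume (Welford's online mean/variance) and a Laplace-smoothed, i.e. Bayesian posterior-predictive, estimate of how likely each destination port is for that host, and scores every event against the baseline before learning from it. Host names, thresholds and the telemetry rows are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample telemetry (not real data): (host, destination port, bytes sent that hour).
SAMPLE_EVENTS = [
    ("ws-017", 443, 1_100_000),
    ("ws-017", 443, 1_250_000),
    ("ws-017", 443, 980_000),
    ("ws-017", 443, 1_400_000),
    ("ws-017", 443, 1_150_000),
    ("ws-017", 443, 1_300_000),
    ("ws-017", 443, 1_050_000),
    ("ws-017", 443, 1_200_000),
    ("ws-017", 443, 1_120_000),
    ("ws-017", 443, 1_330_000),
    ("ws-042", 443, 2_000_000),   # second host: too little history to be scored yet
    ("ws-042", 22, 150_000),
    ("ws-017", 22, 600_000_000),  # 600 MB over SSH from a host that only ever used 443
]


class RunningStats:
    """Welford's online mean/variance. The baseline is updated with every
    event, so 'normal' keeps evolving instead of being a fixed rule."""

    def __init__(self):
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stddev(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def zscore(self, x):
        sd = self.stddev()
        if sd == 0.0:  # flat history: anything different is infinitely surprising
            return 0.0 if x == self.mean else math.inf
        return (x - self.mean) / sd


class AnomalyDetector:
    """Per-host baselines only; no labelled data and no signature list."""

    def __init__(self, warmup=5, z_threshold=4.0, rare_prob=0.10):
        self.warmup = warmup            # events a host must have before it is scored (assumed)
        self.z_threshold = z_threshold  # volume: standard deviations that count as abnormal (assumed)
        self.rare_prob = rare_prob      # port: posterior probability below this is "rare" (assumed)
        self.volume = defaultdict(RunningStats)
        self.ports = defaultdict(dict)  # host -> {port: count}

    def port_probability(self, host, port):
        """Laplace-smoothed estimate of P(port | host): the posterior predictive
        under a uniform prior over the ports seen so far plus one 'never seen'
        bucket, so an unseen port gets a small but non-zero probability."""
        counts = self.ports[host]
        total = sum(counts.values())
        buckets = len(counts) + 1
        return (counts.get(port, 0) + 1) / (total + buckets)

    def observe(self, index, host, port, nbytes):
        """Score the event against the host's current baseline, then learn from it."""
        reasons = []
        if self.volume[host].n >= self.warmup:
            z = self.volume[host].zscore(nbytes)
            if abs(z) > self.z_threshold:
                reasons.append(f"bytes_out z-score {z:.1f}")
            p = self.port_probability(host, port)
            if p < self.rare_prob:
                reasons.append(f"dst port {port} rare for host (p={p:.3f})")
        self.volume[host].update(nbytes)
        self.ports[host][port] = self.ports[host].get(port, 0) + 1
        if reasons:
            return {"index": index, "host": host, "reasons": reasons}
        return None


def run_detector(events, **kwargs):
    """Stream the events through one detector and collect the alerts."""
    det = AnomalyDetector(**kwargs)
    alerts = []
    for i, (host, port, nbytes) in enumerate(events):
        alert = det.observe(i, host, port, nbytes)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detector(SAMPLE_EVENTS):
        print(alert)
```

Only the last row is flagged, for two independent reasons (volume and port), while the second host produces nothing because it has not finished its warm-up. That warm-up is the practical caveat behind "unsupervised": a brand-new device has no baseline, so the first events it sends are learned rather than judged, and an attacker who is present from day one becomes part of "normal".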

14

CONTAINMENT

The problem: Antivirus cannot cope with today’s threats

For thirty years, most of us have relied on signature-based antivirus products for protection, which use their signature file (blacklist) to identify and respond to threats. Unfortunately, that means “legacy antivirus” must first detect the threat before it can be addressed. Legacy antivirus systems simply cannot cope with the volume and sophistication of today’s threats.

Our solution: Intelligent Threat Containment

Our threat containment solutions provide total protection against zero-day threats while having no impact on end-user experience or workflows. All untrusted processes and applications are automatically contained in a secure environment, allowing safe applications the freedom to run while denying malware the system access it requires to deliver its payload.

Unknown files: The Good, The Bad, and The Ugly

Known Good: The file is known to be valid and not a risk.

Known Bad: The file is a known threat and must be dealt with accordingly.

Unknown: The file is not on our lists of good or bad. It may be safe or it could be malicious. We just do not know.

15

AUTOMATION & ORCHESTRATION

• Work Smarter

• Respond Faster

• Strengthen Defenses

• Execute actions in seconds instead of the minutes, hours or more they take when done manually

• Automates repetitive tasks

• More efficient staff

• Improves security by reducing Mean Time to Resolution (MTTR)

16

AUTHENTICATION

• Complete device visibility

• Identify corporate-owned vs. personal devices

• Block untrusted endpoints

• Visibility into the security hygiene of each device

• Policies to prevent vulnerable devices from connecting

• Secure Single Sign-On experience

• Two-Factor Authentication

• Geolocation
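The bullets above list the signals a device-aware sign-on checks; this added example (not code from the presentation or from Billtrust's SSO) shows how they combine into one access decision. It treats an unmanaged endpoint, an out-of-date device and impossible travel (the geolocation signal: the speed implied by the distance and time since the user's last login) as hard denies, and a missing second factor as a step-up rather than a deny. The thresholds, the location coordinates and the login records are assumptions constructed for the example.

```python
import math
from datetime import datetime, timezone

# Policy thresholds assumed for this example (not taken from the slides).
MAX_PLAUSIBLE_SPEED_KMH = 900   # about airliner cruising speed
MAX_PATCH_AGE_DAYS = 30         # device is "vulnerable" if behind on updates longer than this
MIN_DISTANCE_KM = 50            # ignore geolocation jitter below this


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def implied_speed_kmh(prev, cur):
    """Speed the user would have needed to get from the previous login location to this one."""
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    if dist < MIN_DISTANCE_KM:
        return 0.0
    hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
    if hours <= 0:
        return math.inf  # two distant places at the same instant
    return dist / hours


def evaluate_access(cur, prev=None):
    """Return (decision, reasons); decision is ALLOW, STEP_UP or DENY."""
    reasons = []
    if not cur["managed"]:
        reasons.append("untrusted endpoint: device is not corporate managed")
    if cur["patch_age_days"] > MAX_PATCH_AGE_DAYS:
        reasons.append(f"vulnerable device: {cur['patch_age_days']} days behind on updates")
    if prev is not None:
        speed = implied_speed_kmh(prev, cur)
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            reasons.append(f"impossible travel: {speed:.0f} km/h since last login")
    if reasons:
        return "DENY", reasons
    if not cur["mfa_verified"]:
        return "STEP_UP", ["second factor required for sensitive data"]
    return "ALLOW", []


def login(when, lat, lon, managed=True, patch_age_days=3, mfa_verified=True):
    """Build one login context record (constructed input for the example)."""
    return {"ts": parse_ts(when), "lat": lat, "lon": lon, "managed": managed,
            "patch_age_days": patch_age_days, "mfa_verified": mfa_verified}


# Constructed locations and login records for the example.
NEWARK = (40.7357, -74.1724)
PHILADELPHIA = (39.9526, -75.1652)
KYIV = (50.4501, 30.5234)

LAST_LOGIN = login("2017-06-01 09:00", *NEWARK)

CASES = {
    "commute": login("2017-06-01 11:00", *PHILADELPHIA),
    "stolen_creds": login("2017-06-01 10:00", *KYIV),
    "byod": login("2017-06-01 12:00", *NEWARK, managed=False),
    "no_second_factor": login("2017-06-01 12:00", *NEWARK, mfa_verified=False),
}

if __name__ == "__main__":
    for name, ctx in CASES.items():
        print(name, evaluate_access(ctx, LAST_LOGIN))
```

Newark to Philadelphia in two hours is an ordinary commute and is allowed; Newark to Kyiv in one hour implies several thousand km/h and is denied even though the device and second factor are fine, which is the point of the geolocation check: it catches a valid password and a valid token used from somewhere the real user cannot be.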

17

WHAT CAN

YOU DO?

18

EASY FIXES

Manage User Accounts

• Bad Ideas: Shared accounts, accounts with the

same password

• Create strong but easy to remember passwords

• Keep your devices updated

• Phones, tablets, laptops

• Learn to spot spoofed emails & phishing emails

• Be leery of pop-ups & phone calls

19

STRONG PASSWORDS

Come up with a phrase and use a character from each word. Use capitals where appropriate.

Example:

• “I met Susan Morris at Lincoln High School in 1991”

• Password could be: ImSMaLHSi#91

20

STRONG PASSWORDS

An easy way to make each password unique

Add a letter or two to the password based on the name of the site you’re logging into. For example:

• Amazon: aImSMaLHSi#91z (added an a to the beginning and a z at the end)

• Google: gImSMaLHSi#91

• Twitter: tImSMaLHSi#91r

Keep in mind that if one of these passwords leaks, the site-based pattern is easy to guess from it, so where you can, use a password manager to give every site its own random password.

Change your passwords if and when:

• There has been any type of security breach on the site or your system

• You have lost a device that has the password stored

• Someone else gets hold of your password

• And even if none of this happens, change them every few months (note that NIST SP 800-63B no longer recommends scheduled changes on their own; a change after any of the events above matters far more)

21

SPOOFING & PHISHING EMAILS

22

POP-UP & PHONE SCAMS

23

WANT TO LEARN MORE?

Free Cyber Security Learning

https://www.cybrary.it/

National Institute of Standards & Technology

https://www.nist.gov/topics/cybersecurity

Report Phishing

https://www.consumer.ftc.gov/articles/0003-phishing

PCI-DSS documentation

https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

Annual Hackers Convention

https://defcon.org/

24

WANT TO LEARN MORE?

Want to learn how Billtrust solutions can help your accounts receivable team protect and secure your data?

Visit www.billtrust.com to find out more and request a free demo.