FFIEC Guidance: A Cloud Security Perspective

As reported in a recent post on our blog, banks are rapidly moving to the cloud. Another recent post discussed how banks can make this move securely. If you are a financial institution looking to make the move to the cloud, this post can help you meet the information security program management requirements of the Information Security booklet of the FFIEC Information Technology Examination Handbook, published in September 2016 (“the Handbook”).


It is well known that while FFIEC guidance, as expressed in its various publications, may not have the force of law or regulations, it serves as a blueprint for examiners to follow in conducting audits of your institution. Accordingly, if you fail to comply, you could fail an audit and therefore be prevented from entering new markets, introducing new products, or even merging with or acquiring another institution. For these reasons, it’s important for you to understand how to meet the requirements of FFIEC guidance when moving to the cloud.


The Handbook states that a Financial Institution (FI) should have a “robust and effective information security program” that includes the following:

  • Risk identification
  • Risk assessment
  • Risk mitigation
  • Risk monitoring

Each of the above requirements is described in detail in the Handbook.

The Handbook also cautions that:

“In light of the increasing volume and sophistication of cybersecurity threats, examiners should focus on cybersecurity preparedness in assessing the effectiveness of an institution’s overall information security program.”

The remainder of this post will describe how Threat Stack can help you provide and maintain robust security for your cloud infrastructure while also meeting the information security program requirements of the FFIEC Handbook.

Identifying Threats and Vulnerabilities

The Handbook states:

“To be effective, an information security program should have documented processes to identify threats and vulnerabilities continuously. Risk identification should produce groupings of threats, including significant cybersecurity threats.” [Emphasis added.]

Threat Stack’s Audit, Monitor, and Investigate solutions can help FIs identify these threats and vulnerabilities.

Threat Identification

Communication between your cloud instances and a malicious host (e.g., a botnet command-and-control server) can represent a significant cybersecurity threat. The Threat Stack Investigate solution includes Threat Intelligence rules that can alert you whenever an instance communicates with an IP address that appears on one of several open-source and commercial threat intelligence data feeds.
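As an added illustration (not Threat Stack’s code, and not the form its rules take), the following Python matches constructed host network events against a constructed threat-intelligence feed the way a threat-intelligence rule set does: the remote side of each connection, whichever direction it was made in, is checked against the feed’s single IPs and CIDR ranges, and RFC 1918 and loopback addresses are never looked up, so a feed entry for a private address cannot alert on every internal connection. The event schema, the feed format, and every address are assumptions.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed threat-intelligence feed (not a real feed). Assumed line format:
# indicator,feed_name,category, where the indicator is a single IP or a CIDR range.
FEED_CSV = """\
198.51.100.23,example-c2-feed,botnet_c2
203.0.113.0/24,example-spam-feed,spam
192.0.2.77,example-c2-feed,botnet_c2
10.0.0.5,example-noisy-feed,scanner
"""

# Address space never matched against a feed: the last feed line above carries an
# RFC 1918 address and would otherwise alert on ordinary internal traffic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Indicator:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    feed: str
    category: str


def load_feed(csv_text: str) -> list[Indicator]:
    """Parse the feed; a single IP becomes a /32 (or /128) network."""
    indicators = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ind, feed, category = (f.strip() for f in line.split(","))
        # strict=False accepts a host address written with a prefix (e.g. 203.0.113.9/24)
        indicators.append(Indicator(ipaddress.ip_network(ind, strict=False), feed, category))
    return indicators


# Constructed agent network events (an assumed schema, not Threat Stack's).
EVENTS = [
    {"host": "web-01", "direction": "outbound", "src": "10.0.1.15",
     "dst": "198.51.100.23", "dport": 443, "process": "curl"},
    {"host": "web-01", "direction": "outbound", "src": "10.0.1.15",
     "dst": "52.94.1.1", "dport": 443, "process": "aws"},
    {"host": "db-02", "direction": "inbound", "src": "203.0.113.200",
     "dst": "10.0.2.8", "dport": 22, "process": "sshd"},
    {"host": "db-02", "direction": "outbound", "src": "10.0.2.8",
     "dst": "10.0.0.5", "dport": 5432, "process": "postgres"},
]


def is_internal(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(ip.version == n.version and ip in n for n in INTERNAL_NETS)


def match_events(events: list[dict], indicators: list[Indicator]) -> list[dict]:
    """Return one alert per (event, matching indicator) pair."""
    alerts = []
    for ev in events:
        # The remote party is the destination of an outbound connection and the
        # source of an inbound one; the local side is never looked up.
        remote = ev["dst"] if ev["direction"] == "outbound" else ev["src"]
        remote_ip = ipaddress.ip_address(remote)
        if is_internal(remote_ip):
            continue
        for ind in indicators:
            if remote_ip.version == ind.network.version and remote_ip in ind.network:
                alerts.append({"host": ev["host"], "direction": ev["direction"],
                               "remote": remote, "dport": ev["dport"],
                               "process": ev["process"], "feed": ind.feed,
                               "category": ind.category})
    return alerts


if __name__ == "__main__":
    for a in match_events(EVENTS, load_feed(FEED_CSV)):
        print(f"ALERT {a['host']}: {a['direction']} {a['process']} <-> "
              f"{a['remote']}:{a['dport']} [{a['feed']}/{a['category']}]")
```

Of the four constructed events only the first (outbound to a listed C2 address) and the third (inbound SSH from a listed spam range) alert; the AWS API call is unlisted and the Postgres connection goes to an internal address that the feed lists but the matcher deliberately ignores.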


Infrastructure and Instance Vulnerability Scanning

Financial Institutions running their operations in the cloud can be exposed to vulnerabilities both in their cloud infrastructure (e.g., Amazon Web Services) and in individual instances (servers).

The Threat Stack Audit solution includes Configuration Auditing (aka Config Audit). This capability can help FIs operating in AWS identify infrastructure vulnerabilities, implement AWS security best practices, and conform to Center for Internet Security (CIS) benchmarks by automatically auditing the current environment. It provides an immediate, concise report of configurations that do not comply with best practices, and we then offer steps to remediate those findings and make your AWS infrastructure more secure.


While Config Audit helps identify and remediate AWS infrastructure vulnerabilities, our Monitor and Investigate solutions can perform vulnerability scans on instances (on-premises or in the cloud) to help you identify known vulnerabilities in the specific packages installed on each of your instances.


Risk Measurement

The Handbook recommends the use of threat analysis tools “to assist in understanding and supporting the measurement of information security-related risks” and to “deconstruct an event into stages, better understand the event, identify the most effective and efficient means of mitigating risk, and improve the information security program.” It cites as examples tools which can display a “chronological series of events in a system or activity,” as well as schemata that list software vulnerabilities such as Mitre Corporation’s Common Vulnerabilities and Exposures (“CVE”).

Threat Stack can support your risk measurement process in several ways:

TTY Timeline

When a suspicious event occurs in a user’s session on an instance being monitored by Threat Stack, our Investigate package can recreate a “TTY Timeline”, essentially playing back all of the events that occurred in the session so that you can deconstruct the event, understand what occurred, identify the best way of mitigating risk, and implement changes to improve your information security program.


As explained above, Threat Stack’s Monitor and Investigate solutions can perform vulnerability scans on instances (on-premises or in the cloud) to help you identify known vulnerabilities in the specific packages installed on each of your instances. Each identified vulnerability is linked to the relevant CVE entry, which helps you measure the extent to which it represents a risk to your institution.


Risk Mitigation

The Handbook states:

“Once management has identified and measured the risks, it should develop and implement an appropriate plan to mitigate those risks. … Additionally, management should develop, maintain, and update a repository of cybersecurity threat and vulnerability information that may be used in conducting risk assessments and provide updates to senior management and the board on cyber risk trends.”

It goes on to describe the timing and nature of controls that you can implement in order to mitigate information security risks. For detective controls, the Handbook’s table gives:

  • Control type: Controls designed to alert management when incidents occur
  • Example: Reports that show suspicious activity


The Threat Stack intrusion detection platform includes detective technology that can form important components of a layered control system that the Handbook recommends in order to mitigate information security and cybersecurity risks. These include a number of rule sets designed to alert on various types of cloud security incidents, including:

  • Base Rule Set — agent-based rules for monitoring file integrity, host activity, network activity, potential exploits, and user activity
  • CloudTrail Rule Set — agentless rules for monitoring AWS infrastructure for VPC, SQS, IAM, and other policy changes, root logins, and other AWS administrative activity
  • Threat Intelligence Rule Set — agent-based rules for monitoring inbound and outbound communications between instances and known bad IP addresses, including botnet command-and-control servers, spamming servers, and other malicious hosts

[Image: Rules and Alerts]

When activity on an instance or in AWS triggers a rule, an alert is generated.  For example:

[Image: Alert Example]
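Added example, not Threat Stack’s rule engine: a minimal agentless rule set of the CloudTrail kind described above, run over constructed CloudTrail records. The field names follow CloudTrail’s own record format (eventSource, eventName, userIdentity, requestParameters), but the account number, ARNs, user names, times, and addresses are made up. Each rule is a predicate over one record, so one record can fire several rules, and the IAM and CloudTrail rules key on the API names that grant permissions or weaken logging rather than on anything the caller chooses to supply.

```python
import json

# Constructed CloudTrail log. Field names follow the CloudTrail record format;
# every value (account, ARNs, users, times, addresses) is made up.
CLOUDTRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2017-03-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-03-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"userName": "deploy-bot",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2017-03-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2017-03-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventTime": "2017-03-01T10:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVpc", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"vpcId": "vpc-0a1b2c3d"}},
]})

# IAM calls that grant or change permissions, CloudTrail calls that weaken logging,
# and EC2 calls that change VPC topology. These are real API names; the lists are
# deliberately short and would be longer in a production rule set.
IAM_POLICY_APIS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
                   "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
                   "CreatePolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion"}
TRAIL_TAMPER_APIS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
VPC_CHANGE_APIS = {"CreateVpc", "DeleteVpc", "ModifyVpcAttribute",
                   "CreateVpcPeeringConnection", "AcceptVpcPeeringConnection"}

# Each rule: (name, severity, predicate over one record).
RULES = [
    ("root-console-login", "critical",
     lambda r: r["eventSource"] == "signin.amazonaws.com"
               and r["eventName"] == "ConsoleLogin"
               and r["userIdentity"].get("type") == "Root"),
    ("root-api-activity", "high",
     lambda r: r["userIdentity"].get("type") == "Root"
               and r["eventSource"] != "signin.amazonaws.com"),
    ("iam-policy-change", "high",
     lambda r: r["eventSource"] == "iam.amazonaws.com"
               and r["eventName"] in IAM_POLICY_APIS),
    ("cloudtrail-tampering", "critical",
     lambda r: r["eventSource"] == "cloudtrail.amazonaws.com"
               and r["eventName"] in TRAIL_TAMPER_APIS),
    ("vpc-change", "medium",
     lambda r: r["eventSource"] == "ec2.amazonaws.com"
               and r["eventName"] in VPC_CHANGE_APIS),
]


def actor(record: dict) -> str:
    """Root has no userName, so fall back to the ARN, then to the identity type."""
    ui = record.get("userIdentity", {})
    return ui.get("userName") or ui.get("arn") or ui.get("type", "unknown")


def evaluate(log_text: str, rules=RULES) -> list:
    """Run every rule over every record; return one alert per (record, rule) hit."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        for name, severity, pred in rules:
            if pred(rec):
                alerts.append({"rule": name, "severity": severity,
                               "time": rec["eventTime"], "actor": actor(rec),
                               "event": rec["eventName"],
                               "source_ip": rec.get("sourceIPAddress"),
                               "params": rec.get("requestParameters", {})})
    return alerts


if __name__ == "__main__":
    for a in evaluate(CLOUDTRAIL_LOG):
        print(f"{a['time']} [{a['severity']}] {a['rule']}: {a['actor']} {a['event']} "
              f"from {a['source_ip']} {a['params']}")
```

Four of the five constructed records alert (the root console login, the AdministratorAccess attachment, the StopLogging call, and the VPC deletion); the read-only DescribeInstances call matches nothing. The StopLogging record is the one to treat as most urgent, since it is the action that would blind every other CloudTrail rule.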

The following summarizes important aspects of the recommended risk mitigation actions and the specific Threat Stack functionality that can help you meet these requirements:

Configuration Management
Handbook: Configurations should be monitored for unauthorized changes, and misconfigurations should be identified. Management can use automated solutions to help track, manage, and identify necessary corrections.
Threat Stack support:
  • Config Audit can verify compliance with best practices and identify misconfigurations in your AWS infrastructure.
  • Vulnerability scanning can help ensure that Linux instances are free of known vulnerabilities (CVEs).
  • CloudTrail monitoring can alert you to configuration changes in your AWS account.
  • File Integrity Monitoring can alert you to unauthorized changes to system or configuration files.

Hardening
Handbook: When deploying Commercial Off the Shelf (COTS) applications and systems, management should harden the resulting applications and systems.
Threat Stack support:
  • Vulnerability scanning can help you keep your instances current with necessary patches and up-to-date package versions.
  • Config Audit can help you test your AWS infrastructure to ensure secure configuration.

Standard Builds
Handbook: The institution should use standard builds, which allow one documented configuration to be applied to multiple computers in a controlled manner.
Threat Stack support:
  • We’ve created templates for Chef, Puppet, Ansible, and Salt so that deploying the Threat Stack agent can be built into your standard configuration.

Patch Management
Handbook: [M]anagement should use vulnerability scanners periodically to identify vulnerabilities in a timely manner.
Threat Stack support:
  • Vulnerability scanning can help you keep your instances current with necessary patches and up-to-date package versions.

Malware Mitigation
Handbook: Management should implement defense-in-depth to protect, detect, and respond to malware.
Threat Stack support: Agent-based detection can monitor for and alert on:
  • Unauthorized network connections
  • Installation of unauthorized software
  • Anomalous activity

Logical Security
Handbook: Management should implement logging and independent monitoring of the use of privileged access.
Threat Stack support:
  • Agent-based detection can monitor and alert on privileged account access on instances.
  • The Audit solution can monitor CloudTrail logs for privileged account access to AWS infrastructure.

Operating System Access
Handbook: Management should:
  • Filter and review logs for potential security events
  • Independently monitor system access by user, terminal, date and time of access
Threat Stack support:
  • The Audit solution can automate the monitoring of CloudTrail logs and alert on potential security events in AWS infrastructure.
  • Agent-based detection can monitor and alert on system access and provide event details.

Remote Access and Use of Remote Devices
Handbook: Management should … [l]og and monitor all remote access communications.
Threat Stack support:
  • Agent-based detection can monitor and alert on remote access communications.

Customer Remote Access to Financial Services
Handbook: Management should develop and maintain policies and procedures to identify, measure, mitigate, monitor, and report on significant security incidents to ensure the resilience of remote financial services.
Threat Stack support:
  • Our recent blog post on Using Threat Stack to Demonstrate PCI Compliance details how we can help address these requirements.

Encryption
Handbook: Effective key management should address:
  • Rules on when and how keys should be changed
  • Logging and auditing of key management-related activities
Threat Stack support:
  • Config Audit can scan AWS infrastructure to determine whether key rotation policies comply with CIS benchmarks.
  • The Audit solution can alert on key management-related activities.

Outsourced Cloud Computing
Handbook: Management may need to revise information security policies, standards, and procedures to incorporate the activities related to a cloud computing service provider.
Threat Stack support:
  • Config Audit can scan AWS infrastructure to determine how closely its configuration conforms to AWS best practices and CIS benchmarks.

Log Management
Handbook: [I]nstitutions should strictly control and monitor access to log files whether on the host or in a centralized logging repository.
Threat Stack support:
  • Config Audit can scan AWS infrastructure to determine whether CloudTrail logging is enabled for all regions and whether the logs are adequately protected.
  • File Integrity Monitoring can alert on unauthorized access to, changes to, or deletion of instance log files.
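An added example, not Threat Stack’s Config Audit: four checks of the kind the CIS AWS Foundations Benchmark specifies and that the Encryption and Log Management rows above rely on (CloudTrail enabled in all regions, log file validation enabled, a non-public log bucket, and access keys rotated within 90 days), evaluated against a constructed account snapshot. The snapshot’s shape only loosely mirrors what the CloudTrail DescribeTrails/GetTrailStatus and IAM ListAccessKeys APIs return and is an assumption; every trail name, bucket, key ID, and date is made up. Each check is a pure function of the snapshot, which is what makes a daily audit and a diff of its findings possible.

```python
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the key-age check is deterministic.
NOW = datetime(2017, 3, 1, tzinfo=timezone.utc)

# Constructed account snapshot (assumed shape; all values made up).
ACCOUNT = {
    "trails": [
        {"Name": "main", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
         "S3BucketName": "fi-cloudtrail-logs", "IsLogging": True},
    ],
    "s3_buckets": {
        "fi-cloudtrail-logs": {"public_access": True},
    },
    "access_keys": [
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0001", "Status": "Active",
         "CreateDate": NOW - timedelta(days=40)},
        {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0002", "Status": "Active",
         "CreateDate": NOW - timedelta(days=200)},
        {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE0003", "Status": "Inactive",
         "CreateDate": NOW - timedelta(days=400)},
    ],
}

MAX_KEY_AGE_DAYS = 90  # rotation interval used by the CIS AWS Foundations Benchmark


def finding(control, resource, detail):
    return {"control": control, "resource": resource, "detail": detail}


def check_cloudtrail_all_regions(acct):
    """At least one trail must be multi-region and actively logging."""
    ok = any(t["IsMultiRegionTrail"] and t["IsLogging"] for t in acct["trails"])
    return [] if ok else [finding("cloudtrail-all-regions", "account",
                                  "no multi-region trail is logging")]


def check_log_file_validation(acct):
    """Every trail should sign its log digests so that tampering is detectable."""
    return [finding("cloudtrail-log-validation", t["Name"], "log file validation disabled")
            for t in acct["trails"] if not t["LogFileValidationEnabled"]]


def check_trail_bucket_private(acct):
    """The bucket receiving CloudTrail logs must not be publicly accessible."""
    out = []
    for t in acct["trails"]:
        bucket = acct["s3_buckets"].get(t["S3BucketName"], {})
        if bucket.get("public_access"):
            out.append(finding("cloudtrail-bucket-private", t["S3BucketName"],
                               f"bucket for trail {t['Name']} is publicly accessible"))
    return out


def check_access_key_rotation(acct, now=NOW, max_age=MAX_KEY_AGE_DAYS):
    """Flag active keys older than the rotation interval; inactive keys are ignored."""
    out = []
    for k in acct["access_keys"]:
        age = (now - k["CreateDate"]).days
        if k["Status"] == "Active" and age > max_age:
            out.append(finding("access-key-rotation", f"{k['UserName']}/{k['AccessKeyId']}",
                               f"active key is {age} days old (limit {max_age})"))
    return out


CHECKS = [check_cloudtrail_all_regions, check_log_file_validation,
          check_trail_bucket_private, check_access_key_rotation]


def audit(acct):
    """Run every check and return the combined list of findings."""
    return [f for check in CHECKS for f in check(acct)]


if __name__ == "__main__":
    for f in audit(ACCOUNT):
        print(f"FAIL {f['control']:<26} {f['resource']:<28} {f['detail']}")
```

The constructed account fails all four checks: its only trail is single-region and unvalidated, the log bucket is public, and the deploy-bot key is 200 days old. Bob’s 400-day-old key is not reported because it is already inactive; reactivating it would make it a finding on the next run.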


Risk Monitoring and Reporting

The Handbook defines risk monitoring as:

“A process by which the institution tracks information about its inherent risk profile and identifies gaps in the effectiveness of risk mitigation activities. Risk monitoring should address changing threat conditions in both the institution and the greater financial industry. Threats change frequently, particularly in terms of the threat’s capabilities and intentions, as well as the vulnerabilities they may exploit. Vulnerabilities in software are continually announced, and other vulnerabilities may emerge as the institution’s systems are modified or updated.”

It describes risk reporting as:

“A process that produces information systems reports that address threats, capabilities, vulnerabilities, and inherent risk changes. Risk reporting should describe any information security events that the institution faces and the effectiveness of management’s response and resilience to those events.”

For financial institutions moving operations to the cloud, risk monitoring and reporting must occur at both the infrastructure and the instance level. Fortunately, the Threat Stack intrusion detection platform has capabilities for monitoring and reporting on both:

  • Config Audit — Monitors your AWS infrastructure on a daily basis and generates a report indicating how closely your configuration of key resource types conforms to AWS best practices and CIS Benchmarks.
  • Vulnerability Scanning — Monitors your instances on a daily basis and generates a report showing any known vulnerabilities (CVEs) present in the packages installed on each instance.
  • CloudTrail Monitoring — Monitors and alerts when events occur in the AWS infrastructure that could indicate malicious activity or could result in non-compliance with best practices or benchmarks.
  • Instance Monitoring — Monitors your cloud instances, alerts on, and can report on user, file, process, network, or threat intelligence activity that could compromise security or indicate malicious activity.
  • Compliance Reporting — An integral part of Threat Stack’s intrusion detection platform, which means you can receive daily reports on the status of internal controls and processes that address a number of key compliance requirements.

Final Words . . .

For financial institutions looking to move operations to the cloud, complying with FFIEC information security requirements need not present an insurmountable challenge. This post shows how the Threat Stack intrusion detection platform can help make your cloud security journey as smooth as possible.

We encourage you to explore additional Threat Stack features and, if you are interested in learning more about Threat Stack’s ability to help with compliance, please download a copy of our free Compliance Playbook for Cloud Infrastructure.