New York Department of Financial Services’ 23 NYCRR 500 and advanced authentication

Published on 15 February 2018

Today, February 15th, 2018 marks the day that the Department of Financial Services (DFS) cybersecurity regulation Part 500 comes into force. 

This means that any financial institution under the direct jurisdiction of the DFS, or any financial institution conducting business in the state of New York, must comply with the new regulation.

23 NYCRR 500 emphasizes practices that harden the security measures applied to safeguard nonpublic information. But unlike many cybersecurity regulations, Part 500 takes advanced authentication to a new level.

It does so by recommending authentication procedures that rely on anomaly detection and/or changes in normal use patterns. Part 500 refers to this as risk-based authentication, and it can be found under section 500.12, Multi-Factor Authentication.

Risk-based authentication

By including risk-based authentication in the category of multi-factor authentication, the New York DFS clearly acknowledges that such an authentication method requires some form of verification factor to function properly. This is also reflected in section 500.01, which states that multi-factor authentication systems must rely on three categories of verification factors:

  • Knowledge factors, such as passwords;
  • Possession factors, such as a token or a text message on a mobile phone;
  • Inherence factors, such as a biometric characteristic.

Digital biometric identifiers

The last one is particularly interesting. Nowadays, we don’t define biometric characteristics as narrowly as we did a few years ago. Apart from the usual fingerprint and retina scans, there are also so-called digital biometric identifiers. These are regularly occurring patterns and constantly performed actions that reflect an individual’s unique behavior. These characteristics are bound to an individual, are impossible to mimic or reproduce, yet easily distinguish one user from another.

User Behavior Analytics

All we need now is a system capable of performing anomaly detection based on digital behavior, and that is where User Behavior Analytics (UBA) comes into play. UBA works in three separate phases.

  • First, it generates a custom profile for each user based on the collected digital biometric identifiers. This acts as a baseline for identifying a specific user.
  • In the second phase, called continuous authentication, the UBA engine continually compares the baseline profile to actual behavior for the whole period during which the user is operating within the security perimeter.
  • The last phase occurs when the difference between the baseline and the current behavior exceeds a tolerance threshold, which, apart from the digital biometric identifiers, is also based on a risk-scoring system integrating contextual information, such as the user’s privileges, the commands used, and the type of data accessed. These anomalies are presented to security teams in a detailed fashion, and the risk scoring enables security experts to judge how critical the event is.
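The three phases above, worked through as an added Python example (this is not Balabit's UBA engine or code from the original post): the profile format, the contextual risk weights, the threshold and the sample events are all constructed for illustration.

```python
from collections import Counter

# Contextual risk weights and a tolerance threshold. All values are constructed
# for this example; a real UBA engine would tune them per environment.
PRIVILEGE_WEIGHT = {"user": 1.0, "admin": 2.0, "root": 3.0}
SENSITIVE_COMMANDS = {"useradd", "passwd", "scp", "mysqldump"}
SENSITIVE_DATA = {"customer_pii", "card_data"}
THRESHOLD = 4.0

def build_profile(history):
    """Phase 1: baseline profile from a user's historic events, each event being
    (hour_of_day, command, data_class_or_None)."""
    profile = {"hours": Counter(), "commands": Counter(), "data": set()}
    for hour, cmd, data_class in history:
        profile["hours"][hour] += 1
        profile["commands"][cmd] += 1
        if data_class:
            profile["data"].add(data_class)
    return profile

def is_anomalous(profile, event):
    """Phase 2: an event deviates if any of its traits is absent from the baseline."""
    hour, cmd, data_class = event
    return (profile["hours"][hour] == 0 or profile["commands"][cmd] == 0
            or (data_class is not None and data_class not in profile["data"]))

def assess(profile, session, privilege):
    """Phase 3: scale the behavioural deviation by contextual risk (privileges,
    commands used, data accessed) and compare it to the tolerance threshold."""
    anomalies = [ev for ev in session if is_anomalous(profile, ev)]
    deviation = len(anomalies) / len(session)            # fraction in 0.0 .. 1.0
    context = PRIVILEGE_WEIGHT[privilege]
    context += sum(cmd in SENSITIVE_COMMANDS for _, cmd, _ in session)
    context += sum(dc in SENSITIVE_DATA for _, _, dc in session)
    score = round(deviation * context, 2)
    # The anomalies list is the detail a security team would see alongside the score.
    return {"score": score, "flagged": score > THRESHOLD, "anomalies": anomalies}

# Constructed sample data: a developer who works office hours on source code.
BASELINE = [(9, "ls", "source_code"), (10, "git", "source_code"), (11, "cat", "source_code"),
            (14, "less", "source_code"), (16, "git", "source_code")]
NORMAL_SESSION = [(10, "ls", "source_code"), (11, "git", "source_code")]
OFF_HOURS_SESSION = [(3, "ls", "source_code")]
SUSPICIOUS_SESSION = [(3, "ls", None), (3, "mysqldump", "customer_pii"), (3, "scp", "customer_pii")]

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for name, session in [("normal", NORMAL_SESSION), ("suspicious", SUSPICIOUS_SESSION)]:
        print(name, assess(profile, session, "admin"))
```

The same off-hours deviation scores 1.0 for a plain user and 2.0 for an admin, so only the privileged, data-exfiltration-shaped session crosses the threshold; that is the contextual weighting the third phase describes.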

Benefits of risk-based authentication

Knowing how to set up a risk-based security environment is one thing, but we should also talk about where and why we should use it. Digital biometric identifiers enable us to actually identify the person using an account through continuous authentication; this is an excellent way to recognize privileged account compromise. Privileged accounts grant users the greatest freedom within a network. If a privileged account has been hijacked, the potential damage is almost limitless.

Risk-based authentication, and UBA in particular, were designed to recognize if a privileged account is being used by a hacker. It recognizes deviations in behavior patterns and gives security teams the upper hand in preventing any damage from being done. By requiring risk-based authentication in the Part 500 regulation, the New York DFS has been forward-looking. It remains to be seen whether other regulatory and standards organizations will follow suit.

To learn more on Risk-Based Authentication, watch our recorded webinar here.

by István Molnár

István is the compliance expert at Balabit. With extensive knowledge and understanding of international standards, regulations, and frameworks, he acts as an adviser in compliance-related sales projects and as a content specialist in the Product Marketing team.
