Financial Organisations: Approaching Security Intelligently

Ross Brewer, Vice President and Managing Director for International Markets, LogRhythm

In recent years, the playground that criminals are operating in has changed. Hackers are going undetected, operating passively, and while any organisation can fall victim to an attack, the financial industry in particular is a target for hackers given the large volumes of money and confidential financial information banks hold.

A big problem is that the financial sector is vast, made up of many different segments, banks and countries that operate independently of one another across the industry. Legacy systems that don’t interact well are also still in place, which can make it difficult to run a security program that fully protects important assets.

As the boundary of the network has become blurred, coupled with the emergence of ‘shadow IT’ and cloud based sharing, employee activity has become harder to monitor.

While shadow IT and cloud-based sharing can help streamline operations, they can also limit the ability of already resource-constrained IT security teams to monitor legitimate usage. You only need to look at the recent attack on the SWIFT banking system, which saw cybercriminals obtain authentic credentials to send out fraudulent money transfers, to see how much damage can be caused when a hacker is able to essentially operate from within.

Hackers will find a way to get in

Today’s threat landscape has become more and more complex, with hackers using increasingly sophisticated tactics to get in. This means today’s breaches are almost inevitable, but they can be stopped before any damage has been done. Organisations need to take a different approach to cyber security; instead of trying to keep the criminals out, they need to focus more on reducing the time it takes to detect and respond to a threat. Perimeter tools, of course, still play a part in protecting against an external threat, but with more and more attacks coming from within, businesses need insight into suspicious or unusual activity that could, to the human eye, appear normal.

As it stands, the finance industry has no formal regulatory framework that banks must comply with when it comes to cyber security. While those processing payments have to adhere to PCI DSS, there are no standards for other areas of financial services. The Bank of England launched CBEST, a framework to test cyber readiness, in 2014, but the process is not compulsory, and this presents a number of problems. With no enforced standards in place, banks are essentially left to their own devices.

Banks tend to have a large number of business divisions – investment banking, private banking, wealth management, mergers and acquisitions and so on – operating within the same organisation, which can make it much more complex to implement a cyber security strategy. What’s more, they are spread across multiple offices in multiple geographies, which means that they are required to comply with a range of mandates and have varying priorities when it comes to security. These silos can result in conflicting objectives and inconsistent communication between divisions, which can make it harder for investigators, security and IT staff to have the visibility they need across the entire organisation. Furthermore, many remain focussed on perimeter security, with legacy systems in place that don’t interact well. In fact, according to the SANS Institute [1], the most prevalent cause of security incidents within financial services organisations is the abuse or misuse of privileges by internal employees or contractors, followed closely by spear-phishing emails. Despite this, almost a third of respondents claimed that perimeter tools (firewalls, intrusion detection and prevention systems (IDS/IPS)) are their most effective security solutions, even though such tools are unlikely to prevent these types of threats.

The disparate organisational and operational structure of banks, combined with an overreliance on perimeter security solutions, is leaving multiple points of weakness across their networks open to cyber attack. Without standardised policies in place to determine how to close those gaps or manage threats, we’re likely to see far more financial services companies fall victim to cyber attack.

In the majority of organisations, threat detection is based on various security sensors that attempt to look for suspicious behaviour or known signatures of malicious activity. These sensors provide a continuous stream of data related to threat events. In enterprise organisations, there can be thousands, or even hundreds of thousands, of events every hour, and with such a huge quantity of data the security team can be blinded to those that really matter. If they are unable to prioritise what needs to be investigated, they have little hope of executing a quick and effective response strategy. Organisations subsequently operate in a manner where the time it takes them to detect and respond to threats can be months and weeks respectively. The longer it takes an enterprise to discover that the network has been compromised, the longer it will take to respond, and during this time there is the potential for a lot of damage to be done. As such, businesses must strive to reduce detection and response time to a maximum of hours and days, and ideally hours and minutes, across their networks.

The importance of security intelligence

Effective IT security depends on skilled people, well-defined policies and processes, and a range of integrated technologies. As both the volume of cyber threats and the sophistication of attack methods continue to grow, security technology is critical in augmenting the human expertise necessary to successfully detect and respond to potentially damaging threats. Just as business intelligence has helped organisations sift through irrelevant data to find opportunities that may otherwise have remained unseen, security intelligence does much the same thing with cyber threat information. The main objective of security intelligence is to deliver the right information, at the right time, with the appropriate context, in order to significantly decrease the amount of time it takes to detect and respond to threats.

Security teams must be able to quickly evaluate threats to determine the level of risk, as well as whether an incident has occurred, and ensuring that analysts have as much information as possible enables them to react more efficiently. As such, when threats are detected – either via an enterprise’s vast array of sensors or through machine analytics – the role of security intelligence is to deliver actionable insight into potentially damaging threats, with supporting forensic data and contextually rich intelligence.

An effective security intelligence platform ideally enables a streamlined workflow across each of the processes described below, delivering automation wherever possible. Discovery is the first step in detection and is the process of identifying those threats that could present risk. For example, if web traffic is coming from a country the organisation doesn’t normally do business with, that traffic could be communication from a new international customer, or it could be attack traffic. At this stage, it’s unknown whether it represents a threat or not. The process requires extracting those threats that require further analysis from the mass of forensic data through user and machine analytics. From there, the qualification process can begin. This critical step involves analysing the threat further to determine if it could present risk. When qualification is done well, threats representing risk are quickly identified as requiring additional analysis or response efforts. When qualification is done poorly, actual threats are missed, or teams spend the majority of their time chasing false positives.

The outcome of the qualification step is determining whether the discovered threat is a false positive, doesn’t present risk and can be ignored, or likely presents risk and should be further investigated. If the outcome of the qualification process determines that a threat may present a risk, the security team can start the response process. It begins by conducting a deep investigation in order to understand the risk presented by the threat and determine if an incident exists. The outcome of this step is to determine whether the threat presents a risk; if an incident has occurred; and, if so, to initiate mitigation efforts.

The mitigation step is highly dependent on having sufficient knowledge about the root cause and impact of the threat, as well as the knowledge and skills to do something about it. It is a time-sensitive action, in which security practitioners benefit greatly from having an integrated and centralised view of all threat-related activity, as well as streamlined cross-organisational collaboration capabilities, knowledge bases, and automated responses.

The final step is recovery and involves performing post-mitigation efforts, such as eradicating the threat from the environment, performing any required incident/breach notifications, and performing root cause analysis to learn from the incident so that any future data breach can be managed and contained effectively.
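The discovery and qualification steps described above, as an added illustration that is not from the article or any LogRhythm product: it assumes a constructed set of web-access events, a hypothetical list of countries the organisation normally serves, and simple qualification rules that yield the three outcomes named in the text (false positive, ignore, investigate).

```python
"""Discovery -> qualification triage over constructed web-access events."""
from collections import defaultdict

# Assumption: countries the (hypothetical) organisation normally does business with.
KNOWN_COUNTRIES = {"GB", "DE", "FR", "US"}

# Constructed sample events, not real log data. "cc" is the geo-lookup of the
# source IP; "??" means the lookup itself failed.
EVENTS = [
    {"src": "198.51.100.7", "cc": "GB", "user": "alice", "path": "/account", "status": 200},
    {"src": "203.0.113.9", "cc": "BR", "user": "-", "path": "/products", "status": 200},
    {"src": "203.0.113.9", "cc": "BR", "user": "-", "path": "/products/42", "status": 200},
    {"src": "192.0.2.44", "cc": "??", "user": "bob", "path": "/account", "status": 200},
    {"src": "203.0.113.77", "cc": "RU", "user": "admin", "path": "/login", "status": 401},
    {"src": "203.0.113.77", "cc": "RU", "user": "admin", "path": "/login", "status": 401},
    {"src": "203.0.113.77", "cc": "RU", "user": "admin", "path": "/login", "status": 401},
    {"src": "203.0.113.77", "cc": "RU", "user": "admin", "path": "/admin/transfers", "status": 200},
]


def discover(events, known=KNOWN_COUNTRIES):
    """Discovery: extract from the mass of events only those worth analysing.

    The trigger (traffic from an unusual country) is deliberately broad, so
    every hit must go through qualification before anyone responds to it."""
    return [e for e in events if e["cc"] not in known]


def qualify(candidates):
    """Qualification: one verdict per source plus the context that justified it."""
    by_src = defaultdict(list)
    for e in candidates:
        by_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        failed_logins = sum(1 for e in evs if e["path"] == "/login" and e["status"] == 401)
        admin_paths = [e["path"] for e in evs if e["path"].startswith("/admin")]
        if all(e["cc"] == "??" for e in evs):
            verdicts[src] = ("false_positive", "geo lookup failed; country is unknown, not unusual")
        elif failed_logins >= 3 or admin_paths:
            verdicts[src] = ("investigate", f"{failed_logins} failed logins, admin paths {admin_paths}")
        else:
            verdicts[src] = ("ignore", "unusual country but ordinary customer browsing")
    return verdicts


def triage(events):
    """Run discovery then qualification; return only sources needing investigation."""
    return {s: v for s, v in qualify(discover(events)).items() if v[0] == "investigate"}
```

Running `triage(EVENTS)` leaves a single source to hand to the investigation step, with the evidence string attached so the analyst does not have to rebuild the context.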

To have the best possible chance of mitigating the threats that they face, financial organisations need to re-think their security strategies. The most effective course of action is to employ policies based on the principles of security intelligence, with the right technology. Not only will this approach help banks identify threats more quickly, it will also provide the deep network visibility required to help close the security gaps between silos. As breaches become inevitable, it’s essential that banks shift their focus from prevention to mitigation so that when – not if – they are attacked, hackers are stopped in their tracks before any damage has been done.

[1] https://www.sans.org/reading-room/whitepapers/analyst/