• Today, no European retail bank has attack-aware security that automatically detects and responds to intrusions inside perimeter defences sufficiently
• Intelligent Environments calls on developers across the banking industry to enhance security as it demonstrates new software that copes with threats in real-time
• This follows the Bank of England’s call to action for banks and the vendor community to change their approach to security and cooperate rather than compete in order to strengthen information and share good practice

The first attack-aware security software for the banking sector is being revealed at FinovateEurope 2015 by Intelligent Environments, a leading digital financial services software provider. Intelligent Environments will demonstrate the groundbreaking new security software while calling on software developers across the financial services industry to enhance existing security tools that focus exclusively on perimeter defence. Intelligent Environments will monitor the applications of its digital banking systems clients via its new Interact® security application.

Intelligent Environments built the new application into its Interact® software to apply the AppSensor concept promoted by the Open Web Application Security Project (OWASP), a platform aimed at making all web applications stronger. Intelligent Environments supports this goal and views collaboration across financial services as the best defence against the growing cyber security threat.

Security is under threat

Intelligent Environments developed the software based on ideas first put forward in the open source AppSensor project by the Open Web Application Security Project (OWASP), a global not-for-profit charity focused on improving the security of software. Rather than building ‘higher’ and ‘thicker’ perimeter defences and making passwords longer and more complex, the new attack-aware software works from the inside, monitoring behaviour inside the perimeter defences.

As stated at a cyber security event in January, by the Bank of England’s executive director for resolution Andrew Gracie, the banking industry should not assume that perimeter defences can keep out all attacks.

Far from it, with the rise of phishing and other methods it is easier than ever to get through the perimeter. This is why the industry must today begin to collaborate to create ‘attack-aware’ measures that enable banks to identify where intrusions have occurred and to respond accordingly.

There is a lack of transparency and collaboration on the issue, but the Cabinet Office estimates that the UK banking sector is paying more than £2.5 billion per year to fight cybercrime. It is clear that current spend on cyber security focuses on protecting the perimeter defences. Yet most data loss occurs because hackers already have the user IDs and passwords they need to gain access; more than three quarters of attacks use login credentials sourced from phishing that bypass the perimeter.

Despite high spending levels, the industry is facing an unprecedented volume of security incidents – According to PWC there were 120,000 breaches every day in 2014. As an industry underpinned by trust from customers that their money, privacy and data is protected, Intelligent Environments urges the financial services sector to further support the effort to find new ways of meeting the threat of unscrupulous agents motivated to defraud banks of their assets and data.

Intelligent Environments calls on developers to provide attack-aware security

Today, it is estimated that up to 100 per cent of retail banking security software fails to automatically detect and respond to intrusions behind the traditional perimeter defences of banking security protection and yet a solution to the problem is available. Through collaborative projects, the industry could now see 100 per cent deployment of attack-aware security across the sector within years. With AppSensor, Intelligent Environments has built a platform designed for collaboration. AppSensor is designed so that new detection points, such as data from other systems and devices, can be added to its system, enabling it to grow and evolve with the shifting approaches of cybercriminals. Whether through the new insights that AppSensor provides or new and evolving ways of detecting unusual behaviour, the hope is that the industry can collaboratively make the application stronger.

Clayton Locke, chief technology officer, Intelligent Environments, comments: “For the first time, banks can now deploy security that responds from inside applications that are self-defending. By not being attack-aware, traditional security measures are like putting a lock on the door after the burglar is already inside the building. It’s not enough to have multi-layered security measures at the point of entry. It’s time we gave banks the chance to see what’s going on inside the applications that their customers are using and to collect valuable data metrics that are currently absent, giving them security software that can monitor and spot when user activity falls outside an acceptable pattern of behaviour and automatically takes action.”

Michael Coates, former Chairman of OWASP and founder of the OWASP AppSensor project comments: “I’m excited to see the defensive concept from the OWASP AppSensor project being used within products to provide the next level of defence for applications. OWASP’s mission is to raise the visibility of application security and anytime our tools and resources can be used as an inspiration to protect applications, we’re moving in the right direction. Secure design alone is not sufficient to protect today’s applications from attacks. We must use defensive approaches, such as those within the AppSensor project, to provide timely and contextual defence against application attackers.”