By Faiz Shuja, Co-Founder & CEO at SIRP
As an industry built on the flow of money, the financial sector has always been in the sights of criminals looking for a big pay day. Criminal activity has historically ranged from complex fraud schemes to more direct attempts at robbery, but in the digital era these threats have largely been superseded by cyber crime.
Outsiders and criminal gangs are constantly evolving their attack techniques. Meanwhile, unscrupulous employees may be tempted to abuse their access privileges to carry out an untraceable inside job. As a result, both the volume and sophistication of attacks have steadily increased in recent years.
Official figures from the FCA reported last year found that cyber incident reports from the UK finance sector jumped an astonishing 1,000 percent in 2018. Research has also found that roughly 70 percent of UK finance companies suffered some form of security incident in the last 12 months.
Alongside the growing capabilities of threat actors, the financial sector has also undergone dramatic changes in recent years. If anything, this has made it an even more attractive target. The race is on to transition fully to online services accessed via mobile and other Internet-enabled platforms. Young digital-native challengers such as Monzo have moved quickly to eat up sizeable chunks of the market. Caught by surprise, traditional bricks-and-mortar institutions are playing catch-up. Intense effort is being spent digitising their services and bringing them to market as quickly as possible.
While customers may now enjoy a wide range of high-quality digital offerings, it also means financial services companies have an increased attack surface for cyber criminals to penetrate.
A wide array of threats
The financial sector is surrounded by cyber threats in all directions. On one side are APTs (advanced persistent threats) that make use of sophisticated tools and techniques to infiltrate bank networks to extract customer credentials or steal money from their bank accounts. Such attacks are usually the work of organised criminal gangs, or even of state-sponsored threat actors.
Attackers also have bank customers themselves in their sights. A common technique is to target customers with phishing emails that impersonate their bank or building society to trick them into sharing login credentials or financial information.
Separately, firms must also deal with malicious insiders abusing their privileged positions to access sensitive data. Insider trading is one example of this.
Keeping pace with security automation
Long accustomed as the centre of criminal attention, the financial sector is arguably the most mature and developed industry for security and privacy policies. In the cyber world, however, threats evolve at frightening pace. Banks and other financial institutions have little choice but to adapt fast to keep up.
Financial institutions have invested heavily in security solutions such as SIEM (security information and event management), EDR (endpoint detection and response) and next-generation firewalls. These tools identify attacks and perform behavioural analytics to detect the unusual behaviour patterns that signify both external intruders and malicious insiders.
Detecting threats is only half the battle, however. With security analysts battling through a huge caseload of threat alerts, it can take an hour or more for every new threat to be assessed and responded to. This delay gives attackers ample time to complete their attack. In some cases, the sheer quantity of incoming threats may mean an alert is overlooked entirely.
The key to keeping up with the punishing pace of cyber threats is to automate as much of the workload as possible. Automating time-consuming manual tasks reduces cyber security analysts' workload, allowing them to concentrate on investigating and responding to the most serious threats. It also reduces the risk of alerts being missed.
Orchestrating cyber defences
While automation is essential for defending against modern cyber threats, the truth is that implementing it is a time-consuming process. There is no magic wand to simply automate everything – each process must be thoroughly assessed and understood.
This means organisations should focus their automation efforts on the areas that are generating the largest workload. Phishing and web-based attack analytics, for example, both generate significant incident volumes requiring investigation. Automation of these processes would have an immediate impact, freeing up a great deal of time. Many low level threats and false positives could be resolved without any need for human intervention.
For best results, automation strategies should be combined with a risk-based approach tailored to the organisation's unique circumstances. Factors such as size, structure, objectives and attitude to risk can dramatically change the threats a business faces and its optimal response. Deploying a SOAR (Security Orchestration, Automation and Response) solution is an effective way to manage threat detection and response, as well as the longer-term strategic management and prioritisation of different risks.
Threat alerts from SIEM (Security Information and Event Management) can be displayed in a single dashboard, enabling security analysts to quickly and reliably identify the most pressing threats and prioritise accordingly. At the same time, this data can be used to prioritise how automation and other defensive measures are rolled out across the company.
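The three preceding paragraphs describe one procedure: feed SIEM alerts into a SOAR playbook, weight them by the organisation's own risk profile, auto-resolve the low-level and false-positive phishing cases, and surface the rest in priority order. The script below is an added illustration of that triage loop; it is not SIRP's code or a product feature. The asset criticality table, the firm's domain (examplebank.com), the allowlisted newsletter sender, the alert records and the score thresholds are all constructed assumptions, and the lookalike-domain check is a deliberately simple edit-distance test rather than a full phishing analyser.

```python
"""Risk-based SIEM alert triage, SOAR-playbook style (illustrative, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Organisation-specific risk profile (assumed values: tune these per firm).
# Criticality multiplies the SIEM severity so the same rule firing on the
# SWIFT gateway outranks it firing on a guest Wi-Fi client.
ASSET_CRITICALITY = {"swift-gateway": 5, "core-banking-db": 5, "hr-laptop": 2, "guest-wifi": 1}
LEGIT_DOMAINS = {"examplebank.com"}                  # the firm's own domains (assumed)
ALLOWLISTED_SENDERS = {"newsletter.examplebank.com"}  # known-benign bulk senders (assumed)
ESCALATE_AT, INVESTIGATE_AT = 12, 5                  # decision thresholds (assumed)


@dataclass
class Alert:
    alert_id: str
    source: str            # SIEM rule family, e.g. "phishing", "privileged-access"
    severity: int          # 1..5 as reported by the SIEM
    asset: str             # affected asset, looked up in ASSET_CRITICALITY
    details: Dict[str, str] = field(default_factory=dict)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spoofs of the firm's domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if the domain is close to, but not actually, one of the firm's domains."""
    domain = domain.lower()
    for legit in LEGIT_DOMAINS:
        if domain == legit or domain.endswith("." + legit):
            return False                               # genuinely ours
        if edit_distance(domain, legit) <= 2:
            return True
    return False


def score_alert(alert: Alert) -> Tuple[int, List[str]]:
    """Combine SIEM severity with the firm's risk profile and per-rule enrichment."""
    crit = ASSET_CRITICALITY.get(alert.asset, 1)
    score = alert.severity * crit
    reasons = [f"severity {alert.severity} x asset criticality {crit}"]
    if alert.source == "phishing":
        domain = alert.details.get("sender", "").rsplit("@", 1)[-1].lower()
        if domain in ALLOWLISTED_SENDERS:
            return 0, ["allowlisted sender: closed as false positive"]
        if is_lookalike(domain):
            score += 6
            reasons.append(f"sender domain {domain} is a lookalike of the firm's domain")
        if int(alert.details.get("recipients", "1")) >= 10:
            score += 2
            reasons.append("campaign hit 10+ mailboxes")
    if alert.source == "privileged-access" and alert.details.get("off_hours") == "true":
        score += 4
        reasons.append("privileged access outside business hours")
    return score, reasons


def decide(score: int) -> str:
    if score >= ESCALATE_AT:
        return "escalate"
    if score >= INVESTIGATE_AT:
        return "investigate"
    return "auto_close"


def triage(alerts: List[Alert]) -> List[dict]:
    """Score every alert and return them highest risk first, each with a decision."""
    results = []
    for alert in alerts:
        score, reasons = score_alert(alert)
        results.append({"alert_id": alert.alert_id, "score": score,
                        "decision": decide(score), "reasons": reasons})
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample alerts standing in for a SIEM feed.
SAMPLE_ALERTS = [
    Alert("A1", "phishing", 3, "hr-laptop", {"sender": "alerts@examp1ebank.com", "recipients": "40"}),
    Alert("A2", "phishing", 2, "hr-laptop", {"sender": "news@newsletter.examplebank.com"}),
    Alert("A3", "privileged-access", 4, "core-banking-db", {"off_hours": "true"}),
    Alert("A4", "web-scan", 2, "guest-wifi"),
    Alert("A5", "malware", 3, "hr-laptop"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(f"{r['alert_id']:>3} score={r['score']:>2} {r['decision']:<12} {'; '.join(r['reasons'])}")
```

Run stand-alone, the script prints the queue an analyst would see: the off-hours access to the core banking database and the lookalike-domain phishing campaign sit at the top, the routine malware alert is queued for investigation, and the scan against guest Wi-Fi and the allowlisted newsletter are closed automatically. Changing the criticality table or thresholds is how the same playbook is tailored to a different firm's risk appetite.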
As one of the primary targets for cyber criminal activity, the financial sector will always be among the first to face the latest developments in attack tools and techniques. With the judicious application of automation, however, firms can give their security teams the tools and the time to detect and deal with the influx of threats. At the same time, a risk-based SOAR approach orchestrates defences to help them keep up with the rapidly changing threat landscape.