

By Ian Pratt, co-founder and President of Bromium


Verizon’s 2017 Data Breach Investigations Report revealed that financial services organisations are the most common victims of cybercrime, with 24% of all data breaches occurring within this sector. Reducing the scale of this problem is far from easy, as much of the financial services industry continues to rely on detection-based security to defend against attacks. This approach means financial services firms are constantly one step behind hackers when it comes to cyber security, and the gap is only getting bigger. We have seen that the vast majority of malware hashes are seen for a matter of just seconds before the code changes, and most malware is only seen once – even with AI and automation, detection software simply can’t keep up. In fact, with so many malware variants available at the fingertips of cyber criminals, detecting every malicious program is not just impractical – it’s mathematically impossible.

While the security industry is struggling to find a way to detect every possible threat that the banks might come up against, Alan Turing’s famous proof of the halting problem demonstrated over 80 years ago that this can’t be done. In 1936, Turing showed that no standard algorithm can predict an outcome for every possibility without sinking into a logical paradox. In other words, there is no program that can predict a yes/no outcome (or even won’t halt/will halt or safe/malicious) for every possibility, because the algorithm can easily be contradicted. Like casting out a net that tries to cover absolutely everything, it will get tangled in itself. On the other hand, if the net isn’t cast widely enough, there will always be something that is missed. As we’ve seen from the recent high-profile security breach at Tesco Bank that saw £2.5 million stolen from 9,000 customer accounts, the consequences of an attack slipping below the radar can be all too painful in the financial services industry.
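The contradiction behind Turing's argument can be shown in a few lines. The sketch below is an added illustration, not code from the article or from Bromium; the detector functions, the `judge` helper and the "harmful"/"benign" labels are hypothetical stand-ins, and nothing harmful is executed.

```python
# Added illustration (not from the article): the self-reference argument in miniature.
# "harmful" / "benign" are stand-in labels only.
from typing import Callable

Program = Callable[[], str]
Detector = Callable[[Program], bool]      # True means "flag as malicious"

def make_contrarian(detector: Detector) -> Program:
    """Build a program that asks the detector about itself, then does the opposite."""
    def program() -> str:
        return "benign" if detector(program) else "harmful"
    return program

def judge(detector: Detector) -> str:
    """Compare the detector's verdict on its contrarian with what that program does."""
    program = make_contrarian(detector)
    try:
        flagged = detector(program)
    except RecursionError:
        # The detector ran the program, which consulted the detector, and so on:
        # it never reaches a verdict (the "does not halt" case).
        return "no verdict"
    actually_harmful = program() == "harmful"
    return "correct" if flagged == actually_harmful else "wrong"

# Three hypothetical detectors: two static, one that executes the sample.
def flag_everything(program: Program) -> bool:
    return True

def flag_large_code(program: Program) -> bool:
    return len(program.__code__.co_code) > 64

def flag_by_running(program: Program) -> bool:
    return program() == "harmful"

if __name__ == "__main__":
    for d in (flag_everything, flag_large_code, flag_by_running):
        print(f"{d.__name__}: {judge(d)}")
```

Any detector that always returns an answer is wrong about the program built from it, and a detector that tries to settle the question by running the sample never answers at all.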

In the red with mutating malware

This problem, all too familiar to the security pros tasked with protecting the banks from the threat of cybercrime, has been compounded by the rise of polymorphic malware. Polymorphic malware is designed to avoid signature-based detection software, as the code is automatically transformed each time it is delivered, so attacks can’t be traced back to a single piece of malicious software. To put the problem this creates into perspective, researchers at Columbia have shown there are many more possible strains of polymorphic malware than there are atoms in the universe. No amount of computing power can search the possibilities.

This is not a fight that the financial services industry, or indeed any other sector, can win. We have to accept that computers are more like us than we think, and cannot reliably distinguish the good from the bad. Those trying to keep the banks’ systems secure need to dig themselves out of this reactive rut and look at how to build proactive defences, without relying on detection-based algorithms. To provide an effective line of defence, security technology should be focused on what it can defend: the user’s environment for individual workers within the bank. From application sandboxes to white-listing and behaviour analysis, the industry has the groundwork in place. But these solutions often come at a price – sacrifices to performance and user flexibility that affect productivity.

Virtualisation has been around for some time, but in an attempt to protect the user without compromising on performance, companies are starting to look at using virtualisation technology to secure their organisations. Microsoft, for example, recently announced that it plans to protect Edge browser users using its Hyper-V virtualisation technology.

Tipping the balance by letting malware run

Advances in modern CPU architectures have made it possible to create micro-VMs (virtual machines) that sit on the endpoint, and granularly isolate each user task in an individual, disposable virtual environment. These micro-VMs operate at the hardware level, meaning they can be created and destroyed in milliseconds for every task the user performs – from opening up an email attachment containing a seemingly legitimate financial report, to clicking on a link that takes them to a malicious landing page.

Because every new task is isolated in its own micro-VM with access to just the resources required for that task, when malware executes it cannot impact the underlying physical machine, or any of the other tasks in their own micro-VMs. The malware is unable to access other data, persist on the machine or access other systems on the enterprise network – it has nothing to steal and nowhere to go. This kind of micro-virtualisation could be the answer that banks are looking for, as users are protected by the CPU before malware is even detected. As such, cybercriminals can’t use their most successful tactics, such as phishing attacks, to gain a foothold on bank workers’ terminals from which they can leapfrog onto other systems to steal sensitive account information or capture logins to secure systems.

Running tasks in micro-VMs allows their behaviour to be monitored from outside the micro-VM, capturing a black-box flight recorder trace of their execution that can’t be erased by any malware running inside. The trace can be monitored for deviations from expected execution behaviour, thus indicating the presence of malware, even polymorphic malware. Full forensic data can be collected before the micro-VM is destroyed. This keeps banks one step ahead of their attackers, allowing a safe environment to collect intelligence on the latest hacking techniques being used against them and demonstrate that their customers’ finances are in safe hands.
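One way to check a recorded trace for deviations from expected behaviour, shown as an added example rather than any vendor's implementation: the event format, the `PROFILES` table and the sample trace are all constructed for illustration. The check looks only at what the task did, so it is unaffected by byte-level changes to the code that did it.

```python
# Added illustration; the event schema and profile are hypothetical, not a product format.
from fnmatch import fnmatchcase

# Expected behaviour per task type: what a task of this kind needs and nothing more.
PROFILES = {
    "open_document": {
        "proc_start": ["viewer.exe"],
        "file_write": ["C:/Users/*/AppData/Local/Temp/viewer-*"],
        "net_connect": [],               # a document viewer needs no network
    },
}

# Constructed trace, as recorded from outside one micro-VM (oldest event first).
SAMPLE_TRACE = [
    {"seq": 1, "type": "proc_start", "target": "viewer.exe"},
    {"seq": 2, "type": "file_write",
     "target": "C:/Users/alice/AppData/Local/Temp/viewer-cache.tmp"},
    {"seq": 3, "type": "proc_start", "target": "cmd.exe"},
    {"seq": 4, "type": "file_write",
     "target": "C:/Users/alice/AppData/Roaming/updater.exe"},
    {"seq": 5, "type": "net_connect", "target": "203.0.113.10:443"},
]

def deviations(task, trace):
    """Return (seq, reason, target) for every event the task profile does not cover."""
    profile = PROFILES.get(task)
    if profile is None:
        raise KeyError(f"no profile for task type {task!r}")
    found = []
    for event in trace:
        allowed = profile.get(event["type"])
        if allowed is None:
            # Event kinds the profile never mentions are reported, not ignored.
            found.append((event["seq"], "unprofiled event type", event["target"]))
        elif not any(fnmatchcase(event["target"], pat) for pat in allowed):
            found.append((event["seq"], f"unexpected {event['type']}", event["target"]))
    return found

if __name__ == "__main__":
    for seq, reason, target in deviations("open_document", SAMPLE_TRACE):
        print(f"event {seq}: {reason}: {target}")
```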

Challenging the norm

By proving that the halting problem was ‘undecidable’ in computing terms, Turing demonstrated that an all-seeing algorithm that can predict anything cannot logically exist. The current approach to security is unworkable, and if banks continue to rely on detection-based software to keep the bad guys out of the digital vault, the hackers will continue to win. We don’t need ‘next gen’ detection software, we need to start again, and look at new technologies that won’t just turn the tide against cybercriminals, but will force hackers to meet on a battleground of our choosing.