Cybersecurity Risk Considerations Across the Financial Sector
With the highest level of security among the 16 critical U.S. industries, financial institutions should take every opportunity to re-evaluate their posture against various types of cybersecurity risk.
The new decade has brought us a new level of awareness in cybersecurity; the Department of Homeland Security has recently stated there is a new heightened risk of cyber-attack against U.S. targets because of the increased tension around the globe.
Financial institutions have the highest level of security among the 16 critical U.S. industries—and by far the most stringent regulatory requirements. This current environment we now live in provides a good opportunity for all financial institutions of any size to re-evaluate the adequacy of their safeguards to protect against various types of cybersecurity risk.
Achieving a heightened security posture
The FDIC and other banking regulators have published a variety of ways financial institutions can improve their security maturity around areas such as business resilience, authentication, system configuration, security tooling, data protection and employee awareness training.
Every bank should always take the time to review domains such as but not limited to:
- Response and resilience capabilities: Review, update and test incident response, DR and business continuity plans.
- Authentication: Protect against unauthorized access.
- System configuration: Securely configure systems and services.
- Architecture: Review and assess your security architecture to include tools.
- Segmentation: Determine the business goal of enterprise segmentation.
One example of where financial institutions should take time to evaluate and review is in their enterprise segmentation strategy.
Financial institutions and segmentation
In visiting with large global financials and discussing security with Managing Directors and CSOs, I notice that most don't have a clear segmentation strategy. One global financial institution stated they had “roughly” 243 segments with no corporate governance around how it segments, another couldn’t answer and a third was in the middle of trying to determine best known methods for protecting applications across multiple cloud environments. As we all know, this requires visibility in order to properly inventory applications and understand their dependencies.
As we have read before from my WWT colleagues, there are some key questions that need to be answered before deciding on an enterprise segmentation solution, which include:
- What pieces of information do you want to segment? And why do they need to be segmented?
- Who should be granted access to segmented areas of the architecture?
- What applications will be affected as a result of segmentation?
- Who owns those applications?
Mature cybersecurity through collaboration
For most organizations, the ability to demonstrate compliance directly correlates to the maturity of their cybersecurity program. The ability to rapidly take inventory and assess operational risk from configuration management, vulnerability assessments and operational procedures is one way to build your baseline.
Adapting an application of the Capability Maturity Model Integration (CMMI) is one way you can measure the security capabilities of your organization and its ability to operate through various threats and vulnerabilities.
It’s understood that no network is 100 percent secure, but collaboration with your stakeholders to understand your environment and move toward a multi-vendor architecture that creates an integrated security platform will certainly mature your program.
Consider user and entity behavior analytics
An interesting challenge I have seen financial institutions struggle with and try and operationalize is around user and entity behavior analytics (UEBA). The UEBA market has been around for a while now, as we all know, but challenges remain in certain areas, such as applying analytical models to a very unpredictable user base.
I suspect in 2020 we will see UEBA shift from being more of a dedicated product to be a product feature for many of the leading OEMs. This move enables the analytics to be placed around specific activities rather than the generalized approach—for example, placing UEBA on the application workloads or on authentication workflows.
With such a prescriptive scope, there will be fewer false positives. Expect purpose-built UEBA to be more common and become a building block of a Zero Trust architecture we are all bracing for. A well thought out Zero Trust environment should be agile and dynamically adjustable to your unique business requirements, such as customer-facing services, geographic business expansion, public cloud services (AWS, Azure or Google) third-party vendors or suppliers and opening up critical branch or processing facilities.
To focus on this one step further, we've found that obtaining value and having successes with UEBA is entirely dependent on the organization’s commitment and the access and availability of advanced programming and analytics skills. For security departments, you also need to add threat analysis skills to the mix, so you can’t just hire a big data company around the block to build a security data lake, build all the plumbing and walk away.
We have seen many companies fall into this trap of Googling for easy use cases, taking a bunch of data and just plugging it into some canned ML algorithms in R or MATLAB or Splunk. Unfortunately, it doesn't work that way, and financial institutions will keep failing until they understand this.
Our advice here is to consider splitting this into two problems, UBA (user) and EBA (endpoint), since there are subtle differences in the modeling, especially once you begin to incorporate information from your SaaS providers on user activity into the overall security picture (this should be on your roadmap).
There are a couple of ways in which WWT may be able to help.
Using sample data either from you (preferred, though problematic due to privacy issues) or an online source, with some effort we might be able to derive a couple of compelling use cases. A focus here would be in demonstrating how home-grown analytics are able to identify and prevent attacks that get past traditional security controls.
We have begun doing truly novel work in UEBA on big data, with an emphasis on real-time analytics. We can provide a lot of insight into the general problems that your team is facing, as well as a lot of specific recommendations on the way forward.
Constantly evaluate where you stand
As always, the world of cybersecurity continues to evolve. It's apparent that my advice from the previous decade continues to ring true as we move forward: it is more important than ever to continually evaluate your security posture and stay up to date on what today's attacks look like and how to respond.
When financial institutions apply the appropriate cybersecurity and risk management foundational principles and risk mitigation techniques, they can reduce the risk of a cyber attack's success and minimize the negative impacts of a disruptive and destructive cyber-attack. This will ultimately affect the confidentiality, integrity and availability of their greatest assets.
Make sure you are following our Security Strategy topic to stay up to date with our latest on building secure IT infrastructures.