Systemic Cyber Risk: How the finance sector can bolster detection and response

By Nils Krumrey, Cybersecurity Expert, Logpoint

The financial sector has led the way in digital transformation in its bid to deliver agile, cloud-native, customer-centric services. But the move has been slow and painful, with numerous regulatory hurdles, and it has not yet fully delivered on its promise: a recent Ernst and Young survey found that 38% of respondents regard their digitally transformed services as underperforming. The move to a distributed network architecture has also painted something of a target on the back of a sector that is all too cognisant that the risk of a breach or cyber attack is now much higher.

According to the Bank of England’s Systemic Risk Survey Results – 2023 H2, the overwhelming majority (80%) think the top threat facing the sector is the risk of a cyber attack. This came out above geopolitical risk (66%) and inflation (57%) as potential destabilising factors. The twice-yearly report further found that cyber risk is at its highest ever level, and 70% said it would also be the most challenging risk to manage, so confidence in resilience is at a low.

So how are attacks manifesting? Topping the list of threats are backdoors, ransomware, and documents embedded with malware, according to IBM’s 2023 X-Force Threat Intelligence Index report. For the second year running, phishing is the leading infection vector (41%), followed by exploitation of public-facing applications (26%) and abuse of valid accounts (16%).

Monitoring activity

Detecting these attacks is paramount, and one of the most effective ways of doing so is application and network traffic monitoring. Data is collected from applications, network devices, servers and other entities on the network and analysed to spot indicators of compromise (IoCs).

A Security Information and Event Management (SIEM) solution collects all the security-related data, providing a centralised view over the entire infrastructure. In addition, monitoring the network can be used to check for compliance violations, data leakage or the misuse of sensitive personal data. However, in order to detect early signs of malicious activity, additional technologies are required that work with the SIEM to look for anomalies using user and entity analytics.

Malware is now so sophisticated that it can often evade detection by conventional means, and it is not until the payload executes that it becomes detectable. Execution typically changes files and directories, such as creating new files or changing a file’s extension, and this can only be spotted as a deviation if you know what normal looks like. This is where file integrity monitoring (FIM) can help: it creates a baseline that sets out how a file system is normally used. Any spike in file creation, renaming or deletion by a user or process can then quickly be identified, and the hash of a new or changed file compared with those in the VirusTotal database to identify the threat, which can then be remediated via a Security Orchestration, Automation and Response (SOAR) solution.
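The FIM workflow just described, as an added example that is not Logpoint’s code or part of the original article: a baseline snapshot of file hashes, a diff that reports creations, modifications, deletions and renames (including extension swaps), a spike check against the change rate of earlier polling intervals, and a hash lookup against a reputation set. The file paths, contents, interval history and the “known bad” hash set are all constructed; the reputation set stands in for a VirusTotal lookup.

```python
"""Added example: file integrity monitoring (FIM) baseline and change detection.
Not Logpoint code; paths, contents and the 'known bad' hash set are constructed."""
import hashlib
import os
from collections import defaultdict
from statistics import mean
from typing import NamedTuple, Optional


class FimEvent(NamedTuple):
    kind: str                      # created | modified | deleted | renamed
    path: str
    old_path: Optional[str] = None # set for renames
    sha256: str = ""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict) -> dict:
    """Baseline: map each path to the SHA-256 of its content.
    `files` is {path: bytes}; snapshot_dir() builds that from a real directory."""
    return {path: sha256_hex(content) for path, content in files.items()}


def snapshot_dir(root: str) -> dict:
    """Read a real directory tree into {relative_path: bytes} for snapshot()."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Compare two snapshots. A path that vanished while its hash reappears under
    a new name is reported as a rename (what an extension-swapping process
    produces), not as a delete plus a create. Content that was rewritten and
    renamed shows up as delete/create pairs and is still caught by volume."""
    events = []
    missing_by_hash = defaultdict(list)
    for path, digest in sorted(baseline.items()):
        if path not in current:
            missing_by_hash[digest].append(path)
    for path, digest in sorted(current.items()):
        if path in baseline:
            if baseline[path] != digest:
                events.append(FimEvent("modified", path, sha256=digest))
        elif missing_by_hash.get(digest):
            old = missing_by_hash[digest].pop(0)
            events.append(FimEvent("renamed", path, old_path=old, sha256=digest))
        else:
            events.append(FimEvent("created", path, sha256=digest))
    for paths in missing_by_hash.values():
        for path in paths:
            events.append(FimEvent("deleted", path, sha256=baseline[path]))
    return events


def extension_changes(events: list) -> list:
    """Renames that swap the file extension (e.g. .xlsx -> .locked)."""
    return [e for e in events if e.kind == "renamed"
            and os.path.splitext(e.old_path)[1] != os.path.splitext(e.path)[1]]


def is_spike(history: list, current: int, factor: float = 5.0, floor: int = 3) -> bool:
    """Flag an interval whose change count exceeds `factor` times the mean of
    earlier intervals and an absolute floor (a quiet share going from 0 to 1
    change is not a spike)."""
    baseline_rate = mean(history) if history else 0.0
    return current > max(factor * baseline_rate, floor)


def match_known_bad(events: list, known_bad: set) -> list:
    """Hashes of created or modified files checked against a reputation set
    (a constructed stand-in for a VirusTotal lookup)."""
    return [e for e in events if e.kind in ("created", "modified") and e.sha256 in known_bad]


def demo() -> dict:
    # Constructed sample: a share with four files, then one polling interval later.
    before = {"finance/q1.xlsx": b"q1 ledger", "finance/q2.xlsx": b"q2 ledger",
              "hr/payroll.csv": b"name,salary", "readme.txt": b"share notes"}
    after = {"finance/q1.xlsx.locked": b"q1 ledger", "finance/q2.xlsx.locked": b"q2 ledger",
             "hr/payroll.csv.locked": b"name,salary", "readme.txt": b"share notes (edited)",
             "note.txt": b"dropper"}
    known_bad = {sha256_hex(b"dropper")}     # constructed reputation entry
    events = diff_snapshots(snapshot(before), snapshot(after))
    history = [0, 1, 0, 1, 0]                # changes seen in the previous five intervals
    return {
        "renamed": sum(e.kind == "renamed" for e in events),
        "extension_changes": len(extension_changes(events)),
        "known_bad": [e.path for e in match_known_bad(events, known_bad)],
        "spike": is_spike(history, len(events)),
    }


if __name__ == "__main__":
    print(demo())
```

In a deployment the baseline would be taken with `snapshot_dir()` on a known-good system and stored out of reach of the monitored host, and the `known_bad` set would be replaced by a reputation query that feeds the SOAR playbook.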

As well as monitoring the network, it is also necessary to monitor user activity and access patterns. User and Entity Behaviour Analytics (UEBA) likewise baselines behavioural norms and can monitor access attempts to view critical transactions, disclosed corporate information or personal data, for instance. Moreover, it can detect and track attempts to connect to network elements such as closed ports or blocked internal connections. And if a connection attempt comes from a known-bad destination, an untrusted zone or a suspicious system, it can be flagged.

Joined up thinking

Another key consideration is that all the existing security and application monitoring technology can be harnessed as an early warning system, like a network of sensors. For example, there may be a lot of low-level activity on the network, but because each event is happening in isolation, none of it qualifies as an IoC. Once the dots (the logs and alarms) are connected, a different picture emerges, and one that could well be of more serious concern to the security analyst. Case management tools that consider all the indicators, artifacts and other context can be used in this way to build a security case that not only gives a clearer view of what is happening in the infrastructure but also aids decision making by proposing possible actions to take forward.
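An added example, not part of the original article and not Logpoint’s code, that covers both the UEBA baselining described under “Monitoring activity” and the case building described here: a per-user norm (zones and hours seen in successful logins) is learned from constructed history lines, later lines are mapped to weak indicators (failed login, login from an untrusted zone or outside hours, connection to a blocked internal destination or a known-bad destination, file-rename burst), and a case with artifacts and suggested actions is opened only when several distinct indicators for one user fall inside a time window. The log format, users, hosts, zones, destination lists, window and thresholds are all constructed.

```python
"""Added example: correlating weak signals into a security case.
Not Logpoint code. Log format, users, hosts, zones, destination lists
and thresholds are constructed for the demonstration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<iso-timestamp> <kind> user=<u> host=<h> zone=<z> [dst=<ip:port>]"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>\w+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"zone=(?P<zone>\S+)(?: dst=(?P<dst>\S+))?$"
)


def parse(line: str):
    m = LINE.match(line.strip())
    if not m:
        return None                  # unparseable lines are skipped, not guessed at
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def build_baseline(lines):
    """UEBA-style norm per user: zones and hours of day seen in successful logins."""
    zones, hours = defaultdict(set), defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        if ev["kind"] == "login_ok":
            zones[ev["user"]].add(ev["zone"])
            hours[ev["user"]].add(ev["ts"].hour)
    return {"zones": zones, "hours": hours}


def signals(lines, baseline, blocked_dst, bad_dst):
    """Map raw events to weak indicators (ts, user, kind, detail). None is an IoC alone."""
    out = []
    for ev in filter(None, map(parse, lines)):
        ts, user, kind = ev["ts"], ev["user"], ev["kind"]
        if kind == "login_ok":
            if ev["zone"] not in baseline["zones"].get(user, set()):
                out.append((ts, user, "login_from_untrusted_zone", ev["zone"]))
            if ts.hour not in baseline["hours"].get(user, set()):
                out.append((ts, user, "login_outside_hours", f"hour={ts.hour}"))
        elif kind == "login_fail":
            out.append((ts, user, "failed_login", ev["host"]))
        elif kind == "connect":
            if ev["dst"] in blocked_dst:
                out.append((ts, user, "blocked_internal_connect", ev["dst"]))
            if ev["dst"] in bad_dst:
                out.append((ts, user, "known_bad_destination", ev["dst"]))
        elif kind == "file_rename_burst":
            out.append((ts, user, "file_rename_burst", ev["host"]))
    return out


ACTIONS = {   # possible next steps the case carries forward to the analyst
    "failed_login": "review authentication logs for the account",
    "login_from_untrusted_zone": "reset credentials and require MFA re-enrolment",
    "login_outside_hours": "confirm the activity with the account owner",
    "blocked_internal_connect": "check the host for lateral-movement tooling",
    "known_bad_destination": "block the destination at egress and capture the host for forensics",
    "file_rename_burst": "isolate the host and compare file hashes against reputation data",
}


def correlate(sigs, window=timedelta(minutes=30), min_kinds=3):
    """Open a case for a user when at least `min_kinds` distinct indicator kinds
    occur within `window`; individually each would stay below a single-rule threshold."""
    cases, by_user = [], defaultdict(list)
    for s in sorted(sigs):
        by_user[s[1]].append(s)
    for user, items in by_user.items():
        for i, first in enumerate(items):
            in_win = [s for s in items[i:] if s[0] - first[0] <= window]
            kinds = sorted({s[2] for s in in_win})
            if len(kinds) >= min_kinds:
                cases.append({"user": user, "kinds": kinds,
                              "artifacts": [f"{s[0].isoformat()} {s[2]} {s[3]}" for s in in_win],
                              "actions": [ACTIONS[k] for k in kinds]})
                break                # one case per user; later signals attach to it
    return cases


def demo():
    # Constructed history used to learn what "normal" looks like for two users.
    history = [
        "2024-03-04T09:12:00 login_ok user=alice host=ws-017 zone=corp-lan",
        "2024-03-05T10:40:00 login_ok user=alice host=ws-017 zone=corp-lan",
        "2024-03-04T09:30:00 login_ok user=bob host=ws-022 zone=corp-lan",
        "2024-03-05T13:30:00 login_ok user=bob host=ws-022 zone=corp-lan",
    ]
    # Constructed events from one later night; each line alone looks unremarkable.
    today = [
        "2024-03-06T02:14:00 login_fail user=alice host=ws-017 zone=guest-wifi",
        "2024-03-06T02:15:10 login_ok user=alice host=ws-017 zone=guest-wifi",
        "2024-03-06T02:20:00 connect user=alice host=ws-017 zone=guest-wifi dst=10.0.5.20:445",
        "2024-03-06T02:31:00 connect user=alice host=ws-017 zone=guest-wifi dst=203.0.113.9:443",
        "2024-03-06T09:05:00 login_ok user=bob host=ws-022 zone=corp-lan",
        "2024-03-06T09:07:00 login_fail user=bob host=ws-022 zone=corp-lan",
        "garbage line that does not parse",
    ]
    blocked_dst = {"10.0.5.20:445"}   # constructed: internal destination that policy blocks
    bad_dst = {"203.0.113.9:443"}     # constructed: destination from a known-bad feed
    return correlate(signals(today, build_baseline(history), blocked_dst, bad_dst))


if __name__ == "__main__":
    for case in demo():
        print(case)
```

Only alice ends up with a case: five distinct indicators inside thirty minutes. bob’s single failed login at a normal hour from his usual zone produces one weak signal and no case, which is the point of correlating rather than alerting per event.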

For the financial sector, the likelihood is that demands are only going to intensify when it comes to protecting data from attack and meeting regulatory compliance requirements. Next year we will see a number of regulations step up these demands.

The Digital Operational Resilience Act (DORA) sets out to strengthen digital resilience in the financial sector through uniform requirements for the security of network and information systems, with significant financial penalties for non-compliance from January 2025. And the new Payment Card Industry Data Security Standard (PCI DSS) v4.0 becomes mandatory from March 2024. It has been specifically designed to accommodate distributed architectures and has undergone a number of changes, including more stringent access and authentication requirements, changes to testing, and changes to how the organisation chooses to comply.

These regulations demonstrate a commitment to making financial organisations more secure and accountable. Being able to demonstrate compliance as well as protect data is therefore a must, and so the sector will need to review how it intends to monitor and defend the estate. Applying technologies such as SOAR and UEBA in conjunction with the SIEM can help by enabling the organisation to combine approaches such as FIM, user activity monitoring and consolidated data into a qualified security case. Just as importantly, combining those technologies reduces complexity while providing visibility, so there is no need for the security analyst to log in and out of different interfaces: they can see everything they need through a single pane of glass.
