Why the finance sector needs to focus more on threat detection

Tim Wallen, Regional Director for the UK, US and Emerging Markets, Logpoint


The financial sector is one of the most highly regulated industries in the world, yet confidence in its resilience to withstand attacks remains low. According to the Bank of England’s Systemic Risk Survey Results – 2023 H2[1], 80% of respondents said the top threat facing the sector was the risk of a cyber attack, which was rated above geopolitical risk (66%) and inflation (57%). The survey, conducted twice a year, found that cyber risk is at its highest ever level, and 70% of respondents said it would be the most challenging risk to manage.

Despite being a forerunner in digital transformation, the sector is still struggling to make headway. According to an Ernst and Young survey[2], 38% said transformations were underperforming, with the move to customer-centric, cloud-native processes slow and the stakes high. IBM’s 2023 X-Force Threat Intelligence Index report[3] states that the top threats within the vertical are the creation of backdoors and ransomware. The most common method of compromise is a phishing attack, while the second is exploitation of public-facing applications.

Application and network traffic monitoring are therefore essential to protect customer data and to ensure regulatory compliance. It’s necessary to collect and analyse data from applications, network devices, servers, and the rest of the infrastructure in order to create a single view of what is going on. At the same time, monitoring needs to check for compliance violations, data leakage or misuse of sensitive personal data.


Building on the SIEM

Collating and analysing logs in a Security Information and Event Management (SIEM) solution can provide this level of visibility. But in order to detect early signs of malicious activity, additional technologies are needed that work in concert with the SIEM and make use of user and entity analytics to look for anomalies.

File integrity monitoring (FIM), for instance, can be used to spot indicators associated with malware. It creates a clear baseline of how the file system is normally used, which means that any spike in file creation, renaming or deletion by a user or process can be quickly identified. When the security analyst detects changes to files and directories, such as the creation of new files or a change in file extension typically associated with the execution of a malware payload, they can perform an automated investigation, compare the file’s hash value with those in the VirusTotal database, and then remediate the threat using Security Orchestration, Automation and Response (SOAR).

It’s also possible to put controls in place to monitor user access. User activity monitoring that utilises User and Entity Behaviour Analytics (UEBA) can provide an overview of access to critical transactions, disclosed corporate information, personal data and so on. In terms of the network itself, attempts to connect to closed ports or blocked internal connections can also be detected and tracked, as can connections to known-bad destinations, requests from untrusted zones, or suspicious system access.

These technologies can even be used to provide an early warning system, like a network of sensors. For example, there may be a lot of low-level activity, and while each incident in itself may not qualify as an indicator of compromise (IoC), once the dots (or logs and alarms) are connected it paints a very different picture, one that warrants further investigation. A case management tool can perform this role by considering all the indicators, artifacts and other context to build a security case.
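The three paragraphs above describe a pipeline: FIM baselines per-process file activity and flags bursts, network monitoring flags blocked connections and known-bad destinations, and a case tool only opens a case once several low-level indicators line up on the same host. The following Python sketch, added here as an illustration and not code from Logpoint or the author, runs that logic over constructed sample events. The baseline of 5 operations per minute, the spike factor, the hosts and process names, the TEST-NET-3 address used as a "known-bad" destination, and the local hash denylist that stands in for an external VirusTotal lookup are all assumptions made for the example.

```python
"""Toy detection pipeline: FIM spikes + network indicators -> per-host cases."""
import hashlib
from collections import Counter, defaultdict

# Constructed file-activity events: (minute, host, process, action, path). Not real telemetry.
FIM_EVENTS = [
    (0, "ws-01", "winword.exe", "create", "C:/Users/a/report.docx"),
    (0, "ws-01", "winword.exe", "modify", "C:/Users/a/report.docx"),
    (1, "ws-01", "svchost.exe", "modify", "C:/Windows/Temp/log.txt"),
] + [
    # 40 renames in one minute by a single process: a burst far above the baseline.
    (3, "ws-01", "unknown.exe", "rename", f"C:/Users/a/docs/file{i}.docx") for i in range(40)
] + [
    (5, "ws-02", "explorer.exe", "create", "C:/Users/b/notes.txt"),
]

# Constructed connection log: (minute, host, dst_ip, dst_port, outcome).
NET_EVENTS = [
    (2, "ws-01", "198.51.100.4", 443, "allowed"),
    (3, "ws-01", "203.0.113.7", 8443, "allowed"),   # destination is on the block list
    (4, "ws-02", "10.0.5.20", 445, "blocked"),       # attempt to a closed internal port
    (4, "ws-02", "10.0.5.20", 3389, "blocked"),
]

KNOWN_BAD_DESTINATIONS = {"203.0.113.7"}   # placeholder from the TEST-NET-3 documentation range
BASELINE_OPS_PER_MINUTE = 5                # assumed "normal" create/rename/delete rate per process
SPIKE_FACTOR = 4                           # alert when a bucket exceeds factor x baseline

# Constructed payload and local denylist; stands in for a VirusTotal hash lookup.
SAMPLE_PAYLOAD = b"constructed sample payload, not real malware"
DENYLIST = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}


def fim_spike_alerts(events, baseline=BASELINE_OPS_PER_MINUTE, factor=SPIKE_FACTOR):
    """Count create/rename/delete ops per (host, process, minute); flag buckets over threshold."""
    buckets = Counter()
    for minute, host, process, action, _path in events:
        if action in ("create", "rename", "delete"):
            buckets[(host, process, minute)] += 1
    alerts = []
    for (host, process, minute), n in sorted(buckets.items()):
        if n > factor * baseline:
            alerts.append({"host": host, "type": "fim_spike",
                           "detail": f"{process} performed {n} file ops in minute {minute}"})
    return alerts


def network_alerts(events, known_bad=KNOWN_BAD_DESTINATIONS):
    """Flag connections to known-bad destinations and blocked attempts to closed ports."""
    alerts = []
    for minute, host, dst, port, outcome in events:
        if dst in known_bad:
            alerts.append({"host": host, "type": "known_bad_destination",
                           "detail": f"connection to {dst}:{port} at minute {minute}"})
        elif outcome == "blocked":
            alerts.append({"host": host, "type": "blocked_connection",
                           "detail": f"blocked attempt to {dst}:{port} at minute {minute}"})
    return alerts


def hash_matches_denylist(file_bytes, denylist=DENYLIST):
    """Compare a file's SHA-256 against a denylist (offline stand-in for a reputation service)."""
    return hashlib.sha256(file_bytes).hexdigest() in denylist


def build_cases(alerts, min_distinct_types=2):
    """Group alerts by host and open a case only when several different indicator
    types coincide, so one blocked connection on its own does not become a case."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)
    cases = {}
    for host, host_alerts in by_host.items():
        types = {a["type"] for a in host_alerts}
        if len(types) >= min_distinct_types:
            cases[host] = {"indicator_types": sorted(types), "alerts": host_alerts}
    return cases


if __name__ == "__main__":
    all_alerts = fim_spike_alerts(FIM_EVENTS) + network_alerts(NET_EVENTS)
    for host, case in build_cases(all_alerts).items():
        print(host, case["indicator_types"])
        for a in case["alerts"]:
            print("  -", a["type"], a["detail"])
```

With the constructed data, ws-01 produces both a FIM spike and a connection to the listed destination and therefore becomes a case, while ws-02's two blocked connection attempts remain low-level alerts only. The `min_distinct_types` threshold is the knob that turns a stream of individually unremarkable alarms into something an analyst is asked to look at.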

Compliance as a driver

Going forward, compliance demands are likely to increase. The Digital Operational Resilience Act (DORA) sets out to strengthen digital resilience in the financial sector through uniform requirements for the security of network and information systems, with significant financial penalties for non-compliance from January 2025. Many financial organisations will also be tightening up their payment handling processes under the new Payment Card Industry Data Security Standard (PCI DSS) v4.0, which becomes mandatory from March 2024.

These regulations have been revised to make them more fit for purpose in today’s distributed environments and to counter the growing threat to our financial systems from malicious attackers. They will require financial organisations to up their game when it comes to threat detection and defence, but it’s also important to minimise complexity to ensure visibility and rapid response. Combining technologies such as SOAR and UEBA with the SIEM can provide the security team with that single pane of glass to both ensure compliance and monitor the attack surface.

[1] Bank of England’s Systemic Risk Survey Results – 2023 H2

[2] Ernst and Young survey

[3] IBM’s 2023 X-Force Threat Intelligence Index report
