The recently acknowledged multi-million dollar hacks of Bangladesh's Central Bank, Vietnam's Tien Phong Bank and Ecuador's Banco del Austro have put the sensitive topic of network security even more front and center for financial institutions.
Firms are drowning in a wealth of potential threat data provided by their security tools, industry peers and governments, but integrating this data into a company's security operations can be tricky, according to Colin McKinty, vice president of cyber security at BAE Systems Applied Intelligence.
“Just because you’ve read 10 or 15 medical books, that doesn’t make you a doctor,” he said. “You have to find some way of using that information in an operational, defensive manner.”
McKinty separates attacks into known attack methods, such as phishing for user account data, and the unknown and novel threats that hackers keep creating.
For known attacks, it is recommended that firms regularly inoculate themselves by updating their systems with new threat indicators, which are often detailed in post-breach research reports, and by applying automated security rules and detection signatures in their operations.
Detecting unknown attack types requires a more nuanced approach, especially in today's hyper-connected financial services environment. One critical step is to determine whether an identified anomaly is malicious or not.
“It takes you away from the black-and-white world of what is bad or not, into a gray world of what could be bad,” said McKinty. “It requires an extra step of putting that data into the proper context so that you can make the right decision.”
To help generate that context, many firms bring together all of the data from the single-point solutions they have deployed on their network over the past decade, including firewalls, intrusion detection and prevention systems, endpoint protection tools, and network traffic captures.
Integrating additional data, such as threat intelligence and data from the assets themselves, can further enrich the context, he added.
“Imagine an asset database alerting users that it detected suspicious activity coming from an IP address, assigned to this machine that belongs to this person who has this email address,” said McKinty. “Bringing in this extra information provides a more complete picture so that people can make decisions as quickly as possible and mediate and remove the threat from the organization.”
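The enrichment McKinty describes (an alert naming an IP address, joined to the asset database to find the machine, then to the directory to find the owner and their email, and checked against known indicators from post-breach reports) is simple to show in code. The following is an added example, not BAE Systems code or code from the article; every data source in it (the threat-intelligence feed, the asset database, the identity directory and the IDS alert lines) is constructed for illustration, and the alert line format is an assumption.

```python
"""Enrich raw IDS alerts with asset, identity and threat-intelligence context.

Added example with constructed data; not BAE Systems' tooling. The
known-indicator check covers the 'known attack' path, the asset/identity
join builds the context an analyst needs for the 'gray area' cases.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed threat-intelligence feed: indicator -> where it was reported.
THREAT_INTEL = {
    "198.51.100.7": "C2 server listed in a post-breach report (constructed)",
    "203.0.113.9": "credential-phishing host (constructed)",
}

# Constructed asset database: internal IP -> machine and responsible owner.
ASSET_DB = {
    "10.0.0.5": {"hostname": "wks-trading-12", "owner": "jdoe"},
    "10.0.0.9": {"hostname": "srv-payments-gw", "owner": "ops-team"},
}

# Constructed identity directory: owner id -> contact details.
DIRECTORY = {
    "jdoe": {"email": "jdoe@example.com", "department": "Trading"},
    "ops-team": {"email": "ops@example.com", "department": "Infrastructure"},
}

# Assumed alert line format (hypothetical, not a real IDS format).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) ALERT src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>.+)$"
)


@dataclass
class EnrichedAlert:
    timestamp: str
    src_ip: str
    dst_ip: str
    signature: str
    hostname: str = "unknown"
    owner: str = "unknown"
    owner_email: str = "unknown"
    department: str = "unknown"
    intel_match: Optional[str] = None
    verdict: str = "review"


def parse_alert(line: str) -> EnrichedAlert:
    """Turn one raw alert line into an un-enriched EnrichedAlert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return EnrichedAlert(m["ts"], m["src"], m["dst"], m["sig"])


def enrich(alert: EnrichedAlert) -> EnrichedAlert:
    """Join the alert against asset, identity and threat-intel data."""
    # Step 1: asset context. Which machine, and who is responsible for it?
    asset = ASSET_DB.get(alert.src_ip)
    if asset:
        alert.hostname = asset["hostname"]
        alert.owner = asset["owner"]
        person = DIRECTORY.get(asset["owner"])
        if person:
            alert.owner_email = person["email"]
            alert.department = person["department"]
    # Step 2: known-bad indicators. A match is black-and-white: act on it.
    for candidate in (alert.dst_ip, alert.src_ip):
        if candidate in THREAT_INTEL:
            alert.intel_match = THREAT_INTEL[candidate]
            alert.verdict = "known-bad"
            return alert
    # Step 3: no indicator match. This is the gray area; flag missing
    # context explicitly so the analyst knows what they are not seeing.
    if alert.hostname == "unknown":
        alert.verdict = "review-unmanaged-asset"
    return alert


def summarize(alert: EnrichedAlert) -> str:
    """One-line analyst view, in the shape of McKinty's example."""
    return (f"{alert.verdict}: {alert.signature} from {alert.src_ip} "
            f"({alert.hostname}, owned by {alert.owner} <{alert.owner_email}>, "
            f"{alert.department})" +
            (f"; intel: {alert.intel_match}" if alert.intel_match else ""))


def triage(lines: List[str]) -> List[EnrichedAlert]:
    return [enrich(parse_alert(ln)) for ln in lines if ln.strip()]


# Constructed sample alerts.
SAMPLE_ALERTS = """
2016-05-20T10:15:02Z ALERT src=10.0.0.5 dst=198.51.100.7 sig=outbound beacon
2016-05-20T10:16:40Z ALERT src=10.0.0.9 dst=192.0.2.44 sig=unusual payment volume
2016-05-20T10:18:11Z ALERT src=10.0.0.77 dst=192.0.2.44 sig=port scan
"""

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS.splitlines()):
        print(summarize(a))
```

The first sample alert matches a published indicator and comes back as known-bad with the owning machine and contact already attached; the second has full asset context but no indicator, so it is handed to an analyst with that context; the third comes from an IP the asset database does not know, and the verdict says so rather than silently leaving the fields at "unknown". That last distinction is the practical payoff of the join: an unmanaged source asset is itself a finding.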
However, McKinty warns that 'big data' for network security has been overhyped and often doesn't leave the development sandbox.
“It’s easy to experiment with big data,” he said. “You can stand up a big-data platform, throw some data at it, and find some interesting results. But putting that into a firm’s day-to-day business operations actually is very challenging.”