Art Coviello, ex-CEO, RSA Security

The banks are serious about security. There is no doubt about that – their very existence depends on tight, elegant security. So why are there so many security breaches, why do so many banks pay off ransomware attackers, and how do they miss so many instances of fraud? In fact, are they any better than any other corporate entity when it comes to security?

A new research note from McAfee and Ovum hints at why the situation may still be quite bad. Almost 73 percent of financial institutions report working with over 25 cyber security tools, which lengthen response times and reduce effectiveness.

The report analyses the decision-making process of financial institutions when it comes to cybersecurity and outlines the critical gaps in security infrastructure that need to be closed to ensure financial institutions remain ahead of attackers. That there are any significant gaps is worrying in itself.

The one to many rule

The interconnected nature of underlying financial systems means that cyber attacks against one bank can quickly open the door to attacks on several banks. As a result, financial services are facing the same issues globally – and must work together to address these and adopt best practice.

The Ovum report finds that an overwhelming number of financial institutions, especially Tier 1 and 2, deploy between 100 and 200 disparate security solutions. The report also finds that three percent of global financial services institutions use over 100 security solutions, reducing effectiveness and creating additional operational cost. This increases their organisation’s cyber risk exposure.

Adding to security teams’ burdens: 37 percent of respondents deal with over 200,000 daily security alerts. Security teams are overwhelmed by sifting through and prioritising the vast number of alerts that each security tool generates, with little cohesive, adaptive threat-intelligence sharing between the various tools.

The sheer amount of manpower required to sift through each alert accurately drains resources and leaves security teams drowning in IT complexity. Not surprisingly, over a third of respondents across EMEA, US and APAC listed integrating and maintaining disparate security tools as their top operational pain point.

The Ovum study says that 40 percent of respondents indicated that faster threat discovery is their first or second security priority.

To enable quicker threat detection, over 70 percent of organisations are planning strategic investments in cloud, web and ATM security.

Greater automation, integration and orchestration are necessary first steps to provide relief to these teams, and they can only be delivered through a unified threat defence architecture. Moving to an open source communications fabric can significantly improve efficiency and effectiveness for organisations by simplifying the integration of disparate tools and enabling the sharing of threat data between them.

Nigel Bolt, vice president, McAfee said: “Banks are so bogged down in legacy solutions and fragmented security point products that cyber criminals are able to take advantage of this confusion and disconnect. They’re lurking amongst the complexity of architecture systems, undetected, ready to strike. It is no longer enough to focus on protecting the network, the customers and their data. The key to avoiding disaster scenarios is to have the capabilities in place to detect a threat in real-time and correct any damage before it has a chance to spread.”

Bolt is on the right path, but IT security for most enterprises has got too broad, too deep and too expensive. A recent light at the end of the tunnel was what the security industry called ‘threat intelligence’. This meant that clients were encouraged to concentrate on the attackers most likely to target them: publishers such as the Economist on the hackers most likely to attack publications, regional hospitals in the US on their own most likely attackers, and so on. What is threat intelligence? Gartner has defined threat intelligence as: “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

The banks should realise that only threat intelligence can narrow down the expected attack vector. As Art Coviello put it, as he deftly side-stepped the dramatic RSA Security hack of 2010 at their annual jamboree: “We have to presume that the hackers are already inside the perimeter.” But the secret is to prepare for the right attackers. Criminal hackers, like any other groupings in this complex world, tend to specialise. Therefore the Chaos Computer Club, APT28 (which is, unsurprisingly, an Advanced Persistent Threat group) and Anonymous each have their own favourite targets. Find out who they are and concentrate on protecting yourself from them.
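The two threads of this piece, alert overload from tools that do not share intelligence and the advice to concentrate on the attackers who actually target your sector, can be shown together in a small triage routine. The Python below is an added example, not code from the article, McAfee or Ovum. It normalises alerts from three constructed tools (netmon, proxy and edr, each with its own output format) into one schema, collapses duplicates raised for the same indicator on the same asset, and ranks what remains against a constructed threat-intelligence feed keyed by the sectors each actor is known to target. All tool names, record formats, indicators, hostnames, actor labels and scoring weights are assumptions made up for the example.

```python
"""Alert triage with sector-aware threat intelligence.

Added example, not code from the article, McAfee or Ovum. Every tool,
format, indicator, hostname and actor label here is constructed.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    indicator: str        # IP, domain or file hash the tool flagged
    indicator_type: str   # "ip", "domain" or "sha256"
    asset: str            # host the alert concerns
    severity: int         # normalised 1 (low) .. 5 (critical)
    source_tool: str


# --- per-tool parsers: each constructed tool reports in its own format ------

_WORD_SEVERITY = {"low": 1, "medium": 2, "high": 4, "critical": 5}


def parse_netmon(raw: str) -> Alert:
    """Constructed 'netmon' tool: JSON with src_ip, host and a word severity."""
    d = json.loads(raw)
    return Alert(d["src_ip"], "ip", d["host"], _WORD_SEVERITY[d["level"]], "netmon")


def parse_proxy(raw: str) -> Alert:
    """Constructed 'proxy' tool: CSV line 'dest,host,score' with score 0-100."""
    dest, host, score = raw.strip().split(",")
    kind = "ip" if dest.replace(".", "").isdigit() else "domain"
    sev = max(1, min(5, (int(score) + 19) // 20))   # 0-100 -> 1-5
    return Alert(dest, kind, host, sev, "proxy")


def parse_edr(raw: str) -> Alert:
    """Constructed 'edr' tool: key=value pairs with a sha256 and risk 1-10."""
    kv = dict(p.split("=", 1) for p in raw.split())
    sev = max(1, min(5, (int(kv["risk"]) + 1) // 2))  # 1-10 -> 1-5
    return Alert(kv["sha256"], "sha256", kv["host"], sev, "edr")


PARSERS = {"netmon": parse_netmon, "proxy": parse_proxy, "edr": parse_edr}

# Constructed threat-intelligence feed (placeholder indicators, not real IoCs):
# indicator -> actor label and the sectors that actor is known to target.
THREAT_INTEL = {
    "198.51.100.23":   {"actor": "EXAMPLE-ACTOR-A", "sectors": {"finance", "retail"}},
    "blocked.example": {"actor": "EXAMPLE-ACTOR-B", "sectors": {"healthcare"}},
    "a" * 64:          {"actor": "EXAMPLE-ACTOR-A", "sectors": {"finance", "retail"}},
}

# Constructed sample alerts, as (tool, raw record) pairs the tools would emit.
SAMPLE_EVENTS = [
    ("netmon", '{"src_ip": "198.51.100.23", "host": "atm-gw-01", "level": "medium"}'),
    ("proxy", "198.51.100.23,atm-gw-01,40"),           # second tool, same indicator
    ("netmon", '{"src_ip": "198.51.100.23", "host": "atm-gw-01", "level": "high"}'),
    ("proxy", "blocked.example,ws-0142,85"),
    ("edr", "host=ws-0142 sha256=" + "a" * 64 + " risk=9"),
    ("proxy", "cdn.example,ws-0203,30"),               # noise: no intel match
]


def triage(raw_events, org_sector):
    """Normalise, de-duplicate and rank alerts for an organisation in org_sector.

    Returns a list of dicts, highest priority first. Priority = normalised
    severity, plus one per additional corroborating tool, plus 3 if the
    indicator belongs to an actor known to target org_sector (1 if the
    actor is known but targets other sectors).
    """
    merged = {}
    for tool, raw in raw_events:
        a = PARSERS[tool](raw)
        key = (a.indicator, a.asset)
        entry = merged.setdefault(key, {"indicator": a.indicator, "type": a.indicator_type,
                                        "asset": a.asset, "severity": 0, "tools": set()})
        entry["severity"] = max(entry["severity"], a.severity)
        entry["tools"].add(a.source_tool)

    ranked = []
    for entry in merged.values():
        intel = THREAT_INTEL.get(entry["indicator"])
        score = entry["severity"] + len(entry["tools"]) - 1
        entry["actor"] = intel["actor"] if intel else None
        if intel:
            score += 3 if org_sector in intel["sectors"] else 1
        entry["priority"] = score
        entry["tools"] = sorted(entry["tools"])
        ranked.append(entry)
    ranked.sort(key=lambda e: (-e["priority"], e["indicator"]))
    return ranked


if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS, "finance"):
        print(f'{e["priority"]:>2}  {e["indicator"][:20]:<20} {e["asset"]:<10} '
              f'{",".join(e["tools"]):<13} {e["actor"]}')
```

Running the file prints the ranked queue for a finance organisation: six raw alerts collapse to four, and the two indicators attributed to the finance-targeting actor rise to the top even though one of them was reported at only medium severity by the first tool. Ranking the same events for a healthcare organisation puts the other actor's indicator first, which is the point of sector-specific intelligence: the same telemetry, prioritised for the attackers most likely to be after you.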

Closing the Cybersecurity Gaps in Financial Services, a global survey from Ovum, is sponsored by McAfee.

by Bill Boyle
IBS Intelligence Senior Editor