Financial institutions will always be highly targeted by cyber criminals, and the professionals accountable for their security posture must keep adapting to stay ahead. We are now seeing more sophisticated threat actors reinvesting the profits of earlier campaigns, for example CryptoLocker ransoms, into their operations. The growing tempo and audacity of attacks has gained mainstream media exposure, raising general awareness among businesses and individuals of the need for cyber security.
Organisations should capitalise on this attention on cybercrime to educate employees on security guidelines and to foster discussion of issues such as social engineering. Build on that with interactive training so users can better protect themselves and, as a result, prevent the compromise of credentials or endpoints.
Increased awareness of security also adds to the cybersecurity skills shortage, as security-mature organisations with large budgets ramp up hiring to enhance their programmes. Smaller enterprises and SMBs can address the shortage by augmenting their security teams with managed services such as MDR. Using managed services does not mean relinquishing control or responsibility; it is an opportunity to hand off routine or specialist tasks for which your organisation lacks the people, processes or time. Augmenting your team this way should let your staff focus on the daily operations of dev/sec/ops, knowing that someone is watching over your shoulder to alert and guide you when it really matters.
Cloud
User error remains among the top patterns in cloud-based breaches. Despite public cloud having existed for over 10 years, the prevalence of user error has been on a steady incline, and Gartner predicts that 99% of cloud security failures will be the user's fault by 2025.* Although the 99% figure is probably hyperbole, the sentiment rings true. Public cloud providers work on a shared responsibility principle: the provider is responsible for the security of the cloud, but users must take responsibility for the security of what they deploy in the cloud. Providers have made consistent improvements to the security of the cloud; the same is not true of the average user's security in the cloud.
The transition to remote and hybrid working models has added fuel to this fire. Some organisations have prioritised agility and speed, including migrating certain workloads to the cloud, often at the cost of implementing appropriate security controls. Consider an IT admin tasked with getting on-premises workloads into the public cloud. The fastest method is a simple lift-and-shift exercise: copying the on-premises application onto IaaS. Besides making sub-optimal use of the advantages of cloud computing, this is also the least secure approach. Suddenly the application, which used to sit behind layers of firewalls and other security controls, is exposed publicly. Any default passwords or unpatched vulnerabilities that were never reachable through the layers of the data centre can now be exploited.
This scenario is all too common. Verizon scanned public-facing assets and found that ~40% had unpatched vulnerabilities disclosed between 2006 and 2022.** With no clear migration and modernisation strategy, the admin falls back on what they know: processes and policy designed for data centre deployments. Cloud-native security tools and managed services exist to cover some or all of your cloud security responsibilities. While cloud providers implement some controls by default for new deployments, such as AWS preventing public S3 buckets, the majority must be configured and maintained by the user. It is crucial that decision makers understand which security controls fit their threat model.
Strategy
Organisations must take a forward-thinking approach to public cloud and hybrid environments. First, establish the reason for moving to the cloud; common drivers are efficiency, agility, accessibility and a move to OpEx. Build an adoption policy around the three principles of migration, modernisation and optimisation. Security needs to be addressed at each and every stage, and a phased approach makes this manageable. For instance, Google's zero-trust model should be the end goal, but identify where you can crawl, then walk, then run. Multicloud has become increasingly popular because different providers' services are optimal for different outcomes; while it makes the best use of the advantages of the cloud, it adds complexity, since securing and managing multiple IaaS platforms requires expertise in each. If at all possible, consider a staged migration into each cloud and ensure that you have adequate visibility across all of them in a centralised tool.
Financial organisations will remain the most targeted
With the main motivation for breaches being financial, it is no wonder that the majority of attacks are made against financial organisations. Of the customers that Alert Logic secures, it is the fintechs that generate the highest proportion of incidents, and this trend is echoed across the threat detection and response industry. Financial organisations have to be aware of the target on their back and act proportionately.
Finally, whatever controls are implemented, each silo should be monitored continuously and IT/security personnel should be equipped to respond to any threat. UEBA should be used to identify when users behave abnormally, preventive controls should be monitored, and endpoint, log and network traffic should be inspected daily.
Compromise should be treated as inevitable, so 24/7 visibility into the actions, configurations and topology of devices and networks is essential to maintaining business continuity. Organisations should evaluate tools such as XDR and SIEM to achieve holistic visibility and to understand which approach is needed. Do you have adequate and capable staff to watch 24/7/365? Do you have staff who can consistently tune the security tool set to extract value and actionable insights? Can you use threat intelligence to stay ahead of 0-day and emerging threats?
If your answer is "no" to any of the above, a managed detection and response approach may be right for you.
* "Is the Cloud Secure?" Smarter with Gartner, October 10, 2022
** Verizon 2021 DBIR, Figure 31