Ross Brewer, VP and MD EMEA, LogRhythm
Technology has advanced to the point that today’s financial services organisations, such as brokers, fund managers, insurers and banks, are constantly connected. However, there is a dark side to this connectedness: cybercrime.
According to research conducted by Accenture earlier this year, cyberattacks cost financial services firms more than any other industry, with the rate of breaches in the industry trebling over the past five years.
The reason financial services organisations are such a target is that they collect, process and store huge amounts of funds, data and personally identifiable information.
Firewalls, spam filters and antivirus tools are an important first line of defence, but they are no longer enough. Being able to detect and respond to these attacks means being able to monitor across systems and networks for anomalous activity, receive timely alarms, and rapidly respond by shutting down or quarantining threats.
Battling external and internal threats
External threats (e.g., the distributed denial-of-service (DDoS) attacks that threatened multiple Taiwanese brokerages, or ransomware such as WannaCry or NotPetya) attract media attention and need to be guarded against, but they’re far from the only reason financial organisations need robust security. An even greater threat may lurk within. The financial services sector sees staff move frequently from one organisation to another, representing a risk to data and the bottom line. In fact, one in four employees have reported taking data from an employer when leaving a job, according to file-sharing service provider Biscom.
Worryingly, this puts client lists, trading algorithms and strategies, strategic plans and other data at risk. Furthermore, if internal activity isn’t monitored, there is the potential of insider trading enabled by improper access.
Financial services organisations also need to be conscious of the regulatory environment in which they operate. Whether it’s Sarbanes-Oxley, GDPR or regulation from the FCA, companies must be able to document that they have operated in compliance with regulations, or face restrictions and financial penalties. Being able to clearly track activity, and respond proactively to any deficiencies, is another reason why a clear, holistic view of system-wide activity is crucial.
The growing importance of NextGen SIEM
Addressing these threats and challenges requires a multi-level approach, with a security suite that incorporates next-generation security information and event management (NextGen SIEM) as the foundation. Security monitoring across systems provides visibility of activity across the organisation. Building a good understanding of what constitutes normal activity makes spotting unusual activity possible.
Monitoring capabilities help with detection of attacks such as DDoS by picking up sudden spikes in bandwidth usage over a short timeframe and utilising deep packet inspection to increase visibility and understanding of what traffic is flowing into the network. Additionally, tools such as NextGen SIEM monitor public-facing web applications, alerting on any signs of disruption or lack of availability.
For a financial services firm, such as an insurer or a bank, this could mean a reduced mean time to detect (MTTD) attacks and a quicker mean time to respond (MTTR) – allowing breaches to be quickly thwarted and damage minimised and contained.
For private equity firms or hedge funds, the same tools can help detect insider threats. For example, if a staff member is accessing information related to accounts they don’t work on, it may indicate an insider trading threat. If that information is being shared to a cloud sharing site, such as Dropbox or Google Drive, it may indicate the theft of data ahead of that employee moving to a competitor.
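The insider-threat scenario just described, as an added example of the correlation a SIEM rule would apply: out-of-scope account access raises a medium alarm, and a sizeable upload to a cloud-sharing site after that access escalates it to high. This is illustrative code written for this article, not LogRhythm's product or rules; the log formats, the book-of-business mapping, the cloud-sharing host list and the 1 MB threshold are constructed assumptions.

```python
import re

# Constructed sample events (assumed formats): a portfolio-system access log and a proxy log.
ACCESS_LOG = """\
2024-03-04T09:02:11Z user=alice action=view account=ACC-1001
2024-03-04T09:05:42Z user=alice action=view account=ACC-2200
2024-03-04T09:07:03Z user=bob action=view account=ACC-3300
2024-03-04T09:08:19Z user=alice action=export account=ACC-2200
"""
PROXY_LOG = """\
2024-03-04T09:10:55Z user=alice method=PUT host=www.dropbox.com bytes=5242880
2024-03-04T09:11:30Z user=bob method=GET host=news.example.test bytes=12000
"""
# Hypothetical book-of-business mapping: the accounts each employee works on.
ASSIGNED = {"alice": {"ACC-1001"}, "bob": {"ACC-3300"}}
CLOUD_SHARING_HOSTS = {"www.dropbox.com", "drive.google.com"}
KV = re.compile(r"(\w+)=(\S+)")

def parse(log):
    # 'timestamp k=v k=v ...' lines become dicts carrying a 'ts' key
    events = []
    for line in log.splitlines():
        ts, rest = line.split(" ", 1)
        events.append(dict(KV.findall(rest), ts=ts))
    return events

def out_of_scope_access(access_events):
    """{user: [(ts, account, action)]} for accesses outside the user's assignments."""
    hits = {}
    for ev in access_events:
        if ev["account"] not in ASSIGNED.get(ev["user"], set()):
            hits.setdefault(ev["user"], []).append((ev["ts"], ev["account"], ev["action"]))
    return hits

def cloud_uploads(proxy_events, min_bytes=1_000_000):
    """{user: first ts} of sizeable uploads to cloud-sharing hosts (log assumed chronological)."""
    first = {}
    for ev in proxy_events:
        if ev["host"] in CLOUD_SHARING_HOSTS and ev["method"] in ("PUT", "POST") \
                and int(ev["bytes"]) >= min_bytes:
            first.setdefault(ev["user"], ev["ts"])
    return first

def correlate(access_log=ACCESS_LOG, proxy_log=PROXY_LOG):
    """Medium alarm for out-of-scope access alone; high if a cloud upload follows it."""
    oos = out_of_scope_access(parse(access_log))
    uploads = cloud_uploads(parse(proxy_log))
    alarms = []
    for user, hits in sorted(oos.items()):
        escalated = user in uploads and uploads[user] >= min(ts for ts, _, _ in hits)
        alarms.append({"user": user, "severity": "high" if escalated else "medium",
                       "accounts": sorted({a for _, a, _ in hits})})
    return alarms
```

In the sample, bob only touches his own account and never uploads, so only alice is alarmed, and at high severity because her Dropbox upload follows her access to ACC-2200.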
As security operations teams increasingly seek to monitor their environment so they can detect malicious activity and prepare a rapid response, there is a growing demand for user and entity behaviour analytics (UEBA). Firms can use UEBA to obtain deep visibility into user activity, helping detect insider threats, compromised accounts, privileged account abuse and other user-based threats. In environments where millions can be made, lost or transferred in a moment, this can provide a vital check against unauthorised activity.
Another advantage of having a clear picture of the organisation’s activity is that the data can be used to document compliance with regulatory requirements. With little additional effort or expense, another key business need can be addressed, reducing possible errors and easing the audit process.
Ultimately, keeping intruders out is an essential first line of defence for today’s financial services firms. But quickly detecting and responding to breaches is crucial. With investment firms, asset managers and banks dealing with huge amounts of data, it’s nearly impossible for them to do this manually. Only by utilising intelligent security tools that can automatically flag a compromise straight away will firms feel safe in the knowledge that they are doing everything they can to protect their assets, data and customers.