Financial institutions have always been heavily targeted by cyber criminals, and the professionals responsible for their security posture must keep working to stay ahead. We’re now seeing more sophisticated threat actors reinvesting the profits from earlier campaigns, such as cryptolocker ransoms, into their operations. The increasing tempo and audacity of attacks has gained mainstream media exposure, raising general awareness of the need for cyber security among businesses and individuals alike.
Organisations should capitalise on the increased exposure of cybercrime to educate employees on best practices, and foster discussions about issues such as social engineering. Build upon these experiences with interactive training so users can better protect themselves, and in turn prevent the compromise of credentials or endpoints.
The increased awareness of security only adds to the cybersecurity skills shortage, as security-mature organisations with seemingly limitless budgets ramp up hiring to improve their programmes. Smaller enterprises and SMBs can address the shortage by augmenting their security teams with managed services such as MDR (managed detection and response). Using managed services does not relinquish control or responsibility; it is an opportunity to hand off routine or specialist tasks for which your organisation lacks the people, processes or time. Augmenting your team this way should allow your staff to focus on the daily operations of DevSecOps, knowing someone is watching over your shoulder to alert and direct you when it really matters.
User error persists as one of the top patterns in cloud-based breaches. Although public cloud has been available for over 10 years, the prevalence of user error has been on a steady incline, and Gartner predicts that 99% of cloud security failures will be the user’s fault by 2025.* Although the 99% figure is likely hyperbole, the sentiment rings true. Public cloud providers operate on a shared responsibility model: the provider is responsible for the security of the cloud, but users must take responsibility for the security of what they deploy in the cloud. Providers have made consistent improvements to the security of the cloud, but the same is not true of the average user’s security in the cloud.
The transition towards remote and hybrid working models has added fuel to this fire. Some organisations have prioritised speed and agility, including migrating certain workloads to the cloud, often at the expense of implementing appropriate security controls. Consider an IT admin tasked with getting on-premises workloads into the public cloud. The quickest way to achieve this is a lift-and-shift exercise: copying the on-premises application as-is onto IaaS. Not only is this a sub-optimal use of the advantages of cloud computing, it is also the least secure. Suddenly the application that used to sit behind layers of firewalls and other security controls is exposed publicly. Any default passwords or unpatched vulnerabilities that were not reachable behind the layers of the datacentre can now be exploited.
This scenario is all too common. Verizon scanned public-facing assets and found that ~40% had unpatched vulnerabilities disclosed between 2006 and 2017.** Without a clear migration and modernisation strategy, the admin falls back on all that they know – processes and policy built for data centre deployments. Cloud-native security tools and managed services exist to address some or all of your cloud security responsibilities. While cloud providers apply some controls by default to greenfield deployments, such as AWS blocking public S3 buckets by default, the majority must be configured and maintained by the user. It is important that decision makers know which security controls suit their threat model.
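To make the lift-and-shift exposure above concrete, here is an added example written for this article (not Alert Logic's tooling or any AWS-provided script). It audits security-group rules in the dictionary shape returned by boto3's `ec2.describe_security_groups()` and reports every ingress rule that is open to the whole internet on anything other than the plain web ports, naming the administrative services (SSH, RDP, database listeners) that the rule exposes. The two sample groups, their ids, the VPN CIDR and the admin-port list are constructed assumptions; the second group shows the same application with administrative access restricted to an internal range, which is the configuration the first should have had.

```python
"""Audit AWS security-group ingress rules for exposure to the whole internet.

Added example for this article, not Alert Logic's or AWS's code. The sample
groups below are constructed in the dictionary shape that boto3's
ec2.describe_security_groups() returns, so the audit runs offline with no
AWS credentials or API calls.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Services a lift-and-shift migration often leaves listening that should never
# be reachable from the internet directly (assumed list; adjust to taste).
ADMIN_PORTS = {
    22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
    5432: "postgres", 6379: "redis", 27017: "mongodb",
}

# Ports a public web tier legitimately exposes (assumption for this example).
ALLOWED_PUBLIC_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    group_id: str
    protocol: str
    from_port: Optional[int]
    to_port: Optional[int]
    cidr: str
    reason: str


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (a /0 prefix covers every address)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def audit_security_groups(groups: list) -> list:
    """Return one Finding per world-open ingress rule that is not a plain web port."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world_open(cidr):
                    continue                      # scoped to a specific range: fine
                if proto == "-1":                 # "all traffic" rule
                    findings.append(Finding(gid, "all", None, None, cidr,
                                            "all protocols and ports open to the internet"))
                    continue
                if proto not in ("tcp", "udp"):   # e.g. ICMP: no port semantics
                    continue
                lo, hi = perm["FromPort"], perm["ToPort"]
                if lo == hi and lo in ALLOWED_PUBLIC_PORTS:
                    continue                      # expected for a web tier
                exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
                if exposed:
                    reason = "admin ports exposed: " + ", ".join(
                        f"{p}/{ADMIN_PORTS[p]}" for p in exposed)
                else:
                    reason = "non-web port range open to the internet"
                findings.append(Finding(gid, proto, lo, hi, cidr, reason))
    return findings


# Constructed sample: the lifted-and-shifted app and its hardened equivalent.
SAMPLE_GROUPS = [
    {   # SSH and a wide high-port range left open to everyone
        "GroupId": "sg-0a1b2c3d4e5f67890",       # constructed id
        "GroupName": "legacy-app-lift-and-shift",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # Same application; admin access only from an internal VPN range
        "GroupId": "sg-0fedcba9876543210",       # constructed id
        "GroupName": "legacy-app-hardened",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},   # constructed VPN CIDR
        ],
    },
]


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f.group_id} {f.protocol} {f.from_port}-{f.to_port} from {f.cidr}: {f.reason}")
```

Run against real output by passing `ec2.describe_security_groups()["SecurityGroups"]` to `audit_security_groups`; the same check belongs in CI for infrastructure-as-code so the rule is caught before it is deployed rather than after.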
Organisations must take a forward-thinking approach to public cloud and hybrid environments. First, identify the reason(s) for moving to the cloud; common drivers are efficiency, agility, accessibility and a move to OpEx. Then build an adoption policy around the three principles of migration, modernisation and optimisation. Security needs to be addressed at each stage, and a phased approach makes this manageable: a zero-trust model such as Google’s should be an end goal, but identify areas where you can crawl, walk and then run. Multicloud is becoming increasingly popular because certain providers’ services are optimal for different outcomes. While multicloud makes the best use of the benefits of cloud, it adds complexity, because securing and managing multiple IaaS platforms requires expertise in each. If possible, consider a staged migration into each platform, and ensure that you have adequate visibility across all clouds in a centralised tool.
Financial Organisations will continue to be the most targeted.
With the primary motivation for breaches being financial, it is no surprise that the majority of attacks are made against financial organisations. Of the customers that Alert Logic secures, it is the fintechs that generate the highest proportion of incidents, and this trend has been echoed across the Threat Detection and Response (TDR) industry. Financial organisations need to be aware of the target on their back and act proportionately.
Finally, whatever controls are implemented, each silo must be monitored continuously, and IT and security personnel should be equipped to respond to every threat. UEBA should be used to identify when users behave abnormally, preventive controls should be monitored, and endpoint, log and network traffic should be inspected daily.
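The behavioural monitoring described above reduces, at its simplest, to a baseline-and-deviation check. The following added example (written for this article, not Alert Logic's product logic) builds a per-user baseline of login countries and working hours from a history of authentication events, then flags later successful logins that fall outside it: a login from a country the user has never used, a login at an unusual hour, or a first-ever login for an unknown account. The log format, usernames, countries and IP addresses (taken from the RFC 5737 documentation ranges) are constructed for the example; production UEBA uses richer features and statistical baselines, but the shape of the check is the same.

```python
"""Baseline-and-deviation check over authentication events (toy UEBA).

Added example for this article, not Alert Logic's product logic. The log
format, users, countries and IP addresses are constructed; the addresses
come from the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed line format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>success|failure)$"
)

# Constructed history window used to learn what "normal" looks like.
HISTORY = """\
2024-03-04T08:12:33Z user=alice src=203.0.113.10 country=GB result=success
2024-03-04T17:40:02Z user=alice src=203.0.113.10 country=GB result=success
2024-03-05T09:03:11Z user=alice src=203.0.113.22 country=GB result=success
2024-03-05T08:55:47Z user=alice src=203.0.113.10 country=GB result=success
2024-03-04T14:20:09Z user=bob src=198.51.100.7 country=US result=success
2024-03-05T15:02:51Z user=bob src=198.51.100.7 country=US result=success
2024-03-05T15:10:00Z user=bob src=198.51.100.9 country=US result=failure
""".splitlines()

# Constructed events for the day under review.
TODAY = """\
2024-03-06T09:30:15Z user=alice src=203.0.113.10 country=GB result=success
2024-03-06T03:10:44Z user=alice src=192.0.2.77 country=RO result=success
2024-03-06T14:45:30Z user=bob src=198.51.100.7 country=US result=success
2024-03-06T11:00:00Z user=carol src=198.51.100.40 country=US result=success
2024-03-06T12:00:00Z user=eve src=192.0.2.9 country=DE result=failure
""".splitlines()


def parse(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def build_baseline(events, margin_hours=1):
    """Per user: countries logged in from, and earliest/latest login hour widened by a margin."""
    countries = defaultdict(set)
    hours = defaultdict(list)
    for e in events:
        if e["result"] != "success":
            continue                 # failures do not establish normal behaviour
        countries[e["user"]].add(e["country"])
        hours[e["user"]].append(e["ts"].hour)
    return {
        user: {
            "countries": countries[user],
            "hours": (max(0, min(hours[user]) - margin_hours),
                      min(23, max(hours[user]) + margin_hours)),
        }
        for user in countries
    }


def detect(baseline, events):
    """Return (user, timestamp, reason) tuples for successful logins that break the baseline."""
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        ts = e["ts"].isoformat()
        profile = baseline.get(e["user"])
        if profile is None:
            alerts.append((e["user"], ts, "first successful login seen for this user"))
            continue
        if e["country"] not in profile["countries"]:
            alerts.append((e["user"], ts, f"login from new country {e['country']}"))
        lo, hi = profile["hours"]
        if not lo <= e["ts"].hour <= hi:
            alerts.append((e["user"], ts,
                           f"login at {e['ts'].hour:02d}:00 UTC outside usual {lo:02d}-{hi:02d}"))
    return alerts


def run_example():
    """Learn from HISTORY, then review TODAY."""
    baseline = build_baseline(parse(line) for line in HISTORY)
    return detect(baseline, [parse(line) for line in TODAY])


if __name__ == "__main__":
    for user, ts, reason in run_example():
        print(f"ALERT {ts} {user}: {reason}")
```

The same pattern extends to other features a monitoring team has on hand (source ASN, device id, data volumes moved); the point is that detection needs a learned baseline per user and a daily review of what deviates from it, not just a list of blocked addresses.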
Compromise must be treated as inevitable, so 24/7 visibility into the actions, configurations and topology of devices and networks is essential to maintain business continuity. Organisations should evaluate tools such as XDR and SIEM to facilitate holistic visibility, and understand which approach they need. Do you have adequate and capable staff to monitor 24/7/365? Do you have staff who can consistently tune the security tool set to extract value and actionable insights? Can you use threat intelligence to stay ahead of zero-day and emerging threats?
If your answer is “no” to any of the above points, then a managed detection and response approach may be best for you.
* “Is the Cloud Secure?” Smarter with Gartner, October 10, 2019
** Verizon 2021 Data Breach Investigations Report (DBIR), Figure 31
About the Author
Josh Davies is a Product Manager at Alert Logic. Formerly a Security Analyst and Solutions Architect, Josh has extensive experience working with mid-market and enterprise organisations, conducting incident response and threat hunting activities as an analyst before working with organisations to identify appropriate security solutions for challenges across cloud, on-premises and hybrid environments.