Security teams at large financial institutions are responsible not only for managing the execution of countless financial transactions spread across a myriad of IT environments (headquarters, branch offices, data centers, and remote work locations), but also for diligently detecting threats that may be lurking in those environments. By their nature, financial services organizations are an attractive target for criminal gangs and state-sponsored cyber attackers. Just recently, the U.S. division of China’s biggest lender was hit with a ransomware attack, which disrupted trades in the U.S. Treasury market.
Add to that the responsibility for safeguarding sensitive customer data and critical infrastructure to meet regulatory requirements, a hesitation to rely on automation when dealing with advanced persistent threats, and a crowded tech stack, and the result is a weighty challenge for Security Operations Center (SOC) teams. Unfortunately, many traditional security tools provide neither full network visibility nor the critical evidence analysts need, and they often overwhelm security teams with false alarms.
Lacking Full Network Visibility Presents Risks
While most enterprise organizations use a combination of tools in their tech stack to detect the early warning signs of trouble, too often the emphasis is placed solely on Endpoint Detection and Response (EDR).
EDR primarily monitors and analyzes activity on individual devices (e.g., servers, laptops and smartphones), and it is absolutely a core component of security. But it ignores network traffic in cloud and on-premises environments. And because it requires installing a software “agent” on every system it monitors, it is largely ineffective in environments with large bring-your-own-device user bases or proprietary operational technology systems.
Monitoring the network for anomalous traffic and other suspicious activity is one of the most impactful ways to detect threats. Because of this, financial services organizations can’t afford to ignore network traffic. Financial services organizations that lack full network visibility are at greater risk of being attacked through network access points, allowing cyber attackers to remain undetected on their network for long periods of time. When this happens, bad actors can conduct reconnaissance on the network, acquire additional privileges, search for higher-value assets, and then begin exfiltrating them. They can even plan out larger-scale attacks such as ransomware.
The most successful threat detection and response programs combine EDR capabilities with Network Detection and Response (NDR) solutions, which continually monitor network traffic for cybercriminal activity and suspicious behavior.
Cutting Through the Network’s Noise
Understanding the importance of network visibility is one thing. Actively monitoring it and responding is another challenge. Detecting threats early and having the actionable insight needed to respond before damage can be done is the ultimate goal for security analysts. With so much network activity taking place each day, legacy security solutions are bound to trigger a high volume of event alerts.
With networks running at very high capacity, it’s difficult for security analysts to determine which threats are false alarms and which need immediate attention. In this situation, it’s far too easy for cybercriminals to slip through the cracks and onto company networks.
A natural response to this overwhelming volume of alerts would be to eliminate the human element and look for an automated response mechanism. Of course, in the case of mission-critical systems run by financial institutions executing many high-value monetary transactions, any error in an automated response would be costly.
Advanced NDR tools, however, monitor network traffic for suspicious behavior and, once it is detected, prioritize alerts based on confidence level and urgency. The response to high-confidence, serious, and imminent threats can be automated, but the rest must still be reviewed by professional analysts. This built-in automated event triage helps security teams cut through the noise so they can focus immediately on the most important security events. Advanced NDR tools also provide proactive threat hunting with actionable insights, so security professionals can respond quickly and strategically before any sensitive corporate, financial, or customer data can be stolen.
A Real-World Use Case
Here’s a look at NDR in action: at a large European central bank, malicious spyware evaded endpoint defenses and company-wide browser restrictions, moving undetected through the financial institution’s network.
Thankfully, the bank’s NDR solution helped its security team uncover never-before-seen network communications – illustrating the importance of monitoring network traffic – which allowed them to respond before any sensitive customer, state, or country data was breached.
Here’s how it worked. While testing a new feature of the bank’s NDR solution, the organization was alerted to never-before-seen network communications. Upon further review, it was determined that a member of the infrastructure team had unknowingly installed an adware program on their laptop. To make matters worse, the malicious agent was attempting a spyware-like exfiltration.
This activity was only detected at the network level. Ultimately, the discovery of unusual traffic allowed the organization to open an incident, evaluate the impact, and determine whether any additional points of quarantine were needed.
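The two mechanisms this article describes, flagging never-before-seen network communications (the use case above) and then triaging the resulting alerts by confidence and urgency so that only high-confidence, urgent ones go to automated response (the "Cutting Through the Network’s Noise" section), can be sketched in a few dozen lines. The following is an added example written for this page; it is not Stamus Networks code and does not reflect how any real NDR product scores alerts. The baseline, the flow records, the 203.0.113.x address (a documentation range), the score weights and the 80/80 routing threshold are all constructed assumptions.

```python
"""Added example (not Stamus Networks code): first-seen flow detection
followed by confidence/urgency triage. All data below is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str        # internal host that opened the connection
    dst: str        # destination host name or IP
    dport: int      # destination port
    bytes_out: int  # bytes sent from src to dst


@dataclass
class Alert:
    flow: Flow
    reasons: List[str]
    confidence: int  # 0-100: how sure we are this is malicious
    urgency: int     # 0-100: how quickly it needs handling

    @property
    def route(self) -> str:
        # Assumed policy: only alerts that are BOTH high-confidence and
        # urgent are handed to automated response (e.g. host quarantine);
        # everything else is queued for an analyst, as the article argues.
        if self.confidence >= 80 and self.urgency >= 80:
            return "automated_response"
        return "analyst_review"


class FirstSeenDetector:
    """Remembers every (src, dst, dport) triple seen so far and raises an
    alert the first time a new one appears, i.e. a never-before-seen
    communication for that host. Score weights are assumptions."""

    def __init__(self, baseline: Iterable[Tuple[str, str, int]],
                 known_dsts: Iterable[str]) -> None:
        self.seen: Set[Tuple[str, str, int]] = set(baseline)
        self.known_dsts: Set[str] = set(known_dsts)

    def process(self, flow: Flow) -> Optional[Alert]:
        key = (flow.src, flow.dst, flow.dport)
        if key in self.seen:
            return None          # routine traffic, nothing to report
        self.seen.add(key)
        reasons = ["first communication between this host and destination"]
        confidence, urgency = 40, 30
        if flow.dst not in self.known_dsts:
            # No host in the estate has ever talked to this destination.
            reasons.append("destination never seen organisation-wide")
            confidence, urgency = confidence + 25, urgency + 20
            self.known_dsts.add(flow.dst)
        if flow.dport not in (80, 443):
            reasons.append(f"non-standard outbound port {flow.dport}")
            confidence, urgency = confidence + 15, urgency + 20
        if flow.bytes_out > 1_000_000:
            reasons.append(f"large outbound volume ({flow.bytes_out} bytes), "
                           "consistent with exfiltration")
            confidence, urgency = confidence + 10, urgency + 20
        return Alert(flow, reasons, min(confidence, 100), min(urgency, 100))


# Constructed baseline: pairs the bank's hosts are known to talk to.
BASELINE = {("10.0.5.17", "10.0.1.10", 443), ("10.0.5.21", "10.0.1.10", 443)}
KNOWN_DSTS = {"10.0.1.10", "cdn.example"}

# Constructed flow records, roughly following the use case: an infrastructure
# laptop (10.0.5.17) suddenly pushes a lot of data to an unknown destination.
CONSTRUCTED_FLOWS = [
    Flow("10.0.5.17", "10.0.1.10", 443, 2_000),          # in baseline
    Flow("10.0.5.17", "203.0.113.44", 8443, 5_200_000),  # never seen, large
    Flow("10.0.5.21", "cdn.example", 443, 1_500),        # new for host only
    Flow("10.0.5.17", "203.0.113.44", 8443, 100),        # already alerted
    Flow("10.0.5.22", "203.0.113.44", 8443, 900),        # dst now known
]


def triage(flows: Iterable[Flow], baseline=BASELINE,
           known_dsts=KNOWN_DSTS) -> Dict[str, List[Alert]]:
    """Run the detector over the flows and bucket alerts by route."""
    detector = FirstSeenDetector(baseline, known_dsts)
    routed: Dict[str, List[Alert]] = {"automated_response": [],
                                      "analyst_review": []}
    for flow in flows:
        alert = detector.process(flow)
        if alert is not None:
            routed[alert.route].append(alert)
    return routed


if __name__ == "__main__":
    for route, alerts in triage(CONSTRUCTED_FLOWS).items():
        print(route)
        for a in alerts:
            print(f"  {a.flow.src} -> {a.flow.dst}:{a.flow.dport} "
                  f"conf={a.confidence} urg={a.urgency}: {'; '.join(a.reasons)}")
```

Running it routes the 5.2 MB transfer to an unknown destination on port 8443 to automated response, while the two merely-new-for-this-host flows land in the analyst queue. The point of the `known_dsts` update is the one the article makes about noise: once a destination has been investigated, later hosts reaching it should raise a lower-confidence alert rather than a fresh high-priority one.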
Addressing Imminent Threats with NDR
In summary, given the extremely sensitive nature of the data that financial services organizations work with, ignoring network traffic is too big a risk to take. By leveraging an NDR solution, security analysts at these organizations can ensure a proactive approach to threat detection and response. This is a core component of building a comprehensive, multi-layer cybersecurity strategy and protecting company and customer data.
Éric Leblond, Chief Technology Officer at Stamus Networks
Éric Leblond is the Chief Technology Officer at Stamus Networks, a global provider of network-based threat detection and response systems. He has more than 15 years of experience as co-founder and CTO of cybersecurity software companies and is an active member of the security and open source communities. Éric has worked on the development of Suricata – the open source network threat detection engine – since 2009 and is a board member of OISF.