Can Asian banks futureproof their cyberdefences?

Hear it from the tech and security experts.

Banks experienced 13% of all ransomware attack attempts last year based on the SonicWall Annual Threat Report. The Neustar Worldwide DDoS Attacks and Cyber Insight Research Report also reveals that as of May 2017, 86% of the surveyed financial services firms have already suffered from DDoS attacks, 10% higher than the same period last year. Moreover, workplace shakers such as the bring your own device (BYOD) initiative, paperless banking, and peer-to-peer payments, whilst necessary for convenience, makes banks more susceptible to attacks than ever before.

In this highly erratic environment, financial service institutions need to outpace attackers to keep themselves and their obligations safe. Whilst they can continually upgrade their equipment and capabilities, doing so would ultimately be an expensive and counterintuitive means of defence.

And so the question is raised: is there such a thing as futureproofed cybersecurity?

James Fong, RSA Archer GRC solution leader for Asia-Pacific and Japan, says, “Traditionally, financial institutions made heavy investments to remain relevant for customers and stay competitive whilst ensuring they meet strict regulatory compliance and controls.”

However, such an approach keeps the “Gap of Grief” wide open. This gap refers to information silos, data inconsistencies, delayed reports, and anything that contributes to the failure of both technology and business to transform cyberrisk into something valuable and meaningful for stakeholders.

David Allott, Mcafee cyberdefence director for APAC, explains this situation, stating, “In an attempt to respond to constantly evolving threats, financial service organisations have developed unsustainable security infrastructures that are characterised by a huge proliferation of tools to address ‘the next big thing’ in cyberthreats.”

Sharon Toh, head of ASEAN for SWIFT, goes on to say that whilst no cybersecurity solution can be 100% futureproof due to the ever-evolving nature of attackers, “Banks can still mitigate threats by stepping up their preventive efforts at the initial stage before any attack takes place.” Some of the ways banks can do this is by laying down a strong defensive foundation, securing devices and data, engaging in red team exercises, and investing in analytics.

Building a foundation
Any cybersecurity strategy begins with a solid foundation, without which the whole defence crumbles upon the slightest hole. Allott recommends approaching organisational security from a bottom-up approach instead of a centrally-controlled, top-down approach. He explains this foundational view, saying, “Security capabilities have not drastically changed—traditional mechanisms such as firewalls, intrusion prevention systems (IPS), and two-factor authentication (2FA) remain relevant even today.”

Robin Schmitt, APAC general manager of Neustar, reflects this sentiment, saying banks “should first and foremost make sure that their antivirus and patching are regularly updated. They should also consider investing in intrusion detection and prevention solutions that will stop a potential attack and collaborate with experts who can provide guidance on preemptive strategies.”

Tim Liu, CTO of Hillstone Networks, adds that from the get go, banks must establish a cybersecurity framework which includes an audit of their valuable assets and current defence capabilities. From there, banks should assess their security requirements, risks for their assets, and define and implement a security policy, including monitoring, detecting, and response mechanisms, and mitigation measures.

“A good way to secure cybersecurity investments is to follow this security framework. Investments made this way are evergreen because whilst security threats are always changing, a well-designed framework evolves with the threat climate but maintains most of the outcomes from its elements. It is crucial we understand that the appearance of new attacks and threats do not render existing defences obsolete. New defence mechanisms can be added, in a layered defence approach, to increase protection of threat surfaces,” adds Liu.

Moreover, Elad Ben-Meir, VP of CyberInt, notes that banks should “Incorporate security solutions that are the right fit for their strategic business growth, i.e. if they planned on launching new mobile apps or online transaction sites, they should focus on systems that monitor and protect those.”

Securing the network and devices
Once a security foundation has been established, banks should also turn their attention towards network elements that may fall outside their control. McAfee's Allott says external devices should be given different protocols over native network devices, and should be contextualised whilst in use.

He explains, “The more control over the device, the higher ability you have to interrogate it and establish context. When you have more control over your nodes, you can establish paths of access and consider devices more trusted. But if you have less control, you can only observe behaviour.”

Allott adds that even though this may be the case, IoT tools can still be monitored through their behaviour. Through a ring-fence approach, such devices can be screened for anything malicious.

On top of employees throwing their own smartphones, tablets, smart devices, and laptops into the mix, unified communications is another fast rising trend that Kevin Riley, CTO of Sonus Networks, says is a critical yet misunderstood aspect of a bank’s network.

“As more banks in the Asia Pacific region are coming to the peak of their digital transformation journeys, they are increasingly adopting IP-based voice, video, and instant messaging services. However, some of the communications services have never operated over IP before, meaning there is a new IP application that organisations must protect,” says Riley.

Through the implementation of session border controllers (SBC), UC applications can be safeguarded from threats that normal firewalls can’t catch. SBCs not only detect and shut down anomalous UC behaviour, they can also share information with other security protocols and devices to lockdown any similar attack patterns.
“By taking a collaborative approach to security—where each device across a bank shares information, data and policies—the overall security posture of the bank is increased. Ultimately, this provides a better way to address today’s increasingly sophisticated and advanced threat landscape,” Riley explains.

Alex Lim, Forcepoint Southeast Asia regional sales director and APJ channel and alliance director, agrees that banks are most vulnerable at these point where people and data interact. He says that these intersections can undermine even the most comprehensive security systems. “Today, organisations require intelligent, integrated systems that can provide visibility into user behaviour (End User Behaviour Analytics) and uncover intent by providing the context behind a user’s actions,” states Lim.

“These systems of integrated solutions, when coupled with comprehensive cybersecurity programs, can secure the mobile workforce, reduce IT’s incident management burden, increase the value of new security investments, and provide proactive security that promotes innovation within the organisation,” he adds further.

Network privileges should also be closely observed. Jeffrey Kok, CyberArk director of pre-sales for Asia-Pacific and Japan, explains, “Today, we must assume that the attacker has already breached the network perimeter and adopt privileges as a critical layer of defence. Attackers need to escalate privileges and leverage credentials to move laterally and steal data, so protecting, restricting and monitoring privileged access to systems on the network that are most likely to be compromised and which ones would be the most devastating to have infiltrated is critical in developing a proactive and preventative approach.”

Engaging in red team exercises
What better way to test your own defences than have people you trust attempt to find zero-day exploits and other gaps in your security plan? Allott says, “Through exercises such as penetration tests and threat modelling, attackers will pinpoint residual and unaddressed attack vectors as well as assist in remediation efforts.”

Also advocating these red team exercises is Kok. He advises “Regularly conduct adversarial simulation to test an organisation’s ability to detect and respond to attacks in a safe environment, whilst also uncovering security gaps, identifying areas of improvement, and making risk-prioritised recommendations to help strengthen security and improve response times.”

Analytics and partnerships
What’s apparent is that in the search for the latest and greatest cybersecurity tools, cybersecurity professionals are bombarded with thousands upon thousands of alerts and data reports each day.

And the data reports will come. Firms today are met with over 200,000 daily cybersecurity alerts which would take years to analyse manually. Banks therefore need to invest in advanced analytic engines and analytical platforms that can discover patterns and anomalies from petabytes upon petabytes of data.

“Analytical platforms that harness the power of big data are increasingly used to provide the compute muscle to support human decision-making in security, offering insights into threat activity, hard-to-detect malware, evasive attacks, existing breaches, and indicators of compromise,” states Allott.

Additionally, Scott McCrady, APJ vice president of SonicWall, stresses the need for banks to find trustworthy partners they can collaborate with—ones with the same, if not greater, cybersecurity zeal and capabilities. “They must work closely with a trusted partner to identify and adjust to the ever-shifting security challenges, on top of devising an IT plan that will last them well into the future.”

Finding particularly solid partners are important, as when these trusted parties are breached, a bank’s system is likewise exposed to attacks. “The key to success in this hostile world is to identify the attack when it is in the first two stages and block the exploit. In other words, to change defences as the attacks evolve. This is why all the serious FSI security organisations have threat intelligence teams,” also shares Michael Smith, Akamai Technologies security chief technology officer, Asia-Pacific and Japan.

These threat intelligence teams can share intelligence with their peers, getting information on new attack signatures and hunting for them within their own networks.