CIO Academy Asia, in partnership with Kaspersky, held a series of virtual roundtables across ASEAN in August 2020. The roundtables were attended by technology industry leaders in the financial services sector and moderated by CIO Academy’s CEO, P. Ramakrishna. This article is based on insights from the sessions.
Organisations are increasingly using interconnected digital ecosystems, comprising a distributed network of devices accessing mission-critical applications and data over the cloud. Financial institutions today embrace a wider network of fintech partners and are expanding their portfolios of financial services available through digital channels.
Targeted attacks on financial services firms are increasing in frequency and sophistication. It is not always possible for financial services companies to predict the type of attack or the type of threat actor they will face. For this reason, financial services companies need to develop a forward-leaning posture which uses intelligence to predict likely adversaries and attack methods. Defences can then be dynamically modified based on a continual flow of intelligence.
The impact of successful attacks is also increasing rapidly. “Our operational and business risk is huge and must be mirrored by investment in risk mitigation. For example, a network outage would stop our sales,” remarked the CEO of a large financial institution based in the Philippines, when interviewed by CIOAA.
Attack surface expands and remote working becomes the new normal
Since the pandemic crisis began, the focus for many organisations has been on enabling employees to work remotely; security has been, and too often remains, a secondary consideration.
Remote working has become the new normal, and vigilance towards security threats has become particularly important. A lack of face-to-face contact and highly distributed workforces, often untrained in cybersecurity, are creating opportunities for new attack techniques. Phishing by posing as a provider of COVID-19 information has been remarkably successful. Identity theft based on stolen credentials is making it difficult to ascertain the authenticity of individuals who are engaging remotely.
During the interview, an important point relating to new threats was made when the CEO asked “How do we know if people we engage with online are authentic?” He continued by explaining that “It is hard to tell if a customer is real or fictitious”.
According to Siang Tiong Yeo, General Manager for Southeast Asia at Kaspersky, “We see the criminals move fast. Attackers have always been operating from the home and they are more familiar with such working conditions than most of us, so they fully understand the home vulnerabilities and how to exploit them.”
An executive director of an international crime control organisation stated that “There is a spike in criminal activity. We are seeing targets shift from individuals and smaller businesses to major corporations, government, and critical infrastructure.”
It is becoming increasingly important for organisations to develop a forward-leaning cybersecurity posture and to integrate threat intelligence into their operations as soon as possible. This intelligence can then be used to understand adversary behaviour. According to Victor Chu, Head of Systems Engineering, SE Asia at Kaspersky, “This enables the building of defences around adversary behaviour and optimises the incident response and threat hunting process.”
SOCs must be Intelligence-Driven
Attackers are adapting their techniques to penetrate traditional defences. Often, they breach defences and remain undetected for months, or even years. To address these evolving and dynamic threats, cybersecurity postures must also adapt, using threat intelligence, AI and automation wherever possible.
Defending a defined corporate perimeter with commonly available security solutions remains a typical approach to cybersecurity, even in the financial services sector. This approach aims to prevent malware infections and unauthorised access to corporate networks, and many deem it sufficiently robust to mitigate operational, legal and reputational risk. The rise of targeted attacks and nation-state attackers has demonstrated that this approach is now inadequate. Financial services firms need a multi-faceted, highly adaptable, forward-leaning approach to security, based around a SOC. Today’s SOCs must be empowered with threat intelligence and multi-layered security solutions.
Training and Engaging Employees is Critical
CIO Academy Asia research, as well as the roundtable attendees, identify insider threats as the biggest vulnerability for organisations.
Therefore, it is more important than ever to engage employees in the battle against cybercrime. All employees must now be educated on cyber hygiene: not clicking on suspicious links, double-checking the file extensions of downloaded files, and being a little more careful about the origin of any file or link they are about to open.
Remote employees often access sensitive business data through home Wi-Fi networks that do not have the same security controls, such as firewalls, that are used in offices. The greater connectivity from remote locations requires a stronger focus on data privacy, and on hunting for intrusions across a much larger number of entry points.
Governance must be modified to address the changing threat landscape and to ensure compliance. This requires the alignment of security strategy with business strategy, controls to mitigate risk, and response plans. The continual use of threat intelligence is critical to ensure that governance protocols remain relevant to new and emerging threats. Indeed, an executive from a leading bank stated that “From a response plan perspective, it is necessary to integrate threat intelligence into strict governance protocols.”
Security Operations and Management with Threat Intelligence
Participants highlighted that complementing security operations and management with threat intelligence starts with understanding how risk is changing. Forward-leaning, proactive mitigation is deemed necessary as a way of improving enterprise security maturity.
According to the Financial Crime Operations Assurance Lead at a global financial institution, “Risk is increasing as the threat landscape has expanded as people work remotely. Data loss becomes a big issue and a big risk.” He continued, “Customer and insider threats are increasing due to phishing.”
Combating these threats requires greater use of threat intelligence. Vitaly Kamluk, Principal Security Researcher at Kaspersky, highlighted the importance of knowing potential attackers. Kamluk said, “Organisations should follow the latest threat trends by subscribing to reputable threat intelligence feeds provided by companies such as Kaspersky.”
Security operations need a continuous flow of intelligence on their adversaries. After all, it is more difficult to protect an organisation against unknown threats than against known ones. Financial services firms are particularly vulnerable to attacks from unknown actors: in addition to holding valuable assets, they hold valuable data such as credentials and banking details. According to Kaspersky’s Chu, “Threat intelligence which tracks adversary behaviour is critical.” At the same time, organisations must seek to minimise the number of alert dashboards, or they risk alert fatigue, where the security team becomes overwhelmed by dashboards and alerts.
According to Chu, “It is also important to track what is being sold on the dark web. There are services which can find out if your data is being sold on the dark web.”
To guard against new and emerging dangers, organisations need an increasingly adaptable approach to security. According to Kaspersky’s Yeo, “Prevention may be better than the cure.” Yeo continued, “Threat intelligence and unified security solutions need to be built into SOCs to better facilitate threat management in an efficient, centralized approach.”
The integration of analytics and machine learning is needed in today’s solutions. Only with data, analytics and AI/ML can potential adversaries be identified.
Kaspersky’s Kamluk offers the following six tips to organisations that wish to stay safe:
- Stay ahead of your enemy: make backups, simulate attacks, and prepare action plans for disaster recovery.
- Deploy sensors everywhere: monitor software activity on endpoints, record traffic, and check hardware integrity.
- Never follow the demands of the criminals. Do not fight alone – contact law enforcement, CERTs, and security vendors like Kaspersky.
- Train your staff while they work remotely: digital forensics, basic malware analysis, and PR crisis management.
- Follow the latest trends via premium threat intelligence subscriptions, like the Kaspersky APT Intelligence Service.
- Know your enemy: identify new, undetected malware on premises.