Why the financial sector must confront an invisible cloud threat 

Mark Jow, EMEA Technical Evangelist, Gigamon, asks if the financial sector is prepared for the invisible threats lurking in the cloud. He warns: “While it may be reasonable to assume that cloud providers provide security by design as part of their platforms, this is sadly not the case.” 

The financial sector has never been a stranger to strict security policies. Since the 1600s, banks and their security partners have pioneered some of the most secure strongrooms in the world. Named originally after their vaulted ceilings, ‘vaults’ have since become synonymous with the highest level of protection, featuring armoured walls and air-tight locks that can protect valuables from thieves, natural disasters and even atomic bombs.  

But modern banks have far more complex threats to counter, and far more valuables to protect. Customer payment data, access to high-profile networks and critical operations all present lucrative opportunities for bad actors. All this leads to an environment in which the Bank of England identified the risk of cyberattacks as one of the major threats to the nation’s financial stability. So, are these bastions of security prepared for today’s criminals?  

A cloudy landscape 

The rise of fintech newcomers in banking can be credited for initiating a dramatic shift in the financial landscape. With new startups often making extensive use of modern cloud infrastructure and SaaS providers such as Mambu, they benefitted from efficiency and scalability, whilst offering customers more flexible digital banking options. It is no surprise, then, that established retail banking brands have been quick to follow suit. 

But the outcomes of an increasingly digitised financial system are not all positive. Without considered security controls, tools and capabilities in place, cloud-based workloads can be easier to penetrate, and are often targeted directly by bad actors.  

While it may be reasonable to assume that cloud providers provide security by design as part of their platforms, this is sadly not the case. Under the shared responsibility model the provider secures the underlying platform, but the configuration of workloads, identities, network paths and monitoring remains the customer's job. Far too often, organisations leave security gaps in that half of the model that only become clear in post-incident analysis. When said organisations make up part of a nation's critical national infrastructure (CNI), remediating cloud security gaps before an attack can occur is essential.  

With UK Finance forecasting that notes and coins will account for just 7% of all UK payments by 2032, an attack on the digital systems that facilitate a large majority of payments and transactions would have a huge ripple effect, giving bad actors credibility amongst their peers and providing them great leverage for further extortion.  

Confronting an invisible threat  

But just as banks once had to deal with ever more sophisticated heist attempts, the tactics of cybercriminals are evolving. Firstly, financial institutions don’t just attract standard hackers – their CNI status marks them as likely targets for nation-state cyberattacks, which often have more time, resources, and far more skilled actors with which to find and exploit blind spots. 

Earlier this year, the NCSC issued a warning about one such sophisticated tactic: living off the land attacks, in which intruders rely on the legitimate tools, credentials and protocols already present in the environment rather than dropping recognisable malware. In cloud environments these attacks focus on lateral or ‘east-west’ movement, using defensive weak spots to gain access to vulnerable cloud hosts before moving internally from host to host to find a safe dwelling spot.  

Hidden within the organisation’s network, these actors can then bide their time and plan their attack before they act, locating the most sensitive data stores, analysing the network for intelligence, and covering their tracks. As hybrid cloud environments grow more sophisticated, financial institutions’ workloads and data become more widely spread across the network. Without full visibility and robust security monitoring, the newfound complexity only breeds more potential blind spots for attackers to hide in.  

Securing these landscapes with the right tool strategy is essential, and this must evolve in line with changing IT infrastructure. Financial institutions’ existing security tools, engineered and employed for on-premises environments, rely heavily on data from logs, traces and event files – a dependency that living-off-the-land attackers count on. The reality is that logs are ‘mutable’: they are written by the very hosts an intruder controls, so bad actors can delete or alter them to mask their activity and lull security teams into blissful ignorance of an ongoing cyber incident.  

Today’s financial sector needs additional network visibility to enhance and verify log, event and trace-based intelligence. Traffic observed on the wire cannot be rewritten after the fact by a compromised host, so it provides an independent record against which host logs can be checked. Only by gaining deep insight into their network traffic, including east-west movement across both the cloud and existing on-premises environments, can security teams expose and remediate hidden threats.   
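One concrete way to use network visibility to verify mutable host logs, as an added example that is not part of the article or of any Gigamon product: take the east-west flow records a network tap or packet broker exports, and for every remote-access connection (SSH, RDP, WinRM) between internal hosts look for the matching login event in the destination host’s forwarded logs. A connection that exists on the wire but has no corroborating log entry is either a collection gap or a sign that the log was tampered with, and both deserve a look. The flow records, syslog lines, host mapping and 30-second matching window below are all constructed for the example.

```python
"""Cross-check host authentication logs against east-west network flow records.

Added illustrative example; not code from the article, the NCSC or Gigamon.
Assumptions (all constructed for this example): flow records arrive as dicts with
ISO timestamps, auth logs arrive as syslog-style lines (OpenSSH 'Accepted' lines and
Windows 4624 logon events), and a small IP-to-hostname map is available.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress
import re

# Ports used for interactive remote access; internal flows to these are lateral-movement candidates.
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# A login should be logged within a few seconds of the TCP connection; 30 s allows for clock skew.
MATCH_WINDOW = timedelta(seconds=30)

# Constructed flow records, as a network tap / packet broker might export them.
FLOWS = [
    {"ts": "2024-05-01T10:00:01", "src": "10.0.1.5",  "dst": "10.0.2.10",   "dport": 22},
    {"ts": "2024-05-01T10:05:00", "src": "10.0.2.10", "dst": "10.0.3.20",   "dport": 22},
    {"ts": "2024-05-01T10:06:00", "src": "10.0.2.10", "dst": "10.0.3.21",   "dport": 3389},
    {"ts": "2024-05-01T10:07:00", "src": "10.0.1.5",  "dst": "203.0.113.9", "dport": 443},  # north-south, ignored
]

# Constructed syslog lines as forwarded to a SIEM. Note: host db-20 has no login
# matching the 10:05 SSH flow above, which is the case the check should surface.
AUTH_LOGS = """\
2024-05-01T10:00:03 app-10 sshd[311]: Accepted publickey for deploy from 10.0.1.5 port 50122
2024-05-01T10:06:02 win-21 Security: 4624 An account was successfully logged on src=10.0.2.10 LogonType=10
"""

# Constructed IP-to-hostname mapping (in practice from the CMDB or DHCP/DNS records).
HOST_BY_IP = {"10.0.2.10": "app-10", "10.0.3.20": "db-20", "10.0.3.21": "win-21"}


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    host: str
    src_ip: str


SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for \S+ from (?P<src>\S+)")
WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) Security: 4624 .*\bsrc=(?P<src>\S+)")


def parse_auth_logs(text: str) -> list[LoginEvent]:
    """Extract successful remote logins from the two constructed log formats."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line) or WIN_RE.match(line)
        if m:
            events.append(LoginEvent(datetime.fromisoformat(m["ts"]), m["host"], m["src"]))
    return events


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_unlogged_lateral_flows(flows, auth_log_text, host_by_ip) -> list[dict]:
    """Return internal remote-access flows that no host login event corroborates."""
    events = parse_auth_logs(auth_log_text)
    unlogged = []
    for f in flows:
        service = REMOTE_ACCESS_PORTS.get(f["dport"])
        if service is None or not (is_internal(f["src"]) and is_internal(f["dst"])):
            continue  # not east-west remote access; out of scope for this check
        conn_time = datetime.fromisoformat(f["ts"])
        dst_host = host_by_ip.get(f["dst"], f["dst"])
        corroborated = any(
            e.host == dst_host
            and e.src_ip == f["src"]
            and timedelta(0) <= e.ts - conn_time <= MATCH_WINDOW
            for e in events
        )
        if not corroborated:
            unlogged.append({"ts": f["ts"], "src": f["src"], "dst": dst_host, "service": service})
    return unlogged


if __name__ == "__main__":
    for hit in find_unlogged_lateral_flows(FLOWS, AUTH_LOGS, HOST_BY_IP):
        print(f"UNLOGGED {hit['service']} {hit['src']} -> {hit['dst']} at {hit['ts']}: "
              "no matching login on destination host; check log integrity")
```

Run stand-alone, the script reports the 10:05 SSH connection from app-10 to db-20 as unlogged; the other two internal flows are matched to their login events within the window, and the outbound HTTPS flow is ignored because it is not east-west. In a real deployment the same join would run continuously over flow metadata and SIEM events, with the unmatched set feeding an alert rather than a print statement.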

Clearing the path 

Log manipulation is not the only trick in the hackers’ handbook. Encryption, deployed by countless modern businesses to protect sensitive data in motion, has become increasingly popular in hybrid cloud security strategies. But decrypting and inspecting all this traffic is not seen as cost-effective by many businesses. As a result, attackers commonly exploit the same control to hide malware, mask malicious activity, and even smuggle stolen data out through encrypted east-west traffic that nobody is inspecting.  

Currently, over two-thirds of businesses allow encrypted data to flow through their networks uninspected. Security professionals and boards are leaving their networks vulnerable to attacks which could cause significant financial and reputational damage, and worse still, may not be discovered at all until their data is already for sale. With particularly sensitive data to protect, financial services organisations should be especially aware of the risk of uninspected encrypted traffic.   

Without complete visibility of all network traffic, including east-west and encrypted data-in-motion, all organisations are vulnerable to encrypted malware, data theft and ‘living off the land’ attacks. It is exceedingly difficult to defend against threats you cannot see, and unprotected blind spots present organisation-wide risks with expensive consequences. For financial institutions and any other nation-critical organisations, gaining full network visibility must be a number one priority.