The cyber security industry grows in its defensive capabilities day by day: our AV software grows its signature base; NGAV tools mature in their ML sophistication; and EDR tools broaden their TTP detection. However, even as we grow our capacity to defend against attacks, it must be understood that – as in any battle – the opposition is growing and adapting to our solutions. In this case, adapting means bypassing our prevention and detection mechanisms in order to damage our businesses. Knowing that we will almost inevitably be breached, it is increasingly important that we employ a strategy of Continuous Response.
Above all other industries, the Financial Services (FS) industry stands to lose the most. Managing trillions of dollars, the FS industry is one of the leading targets of cyber-attacks. This article sets out the security priorities that financial organizations should focus on. There are countless examples of successful breaches of companies both big and small, resulting in the loss of significant amounts of money. The bottom line? No one in the FS industry is safe; every business operating in this realm must remain vigilant.
Maintaining a Continuous Response approach to security allows us to prepare for and address threats as they arise. Continuous Response addresses three weak points that often aren’t well established in organizations:
- Communication Channels and Reporting (Collaboration)
- Complex data-backed evidence of the attack (Context)
- The ability to respond effectively (Control)
Communication Channels and Reporting (Collaboration)
When an incident is underway, it is imperative that appropriate communication channels are already established. Who will take the lead in the investigation? How are communication bridges being established? How often? What happens if the normal “lead” is on vacation? How are major decisions being made? Having answers to these questions, and having plans in place, will prevent mass panic and enable swift decision making – both very important things to maintain when dealing with potentially business-critical problems.
Complex data-backed evidence of the attack (Context)
Communication alone is not enough. What is also required is the ability to find evidence of nefarious activity occurring on your estate. This means having appropriate solutions in place to search security logs, user data, endpoint data, network data, and so on. Without the ability to contextualize an attack, its scope cannot be bounded. Context lets you understand how an attack unfolded, giving you information on where the attackers are and what they might have access to, which vulnerabilities in your infrastructure were exploited, and what data may have been exfiltrated or affected.
The ability to respond effectively (Control)
Unfortunately, contextualizing an attack is also not enough. Once an attack is understood, the capacity to respond becomes critical. Having a robust set of response features within your security tooling – such as the ability to mass ban processes, selectively isolate networks/domains, and blacklist IP addresses – is essential, as is the ability to deploy these features at scale. Every second that passes after an attack is discovered is another second that could put your entire business at risk.
It is the intersection of Context, Collaboration, and Control that allows for a comprehensive method of dealing with discovered threats. Collaboration allows for swift decision making and easy communication; Context allows for an understanding of an attack in its scope and reach; and finally, Control allows for effective action. While all industries stand to benefit from employing a Continuous Response approach, the Financial Services industry stands to benefit the most; as businesses founded on trust and money, FS organizations certainly have the most to lose. It is therefore extremely important that cyber security leaders within these businesses do everything they can to prepare for the worst. Context, Collaboration, and Control prepare businesses for just this.