Spotting and staying ahead of the next network breach
If they can't identify attacks when they happen, how can financial organisations effectively combat them, asks Ron Miller.
Ron Miller, Solarflare
High-profile network security breaches have escalated dramatically in 2015. The recent assault on the Office of Personnel Management in which the personnel data of over 4.2 million US government employees was compromised is just the latest example of how both the private and public sector are susceptible to cyber-attacks.
Financial services firms have become increasingly more vulnerable as the level of sophistication and ability of these attacks to evade detection has improved. In fact, a recent survey conducted by the Bank of England found that financial institutions often misdiagnose cyber-attacks as internal IT failures, leaving them vulnerable to infiltration and the loss of valuable data as a result.
By not being able to properly identify these attacks when they happen, how can financial institutions hope to effectively combat them?
The time has come for the financial services industry to re-evaluate its approach to network security, and to consider employing a ‘defence in depth’ strategy to safeguard against both external and internal threats. In this article, we will look at how this ‘outward-in’ approach to cyber-security works to expose cyber threats, and at the need for financial institutions to put greater emphasis on breach detection, data capture and internal network segmentation in order to implement it effectively.
Breach detection and theft mitigation
From blunt-force distributed denial of service (DDoS) attacks to more subtle and embedded approaches (i.e., phishing, malware, etc.), the methods and exploits employed by hackers to infiltrate financial institutions' host networks have evolved and will continue to do so. In order to combat these threats effectively, we first need to evaluate how they are being identified and managed.
According to Gartner, global spending on cyber-security is expected to reach over US$101 billion (£60 billion) by 2018. To date, many financial institutions have prioritised, and continue to invest heavily in, threat prevention technology that aims to nullify security threats at the perimeter of the network.
Besides being more cost-prohibitive, this perimeter-first approach doesn't account for cyber threats that have already breached externally focused security measures. Given how often data passes through a network's sub-systems, it is imperative to have adequate hardware- and software-based internal security in place to monitor and protect the network. This includes comprehensive anti-virus protection, access control and authentication policies.
The concept of ‘defence in depth’ begins at the edge of the network, and then works its way through to the internal infrastructure, such as the firewall, router, MDF switches and IDF switches. In order for this in-depth strategy to be successful, measures need to be taken to address internal threats to the system.
Data capture and network performance
Financial institutions need to strike a balance between preventing intrusion and detecting it: not only to eliminate imminent threats to critical data assets, but also to identify the source of the breach and then to create barriers that mitigate further data loss. The best means of doing so is to implement a data packet capture solution to isolate and expose the threat.
A high-performance data capture platform needs to be implemented to allocate CPU capacity to core security applications, and to maintain the performance of the network if and when the system is under attack. In addition to capturing data from ‘north and south’ attack vectors, implementing data packet capture allows IT administrators to better identify internal threats to the network that have already bypassed the firewall into the heart of the data centre. While packet capture will slow down these internal threats, IT administrators still need to take measures to prevent their potential spread across the network.
Internal network segmentation
Once the nature of the breach has been identified and the capture process has been completed, the last and arguably most crucial step in this process is to isolate customer traffic and services within multitenant cloud environments to defend against the spread of malicious code to other key segments of the network. Once the infected areas have been partitioned off, new policies, filters and access control lists can be implemented to limit access to critical data stored on the servers to only properly authenticated users.
When combined with the physical layers of security that protect the server (i.e. network adapters, etc.), this effectively quarantines the areas that have been impacted by the breach, allowing day-to-day operations to continue normally while malicious data is excised from the server.
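As an added illustration of the two steps above (using captured traffic to expose internal threats, then checking it against a segmentation policy), the following example is not from the article or from Solarflare. It assumes a hypothetical three-segment network, a hand-written allow-list of east-west paths, and constructed flow summaries of the kind a capture platform would produce; any flow that crosses segments outside the allow-list is reported, along with the bytes each offending source moved.

```python
import ipaddress
from collections import defaultdict

# Hypothetical segment layout (constructed for this example, not a real network).
SEGMENTS = {
    "user_lan": ipaddress.ip_network("10.10.0.0/16"),
    "app_tier": ipaddress.ip_network("10.20.0.0/24"),
    "db_tier":  ipaddress.ip_network("10.30.0.0/24"),
}

# Allowed paths after segmentation: (source segment, destination segment, destination port).
# Anything not listed is treated as a policy violation worth investigating.
POLICY = {
    ("user_lan", "app_tier", 443),   # workstations reach the application front end only
    ("app_tier", "db_tier", 5432),   # only the app tier may talk to the database
}

def segment_of(ip):
    """Map an address to its segment name; anything outside the layout is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def find_violations(flows):
    """Return (violating flows annotated with segments, bytes moved per offending source)."""
    violations = []
    bytes_by_src = defaultdict(int)
    for flow in flows:
        key = (segment_of(flow["src"]), segment_of(flow["dst"]), flow["dport"])
        if key not in POLICY:
            violations.append({**flow, "src_seg": key[0], "dst_seg": key[1]})
            bytes_by_src[flow["src"]] += flow["bytes"]
    return violations, dict(bytes_by_src)

# Constructed sample flow summaries, as a capture tool might report them.
SAMPLE_FLOWS = [
    {"src": "10.10.4.7", "dst": "10.20.0.5",    "dport": 443,  "bytes": 1200},
    {"src": "10.20.0.5", "dst": "10.30.0.9",    "dport": 5432, "bytes": 8800},
    {"src": "10.10.4.7", "dst": "10.30.0.9",    "dport": 5432, "bytes": 150000},    # workstation straight to DB
    {"src": "10.30.0.9", "dst": "203.0.113.20", "dport": 443,  "bytes": 52000000},  # DB host pushing data outbound
]

if __name__ == "__main__":
    found, totals = find_violations(SAMPLE_FLOWS)
    for f in found:
        print(f"{f['src']} ({f['src_seg']}) -> {f['dst']} ({f['dst_seg']}) port {f['dport']}: {f['bytes']} bytes")
    print("bytes per offending source:", totals)
```

The same check run over real capture output would use the institution's own segment map and allow-list; the point is that once traffic is captured, enforcing segmentation becomes a mechanical comparison rather than guesswork.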
Financial services organisations will continue to be one of the leading targets for cyber-security attacks, and as such need to have the right processes in place in order to safeguard their mission-critical business data and the data of their customers. By enacting a defence in depth approach to cyber-security, they have the opportunity to create cost-effective security protocols that can not only detect current network breaches, but also allow them to stay ahead of attempts to exfiltrate sensitive data in the future.
Contributed by Ron Miller, Solarflare.