Roll a Trojan horse up to city gates now, and no one would be fooled. It worked back then because it was a new tactic and, thus, unknown.
For financial institutions, complete security means not only guarding against known threats but also preventing unknown dangers from getting through.
As a standard practice, cybersecurity systems are updated regularly to guard against new threats and invasive methods as they are identified. But what if the biggest threat is something not yet thought of? How can security systems guard against a threat that does not exist today, but will be coming after your data tomorrow?
The answer is anomaly detection, which flags anything outside the range of normal activity. It uses the rule-based capabilities of machine learning to create a final line of defense; without that layer, a gap remains that can easily be exploited.
Building a Solid Security Perimeter
When it comes to protecting financial institutions from attack, the first line of defense is simple in concept. Think of it as a wall that wraps around all environments and connection points to guard against any known, external threats. This type of attack — a force from the outside trying to breach the defenses — is what typically comes to mind in a security context, with good reason: Most of the “action” takes place at the perimeter.
The security system might not know specifically where the threats originate, but that is not necessary in perimeter defense. It is only necessary to know which type of attacks might occur in order to keep the defensive layer equipped to withstand them. So, a strong perimeter defense must be updated continuously with all the latest information and defensive measures; that is what keeps the wall strong.
And, of course, the stronger the wall is, the more attacks it can withstand. This defensive layer is formed by firewalls, web application firewalls (WAFs), distributed denial-of-service (DDoS) mitigation tools, credential-stuffing protections, antivirus protections, malware detection and all the real-time threat feeds keeping these defenses tuned to the current bad actors.
But there is another consideration: In order to keep the business functioning, there must be points of entry in the perimeter, allowing customers and employees through. To create and use these connection points safely, we turn to the zero trust model, described below.
Maintaining Security Inside the Wall
Maintaining security in a business environment is a continual trade-off between protection and accessibility. Fewer points of entry, fewer connections and fewer interactions make the environment more secure. After all, it is easier to guard two doors than 20. While a closed or nearly closed environment is good for security, it can be bad for business.
The zero trust model helps to maintain security while allowing for business as usual; it works like a security layer installed within the perimeter and around connection points, guarding against internal threats such as unintentional breaches and careless mistakes.
With the shift to remote work, zero trust has become an even more important area of security consideration. The more employees use their own equipment, on their own Wi-Fi, in their own homes, the easier it is to infiltrate the system. Imagine the perimeter wall stretching around these individual homes, systems and pieces of equipment. Instead of being a sturdy wall, able to withstand a huge amount of outside force, it becomes stretched and thin.
The WFH Cybersecurity Threat:
The work-from-home trend has opened up many new ways for fraudsters to penetrate a bank's security perimeter.
Additionally, each connection point is a type of gate; the more gates an employee has to go through, the more likely it is that they will leave one open. A zero trust model creates a resilient and flexible line of defense that protects external entries as well as interior points of connection. Trust no one, and continuously verify each user's identity and right to access.
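The "trust no one, verify continuously" rule from the zero trust section can be made concrete as a per-request authorization check. The following is an added example, not Q2's code or a description of any particular product: every request is evaluated from scratch against session age, MFA freshness, device posture and a least-privilege role map, and the network the request comes from (office or home) is deliberately ignored as a trust signal. The policy thresholds, roles and actions are assumed values for illustration.

```python
"""Per-request zero trust authorization (added example, not Q2's code).

Every request is checked the same way whether it comes from the office
network or a home Wi-Fi: the session token, MFA freshness, device posture
and least-privilege role are verified on each call, not once at login.
Policy values below are assumed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

MFA_MAX_AGE_S = 15 * 60           # assumed: sensitive actions need MFA within 15 minutes
SESSION_MAX_AGE_S = 8 * 60 * 60   # assumed: sessions expire after 8 hours regardless of activity

# Constructed least-privilege map: each role gets only the actions it needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "teller":  {"account:read", "transaction:create"},
    "auditor": {"account:read", "ledger:read"},
}
SENSITIVE_ACTIONS = {"transaction:create", "ledger:read"}


@dataclass
class Request:
    user: str
    role: str
    action: str
    session_age_s: int     # seconds since the session token was issued
    mfa_age_s: int         # seconds since the last successful MFA challenge
    device_managed: bool   # device enrolled in management and passing posture checks
    source: str            # "corp" or "home"; deliberately NOT used as a trust signal


def authorize(req: Request) -> Tuple[bool, str]:
    """Decide one request from scratch; returns (allowed, reason)."""
    if req.session_age_s > SESSION_MAX_AGE_S:
        return False, "session expired"
    perms = ROLE_PERMISSIONS.get(req.role)
    if perms is None:
        return False, f"unknown role {req.role}"
    if req.action not in perms:
        return False, f"role {req.role} may not {req.action}"
    if req.action in SENSITIVE_ACTIONS:
        # A valid session is not enough for sensitive actions: re-check the
        # device and require a recent MFA challenge on every such request.
        if not req.device_managed:
            return False, "sensitive action from unmanaged device"
        if req.mfa_age_s > MFA_MAX_AGE_S:
            return False, "MFA too old for sensitive action; re-challenge"
    return True, "ok"


# Constructed requests: the same user and session at different moments.
REQUESTS = [
    Request("alice", "teller", "account:read",        60,    60,   True,  "home"),
    Request("alice", "teller", "transaction:create",  120,   120,  True,  "home"),
    Request("alice", "teller", "transaction:create",  3600,  3600, True,  "corp"),   # MFA stale
    Request("alice", "teller", "ledger:read",         3700,  10,   True,  "corp"),   # outside role
    Request("alice", "teller", "transaction:create",  3800,  10,   False, "corp"),   # unmanaged
    Request("alice", "teller", "account:read",        30000, 10,   True,  "corp"),   # session old
]


def evaluate_all(requests: List[Request]) -> List[Tuple[bool, str]]:
    """Authorize each request independently; no decision is cached."""
    return [authorize(r) for r in requests]


if __name__ == "__main__":
    for r, (ok, why) in zip(REQUESTS, evaluate_all(REQUESTS)):
        print(f"{'ALLOW' if ok else 'DENY ':5s} {r.user}@{r.source:4s} {r.action:19s} {why}")
```

Note that the request from the office network with a stale MFA is denied while the request from a home network with fresh MFA on a managed device is allowed; location inside or outside the wall never enters the decision, which is the point of the model.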
Developing a Roadmap for Cybersecurity
All this requires putting enormous energy and thought into the emerging threat landscape and how it will evolve. The need to guard against current threats, which cannot be underestimated, must be balanced with careful and thorough preparation. This requires taking frequent inventory of tools and performing process analysis, as well as reviewing skills and organizational structures to identify what might become an area of risk.
From this type of ongoing assessment, financial institutions and their vendor partners create a roadmap of development aligned with what the future landscape of risk is most likely to be, according to the knowledge accrued.
The big challenge in cybersecurity, however, is the unknown.
Even the most thorough preparation and predictive accuracy cannot imagine all possibilities. In fact, more and more of the vulnerabilities exposed are zero-day, which means that the vulnerability is already being exploited by the time the security community becomes aware of it. The bigger an organization is and the more complex its processes, the more software and tools it needs for day-to-day operations, and each of those is a potential point of exposure.
What Is Zero-Day?
A zero-day cyberattack exploits a vulnerability before a bank’s security software is even aware the threat exists.
No matter how good any software is about patching and defending against threats, there will inevitably be vulnerabilities the manufacturer does not know about until they are exploited. By the time the software is updated to guard against the threat, it has already been used as a new method of attack, which means any financial institution using the software might have been exposed to the threat as well, before it was even known to exist.
When this happens, it is imperative to recognize that having the best defenses against all known threats does not equal complete security. Anomaly detection is the most effective way to guard against unidentifiable but real dangers.
Anomaly Detection: Guarding Against Next Threats
Machine learning created huge changes in cybersecurity by allowing systems to process massive amounts of data and perform at levels that could never be achieved manually. But machine learning has to be trained. It must have rules to follow, and that’s where the limitation lies. Any known threat can be named and described, and rules can be created about how to identify and defend against it. But when it comes to dealing with the next iterations of a technological Trojan horse, there are no rules because it is impossible to create rules about what is not yet known or understood.
Anomaly detection overcomes that limitation and allows the vast capabilities of machine learning to be used to defend against even the unknown. Instead of using rules to define threats, anomaly detection systems use rules to define what is normal by identifying the range of acceptable behaviors within an operation. All known acceptable behaviors are labeled as non-threatening by default, and the systems are instructed to detect and flag anything that falls outside of the normal range.
Defying the Unknown:
It may seem impossible to detect the threats one doesn't even know about, but anomaly detection software flags anything outside of normal behaviors, making even the unknown stand out.
It is a brilliantly efficient approach as the last line of defense, because once the system has been trained in what normal is, it can identify abnormalities and raise the alarm. Thus, the system is able to prevent even unknown attacks by isolating anything that triggers as an anomaly until it is proven to be acceptable. It doesn’t know that the anomaly is bad, per se; it simply knows something is not normal, and therefore the anomaly must be assumed bad until proven benign.
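The two paragraphs above describe the whole approach: label a window of known-good activity as normal, then flag anything that falls outside that range and hold it until it is proven benign. The following is an added example, not Q2's code or any vendor's product, that implements exactly that over constructed banking events. The baseline per user is the set of countries seen, the login hours seen, and the distribution of transaction amounts; a new event is held if it comes from a new country, lands far from any seen hour, or deviates from the amount history by more than a z-score threshold. The thresholds, the minimum history size and the sample events are all assumed values.

```python
"""Baseline-and-deviation anomaly detector over constructed banking events.

Added example (not Q2's code): the detector is first trained on a window of
normal activity per user, then every new event is compared against that
baseline. It does not know why an event is bad; it only knows the event is
outside the normal range, and holds it until someone proves it benign.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
import statistics


@dataclass
class Profile:
    """What 'normal' looks like for one user, learned from history."""
    hours: List[int] = field(default_factory=list)
    amounts: List[float] = field(default_factory=list)
    countries: Set[str] = field(default_factory=set)


def zscore(value: float, history: List[float]) -> float:
    """Standard deviations between value and the historical mean."""
    mean = statistics.fmean(history)
    sd = statistics.stdev(history) if len(history) > 1 else 0.0
    if sd == 0.0:
        # Constant history: any change at all is maximally abnormal.
        return 0.0 if value == mean else float("inf")
    return abs(value - mean) / sd


def hour_distance(a: int, b: int) -> int:
    """Hours of day are circular: 23:00 and 01:00 are 2 hours apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


class AnomalyDetector:
    def __init__(self, z_threshold: float = 3.0, hour_window: int = 4, min_events: int = 5):
        self.z_threshold = z_threshold   # assumed: amount deviation that counts as abnormal
        self.hour_window = hour_window   # assumed: hours away from any seen login hour
        self.min_events = min_events     # assumed: minimum history before judging
        self.profiles: Dict[str, Profile] = defaultdict(Profile)

    def train(self, events: List[dict]) -> None:
        """Label the training window as non-threatening by default."""
        for e in events:
            p = self.profiles[e["user"]]
            p.hours.append(e["hour"])
            p.amounts.append(e["amount"])
            p.countries.add(e["country"])

    def reasons(self, event: dict) -> List[str]:
        """Every way the event falls outside the user's normal range."""
        p = self.profiles.get(event["user"])
        if p is None or len(p.amounts) < self.min_events:
            return ["no baseline for user"]
        out = []
        if event["country"] not in p.countries:
            out.append(f"new country {event['country']}")
        z = zscore(event["amount"], p.amounts)
        if z > self.z_threshold:
            out.append(f"amount z={z:.1f}")
        if min(hour_distance(event["hour"], h) for h in p.hours) > self.hour_window:
            out.append(f"unusual hour {event['hour']:02d}:00")
        return out

    def triage(self, event: dict) -> Tuple[str, List[str]]:
        """'hold' anything abnormal until proven benign; 'allow' the rest."""
        r = self.reasons(event)
        return ("hold" if r else "allow"), r


# Constructed training window: alice's normal daytime activity, all from the US.
TRAINING = [
    {"user": "alice", "hour": 9,  "amount": 120.0, "country": "US"},
    {"user": "alice", "hour": 10, "amount": 95.0,  "country": "US"},
    {"user": "alice", "hour": 11, "amount": 130.0, "country": "US"},
    {"user": "alice", "hour": 14, "amount": 110.0, "country": "US"},
    {"user": "alice", "hour": 9,  "amount": 100.0, "country": "US"},
    {"user": "alice", "hour": 13, "amount": 115.0, "country": "US"},
    {"user": "bob",   "hour": 8,  "amount": 40.0,  "country": "US"},
]

# Constructed new events to triage.
NEW_EVENTS = [
    {"user": "alice", "hour": 10, "amount": 105.0,  "country": "US"},   # normal
    {"user": "alice", "hour": 3,  "amount": 5000.0, "country": "RO"},   # everything is off
    {"user": "alice", "hour": 10, "amount": 160.0,  "country": "US"},   # only the amount is off
    {"user": "bob",   "hour": 8,  "amount": 40.0,   "country": "US"},   # too little history
]


def run_demo() -> List[Tuple[str, List[str]]]:
    det = AnomalyDetector()
    det.train(TRAINING)
    return [det.triage(e) for e in NEW_EVENTS]


if __name__ == "__main__":
    for event, (verdict, why) in zip(NEW_EVENTS, run_demo()):
        print(f"{verdict:5s} {event['user']:6s} {why}")
```

Two design points matter in practice. A user with too little history gets held rather than allowed, because "no baseline" is itself an absence of proof that the behavior is normal. And the reasons list is returned alongside the verdict so that an analyst can see which part of the baseline was violated; the detector itself never claims to know what the anomaly is, only that it is not normal.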
Keeping Bank Cybersecurity Defenses Current
Every security system should be an evolving system, not only in terms of adding more layers of defense — from perimeter to zero trust to anomaly detection — but also ensuring that each layer stays updated and current. For example, Q2 subscribes to dozens of feeds from vendors and security groups so that our systems get real-time updates as different groups gain intel and make adjustments.
Each layer of cybersecurity requires work to implement and tune so it does what it is supposed to do. It is important to go in order, starting with the outer layer of perimeter defense, which will block most threats. Then rely on a zero trust model to prevent internal privileged access issues, followed by adding the final layer of anomaly detection to guard against the unknown. Once one layer is fully implemented, shift focus and resources to the next layer while maintaining and updating what is already in place.
With a security posture focused on evolving with technology, security systems can be built that hold the frontline and prevent damage from whatever version of a Trojan horse shows up at the digital gates.