The key pillar of cyber defence
Anthony Perridge, VP of International at ThreatQuotient, on why cyber threat intelligence is key to trust and security for the digital finance world
In 2017, the value per Bitcoin reached over €20,000 (£17,324) – a climax in the hype surrounding the cryptocurrency. However, confidence has been lacking for the price to remain stable. To date, online currencies are more speculation than real means of payment as concerns around security are being raised. An establishment is only possible if users believe in the value’s sustainability, and this applies to every means of payment.
In no industry is the subjective perception of security as important as in the field of finance. Both private users and large customers are increasingly handling transactions online, so the fear of digital innovation isn’t what stops them from adopting this type of currency. It’s security they really care about, or rather their data’s security. The financial sector has acknowledged this and, must above all focus on security to appease the apprehensions some might have.
Blockchain is considered safe to this day, yet speculation is causing such great uncertainty that cryptocurrencies have not yet developed into serious competition for established currencies. IT decision-makers should therefore always keep in mind the importance of the users’ sense of security in their industry. As part of their digital transformation, many financial organisations have implemented several security tools and also have their own security teams.
These are necessary to comply with legal requirements. After all, almost all other sectors depend on the financial sector. Of course, it is also about the security of customers and partners’ data. Therefore, it is not surprising that this industry has taken a pioneering role over the years. While some organisations already have their own Security Operations Centres (SOCs) to respond to potential threats and identify Indicators of Compromise (IoCs), they should think about other ways to optimise their organisation’s cybersecurity.
From information to intelligence
The SANS Institute recently investigated the latest developments in security and revealed that companies are increasingly taking advantage of Cyber Threat Intelligence (CTI). The findings show a development that goes beyond the expertise of IOC and gives a new perspective of Threat Intelligence.
It is well known that public sources such as the National Cyber Security Centre (NCSC), security vendors and open source communities publish reports and threat feeds on current threats. At the same time, security tools such as Security Information and Event Management (SIEM) or firewalls also collect information that can be used to combat threats and create a situational picture. In addition, there are industry-specific Information Sharing and Analysis Centres (ISACs) that organisations can participate in. The number and quality of both information sources and IoCs continues to grow and is currently the most important resource for an effective cyber-defence.
However, the trend is moving towards Tactics, Techniques and Procedures (TTPs), meaning a better understanding of how the attackers want to penetrate victims’ networks. Instead of focusing only on the evidence of attacks, IT teams should work to stay one step ahead of the criminals by anticipating their next steps: leveraging cyber threat intelligence.
Thus, it is necessary to step away from the manual evaluation of individual fragments to the building of strategic knowledge about the danger landscape and the extent of the threats for their own systems. Without support, the analysis of IoCs is extremely time-consuming. Indeed, IT teams in the financial sector can sometimes find themselves having to compare and check data from different sources manually. In this situation, there’s no agreement on the activities between the individual teams, the work becomes inefficient and information silos start to emerge. At the same time, the number of attacks continues to increase, and the growing networking infrastructures are also more complex.
When IT departments do not have an overview of their own security situation, there is no basis for creating trust – the basic but crucial quality that we mentioned earlier. CTI works at this point: SANS notes that after deploying an appropriate platform, 81 percent see their defence and detection capabilities as improved. It involves partial or complete automation to turn the available information into actionable intelligence and use it in your own organisation.
Building your own Threat Library in practice
It takes a variety of tools and processes to set up your own cyber threat intelligence platform. However, most financial companies already have the most important components for implementation. Often internal data sources already exist: SIEM solutions or threat information from security providers whose solution is used (IDS, Firewall, End Point Security). As mentioned, government agencies and open source offerings (such as www.malwaredomainlist.com) also have reports and analysis. In addition, information from industry associations and their own analyses of network traffic can be incorporated.
The challenging final step is building a cross-platform. The SANS speaks of a collection management platform (CMF), which is characterised mainly by building a local threat database, in which all data from external and internal sources are stored in a central location. In addition, the information should then be automatically aggregated, normalised and de-duplicated, as well as relevance and priority for the own company be checked by means of a scoring system. The Threat Library serves as a “single source of truth” for all teams and systems within a company.
In terms of personnel, there are many departments that should be considered: in addition to SOCs and incident response teams, IT operations and security teams can also coordinate their actions with one another via a CTI platform. Of course, the departments are very differently positioned, especially in the financial area. This is why there are also own teams for compliance and audits, but also for the management of vulnerabilities. Moreover, service providers also took on such tasks.
Depending on the size and budget of an organisation, service providers play an important role. However, SANS experts are increasingly recommending partnerships and cooperation rather than considering outsourcing altogether. Proper management of the threat situation is essential, since the cyber threats are already an integral part of everyday life in the area of finance, and organisations must prepare themselves for further attacks. The question then arises as to whether and how strongly your own company is affected.
The Threat Intelligence Platform figures speak for themselves: survey respondents recognise the greatest benefits in improving their security operations, threat detection, and attacks, and blocking. Coordinating the use of CTI proved to be of particular value to 90 percent of users stating that it has improved the visibility of threats in their own network environment. Additionally, in almost all cases, the accuracy and speed of eliminating noise improved.
These are all areas that directly affect the user experience. Banking and payment in the digital world are particularly dependent on customers’ trust and subjective sense of security. Therefore, players in the industry need to have a clear understanding of the overall threat situation and their individual threat situation in order to respond properly at all times.