How Continuous Monitoring Can Help Financial Services Firms Avoid Cyber Attacks

Follow these steps to achieve comprehensive visibility. They aren’t easy but they are necessary.

By Ryan Kalember, Director, ArcSight

Although cyber war and cyber espionage have captured recent headlines, cybercrime directed at financial institutions and their clients continues to wreak the real havoc on the Internet. Financial fraud cases won't astonish casual observers the same way news of Stuxnet malware infiltrating computer systems to send uranium-enrichment centrifuges spinning out of control does, but financially motivated cybercrime affects far more people, while enriching immoral people around the world.

Things are not getting better, either; cross-channel attacks and the occasional spectacular public incident make it clear that the way many financial institutions approach fraud is at best inadequate. The only realistic way to combat modern cyber fraud methods is a continuous monitoring approach, focusing on establishing a comprehensive view of user activity, infrastructure events, and banking transactions.

The current approach to fraud monitoring has three primary blind spots. First, most banks deal with fraud with dedicated teams for different financial products, such as electronic (ACH) transfers, Web banking, and wire transfers. This specialized model worked well for a long time, as fraud methods (for example, check kiting) were largely specific to one type of transaction. Now that financial firms are more diversified and have pushed most, if not all, of their services online, gaps have opened for fraudsters to exploit vulnerabilities across banking transaction types.

To compound the problem, many security breaches now start with cyber criminals compromising internet-connected systems, which can lead to deeper penetration into bank systems and consequently increases fraud risk. However, financial institutions rarely correlate data between their information security and fraud teams, creating another substantial blind spot.

The final gap comes from the inside. Fraud and information security teams alike typically do not perform sophisticated monitoring of privileged accounts. A recent noteworthy example of the abuse of privilege occurred in France, where Jérôme Kerviel allegedly illegally accessed computers and executed fictitious trades on a trading desk at Societe Generale to risk almost €50 billion, well beyond his trading limit, nearly €5 billion of which he lost. If the Societe Generale information security team had focused on the activity of those traders, they would have seen an anomalous number of accounts used on Kerviel’s computer and could have detected signs of his fraudulent activity.

This situation is analogous to what banks faced when evaluating their portfolio risks before the recent financial crisis. For example, siloed risk tools became notably less effective in calculating cascading risk originating from bad mortgages. A banking customer falling behind on his mortgage would very likely have an impact on mortgage-backed securities tied to that loan, which might have been on the same bank's books. Many risk tools were inadequate to monitor that exposure, but pioneering vendors helped convince many banks to take a systemic view of risk, correlating information across multiple dimensions. This helped some banks survive the financial crisis in better shape than their peer institutions.

The same approach is needed to combat cyber fraud. A system that can collect data from all relevant sources and correlate it intelligently can help detect the activities of sophisticated fraudsters. Cross-channel attacks, which take advantage of the first blind spot mentioned above, have given new life to fraud techniques such as phishing.

Many banks now require extra validation for initiating wire transfers online, but phishers can obtain much of that data by looking at a phishing victim’s profile on a Web banking portal. Banks may not correlate the suspicious activity patterns of phishers logging on to Web banking portals with the fraudster’s next step: convincing a call center operator to authorize the wire transfer they could not do online.

The second gap (the lack of coordination between information security and fraud teams) was spectacularly exploited at RBS Worldpay. Hackers stole over $9 million by gaining access to RBS Worldpay’s computer systems, creating counterfeit debit cards, figuring out PINs to make withdrawals, raising the daily withdrawal limit up to $500,000, and unleashing a network of "cashers” in over 200 cities worldwide to take cash out of ATMs.

There were three key opportunities to catch these fraudsters. The first was their initial network security breach by which they gained access to the server running the prepaid debit card system. The second was their compromise and misuse of administrative privileges on that system -- presumably the limit for a prepaid debit card had never been raised to such limits, and the system was probably typically accessed only locally and during business hours. The third was when the cash was streaming out of the ATMs -- withdrawing such amounts was likely an anomalous amount of money for any type of debit or ATM card. Complete visibility across the systems, user accounts, and account transactions would have given the RBS Worldpay information security and fraud teams a greater chance of stopping the heist before damage was done.

The steps needed to achieve comprehensive visibility are by no means easy; they may require reorganization, new technology, and above all, a shift in mentality. The alternative is to accept that sophisticated hackers will frequently be able to pull off heists of a size that the CEO of the bank will notice, accompanied by unpleasant media attention, investigations, and perhaps litigation.

Finding the Right Solution

There are a number of different tools that may make the transition easier. Security information and event management (SIEM) tools have addressed a similar problem for network security, and they have the capability to perform the rules-based correlation, anomaly detection, and pattern analysis required to detect sophisticated fraud. Many tools have also enabled processing and storing information; for instance, the Common Event Format (CEF) provides a framework that can be extended to include the types of information relevant from a fraud perspective (such as account numbers and transaction types) that aren't typically addressed by network security-centric information security tools.

Network security events and transactions are simply data; the key is to select and invest in a platform that can be extended to collect and intelligently process all the data sources relevant to fraud analysis. The approach is a direct contrast with the specialized point solutions of the past and, ideally, the platform should collect or integrate with data from these legacy systems.

In the short term, financial services firms should take a high-level look at their various fraud initiatives and determine where integration may make sense. In most cases, it is easiest to start by enabling data sharing between the technologies used by the various fraud protection groups, then address integrated fraud response processes so the teams develop strong working relationships. In parallel, many financial firms would benefit from extending existing processes, such asinformation security monitoring, in new directions, most notably user activity monitoring.

In the longer term, financial services firms should work toward a comprehensive view of enterprise risk, including both fraud and information security monitoring. The gaps inherent in the traditional approach clearly give cyber criminals too much room to slither around security controls.

Ryan Kalember is a director at ArcSight, an HP company, that specializes in cybersecurity and compliance solutions that protect organizations from enterprise threats and risks. You can contact the author at

Must Read Articles