This summer, more than one million Capital One clients had their information breached, furthering the financial sector’s infamous reputation of being the most breached industry with 35 percent of all data breaches. However, the driving force is not just that breaches in the financial sector can be lucrative for those attacking, it is also due to the fact that in an effort to meet consumer demands for access to accounts and transactions anywhere, anytime, this industry has moved more quickly than others on the digital transformation journey. In the process, the financial sector has dramatically grown its cyber terrain, and burdened itself with too many unorganized and insecure systems for the millions of transactions it processes daily.
Breach news and metrics jeopardize organizational trust. The industry needs to approach cybersecurity as a bigger piece of its customer experience and as part of its practices. The sector’s current cybersecurity solutions rely on monitoring an abundance of data. This is overburdening security teams that are already under staffed. These solutions are simply unable to effectively monitor the volume of data, nor can they effectively identify problems that indicate malicious or potentially harmful activity. Security professionals are left chasing benign alert after benign alert.
Emerging security technologies like deception security offer a new way to both deter attacks and prevent data loss. Cyber deception relies on building a layer of decoys or hosts that project an appearance of being real machines to confuse and misdirect adversaries. It also offers a way for teams to collect threat intelligence which can be used to improve overall security.
How Deception Security Works
Breadcrumbs—in the form of files, email, documents, fake credentials, cookies in the browser or application data—are distributed as bait among real-assets and decoys. As there is no real reason to access the decoys, anyone engaging with a decoy is a potential threat. Once they’ve attracted interest, decoys alert the system of the threat, block the attacker from accessing real assets, and send the attacker off on in a futile search, bombarding them with additional fake services and data for engagement. Meanwhile, security personnel may observe the activity in a safe manner.
This method changes the terrain’s appearance by altering the attacker’s perception of what is exploitable, thereby removing the attacker from the true terrain. This reduces the workload of security teams as they no longer need to go over false alerts. Rather, they can use deception as a starting point to hunting.
Modern deception uses emulation or virtual-machines for decoys and services, and does not increase an organization’s risk profile (does not increase the attack surface). Efforts to deploy deception and administrate it are actually very low, especially when the deception solution is automated. To be clear, a deception system can be largely automated—based on network and asset discovery including decoy creation, decoy and breadcrumb distribution, to adapting to network and resource changes—while alerting security operations of activity on a pre-determined basis.
Any good deception solution is frictionless; it does not interfere with the networking or the process of the organization. Deception tech is a viable means of security and protection to both deter attacks and prevent data loss.
The Stakes in the Financial Industry
The financial industry pays the highest cost from cybercrime, about $18.3M per company according to an Accenture survey. Organizations are struggling to effectively integrate security into their infrastructure as is. With the vast number of customer-owned devices connecting to their networks, financial sector organizations will never be able to fully secure their entire terrain via endpoint, middleware and authentication systems. However, achieving visibility across the entire breadth of network traffic forces staff to create new rules and log analysis that can accurately identify an anomaly versus normal network behavior. As adversaries continually evolve their attack methods, this grows increasingly difficult. IT and security staff must keep up with the exponentially increasing network terrain in addition to anticipating how threat actors will evolve their attack methods.
In short, financial organizations can no longer get by fighting security threats as they arise. The Capital One breach itself exposed approximately 100 million people's personal data, including nearly about 80,000 bank account numbers and 140,000 Social Security numbers. Not only can a breach like this become a massive law suit, but it hurts the organization’s relationship with its customers and key stakeholders.
Organizations with mature cybersecurity operations have already begun adopting deception technologies. Many more small- and mediums-sized organizations initiate deployments every day to help support protection of un-managed hosts. Others need to follow suit.
Although deception technology can be used in limited network areas, its true power is best experienced after an organization deploys the solution across its entire cyber terrain – giving organizations a clear view of their attack surface and key vulnerabilities. This eliminates blind spots in which threat actors can potentially hide and better helps financial organizations better protect their entire terrain.
Already a leader in digital transformation and putting customer experience first, the financial industry can also take the lead in cyber security and putting customer protection first. Deception practices can help turn the tables.