White Paper

Security in Financial Services: Protect Your Firm from Zero-Day Threats

What You Will Learn

Acquiring effective tools and skilled workers to combat the ever-increasing number and sophistication of zero-day threats and targeted attacks against financial services firms can add significant costs. This white paper provides an overview of the threat landscape and the challenges these firms face as they seek to protect themselves from cyber attacks. It then describes the features of Cisco® Cloud Web Security Premium, the cloud-based security-as-a-service solution from Cisco that can help secure your organization against zero-day threats.

Overview

Banks and other financial institutions have long understood that cybercriminals are targeting them, and they have taken steps to protect their data and systems. The New York State Department of Financial Services 2014 Report on Cyber Security in the Banking Sector found that nearly 90 percent of the 154 institutions surveyed, from community and regional institutions to large global ones, report having an information security framework in place. The elements of such a framework include policies, training and education, cyberrisk management and audits, incident monitoring and reporting, and a combination of security tools.

Despite these efforts, cyber attacks on financial institutions are growing every day in strength and velocity across the globe, and the ramifications are costly. The Carbanak attack discovered in early 2015, in which hackers infiltrated more than 100 banks across 30 countries and stole as much as $1 billion over the course of two years, is a recent and dramatic example. Just prior to that attack, another successful attack targeted 14 other financial firms. According to the Ponemon 2014 Cost of Data Breach Study: Global Analysis, the financial services industry bears one of the highest per capita data breach costs per company at $206 million, well over the mean value of $145 million.
Financial services firms face a set of business dynamics that create significant security challenges. These include:

● Mergers and acquisitions: With the 2008 recession now over, financial services firms are looking at mergers and acquisitions with renewed focus as a way to expand their customer bases and respond to a competitive and regulatory environment that favors scale. According to the KPMG 2015 M&A Outlook Survey Report, the financial services industry is among those expected to dominate mergers and acquisitions in 2015. Implementing standard security policies for the new integrated organization while reducing the cost and time involved can be a challenge.

● Roaming users: Though the financial industry has lagged behind other industries, it is quickly catching up in allowing employees to work from home or in other remote locations. Providing employees with the option to work remotely is sometimes a critical capability in attracting top talent. It is imperative to protect employees and maintain security policies while they work out of the office.

© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 8

● Complexity and fragmentation: The New York State Department of Financial Services 2014 Report finds that a large majority of firms are using a combination of security tools. These include antivirus software, spyware and malware detection, firewalls, server-based access control lists, intrusion detection tools, intrusion prevention systems, vulnerability scanning tools, encryption for data in transit, encrypted files, and data loss prevention tools. Costly and complex to integrate and manage, this patchwork of solutions from too many vendors drives up management costs, or operational expenses (OpEx), and still leaves security gaps.

● Global talent shortage: An industrywide talent shortage compounds the challenge of maintaining a strong security posture.
For 2014, the worldwide shortage of security professionals is estimated at more than a million, with 210,000 cybersecurity job openings in the United States alone, according to the 2015 Department of Labor. Chief information security officers (CISOs) struggle to attract and retain talent as the competition for coveted security skill sets increases.

● Advanced threat landscape: Today, the threat landscape is more dynamic and advanced than ever before. According to the Cisco 2015 Annual Security Report, malware is becoming increasingly sophisticated and elusive, and cybercriminals are launching attacks through a variety of attack vectors, including tools that users trust or view as benign. Furthermore, targeted attacks are on the rise, creating a persistent, hidden presence within an organization from which to execute their mission.

Financial Services Threat Landscape

Cybercriminals don’t discriminate when it comes to industry. Financial institutions around the world are subject to malware, phishing, ATM skimming, and distributed-denial-of-service attacks, with the most serious information losses coming from targeted attacks. Today’s threats change with time, evading detection by point-in-time solutions. To combat today’s advanced attacks, financial firms need a threat-centric approach to security that provides continuous protection not just before an attack happens but also during and after an attacker or malware penetrates the network.

For an attacker, privileged account access is the proverbial payload. Account access provides powerful controls to IT administrators and restricted user groups. According to the top global threat investigation firms that contributed to a Federal Bureau of Investigation report, at least 80 percent of all serious security incidents investigated include compromised and misused privileged accounts at some point in the attack lifecycle.
With privileged access, attackers can move laterally to other systems faster and more easily, with little risk of detection, persisting for months or even years. Gaining access to privileged accounts can be accomplished in a number of ways, including malvertising, watering holes, and phishing.

● In malvertising, online advertising is used to spread malware. Victims are infected with malware in the course of their normal Internet browsing: for example, reading a trusted news source online. Malware can be downloaded without the user even clicking the advertisement.

● In watering hole attacks, attackers use specific industry-related websites to deliver malware. For financial services firms these could be websites that employees check frequently for financial or regulatory data.

● Phishing attacks combine spam and social engineering to create emails that appear to be legitimate in an attempt to gather personal or financial information from the recipient. An example of a phishing attack could involve an executive who delivers a keynote address at a conference. A savvy attacker sends the executive an email claiming to have a video of the address and asking the executive to click the link to view it. When the link doesn’t work, it directs the executive to update a driver that appears to be benign but in reality contains malware.

Other examples of attacks targeting the financial services industry are shown in Table 1.

Table 1. Attacks Common to the Financial Services Industry

Attack | Description | Cisco Talos Threat Research Analysis
Zeus | Steals passwords from privileged access users by hijacking web browsers. | Reported in CNET article on Zeus Trojan
String of Paerls | Exploits a feature within Microsoft Word email attachments in order to download malware from Dropbox. | Cisco Security blog post: “Threat Spotlight: A String of ‘Paerls,’ Part One”
Regin | Highly sophisticated malware with a multistage architecture that, once fully installed, contacts a command-and-control server and exfiltrates user data, such as keystrokes and screen shots. | Cisco Talos blog post: “Cisco Coverage for ‘Regin’ Campaign”
Dridex | Email campaigns that trick users into installing malicious software on their systems. It disguises itself as a Microsoft Office macro and then steals online banking credentials when the user accesses her banking site. | Cisco Talos blog post: “Dridex Is Back, Then It’s Gone Again”

The Depository Trust & Clearing Corporation (DTCC), for the third quarter of 2014, found that 84 percent of financial firms ranked cyberrisk as one of their top five concerns, up from 59 percent in the first quarter. Close to 40 percent of financial firms say the probability of a “high-impact event” on the global financial system has intensified in the past six months, and more than 75 percent have added more resources to detecting and mitigating “systemic risks” over the past year.

Finance Network Infrastructure and Security Challenges

CISOs are chartered with making security a business enabler. However, a global talent shortage, a complex and fragmented set of security tools, and a network infrastructure that can contribute to security gaps can make this a difficult challenge. Here are just a few aspects of the typical financial services industry network infrastructure that can present security challenges:

● Many times, for branch office networks, the security and access policies for user groups are extended to mirror the policies in headquarters. All traffic is then sent back, or “backhauled,” to headquarters. This drives up latency and bandwidth costs.

● Large amounts of M&A activity bring new locations into the corporate infrastructure.
In the case of rightsizing, when organizations undergo organizational changes (which are common in the case of M&A), networks and user groups need to be adjusted to account for the changing user base. At the same time, policies need to remain consistent. This constant churn in network provisioning creates additional complexity and requires additional management, taking critical resources away from threat identification activities.

● Data privacy requirements vary by geography, and global financial institutions must be able to set global security policies that can be adapted by region. Further, organizations must be able to anonymize data used in security reporting.

● Many financial services firms are underserved by point-in-time security solutions that lack the network visibility and integration necessary to detect complex zero-day threats. Security professionals, already understaffed, are stretched too thin as they must manage a myriad of disparate solutions.

Cisco Cloud Web Security: Low Maintenance and Zero-Day Advanced Threat Protection

Cisco has developed a cloud solution that administers and controls network usage in ways that can prevent threats and block malicious activities. Furthermore, Cisco can block zero-day threats and identify breaches that have already occurred, while at the same time lowering the amount of management and maintenance required. Five specific features work together to combat zero-day threats, on top of the Cisco Cloud Web Security (CWS) web filtering and application control features.
They include:

● Talos Security Intelligence and Research Group
● Outbreak intelligence
● Application Visibility and Control
● Cisco Advanced Malware Protection (AMP)
● Cognitive Threat Analytics (CTA)

Outbreak intelligence is a CWS feature that scans the different components of a website for components that behave in a way that might indicate the presence of malware. If an object does not conform to known or expected behavior, CWS runs the component through real-time heuristic analysis to see how it behaves in a controlled environment. From this analysis, outbreak intelligence identifies malicious behavior before the content is served to the user. If a webpage component is identified as malicious, the user is still served the web page, minus the part that contained the malware. Figure 1 shows an example of a webpage where individual malicious components have been blocked and the harmless parts of the page have been allowed.

Figure 1. How Outbreak Intelligence Blocks Malicious Components of a Webpage

Outbreak intelligence complements Application Visibility and Control (AVC), which allows for setting policies as specific as which applications or which parts of social media sites users can access. Activities and actions on web applications can also be controlled based on policies.

Cisco AMP is the industry’s only retrospective security solution, and it can help stop a zero-day threat once it has breached the network. The AMP File Retrospection feature tracks the spread of any file within the environment and monitors the disposition of the file over time. If AMP File Sandboxing or Talos determines a file to be malicious, file retrospection can instantly identify every instance of the file within the environment.
File retrospection addresses the problem of malicious files that pass through perimeter defenses and are only later deemed to be a threat, providing a way to detect and defeat them. It combats polymorphism, obfuscation, sleep timers, and other highly effective tactics that avoid initial detection.

Figure 2. Cisco Cloud Web Security Features

Extending the capabilities of AMP, CTA identifies security breaches by using behavior analysis, machine learning, and anomaly detection. Once this capability is engaged, it discovers threats on its own. CTA excels where other zero-day threat detection methods might fail because it uses analysis over time to figure out what an abnormal event actually looks like in a network. Its big data capabilities also allow it to identify smaller incidents from discrete attacks that can add up to inflict big damage on an organization. CTA takes advantage of the processing power of the cloud to ingest and analyze data continuously, from all traffic and from all users. It processes 7.5 million requests every minute from around the world.

Both outbreak intelligence and CTA use the cloud to add an element of computation through smart and resource-heavy engines. However, the fact that CWS Premium boosts processing power does not mean that it has to displace appliances already in place within an organization. As shown in Figure 2, CWS Premium can be deployed with multiple products, such as Cisco Adaptive Security Appliance (ASA) firewalls, the Cisco Web Security Appliance (WSA), Cisco Integrated Services Routers Generation 2 (ISR G2), or the Cisco AnyConnect client. It can also be deployed through a standalone traffic redirection method.

Talos is Cisco’s threat detection network, administering 4.2 billion web filtering blocks per day across the Cisco security portfolio.
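As an added illustration of the retrospection idea described above (this is not Cisco code and does not reproduce the AMP implementation), the following Python sketch records every file by hash as it enters the environment; when a later sandbox verdict flips the disposition to malicious, it returns every earlier sighting for remediation and blocks further copies on arrival. The FileRetrospection class, host names, paths and file contents are all constructed.

```python
"""Added illustration of retrospective file analysis (not Cisco code).
Every file crossing the perimeter is fingerprinted and its sightings are
kept, so a later change of disposition can be applied to the past."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    host: str      # constructed endpoint name
    path: str      # where the file landed on that host
    seen_at: int   # constructed timestamp (minutes since day start)


class FileRetrospection:
    """Track files by SHA-256 and re-evaluate past sightings whenever a
    file's disposition changes."""

    def __init__(self):
        self.sightings = defaultdict(list)  # sha256 -> [Sighting, ...]
        self.disposition = {}               # sha256 -> unknown|clean|malicious
        self.blocked = []                   # copies stopped at point of entry

    @staticmethod
    def fingerprint(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def observe(self, host: str, path: str, data: bytes, seen_at: int) -> str:
        """Record a file entering the environment. A known-malicious file is
        blocked immediately; anything else passes under its current verdict."""
        digest = self.fingerprint(data)
        self.sightings[digest].append(Sighting(host, path, seen_at))
        verdict = self.disposition.setdefault(digest, "unknown")
        if verdict == "malicious":
            self.blocked.append((host, path, seen_at))
        return verdict

    def update_disposition(self, digest: str, verdict: str) -> list:
        """Apply a later sandbox or threat-intel verdict. When a file that was
        previously allowed turns out to be malicious, return every earlier
        sighting so each affected host can be remediated."""
        previous = self.disposition.get(digest, "unknown")
        self.disposition[digest] = verdict
        if verdict == "malicious" and previous != "malicious":
            return [(s.host, s.path, s.seen_at) for s in self.sightings.get(digest, [])]
        return []


def demo() -> dict:
    """Constructed scenario: a macro document (placeholder bytes, not a real
    sample) passes the perimeter twice, is later judged malicious by a
    sandbox, and a third copy is then stopped on arrival."""
    tracker = FileRetrospection()
    sample = b"constructed-macro-document-bytes"
    digest = tracker.fingerprint(sample)
    first = tracker.observe("fin-ws-01", "C:\\Users\\a\\Downloads\\invoice.docm", sample, 10)
    second = tracker.observe("fin-ws-07", "C:\\Users\\b\\Downloads\\invoice.docm", sample, 25)
    # Hours later the sandbox verdict arrives: retrospection surfaces both hosts.
    affected = tracker.update_disposition(digest, "malicious")
    third = tracker.observe("fin-ws-12", "C:\\Users\\c\\Downloads\\invoice.docm", sample, 90)
    return {"initial_verdicts": (first, second), "affected": affected,
            "later_verdict": third, "blocked": tracker.blocked}


if __name__ == "__main__":
    print(demo())
```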
It automatically updates CWS Premium with real-time threat information. Talos provides a 24-hour view into global traffic activity, helping Cisco to analyze anomalies, uncover new threats, and track traffic trends. It monitors 35 percent of the world’s email traffic and gathers information and context from 1.6 million sensors and 150 million endpoints. With all of this data collection, Talos processes 100 TB of data on a daily basis.

In addition to helping financial services firms effectively deal with advanced attacks, CWS helps institutions overcome many of the security challenges that business dynamics create. For example:

● By redirecting traffic through AnyConnect, CWS Premium offers endpoint protection for roaming users.

● Redirecting traffic to CWS Premium provides a simple solution to the challenges associated with backhauling traffic. Instead of traffic going to headquarters for security analysis, it goes directly to the cloud and CWS Premium.

● CWS Premium can decrease the number of security personnel required to deploy and manage the solution through a single management and reporting capability. The administrator can set policies and gather reports from one interface. Policies can be set to anonymize user information displayed in reports, addressing data privacy requirements.

● For right-sizing and M&A situations, policies can be set once and applied across multiple locations. Policies and reporting can even be synchronized between CWS and Cisco WSA, allowing for easy policy control and reporting.

● CWS Premium has features that protect an organization before, during, and after an attack. Point-in-time solutions can protect only before an attack, and they become useless if a large number of discrete zero-day attacks successfully penetrate the network.

How Cisco CWS Can Help a Financial Services Firm

This real-world example shows how Cisco CWS can protect a financial services firm from today’s threat landscape.
Laurent, a CISO for a large financial services company in France, is disconcerted by the recent news regarding security breaches in the retail industry. His company is looking to make a significant, strategic acquisition of a company in England, and Laurent expects that his network will eventually be compromised. He has a small security team, and labor laws make it difficult for Laurent to scale his team up or down in a short period of time. He also does not have the budget to hire more help, but he needs a larger team in order to complete the network integration in good time. With the support of the CEO, he decides to use the acquisition as an opportunity to create an innovative security strategy.

After working with his Cisco account representative, Laurent decides to purchase the following Cisco solutions:

● Cisco Migration Services
● Cisco Identity Services Engine
● Cisco Cloud Web Security Premium
● Cisco AnyConnect (for the branch office only)

He currently has the following Cisco products installed at headquarters:

● Cisco Web Security Appliance
● Cisco AnyConnect

Cisco Migration Services provide the CISO with the focused support and guidance needed to implement the new architecture. This means planning and building the right capabilities at headquarters to manage the employees coming onto the network from the acquisition. Cisco Services professionals develop and implement a plan, incorporating both Cisco and third-party products. Cisco Migration Services are especially important in the implementation of the Cisco Identity Services Engine (ISE), helping to extend highly secure access to the new employees and ensure that the right people have access to the right data within the organization. Since Cisco ISE supports multiple Active Directory forests, it can designate and safeguard access based on Active Directory groups.
At headquarters, content security is already provided by the Cisco WSA, and AnyConnect is the VPN client. The CISO decides to purchase AnyConnect for the new branch office. He uses AnyConnect as the primary redirection method for Cisco CWS Premium, which he will deploy at both headquarters and branch offices. Through CWS Premium in both locations, he can protect roaming users and extend CTA coverage.

Knowing that his organization will eventually be compromised, Laurent is willing to move heavy processing to the cloud in order to be better equipped to detect zero-day threats. Redirecting traffic to CWS through AnyConnect protects browsing traffic for roaming users through an SSL tunnel to the cloud proxy, relieving the organization of the need for a full-tunnel VPN for roaming users’ browser traffic. Together, AnyConnect and Cisco ISE also allow for posture checks on endpoints, providing even more detailed visibility into users on the network.

CWS Premium brings the CISO a “postbreach” view of existing web traffic data, into which he previously had no visibility. Furthermore, he gains this visibility with no extra effort on the IT operations side. As shown in the CTA portal in Figure 3, within one month of the new security installation, CTA provides a report of a zero-day breach affecting eight current users. The CISO’s team shows him that more than 100 users in more than 50 companies have been affected by this attack, so the threat is industrywide. Thanks to the early detection, he immediately remediates the issue on the eight affected users within his company from the last forty-five days by reimaging their devices.

The Cisco Migration team has already fulfilled its purpose, and the CISO’s own security team is now handling day-to-day security policy management and reporting. Meanwhile, Cisco ISE is delivering visibility, context, and dynamic control of network access policy as the organization continues to grow through new acquisitions.
Figure 3. Cisco CTA Portal

Expanding his current deployment of Cisco products with additional Cisco security products and services, the CISO is able to address the challenges of delivering consistent security as the organization expands to include the newly acquired firm, providing highly secure access for remote workers, and protecting against zero-day threats, all without hiring additional staff.

Conclusion

Financial services firms can combat zero-day threats with the cloud-operated big data analysis available with Cisco CWS Premium. Furthermore, they can lower operating expenses while overcoming business challenges like supporting roaming users, mergers and acquisitions, branch office bandwidth requirements, policy consistency, and reporting mandates. Acknowledged as a leader in the network security market by Gartner, Cisco CWS offers a smart way not only to provide a high quality of security but also to make security a business enabler with low operating and management costs.

For More Information

For more information, visit http://cisco.com/go/cws.

Printed in USA C11-734318-02 3/16