A recent trend has seen organisations leveraging the cloud for their critical workloads. Specifically, the FinTech industry is shifting from being cloud averse to a cloud-first strategy, given the increasing demands of digital transformation. While this has made lives easier today, being online opens the door to increased risk and vulnerabilities. Security risks include malware attacks, cloud environment security risks, data breaches, application security risks, system outages and so on. That being said, developing a comprehensive plan to detect threats and protect data is of utmost importance for the FinTech industry.
Because the industry is highly regulated, it is important that threat detection sits at the top of the list in any such organisation's cloud strategy.
The economy is trying to recover gradually after the global crisis caused by the pandemic. Innovations are crucial to this revival. Building a risk-free online ecosystem is an important task for our financial systems to function seamlessly.
Top threat detection strategies to consider
Focus on complete coverage and visibility
The attack surface has expanded exponentially with organisations working in hybrid environments. A larger attack surface leads to increased security costs, preventing organisations from securing data sources lower down on the priority list. Threat actors thus focus on the bottom of the list (unsecured and therefore easier targets) as an entry point. Hence it is pivotal that organisations focus on increasing their visibility across the entire ecosystem. This will enable them to correlate and detect threats at the very first stage of the kill chain.
Leverage threat intelligence (TI)
TI feeds enable organisations to enrich events and validate them against known signatures, forming an effective way to detect threats. SIEMs, antivirus and IDS systems utilise these TI feeds to increase the value of the data ingested. More importantly, TI feeds or validation APIs allow you to attribute attacks to campaigns and threat actors. This way you are able to anticipate threat possibilities and envisage scenarios before they actually manifest.
Analysing user behaviour
Baselining normal behaviour (access, logins, locations, etc.) and validating active behavioural changes against those baselines with UEBA will enable organisations to detect abnormal patterns. Unrelated activities detected in the network over time also act as building blocks for detecting external threats. Behaviour analytics gives you the ability to identify threats that were previously undiscovered or that existing controls were not designed to detect.
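As an added illustration of the baselining idea (not code from the original article), the snippet below builds a per-user profile of login countries and login hours from a constructed set of successful logins, then flags new events that fall outside that baseline; the user names, countries and timestamps are invented sample data, and the two-hour tolerance is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample baseline window (not real logs): user, UTC timestamp, source country, outcome
BASELINE_EVENTS = [
    ("alice", "2024-03-01T09:12:00", "GB", "success"),
    ("alice", "2024-03-02T08:55:00", "GB", "success"),
    ("alice", "2024-03-03T10:20:00", "GB", "success"),
    ("alice", "2024-03-04T02:10:00", "GB", "failure"),  # failures do not shape the baseline
    ("bob", "2024-03-01T14:05:00", "IN", "success"),
    ("bob", "2024-03-02T15:30:00", "IN", "success"),
    ("bob", "2024-03-03T13:45:00", "IN", "success"),
]


def build_baseline(events):
    """Per-user profile: the countries and the hours of day (UTC) seen in successful logins."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set()})
    for user, ts, country, outcome in events:
        if outcome != "success":
            continue
        profile[user]["countries"].add(country)
        profile[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return profile


def hour_distance(a, b):
    """Distance between two hours of day, wrapping around midnight (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(profile, event, hour_tolerance=2):
    """Return the list of reasons an event deviates from its user's baseline (empty = normal)."""
    user, ts, country, _outcome = event
    if user not in profile:
        return ["no baseline for user"]
    reasons = []
    p = profile[user]
    if country not in p["countries"]:
        reasons.append(f"new country {country}")
    hour = datetime.fromisoformat(ts).hour
    if all(hour_distance(hour, h) > hour_tolerance for h in p["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00 UTC")
    return reasons


def detect_anomalies(profile, events):
    """Events with at least one deviation, as (user, timestamp, reasons) tuples."""
    return [(e[0], e[1], r) for e in events if (r := score_event(profile, e))]
```

A production UEBA would weight these deviations and combine them with other signals (device, access volume, peer-group behaviour) rather than treating any single one as an alert.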
Attacks on applications
Defending applications is often the most difficult because they are usually custom built for every requirement. Applications also lack a central framework that ensures a base level of security, which means each app needs to be tested and defended differently. A good approach to defending applications is to monitor application events and build threat scenarios that protect specific entry points and access to the crown jewels. A similar approach can be followed to protect application APIs.
Being proactive and not reactive
Defining periodic threat hunting exercises helps organisations detect threats that fall outside the boundaries of their present strategies. A proactive approach will only move your ecosystems closer to your threat detection goals. Start by identifying your inventory database, then engage with your team to identify the crown jewels, apply special attention to these sources, and increase visibility across your estate.
Define a threat approach plan
Building defence logic relevant to the individual organisation is the key. Having thousands of use cases only means alert fatigue and an increase in false positives. A defined threat approach plan works wonders. One way of doing this is by aligning your detection strategy with the MITRE ATT&CK framework. This gives organisations visibility across the various tactics and techniques used by threat actors (derailing attacks, lateral movement, exfiltration, etc.).
Developing a comprehensive incident response plan
All businesses must develop a robust response plan to minimise the potential damage of any attack, reduce recovery time, and lower associated costs. Whether it is an Internet attack, a natural disaster, or the loss of an ISP, enterprises need to make sure everyone knows what is required of them and set clear obligations to return to normal activities as quickly and painlessly as possible. By establishing a clear set of instructions and procedures to follow in the event of various problems, organisations can prevent the type of panic that makes the situation worse.
Having a plan is not enough; being able to rehearse the plan with the team is also extremely important. Every individual in the team needs to recognise their role and play it accordingly during an incident. Incident response must be part of the muscle memory of every threat handler and incident responder.