[BreachExchange] How Financial Services Firms Can Overcome Security Concerns

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 15 20:55:30 EST 2018


As the financial services industry continues the transition to a digital
business model, customers expect new digital capabilities. Customers have
gotten used to 24/7 access to their financial accounts, for instance, and
expect ongoing application enhancements that provide more customized
products and services. This means that banks and financial services firms
collect and process user data.

As financial services firms seek to meet customer demand and provide
excellent service, they are also bound by strict government regulations to
ensure the privacy of their users and minimize the risks and likelihood of
a data breach. As a result, these firms need to provide updated,
interactive applications and online user portals as well as advanced
security tools and strategies in order to stay competitive. Neither can
come at the expense of the other. To meet these dual requirements,
regulators and customers alike expect banks to employ robust security
measures across distributed networks and into the application layer in
order to curb cyber risks.

Because the internal networks of banks often rely on legacy systems and
code, this is a challenge – the process of creating, testing, releasing and
deploying new code has historically been a slow process. Moreover, in many
organizations, security is still thought of as a separate process owned and
managed by a separate team. Sending new software updates or applications to
be tested by the security team further extends the release of new software
and features. This is why so many technologically progressive banks are
having such success with the DevOps process, and have been adopting it at a
higher rate than most other industries.

DevOps Defined

DevOps occurs when the development and operations teams collaborate in the
software development process. The transition to a DevOps model affects more
than just the software development process. Enabling banks and other
financial institutions to deliver software and software updates rapidly and
continuously through a collaborative approach can often require a change in
company culture and philosophy. But the value is that it allows development
teams to make updates throughout the software lifecycle, not at one
distinct point in the process.

This approach has enjoyed adoption far and wide, but financial services
providers have been particularly enthusiastic. In fact, a recent study
shows 45 percent of financial services companies have already adopted a
DevOps approach.

Security Concerns

Though DevOps has been rapidly accepted for enabling new software
iterations and features to consumers, there is some concern among security
professionals that faster development and deployment can hamper security.
These concerns are not wholly unfounded.

Some development cycles are longer and leave room for more extensive
security testing, but no piece of software is ever 100 percent secure.
Thus, it’s reasonable to assume that software that can be updated as
frequently as every hour is also more likely to have more gaps in its
security. In many industries, if a security gap is discovered, it can
simply be fixed in the next iteration of the code deployed. But in finance,
that sort of lag time is unacceptable. Once data or money has been stolen,
the damage has been done. This is why it is important to detect threats and
mitigate them immediately. If a breach is detected early and dwell time is
minimized, the cost of an attack can be significantly reduced.

The irony here is that DevOps has also gained ground among malicious
actors: new malware releases often move faster than security does.
Therefore, the continuous integration and continuous deployment (CI/CD)
that DevOps creates is necessary in order to keep pace with malicious

Recommended: Security Controls and Automation

To ensure defense in depth during a faster deployment cycle, financial
services firms have to adopt multiple, layered security controls. If new
code delivers a great new feature to consumers but carries an unknown flaw,
additional security measures must already be in place to keep that flaw
from being exploited. Combining a strong network security infrastructure
with constant application and service monitoring provides end-to-end
protection as new software is deployed.

Because the DevOps approach is primarily adopted for the purpose of web
application development, it is necessary that this infrastructure include
a web application firewall (WAF). A next-generation WAF provides
comprehensive application protection: it scans for and virtually patches
vulnerabilities, and keeps applications from being exploited through the
risks identified in the OWASP Top 10. Additionally, threat intelligence
can be fed to the WAF to keep applications safe from even the latest
sophisticated attacks. This means that if an application is being hit with
a common exploit or is being probed by malware, the WAF will recognize the
traffic and deny it access to the application.
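The following is an added illustration, not code from the article or from any WAF product, of the two mechanisms just described: rule-based inspection of requests for OWASP-style risk classes, and a threat-intelligence blocklist fed into the same decision. The rules, the blocklist entries, the size limit and the sample requests are all constructed for the example; a real WAF would carry far richer rule sets and refresh its intelligence feed continuously.

```python
import re
from dataclasses import dataclass, field

# Constructed threat-intelligence feed: source addresses reported as hostile.
# A real deployment would refresh this from the firm's intelligence provider.
THREAT_INTEL_BLOCKLIST = {"198.51.100.23", "203.0.113.77"}

# Constructed inspection rules: each names the risk class it guards against and
# a pattern applied to the request path and every parameter value.
RULES = [
    ("path_traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.IGNORECASE)),
    ("sql_metacharacters",
     re.compile(r"('|--|;)\s*(or|and|union|select|drop)\b", re.IGNORECASE)),
    ("script_injection", re.compile(r"<\s*script\b", re.IGNORECASE)),
]

# Constructed upper bound on request body size; oversized bodies are rejected
# before they reach the application.
MAX_BODY_BYTES = 64 * 1024


@dataclass
class Request:
    src_ip: str
    path: str
    params: dict
    body: bytes = b""


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def inspect(req: Request) -> Verdict:
    """Return a Verdict for one request; every triggered control is recorded so
    the monitoring pipeline sees why traffic was denied, not only that it was."""
    reasons = []
    if req.src_ip in THREAT_INTEL_BLOCKLIST:
        reasons.append("threat_intel_blocklist")
    if len(req.body) > MAX_BODY_BYTES:
        reasons.append("oversized_body")
    fields = [req.path, *req.params.values()]
    for name, pattern in RULES:
        if any(pattern.search(str(value)) for value in fields):
            reasons.append(name)
    return Verdict(allowed=not reasons, reasons=reasons)


def run_samples():
    """Inspect a constructed batch of requests and return (label, allowed, reasons)."""
    samples = [
        ("legitimate", Request("192.0.2.10", "/accounts/balance", {"id": "1042"})),
        ("injection_probe", Request("192.0.2.11", "/accounts/balance", {"id": "1' OR '1'='1"})),
        ("traversal_probe", Request("192.0.2.12", "/files/../../config", {})),
        ("blocklisted_source", Request("203.0.113.77", "/accounts/balance", {"id": "7"})),
        ("oversized_upload", Request("192.0.2.13", "/upload", {}, b"x" * (MAX_BODY_BYTES + 1))),
    ]
    results = []
    for label, req in samples:
        verdict = inspect(req)
        results.append((label, verdict.allowed, verdict.reasons))
    return results


if __name__ == "__main__":
    for label, allowed, reasons in run_samples():
        print(f"{label:20s} {'ALLOW' if allowed else 'DENY ':5s} {reasons}")
```

Only the first sample reaches the application; the other four are denied with a recorded reason, which is the signal a monitoring team needs to tell an ordinary outage from an attack in progress.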

A successful DevOps program will have automation as another primary
component. As code is committed to a central system by developers, an
automated process looks at the submissions in the repository and builds a
new version of the software.

The security protocol of DevOps initiatives will also need to be automated
in order to keep up with increased volumes of both internal development and
cyberattacks. Security automation capabilities are becoming more
sophisticated through the use of artificial intelligence and machine
learning. Eventually, this will allow for a fully automated, secure DevOps
process, with the ultimate goal of enabling intent-based security.
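As an added example of the automation described in the two paragraphs above (not code from the article or from any particular CI product), the script below is the kind of check that runs on every commit before a build is produced: it scans the changed files for credentials that must never be committed and checks the dependency manifest against an advisory list, failing the build when either check fires. The advisory entries, secret patterns, package names and the sample commits are all constructed for the example; a real pipeline would pull the advisory data from a vulnerability database and the patterns from a maintained ruleset.

```python
import re
from dataclasses import dataclass

# Constructed advisory feed: (package, version) pairs the security team has flagged.
KNOWN_VULNERABLE = {("examplelib", "1.2.0"), ("jsonparse", "0.9.1")}

# Constructed patterns for material that must never land in the repository.
SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded_password", re.compile(r"(?i)password\s*=\s*['\"][^'\"]{4,}['\"]")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
]


@dataclass
class Finding:
    check: str
    location: str
    detail: str


def scan_secrets(changed_files: dict) -> list:
    """Run every secret pattern over every line of every changed file."""
    findings = []
    for path, content in changed_files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for name, pattern in SECRET_PATTERNS:
                if pattern.search(line):
                    findings.append(Finding(name, f"{path}:{lineno}", "possible credential committed"))
    return findings


def parse_requirements(text: str) -> list:
    """Parse a pip-style manifest into (name, version) pairs; version is None if unpinned."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            deps.append((name.strip().lower(), version.strip()))
        else:
            deps.append((line.lower(), None))
    return deps


def scan_dependencies(requirements: str) -> list:
    """Flag unpinned packages and any pin that matches the advisory feed."""
    findings = []
    for name, version in parse_requirements(requirements):
        if version is None:
            findings.append(Finding("unpinned_dependency", name, "version not pinned; build not reproducible"))
        elif (name, version) in KNOWN_VULNERABLE:
            findings.append(Finding("vulnerable_dependency", f"{name}=={version}", "listed in advisory feed"))
    return findings


def security_gate(changed_files: dict, requirements: str):
    """Return (passed, findings); a non-empty findings list fails the build."""
    findings = scan_secrets(changed_files) + scan_dependencies(requirements)
    return (not findings, findings)


def run_pipeline_samples() -> dict:
    """Evaluate two constructed commits: one that should fail and one that should pass."""
    risky_commit = {
        "app/config.py": 'DB_HOST = "db.internal"\npassword = "hunter2pass"\nAWS_KEY = "AKIAEXAMPLEKEY000000"\n',
        "app/handlers.py": "def ok():\n    return 1\n",
    }
    risky_requirements = "httpclientx==3.1.0\nexamplelib==1.2.0\npyyamlish\n"
    clean_commit = {"app/handlers.py": "def ok():\n    return 2\n"}
    clean_requirements = "httpclientx==3.1.0\nexamplelib==1.3.0\n"
    return {
        "risky": security_gate(risky_commit, risky_requirements),
        "clean": security_gate(clean_commit, clean_requirements),
    }


if __name__ == "__main__":
    for label, (passed, findings) in run_pipeline_samples().items():
        print(f"{label}: {'PASS' if passed else 'FAIL'}")
        for f in findings:
            print(f"  [{f.check}] {f.location}: {f.detail}")
```

Because the gate runs inside the same automation that builds the software, the security team's checks are applied to every commit at the moment it is made rather than in a separate hand-off afterwards, which is the point of folding security into the DevOps pipeline.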

Security and Agility

Financial services firms have a great deal to gain by adopting the DevOps
approach, including remaining competitive and defending against cybercrime.
When software has such a short development cycle, complete security cannot
be guaranteed. For this reason, financial services firms must integrate
additional network-level security controls. These controls extend security
from mobile devices and IoT through the network core and out to the cloud.
As financial services firms move forward with their DevOps process, the
above recommendations will help construct an intelligent, integrated
security system that allows agility at the same time.