Security Spending and Preparedness in the Financial Sector: A SANS Survey

A SANS Survey
Written by Jaikumar Vijayan
Advisor: G. Mark Hardy
June 2015
Sponsored by LogRhythm

©2015 SANS™ Institute

Introduction

Financial companies are at a critical juncture: The attack landscape has transformed dramatically over the past few years, and as a result, these companies are under more scrutiny than ever for the security of their financial systems.

Numerous breaches of financial institutions in 2014 reshaped the industry. Of the eight major breaches reported by the Association of Certified Financial Crime Specialists since the 2009 Heartland Payments System breach, four of them occurred in 2014.[1] Meanwhile, the U.S. Securities and Exchange Commission (SEC) has started reviewing such organizations on their preparedness to detect and avert cyber attacks.[2] And, starting in October 2015, Visa and MasterCard are shifting liability for fraud away from card processing businesses that have implemented EMV smart card readers.[3]

Unfortunately, financial services organizations are still being breached too often, most frequently by those with insider access, according to the second annual SANS survey on the security of the financial services sector. Results of this survey also reveal that change is slow in coming across the financial services industry while threats continue to get harder to detect and defeat.

Like the SANS 2014 financial services security survey,[5] this year’s survey revealed several gaps in preparedness, both in the capability of organizations to defend against attacks and in their capability to respond to one. Organizations that participated in the survey reported problems with insider threats and phishing attacks. In another question, the largest group of respondents (41%) said they feel unable to quantify the costs of a data breach.

At the same time, respondents struggle with a variety of tools and technologies that, while providing some improvement, still fail at basic levels. For example, 66% of respondents don’t turn on inline security systems for fear of false positives blocking legitimate traffic, while 50% don’t turn on blocking because of operational/throughput concerns.

[1] www.acfcs.org/the-top-8-largest-data-breaches-in-the-financial-services-industry
[2] www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf
[3] www.smartcardalliance.org/wp-content/uploads/EMV-FAQ-update-April-2015.pdf
[4] Results total more than 100% because respondents could select multiple responses.
[5] “Risk, Loss and Security Spending in the Financial Sector: A SANS Survey,” www.sans.org/reading-room/whitepapers/analyst/risk-loss-security-spending-financial-sector-survey-34690

Top 5 Causes of Successful Breaches[4]

Abuse or misuse by internal employees: 46%
Successful spearphishing emails: 42%
Exploits on unpatched or misconfigured systems: 27%
Lost devices: 26%
Compromised endpoints: 27%

Respondents are also learning that compliance does not translate to security, which is perhaps the most positive change and sign of improvement in the financial industry, especially because many of the recent headline-making victimized companies were in compliance with their industry standards.

Now, based on the results of this year’s survey, organizations no longer consider compliance their primary mandate. Instead they are moving toward more comprehensive incident response and holistic security programs. Instead of compliance being their primary driver (as it was last year), these organizations are most concerned about responding to threats, while compliance is their second most important driver. Their third top driver is to improve their security and risk management programs overall. This shift indicates growing maturity in cyber risk operations, which should be the ultimate goal for all IT organizations, according to the Critical Security Controls and other such frameworks.[6]

Evolving Drivers for Information Security Programs

65% (the majority) chose compliance as their primary driver in 2014
81% (the majority) cited avoiding data breaches as their primary driver in 2015, with compliance being their second most important driver (70%)
69% also feel that improving risk posture overall is a primary driver in 2015

[6] www.counciloncybersecurity.org/critical-controls

Organizations and Standards

Security professionals responsible for protecting systems and networks at financial institutions in the U.S., Europe, Asia Pacific and other regions participated in this survey. The results provide diverse insights into the security concerns that confront financial institutions and their approaches for mitigating those concerns. A mix of operational security staff, network and security administrators, senior security executives and managers from small, medium and large organizations were represented in the survey.

Respondents also represented a variety of financial institution types and their associated issues: Of the 196 professionals who qualified to take the survey, 21% were from retail banking, 12% from insurance and 11% from the commercial banking sector. Professionals from the investment banking sector, payment processing firms and merchant card system acquirers were also represented. See Figure 1.

Almost 42% of respondents identified themselves as belonging to “other” industries, including government regulators, health care, consulting and asset management, indicating that financial services are being performed across sectors and supported by consultancies.

What is your organization’s primary industry?

[Chart with categories: Other; Banking—retail; Insurance; Banking—commercial; Investment banking; Payment processing; Merchant/Card system acquirers]

Figure 1. Respondents by Primary Industry

The responses reflect the sentiment of technology professionals from organizations of different sizes, with 24% coming from relatively small companies (100–1,000 employees), while 22% represented very large companies (more than 15,000 employees). Another 20% were from medium-sized companies (1,000–5,000 employees). The remaining respondents were from organizations with between 10,001 and 15,000 employees (10%), those with between 5,001 and 10,000 employees (12%) and companies with fewer than 100 employees (11%). The survey respondents were dominated by U.S.-based organizations: 85% have operations in the U.S. and 76% have their headquarters in the U.S. See Figure 2 for a breakdown of the regions represented by respondents.

As you might expect with companies in the financial services sector, many of the respondents have operations around the world, particularly in Europe. This globalization indicates that their compliance mandates and security drivers are as diverse as the regions in which they operate and the types of services they offer. Among respondents, 44% issue credit and debit cards, which means they, as well as payment processors, are subject to PCI DSS in addition to SEC and other guidelines.

In what countries or regions does your organization operate? Select all that apply.

[Bar chart, 0–80% scale, with categories: United States; South America; Canada; Europe; Middle East; Africa; Australia/New Zealand; Asia Pacific (APAC); Central America]

Figure 2. Operating Regions

Standards and Frameworks

With 44% of respondents representing companies that issue credit and debit cards, the PCI DSS turns out to be the most widely used security framework in the financial services industry, chosen by 50% of respondents. See Figure 3.

The responses point to the enormous role that PCI has played in influencing the adoption of security standards in the financial industry. PCI rules apply directly only to organizations that handle credit and debit card data. PCI DSS is broad and high-level enough to apply across different industries, yet granular enough to offer some real guidance to organizations struggling to figure out what security controls to use and how to implement them.

What security frameworks does your organization adhere to? Select all that apply.

[Bar chart, 0–50% scale, with categories: Payment Card Industry Data Security Standard (PCI DSS); FISMA (Federal Information Security Management Act); COBIT (Control Objectives for Information and Related Technology); ISO 27000 Series; Other; Critical Security Controls; NIST Framework for Improving Critical Infrastructure Cybersecurity; NIST SP 800-53]

Figure 3. Most Commonly Used Security Frameworks by Financial Companies

PCI DSS is broad and high-level enough to apply across different industries and granular enough to offer some real guidance.

While PCI is the top standard being followed, the results suggest that organizations use more than one framework. The second most common standard, used by 40% of respondents, is the ISO 27000 Series, followed by the NIST framework, Control Objectives for Information and Related Technology (COBIT) and the Critical Security Controls (CSC), along with others. In our 2014 survey, ISO 27000 and PCI tied, each chosen by 49% of respondents, as the top frameworks being followed.

Over time, organizations have invested a lot of work and funding into the 27000 standard, so it seems unlikely they would drop it. However, in this year’s survey the number of respondents using PCI remained almost exactly the same, while those relying on the 27000 series dropped by 10%. Regular updates to PCI over the years have kept the standard relatively current and in tune with new and emerging threats. The latest update, version 3.1 released in April 2015, includes the core elements shown in Table 1.

Table 1. PCI 3.1 Data Security Standard: High-Level Overview from PCI Security Standards Council[7]

Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

[7] “Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures,” www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf, p. 5.

Security Incidents and Preparedness

Similar to last year’s results, insiders are still the primary culprits for breaches. Insider threats and spearphishing were the top two causes for security breaches, at 46% and 42%, respectively. They were followed by successful exploits on unpatched and misconfigured systems (27%). See Figure 4.

Some of the write-in responses also suggest that closer integration with business partners and contractors puts organizations at risk. The data breach at Target, where attackers gained access to the retailer’s network using login credentials belonging to a third-party heating, ventilation and air conditioning service, highlighted those concerns in dramatic fashion in 2013.[8]

Please rank the top three most prevalent causes of security incidents in your organization with 1 being most prevalent.

[Bar chart, 0–45% scale, one bar each for rank 1, 2 and 3, with categories: Abuse or misuse by internal employees or contractors; Denial of Service attacks; Lost devices (laptops/phones); Successful spearphishing emails against employees; Web application attacks (e.g., SQL Injection, XSS, XSRF); Other; Advanced attacks/APTs; Loss, theft or compromise of employee-owned devices (BYOD); Exploited passwords; Targeted attacks on financial processing systems and databases; Compromised consumer endpoints/User errors; Exploits on unpatched or misconfigured systems; Admin access abuse; Partner systems]

Figure 4. Prevalent Causes for Security Incidents at Financial Institutions in 2015

[8] www.krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

These results are nearly identical to the 2014 survey, suggesting that while external attacks attract a lot of attention, financial companies are, more often, victims of rogue or careless insiders with access to privileged systems. Although a few new options were added between the 2014 and 2015 surveys (indicated by N/A), Table 2 shows the comparison of rankings between the two years.

The PCI DSS framework calls for strong access controls and restricting access to cardholder data, while Critical Security Control 15 provides information on how to control access based on need to know. All actions by users and their devices should also be monitored for abuse, based on these and other frameworks.
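As an added example (not code from the SANS report or the PCI Security Standards Council), the following Python turns the points just made into a small detection pass: PCI DSS requirement 7 (restrict access by business need to know), requirement 10 (track and monitor all access to cardholder data) and Critical Security Control 15 are applied to a few constructed audit-log lines, flagging reads outside a role's need-to-know, out-of-hours access and bulk reads. The roles, data stores, log format and bulk-read threshold are assumptions chosen for the illustration.

```python
"""Flag cardholder-data access that falls outside a user's need to know.

Added example, not code from the SANS report or the PCI SSC. It applies
the points made above (PCI DSS requirements 7 and 10, Critical Security
Control 15: restrict access by business need to know and monitor all
access) to a few constructed audit-log lines. Roles, data stores, the
log format and the bulk-read threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Assumed need-to-know matrix: which data stores each role may read.
NEED_TO_KNOW = {
    "teller": {"customer_profile"},
    "fraud_analyst": {"customer_profile", "card_transactions"},
    "dba": {"card_transactions", "pan_vault"},
}

# Assumed business hours. Out-of-hours access is a review trigger, not proof of misuse.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    store: str
    rows: int


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed log line: '<ISO timestamp> user=.. role=.. store=.. rows=..'."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return AccessEvent(
        ts=datetime.fromisoformat(ts_text),
        user=fields["user"],
        role=fields["role"],
        store=fields["store"],
        rows=int(fields["rows"]),
    )


def review(events, bulk_threshold: int = 1000):
    """Return (user, store, reasons) for every event that needs analyst review."""
    findings = []
    for e in events:
        reasons = []
        if e.store not in NEED_TO_KNOW.get(e.role, set()):
            reasons.append("outside need-to-know")
        if not BUSINESS_START <= e.ts.time() <= BUSINESS_END:
            reasons.append("out of hours")
        if e.rows >= bulk_threshold:
            reasons.append("bulk read")
        if reasons:
            findings.append((e.user, e.store, reasons))
    return findings


# Constructed sample log; the second line models an insider pulling card data
# he has no business reason to see.
SAMPLE_LOG = """\
2015-06-02T09:14:03 user=alice role=teller store=customer_profile rows=3
2015-06-02T22:41:17 user=bob role=teller store=card_transactions rows=5200
2015-06-02T10:05:44 user=carol role=fraud_analyst store=card_transactions rows=40
2015-06-02T11:30:00 user=dave role=dba store=pan_vault rows=1
"""


def run_review(log_text: str = SAMPLE_LOG):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return review(events)


if __name__ == "__main__":
    for user, store, reasons in run_review():
        print(f"{user} -> {store}: {', '.join(reasons)}")
```

The three checks are deliberately independent so that each finding carries its own reasons; in practice the need-to-know matrix would come from the identity system and the thresholds from a baseline of normal activity per role, but the shape of the review loop stays the same.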

Meanwhile, advanced persistent threats (APTs) and targeted attacks, which security vendors and the media most often portray as the most common major threat breaking through defenses, do not appear to cause much concern for financial services firms. Barely 12% of survey takers ranked APTs as the first, second or even third most prevalent cause for security incidents at their organizations. That ranking could simply be because many financial services companies do not know they have been victimized in a targeted attack (perhaps lacking the visibility into their systems).

Spearphishing emails are a hallmark of APT campaigns. Threat actors often use such emails to drop malware on target networks and then use that initial foothold to move laterally across the organization.9 So for survey takers to identify spearphishing as a major threat—but not APTs—suggests a puzzling disconnect in how many in the financial industry perceive APTs.

Table 2. Year-Over-Year Comparison of Top Security Concerns by Highest to Lowest Ranking in 2015

Most Prevalent Cause of Security Incidents (2014 / 2015)
  Abuse or misuse by internal employees or contractors: 23% / 21%
  Spearphishing emails: 16% / 19%
  Compromised consumer endpoints/User errors: N/A / 10%
  Exploits on unpatched or misconfigured systems: 8% / 8%
  Other: 4% / 7%
  Admin access abuse: N/A / 5%
  Lost devices (laptops/phones): 7% / 5%
  Denial of Service attacks: 7% / 4%
  Advanced attacks/APTs: 4% / 4%
  Partner systems: N/A / 3%
  Web application attacks (e.g., SQL Injection, XSS, XSRF): 4% / 3%
  Exploited passwords: 2% / 2%
  Targeted attacks on financial processing systems and databases: 2% / 2%
  Loss, theft or compromise of employee-owned devices (BYOD): 3% / 1%

TAKEAWAY: Financial institutions need more automated, comprehensive means for monitoring insiders, their authorized access to systems and their use of critical data.

4%: Percentage ranking advanced persistent threats as the number one most prevalent threat to their organization

[9] “A Detailed Analysis of an Advanced Persistent Threat Malware,” www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814

Risk and Loss Evaluation

While most survey takers were able to tell us about the types of incidents occurring on their networks, only 25% were able to quantify losses. Another 41% could not, and 35% didn’t know what their losses were.[10] This suggests a lack of metrics, asset awareness and risk measurement practices within many financial services organizations.

This year’s results track closely with the results from the 2014 survey and suggest that financial services companies have made little headway in gaining a better understanding of the consequences of data breaches occurring in their organizations.

Security Incident Outcomes

Most reports on data breaches tend to focus on the direct losses, such as breach mitigation costs, breach notification costs and costs associated with offering free credit monitoring services. While such costs can be significant, the impacted organization has other costs to worry about as well.

Of those who were able to quantify losses in the survey, 38% cited loss of business through service downtime as the biggest impact of a data breach, 23% cited damage to brand reputation as a result of reporting a breach, 20% cited direct losses against impacted financial accounts, and 15% pointed to regulatory proceedings and fines. See Figure 5.

TAKEAWAY: The fact that spearphishing emails are such a big threat to financial institutions underscores the importance of end user awareness and training.

[10] Percentages total more than 100% due to rounding error.

What was the outcome of these incidents? Choose all that apply.

[Bar chart, 0–40% scale, with categories: Loss of business through service downtime; Other; Brand reputation loss due to reporting the incident; Regulatory or legal proceedings and/or fines as a result of incidents; Direct losses against impacted customer financial accounts; Brand reputation loss due to nefarious use of brand to phish customers]

Figure 5. Security Incident Outcomes

The majority of “Other” responses pointed to minimal losses due to quick response and mitigation. Some respondents did, however, indicate loss of productivity and the expense of replacing devices as costs of their incidents.

Perimeter Focus

Even though respondents report that their primary culprits are insiders and partners with privileged access, results in this report indicate that the majority of financial institutions continue to focus more on stopping external threats than on detecting or stopping careless or malicious insiders. Nearly 84% said their advanced firewalls, IDS and IPS systems were effective or very effective in protecting systems containing or handling sensitive data. See Table 3.

Table 3. Perimeter Still the Main Prevention Point of Protection

Control: Very Effective Rating
  Advanced firewalls/IDS/IPS to protect internal systems: 32.4%
  Vulnerability scanning/Continuous monitoring: 29.4%
  Segmentation: 26.5%
  Continuous monitoring for critical anomalies and suspicious transactions: 26.5%
  Encryption: 26.5%
  Log aggregation and SIEM/Security event management: 22.8%
  Secure configuration practices for applications and systems: 22.1%
  Monitoring of infrastructure: 21.3%
  Endpoint visibility: 20.6%
  Endpoint AV: 19.9%
  Whitelisting of executables, applications and activities: 19.1%
  Blacklisting of executables and activities: 16.9%
  Malware analysis systems: 16.2%
  Security analytics and intelligence (in-house): 15.4%
  Data de-identification methods (masking, tokenization): 15.4%
  Real-time threat intelligence provided by third parties: 13.2%
  Database protections: 11.0%

On the other hand, the financial IT pros taking this survey have identified their primary cause of successful breaches to be from inside the firewall—their users. So, in addition to perimeter security, respondents are also improving protection on their endpoints—closer to their users in the case of user endpoints and closer to the applications and data in the case of server endpoints. Endpoint technologies that received enthusiastic endorsements included endpoint AV (68%) and endpoint visibility tools (65%). Table 4 shows the comparisons to 2014 survey results; light gray indicates the option wasn’t used that year.

Table 4. Year-Over-Year Comparison of Most Effective Controls

Control (2015: Very Effective / Effective / Total Effective)
  Encryption: 26% / 59% / 85%
  Advanced firewalls/IDS/IPS to protect internal systems: 32% / 51% / 84%
  Secure configuration practices for applications and systems: 22% / 58% / 80%
  Monitoring of infrastructure: 21% / 57% / 78%
  Continuous monitoring for critical anomalies and suspicious transactions: 26% / 50% / 76%
  Vulnerability scanning/Continuous monitoring: 29% / 47% / 76%
  Log aggregation and SIEM/Security event management: 23% / 47% / 70%
  Endpoint AV: 20% / 49% / 68%
  Segmentation: 26% / 40% / 66%
  Endpoint visibility: 21% / 45% / 65%
  Data protections/Encryption: 11% / 50% / 61%
  Security analytics and intelligence (in-house): 15% / 46% / 61%
  Blacklisting of executables and activities: 17% / 43% / 60%
  Whitelisting of executables, applications and activities: 19% / 40% / 59%
  Malware analysis systems: 16% / 40% / 56%
  Real-time threat intelligence provided by third parties: 13% / 42% / 55%
  Data de-identification methods (masking, tokenization): 15% / 35% / 50%
  Real-time monitoring for critical anomalies and suspicious transactions: (not offered in 2015)
  Strong authentication for customer-facing sites: (not offered in 2015)
  Strong authentication for employees and partners: (not offered in 2015)

2014 values (Very Effective / Effective / Total Effective), in table order for the 13 controls offered that year: 27% / 56% / 83%; 22% / 55% / 77%; 22% / 64% / 86%; 19% / 49% / 69%; 13% / 44% / 57%; 23% / 59% / 82%; 10% / 39% / 49%; 20% / 42% / 62%; 8% / 46% / 54%; 11% / 35% / 46%; 19% / 58% / 77%; 22% / 44% / 65%; 23% / 54% / 77%.

85%: Percentage of financial institutions that consider encryption to be an effective or very effective approach for protecting data

Fewer respondents pointed to emerging technologies such as threat intelligence monitoring, despite the market buzz about it. Even so, acceptance appears to be growing compared to last year, with 15% saying that in-house security analytics and intelligence is very effective, compared to around 10% saying the same thing in the 2014 survey. Similarly, data de-identification approaches such as tokenization and masking appear not to have gained wide acceptance yet, with only about 15% pointing to them as being very effective in protecting financial data.

Interestingly, although IDS/IPS fell into the top most effective category, respondents say they are not turning on inline blocking for a variety of reasons, foremost among them being the concern of blocking legitimate traffic. See Figure 6.

Second, respondents are concerned about the operational issues of throughput, and to a lesser degree interoperability. All of these issues should have been resolved years ago with IPS, but still continue to plague enterprise users.

What barriers, if any, do you have to deploying active, inline security systems? Select all that apply.

[Bar chart, 0–40% scale, with categories: Fear of false positives blocking legitimate business; Existing network bandwidth limitations; Concerns about throughput of data, parsing; Other; Issues with interoperability between our security devices and the monitoring support structure]

Figure 6. Barriers to Turning on Inline Blocking

Risk Assessment

Numerous resources are readily available to help organizations start the risk assessment process. They range from generalized guides on the topic to comprehensive templates that offer step-by-step instructions on how to implement the various components of an information security risk assessment program. Examples include the FFIEC’s IT Examination HandBook InfoBase,[11] NIST’s Special Publication 800-30 Guide for Conducting Risk Assessments[12] and the California Department of Technology’s Risk Assessment Toolkit.[13]

Improving Risk and Compliance Postures

Organizations, particularly those covered by PCI DSS, should consider implementing tokenization and data-masking processes where sensitive data is stored and processed. Many products for data masking and tokenization can do so today without reengineering the database structure to fit the mask or token format, making them easier to use.

In addition to better security, both approaches offer an opportunity for organizations to reduce the scope of their PCI requirements. Strong encryption is also of critical importance to protecting data at rest and in transit, while meeting compliance. In this year’s survey, 85% cited encryption as effective or very effective in protecting sensitive data processed in their systems. Recently, the latest update to the standard (PCI 3.1), released on April 15, 2015 as an “out-of-band” update, makes it clear that organizations can no longer use SSL and early implementations of the TLS protocol to encrypt data in transit.[15] In this context, data encryption assumes even bigger significance going forward.

In addition to encrypting sensitive customer data, the PCI DSS standard requires covered entities to properly segment networks that process payment card data from the rest of the corporate network, which 66% of respondents say they are doing.
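The following Python is an added example, not code from the SANS report or the PCI Security Standards Council. It shows the two de-identification approaches discussed above on a constructed card number: masking (the first six and last four digits displayed, the rest hidden) and vault-based tokenization in which the token keeps the PAN's length and last four digits so downstream schemas need no change, which is the "no reengineering of the database structure" point the text makes. It also builds a client TLS context that refuses SSL and early TLS, the transit-encryption rule PCI 3.1 introduced. The in-memory dict stands in for a hardened token vault, and the PAN used is a commonly used test number, not a real account.

```python
"""Mask and tokenize a primary account number (PAN), and pin TLS to a PCI-acceptable floor.

Added example, not code from the SANS report or the PCI Security Standards
Council. It shows the two de-identification approaches the text names
(masking and tokenization) and the transit-encryption point (no SSL or
early TLS) on a constructed PAN. The in-memory dict stands in for the
hardened token vault a real deployment would use; the PAN is a commonly
used test number, not a real account.
"""
import secrets
import ssl


def luhn_valid(pan: str) -> bool:
    """Luhn check digit, used only to reject malformed input before it is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits, the rest masked.

    This is the masking limit PCI DSS sets for showing a PAN to people
    without a business need to see the full number.
    """
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Random, non-derivable tokens: without the vault a token reveals nothing about the PAN.

    The token keeps the PAN's length and last four digits so downstream
    systems need no schema change, while the remaining digits are random.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:      # same PAN, same token, so matching still works on tokens
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; this call is what access control must guard."""
        return self._token_to_pan[token]


def pci_tls_context() -> ssl.SSLContext:
    """Client context that refuses SSL and early TLS, which PCI DSS 3.1 no longer permits in transit."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.2 as the floor
    return ctx


def early_tls_rejected(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate anything below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    pan = "4111111111111111"                      # constructed test PAN
    vault = TokenVault()
    token = vault.tokenize(pan)
    print(mask_pan(pan), token, vault.detokenize(token) == pan, early_tls_rejected(pci_tls_context()))
```

The scope-reduction argument in the text follows from the design: systems that only ever hold the token or the masked form never see cardholder data, so the PCI controls concentrate on the vault and the few components allowed to call detokenize.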

Risk Assessment Steps

The FFIEC recommends the following risk assessment steps:[14]

1. Gather information on your organization’s operating and business environments.
2. Identify all the key information systems and data you need to protect.
3. Classify and rank sensitive data, prioritize threats and vulnerabilities, and assess controls.
4. Assign risk ratings to information and information systems.
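As an added example (not the FFIEC's or SANS's own method), the following Python walks a small constructed asset inventory through the four steps just listed and produces a ranked risk register: assets and their data are inventoried (steps 1 and 2), data is classified and threats and control effectiveness are assessed (step 3), and a rating is assigned (step 4). The sensitivity and likelihood scales, the scoring rule and the rating thresholds are assumptions chosen for the illustration.

```python
"""Walk a small asset inventory through the four FFIEC risk assessment steps above.

Added example, not the FFIEC's or SANS's own method. The inventory, the
sensitivity and likelihood scales and the scoring rule are assumptions
chosen to show how the steps chain into a ranked risk register; a real
assessment substitutes its own scales and data.
"""
from dataclasses import dataclass

# Step 3: data classification scale (higher = more sensitive) and threat likelihood scale.
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "cardholder": 4}
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    """Steps 1 and 2: an information system, what it holds, what threatens it, how well it is controlled."""
    name: str
    data_class: str
    threats: list                 # (threat description, likelihood) pairs
    control_effectiveness: float  # 0.0 = no mitigation, 1.0 = fully mitigated, from the control assessment


def inherent_risk(asset: Asset) -> int:
    """Step 3: worst-case threat likelihood times data sensitivity, before controls."""
    if asset.data_class not in SENSITIVITY:
        raise ValueError(f"unknown data class {asset.data_class!r}")
    worst = max((LIKELIHOOD[lik] for _, lik in asset.threats), default=0)
    return worst * SENSITIVITY[asset.data_class]


def residual_risk(asset: Asset) -> float:
    """Step 3, continued: discount inherent risk by how effective the assessed controls are."""
    if not 0.0 <= asset.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return inherent_risk(asset) * (1.0 - asset.control_effectiveness)


def rating(score: float) -> str:
    """Step 4: map a residual score onto rating bands (thresholds are assumptions)."""
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank_assets(assets):
    """Produce the risk register: (name, residual score, rating), highest risk first."""
    rows = [(a.name, round(residual_risk(a), 1), rating(residual_risk(a))) for a in assets]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed inventory for illustration.
INVENTORY = [
    Asset("card-processing-db", "cardholder",
          [("exploited password", "medium"), ("insider misuse", "high")], 0.5),
    Asset("public-website", "public", [("web application attack", "high")], 0.3),
    Asset("hr-file-share", "confidential", [("lost device", "medium")], 0.2),
]

if __name__ == "__main__":
    for name, score, band in rank_assets(INVENTORY):
        print(f"{name:20s} {score:5.1f} {band}")
```

Note what the ranking shows: the card-processing database carries the highest inherent risk, yet the weakly controlled HR share lands close behind it, which is the kind of result that keeps a risk assessment from simply restating the asset list.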

[11] “IT Examination HandBook InfoBase,” http://ithandbook.ffiec.gov/it-booklets/information-security/information-security-risk-assessment.aspx?prev=1
[12] “Guide for Conducting Risk Assessments: Information Security,” www.nist.gov/customcf/get_pdf.cfm?pub_id=912091
[13] “Risk Assessment Toolkit,” www.cio.ca.gov/OIS/Government/risk/toolkit.asp
[14] “IT Examination HandBook InfoBase,” http://ithandbook.ffiec.gov/it-booklets/information-security/information-security-risk-assessment/key-steps.aspx
[15] “Payment Card Industry (PCI) Data Security Standard: Summary of Changes from PCI DSS Version 3.0 to 3.1,” www.pcisecuritystandards.org/documents/PCI_DSS_v3-1_Summary_of_Changes.pdf

Page 15: Security Spending and Preparedness in the Financial Sector ... · 3 Security Spending and Preparedness in the Financial Sector Security professionals responsible for protecting systems

Security Incidents and Preparedness (CONTINUED)

SANS ANALYST PROGRAMSecurity Spending and Preparedness in the Financial Sector14

Preparedness

Despite the controls they have in place to protect sensitive data, only 13% felt “Very

prepared” and had the resources and technology to deal with known and unknown

threats. See Table 5.

Another 42% attested to being “Prepared” to deal with at least some of the known and

unknown security threats (but not all of them). See Figure 7.

The uncertainty reflected in the results mirrors a broader trepidation. The string of

high-profile data breaches since late 2013 has sparked considerable concern, across

all sectors, about the effectiveness of traditional security controls against new and

emerging security threats.17

Table 5. Level of Preparedness to Deal with Unknown Threats—2014 and 2015 (16)

How Prepared Is Your Organization?    2014    2015
Very Prepared                          16%     13%
Prepared                               42%     42%
Somewhat Prepared                      35%     32%
Not Prepared                            4%      7%
Unsure/Unknown                          3%      4%
Other                                   0%      1%

16 Columns do not add up to 100% due to rounding error.
17 www.wsj.com/articles/computer-security-industry-critiques-itself-following-high-profile-breaches-1429573277

Figure 7. Organizational Preparedness to Fend Off Attacks

Survey question: How prepared is your organization to fend off attacks aimed at gaining access to your financial systems and accounts? Response options:

Very prepared. We have the resources and technology to defend against known and unknown attack methods.
Prepared. We have some ability to defend against known attack types but can’t predict the unknown.
Somewhat prepared. We have some resources and technology to fend off attacks, but we need more.
Not prepared. We need resources and technologies to solidify our systems and protect against attacks.
Unsure/Unknown
Other

TAKEAWAY: The focus of security efforts should be not just on blocking threats at the perimeter, but on mitigating threats that breach the perimeter. Incident response has become as important as intrusion prevention.


Financial organizations should consider ways to build more holistic situational awareness capabilities to detect and mitigate both known and unknown threats. Unfortunately, about 39% of respondents felt they are only somewhat prepared or not prepared to fend off attacks, suggesting that security remains a work in progress within the financial services industry, despite all the heightened concerns spawned by data breaches.

Security Outsourcing

A relatively large proportion of survey respondents use third-party service providers for tasks such as infrastructure monitoring, event management, incident response and security control monitoring. In this year’s survey, 49% said they use a third party for monitoring their IT infrastructure, 43% use outside services for event management and response, and 36% use them for security intelligence and analytics, as shown in Figure 8.

One possible explanation is that many financial institutions, spooked by the recent intrusions at major players in the marketplace, are looking to professional third parties for help finding and mitigating security threats they might have missed on their own. The same reason could also explain why 36% of the IT professionals surveyed said they are outsourcing security intelligence and analytics to third parties.

Figure 8. Outsourced Security Functions

Survey question: Do you rely on any outside services for the following? Select all that apply. Response options: Monitoring of infrastructure; Risk management; Monitoring of security controls; Event management and response; Other; Compliance management; Security intelligence and analytics; Security architecture.

Callout: 49% of financial institutions use a third party for IT infrastructure monitoring.


At the same time, the proportion of financial institutions outsourcing their security architecture to third parties dropped from 27% in 2014 to 19% in 2015. The numbers for those outsourcing compliance management decreased as well, from 26% last year to 21% this year. The shifts are substantial enough to indicate that financial companies have more success outsourcing some security functions than others.

The fact that only 49% outsource infrastructure monitoring suggests that the remaining half either are very confident in their ability to monitor the infrastructure or do not pay enough attention to the need for such monitoring. The same holds true in other areas like security event management, security intelligence and analytics, and compliance management.

Are They Blocking?

A relatively high proportion of financial companies say they use active in-line security monitoring tools for protecting externally facing customer systems. Nearly 60% of survey respondents cited these tools as being most effective in blocking external threats. See Figure 9.

Figure 9. Tools for Protecting External-Facing Customer Systems

Survey question: What tools or techniques do you find most effective in protecting external-facing customer systems? Select all that apply. Response options: Active, in-line security monitoring systems; Internet crawling services to detect deceptive use of brand for phishing; Fraud detection for account and system activity; Multifactor authentication for transactions (such as a telephone call-back); Unknown/Unsure; Other; Secure application development and life cycle; Continuous monitoring for application vulnerabilities; Malware analysis.


The word “active” implies automated blocking, but the survey did not ask respondents to specify whether their tools actually block. It would be a real win for intrusion prevention and other blocking technologies if large numbers of financial companies have actually deployed in-line tools in active blocking mode, because it would indicate a high level of confidence that these tools can run without generating many false positives that block legitimate transactions and customers.

False positives in card fraud are costly and often the most expensive part of running a fraud prevention operation. Having to pay an employee to sit at a desk, call a cardholder and ask, “Did you make this transaction?” and hear “Yes” in response results in an expense for the bank, an annoyance for the customer and outdated fraud indicators in the system.

Multifactor authentication, such as an out-of-band telephone call-back, is also considered an effective mechanism for mitigating threats against external-facing customer systems, as indicated by 51% of respondents. The Federal Financial Institutions Examination Council (FFIEC), the interagency body responsible for creating standards for the oversight of financial institutions, has long called on banks to implement multifactor authentication for protecting customer accounts.18

Secure application development and life-cycle management practices have assumed increasing importance, especially with the move to the DevOps model for software development.19 So it is encouraging to see 42% of the respondents cite secure application development as an effective way to mitigate threats.

One direct offshoot of the increase in spearphishing against financial institutions is the use of Internet crawling services for detecting deceptive use of branding in order to phish their customers. Based on the responses in the survey, 13% of the survey takers appear to use such services currently. It will be interesting to see if adoption of such services increases over the next year.

18 www.ffiec.gov/pdf/authentication_guidance.pdf
19 http://software-security.sans.org/blog/2012/07/09/what-appsec-can-learn-from-devops

Security Budgets, Programs and Frameworks

This year, 13% of organizations said they would spend 9% to 10% of their IT budgets in fiscal year (FY) 2015 on security, as opposed to 11% spending in that bracket in FY 2014. The trend shows that budgets for security, overall, have increased. In fact, 27% of organizations plan to spend 9% or more of their IT budgets on security in FY 2015, compared to 23% making that commitment in FY 2014.

Overall, 58% said they plan to invest more heavily in IT-related security and risk management in the next 24 months, while 38% plan to keep their investments the same. Those numbers would appear to make sense in the context of the growing threats that financial organizations face from internal and external sources.

But judging from the responses, security spending at many organizations appears to be somewhat ad hoc in nature. Nearly one-third (32%) of survey respondents said they are unsure or do not know how much of their overall IT budget they will spend on security this fiscal year. See Figure 10.

These results suggest respondents do not have a clearly earmarked budget for security, are not actively involved in the budgeting process or are simply unaware of budget constraints. Considering that 42% of survey takers identified themselves as either security analysts or CISOs/CSOs, the improving numbers suggest more influence on the part of key decision makers.

These results are even more encouraging when viewed without including respondents who didn’t know about their budgets. Although one-third could not quantify their security spending, 41% of those who could said their organization is planning to spend 9% or more on security, whereas 35% made that claim in 2014.

Callout: 58% of respondents plan to invest more heavily in security and risk management.

Figure 10. Security Spending as a Percentage of Overall IT Budget (FY 2014 vs. FY 2015)

Survey questions: What percentage of your organization’s IT budget was spent on security for fiscal year (FY) 2014? What percentage of the IT budget will be devoted to security in the next 12 months (FY 2015)? Response brackets: Unknown/Unsure; Less than 1%; 1%–3%; 4%–6%; 6%–8%; 9%–10%; 11%–25%; More than 25%.


Who’s Responsible?

This year, the level of strategic influence remained about the same, at 58%. This includes 25% of survey takers who report being security analysts, while 17% chose CISOs/CSOs or security managers, and another 12% identified themselves as IT manager, director or CIO. Add in the 4% who identify themselves as risk managers, and it’s clear that strategic participation in security budgets ties directly to the power of the organization’s influencers who can speak to the business needs while improving risk posture overall. See Figure 11.

Figure 11. Respondents’ Roles

Survey question: Please indicate your primary role in the organization. Response options: Security analyst; Compliance officer/Auditor; Fraud investigator; Other; CSO/CISO/IT security manager or director; Risk manager; Developer; Forensics analyst/Incident response; Software engineer/Architect; Security administrator; CIO/IT manager or director; Network/System administration or operations; Nontechnical business unit.


Meanwhile, in another question about who’s responsible for information security, 55% of respondents say their CISOs/CSOs and directors of information security drive the information security practices in their organizations. These numbers are a good indicator of the growing executive focus given to security. Another 17% state that their CIOs are responsible, while another 7% say their compliance managers drive their practices. See Figure 12.

Another 13% say their CEO/COO and boards of directors drive their security programs, while the “Other” category suggested more collaborative approaches between IT and upper management, including the CFO, stakeholders, and the setting up of security governance communities and security boards.

Callout: 42% of respondents have some level of decision-making authority for enterprise security.

Figure 12. Executive Leadership for Information Security Programs

Survey question: Who primarily drives information security practices in your organization?

CSO/CISO/Director of Information Security    54.8%
CIO                                          16.8%
CEO/COO                                       9.0%
Risk and compliance manager                   6.5%
Board of Directors                            3.9%
Other                                         3.9%
Unknown                                       1.9%
No one/Not applicable                         1.9%
CFO                                           1.3%


Security Programs

The level of management participation ties directly with an important change in focus this year from “meeting compliance” (which everyone knows is not proof of good security) to better response and overall improvements in security programs.

In the 2014 survey, the top two primary drivers of information security programs were meeting compliance and avoiding data breaches, both chosen by 69% of respondents. In this year’s survey, 81% of respondents selected avoiding data breaches as their primary driver, while 70% ranked compliance as their primary driver. See Figure 13.

Figure 13. Primary Drivers of Information Security Programs

Survey question: What are the primary drivers behind your information security program? Select all that apply. Response options: Avoiding data breaches; Reducing account and payment card fraud; Protecting institutional/Brand reputation; Demonstrating regulatory compliance; Enabling online, mobile and other new forms of customer service; Other; Avoiding financial repercussions due to breach; Improving risk posture overall; Legal mandates.


These are the reasons for the increased focus on breach avoidance:

1. Time is money. According to the 2014 SANS Incident Response Survey, the time from detection to remediation of breaches is usually days. But 29% reported taking longer than one week, while 4% admitted to taking more than 12 months to remediate the issue. For financial firms, this time frame is unacceptable.20

2. There is demand for regulation. Improvements in overall risk posture are becoming more of a goal as PCI DSS, the SEC and other regulatory bodies mandate them through standards and rules.

3. Nobody wants to make the news. The media continues to report more breaches, and most organizations want to avoid the negative publicity associated with breaches.

4. Technologies can support them. Perimeter detections, endpoint monitoring and some of the newer “threat intelligence” products are providing more support to improve response cycles. As shown in Figure 13, improving the risk posture overall was the third most important driver behind programs this year, chosen by 65% of respondents.

This emphasis on improved security programs overall suggests that executives are changing their emphasis on security from being compliant to being comprehensive. Being compliant means receiving a minimum passing grade: Think C−. However, compliant systems get hacked all the time. So that minimum requirement doesn’t protect organizations from painful breaches and resulting lawsuits. Target was supposedly compliant with PCI requirements and yet was breached in late 2013.21 And Target’s compliance did little to protect it from the spate of lawsuits that followed.

Ensuring that your organization goes above and beyond achieving compliance yields triple benefits: reduced likelihood of compromise, increased likelihood of detecting breaches earlier and reduced legal exposure in civil court.

20 “Incident Response: How to Fight Back,” www.sans.org/reading-room/whitepapers/incident/incident-response-fight-35342, p. 18.
21 https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ


Conclusion

Information security continues to be a work in progress for many financial services companies. Overall, financial institutions continue to struggle from a lack of visibility and other shortcomings. Fortunately, this year’s survey also reveals that change is afoot in the financial industry, as results show a clear shift toward improving response and overall security programs. Security program development seems to be moving up in priority, and the focus is moving from a “checklist compliance” mentality to better response and improved security programs overall.

Financial institutions continue to use a wide range of appropriate tools to defend their networks and data, and security managers appear reasonably confident about the ability of their organizations to deal with new and emerging threats.

Still, many organizations remain focused largely on external threats and perimeter-based security controls, which is critically important for financial transactional fraud prevention. However, they also experience mostly internal breaches, meaning they must also apply more focus on user endpoints and behaviors. Survey results show that they get this point and are applying more controls on the endpoints as a secondary measure to their perimeters.

These results are all indicators that financial services organizations are moving in the right direction. Change comes slowly, however, even as the enemy continues to up their game. That is why, for two years in a row, respondents reported that they will be seeking, and obtaining, more budget and resources going forward.

The key is to apply their resources to the right locations (internal users and external-facing customer systems) and against the types of threats that they see. As well as protecting their employees from phishing and other attacks that get through their firewalls, their most important objective is to instill trust in their protected financial systems for their customers and shareholders.

About the Authoring Team

G. Mark Hardy, SANS Analyst and certified instructor, is president of National Security Corporation and has provided cybersecurity expertise to government, military and commercial clients for more than 30 years. Also founder of CardKill Inc., he is a retired U.S. Navy Captain and an internationally recognized expert who has presented at more than 250 events worldwide. G. Mark serves on the advisory board of the National CyberWATCH Center. A graduate of Northwestern University, he holds a BS in computer science, a BA in mathematics, and master’s degrees in business administration and strategic studies. He also holds GSLC, CISSP, CISM and CISA certifications.

Jaikumar Vijayan is an award-winning journalist specializing in writing about information security and how it affects enterprises and individuals. With 25 years of experience covering information security and technology, his stories have appeared in Computerworld, InformationWeek, InfoWorld, Network World, PCWorld, Macworld, The Economic Times and other publications.

Sponsor

SANS would like to thank this survey’s sponsor: