A SANS Survey
Written by Jaikumar Vijayan
Advisor: G. Mark Hardy
June 2015
Sponsored by LogRhythm
Security Spending and Preparedness in the Financial Sector: A SANS Survey
©2015 SANS™ Institute
Introduction
Financial companies are at a critical juncture: The attack landscape has transformed dramatically over the past few years, and as a result, these companies are under more scrutiny than ever for the security of their financial systems.
Numerous breaches of financial institutions in 2014 reshaped the industry. Of the eight major breaches reported by the Association of Certified Financial Crime Specialists since the 2009 Heartland Payments System breach, four of them occurred in 2014.[1] Meanwhile, the U.S. Securities and Exchange Commission (SEC) has started reviewing such organizations on their preparedness to detect and avert cyber attacks.[2] And, starting in October 2015, Visa and MasterCard are shifting liability for fraud away from card processing businesses that have implemented EMV smart card readers.[3]
Unfortunately, financial services organizations are still being breached too often, most frequently by those with insider access, according to the second annual SANS survey on the security of the financial services sector. Results of this survey also reveal that change is slow in coming across the financial services industry, while threats continue to get harder to detect and defeat.
Like the SANS 2014 financial services security survey,[5] this year’s survey revealed several gaps in preparedness, both in the capability of organizations to defend against attacks and in their capability to respond to one. Organizations that participated in the survey reported problems with insider threats and phishing attacks. In another question, the largest group of respondents (41%) said they feel unable to quantify the costs of a data breach.
At the same time, respondents struggle with a variety of tools and technologies that, while providing some improvement, still fail at basic levels. For example, 66% of respondents don’t turn on inline security systems for fear of false positives blocking legitimate traffic, while 50% don’t turn on blocking because of operational/throughput concerns.
Top 5 Causes of Successful Breaches[4]
Abuse or misuse by internal employees: 46%
Successful spearphishing emails: 42%
Exploits on unpatched or misconfigured systems: 27%
Lost devices: 26%
Compromised endpoints: 27%
1 www.acfcs.org/the-top-8-largest-data-breaches-in-the-financial-services-industry
2 www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf
3 www.smartcardalliance.org/wp-content/uploads/EMV-FAQ-update-April-2015.pdf
4 Results total more than 100% because respondents could select multiple responses.
5 “Risk, Loss and Security Spending in the Financial Sector: A SANS Survey,” www.sans.org/reading-room/whitepapers/analyst/risk-loss-security-spending-financial-sector-survey-34690
SANS ANALYST PROGRAM | Security Spending and Preparedness in the Financial Sector | 1
Respondents are also learning that compliance does not translate to security, which is
perhaps the most positive change and sign of improvement in the financial industry,
especially because many of the recent headline-making victimized companies were in
compliance with their industry standards.
Now, based on the results of this year’s survey, organizations no longer
consider compliance as their primary mandate. Instead they are moving
toward more comprehensive incident response and holistic security
programs. Instead of compliance being their primary driver (as it was
last year), these organizations are most concerned about responding
to threats, while compliance is their second most important driver.
Their third top driver is to improve their security and risk management
programs overall. This shift indicates growing maturity in cyber risk
operations, which should be the ultimate goal for all IT organizations,
according to the Critical Security Controls and other such frameworks.[6]
Evolving Drivers for Information Security Programs
65% (the majority) chose compliance as their primary driver in 2014.
81% (the majority) cited avoiding data breaches as their primary driver in 2015, with compliance being their second most important driver (70%).
69% also feel that improving risk posture overall is a primary driver in 2015.
6 www.counciloncybersecurity.org/critical-controls
Organizations and Standards
Security professionals responsible for protecting systems and networks at financial
institutions in the U.S., Europe, Asia Pacific and other regions participated in this survey.
The results provide diverse insights into the security concerns that confront financial
institutions and their approaches for mitigating those concerns. A mix of operational
security staff, network and security administrators, senior security executives and
managers from small, medium and large organizations were represented in the survey.
Respondents also represented a variety of financial institution types and their associated
issues: Of the 196 professionals who qualified to take the survey, 21% were from
retail banking, 12% from insurance and 11% from the commercial banking sector.
Professionals from the investment banking sector, payment processing firms and
merchant card system acquirers were also represented. See Figure 1.
Almost 42% of respondents identified themselves as belonging to “other” industries,
including government regulators, health care, consulting and asset management,
indicating that financial services are being performed across sectors and supported by
consultancies.
Figure 1. Respondents by Primary Industry (chart of responses to “What is your organization’s primary industry?”; categories shown: Other, Banking—retail, Insurance, Banking—commercial, Investment banking, Payment processing, Merchant/Card system acquirers)
The responses reflect the sentiment of technology professionals from organizations of
different sizes, with 24% coming from relatively small companies (100–1,000 employees),
while 22% represented very large companies (more than 15,000 employees). Another
20% were from medium-sized companies (1,000–5,000 employees). The remaining
respondents were from organizations with between 10,001 and 15,000 employees
(10%), those with between 5,001 and 10,000 employees (12%) and companies with
fewer than 100 employees (11%). The survey respondents were dominated by U.S.–
based organizations: 85% have operations in the U.S. and 76% have their headquarters
in the U.S. See Figure 2 for a breakdown of the regions represented by respondents.
As you might expect with companies in the financial services sector, many of the
respondents have operations around the world, particularly in Europe. This globalization
indicates that their compliance mandates and security drivers are as diverse as the
regions in which they operate and the types of services they offer. Among respondents,
44% issue credit and debit cards, which means they, as well as payment processors, are
subject to PCI DSS in addition to SEC and other guidelines.
Figure 2. Operating Regions (chart of responses to “In what countries or regions does your organization operate? Select all that apply.”; regions shown: United States, South America, Canada, Europe, Middle East, Africa, Australia/New Zealand, Asia Pacific (APAC), Central America; vertical axis 0% to 80%)
Standards and Frameworks
With 44% of respondents representing companies that issue credit and debit cards, the
PCI DSS turns out to be the most widely used security framework in the financial services
industry, chosen by 50% of respondents. See Figure 3.
The responses point to the enormous role that PCI has played in influencing the
adoption of security standards in the financial industry. PCI rules apply directly only to
organizations that handle credit and debit card data. PCI DSS is broad and high-level
enough to apply across different industries, yet granular enough to offer some real
guidance to organizations struggling to figure out what security controls to use and how
to implement them.
Figure 3. Most Commonly Used Security Frameworks by Financial Companies (chart of responses to “What security frameworks does your organization adhere to? Select all that apply.”; frameworks shown: Payment Card Industry Data Security Standard (PCI DSS), FISMA (Federal Information Security Management Act), COBIT (Control Objectives for Information and Related Technology), ISO 27000 Series, Other, Critical Security Controls, NIST Framework for Improving Critical Infrastructure Cybersecurity, NIST SP 800-53; vertical axis 0% to 50%)
While PCI is the top standard being followed, the results suggest that organizations
use more than one framework. The second most common standard, used by 40% of
respondents, is the ISO 27000 Series, followed by the NIST framework, Control Objectives
for Information and Related Technology (COBIT) and the Critical Security Controls (CSC),
along with others. In our 2014 survey, ISO 27000 and PCI tied, each chosen by 49% of
respondents, as the top frameworks being followed.
Over time, organizations have invested a lot of work and funding into the 27000
standard, so it seems unlikely they would drop it. However, in this year’s survey the
number of respondents using PCI remained almost exactly the same, while those relying
on the 27000 series dropped by 10%. Regular updates to PCI over the years have kept
the standard relatively current and in tune with new and emerging threats. The latest
update, version 3.1 released in April 2015, includes the core elements shown in Table 1.
Table 1. PCI 3.1 Data Security Standard: High-Level Overview from PCI Security Standards Council[7]
Standard / Requirements
Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel
7 “Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures,” www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf, p. 5.
Security Incidents and Preparedness
Similar to last year’s results, insiders are still the primary culprits for breaches. Insider threats and spearphishing were the top two causes for security breaches, at 46% and 42%, respectively. They were followed by successful exploits on unpatched and misconfigured systems (27%). See Figure 4.
Some of the write-in responses also suggest that closer integration with business partners and contractors puts organizations at risk. The data breach at Target, where attackers gained access to the retailer’s network using login credentials belonging to a third-party heating, ventilation and air conditioning service, highlighted those concerns in dramatic fashion in 2013.[8]
Figure 4. Prevalent Causes for Security Incidents at Financial Institutions in 2015 (chart of responses to “Please rank the top three most prevalent causes of security incidents in your organization with 1 being most prevalent.”; bars for rank 1, 2 and 3; causes shown: Abuse or misuse by internal employees or contractors; Denial of Service attacks; Lost devices (laptops/phones); Successful spearphishing emails against employees; Web application attacks (e.g., SQL Injection, XSS, XSRF); Other; Advanced attacks/APTs; Loss, theft or compromise of employee-owned devices (BYOD); Exploited passwords; Targeted attacks on financial processing systems and databases; Compromised consumer endpoints/User errors; Exploits on unpatched or misconfigured systems; Admin access abuse; Partner systems; vertical axis 0% to 45%)
8 www.krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
These results are nearly identical to the 2014 survey, suggesting that while external attacks attract a lot of attention, financial companies are, more often, victims of rogue or careless insiders with access to privileged systems. While a few new options were added between the 2014 and 2015 surveys (indicated by N/A), Table 2 shows the comparison of rankings between the two years.
The PCI DSS framework calls for strong access controls and restricting access to cardholder data, while Critical Security Control 15 provides information on how to control access based on need to know. All actions by users and their devices should also be monitored for abuse, based on these and other frameworks.
Meanwhile, advanced persistent threats (APTs) and targeted attacks, which security vendors and the media most often portray as the most common major threat breaking through defenses, do not appear to cause much concern for financial services firms. Barely 12% of survey takers ranked APTs as the first, second or even third most prevalent cause for security incidents at their organizations. That ranking could simply be because many financial services companies do not know they have been victimized in a targeted attack (perhaps lacking the visibility into their systems).
Spearphishing emails are a hallmark of APT campaigns. Threat actors often use such emails to drop malware on target networks and then use that initial foothold to move laterally across the organization.[9] So for survey takers to identify spearphishing as a major threat—but not APTs—suggests a puzzling disconnect in how many in the financial industry perceive APTs.
Table 2. Year-Over-Year Comparison of Top Security Concerns by Highest to Lowest Ranking in 2015
Most Prevalent Cause of Security Incidents | 2014 | 2015
Abuse or misuse by internal employees or contractors | 23% | 21%
Spearphishing emails | 16% | 19%
Compromised consumer endpoints/User errors | N/A | 10%
Exploits on unpatched or misconfigured systems | 8% | 8%
Other | 4% | 7%
Admin access abuse | N/A | 5%
Lost devices (laptops/phones) | 7% | 5%
Denial of Service attacks | 7% | 4%
Advanced attacks/APTs | 4% | 4%
Partner systems | N/A | 3%
Web application attacks (e.g., SQL Injection, XSS, XSRF) | 4% | 3%
Exploited passwords | 2% | 2%
Targeted attacks on financial processing systems and databases | 2% | 2%
Loss, theft or compromise of employee-owned devices (BYOD) | 3% | 1%
TAKEAWAY: Financial institutions need more automated, comprehensive means for monitoring insiders, their authorized access to systems and their use of critical data.
Percentage ranking advanced persistent threats as the number one most prevalent threat to their organization: 4%
9 “A Detailed Analysis of an Advanced Persistent Threat Malware,” www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814
Risk and Loss Evaluation
While most survey takers were able to tell us about the types of incidents occurring on their networks, only 25% were able to quantify losses. Another 41% could not, and 35% didn’t know what their losses were.[10] This suggests a lack of metrics, asset awareness and risk measurement practices within many financial services organizations.
This year’s results track closely with the results from the 2014 survey and suggest
that financial services companies have made little headway in gaining a better
understanding of the consequences of data breaches occurring in their organizations.
Security Incident Outcomes
Most reports on data breaches tend to focus on the direct losses, such as breach
mitigation costs, breach notification costs and costs associated with offering free credit
monitoring services. While such costs can be significant, the impacted organization has
other costs to worry about as well.
Of those who were able to quantify losses in the survey, 38% cited loss of business
through service downtime as the biggest impact of a data breach, 23% cited damage
to brand reputation as a result of reporting a breach, 20% cited direct losses against
impacted financial accounts, and 15% pointed to regulatory proceedings and fines. See
Figure 5.
TAKEAWAY: The fact that spearphishing emails are such a big threat to financial institutions underscores the importance of end user awareness and training.
10 Percentages total more than 100% due to rounding error.
Figure 5. Security Incident Outcomes (chart of responses to “What was the outcome of these incidents? Choose all that apply.”; outcomes shown: Loss of business through service downtime; Other; Brand reputation loss due to reporting the incident; Regulatory or legal proceedings and/or fines as a result of incidents; Direct losses against impacted customer financial accounts; Brand reputation loss due to nefarious use of brand to phish customers; vertical axis 0% to 40%)
The majority of “Other” responses pointed to minimal losses due to quick response
and mitigation. Some respondents did, however, indicate loss of productivity and the
expense of replacing devices as expenses of their incidents.
Perimeter Focus
Even though respondents report that their primary culprits are insiders and partners
with privileged access, results in this report indicate that the majority of financial
institutions continue to focus more on stopping external threats than on detecting or
stopping careless or malicious insiders. Nearly 84% said their advanced firewalls, IDS and
IPS systems were effective or very effective in protecting systems containing or handling
sensitive data. See Table 3.
Table 3. Perimeter Still the Main Prevention Point of Protection
Control | Very Effective Rating
Advanced firewalls/IDS/IPS to protect internal systems | 32.4%
Vulnerability scanning/Continuous monitoring | 29.4%
Segmentation | 26.5%
Continuous monitoring for critical anomalies and suspicious transactions | 26.5%
Encryption | 26.5%
Log aggregation and SIEM/Security event management | 22.8%
Secure configuration practices for applications and systems | 22.1%
Monitoring of infrastructure | 21.3%
Endpoint visibility | 20.6%
Endpoint AV | 19.9%
Whitelisting of executables, applications and activities | 19.1%
Blacklisting of executables and activities | 16.9%
Malware analysis systems | 16.2%
Security analytics and intelligence (in-house) | 15.4%
Data de-identification methods (masking, tokenization) | 15.4%
Real-time threat intelligence provided by third parties | 13.2%
Database protections | 11.0%
On the other hand, the financial IT pros taking this survey have identified their primary
cause of successful breaches to be from inside the firewall—their users. So, in addition to
perimeter security, respondents are also improving protection on their endpoints—closer
to their users in the case of user endpoints and closer to the applications and data in the
case of server endpoints. Endpoint technologies that received enthusiastic endorsements
included endpoint AV (68%) and endpoint visibility tools (65%). Table 4 shows the
comparisons to 2014 survey results; light gray indicates the option wasn’t used that year.
Table 4. Year-Over-Year Comparison of Most Effective Controls
2015 results (controls listed from highest to lowest total effective rating):
Control | Very Effective | Effective | Total Effective
Encryption | 26% | 59% | 85%
Advanced firewalls/IDS/IPS to protect internal systems | 32% | 51% | 84%
Secure configuration practices for applications and systems | 22% | 58% | 80%
Monitoring of infrastructure | 21% | 57% | 78%
Continuous monitoring for critical anomalies and suspicious transactions | 26% | 50% | 76%
Vulnerability scanning/Continuous monitoring | 29% | 47% | 76%
Log aggregation and SIEM/Security event management | 23% | 47% | 70%
Endpoint AV | 20% | 49% | 68%
Segmentation | 26% | 40% | 66%
Endpoint visibility | 21% | 45% | 65%
Data protections/Encryption | 11% | 50% | 61%
Security analytics and intelligence (in-house) | 15% | 46% | 61%
Blacklisting of executables and activities | 17% | 43% | 60%
Whitelisting of executables, applications and activities | 19% | 40% | 59%
Malware analysis systems | 16% | 40% | 56%
Real-time threat intelligence provided by third parties | 13% | 42% | 55%
Data de-identification methods (masking, tokenization) | 15% | 35% | 50%
Real-time monitoring for critical anomalies and suspicious transactions | option not offered in 2015
Strong authentication for customer-facing sites | option not offered in 2015
Strong authentication for employees and partners | option not offered in 2015
2014 results (13 controls offered that year, in table order; the gray cells marking the seven controls not offered in 2014 are not preserved in this text version):
Very Effective: 27%, 22%, 22%, 19%, 13%, 23%, 10%, 20%, 8%, 11%, 19%, 22%, 23%
Effective: 56%, 55%, 64%, 49%, 44%, 59%, 39%, 42%, 46%, 35%, 58%, 44%, 54%
Total Effective: 83%, 77%, 86%, 69%, 57%, 82%, 49%, 62%, 54%, 46%, 77%, 65%, 77%
Percentage of financial institutions that consider encryption to be an effective or very effective approach for protecting data: 85%
Fewer respondents pointed to emerging technologies such as threat intelligence
monitoring, despite the market buzz about it. Even so, acceptance appears to be
growing compared to last year, with 15% saying that in-house security analytics and
intelligence is very effective, compared to around 10% saying the same thing in the 2014
survey. Similarly, data de-identification approaches such as tokenization and masking
appear not to have gained wide acceptance yet, with only about 15% pointing to them
as being very effective in protecting financial data.
Interestingly, although IDS/IPS fell into the top most effective category, respondents say
they are not turning on inline blocking for a variety of reasons, foremost among them
being the concern of blocking legitimate traffic. See Figure 6.
Second, respondents are concerned about the operational issues of throughput, and to
a lesser degree interoperability. All of these issues should have been resolved years ago
with IPS, but still continue to plague enterprise users.
Figure 6. Barriers to Turning on Inline Blocking (chart of responses to “What barriers, if any, do you have to deploying active, inline security systems? Select all that apply.”; barriers shown: Fear of false positives blocking legitimate business; Existing network bandwidth limitations; Concerns about throughput of data, parsing; Other; Issues with interoperability between our security devices and the monitoring support structure; vertical axis 0% to 40%)
Risk Assessment
Numerous resources are readily available to help organizations start the risk assessment process. They range from generalized guides on the topic to comprehensive templates that offer step-by-step instructions on how to implement the various components of an information security risk assessment program. Examples include the FFIEC’s IT Examination HandBook InfoBase,[11] NIST’s Special Publication 800-30 Guide for Conducting Risk Assessments[12] and the California Department of Technology’s Risk Assessment Toolkit.[13]
Improving Risk and Compliance Postures
Organizations, particularly those covered by PCI DSS, should
consider implementing tokenization and data-masking
processes where sensitive data is stored and processed. Many
products for data masking and tokenization can do so today
without reengineering the database structure to fit the mask or
token format, making them easier to use.
In addition to better security, both approaches offer an opportunity for organizations
to reduce the scope of their PCI requirements. Strong encryption is also of critical
importance to protecting data at rest and in transit, while meeting compliance. In this
year’s survey, 85% cited encryption as effective or very effective in protecting sensitive
data processed in their systems. Recently, the latest update to the standard (PCI 3.1),
released on April 15, 2015 as an “out-of-band” update, makes it clear that organizations
can no longer use SSL and early implementations of the TLS protocol to encrypt data in
transit.[15] In this context, data encryption assumes even bigger significance going forward.
In addition to encrypting sensitive customer data, the PCI DSS standard requires covered
entities to properly segment networks that process payment card data from the rest of
the corporate network, which 66% of respondents say they are doing.
Risk Assessment Steps
The FFIEC recommends the following risk assessment steps:[14]
1. Gather information on your organization’s operating and business environments.
2. Identify all the key information systems and data you need to protect.
3. Classify and rank sensitive data, prioritize threats and vulnerabilities, and assess controls.
4. Assign risk ratings to information and information systems.
11 “IT Examination HandBook InfoBase,” http://ithandbook.ffiec.gov/it-booklets/information-security/information-security-risk-assessment.aspx?prev=1
12 “Guide for Conducting Risk Assessments: Information Security,” www.nist.gov/customcf/get_pdf.cfm?pub_id=912091
13 “Risk Assessment Toolkit,” www.cio.ca.gov/OIS/Government/risk/toolkit.asp
14 “IT Examination HandBook InfoBase,” http://ithandbook.ffiec.gov/it-booklets/information-security/information-security-risk-assessment/key-steps.aspx
15 “Payment Card Industry (PCI) Data Security Standard: Summary of Changes from PCI DSS Version 3.0 to 3.1,” www.pcisecuritystandards.org/documents/PCI_DSS_v3-1_Summary_of_Changes.pdf
Preparedness
Despite the controls they have in place to protect sensitive data, only 13% felt “Very
prepared” and had the resources and technology to deal with known and unknown
threats. See Table 5.
Another 42% attested to being “Prepared” to deal with at least some of the known and
unknown security threats (but not all of them). See Figure 7.
The uncertainty reflected in the results mirrors a broader trepidation. The string of high-profile data breaches since late 2013 has sparked considerable concern, across all sectors, about the effectiveness of traditional security controls against new and emerging security threats.[17]
Table 5. Level of Preparedness to Deal with Unknown Threats—2014 and 2015[16]
How Prepared Is Your Organization? | 2014 | 2015
Very Prepared | 16% | 13%
Prepared | 42% | 42%
Somewhat Prepared | 35% | 32%
Not Prepared | 4% | 7%
Unsure/Unknown | 3% | 4%
Other | 0% | 1%
16 Columns do not add up to 100% due to rounding error.
17 www.wsj.com/articles/computer-security-industry-critiques-itself-following-high-profile-breaches-1429573277
Figure 7. Organizational Preparedness to Fend Off Attacks (chart of responses to “How prepared is your organization to fend off attacks aimed at gaining access to your financial systems and accounts?”; response options:)
Very prepared. We have the resources and technology to defend against known and unknown attack methods.
Prepared. We have some ability to defend against known attack types but can’t predict the unknown.
Somewhat prepared. We have some resources and technology to fend off attacks, but we need more.
Not prepared. We need resources and technologies to solidify our systems and protect against attacks.
Unsure/Unknown
Other
TAKEAWAY: The focus of security efforts should be not just on blocking threats at the perimeter, but on mitigating threats that breach the perimeter. Incident response has become as important as intrusion prevention.
Financial organizations should consider ways to build more holistic situational awareness
capabilities to detect and mitigate both known and unknown threats. Unfortunately,
about 39% of respondents felt they are only somewhat prepared or not prepared to
fend off attacks, suggesting that security remains a work-in-progress within the financial
services industry, despite all the heightened concerns spawned by data breaches.
Security Outsourcing
A relatively large proportion of survey respondents use third-party, outside service
providers for tasks such as infrastructure monitoring, event management, incident
response and security control monitoring. Nearly 50% outsource infrastructure
monitoring, 43% use outside services for event management and response, and 36% use
them for security intelligence and analytics, as shown in Figure 8.
In this year’s survey, 49% of respondents said they use a third party for monitoring
their IT infrastructures. One possible explanation is that many financial institutions are
spooked by the recent intrusions at major players in the marketplace and are looking
to professional third parties for help finding and mitigating security threats they might
have missed on their own. The same reason could also explain why 36% of the IT
professionals surveyed said they are outsourcing security intelligence and analysis to
third parties.
Figure 8. Outsourced Security Functions (chart of responses to “Do you rely on any outside services for the following? Select all that apply.”; functions shown: Monitoring of infrastructure; Risk management; Monitoring of security controls; Event management and response; Other; Compliance management; Security intelligence and analytics; Security architecture; vertical axis 0% to 50%)
Percentage of financial institutions that use a third party for IT infrastructure monitoring: 49%
At the same time, the proportion of financial institutions outsourcing their security
architecture to third parties dropped from 27% in 2014 to 19% in 2015. The numbers
for those outsourcing compliance management decreased as well, from 26% last year
to 21% this year. The shifts are substantial enough to indicate that financial companies
have more success outsourcing some security functions than others.
The fact that only 49% outsource infrastructure monitoring suggests that the remaining
half either are very confident in their ability to monitor the infrastructure or do not pay
enough attention to the need for such monitoring. The same holds true in other areas
like security event management, security intelligence and analytics, and compliance
management.
Are They Blocking?
A relatively high proportion of financial companies say they use active in-line security
monitoring tools for protecting externally facing customer systems. Nearly 60% of
survey respondents cited these tools as being most effective in blocking external threats.
See Figure 9.
Figure 9. Tools for Protecting External-Facing Customer Systems
Survey question: What tools or techniques do you find most effective in protecting external-facing customer systems? Select all that apply.
Options charted (bar chart, 0% to 60% scale): active, in-line security monitoring systems; Internet crawling services to detect deceptive use of brand for phishing; fraud detection for account and system activity; multifactor authentication for transactions (such as a telephone call-back); secure application development and life cycle; continuous monitoring for application vulnerabilities; malware analysis; other; unknown/unsure. Bar values are not reproduced here beyond those quoted in the text.
The word "active" implies automated blocking, although the survey question did not
specify it. It would be a real win for intrusion prevention and other blocking technologies
if large numbers of financial companies have actually deployed in-line tools in active
blocking mode, because doing so indicates a high level of confidence that these tools do
not block legitimate transactions and customers, that is, that their false-positive rate is low.
False positives in card fraud are costly and often the most expensive part of running a
fraud prevention operation. Having to pay an employee to sit at a desk, call a cardholder
and ask, “Did you make this transaction?” and hear “Yes” in response results in an expense
for the bank, an annoyance for the customer and outdated fraud indicators in the system.
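The trade-off this paragraph describes can be made explicit by back-testing the scorer's blocking threshold against the cost of each outcome. The block below is an added example, not code from the survey or its sponsor: the transactions, their scores and the per-call cost (`CALL_COST`) are constructed for illustration, and `best_threshold` sweeps every candidate threshold to find the one with the lowest combined cost of analyst calls and missed fraud.

```python
# Added example (not from the SANS survey): choosing a blocking threshold for an
# in-line fraud scorer by the cost of its false positives versus missed fraud.
# All transactions, scores and costs below are constructed for illustration.

from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    score: float      # fraud score from the model, 0.0 (clean) to 1.0 (fraud)
    amount: float     # transaction value, used as the cost of a miss
    is_fraud: bool    # ground truth learned after the fact (chargeback, confirmed fraud)


# Constructed back-test set: what the scorer said versus what actually happened.
SAMPLE_TXNS = [
    Txn(0.05, 40.0, False),
    Txn(0.12, 120.0, False),
    Txn(0.20, 15.0, False),
    Txn(0.35, 300.0, False),
    Txn(0.45, 80.0, False),
    Txn(0.55, 950.0, True),
    Txn(0.62, 60.0, False),
    Txn(0.70, 1200.0, True),
    Txn(0.85, 25.0, False),
    Txn(0.92, 2500.0, True),
]

# Assumed cost of one false positive: an analyst calls the cardholder, who says "Yes".
CALL_COST = 8.0


def cost_at(txns, threshold, call_cost=CALL_COST):
    """Outcome of blocking every transaction whose score is >= threshold.

    A blocked legitimate transaction (false positive) costs one analyst call;
    an unblocked fraud (false negative) costs the transaction amount.
    """
    fp = sum(1 for t in txns if t.score >= threshold and not t.is_fraud)
    caught = sum(1 for t in txns if t.score >= threshold and t.is_fraud)
    fn_loss = sum(t.amount for t in txns if t.score < threshold and t.is_fraud)
    return {
        "threshold": threshold,
        "false_positives": fp,
        "fraud_caught": caught,
        "cost": fp * call_cost + fn_loss,
    }


def best_threshold(txns, call_cost=CALL_COST):
    """Sweep every distinct score (plus 'block nothing') and return the cheapest outcome.

    Ties are broken toward the higher threshold, i.e. fewer blocked customers.
    """
    candidates = sorted({t.score for t in txns}) + [1.01]   # 1.01 blocks nothing
    outcomes = [cost_at(txns, c, call_cost) for c in candidates]
    return min(outcomes, key=lambda o: (o["cost"], -o["threshold"]))


if __name__ == "__main__":
    for c in sorted({t.score for t in SAMPLE_TXNS}) + [1.01]:
        o = cost_at(SAMPLE_TXNS, c)
        print(f"threshold {o['threshold']:.2f}: {o['false_positives']} false positives, "
              f"{o['fraud_caught']} fraud caught, cost {o['cost']:.2f}")
    print("cheapest:", best_threshold(SAMPLE_TXNS))
```

With the constructed data the sweep settles on a threshold of 0.55 (two analyst calls, all three frauds blocked). Raising the assumed per-call cost moves the chosen threshold up and lets fraud through instead, which is the pressure the paragraph describes: the more each false positive costs, the less aggressive an in-line blocker can afford to be.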
Multifactor authentication, such as an out-of-band telephone call-back, is also
considered an effective mechanism for mitigating threats against external-facing
customer systems, as indicated by 51% of respondents. The Federal Financial Institutions
Examination Council (FFIEC), the interagency body responsible for creating standards
for the oversight of financial bodies, has long called on banks to implement multifactor
authentication for protecting customer accounts.18
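A call-back only helps against an attacker sitting in the customer's browser if the confirmation the customer gives is bound to the payee and amount the bank will actually execute; otherwise a code approved for one transfer can be replayed to approve a tampered one. The block below is an added example, not code from the survey or from the FFIEC guidance: the HMAC-based code, the `CallbackVerifier` class, its time-to-live and every key, account, payee and amount value are assumptions made for illustration.

```python
# Added example (not from the SANS survey or the FFIEC guidance): an out-of-band
# confirmation code bound to the transaction it approves. Key, account numbers,
# payees and amounts are constructed for illustration.

import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 120   # assumed: how long a spoken code stays valid


def transaction_code(key: bytes, account: str, payee: str, amount_cents: int, nonce: str) -> str:
    """Derive a short numeric code from the exact details the bank will execute.

    HMAC-SHA256 over (account, payee, amount, nonce), truncated with the
    HOTP-style dynamic truncation of RFC 4226. A code issued for one
    payee/amount cannot be reused to approve a different payee/amount.
    """
    msg = f"{account}|{payee}|{amount_cents}|{nonce}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class CallbackVerifier:
    """Server-side state for telephone call-back confirmation of transfers."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = {}   # challenge_id -> time the code was issued

    def issue(self, account, payee, amount_cents, nonce=None, now=None):
        """Record a transfer request and return (challenge_id, code).

        The bank reads payee, amount and code to the customer over the phone.
        The customer types the code into the web session only if the spoken
        details match what they intended to send.
        """
        challenge_id = nonce if nonce is not None else secrets.token_hex(8)
        self._pending[challenge_id] = time.time() if now is None else now
        code = transaction_code(self._key, account, payee, amount_cents, challenge_id)
        return challenge_id, code

    def confirm(self, challenge_id, account, payee, amount_cents, entered_code, now=None) -> bool:
        """Approve only if the code matches the details that are about to execute.

        The code is recomputed from the details the execution path carries, so a
        payee swapped in the browser after the call fails to verify. Each
        challenge is single-use (consumed even on failure) and expires.
        """
        issued_at = self._pending.pop(challenge_id, None)
        if issued_at is None:
            return False
        now = time.time() if now is None else now
        if now - issued_at > CODE_TTL_SECONDS:
            return False
        expected = transaction_code(self._key, account, payee, amount_cents, challenge_id)
        return hmac.compare_digest(expected, entered_code)


def demo():
    """Genuine confirmation, replay, a payee tampered after the call, and expiry."""
    key = b"constructed-server-secret-not-for-production"
    v = CallbackVerifier(key)
    results = {}

    cid, code = v.issue("ACC-1001", "ACME Supplies", 50_000, nonce="n1", now=1000.0)
    results["genuine"] = v.confirm(cid, "ACC-1001", "ACME Supplies", 50_000, code, now=1030.0)
    results["replay"] = v.confirm(cid, "ACC-1001", "ACME Supplies", 50_000, code, now=1040.0)

    cid, code = v.issue("ACC-1001", "ACME Supplies", 50_000, nonce="n2", now=1000.0)
    results["tampered_payee"] = v.confirm(cid, "ACC-1001", "Mule Holdings", 50_000, code, now=1030.0)

    cid, code = v.issue("ACC-1001", "ACME Supplies", 50_000, nonce="n3", now=1000.0)
    results["expired"] = v.confirm(cid, "ACC-1001", "ACME Supplies", 50_000, code, now=1300.0)
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `confirm` recomputes the code from whatever the execution path is about to do rather than trusting the stored request: that is what turns a "did you make this transaction?" call into a check that the transaction the customer heard is the one that gets executed.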
Secure application development and life-cycle management practices have assumed
increasing importance, especially with the move to the DevOps model for software
development.19 So it is encouraging to see 42% of the respondents cite secure
application development as an effective way to mitigate threats.
One direct offshoot of the increase in spearphishing against financial institutions is the
use of Internet crawling services for detecting deceptive use of branding in order to
phish their customers. Based on the responses in the survey, 13% of the survey takers
appear to use such services currently. It will be interesting to see if adoption of such
services increases over the next year.
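A minimal version of what such a crawling service does internally, written as an added example (not code from the survey or from any vendor): it folds look-alike characters to the Latin string a victim would read, measures edit distance against the brand label, and looks for the brand inside other labels or subdomains. The brand `examplebank.com`, the confusables table and every domain in `SAMPLE_FEED` are constructed; the TLD handling is a simplification noted in the code.

```python
# Added example (not from the SANS survey): flagging domains that impersonate a
# brand for phishing. The brand "examplebank.com" and every candidate domain
# below are constructed; a real feed would be newly registered domains or
# Certificate Transparency log entries.

BRAND = "examplebank"   # assumed brand label
BRAND_TLD = "com"

# Characters commonly swapped for look-alikes: digits, and Cyrillic letters
# that render identically to Latin ones.
CONFUSABLE_CHARS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
}
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Fold a label to the Latin string a victim would read it as."""
    out = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in label.lower())
    for pair, single in CONFUSABLE_PAIRS.items():
        out = out.replace(pair, single)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (subdomain labels, registrable label, tld).

    Simplification: the last label is the TLD and the one before it is the
    registrable label; a real scanner would consult the Public Suffix List.
    """
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return [], parts[0], ""
    return parts[:-2], parts[-2], parts[-1]


def classify(domain: str) -> list:
    """Reasons a domain looks like brand impersonation; empty list if it does not."""
    subs, label, tld = split_domain(domain)
    reasons = []
    if label == BRAND and tld == BRAND_TLD:
        return reasons                        # the brand's own domain
    folded = normalize(label)
    if label == BRAND:
        reasons.append("tld-swap")            # examplebank.co
    elif folded == BRAND:
        reasons.append("homoglyph")           # examp1ebank.com, Cyrillic letters
    elif levenshtein(folded, BRAND) == 1:
        reasons.append("typosquat")           # examplbank.com
    elif BRAND in folded:
        reasons.append("brand-embedded")      # examplebank-login.net
    if any(BRAND in normalize(s) for s in subs):
        reasons.append("brand-in-subdomain")  # examplebank.com.secure-verify.net
    return reasons


def scan(domains):
    """Map each suspicious domain to its reasons, dropping clean ones."""
    flagged = {}
    for d in domains:
        reasons = classify(d)
        if reasons:
            flagged[d] = reasons
    return flagged


# Constructed candidate list standing in for a domain feed.
SAMPLE_FEED = [
    "examplebank.com",
    "examp1ebank.com",
    "ex\u0430mplebank.com",                # Cyrillic 'a'
    "examplbank.com",
    "examplebank-login.net",
    "examplebank.co",
    "examplebank.com.secure-verify.net",
    "bankofelsewhere.com",
]

if __name__ == "__main__":
    for d, reasons in scan(SAMPLE_FEED).items():
        print(f"{d:40s} {', '.join(reasons)}")
```

Each reason maps to a different takedown or blocking action, which is why the checks are kept separate rather than collapsed into a single similarity score; the confusables table here is deliberately small and would need the full Unicode confusables data in production.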
18 www.ffiec.gov/pdf/authentication_guidance.pdf
19 http://software-security.sans.org/blog/2012/07/09/what-appsec-can-learn-from-devops
This year, 13% of organizations said they would spend 9% to 10% of their IT budgets
in fiscal year (FY) 2015 on security, as opposed to 11% spending in that bracket in FY
2014. The trend shows that budgets for security, overall, have increased. In fact, 27%
of organizations plan to spend 9% or more of their IT budgets on security in FY 2015,
compared to 23% making that commitment in FY 2014.
Overall, 58% said they plan to invest more heavily in IT-related security and risk
management in the next 24 months, while 38% plan to keep their investments the same.
Those numbers would appear to make sense in the context of the growing threats that
financial organizations face from internal and external sources.
But judging from the responses, security spending at many organizations appears to be
somewhat ad hoc in nature. Nearly one-third (32%) of survey respondents said they are
unsure or do not know how much of their overall IT budget they will spend on security
this fiscal year. See Figure 10.
These results suggest that such respondents either do not have a clearly earmarked budget
for security, are not actively involved in the budgeting process or are simply unaware of
budget constraints. Considering that 42% of survey takers identified themselves as either
security analysts or CISOs/CSOs, the improvement over last year suggests that key decision
makers are gaining influence over security budgets.
These results are even more encouraging when viewed without including respondents
who didn’t know about their budgets. Although one-third could not quantify their
security spending, 41% of those who could said their organization is planning to spend
9% or more on security, whereas 35% made that claim in 2014.
Security Budgets, Programs and Frameworks
Callout: 58% of respondents plan to invest more heavily in security and risk management.
Figure 10. Security Spending as a Percentage of Overall IT Budget
Survey questions: What percentage of your organization's IT budget was spent on security for fiscal year (FY) 2014? What percentage of the IT budget will be devoted to security in the next 12 months (FY 2015)?
Brackets charted for FY 2014 and FY 2015 (bar chart, 0% to 40% scale): less than 1%; 1%–3%; 4%–6%; 6%–8%; 9%–10%; 11%–25%; more than 25%; unknown/unsure. Bar values are not reproduced here beyond those quoted in the text.
Who’s Responsible?
This year, the level of strategic influence remained about the same, at 58%. This includes
25% of survey takers who report being security analysts, while 17% chose CISOs/CSOs
or security managers, and another 12% identified themselves as IT manager, director
or CIO. Add in the 4% who identify themselves as risk managers, and it’s clear that
strategic participation in security budgets ties directly to the power of the organization’s
influencers who can speak to the business needs while improving risk posture overall.
See Figure 11.
Figure 11. Respondents' Roles
Survey question: Please indicate your primary role in the organization.
Roles charted (bar chart, 0% to 25% scale): security analyst; CSO/CISO/IT security manager or director; CIO/IT manager or director; risk manager; compliance officer/auditor; fraud investigator; developer; forensics analyst/incident response; software engineer/architect; security administrator; network/system administration or operations; nontechnical business unit; other. Bar values are not reproduced here beyond those quoted in the text.
Meanwhile, in another question about who’s responsible for information security, 55%
of respondents say their CISOs/CSOs and directors of information security drive the
information security practices in their organizations. These numbers are a good indicator
of the growing executive focus given to security. Another 17% state that their CIOs are
responsible, while another 7% say their compliance managers drive their practices. See
Figure 12.
Another 13% say their CEO/COO and boards of directors drive their security programs,
while the “Other” category suggested more collaborative approaches between IT and
upper management, including the CFO, stakeholders, and the setting up of security
governance communities and security boards.
Callout: 42% of respondents have some level of decision-making authority for enterprise security.
Figure 12. Executive Leadership for Information Security Programs
Survey question: Who primarily drives information security practices in your organization?
Results (legend entries paired with the chart's values in descending order, an assumption that agrees with the percentages quoted in the text):
CSO/CISO/Director of Information Security: 54.8%
CIO: 16.8%
CEO/COO: 9.0%
Risk and compliance manager: 6.5%
Board of Directors: 3.9%
Other: 3.9%
Unknown: 1.9%
No one/Not applicable: 1.9%
CFO: 1.3%
Security Programs
The level of management participation ties directly with an important change in focus
this year from “meeting compliance” (which everyone knows is not proof of good
security) to better response and overall improvements in security programs.
In the 2014 survey, the top two primary drivers of information security programs were
meeting compliance and avoiding data breaches, both chosen by 69% of respondents.
In this year’s survey, 81% of respondents selected avoiding data breaches as their
primary driver, while 70% ranked compliance as their primary driver. See Figure 13.
Figure 13. Primary Drivers of Information Security Programs
Survey question: What are the primary drivers behind your information security program? Select all that apply.
Drivers charted (bar chart, 0% to 80% scale): avoiding data breaches; demonstrating regulatory compliance; improving risk posture overall; reducing account and payment card fraud; protecting institutional/brand reputation; avoiding financial repercussions due to breach; enabling online, mobile and other new forms of customer service; legal mandates; other. Bar values are not reproduced here beyond those quoted in the text.
Security Budgets, Programs and Frameworks (CONTINUED)
These are the reasons for the increased focus on breach avoidance:
1. Time is money. According to the 2014 SANS Incident Response Survey, the time
from detection to remediation of breaches is usually days. But 29% reported
taking longer than one week, while 4% admitted to taking more than 12 months
to remediate the issue. For financial firms, this time frame is unacceptable.20
2. There is demand from regulation. Improvements in overall risk posture are
becoming more of a goal as standards and rules from PCI DSS, the SEC and other
regulatory bodies require them.
3. Nobody wants to make the news. The media continues to report more
breaches, and most organizations want to avoid the negative publicity
associated with breaches.
4. Technologies can support them. Perimeter detections, endpoint monitoring
and some of the newer “threat intelligence” products are providing more support
to improve response cycles. As shown in Figure 13 (on page 21), improving the
risk posture overall was the third most important driver behind programs this
year, chosen by 65% of respondents.
This emphasis on improved security programs overall suggests that executives are
changing their emphasis on security from being compliant to being comprehensive.
Being compliant means receiving a minimum passing grade: Think C−. However,
compliant systems get hacked all the time. So that minimum requirement doesn’t
protect organizations from painful breaches and resulting lawsuits. Target was
supposedly compliant with PCI requirements and yet was breached in late 2013.21 And
Target’s compliance did little to protect it from the spate of lawsuits that followed.
Ensuring that your organization goes above and beyond achieving compliance yields
triple benefits—reduced likelihood of compromise, increased likelihood of detecting
breaches earlier and reduced legal exposure in civil court.
20 “Incident Response: How to Fight Back,” www.sans.org/reading-room/whitepapers/incident/incident-response-fight-35342, p. 18.
21 https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ
Conclusion
Information security continues to be a work in progress for many financial services
companies. Overall, financial institutions continue to struggle from a lack of visibility
and other shortcomings. Fortunately, this year’s survey also reveals that change is afoot
in the financial industry, as results show a clear shift toward improving response and
overall security programs. Security program development seems to be moving up
in priority, and the focus is moving from a “checklist compliance” mentality to better
response and improved security programs overall.
Financial institutions continue to use a wide range of appropriate tools to defend their
networks and data, and security managers appear reasonably confident about the ability
of their organizations to deal with new and emerging threats.
Still, many organizations remain focused largely on external threats and perimeter-
based security controls, which is critically important for financial transactional fraud
prevention. However, they also experience mostly internal breaches, meaning they must
also apply more focus on user endpoints and behaviors. Survey results show that they
get this point and are applying more controls on the endpoints as a secondary measure
to their perimeters.
These results are all indicators that financial services organizations are moving in the
right direction. Change comes slowly, however, even as the enemy continues to up
their game. That is why, for two years in a row, respondents reported that they will be
seeking—and obtaining—more budget and resources going forward.
The key is to apply their resources to the right locations (internal users and external-
facing customer systems) and against the types of threats that they see. As well as
protecting their employees from phishing and other attacks that get through their
firewalls, their most important objective is to instill trust in their protected financial
systems for their customers and shareholders.
G. Mark Hardy, SANS Analyst and certified instructor, is president of National Security Corporation
and has provided cybersecurity expertise to government, military and commercial clients for more
than 30 years. Also founder of CardKill Inc., he is a retired U.S. Navy Captain and an internationally
recognized expert who has presented at more than 250 events worldwide. G. Mark serves on the
advisory board of the National CyberWATCH Center. A graduate of Northwestern University, he holds
a BS in computer science, a BA in mathematics, and master’s degrees in business administration and
strategic studies. He also holds GSLC, CISSP, CISM and CISA certifications.
Jaikumar Vijayan is an award-winning journalist specializing in writing about information security
and how it affects enterprises and individuals. With 25 years of experience covering information
security and technology, his stories have appeared in Computerworld, InformationWeek, InfoWorld,
Network World, PCWorld, Macworld, The Economic Times and other publications.
About the Authoring Team
Sponsor
SANS would like to thank this survey’s sponsor: