January 11, 2023
Cybercriminals don’t follow regulations, and simply checking boxes isn’t enough to guarantee sustainable security outcomes.
It’s easy for leaders in highly regulated industries to fall victim to compliance fatigue. It’s understandable, given the dizzying array of requirements that banking security regulations contain.
The problem is that compliance policies are standardized and uniform by design. The opposite is true of cybercriminal tactics, techniques, and procedures.
Adhering to industry standards is important, but it’s not enough. Compliance should be part of your overall security strategy – not the entirety of it.
Banking Cybersecurity Regulations Aren’t Enough
At the end of 2021, three federal agencies (the FTC, OCC, and FRB) established a set of cybersecurity standards for the financial services industry. These standards include policies for creating formal cybersecurity programs, designing internal systems, and reporting security incidents.
Further rules were added in December 2022. These include encrypting all customer information in transit and at rest, implementing multi-factor authentication, and logging user activity to detect unauthorized users.
These are all good security practices that financial organizations should follow. However, they don’t provide the depth or detail that individual organizations need. Reading through the official requirements may bring up more questions than answers:
- What is the best way to encrypt customer information in transit and at rest? Should the same process apply to both types of information?
- What kind of multi-factor authentication should financial organizations implement? Which users need additional verification safeguards?
- How should user activity be logged? Where should the logs go? Who should scrutinize those logs for evidence of criminal activity?
These are not questions that policymakers can answer on an industry-wide basis. The answers to these questions will be different for every individual organization in the sector.
Great Security Outcomes Demand Thinking Outside the Box
MITRE ATT&CK lists almost 200 individual enterprise threat techniques and an additional 400 sub-techniques. The number of ways attackers can mix and match these techniques is practically unlimited.
A standardized compliance framework can only protect against a small number of these combinations. On the other hand, a highly customized security posture spreads resources more effectively across the organization’s attack surface.
But before you can strengthen your organization’s weakest points, you must identify them. That’s not something an industry-standard compliance checklist can do.
Instead, you must dedicate time and energy to discovering where your organization’s weak points are. Then you can deploy solutions that address the threats most likely to cause an impact. Security audits and threat intelligence data allow you to look beyond the limits of industry compliance. Only then can you deploy solutions that meet the security needs your organization really has.
A Real-World Example: Cash App’s Insider Breach
In April 2022, Block Inc.’s Cash App disclosed a security breach involving the personal data of 8 million users. Investigators discovered that a former Cash App employee was responsible for the breach. This employee had regular access to the data in question, which means the activity would have gone unnoticed by most security technologies.
Most alerts do not trigger when the attacker is a user who already has privileged access. Traditional security technologies simply see this as regular non-threatening user behavior.
There is no compliance requirement for gauging the intentions of users who access sensitive data. But this is exactly what financial services leaders need to do. Achieving this goal requires going beyond compliance and into proactive threat protection.
Use Behavioral Analytics to Catch Malicious Insiders
User and Entity Behavior Analytics (UEBA) technology enables financial services leaders to accurately gauge the intentions of users and assets operating on their network. The UEBA platform observes user activity over time and sets baseline thresholds that correspond to that user’s unique routine. It assigns a risk score to users and assets that deviate from their set routine and prompts investigations after reaching a set threshold.
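The baseline-then-score loop described above can be illustrated with a small scorer over data-access logs. This is an added example written for this article, not Exabeam’s or Castra’s code; the users, resources, record counts, point weights and the investigation threshold are all constructed assumptions. It learns each user’s normal export volume, working hours and resources from history, then scores new events so that a user with legitimate access who suddenly exports far more records than usual, late at night, crosses the threshold even though no access control was violated.

```python
"""Toy UEBA-style scorer: learn per-user baselines from historical access
events, score new events by how far they deviate, and flag users whose
accumulated risk crosses an investigation threshold.

All data, weights and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class AccessEvent:
    user: str
    ts: datetime
    resource: str
    records: int  # rows returned by the query or export


@dataclass(frozen=True)
class Baseline:
    mean_records: float
    std_records: float        # never 0, so z-scores are always defined
    hours: frozenset          # hours of day seen in history
    resources: frozenset      # data stores touched in history


# Assumed point weights and threshold; a real platform tunes these per tenant.
WEIGHTS = {"volume": 40, "off_hours": 25, "new_resource": 20, "no_baseline": 10}
VOLUME_Z_LIMIT = 3.0   # record count more than 3 standard deviations above normal
INVESTIGATE_AT = 50    # accumulated score at which an analyst is paged


def learn_baselines(events):
    """Build one Baseline per user from historical (assumed benign) events."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    baselines = {}
    for user, evs in by_user.items():
        counts = [e.records for e in evs]
        baselines[user] = Baseline(
            mean_records=mean(counts),
            std_records=pstdev(counts) or 1.0,
            hours=frozenset(e.ts.hour for e in evs),
            resources=frozenset(e.resource for e in evs),
        )
    return baselines


def score_event(event, baseline):
    """Return (points, reasons) for one event against the user's baseline."""
    if baseline is None:
        return WEIGHTS["no_baseline"], ["no_baseline"]
    reasons = []
    z = (event.records - baseline.mean_records) / baseline.std_records
    if z > VOLUME_Z_LIMIT:
        reasons.append("volume")
    if event.ts.hour not in baseline.hours:
        reasons.append("off_hours")
    if event.resource not in baseline.resources:
        reasons.append("new_resource")
    return sum(WEIGHTS[r] for r in reasons), reasons


def score_window(events, baselines):
    """Accumulate risk per user over a window and mark who to investigate."""
    report = defaultdict(lambda: {"score": 0, "reasons": [], "investigate": False})
    for e in events:
        points, reasons = score_event(e, baselines.get(e.user))
        entry = report[e.user]
        entry["score"] += points
        entry["reasons"].extend(reasons)
        entry["investigate"] = entry["score"] >= INVESTIGATE_AT
    return dict(report)


# Constructed history: two weeks of routine weekday exports by two analysts.
BASELINE_DAYS = [datetime(2023, 1, d) for d in (2, 3, 4, 5, 6, 9, 10, 11, 12, 13)]
ALICE_COUNTS = [40, 45, 50, 55, 60, 42, 48, 52, 58, 50]   # mean 50
BOB_COUNTS = [20, 22, 25, 18, 21, 24, 19, 23, 20, 22]     # mean 21.4
HISTORY = [
    AccessEvent(user, day.replace(hour=9 + i % 8), "customer_db", n)
    for user, counts in (("alice", ALICE_COUNTS), ("bob", BOB_COUNTS))
    for i, (day, n) in enumerate(zip(BASELINE_DAYS, counts))
]

# Constructed new events: Bob looks normal apart from one unfamiliar store;
# Alice uses the access she has always had, but at 23:10 and for 50,000 rows.
NEW_EVENTS = [
    AccessEvent("bob", datetime(2023, 1, 16, 10, 5), "customer_db", 21),
    AccessEvent("bob", datetime(2023, 1, 16, 11, 30), "hr_payroll", 12),
    AccessEvent("alice", datetime(2023, 1, 16, 23, 10), "customer_db", 50_000),
]


if __name__ == "__main__":
    for user, entry in score_window(NEW_EVENTS, learn_baselines(HISTORY)).items():
        flag = "INVESTIGATE" if entry["investigate"] else "ok"
        print(f"{user:6} score={entry['score']:3} {flag:11} reasons={entry['reasons']}")
```

The point of the example is the shape of the logic rather than the specific numbers: the volume check compares against the user’s own history, not a global limit, so an analyst whose job is bulk exports is not flagged for doing it, while the same count from a user who normally pulls fifty rows is. Users with no history get a small standing score instead of a free pass, since a freshly created account with broad access is itself a condition worth noticing.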
For financial service providers dealing with unprecedented employee flux, UEBA technology (like that used in Exabeam's New-Scale SIEM) offers a way to improve operational security beyond what regulators demand. As a leader in implementing UEBA technology, Castra can help finance organizations extend their security profile far beyond the level set by banking cybersecurity regulations.
Contact us today for assistance.