Big banks are besieged by cybersecurity alerts. Some alerts might point to threats that are real, but the challenge is distinguishing the signal from the noise. In fact, some 60% of banks deal with 100,000 or more alerts a day, according to reporting by Penny Crosman of the American Banker, a financial services industry trade publication.
The American Banker story is based on a survey of banks conducted by the market research and business consulting firm, Ovum. Seventy-five percent of the banks surveyed reported assets under management of at least $10 billion and one-quarter maintain $250 billion in assets or more.
Such high value is a beacon for bad actors, but identifying attacks is complicated by the sheer volume of alerts coming from across the toolset. The problem is far worse for some banks: according to Ovum, 37% are hit with more than 200,000 alerts a day.
Even worse, many alerts are technically accurate but largely irrelevant. About half of all respondents (47%) say just one in five alerts – or about 20% – is related to a unique security event.
Combining those two figures (our analysis, not Ovum's), roughly 40% of banks see something like 160,000 duplicate, irrelevant, or erroneous cybersecurity alerts a day. If we conservatively estimate it takes 15 minutes for a security analyst to perform basic research on an alert, that is around 40,000 analyst-hours a day, and it becomes clear why Ovum Principal Analyst Rik Turner labels this “unsustainable.”
See these related posts:
Security Leadership: 5 Habits of Effective CISOs
3 Use Cases in Network Security for Threat Hunting
Unleash the Kraken! 6 Things Your CISO is Thinking but Can’t Say Aloud
Catalyst: Proliferation of Disparate Security Tools
The first question that comes to mind is: how did we get here? The answer may lie in the financial services industry's well-earned reputation for early technology adoption – that strength is also a weakness.
The Ovum report suggests new threat variants and attack vectors emerge so fast that banks are left with little choice other than to adopt new tools to solve each emerging problem.
“As a result of this dynamic, the financial services’ security infrastructure is characterized by multiple silos of products and platforms, which have grown up over time, as new tools have been deployed to meet emerging threats and attack methodologies,” according to the assessment in the report.
However, the problem is greater than just growth in the number of tools – it is also the complexity that results because these tools rarely play well with each other. According to the report, the “proliferation of disparate security tools” has produced a toolset that is “typically unable to communicate among themselves.”
Just how many tools? The survey found “73% of respondents are running more than 25 cybersecurity tools, and 9% are running more than 100.”
The solution, in many ways, has also become part of the problem.
Refocusing on Integration Across Security Infrastructure
Cybersecurity professionals in banks are well aware of the challenge. The Ovum survey found 67% of respondents said they need better security tools rather than more. Indeed, one of the recommendations Ovum suggests in the report is to “migrate from security silos to a unified threat defense architecture.”
In an email interview with Bricata, Mr. Turner put this recommendation into perspective. He noted the rapid pace of threat evolution means incumbent security vendors cannot reasonably respond to every new threat, which creates an opportunity for emerging solutions. As a result, most of the respondents to the survey – large banks – will inevitably have silos in their security infrastructure.
Therefore, the remedy is to ensure a capability for those tools “to report into a common platform that can aggregate, normalize, collate, and analyze the data, alongside external threat information, for a centralized definition of incident response rather than necessarily migrating away from the actual silos.”
“In other words, the silos are probably not going away anytime soon, so at least implement some means of them all acting in concert for an enterprise-wide response capability, defined once and implemented in a streamlined fashion,” he said in his email message.
Indeed, banks as a group are not helplessly dependent on vendors either. Mr. Turner suggested the financial services industry has the ability to organize behind industry standards and compel vendors to develop interoperability capabilities if they want to continue doing business with the banking community.
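To make the “aggregate, normalize, collate” recommendation concrete, here is a small Python example of what the first stages of such a common platform do to raw alert volume. It is an illustration added to this post, not code from Ovum, Bricata, or any of the surveyed banks; the three alert sources (an IDS, a firewall, an endpoint agent), their record formats, and the eight sample alerts are all constructed for the example. Each source is parsed into one schema, repeats of the same signature between the same hosts within a short window are folded into a single event with a count, and events are then collated by (source, destination) pair so that one host tripping three different tools surfaces as one item rather than eight alerts.

```python
"""Normalize alerts from several tools into one schema, suppress duplicates,
and collate what is left by host pair. All formats and data are constructed
for illustration; none corresponds to a real product's output."""
import re
from datetime import datetime, timedelta

# Constructed sample input from three hypothetical tools, each in its own format.
IDS_ALERTS = [  # hypothetical IDS emitting JSON-like records, priority 1 = highest
    {"ts": "2019-03-01T10:00:00", "sig": "ET MALWARE Beacon", "src": "10.1.1.5", "dst": "203.0.113.9", "sev": 3},
    {"ts": "2019-03-01T10:00:04", "sig": "ET MALWARE Beacon", "src": "10.1.1.5", "dst": "203.0.113.9", "sev": 3},
    {"ts": "2019-03-01T10:00:09", "sig": "ET MALWARE Beacon", "src": "10.1.1.5", "dst": "203.0.113.9", "sev": 3},
]
FW_LINES = [  # hypothetical firewall syslog lines
    "2019-03-01 10:00:02 fw01 DENY src=10.1.1.5 dst=203.0.113.9 dport=443 rule=egress-block",
    "2019-03-01 10:00:06 fw01 DENY src=10.1.1.5 dst=203.0.113.9 dport=443 rule=egress-block",
    "2019-03-01 10:00:07 fw01 DENY src=10.1.1.77 dst=198.51.100.4 dport=22 rule=egress-block",
]
EDR_LINES = [  # hypothetical endpoint tool using a CEF-style layout (extension values have no spaces here)
    "CEF:0|ExampleEDR|Agent|1.0|1001|Suspicious PowerShell|7|src=10.1.1.5 dhost=203.0.113.9 rt=2019-03-01T10:00:05",
    "CEF:0|ExampleEDR|Agent|1.0|1001|Suspicious PowerShell|7|src=10.1.1.5 dhost=203.0.113.9 rt=2019-03-01T10:45:00",
]

# Common schema: ts (datetime), tool, rule, src, dst, severity on a single 1-10 scale.
def parse_ids(rec):
    sev_map = {1: 9, 2: 7, 3: 5, 4: 3}  # assumed mapping of IDS priority onto the common scale
    return {"ts": datetime.fromisoformat(rec["ts"]), "tool": "ids", "rule": rec["sig"],
            "src": rec["src"], "dst": rec["dst"], "severity": sev_map[rec["sev"]]}

FW_RE = re.compile(r"^(\S+ \S+) \S+ (\w+) src=(\S+) dst=(\S+) dport=\d+ rule=(\S+)$")

def parse_fw(line):
    m = FW_RE.match(line)
    if not m:
        raise ValueError("unrecognised firewall line: " + line)
    ts, action, src, dst, rule = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "tool": "firewall",
            "rule": f"{action}:{rule}", "src": src, "dst": dst,
            "severity": 3 if action == "DENY" else 1}

def parse_cef(line):
    parts = line.split("|", 7)  # seven header fields, then the extension
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("unrecognised CEF line: " + line)
    ext = dict(kv.split("=", 1) for kv in parts[7].split())
    return {"ts": datetime.fromisoformat(ext["rt"]), "tool": "edr", "rule": parts[5],
            "src": ext["src"], "dst": ext["dhost"], "severity": int(parts[6])}

def normalize_all():
    """Aggregate every source into one time-ordered list in the common schema."""
    alerts = [parse_ids(r) for r in IDS_ALERTS]
    alerts += [parse_fw(l) for l in FW_LINES]
    alerts += [parse_cef(l) for l in EDR_LINES]
    return sorted(alerts, key=lambda a: a["ts"])

def dedupe(alerts, window=timedelta(seconds=60)):
    """Fold repeats of the same (tool, rule, src, dst) seen within `window` of the
    first occurrence into one event carrying a count and first/last-seen times.
    A repeat outside the window opens a new event, so a recurrence hours later
    is not silently swallowed."""
    open_events, events = {}, []
    for a in alerts:
        key = (a["tool"], a["rule"], a["src"], a["dst"])
        ev = open_events.get(key)
        if ev is not None and a["ts"] - ev["first_seen"] <= window:
            ev["count"] += 1
            ev["last_seen"] = a["ts"]
            ev["severity"] = max(ev["severity"], a["severity"])
            continue
        ev = dict(a, first_seen=a["ts"], last_seen=a["ts"], count=1)
        del ev["ts"]
        open_events[key] = ev
        events.append(ev)
    return events

def collate(events):
    """Group deduplicated events by (src, dst) so one host pair that tripped
    several tools surfaces as a single cross-tool item."""
    groups = {}
    for ev in events:
        groups.setdefault((ev["src"], ev["dst"]), []).append(ev)
    return groups

def summarize():
    alerts = normalize_all()
    events = dedupe(alerts)
    groups = collate(events)
    return {"alerts": len(alerts), "events": len(events), "pairs": len(groups),
            "tools_per_pair": {k: sorted({e["tool"] for e in v}) for k, v in groups.items()}}

if __name__ == "__main__":
    s = summarize()
    print(f"{s['alerts']} raw alerts -> {s['events']} events -> {s['pairs']} host pairs")
    for pair, tools in s["tools_per_pair"].items():
        print(f"  {pair[0]} -> {pair[1]}: seen by {', '.join(tools)}")
```

On the constructed input, eight raw alerts become five events and two host pairs, and the pair 10.1.1.5 -> 203.0.113.9 is shown as having been flagged by all three tools. The dedupe key deliberately includes the tool and rule name, so this stage never merges distinct detections; the merging across tools happens only in the collate stage, where an analyst can still see each contributing event. In a real deployment the window, the severity mapping, and the grouping key are the parameters that decide how much of the 80% of non-unique alerts disappears before a human sees anything.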
If there is a study or statistic you’d like considered, please let us know on Twitter – @Bricata
If you enjoy this post, you might also like:
10 Trends in Threat Hunting and Security Analytics
Photo: Pixabay (CC0 1.0)