A Credit Union’s Introduction to Behavior-Based Cybersecurity

Preparing for behavior-based cybersecurity means collecting, storing and reporting data that your CU is likely not collecting today.


It is a few minutes before midnight and an employee just downloaded a large file over VPN from a remote site. Unnoticed by every security scan, this large file contains all the credit union’s members’ names, addresses and share information. The next morning, nothing happens – the action does not raise any flags or alarms because a known person is doing it over an approved connection. This scenario raises the hair on the backs of business and IT leaders alike, and it is one that could likely happen inside your credit union today.

Thankfully this scenario, modelled on a real-life event, was one that had an understandable justification. It was the Digital Banking Conversion Project Team performing some last-minute data transformations before the big launch of the new digital banking platform scheduled for a few days later. The scenario would have passed without comment, had the program manager not asked the information security manager about it.

Most cybersecurity events are caused by what are called insider threats. An insider threat suggests a disgruntled or malicious employee. However, IBM’s X-Force 2020 Cyber Security Intelligence Index report showed phishing accounted for 31% of cyber-attacks and 29% involved unauthorized use of credentials. Popular depictions of cyber-attacks show hackers using brute force attacks, but the truth is that hackers have simply found that your people are the best path of attack. So how does a leader protect the credit union from cyber-attacks without halting operations and losing pace with financial industry innovation?

Fortunately, there is a new approach for cybersecurity called behavior-based cybersecurity. The old approach, called signature-based, is what most organizations use. Signature-based cybersecurity relies on understanding how a threat “looks” from a number of attributes such as file name, size, etc., which together make a “signature.” Behavior-based cybersecurity handles the security problem differently. It uses data to model what normal behavior for a person is and then compares it against what they are doing currently.

Organizations like the Department of Defense and Department of Homeland Security are aggressively pursuing behavior-based cybersecurity approaches because they are active measures to protect networks. Signature-based cybersecurity relies on a cybersecurity professional to identify a threat in “the wild.” Then they add its signature to the definition file and distribute it across the network to guard against that specific threat in the future. Most anti-virus software platforms do exactly that. However, it means even the most protected networks are vulnerable during the process. An active measure protects the network based on behavior, asking if this is normal or not, and takes action.

An organization can exercise a spectrum of actions for threats detected through behavior-based cybersecurity, based on the detected threat and the organizational risk rules. The actions can be as passive as a notification to the user via SMS message simply asking, “Is this you?” These actions can be more aggressive, such as automatically moving the suspected threat into a quarantined group and removing its network access. Once remediated, the user or computer can rejoin the organization’s group and resume productive work.
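As an added illustration (not code from the article or from any vendor product), the sketch below models per-user “normal” from past VPN download sizes and hours, compares a current event against it, and maps the deviation to the passive and aggressive actions described above. The user names, history and thresholds are constructed assumptions.

```python
from statistics import mean, stdev

# Constructed history: (user, hour_of_day, megabytes) for past VPN downloads.
HISTORY = (
    [("jdoe", h, mb) for h, mb in
     [(9, 12), (10, 18), (11, 15), (13, 20), (14, 11), (15, 17), (16, 14), (10, 16)]]
    + [("etl_svc", h, mb) for h, mb in
       [(23, 900), (23, 1100), (0, 950), (23, 1000), (0, 1050), (23, 980)]]
)

# Assumed risk rules; a real deployment sets these from its own policy.
NOTIFY_Z, QUARANTINE_Z = 3.0, 6.0

def build_baseline(history):
    """Per-user model of 'normal': transfer size mean/stdev and hours seen."""
    per_user = {}
    for user, hour, mb in history:
        per_user.setdefault(user, []).append((hour, mb))
    return {
        user: {"mean": mean([mb for _, mb in events]),
               "stdev": stdev([mb for _, mb in events]),
               "hours": {h for h, _ in events}}
        for user, events in per_user.items()
    }

def assess(baseline, user, hour, mb):
    """Compare one current event with that user's own baseline."""
    model = baseline.get(user)
    if model is None:
        return "notify"            # no baseline yet: ask, do not assume
    # Floor the deviation so a very regular user does not divide by ~0.
    z = (mb - model["mean"]) / max(model["stdev"], 1.0)
    unusual_hour = hour not in model["hours"]
    if z >= QUARANTINE_Z and unusual_hour:
        return "quarantine"        # isolate the asset until remediated
    if z >= NOTIFY_Z or unusual_hour:
        return "notify"            # SMS the user: "Is this you?"
    return "allow"

BASELINE = build_baseline(HISTORY)
```

The same near-midnight, multi-gigabyte transfer is normal for the constructed `etl_svc` account and far outside the baseline for `jdoe`, which is the distinction a signature cannot express.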

Behavior-based cybersecurity requires something different from signature-based cybersecurity – it requires an understanding of what “normal” behavior is for each user and computer or network asset. This requires volumes of data and different approaches to data management. While some of the new providers of behavior-based cybersecurity may have solutions, those solutions will require the use of data architectures that many credit unions have not implemented. Where credit unions have implemented data warehouses or data lakes, most were purpose-built for managing member data, without plans for integrating operational data such as behavior-based cybersecurity data.

Credit union leaders can approach this dilemma by asking for cooperation between the professionals who manage their data and cybersecurity. They should know that there is a seismic shift in cybersecurity and a time in the not-too-distant future when cybersecurity data will need the same level of resiliency and accessibility as member data has today. Having these two groups work together will prepare a credit union for that time, and for the innovative credit union, will allow for behavior-based cybersecurity practices today.

The scenario presented in the opening of this article was based on real events and should have raised alarms, but it did not. Signature-based cybersecurity did not detect any problems because the activity did not share a signature with a known threat. The 2020 IBM Threat Intelligence Index clearly showed that hackers prefer to execute these threats through people. Preparing for behavior-based cybersecurity means collecting, storing and reporting data – likely data that your organization is not collecting today. However, you can start asking the questions and encouraging cooperation among your teams to prepare for a much smarter approach to cybersecurity that awaits tomorrow.

Ray Ragan

Ray K. Ragan, PMP is the co-founder of Clear Core, a data cleaning and transformation provider focusing on increasing the value and accessibility of data for financial institutions, in Tucson, Ariz.

Timothy Strasser

Timothy “Buck” Strasser is the founder of Clear Core in Tucson, Ariz.