Detecting Insider & Supply Chain Threats in Financial Services Organizations

Learn three ways to identify users with “inappropriate access” and prevent insider breaches.


Insider threats are a top priority for security teams at financial services organizations. The risk is high – nation-state actors and groups like Lapsus$ will specifically solicit disgruntled employees at target companies to get access to their networks. In fact, 60% of data breaches are caused by an insider; in the U.S. that’s over 2,500 internal breaches per day.

Financial services chief information security officers must be prepared to defend against several types of insider attacks. The amount of money moving through banks and investment firms creates an incentive for employee fraud, or for an insider to help an adversary solely for monetary gain. However, “insider threat” doesn’t always denote angry employees trying to get back at their employers. It also includes external actors targeting and exploiting insiders, honest mistakes by employees, or accounts for contractors or trusted business partners that are accidentally compromised. Something as benign as an employee emailing data to their personal email account to work over the weekend can create a security gap that an attacker can exploit.

Did you know that 15% to 25% of insider risk incidents involve the supply chain, business partners or contractors? Imagine a contractor finishes his work and his access to the client’s network is removed accordingly. But say he had given access to a subcontractor and never told the client about it. IT wouldn’t know to remove that access. Threat actors can then use that subcontractor’s account to impersonate a legitimate user, download a malware package, use various techniques to find more sensitive data and then start to exfiltrate it. Financial security teams need the tools to detect and prevent all these scenarios.

Financial organizations are high-profile targets for threat actors and face strict legal and compliance requirements. This means the impact of a successful insider attack is enormous. Financial organizations are susceptible to data theft, since they store plenty of valuable personal information, and ransomware, because trust is so important to their business model. Even a small disruption to trading operations or financial transactions can mean hundreds of thousands of dollars lost. The reputational damage from a successful attack or breach will cost them much more in potential business, as investors decide they’d prefer to redistribute their portfolio away from a firm that, in their eyes, is vulnerable. The stakes are high and security teams must be ready for anything.

The root of many of these issues is inappropriate access – people having more access than they should. How can financial services security teams identify these people and prevent insider breaches? From conversations with our many customers, we’ve identified three ways.

Monitor User Behaviors

The most effective way to detect malicious insiders is to identify anomalous and risky user behavior. This requires gathering a lot of different data and information about the network infrastructure, baselining normal activity, identifying anomalies and estimating the risk level of those anomalies. Unusual behavior is suspicious, but truly risky behaviors are a higher priority for investigation and response.

For example, a high-privilege account doing something anomalous is riskier than a low-privilege account doing the same thing, because the potential for damage is greater. Financial services organizations also need to monitor user behavior for compliance reasons, so there are benefits here beyond security.

This process must include data from the cloud – monitoring on-premises network resources alone is not enough. The security team needs to know what the user in question is connecting to, wherever it is hosted. Without a hybrid solution that can see into the cloud, there will be visibility gaps where adversaries can hide or slip through.

Examine Identity Data

The next component in identifying insider threats is examining identity data. The security team needs to be able to pull identity data from Identity and Access Management and Privileged Access Management systems (such as Microsoft Active Directory and CyberArk) to understand things like departing users, outlier access and accounts that have been dormant for a long time. This should include DLP email alerts. This helps inform what types of behavior are unusual or risky. Incidents like dormant accounts that suddenly go active, and high-privileged accounts (like those of the CEO or CFO) accessing unusual systems from unusual locations are suspicious and should be investigated. Identity data helps the security team find these incidents before they lead to attacks. This extra level of detection capabilities is especially important in financial services because the effects of a breach can be so devastating.

Pull in Multiple Types of Data & Build the Overall Picture

Building a detailed enough picture to spot insider threats requires lots of data. Security teams need to understand risk, user roles, account privileges, entitlements and anomalous user behavior. They must pull together data on location, normal network traffic patterns, security alerts and connections to known malware sites, and then combine that with user information, identity data and an understanding of entitlements for a particular user. If the security team doesn’t have access to any of these pieces, their accuracy and speed will decrease. This is a high-end capability not available in many threat detection products, but there are a few solutions available with these capabilities.
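As an added example (not Gurucul’s product logic and not code from this article), the following Python sketch shows how the three steps above fit together in practice: a baseline of each user’s normal systems and locations is learned from historical access events, identity attributes (privilege level, departing status, last login) come from an IAM/PAM export, and each new event gets a risk score that weights its anomalies by the account’s privilege. Every user name, event, location, weight and the 90-day dormancy threshold is a constructed assumption; an account that authenticates but has no IAM record is scored as worst-case privilege, which goes slightly beyond the text and covers the untracked-subcontractor case described earlier.

```python
"""Privilege-weighted insider-risk scoring over constructed identity and access data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for an IAM/PAM export (privilege 1 = low, 3 = high). Not real data.
IDENTITIES = {
    "cfo.jane":     {"privilege": 3, "status": "active",    "last_login": "2024-03-01"},
    "ops.bob":      {"privilege": 1, "status": "active",    "last_login": "2024-03-01"},
    "sub.contract": {"privilege": 2, "status": "active",    "last_login": "2023-11-10"},
    "dev.alice":    {"privilege": 2, "status": "departing", "last_login": "2024-03-01"},
}

# Constructed access events: (timestamp, user, system, location).
BASELINE_EVENTS = [
    ("2024-02-10T09:00", "cfo.jane", "erp-finance", "NYC"),
    ("2024-02-11T09:05", "cfo.jane", "erp-finance", "NYC"),
    ("2024-02-10T10:00", "ops.bob", "jump-host", "NYC"),
    ("2024-02-12T10:00", "ops.bob", "jump-host", "NYC"),
    ("2024-02-12T11:00", "dev.alice", "git-server", "LON"),
]
NEW_EVENTS = [
    ("2024-03-02T02:00", "cfo.jane", "trading-db", "KYIV"),      # privileged, new system + location
    ("2024-03-02T10:00", "ops.bob", "jump-host", "NYC"),         # routine activity
    ("2024-03-02T03:00", "sub.contract", "file-share", "NYC"),   # dormant account wakes up
    ("2024-03-02T11:00", "dev.alice", "git-server", "LON"),      # departing user, normal behaviour
    ("2024-03-02T12:00", "ops.bob", "trading-db", "NYC"),        # low-privilege user, new system
    ("2024-03-02T13:00", "ghost.vendor", "file-share", "NYC"),   # no IAM record at all
]

DORMANT_DAYS = 90          # assumed threshold for "dormant account suddenly active"
UNKNOWN_PRIVILEGE = 3      # accounts missing from IAM are treated as worst case
WEIGHTS = {                # assumed anomaly weights; tune to the organisation
    "new-system": 2,
    "new-location": 2,
    "dormant-reactivated": 3,
    "departing-user": 1,
    "not-in-iam": 4,
}


def build_baseline(events):
    """Learn each user's normal systems and locations from a historical window."""
    baseline = defaultdict(lambda: {"systems": set(), "locations": set()})
    for _ts, user, system, location in events:
        baseline[user]["systems"].add(system)
        baseline[user]["locations"].add(location)
    return baseline


def score_event(event, baseline, identities):
    """Flag anomalies on one event and weight them by the account's privilege."""
    ts, user, system, location = event
    flags = []
    ident = identities.get(user)
    if ident is None:
        # The account authenticates but IAM does not know it: assume high privilege.
        flags.append("not-in-iam")
        privilege, status, last_login = UNKNOWN_PRIVILEGE, "unknown", None
    else:
        privilege, status, last_login = ident["privilege"], ident["status"], ident["last_login"]

    profile = baseline.get(user) or {"systems": set(), "locations": set()}
    if system not in profile["systems"]:
        flags.append("new-system")
    if location not in profile["locations"]:
        flags.append("new-location")
    if last_login is not None:
        gap = datetime.fromisoformat(ts) - datetime.fromisoformat(last_login)
        if gap > timedelta(days=DORMANT_DAYS):
            flags.append("dormant-reactivated")
    if status == "departing":
        flags.append("departing-user")

    # Identity data turns "unusual" into "risky": the same anomaly on a more
    # privileged account scores higher because the potential damage is greater.
    risk = sum(WEIGHTS[f] for f in flags) * privilege
    return {"time": ts, "user": user, "system": system, "flags": flags, "risk": risk}


def rank_alerts(events, baseline, identities):
    """Score every event and return them highest-risk first for analyst triage."""
    scored = [score_event(e, baseline, identities) for e in events]
    return sorted(scored, key=lambda a: a["risk"], reverse=True)


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for alert in rank_alerts(NEW_EVENTS, base, IDENTITIES):
        print(f'{alert["risk"]:>3}  {alert["user"]:<13} {alert["system"]:<12} {alert["flags"]}')
```

Run as-is, the ranking puts the account with no IAM record first, the reactivated dormant contractor account second and the CFO’s off-hours access to an unfamiliar system from an unfamiliar location third, while the routine jump-host logins score zero. A real deployment would feed the baseline from weeks of on-premises and cloud logs rather than five constructed rows, and would add the other signals the article lists (DLP alerts, connections to known-malicious sites, entitlements) as further weighted flags.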

Financial services organizations should consider this approach even if their security team isn’t focused on insider risk. Building out this detailed visibility into their infrastructure improves overall threat detection, removing dormant accounts reduces the organization’s attack surface, and spotting risky insiders contributes to a zero trust approach. And with the high stakes financial organizations face in the case of a data breach, a visibility gap of any kind can be very dangerous.

Sanjay Raja

Sanjay Raja is Vice President of Product Marketing and Solutions at the El Segundo, Calif.-based enterprise security firm Gurucul.