The cyber-attacks recently reported by Reuters highlight the vulnerabilities and weaknesses affecting banks that use the SWIFT messaging system for payment processing.
The hackers tried to steal nearly $1 billion. As in any criminal activity of this scale, the perpetrators are experts, creative and focused on one goal: breaking in and stealing. They are domain experts at defeating security measures and, unfortunately for the banks, quite innovative in their approaches. At the same time, corporations are spending millions of dollars to defend against cyber-attacks. They employ armies of security experts running so-called SIEM systems, yesterday's approach to managing cyber security. These experts believe that cyber-attacks can be predicted and prevented and their impact minimized. Are they right?
Hackers are similar to pirates or terrorists in their inventive ability to exploit holes in sophisticated systems that no one knew existed. The hackers are already using the technologies that will form tomorrow's approach to managing cyber security. By the time corporations adopt those technologies, however, the pirates will have moved on to something else. Look at what happened in the western world after 9/11. Billions of taxpayer dollars have been spent on sophisticated security technologies, and security procedures have been enforced that radically affect the quality of our lives. Yet the terrorists keep finding new holes. The same pattern applies to cyber-attacks.
To fight hackers, one must think like them and stay a step ahead. Hackers know that their opponents all think alike and rely on common sense for protection. To be effective, corporations should change their approach and apply some "uncommon" sense.
Hackers are well aware of surveillance systems. Even though the rules written to catch them are revised daily, those rules follow the same standard patterns and can therefore be circumvented. Hackers instead stage their attacks from unexpected angles. There are endless ways to break in and remain invisible. One common thread in many attacks, though, is the use of inside personnel. When physical security is weak, the hackers often leverage unaware insiders who inadvertently help the attackers succeed.
The volume of security data to ingest, digest, analyze and present is so large that by the time a suspicious pattern is detected it is often too late. Corporations can certainly reduce their exposure, but they can never eliminate it entirely.
So what’s the best way to counteract hackers?
There are alternatives to the brute-force approach of parsing vast amounts of system and network log data in the hope of finding a clue: fast data analytics, meaning analyzing transactions in real time to find intrusions faster. Payment applications are a good example. They usually initiate transactions that span many disparate computing environments, and because they handle money they are prime targets. A transaction might start on a mobile device, get processed by applications on distributed servers behind the corporate firewall, get split and transformed as it passes through message brokers, and finally update databases on a mainframe.
Of course each of these systems has security tools that look for problems, but those tools operate in silos and never examine the end-to-end behavior of a transaction from a business perspective. In the article mentioned above, SWIFT itself felt safe but had no insight into whether its member banks were safe. Each bank had its own security approach, and none of them had an end-to-end view of potential intrusions.
An uncommon approach would be to profile the end-to-end behavior of each transaction, compare it against the expected business behavior, and look for unusual activity, anomalies or tampering. This requires two things: real-time, end-to-end visibility across every hop the transaction touches, and a way to compare what actually happened with what was expected to happen. Such analysis returns value no matter what innovative technology the hacker is using, because it does not depend on recognizing the attacker's tools, only on recognizing that the business flow deviated. It is a significant step towards real-time surveillance and staying ahead of the hackers.
Will it eliminate the attack? No. Will it provide an alert early in the process of hacking? Yes, unless an insider has exposed the expected sequence of business steps to the hackers.