Financial service providers are increasingly digitalising their business and it is particularly important for them to take IT security measures. This is the only way they can fully utilise the opportunities offered by the digital future and tap into new markets. Unfortunately, cyber attacks are also part of the digital future. Banks, insurance companies and asset managers must accept this - and protect their business with security and defence measures.
Analysis of your individual and business-specific threat situation
We are happy to help you analyse your individual and business-specific threat situation. Whether it's a hacking attack, computer fraud or data theft - we help you to optimise the balance between costs and risks. Together with you, we develop sensible measures to detect and defend against cyber risks and create a strategy for your IT security.
The three most important security trends
What options do financial service providers have to respond to information security threats?
Even with comprehensive preventive measures, cyber attacks cannot always be avoided. It is therefore important to detect attacks quickly, limit the damage and eliminate potential causes.
A broad pool of technologies and procedures is available to mitigate the impact of potential cyberattacks. Some examples are Identity and Access Management (IAM), risk-based access control, multi-factor authentication, Security Information and Event Management (SIEM), High-Privileged User Management (HPU/PIM), Consent Management and many more.
However, the three most important cyber security trends are: Detection & Response (D&R), Identity & Access Management (IAM) and Cloud Security (CS).
According to BaFin, insufficient investment in the ability to identify cyber threats at an early stage and respond adequately to attacks is a major weakness in day-to-day business. One approach to building up detection and response capabilities is to establish an in-house Security Operations Centre (SOC).
As cyber attackers are constantly developing their tools and approaches, financial organisations are struggling to keep up with the ongoing changes. They are reliant on up-to-date and comprehensive situational information in order to correctly assess threats. Collecting and analysing up-to-date data in particular requires considerable effort.
Security Operations Centre (SOC) as a solution?
A SOC acts as the control centre of the IT department and is responsible for monitoring, detecting and isolating security incidents. This contributes to cyber resilience, a concept that goes far beyond cyber security and includes both the protection of the IT infrastructure and the resumption of operations after an attack.
Added value through vulnerability management and SOAR
Vulnerability management and security orchestration, automation and response (SOAR) offer additional added value for SOC operations. Vulnerability management enables the SOC to proactively recognise potential defects in the security of (cloud) systems and take action against them. SOAR makes it possible to respond to recognised cyber incidents with automated workflows. Together, they strengthen cyber resilience and increase the efficiency of the SOC.
In the context of BAIT, VAIT, MaRisk, MaGo, the requirements of the GDPR and the new requirements of DORA, vulnerability management and SOAR underpin the need for structured, round-the-clock monitoring and regulatory-compliant SOC operations.
AI security as a new challenge
The use of artificial intelligence (AI) in modern financial organisations promises efficiency, innovation and competitive advantages. At the same time, AI can also help to optimise existing core functions of a SOC. AI-supported SIEM systems, for example, promise significantly higher detection rates than conventional systems. However, the use of AI also harbours new, previously unknown risks for IT security. The threat of misinterpreted output, self-learning algorithms with incomprehensible decision-making processes, the manipulation of AI systems by external influences and the insecure connection of AI systems to other applications and systems are just a few examples of such risks. However, modern SOCs can also master these new challenges through adequate risk assessment, dedicated guidelines, associated governance and the necessary monitoring.
Core competences of the SOC:
Your contact
Julian Krautwald
Senior Manager, Financial Services, Technology & IT-Compliance, Practice Lead Detection & Response
KPMG AG Wirtschaftsprüfungsgesellschaft
Digital identities and digital identity management (DIM) play a central role in the digital transformation. Essentially, this involves Identity & Access Management (IAM) or Identity Governance & Access (IGA), which is considered one of the focal topics of digital transformation in general, particularly cloud and SAP transformation. Closely related to this is Privileged Access Management (PAM), which focuses on monitoring particularly privileged identities.
IAM and PAM are complemented by Consumer Identity & Access Management (CIAM).
Cyber security and regulation
Regulatory authorities such as the EBA or BaFin repeatedly place the management of digital identities at the centre of their observations as part of supervisory audits. Broad, unmonitored access authorisations and compromised login data can serve as gateways for cyber attacks on banks, insurance companies and asset managers, from both outside and inside. Robust, holistic digital identity management consisting of IAM, PAM and CIAM is required to protect the company and its sensitive strategic and business data from attacks by ransomware, phishing emails, malware or other external and internal types of attack.
DIM as part of the security strategy
DIM is an essential component of a centralised security strategy. It is implemented through the design and rollout of complete and compliant guidelines, definitions, processes and controls, which are centred around the management and monitoring of users and their access rights to functions and data and are an important part of IT governance. The main objectives here are to ensure the principle of least privilege (need-to-know principle), the segregation of duties and the monitoring of so-called highly privileged users (HPU) using a modern and robust PAM solution. The requirements are implemented using modern tools, which should be selected depending on the defined objectives and the existing IT landscape.
Holistic and centralised
A modern and secure DIM manages all identities and authorisations of natural users (employees, external service providers, customers, etc.) as well as technical and/or functional authorisations within the company's system architecture. It is therefore important that a DIM is integrated holistically and centrally into the company and equipped with the appropriate competences.
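The three DIM objectives named above (least privilege, segregation of duties, PAM coverage of highly privileged users) are the kind of controls an access review can check mechanically. The following is an added example, not KPMG's code or any IAM product's API: it runs such a review over constructed identity records. The job functions, role names, conflict matrix and the set of privileged roles are assumptions chosen for the illustration.

```python
"""Added example: an access review over constructed identity data.

Checks three objectives per identity:
  - excess_privilege: roles beyond the need-to-know baseline for the job function
  - sod_conflict:     a segregation-of-duties pair held by one identity
  - hpu_without_pam:  a highly privileged role not brokered through PAM
All role names, job functions and records below are constructed assumptions.
"""

# Constructed identity records: held roles and whether privileged access
# goes through the PAM solution.
USERS = [
    {"id": "u1", "job": "payments_clerk", "roles": {"payment_create"}, "pam": False},
    {"id": "u2", "job": "payments_clerk",
     "roles": {"payment_create", "payment_approve"}, "pam": False},
    {"id": "u3", "job": "dba", "roles": {"db_admin", "report_read"}, "pam": False},
    {"id": "u4", "job": "dba", "roles": {"db_admin"}, "pam": True},
    {"id": "u5", "job": "auditor", "roles": {"report_read", "payment_create"}, "pam": False},
]

# Need-to-know baseline: the roles each job function is entitled to.
ROLE_BASELINE = {
    "payments_clerk": {"payment_create"},
    "payments_approver": {"payment_approve"},
    "dba": {"db_admin"},
    "auditor": {"report_read"},
}

# Segregation-of-duties conflicts: no single identity may hold both roles.
SOD_CONFLICTS = [frozenset({"payment_create", "payment_approve"})]

# Roles that make an identity a highly privileged user (HPU).
HIGHLY_PRIVILEGED = {"db_admin", "payment_approve"}


def review_access(users, baseline, sod_conflicts, hpu_roles):
    """Return a list of (user_id, finding_type, roles) tuples."""
    findings = []
    for user in users:
        allowed = baseline.get(user["job"], set())
        # Least privilege: anything beyond the baseline for the job function.
        excess = user["roles"] - allowed
        if excess:
            findings.append((user["id"], "excess_privilege", sorted(excess)))
        # Segregation of duties: a conflicting pair fully contained in the roles.
        for pair in sod_conflicts:
            if pair <= user["roles"]:
                findings.append((user["id"], "sod_conflict", sorted(pair)))
        # HPU monitoring: privileged roles must be brokered through PAM.
        hpu = user["roles"] & hpu_roles
        if hpu and not user["pam"]:
            findings.append((user["id"], "hpu_without_pam", sorted(hpu)))
    return findings


def summarise(findings):
    """Count findings by type, the figure an access review report would lead with."""
    counts = {}
    for _uid, kind, _roles in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    result = review_access(USERS, ROLE_BASELINE, SOD_CONFLICTS, HIGHLY_PRIVILEGED)
    for uid, kind, roles in result:
        print(uid, kind, roles)
    print(summarise(result))
```

Note that `u2` appears in all three checks at once: the extra `payment_approve` role is outside the clerk baseline, it forms a conflict with `payment_create`, and it is a privileged role held without PAM. A real review would pull the records from the IAM and PAM systems instead of the inline lists, but the three checks stay the same.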
Overview using the example of centralised identity and access management:
Financial service providers are accelerating their digital transformation, developing new and digital business models and increasingly relying on cloud services as an incubator for cutting-edge technologies - especially AI. This leads to a higher probability of security incidents on the cloud infrastructures of banks, insurance companies and asset managers. Under the shared responsibility model, cloud infrastructures benefit from the huge investments that cloud service providers make in their security architectures. Increasing complexity, also due to rising governance and security requirements (e.g. NIS 2 and DORA), means that both service providers and users are faced with the task of proactively adapting to changing circumstances. Today's demands on the cloud landscape are: secure, resilient and regulatory compliant. Using state-of-the-art blueprints and templates, we review the maturity level of the already integrated strategies, architectures, processes for resilience and the automation of cloud landscapes and use this to determine the status quo of cloud security.
Strategy
The expectation of a sustainable cloud security strategy is to remove complexity from intra-organisational processes and at the same time manage the transformation with a focus on responding to risk requirements.
This is achieved through the elasticity and scalability of the cloud and through preventive measures, including DLP, RTO, business continuity, disaster recovery, identity and access management, encryption, connection to the SIEM/SOC and segmentation of networks, tenants and the conceptualisation of container landscapes.
Architecture and resilience
The resilience of a cloud landscape is measured by its ability to ensure uninterrupted operation under a constant threat situation.
The ability to compensate for partial failures and maintain the functionality of cloud services requires failure and redundancy management - such as by hosting applications across multiple regions or availability zones of the cloud service provider (warm standby) or pursuing multicloud strategies.
Automation
Security-as-Code. Three core characteristics increase the resilience of the cloud: speed, risk reduction and business enablement.
According to today's cloud security standard, there is no alternative to tool-supported and secure automation. Automation is achieved by implementing tools (CNAPP, CSPM) or providing cloud-native monitoring functions depending on the hyperscaler (e.g. Microsoft Defender, Amazon GuardDuty, Google Security Command Center).
The end-to-end integration of cloud security at a glance:
Video: More security in the cloud
Christian Nern (Partner, Financial Services) in conversation with Michael Kleist (Area Vice President Sales, DACH region, CyberArk)
Your contacts
Christian Nern
Partner, Financial Services, Head of Cyber Security Solution
KPMG AG Wirtschaftsprüfungsgesellschaft