When it comes to data security, financial institutions today face an alphabet soup of U.S. regulatory and industry standards such as PCI DSS, GLBA and SOX – as well as a long list of SEC requirements where relevant.
Traditionally, financial institutions have met stringent security requirements through security best practices and traditional security products such as firewalls, data loss prevention and anti-virus software.
However, in light of today's burgeoning threat climate and the long list of breaches at prominent financial institutions, traditional thinking is changing. Today, new approaches are being considered to raise security, enhance accountability and visibility – while lowering liability and security overhead.
Today, more financial institutions are turning to deception technology.
Why Deception?
Deception technology becomes more relevant as financial institutions realize that perimeter security is not sufficient to protect sensitive data and meet regulatory requirements. Traditional solutions increasingly fail to stop attackers from penetrating the network, allowing sophisticated attackers to establish a backdoor and map network assets undetected for long periods of time. As attackers learn operating procedures for financial applications and compromise targeted systems, they can easily access and capture authentication traffic and escalate their permissions, often to the administrator level, to compromise financial transactions.
But it's not just malicious attackers that financial institutions need to look out for. Vendors, partners, consultants and associates do not always provide the level of security required by regulatory agencies and industry standards. As a result, networks and data can be compromised by poor third-party security, and financial institutions can face fines or other sanctions.
Deception technology not only alerts security teams that an attacker has broken through organizational defenses, but more importantly, it immediately and effectively diverts attackers away from valuable data assets. This reduces breach-to-resolution time – which is vital since more than half of companies breached find out about it from third parties, such as the FBI or customers. In this way, deception accepts the inevitability of breaches, managing them intelligently to mitigate liability and risk.
Decoys and More
So how does deception technology work? Intelligent deception solutions create decoy network assets that look like the real thing. Then, these solutions spread traps (known as breadcrumbs) throughout the financial network to entice attackers to go after decoys rather than the real data.
At the same time, deception solutions provide definitive proof and alerts to security teams that there are intruders in the network – since only an attacker would access traps or decoys.
In this way, deception technology lowers the overall burden on security teams by drastically reducing the number of false positives. Since only attackers go after the traps and decoys, when there is an alert from the deception layer, it almost certainly reflects an actual internal or external attacker. Fewer alerts for security teams mean more time and resources to expend on chasing actual bad guys.
Deception technology can coexist with and be fully integrated into existing security products, such as a security information and event management (SIEM) system. For example, deception technology can detect a "whitelisted" application that is operating in an unauthorized way, such as scanning files and/or uploading data to the cloud. The firewall will not pick this up because the application is whitelisted, but deception technology gives security teams a timely heads-up.
Regulations and Industry Standards
Now let's look at how deception technology can help financial institutions with particular regulations and industry standards.
- PCI DSS: Any company that handles credit and debit card data must comply with the Payment Card Industry Data Security Standard, or PCI DSS. A core PCI DSS requirement is to protect stored cardholder data. Deception technology can help by deflecting attacks from data repositories, file and application servers, and other areas of the network where sensitive cardholder data might be stored.
In addition, PCI DSS requires organizations that handle cardholder data to develop and maintain secure systems and applications. The more intelligent deception solutions can monitor systems and applications, as well as third-party apps and services, and alert security teams when they pose a risk to the organization.
PCI DSS requires that access to cardholder data be restricted on a business need-to-know basis and be monitored, and that a unique ID be assigned to each person with access to the data. Deception technology plants false credentials and then detects when an unauthorized individual is trying to gain access to the data.
- GLBA: The Gramm-Leach-Bliley Act mandates that financial institutions report their information-sharing practices to their customers and safeguard sensitive customer data. Deception technology, unlike other data security technologies, is non-intrusive and does not access sensitive customer data, hence there is no customer information sharing to report. In addition, it provides data decoys to attract attackers away from customer data.
- SEC Cybersecurity: There are also a number of U.S. regulations that apply to publicly-traded companies in general. For example, the Securities and Exchange Commission has issued non-mandatory cybersecurity "guidance" to publicly-traded companies recommending that they conduct periodic assessments of the nature, sensitivity and location of data that they collect, process and store.
The SEC guidance also urges companies to conduct periodic assessments of internal and external cybersecurity threats and vulnerabilities, and the effectiveness of governance structure for the management of cybersecurity risk. Using deception is a way to continuously monitor the effectiveness of current security solutions.
To help meet the SEC recommendations, deception technology is able to correlate multiple data points, security events and feeds from third-party tools to deliver context to attacks. It monitors traffic to detect suspicious activities and assesses threats before they become critical, integrates with reporting tools to improve threat intelligence and detects vulnerabilities not found by pen-testers.
- SOX: Finally, the Sarbanes-Oxley Act, or the Corporate and Auditing Accountability and Responsibility Act, holds publicly-traded companies and their upper management responsible for maintaining internal controls over financial systems. In fact, CEOs and CFOs must certify the accuracy of their financial reports and could be held criminally liable for any inaccuracies.
This means that upper management could be held liable for exposure of financial data they own, regardless of whether the exposure was their fault or the fault of a third party. Deception technology enables companies to set decoys and traps around financial data repositories, track malicious activity by attackers or suspicious activity by third-party tools and analyze the network to identify suspicious traffic.
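The detection logic described in the Decoys and More section and in the PCI DSS item above (a planted trap or decoy credential is touched, so the alert is almost certainly a real intruder, and it can be handed to a SIEM) can be sketched in a short script. The following Python monitor is an added example written for this article, not TopSpin's product or any vendor's code. The decoy usernames, decoy host, decoy file share and the five log lines are constructed, and the two log formats are assumed to be sshd-style authentication events and smbd-style file-access audit events.

```python
"""Decoy-access monitor: alerts when a planted decoy credential, decoy host
or decoy file share appears in authentication or file-access logs.
All decoy values and log lines below are constructed for this example."""
import json
import re
from collections import defaultdict

# Inventory of planted decoys (constructed, not real assets).
DECOYS = {
    "users": {"svc_backup_ro", "finance_admin2"},     # breadcrumb credentials
    "hosts": {"fin-db-archive"},                      # decoy server
    "paths": {"\\\\fin-fs01\\cardholder_export\\"},   # decoy file share
}

# Constructed log lines: sshd-style auth events and smbd-style audit events.
SAMPLE_LOGS = [
    "Jan 14 02:11:03 fin-app03 sshd[4412]: Accepted password for jsmith from 10.20.3.14 port 51022 ssh2",
    "Jan 14 02:13:41 fin-db-archive sshd[102]: Failed password for invalid user svc_backup_ro from 10.20.3.99 port 40211 ssh2",
    "Jan 14 02:14:02 fin-db-archive sshd[102]: Accepted password for svc_backup_ro from 10.20.3.99 port 40212 ssh2",
    "Jan 14 02:15:30 fin-fs01 smbd_audit: user=jsmith src=10.20.3.14 op=open path=\\\\fin-fs01\\reports\\q4.xlsx",
    "Jan 14 02:16:55 fin-fs01 smbd_audit: user=finance_admin2 src=10.20.3.99 op=open path=\\\\fin-fs01\\cardholder_export\\batch1.csv",
]

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
SSH_RE = re.compile(TS + r" (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
                    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SMB_RE = re.compile(TS + r" (?P<host>\S+) smbd_audit: user=(?P<user>\S+) src=(?P<src>\S+) "
                    r"op=(?P<op>\S+) path=(?P<path>\S+)")


def parse(line):
    """Turn one log line into an event dict, or None if the format is unknown."""
    for fmt, rx in (("ssh", SSH_RE), ("smb", SMB_RE)):
        m = rx.match(line)
        if m:
            ev = m.groupdict()
            ev["format"] = fmt
            return ev
    return None


def decoy_hits(ev, decoys):
    """List the decoy types this event touched; an empty list means ordinary activity."""
    hits = []
    if ev["user"] in decoys["users"]:
        hits.append("user")
    if ev["host"] in decoys["hosts"]:
        hits.append("host")
    path = ev.get("path", "").lower()          # SMB paths are case-insensitive
    if path and any(path.startswith(p.lower()) for p in decoys["paths"]):
        hits.append("path")
    return hits


def monitor(lines, decoys=DECOYS):
    """Scan log lines and return one alert per decoy touch.

    Legitimate users have no reason to use a breadcrumb credential or open a
    decoy share, so every hit is reported, including failed logins: a failed
    attempt with a decoy username already proves someone found the breadcrumb.
    A source that touches more than one decoy type is escalated, since that
    pattern looks like an intruder moving through the network."""
    alerts = []
    types_per_src = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        hits = decoy_hits(ev, decoys)
        if not hits:
            continue                            # ordinary activity never alerts
        types_per_src[ev["src"]].update(hits)
        alerts.append({
            "ts": ev["ts"], "src": ev["src"], "user": ev["user"], "host": ev["host"],
            "format": ev["format"], "decoy_types": hits,
            "detail": ev.get("path") or ev.get("result"),
        })
    for a in alerts:
        a["severity"] = "critical" if len(types_per_src[a["src"]]) > 1 else "high"
    return alerts


if __name__ == "__main__":
    # Emit alerts as JSON lines, the shape a SIEM forwarder would typically ingest.
    for alert in monitor(SAMPLE_LOGS):
        print(json.dumps(alert))
```

Run against the sample lines, the two ordinary events (jsmith logging in and opening a normal report) produce nothing, while the three events from 10.20.3.99 each raise an alert and are escalated because that source touched a decoy credential, the decoy host and the decoy share. The value of the approach is the empty result for normal traffic: the decoy inventory is the whole detection rule, so there is no threshold to tune and no signature to keep current.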
The Bottom Line
In an era of increasing cyberthreats from both independent and government-sponsored hackers, financial institutions are truly on the front lines. To meet the challenges of data security and regulatory compliance – protecting sensitive data and avoiding fines and penalties – deception technology should be a key piece of any financial institution's security infrastructure.
Doron Kolton is Founder & CEO for TopSpin Security. He can be reached at 708-310-4025 or doron@topspinsec.com.
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.