Top Takeaways for Security in Financial Services

Palo Alto Networks recently participated in the FS-ISAC summit in Florida and I also had many opportunities this month to meet with financial services customers and discuss their needs and vision for tighter security.

Below are the topics that were raised most frequently and our point of view on how these topics are opportunities:

First, there’s much better visibility for security projects at the executive level. This did not happen in the best way possible but there’s no doubt that the past eight months of cybersecurity headlines have had a definite impact on awareness at the C-level. It started with the breach of credit card data at Target in December 2013 and continued up through the Heartbleed vulnerability that impacted a wide range of online services (check our CSO Rick Howard’s post 8 Tips For Dealing With Heartbleed Right Now). There have also been ongoing IE vulnerabilities, which our team has closely watched. We wrote about these various topics and how we contribute to solving them. The takeaway is that now, more than ever, is the time to create and present to your executive team a comprehensive plan and set of initiatives to improve your organization’s security.

But, more needs to be done on segmentation across the entire organization and the IT Infrastructure. This is a broad topic that touches employees, contractors, data centers, endpoints, computing infrastructure and more. It includes:

  • Better segmentation of facilities, branches, remote offices or business partners located in high-risk geographies or conducting business with high-risk geographies. A common topic is what are the best practices to protect facilities and group in high-risk geographies. We’ve recently published new ideas on the topic that make full use of our next-generation security platform.
  • Clear segmentation of assets, systems and data based on their risk level
  • Access control of users and applications

Organizations must be proactive about the growing dilemma between the need to control IT costs versus the imperative to tighten security. There’s growing tension between the ongoing push to pare down IT costs while ensuring tighter security. This is especially acute around technology initiatives such as:

  • Mobile computing. As part of a device refresh cycle, many financial organizations are in the process of retiring their portfolio of Blackberry devices that were provided years ago to employees with the goal to improve work flexibility and productivity. Old devices are now replaced by a full BYOD model with employees allowed to use their chosen devices to connect to their enterprise network. We highly recommend IT departments to proactively deploy solutions that will force all traffic coming from mobile devices to go through security checks similar and even tighter than other network traffic. Make sure to check our full solution for mobile computing.
  • SaaS applications and cloud computing. Along the same lines as the above, the use of SaaS is a fairly logical way to reduce costs for applications that are not core to your business and for which you might not want to keep critical expertise in-house.

Organizations are living under a constant state of compromise. This topic is one of greater concern. We keep hearing that threats are more often coming from the inside of an organization, making obsolete any security strategy based only on perimeter protection. Network segmentation helps significantly by blocking attacks from propagating from one zone of your network to another. Our recent product enhancements and acquisitions of Cyvera and Morta will directly contribute to a stronger overall security platform, starting with the endpoint and detecting attacks there as well as detecting when threats are attempting lateral moves within networks.

Finally, there’s broad acknowledgement that threat information sharing is critical to raise the bar for the bad guys. It’s ironic but in many ways it feels like the bad guys are better organized as a community compared to the enterprises that need to protect themselves. I have not heard one objection against the need for the private sector to collaborate though communities like the FS-ISAC to share threat intelligence more systematically. With Palo Alto Networks, we share all findings across all our customers as soon as new malware is detected, but we also continue to hear about the high value of information sharing with a specific industry sector, such as finance.

If you’re interested in more details on these topics, check out our events page and Palo Alto Networks solutions for financial services. There are also major FS-ISAC events in the coming months: the fall FS-ISAC Summit in Washington DC, and the first ever European FS-ISAC Summit in London.