Banking on cybersecurity: a comprehensive approach to attack surface management in financial institutions
The European Investment Bank (EIB) experienced a calamitous system breakdown in June of this year, disrupting a staggering €550 billion in their balance sheet.
It’s just the latest in a long line of attacks targeting the banking sector, driving home the need for investment in robust, proactive security measures. The top priority? Regain control of the attack surface – the total points an unauthorised user can breach. With the accelerating adoption of cloud services and hybrid work models, organisations grapple with ever-expanding, increasingly challenging attack surfaces.
Attack Surface Management (ASM) is key here. The term is not merely about securing a superficial ‘surface’ but a complex web of every digital asset exposed to cyber exploitation. As demonstrated by the EIB breach, the fallout from an attack on the financial sector has far-reaching consequences, with further disruption to all businesses dependent on their services. As such, organisations must ensure they fully understand and deploy security capabilities to secure their entire attack surface.
Falling under the more extensive term of Exposure Management (EM), Attack Surface Management (ASM) exists alongside Vulnerability Management and Validation Management. Unsurprisingly, with so many different terms and acronyms, navigating them is far from obvious.
Let’s get this out of the way: ASM is not a specific solution or process, nor is it not tied to any singular tool; instead, it’s an overarching approach enveloping various solutions and activities.
An effective ASM strategy embodies three critical components:
Firstly, External Attack Surface Management (EASM) is often mistaken for the entirety of ASM. EASM concentrates exclusively on public-facing assets, such as public clouds.
Secondly, Digital Risk Protection Services (DRPS) focus on achieving visibility into threat intelligence sourced from places like the deep web, social networks, and open data containers. Implementing this advanced capability necessitates high cyber maturity.
Lastly, the keystone of ASM practice, Cyber Asset Attack Surface Management (CAASM), is centred on gathering and efficiently managing data concerning the organisation’s vulnerabilities.
An integrated approach to ASM
Adopting an integrated ASM strategy means comprehensively understanding potential threats and effectively prioritising remedial actions. Without this overarching perspective, security responses tend to be reactionary and tactical rather than strategic.
CISOs then face the challenge of linking their technical efforts to non-technical staff – notably board members who aren’t interested in the minute details of a vulnerability. They want to understand its potential ramifications on business and the urgency to address it.
Some firms’ approach to ASM is still embryonic, focusing on individual vulnerabilities rather than appreciating the broader business risk. This narrow view significantly hampers their ability to comprehend and prioritise their security efforts in a business context.
On the other hand, some companies are trying to bring in ASM strategies but lack efficient tools and processes. Many are still using outdated practices to manage internal and external risks (we’re looking at you, Excel spreadsheets). These are labour-intensive, inefficient, and lead to risks going overlooked.
However, more enterprises are recognising the importance of structured ASM practices and are gearing up to invest in suitable tools and processes. So, what are the challenges that financial businesses specifically face when implementing ASM protocols?
Challenges implementing ASM
The initial hurdle is comprehending the organisation’s specific security requirements related to ASM and how it plugs into related practices like EM. Following this, it’s important to explain these distinctions to the board and secure their approval for the necessary investments. The key lies in simplicity, emphasising that the primary role of ASM is to identify and counter business risks while enhancing the overall security posture of the enterprise.
Next on the agenda is dismantling the siloed IT structures within the organisation. Larger and older organisations will need to do more de-compartmentalisation to align departments that have independently grown and evolved over the years. This is particularly common in the financial sector, where institutions likely have decades of technical and structural growth to account for. In contrast, smaller firms such as new challenger banks and digital-native financial services with only a handful of individuals in IT and security will find this task significantly more manageable.
Further complicating matters, internal and external security and IT teams don’t often operate under the same strategy and are therefore rarely on the same page. This disparity is even more profound when considering IT-security adjacent departments such as DevOps, cloud, and web teams.
Each unit operates with its unique agenda, deploying distinct tools and processes. There are often multiple, disconnected solutions even within the same team – from scanning vulnerabilities to coding configurations.
To formulate a unified ASM strategy, it’s essential to establish a harmonised view across all business divisions. Risk data should converge to a single focal point, visible concurrently and in a consistent format, providing the CISO with complete visibility.
Significance of a proactive ASM approach in cybersecurity resilience
The correct set of tools can significantly help consolidate diverse threat and vulnerability data streams, creating a unified and clear-cut view of cyber risk.
The first critical step includes establishing a shared understanding between key decision makers, from the board to department heads. While it’s easier said than done, a shared vision of risk and universal KPIs for vulnerability mitigation is imperative. This unified perspective will facilitate the prioritisation of risks across the entire organisation from a singular reference point.
Once the silos have been dismantled, it’s possible to identify where processes, tools, and tasks are being unnecessarily replicated so that redundancies can be eliminated. Automation can also be further integrated to enhance team productivity. As the internal ASM strategy evolves, the company can expand its scope to start implementing CAASM and integrating more threat intelligence.
A comprehensive and proactive approach to Attack Surface Management is crucial in today’s digitally driven financial sector. To prevent adversaries from disrupting these critical services, companies must break down silos, leveraging appropriate tools and fostering a unified view of threats. They can then effectively mitigate vulnerabilities, streamline processes, and bolster their overall cybersecurity resilience.
Drilling past surface-level ASM enables organisations to go beyond simple operational “enhancements” to proactively pinpoint potential threats from any source and act swiftly to neutralise them. This is a fundamental rethink that can transform your cybersecurity program and, with it, establish an irreplicable competitive advantage in the financial marketplace.