Banking's New Channels, Threats
Cisco's Srinivasan on the Evolving Threat Landscape for Banks
A leading bank in India now believes that 80 percent of its consumer banking happens through its online channels - a dramatic change from just five years ago.
Different versions of this story are playing out today throughout the financial services industry, as the appeal of non-traditional channels such as Web and mobile banking captures the imagination of banking institutions and their customers alike. These new business models necessitate a change in the threat focus for Indian banking institutions, says Pravin Srinivasan, head of security sales at Cisco India.
"The traditional mindset has to go away. The reason for the changing threat landscape is fundamentally baked into business models today - we cannot wish them away," he says. "Practitioners must ensure security is fundamentally built into the stack itself when supporting multichannel initiatives."
The increasing number of applications and channels has vastly increased the attack surface, he says. Focusing on perimeter defenses and hardening only the data centers could leave the rest of your infrastructure at risk, Srinivasan warns. Banking institutions must integrate defense layers that have the ability to enhance visibility into the environment and to address these challenges.
In this exclusive interview with Information Security Media Group (transcript below), Srinivasan touches upon the key trends in the banking sector in India today. He also shares his thoughts on:
- Non-traditional channels and the security challenge;
- The need for platform-based security;
- Recommendations for banking/security practitioners.
Srinivasan has more than 15 years of industry experience, the past nine years at Cisco. Most recently, Srinivasan was part of the India commercial team where he was responsible for the development and execution of the "Vertizontal" strategy - working with the field sales/PSS teams as well as with partners to build business and vertical solutions. Before joining Cisco, Pravin worked with Dell India and Wipro Infotech.
Broad Trends in Banking
VARUN HARAN: What are some broad trends and challenges the Indian banking sector is facing, and how can Indian CISOs better protect their businesses and customers?
PRAVIN SRINIVASAN: One of the trends that we see from our banking and finance customers is the change in the approach toward customer acquisition. They are all doing multichannel now, so there is a lot of Web-based banking, mobile banking, tab banking. The touch points have changed.
All these different channels, for a bank especially, are enabled by technology. There is a lot of IT that is going into the underlying applications. Since a lot of it is Internet-based, it is assumed today that the customer is coming through a mobile phone, through an open 3G network. There are connected security considerations, so a lot of banks are looking at how this impacts their entire security infrastructure, since all this needs to be integrated with their core banking with their databases.
The threats themselves are changing. Previously, security was about ensuring viruses don't get through, or they are able to ward off DDoS attacks. But today the threat perception is changing toward anti-malware, APT, zero-day and unidentified attacks. What we are seeing across the globe, and not just in India, is the "industrialization of hacking," and unfortunately, banking is a prime target.
Threats are being written specifically to infiltrate certain organizations. So, the normal methods of stopping a virus or an attack sometimes fall short in trying to detect these. A lot of banks are looking at mechanisms to detect and stop threats that infiltrate the perimeter.
HARAN: So, you spoke about new channels and we will come back to that, but speak to me a little about Trojans like Zeus, Citadel, SpyEye. How prevalent are these threats when you are speaking to your customers, and what are some of the common vectors?
SRINIVASAN: Unfortunately, they are a lot more common than we would like. A lot of customers we have spoken to have already faced such attacks. There are two broad kinds of organizations here: (a) those who have been targets of such attacks, have identified the cause, have been successful in identifying the spread, the ingress vectors, what it is trying to do, and have been able to put a stop to it; (b) other customers who know an attack has happened, but are not able to pinpoint where it is coming from, and how to remediate it.
The biggest ingress point for these threats is phishing e-mails, but a lot of it is pure Web-based traffic as well. Trojans are coming disguised through these two channels.
The focus today is to ensure visibility into applications, users, the kind of traffic that is coming in. Traditionally, the thought process was to build strong perimeter defenses, and try and stop everything there. Two problems with that are: (a) there is just a single line of defense and if stuff gets through - like a Trojan for instance - then the second line of defense is poor; (b) the perimeter itself is now changing.
HARAN: With Indian banks getting behind this idea of mobile banking and channels, how does this change the security scenario going forward? Is the Indian BFSI sector ready to embrace these non-traditional channels?
SRINIVASAN: Yes, absolutely, in our conversation with the banks ... banks of all sizes are talking about the integration of various channels. The capability to open and get new customers with minimal infrastructure cost is very appealing. In some cases it is just a question of feasibility itself - establishing traditional brick and mortar branches everywhere does not necessarily make sense.
We now see banks having mobile ATMs, mobile branches, for instance. All of these create a different challenge. The attack surface has gone up, and sometimes this growth is exponential.
Banks need to ensure that a security mechanism they put in place follows a certain logic. Firstly, it should not be restricted to a certain part of the infrastructure. The traditional thought process was: "We have core banking and these applications running in the data center. Let me put in a lot of security infrastructure to protect the data center." But the downside of only doing that is that you open the rest of the infrastructure to attacks, and that can at some point spread to and overwhelm your data center as well.
Secondly, it has to be visibility-driven, which means that just looking at putting in a firewall in every branch, or just putting in an endpoint agent in every laptop/desktop, may not necessarily give you the security posture that you are looking for.
We have to look at it from what application is being used, what baseline traffic is there on your network - for instance, who are the users, what versions of applications, operating systems - ensure you know what is happening currently on your entire infrastructure, and then look at it from the threat-focused angle. If there is new traffic that is coming in, or if an application is trying to do something, you need the context around why it is happening.
The threat-focused view is concerned with how do you ensure you can detect any changes. The more information you have around this, the more correlation and analytics you can do on the data. Which means you have a better chance at stopping these threats as soon as they begin, rather than figuring it out post-facto.
Need to Adapt
HARAN: I don't envy a banking CISO's job right now. With all the new channels, what are some of the recommendations you have for CISOs? Because you really can't wish these problems away - it's just going to increase.
SRINIVASAN: New applications and channels mean that the security challenge has increased. But the flip side is, security is no longer just a siloed or network discussion, but rather a boardroom discussion, because it is a business enabler. The more successful CISOs are the ones directly engaged with the business - who get in at the ground level of the discussion.
When we speak to customers, we see a lot of CISOs are getting involved on day one of any discussion, when a bank decides to move in a particular direction - to open a new channel, or to look at a new business model. Getting involved on day one means that the risks are more upfront. So organizations can make an informed decision.
The best CISOs have front row seats and are able to integrate security mechanisms into the business from the beginning, as well as keep the management appropriately informed on risks to avoid any surprises (see: Articulating Security's Business Value).
A concluding thought: The reason for the changing threat landscape is fundamentally baked into business models today. We cannot wish them away. Adoption of cloud is probably going to continue and grow. New business models are coming in, and mobile endpoints are going to stay and get more powerful. So today, we are calling them trends, tomorrow they might be business as usual.
It is left to us as security practitioners to ensure that when adoptions like these happen on a grander scale - the Internet of everything is the biggest example - security is fundamentally built into the stack itself and is not added at a later point. The traditional mindset has to go away; we have to start looking at different ways to do security and different ways of adapting to it. That's the future.