A cyber attack on SolarWinds, a vendor of IT-management software widely deployed in government and enterprise networks, disclosed in December 2020 after an intrusion that began in 2019, allowed the attackers behind it to gain access to various high-profile organizations, including email at the US Departments of Treasury and Justice. The case highlighted that the compromise of a single supplier can have drastic ripple effects across the vital networks that depend on its software.
Following SolarWinds and the other high-profile attacks of the late 2010s, US financial services enterprises became more fluent in the vocabulary of security ecosystems, threat hunting, and defensive enterprise intelligence operations.
The larger problem in today’s VUCA (volatile, uncertain, complex and ambiguous) world is the amplification of arms races in the digital realm. Cyberattacks, growing in complexity and severity, rank among the most serious threats to the global financial system. To confront these ever more sophisticated attacks, banks are increasingly turning to more advanced tools.
Since AI-enhanced algorithms can process large numbers of data points in near real time, they provide the technological basis for vendor and in-house solutions that deliver threat intelligence and detect phishing and malware.
This article will explore three of the most prevalent real-world applications of AI in banking cybersecurity workflows:
- Threat hunting and intelligence: Training models to create alerts for potential threat activities to be investigated further in detail.
- Malware detection and prevention: Plugging in malware detection tools to identify malicious behavior and prevent and block malware
- Vulnerability assessment and management: Leveraging AI to modernize vulnerability management and automate patch management
For each use case, we further discuss the business challenge said technology solves, the data being leveraged in the process, and the distinct benefit that AI applies to the processes therein.
Use Case #1: Threat Hunting and Intelligence
FinCEN’s Financial Trend Analysis report found that US financial institutions reported ransomware-related payments of about 1.2 billion USD in 2021. Other findings from the report indicate that cyberattacks continue to be a threat to businesses.
Given the exorbitant costs of cyberattacks, banks must know who the attackers are and how they operate before they strike. Banks need to anticipate which actors could be a threat. Further, given the number of entities a bank deals with and the number of transactions it processes in a day, it is not possible for a team of analysts to look out for threats manually.
While the traditional risk management approach can handle known threats, defending against more advanced and targeted attacks, such as phishing or supply chain compromise, requires ever more modern and advanced technology.
That arms race raises the need for systems and technologies that can process a high volume of data while looking at many variables simultaneously.
In simple terms, threat intelligence aggregates, transforms, analyzes, and interprets information to provide decision-making context. AI capabilities help businesses detect and collect threat intelligence in two ways:
- Coping with and processing overwhelming data volumes
- Ensuring the freshness of data for continuous learning
Vendor example: Splunk
Splunk is a California-based data platform provider for security and observability. The company offers advanced threat detection and intelligence platforms.
Splunk Enterprise Security is an enterprise security framework that extends security architecture beyond legacy systems. It uses connected intelligence to gain complete visibility and responsiveness across the entire security ecosystem.
It provides full visibility across systems to detect threats in the environment. With advanced security analytics, machine learning and threat intelligence, the software helps businesses achieve a higher rate of true positive alerts.
1. First, an analyst downloads the threat intelligence feeds that are available for immediate use.
2. The security administrator then defines a commercial or community threat list in the Threat Intelligence Downloads interface by entering the feed URL and the remaining download and parsing settings.
3. Once the threat lists are downloaded, the intel framework aggregates, consolidates, and prioritizes the indicators, so that many threat sources can be used and processed together.
4. After configuration is complete, Splunk applies the intelligence to all the data processed by the platform across domains such as access, network, identity, and endpoints.
5. Whenever an incoming event contains an indicator that matches a threat list, Splunk Enterprise Security generates an alert notifying the security operations team, with the specific matched intel attached, for further investigation.
6. To investigate threat list match incidents, Splunk provides the Asset Investigator interface for rapid drill-down.
As digital activity grows, Security Operation Centres are increasingly overwhelmed with information. Automated detections generate a large volume of alerts, forcing the team to examine only the highest-priority results, and many of those turn out to be false positives.
To reduce alert volume, Splunk’s platform supports risk-based alerting (RBA). Instead of raising an alert for every rule that fires, each detection writes a scored risk event, attributed to an entity such as a user or a host, into a risk index; machine learning and behavioral baselines help weight those events so that substantive evidence counts for more than noise.
Using predetermined risk score thresholds and behavioral patterns, the system raises an alert only when an entity’s accumulated risk, summed over a time window, reaches the threshold value.
Scoring each potential threat activity and alerting on the aggregate value helps security teams focus on true positive alerts and act when necessary.
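The threat-list matching in steps 4 to 6 and the risk aggregation behind RBA reduce to a small amount of logic. The following Python is an added example, not Splunk’s code or its SPL; it assumes JSON event lines with user, dest_ip and domain fields, a threat list mapping each indicator to a feed name and a score, a 24-hour window and a threshold of 80, all of which are constructed assumptions for illustration.

```python
"""
Added example (not Splunk's code): threat-list matching followed by
risk-based alerting (RBA), reduced to plain Python.

Assumptions (not from the article):
  * events are JSON lines with ts, src, user, dest_ip, domain
  * the threat list maps indicator -> (feed name, risk score)
  * all sample data below is constructed for the example
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat list: indicator -> (feed name, risk score contribution)
THREAT_LIST = {
    "198.51.100.23": ("community-feed", 40),
    "203.0.113.77": ("commercial-feed", 60),
    "malicious.example": ("community-feed", 30),
}

# Constructed events (documentation-range IPs, not real telemetry)
SAMPLE_EVENTS = [
    '{"ts": "2024-03-01T10:00:00", "src": "proxy", "user": "alice", "dest_ip": "198.51.100.23", "domain": "malicious.example"}',
    '{"ts": "2024-03-01T10:05:00", "src": "proxy", "user": "alice", "dest_ip": "10.0.0.5", "domain": "intranet.example"}',
    '{"ts": "2024-03-01T10:07:00", "src": "firewall", "user": "alice", "dest_ip": "203.0.113.77", "domain": ""}',
    '{"ts": "2024-03-01T10:09:00", "src": "proxy", "user": "bob", "dest_ip": "198.51.100.23", "domain": ""}',
    '{"ts": "2024-03-02T11:00:00", "src": "proxy", "user": "bob", "dest_ip": "203.0.113.77", "domain": ""}',
]


def match_threat_list(events, threat_list=THREAT_LIST):
    """Compare each event's indicator fields against the threat list.
    Returns one scored risk event per matched indicator, attributed to the user."""
    risk_events = []
    for line in events:
        ev = json.loads(line)
        for field in ("dest_ip", "domain"):
            ioc = ev.get(field)
            if ioc in threat_list:
                feed, score = threat_list[ioc]
                risk_events.append({
                    "ts": datetime.fromisoformat(ev["ts"]),
                    "risk_object": ev["user"],   # the entity that accumulates risk
                    "indicator": ioc,
                    "field": field,
                    "feed": feed,
                    "score": score,
                })
    return risk_events


def risk_based_alerts(risk_events, threshold=80, window=timedelta(hours=24)):
    """Risk-based alerting: sum scores per entity inside a sliding window and
    raise one alert per entity as soon as the aggregate reaches the threshold.
    A single match never alerts on its own; repeated evidence does."""
    by_entity = defaultdict(list)
    for r in sorted(risk_events, key=lambda r: r["ts"]):
        by_entity[r["risk_object"]].append(r)

    alerts = []
    for entity, evs in by_entity.items():
        for i, current in enumerate(evs):
            # Only events within `window` before the current one count.
            in_window = [e for e in evs[: i + 1] if current["ts"] - e["ts"] <= window]
            total = sum(e["score"] for e in in_window)
            if total >= threshold:
                alerts.append({
                    "risk_object": entity,
                    "aggregate_score": total,
                    "contributing": sorted({e["indicator"] for e in in_window}),
                })
                break  # one notable per entity is enough for the analyst queue
    return alerts


if __name__ == "__main__":
    for alert in risk_based_alerts(match_threat_list(SAMPLE_EVENTS)):
        print(alert)
```

With the constructed data, alice accumulates three matches (40 + 30 + 60) inside a few minutes and crosses the threshold, while bob’s two matches fall more than 24 hours apart and never aggregate past 60, so only one alert is raised.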
Japan Net Bank (JNB), Japan’s first internet-only bank, faced the challenge of a time-consuming risk management process and ineffective fraud analysis. After adopting Splunk Enterprise to derive real-time threat intelligence, JNB has seen the following benefits, as claimed by Splunk:
- Prevented illegal money transfer
- Changed from manual processing of alerts to an automated process
- Accelerated analysis of cyberattacks from 36 hours to a few minutes.
Though Splunk has not specified the detailed business results for the bank in terms of security, in its marketing materials, it mentions business impact for an insurance company as:
- Blocked more than 2 million security threats in 6 months period
- Automated threat hunting and 90 percent of metrics processing within 2 months
- Saved security analysts more than 40 hours per month
Use Case #2: Malware Detection and Prevention
For our purposes, malware is best defined as malicious code, script, active content or intrusive software designed to damage, disrupt or gain unauthorized control of a computer system. Modern malware has become complex enough, and is produced in such volume, that manual inspection alone cannot keep up with it.
Given how fast today’s business systems operate and how dependent on them the business is, malicious code needs only seconds to establish itself and inflict damage. That damage can take many forms, from data loss to outright disruption of operations.
Systems built on machine learning and deep learning can inspect file content and runtime behavior in real time to flag malicious activity. Such detectors are trained on labelled malware datasets; feature-selection statistics such as the Fisher Score (FS) and Chi-Square (CS), among others depicted in the graphic below, are used to pick the attributes that best separate malicious from benign samples:
Vendor example: Cisco
Cisco is a networking and security vendor. For malware detection and prevention the company offers Advanced Malware Protection (AMP), since rebranded as Cisco Secure Endpoint.
The AMP platform provides behavior-based detection of malware entering the environment. Through a behavior detection engine, the software identifies malicious actions on the endpoint, network and email, and provides runtime detection and blocking of abnormal behavior of a running program on the endpoint.
Cisco also claims to use machine learning to extract 400 different attributes from each individual threat and group them into categories. These attributes serve as features for the machine learning classifiers that produce the final verdict.
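To make the feature-selection statistics named above concrete, here is an added Python example (not Cisco’s code and not from the article) that ranks candidate file attributes with the Fisher Score and the Chi-Square statistic. The dataset, attribute names and labels are constructed for illustration; the formulas are the standard ones, chi-square on binary attributes and the Fisher ratio of between-class to within-class variance on continuous ones.

```python
"""
Added example (not Cisco's code): ranking malware-sample attributes with the
Fisher Score and the Chi-Square statistic, in pure Python.

Assumption: each sample is a dict of attribute -> value plus a label
(1 = malicious, 0 = benign). The dataset below is constructed, not real
malware telemetry.
"""
from collections import defaultdict

# Constructed labelled samples. packed / imports_crypto / has_icon are binary;
# entropy and section_count are continuous. has_icon is deliberate noise.
SAMPLES = [
    ({"packed": 1, "imports_crypto": 1, "entropy": 7.6, "section_count": 3, "has_icon": 0}, 1),
    ({"packed": 1, "imports_crypto": 0, "entropy": 7.4, "section_count": 2, "has_icon": 1}, 1),
    ({"packed": 1, "imports_crypto": 1, "entropy": 7.1, "section_count": 4, "has_icon": 0}, 1),
    ({"packed": 0, "imports_crypto": 1, "entropy": 6.9, "section_count": 3, "has_icon": 1}, 1),
    ({"packed": 0, "imports_crypto": 0, "entropy": 5.1, "section_count": 5, "has_icon": 1}, 0),
    ({"packed": 0, "imports_crypto": 0, "entropy": 4.8, "section_count": 6, "has_icon": 0}, 0),
    ({"packed": 1, "imports_crypto": 0, "entropy": 5.4, "section_count": 5, "has_icon": 1}, 0),
    ({"packed": 0, "imports_crypto": 1, "entropy": 5.0, "section_count": 4, "has_icon": 0}, 0),
]


def fisher_score(samples, attr):
    """Fisher score = between-class variance / within-class variance.
    Larger means the attribute separates malicious from benign better."""
    values = [s[attr] for s, _ in samples]
    mean_all = sum(values) / len(values)
    by_class = defaultdict(list)
    for s, label in samples:
        by_class[label].append(s[attr])
    numerator = denominator = 0.0
    for cls_values in by_class.values():
        n = len(cls_values)
        mean_c = sum(cls_values) / n
        var_c = sum((v - mean_c) ** 2 for v in cls_values) / n
        numerator += n * (mean_c - mean_all) ** 2
        denominator += n * var_c
    return numerator / denominator if denominator else float("inf")


def chi_square(samples, attr):
    """Chi-square statistic of a binary attribute against the class label
    (2x2 contingency table, no continuity correction)."""
    observed = defaultdict(int)
    for s, label in samples:
        observed[(s[attr], label)] += 1
    n = len(samples)
    row_tot = {v: observed[(v, 0)] + observed[(v, 1)] for v in (0, 1)}
    col_tot = {c: observed[(0, c)] + observed[(1, c)] for c in (0, 1)}
    stat = 0.0
    for v in (0, 1):
        for c in (0, 1):
            expected = row_tot[v] * col_tot[c] / n
            if expected:
                stat += (observed[(v, c)] - expected) ** 2 / expected
    return stat


def rank_attributes(samples):
    """Score every attribute: chi-square for binary ones, Fisher score for
    continuous ones. Returns attr -> (method, score)."""
    ranked = {}
    for attr in samples[0][0]:
        values = {s[attr] for s, _ in samples}
        if values <= {0, 1}:
            ranked[attr] = ("chi2", chi_square(samples, attr))
        else:
            ranked[attr] = ("fisher", fisher_score(samples, attr))
    return ranked


if __name__ == "__main__":
    for attr, (method, score) in sorted(rank_attributes(SAMPLES).items(), key=lambda kv: -kv[1][1]):
        print(f"{attr:15} {method:7} {score:.3f}")
```

On this data entropy dominates (high between-class separation, tight within-class spread), section_count and the two binary indicators carry moderate signal, and has_icon scores zero because it is split evenly across both classes, which is exactly the attribute a detector should drop.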
Cisco offers four conviction modes for malicious activity prevention engines. These are:
- Quarantine
- Block
- Audit
- Disable
To enable Malicious Activity Protection (MAP) on the endpoint, the workflow for a user looks like the following:
1. The user first selects a policy from the management drop-down for policy creation and configuration settings.
2. On clicking edit for a policy, the user is taken to a page that lists all the conviction modes. On this page, the user specifies how the connector responds to suspicious files, network activity, and processes.
3. To access the additional options of the MAP engine, the user clicks the advanced settings option and chooses the engine from the drop-down. Here the user can enable the MAP settings.
4. Clicking save after enabling MAP modifies the existing policy and enables Malicious Activity Protection for the systems under that policy.
Whenever malicious code runs or a malicious file is downloaded on the endpoint, the system generates a threat event, which can be investigated further.
Cisco further claims their software protects:
- The endpoint – by blocking malware at the point of entry, gain visibility into files and remove malware from systems.
- The network – by providing deep visibility into network-level threat activity and blocking malware
- Email – with additional capabilities to secure email and web
Cisco also markets AMP’s analysis as “continuous” rather than point-in-time: a file that was allowed through can be reclassified retrospectively and flagged if its disposition changes later.
While Cisco does not provide public information citing measured, tangible business results for the banking sector, their case report does mention that a security expert managed to bring down the time spent to detect and prevent the attack from 4 months to 40 minutes.
Use Case #3: Vulnerability Assessment and Management
Vulnerability management is a process by which businesses identify, analyze, and manage vulnerabilities in the operating network. The exploitation of these vulnerabilities by a threat actor poses a risk to the organization.
Expanding the discussion from what the vulnerabilities are, to how susceptible the organization is to disruption, or the impact of exploiting these weaknesses moves beyond the domain of vulnerability management into a discussion of risk management.
Security teams race to detect, prioritize and fix vulnerabilities before attackers find a way to exploit them. Traditional manual patching cannot keep pace with the rate at which vulnerabilities are disclosed and weaponized, which pushes this arms race, too, into the realm of AI.
Legacy vulnerability management software focuses on scan-and-patch methods that require heavy manual intervention and are inefficient. Such legacy systems are not sufficient to cope with advanced persistent threats, zero-day threats, composite threats, or polymorphic threats.
To manage vulnerabilities continuously, security teams have to perform persistently monitored vulnerability assessments. Legacy assessment tools do not work effectively in today’s distributed and hybrid environments.
From these business problems throughout financial services, demand is growing for real-time solutions that:
- Prioritize vulnerabilities
- Remediate them in timely fashion
- Track the vulnerability management process.
As cited in the following linked studies from Cornell, AI-powered vulnerability assessment and management software – armed with capabilities like classification algorithms and neural networks – is at the heart of the solutions helping businesses achieve these functions, whether those solutions come from an outside vendor, from an in-house early AI adoption project, or some combination of the two.
Vulnerability management software powered by typical AI capabilities, machine learning and natural language processing in particular, benefits financial services enterprises in the following areas:
- Continuous monitoring and central management
- Risk-based vulnerability assessment
- Built-in-remediation
- Automated patch management
- Reducing false positives in vulnerability detection
Vendor example: Secureworks
Secureworks is a computer and network security company that offers SaaS security platforms and intelligence-driven security solutions. The company offers Taegis Vulnerability Detect and Response (VDR) for vulnerability management.
The software provides a risk-based approach to manage vulnerabilities and optimizes remediation efforts based on actionable recommendations to protect crucial data.
As the company markets, VDR uses the following elements:
- Asset Discovery
- Built-In, Outlier Asset Identification Using ML
- Secureworks’ Exclusive, ML-Driven, Contextual Prioritization
As is typical of a machine learning-based platform, VDR is designed to improve as it collects more data.
The company claims that the software learns not only from one customer’s own data but from the data of all Secureworks customers using the product, so each customer benefits from the activity observed across the whole customer base.
VDR dashboard offers insights into 4 main areas. These are:
1. Vulnerability Variation: Displays the newly found and the fixed vulnerabilities since the previous scan
2. Health Score: Indicates the impact of the remediation plan on the overall health score, and whether the organization is improving or regressing
3. Assets: Displays the number of new assets added to the company network and the number of assets scanned for vulnerabilities
4. Contextual Vulnerability Prioritization Distribution: Displays the CVSS score and prioritizes vulnerabilities based on the severity of the risk in context
The AI feature in VDR prioritizes the vulnerabilities and presents a graph for deeper analysis. Under vulnerability prioritization, an analyst can see how the score changed from the CVSS score to the CPS (Contextual Prioritization Score).
Secureworks has not disclosed the benefits of VDR for the entirety of its clients in the banking sector. But for at least one of their aviation sector clients, Secureworks claims that their client saved:
- $6 million in ransomware
- $1.8 million annually in data breaches, and
- $ 2 million in cyberattacks.
Detailed calculations on these claims and metrics from Secureworks can be found here.
To achieve a comprehensive vulnerability management program, businesses must combine various factors. First is the knowledge base, which includes the list of company assets ranked by critical importance. Second, transform the list into a map of vulnerabilities that can work as a foundation for vulnerability strategy.
In the end, the right tools will help make the process much easier and more effective.