This is a guest post by Magnet Forensics CEO Adam Belsher.
In May 2021, the Biden administration issued several new cybersecurity directives and regulations in an executive order to improve the nation’s cybersecurity.
The new directives came in response to an increasing number of cyber attacks threatening both the public and private sector—with financial institutions being one of the most targeted industries, according to the X-Force Threat Intelligence Index 2022 published by IBM Security.
To encourage a fast reaction to threats across the broader financial system, the federal banking agencies followed with a separate interagency rule: banks are now required to notify their primary federal regulator of a “computer-security incident” as soon as possible and no later than 36 hours after the organization has determined that a notification incident occurred. The potential benefits include helping the relevant agencies determine whether an incident is isolated or widespread, alerting other financial institutions so they can prevent similar attacks, and improving the overall resiliency of the banking industry by mitigating or entirely preventing “adverse liquidity events” caused by a loss of confidence in the system. The Office of the Comptroller of the Currency (OCC), the Federal Reserve and the Federal Deposit Insurance Corp. (FDIC) approved the rule in November 2021, and compliance was required as of May 1, 2022.
While this turnaround time may seem aggressive, it’s not without reason. Ransomware attacks have become increasingly sophisticated, and the resulting damage and costs keep climbing. As reported in ComputerWeekly, ransomware attacks cost mid-sized financial organizations an average of US$2 million in 2021, exceeding the average global damages of US$1.85 million across all business sectors. Containing and remediating a ransomware attack as quickly as possible can save a bank significant financial resources, and the clock on the 36-hour window starts at the moment the bank determines that a notification incident has occurred, not when the attack began.
Ransomware attacks fall squarely under the definition of a “computer-security incident” in the new rule. Whether a given incident must be reported, however, depends on its impact: a “computer-security incident” becomes a “notification incident” when it is one “that could materially disrupt, degrade, or impair the viability of the banking organization’s operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.” A ransomware infection that encrypts core banking systems clearly meets that bar; one contained to a single workstation may not, and the determination of which it is should be documented, because the 36 hours run from that determination.
The policy provides additional examples of “notification incidents” such as:
- “Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours)
- A failed system upgrade or change that results in widespread user outages for customers and banking organization employees
- A computer hacking incident that disables banking operations for an extended period of time.”
With all of this in mind, are shorter notification periods a benefit, burden, or of no consequence to the financial industry? That’s up for debate. What is clear is that there is increased pressure on digital forensics and incident response teams to find answers faster. In an article by BankInfoSecurity, Joseph Carson, chief security scientist at cybersecurity firm Delinea, stated that “it will likely increase the burden on incident responders to try and find patient zero and the root cause along with the true scale and impact of security incidents as quickly as possible, indirectly increasing the resources they require for incident response.”
Investing in the right technology can help analysts quickly uncover the true scale and impact of a security incident so that institutions can easily meet new notification deadlines. From a technology perspective, two out of five respondents in IDC’s State of Enterprise DFIR Report 2022 indicated that they need solutions that can collect data from several different sources (cloud, desktop, mobile) in addition to those that allow them to analyze all the data in one place. This is especially important given the skills shortage in the cybersecurity labor market.
There are several factors organizations will want to consider when building their digital forensics and incident response technology stack:
- Cloud-based triage: Investing in a solution that allows security analysts to triage remote endpoints quickly saves them from spending valuable time going down a rabbit hole (or two). A cloud-hosted triage tool can be reached from wherever the analyst is, saving the time and expense of travelling onsite to physically collect data. When potentially malicious activity is found, the case is handed off to analysts who can focus their efforts where it matters most and shorten the time to root cause.
- Artifacts-first, AI, and analytics: To discover an incident’s true scale and impact, a deep-dive forensic examination is required, which isn’t something incident response tools were designed to deliver. Digital forensic solutions that focus on uncovering new artifacts, even when investigators are unaware of their presence, can help an organization get to the how and why of an incident. To do this quickly, analysts need a solution that surfaces case-relevant evidence from all data artifacts and all sources in one place. This is why IDC recommends that “artificial intelligence and analytics should be built into forensic collections tools to be able to analyze and better target the custodians of those artifacts.”
- Workflow automation: Manually performing tedious, repetitive tasks takes analysts away from using their skills to find the root cause and ultimately delays the overall investigation. When speed is of the essence, automating even the smallest tasks can result in significant time savings. However, simply automating a set of tasks within a single tool isn’t going to be sufficient to save hours of work. Investing in an automation solution that orchestrates and integrates across an entire technology stack lets security teams optimize complete workflows from alert to collection and processing.
Within the industry, it’s recognized that there are pros and cons to shortening the time to notify federal regulators about a security incident. With the right technology in place to improve response times, analysts will be able to identify the root cause faster and potentially protect other organizations from similar incidents by raising awareness sooner. An improved response time across all organizations could save the banking industry and their customers significant financial loss and heartache and ultimately create a stronger, more secure sector.
At Magnet Forensics, we’re working alongside customers in financial services and other industries every day to help solve challenges like responding to security incidents faster. Check out our website at https://www.magnetforensics.com/digital-forensics-for-financial-services to see how Magnet Forensics’ enterprise digital forensics solutions can help you respond to incidents faster and help meet regulatory requirements. Or email email@example.com to speak to an expert.