More often than I want to admit, I hear financial institutions say “We recently purchased a security service from our core processor.” Immediately, I ask them to explain what their core is providing. Is this from the core processor for personal or business customers? Do they handle mobile and web-based protection? How are they analyzing the threat across the entire business? I don’t get many clear answers to these questions.
Typical services fall under a few common categories:
1.) Fraud Management – Algorithms analyze transactions and look for suspicious activity. In some cases the services also look at organizational fraud and money laundering. Have these tools been circumvented in the past? Absolutely. However, they are improving and attempting to keep pace with the adversary, who also knows the thresholds that trigger an alert.
2.) Core Security – Protecting the core from attack. This is basically a managed service placed around the transactional environment to thwart technical attacks targeting the network, platform and application layer. This is what they should be doing in the first place to protect their own product, but it is marketed as an additional service.
3.) Online Banking Security – Protection for sites hosted by the core provider (note: not your institution’s website). This covers SSL encryption for the sites, session management, various types of authentication options, and in some cases (however rare) connection analysis. If you look around the financial industry, there are hundreds of these sites, like ibankingservice.com or mysecurecreditunion.com. It still amazes me how frequently we find legacy servers and code exposed to the internet that haven’t been updated since 2006. These domain names even sound like they are from the dot-com boom!
4.) Other – This is a mixed bag from one processor to the next, including secure hosted email, network connection monitoring and managed firewalls. Some of these offerings are byproducts of acquisitions; others are solid offerings which the core has contracted out or developed in-house.
The model above is a bottom-up strategy. Cores introduce security stovepiped within the financial institution’s architecture and sell protection services up through the business. This is like launching a corporate wellness program by putting a padlock on the candy machine.
In analyzing the most successful institutions, you find a defense-in-depth strategy. In conjunction with their core processor, they lean on providers that focus on security as their primary business. Keeping pace with threats is a hands-on, full-time job. It works when the security strategy is developed in a top-down manner, taking into account all services, cores, organizational structures, and missions.