Interview by Matthew Dove
Crooks don’t rob banks with guns and masks anymore. Now all they need is a laptop and a few lines of code. Each new innovation puts another weapon into the arsenal of those who seek to exploit the weaknesses in our society’s institution framework. Here, TFT asks Greg Day, VP and CSO EMEA, Palo Alto Networks to describe his view from the frontline of financial cybersecurity…
Are advances in fintech making our personal data safer or is risk growing with each new innovation?
Most would agree the principles of finance progress cautiously yet technology in this sector is evolving at an exponential pace. And, this is being exploited by cyber adversaries.
The most common goal for criminals is financial gain, and in just a few years we have seen adversaries migrate from card fraud to information theft and ransom and now targeting crypto currencies. Because of the digitisation of so many financial processes, the route to revenue is getting shorter and the potential return is growing. All of this means criminal investments in this space are only likely to increase, and they are using more automation to improve their own criminal business model.
The financial services sector isn’t unaware of cyber risks but it’s having to consider how fintechs complicate the picture and introduce new vulnerabilities that must be mitigated.
While PSD2 is a laudable tool for creating innovation in financial services, for example, it has opened up data breach risks from how customer data is shared with third parties who may not have consistently high levels of cybersecurity.
Will the future of the sector be a face-off between AI cybercriminals and AI cybersecurity? If so, what are the implications for human agency in the field?
While cybersecurity experts look for new ways to spot adversaries using machine learning techniques, and leverage AI against the mass of threat indicators gathered, adversaries will be increasingly looking to subvert machine learning and AI. They will be trying to find ways to trick such solutions, looking for the cracks to sneak through. We can also be sure cyber attackers are also looking to leverage AI for their own purposes.
Cybersecurity is moving into a machine versus machine fight with humans on hand to help and apply judgment. And, this is a scenario that the general public is increasingly comfortable with. Recent research by Palo Alto Networks alongside sociologist Dr Jessica Barker and YouGov found a quarter of Europeans would prefer that AI protected their online lives.
AI is already playing a vital role in cybersecurity, helping to detect and prevent breaches at scale and speed with new capabilities that the human brain simply could not achieve. It is encouraging, therefore, to see the gap closing between AI- and human-managed cybersecurity technologies, and the positive attitude towards cybersecurity checks that comes with a preference for AI technologies is one we hope to see embraced by more people in the future. Humans are risk averse, yet innovation requires taking new steps, and many still see change as risk.
Cybersecurity leaders in all sectors including finance must focus on their ability to be as agile as the businesses they support. Key to this is considering how the tools and processes behind your cybersecurity can be automated. If we can’t take humans out of many of the processes involved in cybersecurity we will never be as automated or as fast effectively as the adversary. It’s like human racing against a car over 500 metres, it’s simply an unfair challenge.
What role will blockchain technology play in securing the IoT and in allowing users to control their own cybersecurity data?
Blockchain has lots of potential. Its distributed ledger technology can slash costs and speed transactions, as well as foster trust and root out fraud. But, it is important to remind ourselves that blockchain is a tool and not a miracle cure.
Few would dispute blockchain is hugely overhyped and the reality is that it is hard to deploy and, perhaps, its use cases are rather more limited than some have breathlessly promoted.
Yet, cybersecurity could be one of those use cases because of how blockchain could verify digital identities. So, it is no surprise that the World Bank and the US Defence Department’s Advanced Research Agency are evaluating what’s possible.
Few would dispute blockchain is hugely overhyped and the reality is that it is hard to deploy and, perhaps, its use cases are rather more limited than some have breathlessly promoted.
Nonetheless, it is early – and exciting – days to know how much this technology will affect cybersecurity. The real future gains will come from much greater and creative use of AI and cloud computing and storage to prevent attacks, and protect everyone’s digital lives.
How vulnerable to breach are legacy institutions when attempting “digital transformation”? What extra measures should they adopt to prevent attacks during periods of technological overhaul?
Legacy institutions must ensure they can maintain visibility of what and where their business processes are being digitised and ensure that the risks and security controls are maintained to high standards and agile.
Technical debt presses down on legacy institutions much more than fintechs. Most of the processes and the associated technologies supporting them have a defined lifespan. However, vendors continue to evolve their technology at a faster pace that can often leave organisations with systems that are considered legacy and no longer supported by the manufacturer, yet the business simply can’t evolve to newer platforms at the same pace. Behind this is the human factor which is both the innate ability for people to do the unexpected and at the same time the ongoing lack of knowledge in cybersecurity, both societally but also in not having enough experts to apply the right processes and cybersecurity capabilities.
Financial institutions need to arm themselves with highly automated, prevention-focused security platforms that leverage machine learning, not only within individual appliances but across the platform. Native integration of up-to-the-minute threat intelligence across key enforcement points, like networks and all kinds of endpoint from desktop to the smartphone, is ultimately what will make a difference and usher in a new era of digital security. But for people who manage risk for a living, having the courage to do something fundamentally different is a rare occurrence. Nonetheless, they can take impetus from how the regulators are looking at how data is secured to a higher standard.
What will cybersecurity look like in 10 years?
From a technology innovation stance 2030 is a long way out; most chief information security officers (CISOs) today struggle to look forwards more than a few years as the pace of technology evolution shows no signs of abetting.
What we can predict is by then 5G should be ubiquitous, and potentially superceded at some level. Why is this key? 5G has the ability to enable such low latency that computing can be used effectively in real time, and with the growth in capacity, speed and devices that can connect, 5G will enable much greater use of IoT. This means that cybersecurity will have to work faster because it simply cannot add delay to things such as cars communicating or doctors doing remote surgery.
What we can predict is by then 5G should be ubiquitous, and potentially superceded at some level.
The rules of cybersecurity must change. Or to put it more bluntly, we have to revolutionise how we identify individual data flows in a huge mesh of traffic, the concept of trusted users won’t exist, instead we will verify and restrict to only what is required. With such a hyper-connected world, open networks will be a thing of the past, each connection will be like a micro-ecosystem. Whilst this might seem untenable, this is exactly what DevOps offers from a development stance and today we have the capabilities to do this from a security stance. We must break security into small bite-size elements that are agile and adaptable both to keep pace, but also contain incidents as they occur.
Just as business processes are moving to the cloud, so security controls will also move to the cloud. As the number of algorithms to detect complex adversaries increase, so do the volume of intelligence created and logged from these. Only through the use of cloud will we have both the capacity to store and more importantly process the intelligence as the pace required to prevent impact. As most of our data is in the cloud it makes sense anyway.
