Security Monitoring Must Do’s for Financial Institutions – How Visibility Helps Find and Prevent Breaches and Maintain Compliance

It is no surprise that cybercriminals are after the money and financial institutions have plenty of it lying around. Financial data is irresistible, and hackers have a field day attacking complex financial IT systems boasting more connections than a Hollywood agent. The attack surface is huge with countless paths to follow.

Here are some statistics to show how damaging cyberattacks can be for financial institutions:

  • According to Forbes, 35% of all data breaches impact the financial services industry.
  • Security attacks are unremitting, as according to a survey by Vanson Bourne of 100 financial services decision makers in the UK, 70% were hit by a security incident in the past twelve months.
  • Meanwhile, the Boston Consulting Group finds that, “Financial services firms are 300 times as likely as other companies to be targeted by a cyberattack. Dealing with those attacks and their aftermath carries a higher cost for banks and wealth managers than for any other sector.”
  • COVID made attacks on financial services explode, finds Fintech News. “COVID-19 is blamed for a 238% increase in cyberattacks in FinTech, with 80% of firms worldwide increasing their digital security infrastructures,” Fintech found.

When security tools do more harm than good

Unfortunately, the systems designed to help (such as alerting or monitoring tools) can overwhelm a bank’s IT department. Ovum’s research of banks found that 40% get hit with an average of 160,000 mistaken, redundant or irrelevant alerts every day. The culprit? Alert overload from myriad security tools. Ovum found that 73% of IT departments have at least 25 separate security tools.

Financial security pain points

Financial services firms face an array of security and compliance pain points, including:

  1. Compliance: Taking improper care of data leads to compliance violations, regulatory action and fines.
  2. Identities and authentication: Financial institutions must not only control access to data from employees and outsiders, but systems must also be protected through proper credentials for the IT pros themselves.
  3. Security: A financial institution breach is front-page news, invading customer privacy and harming the organization’s reputation.

Ways security monitoring eases the ouch

Risk-based monitoring

Always start by knowing the most plausible risks and attacks your company will face. Knowing which specific cyberattacks your organization can be affected by will give you an idea of which devices or log information you need to prioritize and send to your monitoring solution. Every monitoring solution has associated costs: there simply aren’t enough resources to process all of this information continuously, nor is there enough manpower in your security team to triage every alert.

Moreover, you will need to be conscientious about what data you are looking to monitor. Take an iterative approach to continuously tune and refine your monitoring system so it can focus on your organization’s top risks. An overabundance of data creates a lot of noise and false positives that your teams then have to react and respond to. I will provide an example later in this article.

Compliance

Compliance reporting is critical, as these reports keep security and IT teams aware of potential problems that could result in a breach. In the case of an incident, records of policy and regulatory violations help establish what exactly happened and what may have been violated. Monitoring enables visibility by collecting, analyzing and archiving logs that tell the activity tale. Collect logs on key pieces of the infrastructure and use that data to understand flaws and areas where your compliance is either absent or suspect.

Identities and authentication

Taking over a corporate IT system is hacker’s gold. A network monitoring solution, for instance, shows all the network elements as well as how they are configured and used, and by whom. Use Least Privilege Access to protect this vital resource with tight credentials based on user identity and strong authentication, because credentials are usually where attackers start. Cybercriminals may begin with phishing attacks, look for compromised passwords on the Internet, or use password cracking tools. An attacker doesn’t have much unless they obtain some kind of access to user credentials.

Monitor with greater visibility

You can get complete visibility into the status of systems and applications to see network devices, servers, virtual machines, cloud and wireless environments in context. The vast amount of monitoring data will provide you the footprints or (if it’s large enough) blast radius for any cyberattack.

Network monitoring also makes it easy to get detailed visibility into your network traffic to see which users, applications and protocols are consuming bandwidth as well as the traffic sources and destinations. This insight allows you to set up bandwidth usage policies and detect unusual traffic to known adversarial destinations that could indicate a security issue. The sources and destinations of traffic can also give you clues on attribution and tell you who your adversary is and what types of attack patterns they are known for.

Find breaches faster

With modern monitoring tools, you can combine telemetry to give you a broader picture of the activity occurring in your operating environment and automate alert notifications to your security team or IT pros. Setting up alerts that send an email, chat message or text notification for changes to the configuration of devices, changes to authentication policies, or activities consistent with known indicators of compromise (typically information shared from known breaches or attacks) is a great start. Automate as much as you can and let the computers do the hard work.
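As an added illustration of the two alert classes described above (device and authentication policy changes, and traffic to known adversarial destinations), the following Python is example code written for this article, not a monitoring product’s own logic. The event format, the hosts and the indicator list are all constructed, using documentation address ranges rather than real indicators.

```python
import ipaddress
import re

# Constructed sample events in a simple key=value format (not from any real product).
SAMPLE_EVENTS = """\
ts=2024-03-01T09:00:01Z type=config_change device=core-sw1 user=netadmin field=acl_policy
ts=2024-03-01T09:00:05Z type=flow src=10.1.4.22 dst=10.1.4.50 bytes=512
ts=2024-03-01T09:00:09Z type=auth_policy_change device=idp user=svc-backup field=mfa_required value=false
ts=2024-03-01T09:00:12Z type=flow src=10.1.4.22 dst=203.0.113.77 bytes=98304
ts=2024-03-01T09:00:15Z type=flow src=10.1.9.3 dst=198.51.100.9 bytes=1024
""".splitlines()

# Constructed indicator list (a documentation range, not a real IoC); in practice this
# list is fed from shared threat intelligence as the article describes.
KNOWN_BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Event types that should always page someone, regardless of destination.
ALERT_TYPES = {"config_change", "auth_policy_change"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def matches_ioc(dst, networks):
    """True when dst is a valid IP address inside one of the known-bad networks."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def triage(lines, bad_networks=KNOWN_BAD_NETWORKS):
    """Return the alerts a monitoring tool should raise from a batch of events:
    configuration or auth-policy changes, and flows to adversarial destinations."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") in ALERT_TYPES:
            alerts.append({"reason": ev["type"], "who": ev.get("user"),
                           "where": ev.get("device"), "what": ev.get("field"), "ts": ev["ts"]})
        elif ev.get("type") == "flow" and matches_ioc(ev.get("dst", ""), bad_networks):
            alerts.append({"reason": "ioc_destination", "who": ev.get("src"),
                           "where": ev["dst"], "what": ev.get("bytes"), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The internal flow and the flow to 198.51.100.9 stay silent; only the ACL change, the MFA policy change and the transfer to the listed network produce alerts.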

Avoid alert overload

Alert fatigue: The phrase “less is more” may sound counterintuitive, but it’s one of the best practices for cybersecurity. Here is a perfect example. We came across a customer whose monitoring tool was repeating the same action every two minutes. When a system became unavailable, they’d get an email alert – even when it was only down for a minute. Every two minutes after that, the network monitoring tool kept emailing. They got so used to it that people started ignoring the alerts. When there are too many alerts, people tune them out.

Our recommendation is to make sure emails only go out when someone logs in and does something crucial. Alongside that, make sure the system is configured so it does not spam users with messages even when no one is logging in.
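The following Python is an added example, not code from the article or from any monitoring product, showing one way to fix the two-minute alert storm described above: an outage is announced once, only after it has lasted at least a configurable time (120 seconds assumed here), repeat polls stay silent, and a single recovery notice closes it. The host name and poll timings are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class AlertGate:
    """Decide whether a poll result should produce a notification.

    Notify once when a host has been down for at least min_down_seconds,
    once when it recovers, and never on the repeat polls in between."""
    min_down_seconds: int = 120
    down_since: dict = field(default_factory=dict)   # host -> time of first failed poll
    notified: set = field(default_factory=set)        # hosts whose outage was announced

    def poll(self, host, is_up, now):
        """Return a notification string, or None when this poll should stay silent."""
        if is_up:
            was_announced = host in self.notified
            self.down_since.pop(host, None)
            self.notified.discard(host)
            # A blip that was never announced needs no recovery message either.
            return f"{host} recovered at t={now}" if was_announced else None
        start = self.down_since.setdefault(host, now)
        if host in self.notified or now - start < self.min_down_seconds:
            return None
        self.notified.add(host)
        return f"{host} down for {now - start}s (since t={start})"


def simulate(polls, min_down_seconds=120):
    """Run a sequence of (host, is_up, time) polls through one gate and
    return the notifications that would actually be sent."""
    gate = AlertGate(min_down_seconds)
    sent = []
    for host, is_up, now in polls:
        msg = gate.poll(host, is_up, now)
        if msg:
            sent.append(msg)
    return sent


# Constructed poll sequences (two-minute polling, as in the article's anecdote).
BLIP = [("db1", False, 0), ("db1", True, 60)]
OUTAGE = [("db1", False, 0), ("db1", False, 120), ("db1", False, 240),
          ("db1", False, 360), ("db1", True, 480)]

if __name__ == "__main__":
    print("blip:", simulate(BLIP))      # nothing sent
    print("outage:", simulate(OUTAGE))  # one outage notice, one recovery notice
```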

Put it all together and test

All IT and security teams are busy and may end up overlooking areas that attackers are bound to uncover. It doesn’t mean they are incompetent – it is possible that inertia is getting in the way. Leverage your annual vulnerability or penetration tests and see whether your IT or security teams can see the testing activity. I am a big fan of “Red Team” (offensive black box) tests. Red Team tests are complete adversarial simulations with the goal of replicating an attack as closely as possible. These types of tests are usually known only to a limited number of individuals within an organization. However, after a Red Team test, other teams may not favor you or your team, because what they thought was a “real” breach was actually an exercise replicating a potentially severe breach. The alternative, taking a more collaborative approach to the test, is called a “Purple Team” test. A Purple Team test combines and coordinates both offensive and defensive exercises to determine whether the attacks launched are alerted on or visible to your IT or security teams.