With more remote workers, financial firms face greater SaaS, custom application attacks

A man carries a briefcase as he walks through the Financial District on Jan. 4, 2019, in New York City. (Photo by Drew Angerer/Getty Images)

In recent years, software as a service (SaaS) and custom-made applications have become far more popular for financial institution employees and customers alike, especially as more of them are working remotely in the wake of pandemic lockdowns.

And with greater popularity among users comes a higher rate of attacks aimed at preying on potential accounts, money and data.

The use of software-as-a-service and custom-built applications, increasingly popular with technology contractor-dependent financial firms, has become a “common practice,” especially for enterprises with more than 1,000 employees, which use more than 150 applications on average, according to Doron Hendler, CEO and co-founder of RevealSecurity, which works with global banks and insurance companies.

But sometimes those application-loving employees go rogue. Indeed, 4 out of 5 (80%) of surveyed employees use applications that “may not be compliant with an organization’s security and compliance policies,” Hendler said. “Insider threats are costly to organizations since, on average, it requires 77 days to detect and contain such a breach.”

“The market-wide shift from on-premise to SaaS technologies, compounded by a growing trend of employees working remotely, has extended the attack surface for malicious activities in SaaS applications,” Hendler said.

“Abuse, misuse and malice now happen anytime and from anywhere, creating a market need for a solution that addresses application detection and response (ADR) in a way that can scale across multiple different applications,” he added.

According to Hendler, there are two main IT security reasons companies in the financial industry call in his firm: one concerns customers, and the other concerns financial employees. With custom-built applications, which are often used for a bank’s or insurance company’s consumer-facing website, the anomalies are more commonly created by imposters. One common hack is when cybercriminals make changes to an account without the owner’s knowledge, Hendler said.

However, when monitoring SaaS applications used by employees, contractors and agents, which currently include most Microsoft 365, Salesforce, Google Workspace and Amazon Web Services applications, RevealSecurity detected anomalies created by malicious insiders. A case in point is when an employee tries to take advantage of access or information by using these applications.

“Misuse is more common now that employees are working remotely,” Hendler said. He pointed out a recent example where one of his clients had “an authorized employee accidentally deleting an insurance policy that affected thousands of people. In most companies, a mistake like that could take weeks to detect, as they’re only looking for anomalies they’ve seen before.”

So, what are financial firms to do to mitigate this risk? Multi-factor authentication can significantly decrease the risk of unauthorized access. However, per Hendler, “[This approach] has yet to provide a hundred percent protection, making any security team vulnerable to greater risks of an insider threat from a trusted, authenticated user.”

Hendler said that accuracy is key, “as false alerts and high signal-to-noise ratios have become debilitating for security teams. Most detection solutions in today’s market are still predominantly rule-based, thereby costly and ineffective.”

“Data science must be applied to application log files instead of rules,” he added, “identifying and responding to sophisticated threat tactics in applications so that employees and customers can continue to operate in safe, trusted environments.”
