In focus: MDR for finance

Financial institutions beware: Ransomware-as-a-service is the next-level evolution of ransomware. RaaS utilizes the skills of more than one attacker – and these threat actors are getting paid to wreck your organization’s infrastructure. 

Using the RaaS business model, skilled operators provide affiliates pay-to-play access to readymade ransomware kits on the dark web. That means that affiliates lacking the technical chops can more easily acquire a kit and then redeploy that malware on whichever victims they please (for a fee, of course).

Managed detection and response (MDR) is the counterweight to RaaS: Paid experts who analyze your digital environment for the purpose of protection. 

In a MDR partnership, a cybersecurity vendor serves as an extension of the customer’s security operations center (SOC), dedicating professional threat hunters and advanced technologies toward investigating threats and vulnerabilities lurking in a customer’s attack surface. 

  • Threat hunters are elite security practitioners who combine intuition and a deep understanding of the latest adversary tactics, techniques and procedures (TTP) to proactively eliminate threats before damage is done to the customer. 
  • MDR threat hunters and incident responders perform threat monitoring around the clock, taking shifts on a rotational basis to make sure that nothing escapes their notice. They can do this because they are extremely well-staffed and have well-established processes and tools for sharing threat intelligence at the beginning and end of every shift, which means that operators are always working off of the most up-to-date information.
  • Because the MDR vendor serves a global customer base numbering in the thousands, they also have visibility over a far larger trove of data than the average organization. This means that if they detect a threat in one corner of the globe, they can immediately notify the affected customer as well as all other customers who could be impacted down the value chain.

These benefits could substantially help security teams working in financial services who feel under-resourced and overwhelmed by the ransomware scourge.

Ransomware attacks on the financial sector

Ransomware actors have stepped up their game, using RaaS kits to get past the banking sector’s digital vaults. 

According to a 2022 survey fielded by cybersecurity vendor Sophos:

  • Ransomware attacks on financial services have increased – 55% of organizations were hit in 2021, up from 34% in 2020
  • 52% of financial services organizations paid the ransom to restore data, which is higher than the global average of 46%
  • The rate of ransom payment by the financial services sector more than doubled: up from 25% in 2020 to 52% in 2021. The global average in 2021 was 46%
  • The average remediation cost in financial services was US$1.59M, which is above the global average of US$1.4M

Other types of breaches and cyberattacks hitting the industry, which paint a similarly grim picture: 

  • In Verizon’s 2022 Data Breach Investigations Report, the Finance industry yielded more data breaches than any other industry.   
  • Financial breaches accounted for 49% of data breach notification-related calls by consumers in 2022, compared with 32% for healthcare data breaches, even though healthcare was the most breached sector last year, according to HealthITSecurity.
  • In its annual global intelligence threat report, FS-ISAC reported that the financial industry's cyber threats have gotten worse in the shadow of the war as both sides have unleashed hacktivist groups who have carried out distributed denial of service (DDoS) attacks, website takeovers, and other activities, with many targeting financial institutions in countries whose governments are at odds with Moscow and President Vladimir Putin. 

These conditions make it exceedingly difficult for financial organizations to operate productively and securely. In an effort to reverse these trends, some companies have begun subscribing to the MDR model. Here are some reasons why.

MDR for financial services

Here’s why financial organizations are using MDR to combat ransomware and RaaS.

1: Access to diverse security expertise

The cybersecurity skills shortage continues to leave budget-strapped organizations vulnerable to data breaches. Even companies that do have in-house experts can find themselves overwhelmed by a constant barrage of alerts, contributing to security fatigue and burnout over time. But with MDR, organizations can add expertise without adding to the headcount, tapping into a community of skilled cyber veterans who know how to parse through false positives and separate real threats from the noise.  

2: Active threat intelligence

MDR vendors relay threat intelligence on an ongoing basis to the customer, providing weekly and monthly reports of network activity and periodically sharing insights into security investigations or alerts meriting customer attention. The MDR vendor can provide customers access to a dashboard where they can view real-time alerts, scheduled reporting, and other intelligence that threat hunters have collected in their investigations. The vendor can also conduct routine account health scans to inform customers of basic settings and configurations of endpoints in the network.

3: XDR and telemetry capabilities

MDR vendors combine extended detection and response tools, or XDR, with robust telemetries to gain continuous visibility and automated analysis of an organization’s entire information environment – including endpoints, cloud assets, network data, user identities and so on. Context is crucial to identifying suspicious behavior, and MDR vendors harness the full range of contextual data by leveraging third-party telemetry to investigate threats that escaped detection of basic tool sets. An added advantage is that if MDR detects a vulnerability in one customer’s environment, they can then fix that vulnerability within every other customer’s environment where it is present.

4: MDR providers have the expertise to integrate and understand third-party tools

Ransomware attacks and tools are evolving, and financial services have responded by acquiring a larger portfolio of third-party security tools. However, sometimes these tools resist being easily integrated with one another, which can reduce efficiency of how organizations respond to ransomware. MDR providers can assist organizations with integrating third party tools, even if those tools don’t belong to the MDR vendor. 

5: 24/7 monitoring and speed to response

MDR vendors tend to carry a much larger geographic footprint, employing multiple SOC teams around the world and at all hours of the day. Many attacks happen at night or over the weekend when criminals suspect the majority of the workforce is at home. Even if suspicious activity is flagged and an alert is generated, it could easily be lost in a multitude of other lookalike noise. But MDR personnel in charge of monitoring a customer’s network around the clock will have the resources to immediately thwart an attack before data or services are compromised. 

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.