In an increasingly vulnerable world where there’s a high-profile hack almost every other week, network security has never been more urgent. However, there are multiple challenges that hinder tech teams from effectively and efficiently securing their companies’ networks, especially in the electronic trading environment in the world’s financial markets.
Financial markets are possibly the most vulnerable industry, where the importance of safeguarding data is critical, and algorithmic electronic trading has transformed IT infrastructure and necessitated new ways of thinking about security and analytics. Fergal Toomey and Graham Ahearne explore the challenge of ensuring network security—a vital job as financial organizations are increasingly targeted, evidenced by the recent high-profile SWIFT hacks—and share key lessons learned from their experiences safeguarding electronic trading environments at Corvil, the end-to-end analytics provider used by the world’s largest stock exchanges and leading global banks and brokerages to monitor transactions worth billions of dollars every day.
Fergal and Graham begin by walking you through some of the challenges in securing the network. Attackers are capitalizing on technological advancements to conduct their end-to-end attacks faster, while networks are increasingly becoming perimeter-less. Companies also have more of their IP and core value in their data, which is being transacted on the networks every minute. Further, when coupled with the increase in data volumes, rates, and complexity, it is more difficult to know when abnormal activity is occurring in the network, and the current explosion in device types, such as those part of the IoT, introduces a new entry point for adversaries. All of these challenges to securing the network revolve around data, and the effectiveness of an IT team’s insights and abilities is directly tied to how reliable, effective, granular, and live its data source is.
Fergal and Graham then share advice for successfully using data to secure a high-volume network, explaining the advantages that can be achieved by moving beyond flow-level data to leverage application-layer detail and how this information can be used to model the behavior of both users and machines—and ultimately detect and rank security threats. When the user is the core of the attack activity, using IP alone leads to dead ends and an incomplete picture; similarly, only using signatures would not detect certain aspects of an attack. Instead, tech teams must be able to map out a user’s normal activity in order to spot deviations. Packet data provides a uniquely valuable source of information for this, allowing a network tap and machine time analytics to build a very rich picture of activity and drill down to a forensics level of detail, so as to replay traffic/exploits, extract file artifacts, or prove compliance.
Fergal and Graham conclude by highlighting how machine learning and machine time network data analytics can solve these challenges by effectively monitoring and safeguarding trading environments and demonstrate the benefits of integrating machine-learning approaches with user context and threat intelligence for correlation and cross-validation of results. Automation can help prioritize events detected by other means and also provides a unique way to detect attack vectors for which signature rules do not yet exist but which can potentially be identified as a deviation from normal behavior in an unsupervised learning context. From their experiences safeguarding financial markets, Fergal and Graham explain how to process packet data at very high volumes for machine time processing and machine-learning analytics and address some of the challenges and vulnerabilities of machine learning and machine time network data analytics—specifically, they note the complexity of building models from network data sources, including the diversity of protocols and applications seen in typical large-scale IT environments, and the range of different behaviors observed.
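The two ideas above, keying behaviour to the user rather than the IP and flagging deviations from each user's own baseline without a signature, can be shown concretely. The following is an added example, not Corvil's code or anything from the talk: it builds per-user profiles from constructed application-layer records (the kind of field a packet tap could decode, with hypothetical action names such as `ORDER_NEW` and `REPORT_DOWNLOAD`), then scores a later window against those profiles. Note that `alice` appears from a different client IP in the live window and is still compared against her own history, which an IP-keyed baseline would miss.

```python
"""Per-user behavioural baselining over application-layer records.

Added example. Each record is what a packet-level tap could decode from a
trading-floor session (user, client IP, application action, bytes). All
records and action names below are constructed for illustration.
Profiles are keyed by user, not IP, so a user moving between workstations
is still scored against their own history.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed baseline window: "timestamp user client_ip action bytes"
BASELINE_LOG = """\
09:00:01 alice 10.1.1.10 LOGIN 312
09:00:05 alice 10.1.1.10 ORDER_NEW 640
09:00:09 alice 10.1.1.10 ORDER_NEW 655
09:00:15 alice 10.1.1.10 ORDER_CANCEL 420
09:01:02 alice 10.1.1.10 ORDER_NEW 630
09:01:40 alice 10.1.1.10 MARKET_DATA_SUB 1200
09:00:02 bob 10.1.1.22 LOGIN 300
09:00:30 bob 10.1.1.22 REPORT_DOWNLOAD 52000
09:05:00 bob 10.1.1.22 REPORT_DOWNLOAD 48000
09:10:00 bob 10.1.1.22 REPORT_DOWNLOAD 51000
09:12:00 bob 10.1.1.22 LOGOUT 280
"""

# Constructed live window, scored against the baseline. alice has moved
# to a new client IP; bob does something he never did before and one
# download far larger than his usual reports.
LIVE_LOG = """\
13:00:01 alice 10.1.1.31 ORDER_NEW 645
13:00:07 alice 10.1.1.31 REPORT_DOWNLOAD 2400000
13:00:09 bob 10.1.1.22 REPORT_DOWNLOAD 50000
13:00:12 bob 10.1.1.22 ORDER_NEW 640
13:00:20 bob 10.1.1.22 REPORT_DOWNLOAD 2000000
"""


@dataclass(frozen=True)
class Record:
    ts: str
    user: str
    ip: str
    action: str
    nbytes: int


def parse_log(text):
    """Parse the constructed space-separated format into Record objects."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, nbytes = line.split()
        out.append(Record(ts, user, ip, action, int(nbytes)))
    return out


def build_baselines(records):
    """Per-user profile: which actions they perform and typical bytes per action."""
    sizes = defaultdict(lambda: defaultdict(list))
    for r in records:
        sizes[r.user][r.action].append(r.nbytes)
    profiles = {}
    for user, per_action in sizes.items():
        profiles[user] = {
            action: (mean(v), pstdev(v), len(v)) for action, v in per_action.items()
        }
    return profiles


def score_record(profiles, r):
    """Return (score, reason). Higher means further from the user's own normal."""
    profile = profiles.get(r.user)
    if profile is None:
        return 5.0, "user has no baseline"
    if r.action not in profile:
        return 4.0, f"action {r.action} never seen for {r.user}"
    mu, sigma, _n = profile[r.action]
    # Small baselines can have zero spread; floor sigma at 10% of the mean
    # so a single repeated value does not make every deviation infinite.
    sigma = max(sigma, 0.1 * mu)
    z = abs(r.nbytes - mu) / sigma
    return min(z, 10.0), f"bytes z-score {z:.1f} vs {r.user}'s {r.action} baseline"


def rank_alerts(profiles, records, threshold=3.0):
    """Score every live record and return those above threshold, highest first."""
    alerts = []
    for r in records:
        score, reason = score_record(profiles, r)
        if score >= threshold:
            alerts.append((score, r, reason))
    alerts.sort(key=lambda a: a[0], reverse=True)
    return alerts


if __name__ == "__main__":
    profiles = build_baselines(parse_log(BASELINE_LOG))
    for score, rec, reason in rank_alerts(profiles, parse_log(LIVE_LOG)):
        print(f"{score:5.1f}  {rec.ts} {rec.user}@{rec.ip} {rec.action} {rec.nbytes}B  {reason}")
```

Run as a script it prints three ranked alerts: bob's 2 MB download (capped z-score of 10), then alice's never-seen `REPORT_DOWNLOAD` and bob's never-seen `ORDER_NEW` at the novelty score. The "never seen" path is the unsupervised case the talk describes: there is no rule for it, only the absence of that action in the user's history. Scoring the baseline window against itself produces no alerts, which is the sanity check to run before deploying any such profile.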
Graham Ahearne is director of product management for security analytics at Corvil, where he is actively building the next generation of accelerated threat detection and investigation, powered by true real-time analysis of network data. A recognized industry expert, Graham has been advising and building information security solutions for Fortune 500 companies for over 15 years. His expertise and experience span a broad range of information security technology types, with a specialist focus on network forensics, security analytics, threat intelligence, managed services, and host-based security controls. Graham is a Certified Information Systems Security Professional (CISSP).
Fergal Toomey is a specialist in network data analytics and a founder of Corvil, where he has been intensively involved in developing key product innovations directly applicable to managing IT system performance. Fergal has been involved in the design and development of innovative measurement and analysis algorithms for the past 12 years. Previously, he was an assistant professor at the Dublin Institute for Advanced Studies, where he was a member of the Applied Probability Group, which also included Raymond Russell, Corvil’s CTO. Fergal holds an MSc in physics and a PhD in applied probability theory, both from Trinity College, Dublin.
©2017, O’Reilly UK Ltd