The Cybersecurity arms race, the best defenses, the biggest risks: Corvil’s David Murray explains
As we face an increasingly algorithmic, bot-oriented world, it’ll be a battle of who has the better machine learning algorithms to either attack or protect a company’s assets, says Corvil’s David Murray.
The latest cyber attacks on corporate networks have raised concerns across many industries, including the online trading sector. How vulnerable are trading networks and what is the best way to protect them? FinanceFeeds has turned to David Murray, Chief Business Development Officer at Corvil, the company that aims to safeguard businesses in a machine world.
Mr Murray has kindly agreed to share his perspective on a variety of cybersecurity topics, ranging from the role of robots, to MiFID II and the amount of money to spend on protecting a company’s assets.
- Cyber security is high on the agenda now. Companies know about protocols, encryption, and multiple-level authentication. What are they missing when they think of cyber security?
While companies are employing increasing measures to safeguard their business, something frequently overlooked in enterprise security is that breaches can come from within more often than not. For example, employees, unbeknownst to them, could plug compromised devices back into the network, or gain access to unauthorized areas of the network through rogue activity. As Gartner Group indicated in a 2016 note: “All organizations should now assume that they are in a state of continuous compromise.”
That’s why it’s important for companies to prioritize network visibility and implement solutions to better detect anomalies and identify sources of potential threats. The rich communications flowing over the network provide insight into historical blind spots such as uninstrumented, mobile, and smart devices; cross-device user activity and behavior; and specific file access and transfer details (including those directly from network-attached storage devices).
Further, companies should educate non-IT employees on best practices for network security. Whereas cybersecurity has historically been more about building up a perimeter, this sort of thinking is now naive, because hackers are presumably everywhere already. Cyber security teams will increasingly realize the importance of surveillance — monitoring what’s being accessed, user behaviors, and what the communication patterns are within the network.
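As an added illustration of the network-visibility monitoring described in the answer above (this is example code written for this page, not code from the interview or from Corvil's products), the following Python builds a per-user baseline of devices used, destinations reached and transfer sizes from a known-good window of access records, then flags later records that deviate from it. The record format, field names, the business-hours window and the volume-spike factor are all assumptions chosen for the example; the records themselves are constructed.

```python
"""Baseline-and-deviation checks over constructed network access records.

Added example for illustration only; not Corvil's code. The comma-separated
record format, the field names, BUSINESS_HOURS and VOLUME_FACTOR are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Record:
    ts: datetime
    user: str
    src: str       # device the user acted from
    dst: str       # server or NAS share reached
    action: str    # "read" or "write"
    nbytes: int    # bytes transferred


@dataclass
class Baseline:
    devices: set = field(default_factory=set)   # devices this user normally acts from
    dests: set = field(default_factory=set)     # destinations this user normally reaches
    max_bytes: int = 0                          # largest single transfer seen


BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 counts as in-hours
VOLUME_FACTOR = 10             # assumption: >10x the user's largest baseline transfer is a spike


def parse(line):
    """Parse one constructed record: ISO timestamp,user,src,dst,action,bytes."""
    ts, user, src, dst, action, nbytes = line.strip().split(",")
    return Record(datetime.fromisoformat(ts), user, src, dst, action, int(nbytes))


def build_baseline(records):
    """Summarise a known-good window of records into one Baseline per user."""
    base = defaultdict(Baseline)
    for r in records:
        b = base[r.user]
        b.devices.add(r.src)
        b.dests.add(r.dst)
        b.max_bytes = max(b.max_bytes, r.nbytes)
    return base


def score(record, base):
    """Return the list of deviations a single record shows against the baseline."""
    b = base.get(record.user)
    if b is None:
        return ["unknown_user"]          # never seen in the baseline window
    findings = []
    if record.src not in b.devices:
        findings.append("new_device")      # cross-device use of an account
    if record.dst not in b.dests:
        findings.append("new_destination")  # reaching a share or host the user never touched
    if record.ts.hour not in BUSINESS_HOURS:
        findings.append("off_hours")
    if b.max_bytes and record.nbytes > VOLUME_FACTOR * b.max_bytes:
        findings.append("volume_spike")    # e.g. bulk pull from network-attached storage
    return findings


def detect(baseline_lines, new_lines):
    """Build the baseline from one set of lines and score another; return only hits."""
    base = build_baseline(parse(l) for l in baseline_lines)
    hits = []
    for line in new_lines:
        r = parse(line)
        findings = score(r, base)
        if findings:
            hits.append((r.user, r.src, r.dst, findings))
    return hits


# Constructed sample data (not real traffic).
BASELINE_LINES = [
    "2017-05-01T09:15:00,alice,ws-alice,nas-01,read,204800",
    "2017-05-01T10:02:00,alice,ws-alice,app-01,read,4096",
    "2017-05-02T11:30:00,alice,ws-alice,nas-01,write,102400",
    "2017-05-01T09:40:00,bob,ws-bob,git-01,read,51200",
    "2017-05-02T14:05:00,bob,ws-bob,git-01,write,8192",
]
NEW_LINES = [
    "2017-05-03T09:20:00,alice,ws-alice,nas-01,read,150000",      # normal: no finding
    "2017-05-03T02:10:00,alice,ws-bob,nas-01,read,5000000000",    # alice's account from bob's device at 02:10, 5 GB
    "2017-05-03T15:00:00,bob,ws-bob,nas-01,read,4096",            # bob reaching a share he never used
    "2017-05-03T16:00:00,carol,ws-carol,nas-01,read,1024",        # account absent from baseline
]
FINDINGS = detect(BASELINE_LINES, NEW_LINES)

if __name__ == "__main__":
    for user, src, dst, findings in FINDINGS:
        print(f"{user:6} {src:9} -> {dst:7} {', '.join(findings)}")
```

Two caveats a practitioner would want: the baseline window has to be trusted, and under the "continuous compromise" assumption quoted above an attacker already holding an account during that window would be baselined as normal, so the window should be reviewed, not just recorded; and per-user thresholds like `VOLUME_FACTOR` must be tuned per environment, or the result is exactly the false-positive load the answer warns about.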
- How exactly is MiFID II problematic for the performance of trading networks?
It isn’t so much that MiFID II is problematic for the performance of trading networks. As with many regulatory regimes, there are key requirements that drive technology solutions that may create overhead – many in the name of greater transparency, causal understanding and reconstruction of market events. For example, in the past, requirements for pre-trade risk checks, reporting, etc. drove new or additional technology and potentially impacted gross or net latency across trading environments or systems.
In the case of MiFID II, market participants must meet many new requirements including those related to real-time monitoring, surveillance, timestamping, clock synchronization, transaction capture and reporting, among others.
In terms of security, MiFID II in RTS 6 (e.g. requirements of investment firms engaged in algorithmic trading, providing direct electronic access and acting as general clearing members) requires that investment firms set up and maintain security to minimize risks of attacks, promptly report on breaches, implement safeguards against attackers, and ensure they monitor their access to IT systems to ensure traceability at all times.
Most banks have robust investments in overall information security. However, the implications to the financial system of a significant breach or manipulation of algorithmic trading activity are significant, as called out by ESMA, IOSCO, and the SEC.
Trading networks tend to be segmented from the rest of the enterprise infrastructure because they are high-volume, high-performance, critical environments. This segmentation generally leads to the perspective that these environments are not vulnerable.
In fact, given their volatility combined with the hackers’ increasing ability to disguise errant behaviors, and the likelihood of breaches involving hijacking of authorized user accounts, there are real risks. Most cybersecurity solutions (encryption, firewalls, endpoint agents, etc.) can interfere with the performance of the trading network, so there is a reluctance to employ them to that area of the network.
Independent of MiFID II (which is among a growing number of regulations now beginning to explicitly reference cybersecurity requirements), it is the risk to the global financial system of a breach in electronically traded markets that makes security for trading environments such an important topic. Today’s electronic trading businesses are looking to solve escalating concerns over cyber attacks while still demonstrating compliance with ever-evolving, increasingly complex regulations. Of course, the easier and more cost-efficient way they can do this without affecting their trading network, the better.
- Are you suggesting that current cyber security solutions risk disrupting the trades during peak hours? How is that possible? Would you explain?
Electronic trading environments are unique infrastructures that need to be highly optimized for performance and consistency. Just like racecars that cut out exhaust systems, airbags, and other measures to reduce weight and maximize speed, trading networks also need to eliminate overhead. Thus, there’s a general reluctance to burden those systems with current cyber security solutions and tools, like encryption, endpoint security, or firewalls. Firewalls add latency to traffic. Security agents on servers consume memory and other resources (and, should they crash, can sometimes affect the host on which they are running).
- Let’s talk money. How much should a firm (say, one of your typical clients) set aside for cyber security? Would you suggest an estimate as a percentage of expenses (budget) of that firm?
Global spend on cybersecurity has surpassed $75 billion and is expected to grow to well over $100 billion by 2020. Over the last year or two, JPMC announced they would be doubling spending to approximately $500M per annum. Bank of America’s CEO indicated a figure closer to $400M, but asserted that the budget was essentially unlimited.
This is an arms race in many ways, so there isn’t a clear figure or guidance of what the appropriate spend is. It depends on factors relating to the robustness of existing systems, current cybersecurity infrastructure, process maturity, and more.
It also depends on what the enemy spends and whether the firm is adopting a more aggressive posture. The “right amount” is whatever is necessary to defend against well-funded threat sources such as Hacktivism, Criminal Organizations, Espionage, and Nation States.
- Who, in your opinion, poses higher risk for cyber security: people or automated programs, that is, robots?
Bit of a chicken-and-egg question, isn’t it? People are almost always the weakest point in any environment, because they are, at times, emotional, unpredictable, careless, and susceptible to social engineering. Since people create automated programs or robots, is their weakness, risk, or oversight inherent in their creations?
Having said that, automation takes the stakes to a new level. A human misstep in the course of a second is a small fraction of what a computer can accomplish in the same time (potentially millions of instructions during that timeframe). As has always been the case, the more optimal the machine, the greater the impact of even a minor disruption.
At the same time, the best cybersecurity defenses today are based on living, breathing, and actively learning algorithms.
Ultimately, it’s the automated programs in the hands of the wrong people that pose the greatest risk. As we face an increasingly algorithmic, bot-oriented world, it’ll be a battle of who has the better machine learning algorithms to either attack or protect a company’s assets.
In financial markets, hackers don’t have to steal data or install ransomware or modify existing code. Although, as we saw last month in the case of the KCG employee employing malware in an attempt to steal their trading algorithms, that can happen. They may simply need to add, modify, or disrupt data inputs to an algorithm to create a certain behavior. Electronic trading environments are heavily automated, but they play such a huge role in the global economy, that a rogue trading algorithm (or a properly operating one with manipulated inputs) could do significant, wide-ranging damage to financial systems and consumer confidence. Whether they are nation state attackers, criminals, hacktivists, or simply careless employees, by manipulating a highly optimized machine, subtle disruptions can have a substantial impact.
- Would you highlight the biggest challenge in the area of cyber security? How does Corvil plan to handle it?
One of the biggest challenges in cyber security is simply having enough time and resources to truly monitor all aspects of an environment and protect company data. The ask of security professionals is a little like being tasked with finding contamination in the ocean, in that they must contend with everything from the determination of what constitutes “contamination” to the vastness of the surface area and depth, to the impact of external weather systems, to the implications or contribution of flora, fauna, or debris from within. Are there any definitive safe havens?
Recently Corvil released a virtual security expert, Cara, a solution that autonomously identifies anomalies and errant behaviors on trading networks and leverages machine learning to reduce false positives. Cara pinpoints areas for investigation, and reduces much of an analyst’s investigative workload by automatically running assessments he or she would otherwise have to carry out manually. Problems of this scale require a “consumption economics” approach to resolve. That is, Corvil looks to reduce the number of events a security team must investigate and then shorten the amount of time it takes to complete each investigation. Reducing a security team’s investigation time means the ability to more quickly apply expertise to mitigate real risk and take action when necessary.