IT security and network teams at financial institutions around the world must address demands to rapidly adopt new technology, protect intellectual property, secure myriad commercial and custom applications, and comply with regulations. Meanwhile, they must also securely enable access to personal and corporate financial data from a variety of access points – retail bank branches, campus sites, mobile devices, ATM networks and third-party business partner networks – despite the increasing volume and sophistication of threats. The Security Reference Blueprint for Financial Services IT empowers institutions to address all these concerns, augment the security of their existing infrastructure, enable new applications, provide secure access to data and prevent advanced threats without disrupting vital business operations.
The Security Reference Blueprint for Financial Services IT enables institutions to augment the security of their existing infrastructure, enable new applications, provide secure access to data and prevent advanced threats without disrupting business operations. This approach allows institutions to more effectively focus on today's evolving security threats, protect customer and corporate data from compromise, better address the expanding scope of compliance, improve resilience and availability, and meet technological and competitive challenges, such as networked mobile devices or the adoption of cloud-based computing. All this can be accomplished with the Palo Alto Networks® Security Operating Platform while complementing existing security capabilities as part of a layered defense approach.
As the primary custodian of both personal and corporate financial assets and data, the financial services industry remains one of the largest targets for attack, sitting among the top five industries for security incidents and confirmed data loss. Cyberattackers seek to steal funds from accounts; obtain personally identifiable information, or PII, for identity theft or credit card fraud; "jackpot" ATMs; or destabilize global financial markets to further political or other agendas. At the same time, changing end-user preferences for mobile computing, open banking, and the shift toward software, infrastructure and platform as a service – SaaS, IaaS and PaaS – cloud-based extensions can increase business, operational and reputational risks if not appropriately secured. The combination of these realities with the growth in demand from customers, business partners and investors for anytime, anywhere access to their financial information, as well as the considerable regulatory, business and technological changes in financial services environments today, has increased the need for secure networks that can seamlessly evolve in response.
In addition to a steady diet of cyberattacks, the challenges financial institutions face include:
The complexity of these challenges is exacerbated by many institutions having acquired multiple security products that are oblivious to one another and cannot function cohesively, reducing their effectiveness. Some of this security infrastructure sprawl was intentional in support of the belief that "defense in depth" – the notion that if one system misses an attack or instance of malware, another will catch it – equates to "vendor in depth." Regardless, the sophistication of attackers outpaces the capabilities of stand-alone point products, leading institutions to buy the next "best" security technology once more to defend themselves.
Unfortunately, large financial institutions can neither easily unwind nor consolidate their legacy security packages without potentially opening themselves up to significant operational and business risk. To prevent today's threats, existing security infrastructures must be complemented or replaced, where possible, by a new and effective approach to security that incorporates key security principles focused on the current threat environment.
Such an approach can address the types of exposure and damage cited above as well as reduce inefficiencies caused by unauthorized applications or misuse of network resources. This paper discusses using the Palo Alto Networks Security Operating Platform to implement these principles to detect and prevent threats to financial institutions' networks, improving network efficiency while reducing complexity and unnecessary overhead. It also provides a way to secure these environments and gather intelligence about incursions to mitigate or eliminate damage from future attacks. Native integration and automation between the components of the platform work to prevent successful cyberattacks and enable your team to focus on what matters.
This Security Reference Blueprint for Financial Services IT describes a transparent, non-disruptive security framework that uses the capabilities of the Security Operating Platform to buttress and enhance the security of existing infrastructure. Using the blueprint enables IT security and networking professionals to:
The reference blueprint allows financial institutions to detect and prevent today's network threats as well as extend that protection to endpoints. In addition, it provides an opportunity to gather and correlate data about intrusions from multiple, integrated data collection points to help the platform evolve and keep pace with the adversary. The reference blueprint incorporates core security principles to effectively and efficiently protect an institution whether traffic travels within or outside its network; whether threats come from the inside or outside, known or unknown; and whether exposure is intentional or accidental.
These core security principles include:
The sections that follow address each of these principles in detail.
To effectively protect a financial institution, security and network teams must have visibility into applications, connected devices and individual users as well as their impact on security. Internal teams can make contextual, policy-based decisions about which applications to allow or block for specific user communities or groups. This provides much more flexibility when catering to the needs of specially designated network users or user groups while drastically reducing the volume of threats on the network.
Using a next-generation firewall to characterize applications, financial institutions can immediately reduce their threat exposure. Institutions can choose to block applications that carry the highest risk, such as peer-to-peer applications, immediately reducing the network's threat footprint, exposure to potentially malicious software and likelihood of data breaches.
To protect the network with this level of visibility, the Security Operating Platform can provide:
As part of the application policy creation process, financial institutions can approve applications by user group in context – ensuring access to the applications they need. It is important to note here that a port-based firewall, or port-based policies on any firewall, cannot tell which application is actually using a port, and therefore cannot judge whether that application is risky, sanctioned or of business value; it can only allow or deny the port, and anything that tunnels over an open port passes with it.
Application-based security policies can help control access in the following ways:
By implementing granular application identification instead of only port-based filtering, administrators can gain greater visibility and precise control, reducing risk significantly.
In some more recent targeted attacks, attackers have used spear phishing and social engineering techniques to gain initial access through unwitting victims. Many attackers can penetrate a target network, successfully establish a beachhead and remain undetected for a significant period while performing damaging actions.
The Zero Trust approach to enterprise network architecture, coined by Forrester Research, makes it very difficult for such adversaries to succeed and for everyday malware, or even malicious insiders, to move across the network. Based on verification of all users, devices and applications traversing your network, establishing Zero Trust boundaries effectively compartmentalizes your user groups, devices and/or data types, such as PCI and banking-regulated data.
Segmenting your network into discrete zones based on data criticality carries three major benefits:
Network segmentation can focus on isolating and protecting systems based primarily on the sensitivity of the data in the zone and the level of risk if that data is exposed. Next-generation firewalls can inspect all traffic entering a zone and use whitelisting to allow only known, expected traffic; the allowed traffic is still inspected for exploits, malware and other malicious activity, because "known" does not mean "safe."
This denies unknown traffic by default, so malicious traffic that does not match an allowed application cannot enter a zone. Next-generation firewalls can also be configured to control which users have access to data or applications within a zone. Additionally, segmentation reduces the effort required to demonstrate compliance by limiting reviews to only the zone or zones in which data of interest resides.
There are two separate but complementary segmentation strategies:
Zero Trust boundaries, zones or virtual segments in a network enable you to defend each zone from any malicious traffic entering or exiting that zone. To prevent malware activity and lateral movement of advanced attackers through a financial services network, it is necessary to apply the controls at all key entry and exit points. Examples of segmentation zones include:
Each zone in the network should be protected by a next-generation firewall, which brings several benefits. Beyond validating the whitelisted applications and their intended users, the Security Operating Platform performs several other important security functions on traffic entering and exiting a zone:
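The following block is an added example, not code from the original paper or from Palo Alto Networks. It models the zone-based whitelist described above as data and evaluates constructed flows against it: a flow is allowed only when an explicit rule matches its source zone, destination zone, user group and application, and an allowed application must also arrive on its default port (the "application-default" behaviour); everything else falls through to an implicit deny. Zone names, user groups, the rule set and the application-to-port table are all assumptions constructed for the example.

```python
"""Zone-based, application-aware allow-list evaluation (added example).

Hypothetical model of Zero Trust segmentation: every inter-zone flow is
denied unless a rule allows the (source zone, destination zone, user group,
application) combination, and the application is on its default port.
Zones, groups, applications and ports below are constructed sample data.
"""
from dataclasses import dataclass

# Default destination ports per application (constructed subset, hypothetical).
APP_DEFAULT_PORTS = {
    "ssl": {443},
    "web-browsing": {80},
    "ssh": {22},
    "mssql-db": {1433},
    "ms-ds-smb": {445},
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    user_group: str
    app: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    user_groups: frozenset      # {"any"} matches every user
    apps: frozenset
    service: str = "application-default"   # or "any"


def rule(name, src, dst, groups, apps, service="application-default"):
    return Rule(name, frozenset(src), frozenset(dst), frozenset(groups),
                frozenset(apps), service)


# Constructed rule set: three explicit allows, nothing else.
RULES = [
    rule("tellers-to-core-banking", {"branch"}, {"core-banking"}, {"tellers"}, {"ssl"}),
    rule("dba-to-pci-db", {"campus"}, {"pci"}, {"dba"}, {"mssql-db"}),
    rule("all-users-web-out", {"branch", "campus"}, {"internet"}, {"any"},
         {"web-browsing", "ssl"}),
]


def matches(r: Rule, f: Flow) -> bool:
    """True if the rule allows this flow, including the default-port check."""
    if f.src_zone not in r.src_zones or f.dst_zone not in r.dst_zones:
        return False
    if "any" not in r.user_groups and f.user_group not in r.user_groups:
        return False
    if f.app not in r.apps:
        return False
    if r.service == "application-default":
        # The application must use its standard port; a known app tunnelled
        # over an unusual port does not match and falls through to deny.
        return f.dst_port in APP_DEFAULT_PORTS.get(f.app, set())
    return True


def evaluate(f: Flow, rules=RULES):
    """First matching rule wins; no match means implicit deny."""
    for r in rules:
        if matches(r, f):
            return ("allow", r.name)
    return ("deny", "implicit default deny (no rule matched)")


if __name__ == "__main__":
    samples = [
        Flow("branch", "core-banking", "tellers", "ssl", 443),       # allowed
        Flow("branch", "core-banking", "procurement", "ssl", 443),   # wrong group
        Flow("branch", "core-banking", "tellers", "ssl", 8443),      # odd port
        Flow("campus", "pci", "dba", "ssh", 22),                     # app not allowed
        Flow("branch", "campus", "tellers", "ms-ds-smb", 445),       # lateral movement
    ]
    for s in samples:
        print(s, "->", evaluate(s))
```

The point the model makes visible is that three distinct things must all line up for a packet to cross a zone boundary: the zone pair, the identity behind it and the identified application on its expected port. A port-based rule would have let the 8443 and the SMB flows through.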
Although Zero Trust should be the ultimate goal, many financial institutions have essentially open internal networks and may still perceive it as a significant challenge. However, even taking a few steps toward Zero Trust network segmentation can help institutions better protect critical financial functions and sensitive information, reduce the exposure of vulnerable systems, and prevent movement of malware through their networks. As a recent example, after a series of successful attacks on its members, SWIFT imposed a set of mandatory security controls that includes the separation of local SWIFT-related infrastructure from the rest of a financial institution's IT environment.
In addition to application visibility and network segmentation, there are a few other considerations for your network to ensure effective security across the cyberattack lifecycle.
Although network segmentation addresses the protection of "north-south" traffic entering and exiting data centers as well as that of "east-west" traffic between applications in their own segments within data centers, it's worth noting a few more considerations for these environments:
The move from traditional data center architecture to hybrid cloud infrastructure is a growing trend in the financial services industry. Implementing virtualization for existing applications within a data center reduces costs, enhances business flexibility and may even improve security. Moreover, since Palo Alto Networks next-generation firewalls have the same features across physical and virtual form factors, virtualization lays a foundation that simplifies future cloud migration.
Although security concerns have made the financial services industry relatively slow to adopt the public cloud, many institutions are now taking steps to explore it, if not embrace it. In line with their multi-vendor approach, many financial institutions will likely adopt more than one public cloud provider for diversity and flexibility.
For more peace of mind, continuous monitoring of public clouds allows institutions to deploy applications with confidence, knowing that security is enabled. Moreover, financial institutions can achieve continuous compliance by analyzing the configurations of all cloud services and account settings against organization- or industry-defined controls.
Additionally, extending next-generation security capabilities to your SaaS environments and cloud storage services is important to protect data from accidental disclosure and from threats originating in the public cloud.
To effectively protect all endpoints on the network, IT teams should enforce the Zero Trust model everywhere, down to laptops, desktop PCs and servers.
Attention should be paid to endpoints vulnerable to external threats that could affect critical business processes. For example, endpoints dedicated for use by business process outsourcing or third-party software developers may warrant greater protection than employee desktop PCs. Even employee endpoints are not all created equal; desktop PCs for bank tellers or financial advisers may be more valuable targets than those of the procurement team.
Your endpoint security strategy should cover all endpoints, including virtual and physical desktops, laptops, servers, and ATMs, regardless of patch or software update level.
The two main threats to endpoints are executable malware and exploits that target specific application vulnerabilities. It is critical to protect against both, but exploit prevention is particularly important, even within whitelisted applications, as zero-day threats can appear at any time.
To effectively protect the endpoint:
Security and IT teams should also enforce the Zero Trust model for mobile and specialized devices, of which there are three major categories to consider: Windows® or Mac® laptops; smartphones and tablets; and specialized devices, such as ATMs and point-of-sale terminals. Depending on the type of device, you should implement the following capabilities in your security program for mobile devices where possible:
You must handle advanced attacks and zero-day malware quickly, using automation to ensure threat prevention immediately upon discovery. This is critical to prevent subsequent evasion and further attack attempts. When any unknown file attempts to enter a trusted perimeter or network zone, that file should be thoroughly inspected in an advanced malware execution environment for static and dynamic analysis, with multiple means to address evasion techniques. Finally, automatically generated protections against any newly discovered threats should be published to all subscribed next-generation firewalls. WildFire distributes new protections automatically in as few as five minutes, in addition to pushing information on newly discovered command-and-control domains and other malicious websites to URL filtering databases.
Cohesion between IT, cybersecurity and intelligence professionals reduces the danger threats pose to your network. Coordinating your endpoint, data center, networking and security teams will help your institution fully understand the potential threats to your network, ensure immediate access to priority events, and enable automatic sharing and distribution of intelligence.
With interoperability across all the security capabilities discussed here, the Security Operating Platform makes this coordination and collaboration easy. Individual next-generation firewall and management appliance views can be customized for each administrator or department while maintaining shared views into alerts and other activities of interest across your network. Refer to the next section for an overview of specific capabilities that improve reporting and threat intelligence correlation.
The key security principles outlined in this paper can be fully realized with the capabilities of the Palo Alto Networks Security Operating Platform to protect your institution from endpoint to network core to cloud. This section provides a high-level reference blueprint for financial services IT that incorporates the described principles using the Security Operating Platform.
Figure 1: Security Reference Blueprint for Financial Services IT
Although your unique network requirements will guide your architecture decisions, including appropriate network segmentation, the financial institution network in this example is segmented into a "demilitarized zone," or DMZ; a data center zone; private and hybrid clouds; internal corporate access points for campus and remote offices; and external zones for third parties, such as partners, vendors and customers. Within the data center, further segmentation by line of business, such as consumer banking, institutional banking and corporate services, is also depicted.
Palo Alto Networks next-generation firewalls, physical or virtual, can scan all traffic entering and leaving different zones to guard against malicious payloads or inappropriate data leakage, and enforce policies that make use of application, user and content identification.
The DMZ, which is externally facing, as shown in Figure 1, has several functions. The outer portion of the DMZ provides the primary line of defense, including protection against DDoS attacks. The DMZ proper contains externally visible resources such as web servers and web proxies. Finally, the inner portion controls traffic headed for the internal network and can provide first-level URL and content filtering for outbound traffic. Credential theft prevention – blocking the submission of corporate credentials to external phishing websites – can also be performed at the perimeter firewall.
Although Figure 1 depicts a single NGFW for the network perimeter, it can also easily be designed with a separate security appliance for each external entry point or function. For example, separate NGFWs may service inbound customer traffic via the internet and traffic from third-party partners, respectively. This separation may be warranted to reduce the fault domain and suit business-specific change control windows.
A separate NGFW controls north-south traffic into and out of the data center zone. Using the Zero Trust model, the NGFW rejects all but whitelisted traffic to ensure only authorized applications, users or content can traverse the network. Network segmentation of resources by function, such as development, test or production, is another option in the data center.
The use of private and public clouds is growing, and both can benefit from the protection of next-generation firewalls – physical or virtual in the private cloud, virtual in the public cloud. Palo Alto Networks VM-Series virtualized next-generation firewalls support the same security features as their physical counterparts to safely enable applications flowing into and across your private, public and hybrid cloud computing environments. VM-Series firewalls work with many popular hypervisors and public cloud service providers.
For orchestration, Palo Alto Networks offers an XML management API that enables external cloud orchestration software to connect over HTTPS (TLS) to manage and configure next-generation firewalls. The fully documented API, which uses HTTP requests in a REST style, allows configuration parameters to be viewed, set and modified as needed; API keys inherit the role of the administrator account they were generated for and should be protected like any other privileged credential. Turnkey service templating can be defined for cloud orchestration software so that the security features within the next-generation firewall become part of the data center workflow. Palo Alto Networks Panorama™ network security management can ensure policies keep pace with the rate of change to your virtualized workloads.
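As an added example (written for this page, not Palo Alto Networks' own tooling), the block below builds the three XML API requests an orchestration workflow typically needs, obtaining a key, setting an address object and committing, and checks the response envelope the firewall returns. The request shapes (type=keygen, type=config with action=set and an xpath/element pair, type=commit) are the documented ones; the hostname, object name and CIDR are hypothetical, and the single function that touches the network, send_request(), is not called here so the rest runs offline.

```python
"""PAN-OS XML API request construction and response checking (added example).

Standard library only. FW_HOST, the object name and the CIDR are
hypothetical; send_request() is the only networked function.
"""
import ipaddress
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FW_HOST = "fw-dc-edge.example.internal"   # hypothetical management address
# Configuration xpath of the default vsys on a single-vsys firewall.
VSYS_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/vsys/entry[@name='vsys1']")
# Conservative allow-list so an object name can never break the XPath predicate.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,62}$")


class PanApiError(RuntimeError):
    """Raised when the firewall answers with status != success."""


def keygen_params(user, password):
    """Exchange admin credentials for an API key; store the key, not the password."""
    return {"type": "keygen", "user": user, "password": password}


def address_object_params(key, name, cidr):
    """Create or overwrite an address object under the vsys address tree."""
    if not SAFE_NAME.match(name):
        raise ValueError(f"unsafe object name: {name!r}")
    network = ipaddress.ip_network(cidr)      # rejects malformed or host-bit input
    xpath = f"{VSYS_XPATH}/address/entry[@name='{name}']"
    element = f"<ip-netmask>{network}</ip-netmask>"
    return {"type": "config", "action": "set", "key": key,
            "xpath": xpath, "element": element}


def commit_params(key):
    """Commit the candidate configuration to the running configuration."""
    return {"type": "commit", "cmd": "<commit></commit>", "key": key}


def response_status(body):
    """Return (status, code) from the <response> envelope."""
    root = ET.fromstring(body)
    return root.get("status"), root.get("code")


def parse_response(body):
    """Return the parsed response, or raise if the firewall reported an error.

    Most failures arrive as HTTP 200 with status="error", so checking only
    the HTTP status code is not enough.
    """
    root = ET.fromstring(body)
    if root.get("status") != "success":
        msg = " ".join(t.strip() for t in root.itertext() if t.strip())
        raise PanApiError(f"status={root.get('status')} code={root.get('code')}: {msg}")
    return root


def extract_key(body):
    """Pull the API key out of a successful keygen response."""
    return parse_response(body).findtext("./result/key")


def send_request(params, host=FW_HOST, timeout=15):
    """POST so the key or password stays out of URL logs, and verify the
    TLS certificate against the system trust store; never disable
    verification for the management plane."""
    ctx = ssl.create_default_context()
    data = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(f"https://{host}/api/", data=data,
                                timeout=timeout, context=ctx) as resp:
        return parse_response(resp.read())
```

In a real workflow the three calls are sent in order through send_request(); the two checks worth keeping from this example are the input validation on anything that ends up inside the xpath and the refusal to treat an HTTP 200 as success without reading the status attribute.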
To address the IaaS use case, the Palo Alto Networks virtual next-generation firewall is supported on the three most prominent public cloud service providers. Adoption of cloud-delivered services, such as Salesforce® and Office 365®, continues to grow among financial institutions as well. Additionally, applications may make use of object storage, caching and database platforms in the cloud. Securing access to such SaaS and PaaS offerings is accomplished by a combination of the next-generation firewall, Aperture™ SaaS security service and Evident. The NGFW provides inline protection of the cloud workload through application visibility at the network level.
Aperture offers data classification, data leakage protection and threat prevention for data in SaaS environments. Evident monitors public cloud resources and storage services, and generates compliance reporting on cloud security. Both Aperture and Evident utilize APIs from public cloud service providers to obtain visibility into those environments.
Traffic from retail branch offices or campus sites reaches the corporate data center zone via wide area networks – including software-defined wide area networks – or internet connections. Desktop computers, mobile devices and servers in these locations may be protected by a local NGFW. Different departments at these remote locations may also be segmented from one another to limit exposure in the event of a compromise.
Whether in the data center or in a remote office, current software levels on endpoints are difficult to maintain due to challenges with patch management. Palo Alto Networks Traps™ advanced endpoint protection, with its multi-method prevention techniques for malware and exploits, can serve as a compensating control as well as a suitable replacement for antivirus.
Traps can protect Windows, macOS® and Linux endpoints to ensure that exploits against vulnerable systems, regardless of patch status, are immediately thwarted. Rather than relying on signatures, the Traps agent blocks the techniques an attack must use to succeed, such as thread injection. When it discovers unknown executable files, the Traps agent automatically engages WildFire threat analysis to assess potential malicious behavior. Traps can protect physical endpoints as well as virtual desktops and servers.
Palo Alto Networks GlobalProtect™ network security for endpoints can protect remote and/or mobile devices, including PCs and handheld devices. To create logical network segmentation, GlobalProtect uses an IPsec tunnel and enforces security policy within the internal network, where partitioning with a physical NGFW is not feasible.
Panorama network security management enables you to control your distributed network of next-generation firewalls from a central location via a physical or virtual machine in your private or public cloud. You can view NGFW activity, manage all aspects of device configuration, push global policies, and generate reports on traffic patterns or security incidents, all from a single console. Panorama reduces network complexity with logical, functional device groups, simplifies network management with global policy control, and reduces the time threats linger on your network with actionable data highlighting critical information for response prioritization. Leading automated threat correlation connects the dots between indicators of compromise across your entire network, enabling you to detect advanced threats that would otherwise go unnoticed.
Within your financial services network, Palo Alto Networks AutoFocus™ contextual threat intelligence service provides prioritized, actionable security intelligence on attacks that merit immediate attention. AutoFocus builds on billions of threat artifacts from more than 24,000 WildFire subscribers and applies unique, large-scale statistical analysis, human intelligence from the Palo Alto Networks Unit 42 threat intelligence team, and tagged indicators from your organization as well as a global community of cybersecurity experts. AutoFocus provides full context on attacks, such as the perpetrators, their tactics and any indicators of compromise present on the network. Moreover, AutoFocus can filter security intelligence explicitly for the financial services industry.
Specific industries often face multiple attacks by the same adversary, highlighting the need to share intelligence within the community. Palo Alto Networks cloud-delivered threat intelligence enables rapid sharing of threat signatures so that all parties can benefit from threats discovered across all organizations and within your industry. AutoFocus enables organizations within a given industry to understand what others have already seen on their networks.
You can also integrate public, private and commercial intelligence feeds with MineMeld™ threat intelligence syndication engine, available as an open source tool or as part of AutoFocus. Additionally, MineMeld can automatically create new prevention controls for Palo Alto Networks next-generation firewalls based on aggregated intelligence.
For even greater visibility into malicious activities within your environment, Magnifier™ behavioral analytics profiles user and device behavior and generates alerts on anomalies indicative of attacks. By applying machine learning and cloud-delivered behavioral analytics on rich network, endpoint and cloud data, Magnifier can quickly find and stop targeted attacks, insider abuse and compromised endpoints.
When you're ready to realize the threat prevention benefits of the Security Operating Platform, the Expedition migration tool makes it easy to migrate from IP/port-based firewall rules in legacy firewalls to application-based rules in Palo Alto Networks next-generation firewalls while minimizing the risks of the change. Beyond converting your firewall rules into a PAN-OS® security policy, Expedition uses machine learning to generate additional security policies based on actual traffic flows and compares your configuration against recommended best practices.
Even with Expedition, a phased approach via documented change control is recommended. Successful deployments typically first involve a like-for-like migration of firewall rules to the Palo Alto Networks next-generation firewalls. After about 15 days, your deployment team will use the Expedition tool to begin the iterative process of defining application-based policies to replace your legacy port-based rules. After the last migration phase, port-based rules are removed, and only the application-based policies remain.
In future phases, your deployment team can work with your institution's different lines of business to restrict access to individual applications based on User-ID™ technology, either via Active Directory® security groups or location-based user IP address ranges.
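The iterative step described above, turning observed traffic on a legacy port-based rule into an application-based replacement, is easy to get wrong if every application seen in the logs is simply copied into the new rule. The block below is an added example written for this page, not the Expedition tool, that works through that step on constructed traffic-log records shaped loosely after PAN-OS traffic-log fields (rule, zones, application, destination port). It proposes an application-default rule from the applications seen on their standard ports and puts everything else on a review list: unidentified applications, applications seen only a handful of times, and known applications appearing on non-standard ports. The log contents, rule names, threshold and the application-to-port table are all assumptions for the example.

```python
"""Deriving an application-based rule from traffic logs (added example).

Not Expedition; an illustration of the migration step. SAMPLE_LOG is a
constructed CSV modelled on a few PAN-OS traffic-log fields, and
APP_DEFAULT_PORTS is a constructed subset of default ports.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample data: sessions matched by two legacy port-based rules.
SAMPLE_LOG = """rule,from_zone,to_zone,app,dport
legacy-branch-to-dc,branch,datacenter,ssl,443
legacy-branch-to-dc,branch,datacenter,ssl,443
legacy-branch-to-dc,branch,datacenter,ssl,443
legacy-branch-to-dc,branch,datacenter,web-browsing,80
legacy-branch-to-dc,branch,datacenter,web-browsing,80
legacy-branch-to-dc,branch,datacenter,ssh,22
legacy-branch-to-dc,branch,datacenter,unknown-tcp,8080
legacy-branch-to-dc,branch,datacenter,unknown-tcp,8080
legacy-branch-to-dc,branch,datacenter,ssl,8443
legacy-branch-to-dc,branch,datacenter,ssl,8443
legacy-partner-in,partner,dmz,ftp,21
"""

APP_DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}, "ssh": {22}, "ftp": {21}}


def load_log(text):
    """Parse CSV traffic-log rows; ports become integers."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["dport"] = int(r["dport"])
    return rows


def summarise_rule(rows, rule_name):
    """Map application -> Counter of destination ports for one legacy rule."""
    summary = defaultdict(Counter)
    for r in rows:
        if r["rule"] == rule_name:
            summary[r["app"]][r["dport"]] += 1
    return summary


def propose_app_rule(summary, rule_name, min_sessions=2):
    """Build an application-default rule from the traffic a legacy rule carried.

    Only applications seen on their default ports often enough are allowed;
    everything doubtful is listed for human review instead of being copied
    into the new policy.
    """
    allowed, review = [], []
    for app, ports in sorted(summary.items()):
        total = sum(ports.values())
        if app.startswith("unknown-"):
            review.append(f"{app}: {total} session(s); identify the real application first")
            continue
        if total < min_sessions:
            review.append(f"{app}: only {total} session(s); confirm with the owner")
            continue
        std = APP_DEFAULT_PORTS.get(app, set())
        odd = sorted(p for p in ports if p not in std)
        if odd:
            review.append(f"{app}: seen on non-standard port(s) {odd}; investigate before adding a service")
        if ports.keys() & std:
            allowed.append(app)
        else:
            review.append(f"{app}: never seen on its default port; do not allow yet")
    return {
        "name": f"{rule_name}-app",
        "applications": allowed,
        "service": "application-default",
        "review": review,
    }


if __name__ == "__main__":
    rows = load_log(SAMPLE_LOG)
    proposal = propose_app_rule(summarise_rule(rows, "legacy-branch-to-dc"),
                                "legacy-branch-to-dc")
    print(proposal["name"], "allows", proposal["applications"],
          "with service", proposal["service"])
    for item in proposal["review"]:
        print("REVIEW:", item)
```

Run against the sample, the branch-to-data-center rule collapses to ssl and web-browsing on application-default, while ssh (a single session), unknown-tcp on 8080 and ssl on 8443 stay on the review list. That review list, not the proposed rule, is where the port-based legacy policy was hiding its risk.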
Financial institutions that implement effective security controls with a network segmentation focus can protect critical operational environments and data against compromise. In an environment characterized by legacy platforms, multiple point products and diverse content sources, the great challenge is to implement new security controls that reduce the attack surface and improve protection without causing disruption and outages. Properly deployed as outlined above, the Security Reference Blueprint for Financial Services IT can improve legacy network efficiency and defeat advanced attacks by positively controlling applications, users and content everywhere across the network, all while enabling even the most demanding business users. Notably, your financial institution can start its journey with the Palo Alto Networks Security Operating Platform at the network perimeter, on endpoints, in the cloud or anywhere in between to complement your existing security investments. Adopting additional elements of the platform will further improve your cybersecurity posture.