Discovering Unknown Problems in the Alert Pipeline

Financial services institutions (FSIs) have become an increasingly common target for malicious actors. According to Boston Consulting Group, FSIs are 300 times more likely to face cyber attacks than other sectors, and the 2022 VansonBourne report noted that 94% of the FSIs it surveyed experienced a cyber attack in the last 12 months. 

Why? FSIs maintain a goldmine of personal and financial data that is particularly appealing to malicious actors. This data is also more accessible than ever before, due to digital transformation and cloud-based initiatives aimed at meeting customer demands for more digital products, services, and experiences. As a result, FSI security teams are left to grapple with the challenge of ensuring this sensitive data remains secure.  

To combat this challenge, a leading FSI adopted an innovative approach that utilized automated health checks for their incident response tools and processes. These health checks involve simulating realistic attack scenarios—a process that leverages the SafeBreach breach and attack simulation (BAS) platform—to validate the end-to-end efficacy of the organization’s security tools, alert and detection systems, and incident response workflows.

The FSI recently shared their approach at SafeBreach’s 2023 Validate Summit, a yearly event that brings together experts in the security community to discuss challenges, best practices, and key considerations for building a proactive security program. Read on to learn more about the specific challenges that motivated the FSI to take action, how they implemented the SafeBreach platform, and the benefits they’ve experienced by incorporating BAS into their security program.

---

Want to learn more about how SafeBreach can help financial services institutions? Visit our FSI resource hub.

---

The Motivation: Enhancing Detection and Incident Response

While this FSI had a mature security program in place, they faced a significant issue with their internal alert chain. Notifications around potential malicious activity often weren’t delivered to incident responders or were delayed—sometimes for several hours—due to the complex pipeline of technologies the alerts traversed. This created a critical, and somewhat invisible, gap that malicious actors could exploit. 

The Approach: Automating Health Checks with SafeBreach

To tackle these challenges, the FSI leveraged SafeBreach’s BAS capabilities to automate health checks of their security tools and incident response processes. They set out to answer two critical questions: 

• Were their detection mechanisms operational and effective?
• Could they confidently assert that their incident responders would have detected and responded to specific events? 

They began by using the SafeBreach platform to create scenarios that mimicked realistic attack techniques, including both known attacks and customized simulations. The key was to ensure they had an outcome in response to these attacks that could be definitively validated, either through alerts or incident response actions.

Next, they integrated both their ticketing system and security information and event management (SIEM) system with SafeBreach. This allowed them to establish a closed loop, where simulated attacks triggered notifications that traversed the typical alert pipeline to reach their incident responders, as they would in a real-world scenario. As a result, the customer was able to discover several issues, including: 

• Delayed alert log collection and processing with the SIEM. There were significant delays in log collection and processing, creating blind spots that could eventually lead to security incidents. SafeBreach closed the gap in delays by enabling the logs to be pushed through to the SIEM partner faster and more efficiently.
• Disrupted security alert ticketing processes. Whenever software updates or process changes occurred within the security alert ticket parsing system, it disabled the alerting process entirely. This left security analysts unaware of potential risks to the network. 
• Missing intrusion detection system (IDS) packet telemetry. The customer’s IDS wasn’t receiving alert logs. Since the flow of packet telemetry stopped, the system was unable to detect suspicious or malicious behavior.
• Missed digital certificate renewal deadlines. Automated certificate renewal notifications weren’t being generated when expiration dates neared. The consequences of this lapse could have been catastrophic with the unencrypted alert logs transmitting across the network.
• Disruptions to alerting system from firewall adjustments. Through the SafeBreach platform, the customer learned that if security analysts made network configuration changes and closed certain ports to protect the network from unauthorized access, then telemetry and monitoring capabilities were disabled.
• Corruption of log forwarding. The critical process of log forwarding to the SIEM was corrupted. This corruption presented challenges in maintaining the integrity of log data and the detection of possible security incidents.
• Exclusion of critical log information in the ticketing and alerting process. There was a significant issue in the ticketing and alerting process that stemmed from part of logs being unintentionally excluded, resulting in the ticketing process being disabled and alerts unsent.  

The Results: Gaining Confidence in Cybersecurity Posture

With this setup in place, the FSI was able to proactively monitor and validate their security tool stack. They could confirm that their detection tools effectively identified specific scenarios, and their incident response workflows were operational. This approach also enabled them to identify issues they might not have otherwise discovered. For instance, they uncovered previously unknown limitations with their ticketing system, service interruptions, and log corruption that could impact their cybersecurity posture.

By regularly running health checks utilizing the SafeBreach BAS platform, the FSI could:

• Validate the efficacy of their security tools and detection mechanisms using customized attack scenarios that accurately simulated real-world threats.
• Proactively identify alerting issues and discrepancies early, before they became critical.
• Establish and maintain confidence in their ability to detect and respond to threats effectively.
• Create end-to-end visibility with a closed-loop approach that triggered alerts, simulated response actions, and validated outcomes.

Looking to the Future

Automated health checks leveraging BAS have the potential to revolutionize the way organizations approach cybersecurity. By combining realistic attack simulations with robust validation mechanisms, organizations can ensure that their security posture remains strong and responsive in an ever-evolving threat landscape. It also lays a powerful framework to continually enhance the maturity of any security team. This FSI plans to expand the scope of their health checks beyond endpoint alerts to cover a broader range of event types, such as web application firewall (WAF) and email scenarios. They’re also working on automating the process of generating incidents based on the health check results to further streamline their incident response workflow.Interested to learn how other FSIs are leveraging BAS to transform their security programs? Check out our FSI resource hub or connect with a SafeBreach cybersecurity expert.