Financial services (finserv) is one of America’s defined critical infrastructure sectors. The DHS summarizes, “The Financial Services Sector represents a vital component of our nation’s critical infrastructure. Large-scale power outages, recent natural disasters, and an increase in the number and sophistication of cyberattacks demonstrate the wide range of potential risks facing the sector.”
One specialized sub-section of finserv is the trading floor, which is increasingly automated. Traders deal in many billions of dollars every day, with buy or sell decisions often based on algorithms monitoring market conditions. The integrity of the trading floor — its systems and its algorithms — needs to be protected and validated. The consequences could be dire.
In October 2016, the value of sterling fell by 8% overnight. In this instance it was thought to be caused by an algorithm triggered by a negative comment from the French president following the UK’s Brexit vote — but it should not have happened.
That crash is attributed to faulty logic in an algorithm, but the same effect could be produced by malicious manipulation of an algorithm or of the market data it consumes. Guarding against such occurrences on many of the world's leading trading floors is Corvil, a Dublin-based firm that uses algorithms to monitor and protect trading activity.
But while trading networks have Corvil security analyzing trading patterns, they have very little traditional security software. Their problem is similar to that affecting OT networks and ICS — the priority is maintaining operation rather than adding new security overheads. For trading floors, the absolute priority is performance and minimal trading latency — speed is the trader’s primary advantage over competitors.
Nevertheless, financial exchanges are becoming increasingly concerned about their cyber security. Last month, a systems administrator at KCG, a global American securities trading firm, was arrested and accused of creating malware to steal valuable source code and encryption keys that gave him direct access to the data files at the core of the company's business. He was detected only because he attempted to log into an analyst's desktop at the same moment the analyst did, on a Saturday. His discovery was serendipitous, and he had already been exfiltrating data undetected for four months.
It is this known difficulty for the IT-centric CISO to see into the workings of the OT-centric trading network that is causing increasing concern in financial exchange organizations. A survey among members of the International Organization of Securities Commissions (IOSCO), Corvil's director of product management Graham Ahearne told SecurityWeek, highlighted particular concern over "financial and reputational impact; halting trading activity; ongoing disruption of the market and integrity compromise that might lower confidence in and the reputation of financial actors; the infiltration of multiple exchanges using a range of different types of cyber-attack techniques in tandem; data manipulation and compromise of data integrity; and the leaking of insider information on an ongoing basis…" In other words, all the security concerns of IT networks without any of their security controls.
Corvil already provides a streaming analytics platform to most of the world’s trading floors. It captures, decodes, and learns from network data on the fly. It detects anomalous trading behavior as it happens — but what it doesn’t do is detect the anomalous network behavior that might indicate the presence of a cyber intruder.
Today, Corvil has announced the new Corvil Virtual Security Expert, called Cara — a new tool that “acts as a virtual security expert that autonomously identifies vulnerabilities and possible attacks within the trading environments that often process trillions of dollars’ worth of transactions daily,” says Corvil. It operates on the existing Corvil platform and adds zero overhead to existing network speeds. It is largely just a different set of algorithms interpreting the existing data streams in a different way.
“Cara,” explains Ahearne, “is a software module that sits dormant on the existing network while the market is open. It can sit on any Corvil appliance, which is already installed on the majority of financial exchange trading networks throughout the globe. Because it is dormant, it adds zero overhead to the operation of the trading network. But as soon as the market closes it activates automatically and replays the whole day’s traffic captured during the day. It runs multi-dimensional security analytics that detect patterns of compromise, and pinpoints the most important issues for investigation.”
Cara uses machine learning algorithms to look for known attack techniques, exploit patterns, unusual data movements and the like, and presents a summary report of its findings in an email delivered to security stakeholders overnight. The reports are designed to be accessible to non-technical senior management, yet provide enough information for the security team to know exactly where to look for potential problems. "The purpose," explained Ahearne, "is to both automate anomaly analysis and reduce the customer's need for highly technical staff." It would, in fact, have detected the exfiltration of KCG data automatically.
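The two patterns the article singles out, the Saturday double login that exposed the KCG administrator and the "unusual data movements" Cara looks for during its post-close replay, can be illustrated with a small batch job. The following is an added example written for this page, not Corvil's code and not a description of how Cara works internally: it assumes a simplified, constructed capture format (one record per line with timestamp, event, host, user, destination and byte count), a constructed per-host egress baseline from prior days, and assumed thresholds (a 07:00 to 20:00 business window, a five-minute concurrent-login window, and a 3x median egress trigger), then renders the kind of short summary report described above.

```python
"""Post-close replay analytics over a day's captured records.

Illustrative example only (not Corvil's code). The record format, the
baseline, the thresholds and the sample data below are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed thresholds: business window (start hour inclusive, end exclusive),
# window in which two different users logging into one host is suspicious,
# and the multiple of a host's median daily egress that triggers a finding.
MARKET_HOURS = (7, 20)
LOGIN_WINDOW = timedelta(minutes=5)
EGRESS_FACTOR = 3.0

# Constructed per-host baseline: total egress bytes on each of five prior days.
BASELINE_DAILY_EGRESS = {
    "ws-analyst-07": [12_000_000, 11_500_000, 12_300_000, 11_800_000, 12_100_000],
    "srv-backup-01": [41_000_000, 39_500_000, 40_200_000, 40_800_000, 39_900_000],
}

# Constructed capture for Saturday 2017-02-04:
# timestamp event host user destination bytes
TODAY_CAPTURE = """\
2017-02-04T09:12:00 login ws-analyst-07 analyst07 - 0
2017-02-04T09:12:20 login ws-analyst-07 sysadmin03 - 0
2017-02-04T09:30:00 egress ws-analyst-07 analyst07 203.0.113.9 1500000
2017-02-04T23:40:00 egress ws-analyst-07 sysadmin03 198.51.100.77 250000000
2017-02-04T10:05:00 egress srv-backup-01 svc-backup 203.0.113.20 40000000
"""


def parse_capture(text):
    """Turn the whitespace-separated capture into a list of record dicts."""
    recs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, event, host, user, dst, nbytes = line.split()
        recs.append({"ts": datetime.fromisoformat(ts), "event": event,
                     "host": host, "user": user, "dst": dst, "bytes": int(nbytes)})
    return recs


def off_hours_logins(recs):
    """Flag logins on a weekend or outside the business window."""
    findings = []
    for r in recs:
        if r["event"] != "login":
            continue
        weekend = r["ts"].weekday() >= 5
        outside = not (MARKET_HOURS[0] <= r["ts"].hour < MARKET_HOURS[1])
        if weekend or outside:
            findings.append(("medium", f"off-hours login: {r['user']} on "
                                       f"{r['host']} at {r['ts'].isoformat()}"))
    return findings


def concurrent_logins(recs, window=LOGIN_WINDOW):
    """Flag two different users logging into the same host within `window`.

    Only consecutive logins per host are compared, which is enough for the
    KCG-style collision; a sliding window would catch wider spacings.
    """
    findings = []
    by_host = defaultdict(list)
    for r in recs:
        if r["event"] == "login":
            by_host[r["host"]].append(r)
    for host, logins in by_host.items():
        logins.sort(key=lambda r: r["ts"])
        for a, b in zip(logins, logins[1:]):
            if a["user"] != b["user"] and b["ts"] - a["ts"] <= window:
                findings.append(("high", f"concurrent logins to {host}: "
                                         f"{a['user']} and {b['user']} within {window}"))
    return findings


def egress_anomalies(recs, baseline, factor=EGRESS_FACTOR):
    """Flag hosts whose total egress today exceeds `factor` x their median day."""
    today = defaultdict(int)
    for r in recs:
        if r["event"] == "egress":
            today[r["host"]] += r["bytes"]
    findings = []
    for host, total in today.items():
        hist = baseline.get(host)
        if not hist:
            findings.append(("low", f"no egress baseline for {host}; sent {total} bytes today"))
            continue
        typical = median(hist)
        if total > factor * typical:
            findings.append(("high", f"egress from {host} is {total} bytes, "
                                     f"{total / typical:.1f}x its median of {typical:.0f}"))
    return findings


def run_replay(capture_text, baseline):
    """Replay one day's capture through all detectors, highest severity first."""
    recs = parse_capture(capture_text)
    findings = off_hours_logins(recs) + concurrent_logins(recs) + egress_anomalies(recs, baseline)
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f[0]])  # stable: keeps detector order within a severity
    return findings


def render_report(findings):
    """Plain-text summary suitable for an overnight email."""
    lines = [f"{len(findings)} finding(s) from post-close replay"]
    lines += [f"[{sev.upper()}] {msg}" for sev, msg in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(run_replay(TODAY_CAPTURE, BASELINE_DAILY_EGRESS)))
```

On the constructed capture this reports the analyst workstation twice at high severity (two users logging in twenty seconds apart, and roughly 21x its median daily egress) and the two Saturday logins at medium severity, while the backup server, whose egress is within its baseline, produces nothing. One caveat a practitioner would add: a per-day multiple of the median only catches bursts. An exfiltration paced to stay just under the threshold for four months, as in the KCG case, needs a cumulative or peer-group comparison across days, and a baseline built from days that already contained the attacker's traffic will have normalized it.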
Cara, comments Dan Cummins, a senior analyst at 451 Research, “gives security teams a relatively quick way to extend automated risk assessments, which combine machine-learning anomaly detection and threat detection analytics, to electronic trading networks.”
The approach Corvil has taken provides zero-overhead security to what is in effect an OT network. Securing OT without touching its performance is a perennial problem for many companies, and that gives Corvil a long-term expansion path. "We have seen the parallels," Ahearne told SecurityWeek, "and it is a possible future expansion. But for now, we are focused on solving the cyber security problems of trading floors with our Virtual Security Expert."