Security chiefs at three of Australia's big four banks are turning to "detective" controls and predictive analytics in the hope of identifying new threats, attacks or instances of fraud before they turn into bigger problems.
National Australia Bank's head of cyber security Nick Scott highlighted the importance of speed to detection and response at FST Media's Future of Security in Financial Services Summit last week.
He said the challenge for NAB and other institutions was being able to pick up "really early indicators" of an impending security event.
"An adversary often starts with reconnaissance [but] it's very rare for an organisation to detect at the reconnaissance phase a new adversary [and] the fact that they're starting to target you," Scott said.
"That sort of information doesn't stand out - it's not clear, it's not a giant blip on the screen that shows you a new attack."
Scott said the first indicators of a new attack may be as unassuming as an entry in a log file.
"It could be an 'Error 500', which by itself could be just a normal application problem, but if you combine that with some other factors, [such as] an IP address that we think is potentially suspect, [then] maybe what seems like a glitch may not be just a glitch.
"It might be that first indicator to you that somebody is starting to target you, your application or your organisation."
NAB's answer is to focus on detection at the time a customer tries to connect with the bank, rather than letting them get to a point where they might be able to execute a transaction.
"Banks have always had really good detection capabilities but it tended to be at the transaction stage and after the fact," Scott said.
"We use today a variety of indicators through our data analysis suite to be able to ensure that when a person connects to our environment - let's say for a banking transaction through internet banking - that they are actually the customer we think they are. This is before a transaction has occurred - we're doing this at the connection stage."
Mining incoming connections requires significant data matching capabilities, and time is of the essence. Scott said such capability has become achievable in part due to advances in big data.
"Previously if I had thought about the number of pieces of data I had to bring together in a timely manner ... it was just not achievable," he said.
"When I say timely, I mean the connection has just come in from the customer, they're starting to do the transaction, the clock is running against me now. If it turns out to be fraudulent I've got potentially minutes to try and find a way to stop that transaction from occurring."
Westpac chief information security officer (CISO) Richard Johnson told the same event that his institution was embedding what he called "invisible controls" in its online banking processes that would enable the bank to reduce its reliance on visible - but less user-friendly - controls.
"By doing analysis of individual behaviour deep inside our systems we can develop over time an understanding of what is a normal pattern of behaviour for a given customer," Johnson said.
"This means we are more readily able to spot what is unusual, aberrant or likely risky behaviour, and this means that we can reduce the frequency with which we need to ask our customers to enter SMS one-time passwords to authorise a transaction.
"In effect, a control four or five steps back that we're strengthening and is utterly invisible to our customer is driving maximum customer advantages at the front end because we're bothering them less often with a control that we can see."
Those invisible controls could also be used to detect new malware threats and to warn customers who were inadvertently infected.
"We have our analysts checking our systems using some of those invisible controls - which will remain nameless - to detect new malware in the wild targeting our customers," Johnson said.
"We can identify it, obtain a sample of it, bring it back into our lab, break it apart, reverse engineer it, decrypt it, figure out the algorithm or a signature that's unique to it, and post that on our controls online so we can detect it while handing it off to AV vendors and others."
He said this approach meant the bank could now detect the existence of malicious code on any customer's PC coming into its network before anything bad has happened.
"We can protect the customer by simultaneously contacting them and advising them, 'Hello, this is your bank. We just want to let you know we've found something unusual on your computer. Don't worry - there's been no fraud, and here's a utility you can use to repair it. Let us know when you're done and we can help you out.'
"That is a real world example today, and that to us from a customer point of view is maximising customer trust."
The Commonwealth Bank of Australia also confirmed it is focused on predictive technologies and controls for threat intelligence.
"As we think about some of the threats we have been naturally rebalancing some of our investments from just preventative technologies into detective, responsive and predictive or intelligence based technologies and controls," CBA's chief information security and trust officer Ben Heyes told a CEDA Digital Bytes event in Sydney yesterday.
"That is an area that is ripe for some research."