Financial Services Cybersecurity

Electronic trading is a specialty in financial services that requires extremely high deterministic performance in its digital systems. This includes the firewalls that protect traffic between electronic trading platforms and the rest of the financial institution, including systems that provide real-time information to customers. If misleading information is transmitted to the banking side of the business in the first seconds after a transaction—or that information is delayed—customer satisfaction suffers. Often, these problems can be traced to “jitter,” in which small packets of data pass through the firewall in nonsequential order.

Testing at two top global banks confirms that FortiGate data center firewalls (DCFWs) provide the lowest latency in the industry, with near zero jitter. At the same time, they deliver highly scalable protection for traffic moving between electronic trading infrastructures and corporate systems. Built-in intrusion prevention system (IPS), intent-based segmentation with zero trust access, and mobile security features eliminate the need for separate point products for these functions. Single-pane-of-glass visibility improves operational efficiency, and API-enabled automation helps organizations tailor policies and workflows to the unique needs of electronic trading.

These cybersecurity features help organizations achieve business requirements such as:

• Meeting federal regulations on traffic inspection between partners without compromising performance metrics
• Improving security effectiveness by segmenting critical customer and business data
• Improving visibility to facilitate automation and simplify management

Companies leveraging automation platforms to deploy infrastructure using an Infrastructure-as-Code (IaC) model realize significant benefits through a streamlined and automated provisioning model. Often used in support of DevOps cycles, IaC means that changes to an organization’s infrastructure can be made quickly and easily. This greatly improves operational efficiency, but it also exposes organizations to potential undiscovered vulnerabilities.

The best way to provide a secure IaC infrastructure is to take a Security-as-Code approach, intentionally building security into the underlying structure of DevOps applications. FortiGate internal segmentation firewalls (ISFWs) leverage intent-based security to intelligently segment infrastructure according to business intent, apply adaptive process control, and provide automated threat protection across the IaC environment. FortiManager and FortiAnalyzer provide centralized network and security management, log correlation, and analytics to enable high performance and robust security from a single console. Fortinet’s open ecosystem enables seamless and deep integration with third-party automation platforms via Fabric Connectors and a robust representational state transfer application program interface (REST API).

A Fortinet Security-as-Code solution protects the IaC infrastructure by:

• Providing protection for critical, time-sensitive network traffic without sacrificing performance
• Segmenting network traffic according to business intent, bolstering compliance and guarding against breaches

No longer is an organization’s infrastructure neatly contained within its in-house data center infrastructure. One recent survey found that 85% of companies operate in multiple public and private clouds. SD-WAN technologies are now routinely moving organizations’ network traffic over the public internet, and Internet-of-Things (IoT) devices are proliferating at the edge. As a result, a perimeter-based approach to cybersecurity is no longer adequate for financial services institutions. It is more effective to think in terms of a content inspection zone—a virtual perimeter that spans corporate data centers, multiple clouds, IoT devices, and network traffic moving on the public internet.

FortiGate next-generation firewalls (NGFWs) utilize purpose-built security processors and comprehensive threat intelligence from FortiGuard Labs to deliver top-rated, high-performance inspection of clear-texted and encrypted traffic. Single-pane-of-glass visibility and control across on-premises and cloud-based environments drives operational efficiency and enhanced security. And the Fortinet Security Fabric enables end-to-end integration of a variety of Fortinet and third-party security tools using Fabric Connectors and an open API. Robust threat intelligence powered by artificial intelligence (AI) underlies the entire security architecture, enabling detection and response to attacks in real time.

An end-to-end, integrated security architecture powered by Fortinet brings many benefits:

• Operational efficiency with the elimination of manual security processes
• Cost avoidance through consolidation of cybersecurity and elimination of redundant licenses
• Simplified compliance reporting, avoiding an all-hands-on-deck approach to audit preparation
• Enhanced security with automated response workflows and real-time threat intelligence

As network traffic increases—especially to and from distant cloud data centers—financial services institutions face increasing costs to maintain acceptable levels of network performance between branch offices and headquarters. Purchasing additional multiprotocol label switching (MPLS) bandwidth is an expensive and time-consuming undertaking, and is not scalable to future network demands. At the same time, remote branches—and edge devices within them—are a target for cyber criminals, who see them as easier to penetrate.

FortiGate Secure SD-WAN enables network traffic to travel securely over multiple connections between branches and headquarters—including the public internet. It eliminates the requirement for all traffic to be routed through the data center for inspection, preventing bottlenecks that result in latency. And it builds scalability into the network infrastructure connecting branch offices with headquarters, thus eliminating future bandwidth investments.

At remote locations, Fortinet SD-Branch enables financial services organizations to combine networking and security capabilities for branch offices—all administered from a single FortiGate NGFW. The solution includes FortiSwitch switches, FortiAP wireless access points, and the FortiExtender LTE WAN extender to ensure secure and high-performance networking at the branch. And the FortiNAC network access control (NAC) solution enables full visibility and control over all IoT devices found at the network edge.

FortiGate Secure SD-WAN and Fortinet SD-Branch enhance security and network performance in the branch network by:

• Enabling security-driven networking, making it harder for adversaries to penetrate the network from a branch location
• Driving operational efficiency by combining networking and security into a single product, centrally controlled through a single device

Attacks from adversaries are increasing in volume, velocity, and sophistication, and financial services firms are among the top targets. Security teams that still rely on manual response to incoming threats are overwhelmed with the number of alerts and cannot stop advanced threats that move at machine speed. At the same time, insider threats—malicious and accidental—pose increasing risk to financial sectors as the value of financial services data increases for threat actors.

To combat these threats, IT for financial services must take a two-pronged approach, targeting both malware and the attackers that create it. The foundation of an attack-based defense is robust, real-time threat intelligence. All Fortinet Security Fabric tools leverage comprehensive, artificial intelligence (AI)-powered threat intelligence technology from FortiGuard Labs, based on one of the world’s largest intelligence networks. AI and machine learning (ML) help identify unknown or zero-day threats, which are increasingly common due to adversaries’ use of advanced techniques like polymorphism.

FortiSandbox provides another layer of defense against zero-day threats. It enables unknown files to be examined in a safe location before being allowed onto the network. And since 60% of malware is now encrypted, the secure sockets layer/transport layer security (SSL/TLS) inspection capabilities in FortiGate next-generation firewalls (NGFWs) allow for inspections to include encrypted traffic—without impacting performance.

An attacker-based defense provides an arsenal of tools to identify and neutralize those who would infiltrate the network—whether they are outside or inside the company, and whether their intent is malicious or benign. FortiDeceptor is designed to lure attackers into identifying themselves before they cause damage. And FortiInsight protects against insider threats by continually monitoring users and endpoints for noncompliant, suspicious, or anomalous behavior that suggests compromise.

This two-pronged approach helps organizations deal with the advanced threat landscape by:

• Creating a multilayer defense to detect zero-day threats
• Catching attackers in the act, matching their technological sophistication to identify them and thwart their campaigns