Every day is a fire drill for bank cybersecurity teams

Cyberthieves continually hack away at weaknesses in banks' digital defenses, sometimes coming in waves that involve thousands of attacks.

The startup XM Cyber proposes that banks steel their defenses in much the same way by using its automated attack-simulation platform. Not only can its virtual simulations safely replicate attacks, the startup says, but they can be continuously repeated and updated with viruses and attack methods that evolve faster than most information technology teams can track.

XM Cyber recently raised $22 million in Series A funding, a round that included the investment firms Macquarie Capital, Nasdaq Ventures, Our Innovation Fund and UST Global.

The Israeli company (which has New York, London and Sydney offices) has raised a total of $32 million, following a previous seed round of $10 million from Swarth Group. XM Cyber said it will put funding toward sales growth, marketing and engineering.

Noam Erez, XM Cyber's chief executive, claimed that banks that employ the platform and train their IT teams to use it can supplant the spending they would traditionally allocate to IT training. Security certifications can run into the thousands of dollars for a single employee.

Historically, banks and other companies have had to spend a lot of money on repeated training for IT staff and on vulnerability testing, such as hiring penetration-testing firms and performing round-the-clock scanning services.

“Part of the allure of going with an automated capability versus using a human red or blue team is that it's fast and will keep going,” said Scott Ramsey, managing principal at Capco.

Speed is essential to keep pace with the threat facing banks. In September, The Wall Street Journal reported that federal authorities warned Bank of America, Citigroup, Wells Fargo and JPMorgan Chase that hackers were combing their defenses for weaknesses.

JPMorgan recently turned to ethical hackers to probe its websites for soft spots as one way of coping with the constant threat.

XM Cyber belongs to a new class of cybersecurity solution for banks to consider, competing against products such as Tenable’s Nessus Security Center and Rapid7’s Nexpose.

“There has been a fundamental shift within cybersecurity where a lot of interesting R&D projects and university projects are coming to market that you didn’t see 15 to 20 years ago,” said Alissa Knight, senior analyst at Aite Group. While XM Cyber was founded in 2016, the company did not come out of stealth mode until January 2018.

The class of cyberdefense companies that includes XM Cyber is causing professionals in vulnerability management to think about automating the “kill chain” — the steps that make up an attack scenario.

XM Cyber requires clients to define devices, data and networks before creating an IT risk management program. Many companies do not know what their most critical assets are or do not realize that assets are more than just servers, workstations and printers, Knight said.

Many chief information security officers "don’t even know where that data is — thinking their data is only on the servers where their [data loss prevention] is installed but fail to realize it’s been copied to other shared folders and people’s workstations,” Knight said.

Capco’s Ramsey cautioned that technology such as XM Cyber's will only remain effective “so long as you update it.”

Another downside of using an automated product, he said, is that the machine might not be able to comprehend the complexity of the system it is supposed to simulate.

Ramsey recommended that banks use a combination of automated and human intelligence so that red teams — internal IT members who are tasked with challenging their firm’s security measures — do not get complacent.

Some IT professionals raise concerns that while an automated simulation is running during business hours, their organization may be more vulnerable to an actual attack happening at the same time.

However, Knight said most companies should be able to deal with that problem.

“One of the things companies can do when it comes to friendly fire is whitelist the XM Cyber IP addresses that they know are performing these attacks,” Knight said.
