The cold hard facts are not pretty. Despite repeated and ample warnings of security vulnerabilities, the Securities and Exchange Commission (SEC) is only now heeding them, because it is on the receiving end of a breach. SEC Chairman Jay Clayton is set to explain the details of the SEC breach before Congress. But since he only joined in May, he’s not likely to have all the history, nor bear all the responsibility. That doesn’t mean he won’t have tough questions to answer.
Meanwhile, in light of this and the recent Equifax breach, Sen. Mark Warner, a member of the Senate Banking Committee, issued this statement: “…government and businesses need to step up their efforts to protect our most sensitive personal and commercial information.”
SEC breach as a result of EDGAR security vulnerabilities
The SEC is the federal government’s main arm for enforcing rules and regulations on Wall Street. It employs an online system called EDGAR, which has been in use for over twenty years. Publicly traded companies use EDGAR to upload the digital financial market disclosure documents they are required to share with investors. The SEC’s EDGAR system processes over 1.7 million electronic filings a year. Taking advantage of software vulnerabilities, hackers gained access to files before they became available to the general public.
Foreign nation-state actors have not been ruled out as being behind the SEC breach. If hackers can see this type of information before the rest of the investment community, they have an unfair trading advantage. While the agency discovered the breach last year, the SEC revealed it only became aware last month that information obtained by the intruders may have been used for illegal trading profits. Critics say the SEC isn’t meeting the same security standards it demands of corporate America. Concerns are also being expressed about the SEC’s security practices and systems.
Between a rock and a hard place
In this case, what the SEC and many federal organizations need is cutting-edge security solutions to protect their assets. This is something early adopters of advanced security analytics solutions in private enterprise have already seen the value of. When the decision makers in the private sector see the value, they can get budget approval in short order, and be on the road to implementation in less than a year.
However, unlike private enterprises, federal agencies must undergo numerous checks and balances for new technology. This ensures the investment is vetted, establishes its value, and fits a budget line item that is often set in place long before the agency knows about the technology. This is a much, much slower process. It can take years, making the acquisition and implementation of new technology and leading-edge security solutions lag well behind private industry. Because of this, the SEC and many other federal agencies are not as current in their security strategies as private enterprise.
Security vulnerabilities on the rise for federal agencies
On that very topic, Robert D. Rodriguez, Chairman and Founder of Security and Innovation Network (SINET), made this observation in chapter 5 of the book Borderless Behavior Analytics:
Inherent risk takers, versus risk-averse people that depend on legacy systems, are early adopters…. Part of the challenge, however, and especially in the government, is that there’s no reward for failure. There is no profit margin or shareholder value, no driving motivation to deliver more for less. As a result, there’s no reward for taking risks. So the culture there is different than in the commercial world.
The SEC also has a host of other legacy security practices to address, both in physical security vulnerabilities and cyber security areas. In response to the SEC breach, the agency quickly announced they had formed a new cyber security group to target hacking and market manipulation. But the devil is always in the details.
Advanced security analytics driven by machine learning is the solution
The outstanding question is what tools or solution to employ. Some experts say new requirements should include a battery of new user authentication procedures. But the key to cyber security is knowing in real time what the users are doing in the environment. Maybe the solution is not about being in compliance with the most recent regulations. Compliance gathers the known bad security vulnerabilities and risks, but it only represents a snapshot in time. An effective solution means a risk-based approach: advanced security analytics driven by mature machine learning and drawing context from unsiloed big data.
All that said, now with the Equifax breach being considered a tipping point in high-stakes security, the SEC and other federal agencies will be looking with urgent and renewed interest at what advanced security analytics solutions they should adopt. The question is, which ones are they considering? Yesterday’s fad, which may have a degree of brand recognition but no true machine learning capabilities, or tomorrow’s real-world solution based on proven machine learning analytic capabilities and a wide range of established use cases, along with automated risk response capabilities?
Director, Federal Systems Engineering, Gurucul