What Does the SEC Breach, Despite Ample Warnings of Its Security Vulnerabilities, Mean?


Jason Ohs

Director, Federal Systems Engineering, Gurucul

Oct 16, 2017

The cold, hard facts are not pretty. The Securities and Exchange Commission (SEC) was breached, despite repeated and ample warnings that its security systems and practices were vulnerable. The chair of the SEC, Jay Clayton, is due to explain before Congress exactly what happened. Since he only took office in May, he is unlikely to have all the history, nor to bear all the responsibility. That doesn't mean he won't have tough questions to answer. Meanwhile, in light of this and the recent Equifax breach, Sen. Mark Warner, a member of the Senate Banking Committee, issued this statement: "…government and businesses need to step up their efforts to protect our most sensitive personal and commercial information."

Here's what happened. The SEC, the federal government's main arm for enforcing rules and regulations on Wall Street, operates an online system called EDGAR. In use for over twenty years, EDGAR is the system through which publicly traded companies upload the financial disclosure documents they are required to share with investors; it processes over 1.7 million electronic filings a year. Exploiting a software vulnerability, intruders gained access to these filings before they were available to the general public. Foreign nation-state actors have not been ruled out. Anyone who can see this type of information before the rest of the investment community has an unfair trading advantage. The agency discovered the intrusion last year, but the SEC has revealed that it only became aware last month that information obtained by the intruders may have been used for illegal trading profits. Critics say the SEC isn't meeting the same security standards it demands of corporate America, and other concerns about the SEC's security practices and systems have been raised as well.

But the SEC, like most federal agencies, is between a rock and a hard place. What the SEC and many federal organizations need is cutting-edge security technology to protect their assets, something early adopters of advanced security analytics in private enterprise have already seen the value of. When decision makers in the private sector see the value, they can get budget approval in short order and be on the road to implementation in less than a year. Federal agencies, by contrast, must put new technology through numerous checks and balances to assure that the investment is vetted, proven to have well-established value, and fits a budget line item that was often set before the agency even knew the technology existed. This is a much, much slower process. It can take years, so the acquisition and implementation of new technology and leading-edge security tools lag well behind private industry. Because of this, the SEC and many other federal agencies are not as current in their security strategies as private enterprise.

On that very topic, Robert D. Rodriguez, Chairman and Founder of the Security Innovation Network (SINET), made this observation in chapter 5 of the book "Borderless Behavior Analytics":

"Inherent risk takers, versus risk-averse people that depend on legacy systems, are early adopters…. Part of the challenge, however, and especially in the government, is that there's no reward for failure. There is no profit margin or shareholder value, no driving motivation to deliver more for less. As a result, there's no reward for taking risks. So the culture there is different than in the commercial world."

The SEC also has a host of other legacy security practices to address, in both physical and cyber security. In response to the breach, the agency quickly announced that it had formed a new cybersecurity group to target hacking and market manipulation. But the devil is always in the details.

The outstanding question is which tools or solutions will be employed. Some experts say the new requirements should include a battery of new user authentication procedures. Stronger authentication has its place, but it would not by itself have stopped an intruder who entered through a software vulnerability rather than a stolen credential. The key to cyber security is knowing what users are doing once they are inside the environment, in real time. The answer is not simply compliance with the most recent regulations, which are based on known vulnerabilities and risks; that only represents a snapshot in time. An effective solution means a risk-based approach, with advanced security analytics driven by mature machine learning, drawing context from unsiloed big data. All that said, with the Equifax breach now being considered a tipping point in high-stakes security, the SEC and other federal agencies will be looking with urgent and renewed interest at which advanced security analytics solutions they should adopt. The question is which ones they are considering: yesterday's fad, which may have a degree of brand recognition but no true machine learning capability, or tomorrow's real-world solution, built on proven machine learning analytics, a wide range of established use cases, and automated risk response?

To learn more about Gurucul Risk Analytics, see Gurucul's website. To learn more about the challenges and solutions of advanced security analytics, read the book "Borderless Behavior Analytics – Who's Inside? What're They Doing?" by Gurucul's CEO, Saryu Nayyar: www.borderlessbehavioranalytics.com.

External URL: http://www.chicagotribune.com/business/sns-bc-us–sec-cyber-breach-20170921-story.html