You are here

Written by: William Nowik, CISA, CISSP, QSA, PCIP
As a means of protection from security threats, most financial institutions have security information and event management (SIEM) in place. This solution combines security information management and security event management, and provides real-time analysis of security alerts. What’s important to note is that SIEM only monitors servers or a subset of servers. It makes sense to monitor servers because they contain an institution’s most sensitive and confidential information and run business applications that allow the movement of funds and automate work flow. However, limiting your monitoring to just the server is risky.

Workstations and servers are networked and connected, meaning that a flaw in one part of the network can result in a full compromise of that network and any other network that is connected (i.e. hosted web applications). In most hacks, the end result involves the hacker trying to obtain access to an institution’s most critical systems, which are typically installed on servers. However the end result is not always the primary point of attack.

Consider this - hackers introduce malware to financial institutions through email (phishing or spear phishing) or through the web (browsing sites) as a way to defeat the typical preventative controls that institutions establish as part of their layered security approach. When employees open their emails or go on the web, they are performing these activities at the workstation level – not on the servers.

Once malware infects a workstation, the attacker can stealthily exfiltrate data such as usernames and passwords through a remote backdoor pathway to the infected workstation. With the usernames and passwords, the attacker can access the servers or business applications because entering correct user information is considered normal activity and will not trigger suspicious activity. Thus rendering the monitoring at the server level useless.   

Monitoring workstations allows institutions to align their monitoring activities with the attack vector that’s most likely to be targeted in a breach. Although monitoring all employee endpoints is expensive, it is critical to include monitoring your workstations as part of your layered security control design so you can better protect your institution from cybersecurity threats. 

If you have any questions about your institution’s cybersecurity posture, please contact William Nowik, CISA, CISSP, QSA, PCIP, Principal in Wolf’s IT Assurance Services Group, at 617-428-5469 or