Managed Detection & Response for Hedge Funds

by Carrie Bowers

Have a plan for the unplanned

No cybersecurity apparatus is impenetrable, which means it’s essential for hedge funds to have robust strategies for detecting and responding to threats. But not every Managed Detection & Response (MDR) service provider has the industry-specific expertise to assess and address what you’re facing.

The best security methods for hedge funds include proactively monitoring your unique IT systems, specifically Eze OMS. Your MDR solution should implement these seven industry-specific cybersecurity rules to help keep your data safe by quickly alerting engineers to possible breaches within your unique environment.

Rule 1: Windows Login from an Unexpected User

Identify which users are authorized to access the Windows application and database servers for Eze OMS. Once you know who has access, your MDR service provider can build a list of expected users that functions as a whitelist. This rule triggers an alert whenever a user who is not on that list tries to access the Eze OMS Windows application or database servers, whether that person is a well-intentioned employee or a bad actor.

Why does this matter? It's important to monitor who logs in to Eze OMS because a bad actor could delete or manipulate the audit records on the servers, which would be a compliance concern if your firm is ever audited by the SEC. An attacker could also change the Eze system's configuration, which could directly impact your FIX connection and limit your ability to trade. Or an attacker might hide in the servers, monitoring the application logs and using the information siphoned from them to profit in the market.

Rule 2: SQL Login from an Unexpected User

Similarly, you should identify which users are authorized to access the actual Eze OMS database. This will enable your MDR service provider to create another expected user list and receive alerts whenever an unapproved user interfaces with the database itself.

The risks of an unauthorized user accessing your firm's Eze OMS database are akin to those just described: a bad actor who infiltrates the database can manipulate or delete data and steal information. An attacker could also lie in wait for the right opportunity to strike, remaining dormant in your firm's system indefinitely until prepared to leverage the breach to its full effect.

Rule 3: Windows Login from an Unexpected Source

It's important to track not just the specific users who have access to your Eze system, but also the specific computers that have access. Determine which machines, by IP address, are authorized to log in to your firm's Eze OMS Windows application server and database server. Your MDR service provider can then build a list of expected machines, and this rule will trigger an alert for any unrecognized machine that gains access.

This line of defense catches the case where a bad actor steals the credentials of an approved user and then uses those credentials to access your Eze system from a different computer. If your MDR service provider is only monitoring user logins and not the actual machines being used, your system could be breached without you ever knowing.

Rule 4: SQL Login from an Unexpected Source

Once again, you should also determine which machines, by IP address, are authorized to access the actual Eze OMS database. This will allow your MDR service provider to create an expected machine list and receive alerts whenever an unapproved machine interfaces with the database itself.

By now, you are aware of the risks posed by a bad actor infiltrating your firm’s database. In addition to altering, deleting, or stealing data, an attacker could also lock users out of Eze OMS and hold your data hostage. Timing is critical with any security threat, and an early alert to your MDR service provider could prevent an isolated case of unauthorized access from becoming a full-scale attack on your firm’s data.

Rule 5: Windows Login from a Public IP

What are the approved remote access procedures for logging in to and administering the Eze OMS Windows application and database servers? Once this question is answered, your MDR service provider can recognize the expected procedures and flag any unapproved attempt, successful or not, to remotely access the system.

A user successfully logging in to the Eze OMS Windows application server or database server from a public IP address would most likely be the result of a misconfiguration. Having your firm's servers exposed to the public internet could allow a bad actor to gain access through a password-guessing attack such as brute force or credential stuffing. The attacker could then compromise the integrity or availability of your firm's data. Another concern is that the attacker, once inside the system, could easily pivot to other machines in the environment and cause more damage.

Rule 6: Windows Login from an International IP

Identify which IP addresses and remote employees outside the United States are permitted to access the Eze OMS Windows application and database servers. Your MDR provider can then create a list of approved countries, and this rule will trigger an alert for any access attempt or entry into the system from an unapproved country.

An unauthorized foreign user gaining entry to your firm’s servers would, once again, likely be the result of a misconfiguration that permits access from the public internet. That kind of system vulnerability could jeopardize your firm’s data and greatly affect compliance and trading.

Rule 7: Honeytoken Access

You catch more flies with honey. As a secondary layer of protection, your MDR partner should build a honeytoken document—with an enticing name, like “passwords”—that lives on both the Eze OMS Windows application server and the database server. Then, if a bad actor already happens to be in the system and opens the file, an alert will be sent to your security team. This additional method of detection is useful because it’s impossible to prevent 100% of unauthorized access.
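Taken together, the seven rules reduce to a small allowlist-and-exception engine run over login and file-audit telemetry. The following is an added Python example, not code from the original post or from any MDR provider or Eze product; the user names, IP addresses, internal ranges, country codes and honeytoken path are constructed assumptions, the `country` field is assumed to be filled in by an upstream GeoIP enrichment step, and the file-access event is assumed to come from object-access auditing on the server.

```python
import ipaddress

# Constructed policy for a hypothetical firm; every name and address below is an assumption.
EXPECTED_WIN_USERS = {"svc_ezeoms", "jdoe"}          # Rule 1: Windows server whitelist
EXPECTED_SQL_LOGINS = {"svc_ezeoms", "eze_app"}      # Rule 2: database login whitelist
EXPECTED_WIN_SOURCES = {"10.10.5.21", "10.10.5.22"}  # Rule 3: approved workstations
EXPECTED_SQL_SOURCES = {"10.10.5.21"}                # Rule 4: approved database clients
APPROVED_COUNTRIES = {"US"}                          # Rule 6
HONEYTOKENS = {r"C:\EzeOMS\passwords.xlsx"}          # Rule 7: decoy document path
INTERNAL_NETS = [ipaddress.ip_network(n) for n in    # anything else is "public" (Rule 5)
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_public(ip: str) -> bool:
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def evaluate(event: dict) -> list:
    """Labels of every rule the event trips; `country` is assumed to come from GeoIP enrichment."""
    kind, user, src = event["type"], event["user"], event["src_ip"]
    hits = []
    if kind == "windows_login":
        if user not in EXPECTED_WIN_USERS:
            hits.append("Rule 1: unexpected Windows user")
        if src not in EXPECTED_WIN_SOURCES:
            hits.append("Rule 3: unexpected Windows source")
        if is_public(src):
            hits.append("Rule 5: Windows login from public IP")
        if event.get("country") and event["country"] not in APPROVED_COUNTRIES:
            hits.append("Rule 6: Windows login from unapproved country")
    elif kind == "sql_login":
        if user not in EXPECTED_SQL_LOGINS:
            hits.append("Rule 2: unexpected SQL login")
        if src not in EXPECTED_SQL_SOURCES:
            hits.append("Rule 4: unexpected SQL source")
    elif kind == "file_access" and event.get("path") in HONEYTOKENS:
        hits.append("Rule 7: honeytoken opened")
    return hits

# Constructed sample telemetry: Windows logons, one SQL login, one file-audit event.
SAMPLE_EVENTS = [
    {"type": "windows_login", "user": "jdoe", "src_ip": "10.10.5.21"},                   # clean
    {"type": "windows_login", "user": "temp_admin", "src_ip": "10.10.5.21"},             # Rule 1
    {"type": "sql_login", "user": "svc_ezeoms", "src_ip": "10.10.9.9"},                  # Rule 4
    {"type": "windows_login", "user": "jdoe", "src_ip": "203.0.113.7", "country": "DE"}, # 3, 5, 6
    {"type": "file_access", "user": "jdoe", "src_ip": "10.10.5.22", "path": r"C:\EzeOMS\passwords.xlsx"},  # Rule 7
]

def alerts(events=SAMPLE_EVENTS) -> list:
    """Pair each event with the rules it trips; events that trip nothing are dropped."""
    return [(e, evaluate(e)) for e in events if evaluate(e)]
```

The fourth sample event is the stolen-credential case from Rule 3: a whitelisted user arriving from an unknown, public, foreign address trips three rules at once, which is exactly why source and geography are monitored alongside user names.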

Hedge Fund Rule Roundup

There is no reason for your MDR service provider to take an exclusively reactive approach to keeping your firm safe. Combating unknown cybersecurity threats is complex and difficult, but these seven straightforward measures can be taken to monitor and control some of the variables. Having alert triggers in place for when an unexpected user or machine accesses your firm’s Eze OMS is a proactive way to protect your critical data. It is also advantageous to work to root out existing threats before they become more serious. Contact us to learn more about our tailored cybersecurity approach for hedge funds.