Ensuring vigilant digital transformation in the financial sector

Financial services are at the crossroads of innovation and threats from ever-more sophisticated cybercriminals. “In my 25 years in cybersecurity, I’ve never seen it this bad,” said Tom Kellermann, Executive Vice President of Cybersecurity Strategy at Contrast Security. 

At this critical juncture, current Application Security (AppSec) approaches are falling flat. Why? Kellermann — former Deputy CISO for the World Bank Treasury — recently discussed the problem and its repercussions with Eric Baran, Principal Segment Leader of DevOps, AWS Global Financial Services, in a webinar. 

We explore key takeaways below, including:

• Brand damage from island hopping
• Current AppSec methods’ shortcomings
• How Runtime Security can help

1. The modern threat landscape mandates an overhaul of traditional security

In addition to geopolitical tensions metastasizing into cyberattacks around the globe, Kellermann, author of the long-running study Modern Bank Heists, described new motivations for cybercriminals. “The modus operandi of cybercrime cartels has shifted from burglary to home invasion,” he said. In other words, “they compromise and hijack financial services organizations’ digital transformation and use it to attack their constituencies — their network, applications and cloud. We must change how we conduct cyber vigilance in this space,” he stated.

One of the most alarming trends is the rise of digital insider threats. Traditional surveillance tools are powerless against scenarios where adversaries compromise applications to access sensitive information. Kellermann explained, “You no longer have to be an insider. Adversaries use vulnerable applications to conduct digital insider trading or front-running, where adversaries steal non-public market information from financial institutions and use it in the markets to benefit their portfolios.” This shift necessitates a new breed of tools capable of detecting real-time anomalies.

“We've seen a 50% increase in zero days released into the wild and exploited over the past year, according to Google Mandiant,” he professed. Further, applications are under siege, attacked an average of 800 times daily, according to Kellermann. 

Both experts agreed that such relentless targeting calls for a proactive overhaul of financial institutions' security approaches. Given the limitations of current AppSec approaches, modern threats demand solutions that provide continuous, runtime behavioral monitoring at the application layer.

“We’re seeing a massive need for modernizing legacy tooling while moving workloads to the cloud,” said Baran. “Security must now encompass application logic, application programming interfaces (APIs) and real-time protection.” 

Legacy security measures like web application firewalls (WAFs) and tools such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) need to be revised. Kellermann illustrated the limitations: “WAFs are like security guards at the front door. They can’t see backend attacks or intricate exploits.”

2. The weakest link: The application layer

APIs have become a hotbed for vulnerabilities, putting organizations at tremendous risk. Kellermann put threats to APIs in context: “API attacks are exploding. We have to appreciate that. No one knows where they end and begin metaphorically. If an API is compromised, hackers can burrow their way into anything,” he explained, underscoring the urgency of securing both APIs and applications — the application layer — to mitigate risks.

Kellermann argued that while network and endpoint-level telemetry through Network Detection and Response (NDR), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) have matured, application-layer monitoring remains a blindspot. "These tools don't see what's going on in runtime," he said, emphasizing the need to monitor for behavioral anomalies continuously. This evolution, he stated, is critical to combating modern cyber threats like zero-day attacks and nation-state actors, as cybersecurity must "evolve just like the adversary."

With more than 20 years in software development, Baran understands the transformation brought by open-source adoption and the rise of API usage, stating that “99% of production workloads now rely on open-source components.” While tools like SAST, DAST and open-source scanners help accelerate innovation, they also introduce risks and "daunting technical debt for CISOs to address.” 

Keep vulnerability-plagued APIs out of production with a platform
that builds, tests and protects APIs.

Baran described APIs as "the next iteration of the open-source economy," driving transformation and offering "new routes to market." However, they underscore the need for robust governance and runtime protection across the "app layer, API layer and code layer" to balance innovation with security in modern software delivery.

3. How to secure systems during and after a move to AWS

Financial institutions are undergoing a digital transformation, which Baran likens to turning a massive ship. As they migrate to cloud platforms like AWS, they face a dilemma: how to secure systems during and after the transition.

Reflecting on his journey at AWS and work helping financial services clients navigate cloud adoption, Baran emphasized AWS’s foundational commitment to security, noting that "security is always job zero." He discussed how the cloud offers significant efficiency gains for infrastructure and application workloads. However, migrating workloads introduces new complexities, especially in application-layer security and compliance.

He highlighted the growing importance of "automating compliance guardrails" and customizing control frameworks to meet varied industry standards. While the financial sector benefits from AWS's infrastructure, it faces challenges in creating consistent, standardized approaches to compliance and security across its diverse ecosystems, underscoring AWS's role in addressing these evolving needs.

Baran advocated for runtime security as a buffer. “It’s like implementing bumpers to protect you while you turn the Titanic around,” he said. 

Kellermann talked about the need to shift right to shift left. “You have to eliminate exploitable security debt in production first. Once that’s solved, you can focus on shifting left to improve development practices.”

Baran concurred, highlighting the role of observability. “Modern security involves feeding runtime data into observability layers. This correlation allows teams to prioritize fixes without stalling innovation.”

4. ADR: Catch and stop attacks at the front line

Applications represent digital branches for financial institutions. Protecting these applications is not just about security; it’s about safeguarding the brand. Kellermann stated, “Applications are an extension of the organization. Defending them is brand protection because they represent you.” 

Application Detection and Response (ADR) transforms how financial institutions combat cyber threats. Unlike traditional tools that rely on static assessments or perimeter defense, ADR monitors application behavior in real time. For years, security operations centers (SOCs) have been blind to what happens at the application layer. Kellermann explained that ADR fills this gap by providing a living, dynamic blueprint of an application’s security posture, attack paths and backend connections

This dynamic approach helps institutions proactively detect behavioral anomalies and respond to threats through real-time application-layer visibility. ADR also allows organizations to combat sophisticated threats such as API vulnerabilities, deserialization attacks and encoded exploits that WAFs and legacy tools often miss, along with zero-day vulnerabilities and insider threats.

“A zero day is essentially a behavioral anomaly at the application layer, and ADR can detect it before it manifests into something more significant,” according to Kellermann. “It’s like placing security personnel inside the vault rather than at the front door.”

Kellermann explained that ADR empowers financial institutions to detect attacks, understand how they’re being attacked, and determine whether they’ve been compromised. ADR is also uniquely equipped to identify digital insider threats, where adversaries exploit vulnerable applications to access sensitive data or conduct fraud. 

“ADR fills the gap, allowing institutions to identify and neutralize threats within their applications before they escalate,” said Kellermann. He called for “vigilant digital transformation,” urging institutions to adopt ADR for real-time insights and proactive defense.

5. Contrast and AWS: Making security a shared responsibility

Kellermann and Baran advocate for a shared responsibility model as the financial sector grapples with the dual pressures of innovation and security. From strengthening APIs to embracing runtime security, the path forward requires collaboration and a commitment to continuous vigilance.

“In the end, it's all about vigilant digital transformation,” said Kellermann. “I think this partnership [between Contrast Security and AWS] exemplifies that to a ‘T’. I look forward to having further conversations with the financial sector to understand what keeps them up at night, but more importantly, how we can better defend one another in that shared model.”

Kellermann pointed to Verizon’s recent Data Breach and Incident Report (DBIR), which revealed that 55 days after a patch is released, only half of critical vulnerabilities are addressed. “There's too much vulnerability debt and management debt, and that's what we're trying to solve with this partnership here today.”

Baran agreed. “It's been fun to use platforms like Contrast and partner together as a level of protection and guarding while we're helping the client accelerate time to value in the AWS backend.” 

Kellermann concluded the discussion with a thought-provoking quote from the movie “The Usual Suspects”: “The greatest trick the devil ever pulled was convincing the world he didn’t exist. That devil is somewhere in your application layer.” By recognizing and addressing this reality, financial institutions can stay ahead in the ever-evolving cybersecurity landscape.

Baran re-emphasized the significant advances stemming from AWS’s partnership with Contrast. “The good news is AWS, working in tandem with platforms like Contrast, allows clients to stay ahead… we’re helping them watch what's going on and improve their overall posture and process as we continue to help clients maximize the value of the cloud backend.”

Take a look at ADR and Runtime Security: Call us to set up a demo. 

Read more:

• ADR white paper: The Case for Application Detection and Response (ADR) 
• Contrast explainer video: Contrast Application Detection and Response (ADR)
• Contrast demo video: Contrast Security ADR Demo
• Contrast press release: Contrast Security Application Detection and Response (ADR) Praised by Industry Analysts for Addressing Gap in Cybersecurity Defenses 
• Contrast press release: Contrast Security Introduces Application Detection and Response (ADR) to Identify and Block Attacks and Zero Days on Applications in Production 
• Contrast glossary: What is ADR?
• Contrast blog: Why Contrast Security is making the case for Application Detection and Response (ADR)
• Contrast blog: Contrast Security founder Jeff Williams explains how to fix AppSec in production
• Contrast blog: 5 ways Contrast Security ADR closes the gap in protection for apps & APIs

• Contrast blog: Understanding ADR’s detection and response layers
• Contrast blog: Why application detection and response is sparking excitement in cybersecurity
• Contrast blog: August attack data: A look beyond the numbers
• Contrast blog: Anatomy of an attack
• Contrast blog: Analyst: Application Detection and Response is an ‘emerging category’
• Contrast blog: September attack data: Spotlight on path traversal, one of the gnarliest application attack types
• Contrast blog: Wake up, CISOs: You need an ADR flashlight to see into critical application blindspots
• Contrast blog: Bringing the application layer into cybersecurity monitoring and response
• Contrast blog: If only I’d known ADR was possible when I was a SOC analyst!
• Contrast blog: October attack data: The Expression Language injection attacks that skipped past SAST/DAST/WAFs
• Contrast blog: Smarter AppSec: How ADR, secure by design and 'shift smart' are redefining cybersecurity