Without both perspectives, security teams may stop intrusions at the surface while missing their deeper potential impact, or they may incorrectly secure vertical workflows because they lack a full understanding of why attackers will likely enter in the first place.
In practice, security teams tend to prioritize horizontal defense, viewing attacks and breaches as eradication priorities without considering business impacts or the context of risk. Tickets are closed, but the potential compromise of business-critical workflows goes unexamined. This is problematic because the most impactful compromises occur in vertical processes: the workflows that move funds, control heavy machinery, adjudicate clearances, or finalize market disclosures.
Impact: When vertical processes are compromised, key business functions are damaged, causing significant losses.
The impact of vertical compromises is significant because it directly affects revenue and value-generating business. Unlike malware outbreaks that may just inconvenience IT, vertical breaches change key business outcomes: money is moved, contracts are altered, deals are lost, identities are stolen, and public trust is eroded.
The following two high-profile case studies demonstrate this trend. What distinguishes these incidents is not that attackers evaded initial detection (though they did in both cases), but that they understood unique business processes well enough to exploit them, and that defenders failed to connect the dots between horizontal and vertical defenses to stop the compromises:
$81M Bangladesh Bank Heist (2016)
In 2016, attackers successfully stole $81 million from Bangladesh Bank in a massive digital heist.
Attackers gained horizontal entry through malware after exploiting basic security gaps including unmonitored servers and a lack of firewalls. Over several months, they used keystroke loggers to observe the bank’s SWIFT payment processing workflow and acquire employee credentials, gaining critical vertical context.
The attackers then exploited weak cross-border vertical communication workflows by initiating nearly $1 billion in fraudulent transfers during a holiday weekend. They covered their tracks by manipulating or suppressing the SWIFT transaction logs and printouts.
Throughout the operation, a series of horizontal red flags appeared, including fraudulent SWIFT transfer requests, a SWIFT system error, and a malfunctioning printer that stopped generating copies of transfers. However, because these technical signals were not tied to the financial process they governed, they were initially treated as isolated IT and financial issues, not as potential evidence of a broader operation.
From a security perspective, numerous anomalies should have been flagged and escalated with appropriate vertical context to prevent the fraudulent transfers:
- The presence of malware in the bank’s SWIFT access system
- Unauthorized access to and tampering with the SWIFT system
- The sheer volume of unusual transaction requests, particularly during holiday/closure timing
- Poor inter-bank/cross-border controls
For a detailed explanation of the heist, we recommend this write-up in New York Times Magazine.
OPM Breach (2015)
The 2015 Office of Personnel Management (OPM) breach exposed sensitive background-check records (including SF-86 forms) for approximately 21.5 million individuals, and earlier compromised personnel records for about 4.2 million federal employees and contractors.
Attackers stole SF-86 and similar forms that contained personal information, fingerprints, and background investigation data, offering a potential treasure trove of strategic intelligence on relationships, vulnerabilities, and leverage points that could be used in targeted disinformation, recruitment, or influence operations.
The attackers, widely attributed to Chinese-government-linked state-sponsored groups, first breached OPM networks around late 2013 by exploiting horizontal weaknesses including insufficient multi-factor authentication and weak network segmentation. Though OPM became aware of malicious activity in 2014-15, full system ejection/remediation was delayed, and during that period the adversaries had time to harvest credentials, deploy malware, move laterally into privileged systems, and access the background-investigation databases.
Multiple horizontal indicators (e.g., anomalous logins, unencrypted databases, old assets without oversight) surfaced, but because these signals were not aligned with the clearance-workflow mission and lacked financial-fraud style triggers, they were not escalated as a strategic national-security incident. OPM’s response was fragmented and the lack of forward-looking context regarding how such data could be exploited (rather than just stolen) impaired the escalation and containment process.
From a security/forensics perspective, the following anomalies should have been detected with appropriate vertical security controls:
- Presence of weak or missing authentication controls and insufficient segmentation of high-value assets.
- Unauthorized privileged access and exfiltration of background-investigation systems (rather than mere data theft).
- The volume and sensitivity of unusual access requests (i.e., access to SF-86 and fingerprint data) should have triggered a mission-context alert beyond standard IT incident response.
Action: Align horizontal and vertical security to enable context-informed detection, response, and resolution.
1) Map assets and identities based on vertical business functions
Horizontal security tools like SIEMs provide raw alerts. Vertical context turns those alerts into actionable intelligence, as I recently spoke about in an article for the National Security Institute.
Classify assets and identities based on their associated business function(s) to add vertical context. Every endpoint, server, and identity should be tagged by the function it serves, not just its hostname, to enrich horizontal security data. Examples of tags might include: RTGS operator console, FX desk workstation, filing disclosure server, SCADA HMI, or clearance adjudication system.
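As an added illustration of the tagging step above and of the case-study anomalies (SWIFT/RTGS and clearance workflows), the following example is not code from the article or from SPHERE: it tags constructed hosts and identities with the business function they serve, enriches horizontal alerts with those tags, and groups several horizontal signals on one vertical function into a single business-process incident. All hostnames, usernames and rule names are hypothetical.

```python
# Added example (not from the article): tag hosts/identities with the vertical
# business function they serve, enrich horizontal SIEM alerts with those tags,
# and group alerts hitting one function into a business-process incident.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed inventory (hypothetical hostnames); tag names follow the article.
ASSET_TAGS = {
    "ws-0142": {"RTGS operator console"},
    "srv-swift-01": {"SWIFT gateway"},
    "prn-ops-02": {"SWIFT gateway"},   # printer that prints transfer confirmations
    "lap-0910": set(),                 # untagged commodity laptop
}
IDENTITY_TAGS = {"j.doe": {"payment approver"}, "svc-backup": set()}
# Functions whose compromise changes business outcomes (moves money, etc.).
VERTICAL_FUNCTIONS = {"RTGS operator console", "SWIFT gateway",
                      "payment approver", "clearance adjudication system"}

@dataclass
class Alert:
    host: str
    user: str
    rule: str                      # the horizontal detection that fired
    functions: set = field(default_factory=set)
    escalate: bool = False

def enrich(alert):
    """Attach business-function tags; escalate if any is a vertical function."""
    alert.functions = (ASSET_TAGS.get(alert.host, set())
                       | IDENTITY_TAGS.get(alert.user, set()))
    alert.escalate = bool(alert.functions & VERTICAL_FUNCTIONS)
    return alert

def correlate(alerts):
    """Group escalated alerts by vertical function; two or more distinct
    horizontal signals on one function become a business-process incident."""
    by_function = defaultdict(set)
    for a in map(enrich, alerts):
        for fn in a.functions & VERTICAL_FUNCTIONS:
            by_function[fn].add(a.rule)
    return {fn: sorted(r) for fn, r in by_function.items() if len(r) >= 2}

# Constructed alerts echoing the Bangladesh Bank signals described above.
SAMPLE_ALERTS = [
    Alert("srv-swift-01", "svc-backup", "malware_detected"),
    Alert("prn-ops-02", "j.doe", "device_offline"),
    Alert("srv-swift-01", "j.doe", "transfer_volume_anomaly"),
    Alert("lap-0910", "svc-backup", "malware_detected"),
]
```

Run `correlate(SAMPLE_ALERTS)`: the malware hit on the untagged laptop stays an ordinary ticket, while the three signals touching the SWIFT gateway are returned together as one incident against that function.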
SPHERE helps organizations maintain clean identity and permissions environments, ensuring that user roles are mapped directly to sensitive vertical functions.