"Financial Service Technology America, today's latest financial news now..."
25 May 2011

A case study in advanced information security

NetWitness | www.netwitness.com


One of the largest financial services companies with a global footprint, involved in all aspects of the industry from wealth management and investment services to retail and commercial banking, credit cards and investment banking, operates an IT infrastructure that processes billions in financial transactions daily. That infrastructure is among the most complex in the world and among the most aggressively targeted by cybercriminal communities and nation-state sponsored actors.

Against a dynamic threat landscape, where the adversaries are countless and their methods increasingly sophisticated, the company's executives have invested in one of the world's most advanced information security programs. To protect the assets of its millions of customers, the company operates in a state of elevated vigilance. It maintains a centralized Internet gateway strategy and invests significantly in security solutions such as firewalls, anti-virus, intrusion detection systems (IDS) and data loss prevention (DLP) technologies to minimize potential intrusion points. The company's security team constantly evaluates its security policies, validates their effectiveness and seeks out new threats, because it recognizes that the security of sensitive information is as important to clients as the company's services.

Despite these investments, the infrastructure in place was not supporting the company's complex and critical mission objectives. In particular, the team recognized that the information it was getting from existing devices was only a snapshot, not a consistent and pervasive understanding of network activity. Existing IDS and DLP solutions produced alerts, but without complete contextual information about each event the team had no easy way to determine whether a threat was real or a false positive. As a result, the security team had to spend countless hours sifting through system data trying to determine what was actually happening on the network - hours that are critical during an incident.

Rethinking the Problem

When the company began the project to enhance the capabilities of its security infrastructure, the staff was primarily focused on anomaly detection. They thought they were looking for a solution that could help analysts better monitor traffic peaks - significant upswings in traffic that can indicate connections with command and control networks or botnets. While they leveraged the information generated by existing solutions, they had become disappointed with the results of flow-based anomaly detection products. The problem lay in both the nature of anomaly detectors and the company's complex network architecture. It was not that the products failed to do what they claimed; they simply were not designed to meet the needs of a large international financial institution. The security team began discussions with peers in the industry, who recommended NetWitness as a possible solution that could help identify advanced threats and data exfiltration attempts in real time in large-scale environments.
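The two complaints above, that flow-based spike detection fires on any volume upswing and that an alert without context cannot be triaged, can be reproduced on a few constructed flow records. The following is an added illustration, not code from NetWitness or the company described: a robust (median/MAD) spike detector over per-host outbound byte counts, followed by the one piece of context an analyst would reach for first, whether the spiking host ever contacted those destinations before. Host names, addresses and byte counts are all constructed sample data.

```python
from collections import defaultdict
from statistics import median

def build_sample_flows():
    """Constructed flow records (minute, src_host, dst, bytes_out); not data from the page."""
    flows = []
    for minute in range(60):
        flows.append((minute, "ws-101", "10.0.0.1:443", 20_000 + (minute % 7) * 500))  # normal browsing
        flows.append((minute, "bkp-01", "10.0.0.9:873", 30_000))  # backup host, steady trickle
        flows.append((minute, "ws-202", "10.0.0.1:443", 20_000))  # workstation, steady
    for minute in range(55, 60):  # last 5-minute window: two hosts burst
        flows.append((minute, "bkp-01", "10.0.0.9:873", 5_000_000))  # scheduled backup run
        flows.append((minute, "ws-202", "203.0.113.7:443", 4_000_000))  # bulk upload to a never-seen host
    return flows

def bytes_per_window(flows, window_minutes=5):
    """Aggregate outbound bytes per (host, window): the view a flow collector exports."""
    series = defaultdict(lambda: defaultdict(int))
    for minute, host, _dst, nbytes in flows:
        series[host][minute // window_minutes] += nbytes
    return series

def robust_spike_score(history, current):
    """How far the current window sits from the host's own baseline, in units of MAD."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or max(0.05 * med, 1.0)  # floor for flat baselines
    return (current - med) / mad

def detect_spikes(flows, window_minutes=5, threshold=6.0):
    """Flow-only detector: flag the latest window of any host whose volume jumps off its baseline."""
    alerts = []
    for host, per_window in bytes_per_window(flows, window_minutes).items():
        windows = sorted(per_window)
        history = [per_window[w] for w in windows[:-1]]
        current = per_window[windows[-1]]
        if len(history) >= 3 and robust_spike_score(history, current) > threshold:
            alerts.append((host, windows[-1]))
    return alerts

def enrich_with_context(flows, alerts, window_minutes=5):
    """The context a bare flow alert lacks: did the host ever reach these destinations before?"""
    verdicts = {}
    for host, window in alerts:
        before = {d for m, h, d, _ in flows if h == host and m // window_minutes < window}
        during = {d for m, h, d, _ in flows if h == host and m // window_minutes == window}
        verdicts[host] = "new destination" if during - before else "known destination"
    return verdicts
```

Running `detect_spikes(build_sample_flows())` flags both the backup server and the workstation, because volume alone cannot tell a scheduled backup from a bulk upload; `enrich_with_context` separates them by showing that only the workstation reached a destination it had never contacted before.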

Initially, the company looked at NetWitness simply as a forensics tool. As they evaluated the platform's capabilities further, they found that it also solved a number of other problems plaguing their operations, because it gave pervasive visibility into the content of all network traffic and into the discrete behavior of entities operating across the network. Overall, it became obvious that the full capabilities of NetWitness NextGen provided benefits well beyond network forensics.

With a detailed understanding of NetWitness gained through a series of executive-level discussions, the company decided to conduct a proof of concept. According to an IT executive at the company, "The results were quite extraordinary. There was definitely an 'oh wow' moment. Our current log files contain 70 million lines per day - of that 70 million, identifying those that might be Trojan communications was previously a very difficult undertaking. Using NetWitness we were able to immediately zero in on malicious traffic, cutting days of work out of our process." Based on the successful test of NetWitness NextGen, the company decided that its centralized Internet gateway and a few international locations would make up a Phase 1 deployment.

Visibly Transforming Operations

Within days, the initial deployment produced significant benefits. The most important difference with NetWitness in place is that the company's security team now has complete visibility into all traffic, whether Internet-based or within the company's VPN infrastructure. This new level of contextual knowledge enables the security staff to take precise actions that limit the business impact of cyber threats.

Because the company's Internet connectivity is centralized, NetWitness' positive impact has spread across its global network operations. The team has been able to identify security issues more quickly and efficiently, converting the problem from a manual, time-consuming human task into an automated process that is both faster and far more actionable than what was previously achieved.

Within specific countries of concern, the team can now monitor traffic for any potential cyber threat, giving it confidence that the company's assets and the identities of its customers are protected. The staff can automatically generate reports based on advanced threat characteristics and perform in-depth analytics on the results daily. This reduces operational processes that once took hours or days to a matter of minutes, allowing more proactive remediation.

Proven Extensibility

One aspect of the deployment that has benefitted the team unexpectedly is that they are continually discovering new potential use cases for NextGen. They have drawn on the broad NetWitness community for help and suggestions, based on real-world applications of the NextGen platform. In addition, the team's hands-on experience has enabled them to develop a number of innovative uses internally, such as complex eDiscovery through the use of NetWitness Visualize.

The company's initial experience with NetWitness has delivered tangible value; as a result, they are now planning to expand the relationship in two directions. First, they will use NetWitness as a rapid security deployment solution when an in-country incident requires deep forensic analysis. Second, they will add several additional international locations to the permanent enterprise monitoring architecture. NetWitness has become a core platform for the security operations team, giving it unparalleled visibility and the agility to detect and respond to changes in the enterprise's risk profile and the threat landscape.
