NetWitness at Financial Services Companies: A Wealth of Customer Experiences
Table of Contents

Introduction
Advanced Threat Management
  Zero Day Malicious Code — Closing the Exposure Window Faster
  Unique Benefits Provided by NetWitness
  Spear Phishing — Stopping the Truly Targeted Messages
  Unique Benefits Provided by NetWitness
Enterprise Security Integration
  Integrating NetWitness Alerts Into the SIEM
  Getting More Value Out of the SIEM — NetWitness Enriches the Event Stream
  Unique Benefits Provided by NetWitness
Data Loss Prevention
  FTP Transfers of Sensitive Content — How Bad Is It?
  Mergers and Acquisitions — Keeping the Secrets Secret
  NextGen: A DLP for Advanced and Complex Threats
  Unique Benefits Provided by NetWitness
Additional Use Cases — What Do You Need to Know?
  Staying Current with Emerging Threats
  Online Banking — Stopping External Fraud
  Unique Benefits Provided by NetWitness
  HR, Fraud, Compliance, Audit, and More
Conclusions
Introduction
Faced with an increasing volume of advanced threats and an
onerous regulatory compliance burden, top financial services
organizations in the U.S. have invested in a broad array of
information security point solutions and have implemented
security programs capable of sophisticated defensive
operations. This paper describes the cumulative experience of
a number of financial services security teams who have turned
to NetWitness® to complement prior investments and complete
their defensive infrastructure.
» NetWitness NextGen™ represents the next generation of
network monitoring, providing a virtual Swiss Army knife of
analytic tools and capabilities to defend against a broad range
of complex problem sets.
» By recording all the traffic crossing key network interfaces,
NetWitness NextGen offers the organization the ultimate truth
and irrefutable record regarding the actions and behaviors of
the network and the entities accessing network resources.
» Through the patented indexing and database technologies
supporting the NextGen infrastructure, NetWitness provides
an easily searchable, distributed network database of
metadata representing the deep content and context of all
network communications from OSI layers 2 through 7.
» The automated analytics and interactive network forensics
within NextGen provide both gap coverage for deficiencies
in current defense-in-depth infrastructures and infinite
extensibility for new capabilities to detect emerging and
advanced threats faced by many organizations.
Each section of this paper provides examples of specific business
use cases under which NetWitness NextGen is providing a world
of value to top financial services companies:
» Advanced Threat Management
» Enterprise Security Integration
» Data Loss Prevention
» Additional Use Cases
Advanced Threat Management
Zero Day Malicious Code — Closing the Exposure Window Faster
In the current threat environment, cyber criminal-driven malware
distribution occurs with two specific goals:
» Propagating botnets for a variety of reasons;
» Theft of information (login credentials, financial information,
customer records, etc.).
A typical use of NetWitness at financial services companies
involves the identification of malicious code and unauthorized
network traffic that is evading current security controls and
network monitoring techniques.
To further complicate this scenario, much of today’s malicious
code uses encrypted and obfuscated communication methods
through allowed paths (e.g., port 443) to hamper detection
and identification. It is this capability that renders most current
data loss protection mechanisms and investments marginally
effective, if effective at all, against these threats. The current
response focus at many financial services companies is to react
to malware infections after the malware has successfully infected
an endpoint. While this may be an effective way to limit internal
botnet propagation, it has limited effectiveness against immediate
data loss. To attack this problem proactively using NetWitness
NextGen, our customers implemented the following practices:
» Deployed NetWitness NextGen at gateways and critical
connection points, and fused corporate network traffic with
the multi-source threat feeds contained in NetWitness Live to
identify any and all sessions to known malicious locations.
» Once this "bad" traffic is identified, the banks are able to easily
pinpoint internal infected hosts and use NetWitness Investigator
to analyze these machines and associated network traffic to
determine any second-stage infection traffic, the source of infection,
and the sensitivity of the affected employee's role and data access.
» Using the information gathered from NextGen during the first
alert, the security team quickly and easily uses NetWitness
Investigator and Informer to provide the network forensics
information needed to extrapolate additional characteristics
regarding the malware including autonomous systems,
hostnames, filenames and traffic patterns. This data is pushed
back into NextGen for additional analysis. This process frequently
results in the identification of additional compromise that is
completely undetected by existing controls.
» On multiple occasions, entire network ranges and autonomous
systems have been blocked from communicating with the
organization based on this information.
» Cyber criminals tend to find hosts that are friendly to their
activities and park command and control and drop sites in
these locations, which are reused across malware campaigns, so
a block on the hosting range holds up across campaigns where a
block on a single address would not.
Unique Benefits Provided by NetWitness
» Dramatically improved visibility for the security team of what
is really happening on the organization’s internal network and
Internet traffic and how these events actually were affecting
internal IT assets and devices.
» Allows proactive identification, prioritization, and timely
provision of information required to block malicious locations
based on actual impact to the organization’s business
operations and data.
» Shortens the exposure window: e.g., proactive removal
of zero day infections versus waiting for AV and IDS/IPS vendors
to catch up and detect already infected hosts.
Spear Phishing — Stopping the Truly Targeted Messages
For a number of our financial services customers, highly targeted
spear phishing of employees (e.g., an email created specifically
to target an individual within the bank) had resulted in significant
dollar losses. Most modern email filtering/attachment scanning
and gateway systems do a decent job of holding back the tide
of spam, run-of-the-mill phishing attempts, and known malware.
However, well-engineered spear phishing attacks that leverage
custom malware, well-researched message content (the message
is crafted specifically for that individual) and zero-day exploits
slip through the cracks. Once the adversary has a foothold on
the network, it is only a matter of time until other footholds
are established via lateral movement, additional sophisticated
malware is installed on systems that house valuable information,
and data exfiltration begins.
Successful detection, identification and remediation of
sophisticated spear phishing in an organization that receives
hundreds of thousands of emails every day had been difficult
before NextGen, and most anti-spam/phishing technologies
are tuned at the enterprise level to suppress bulk noise rather
than to catch the most sophisticated attacks. Despite having a
state-of-the-art filtering system, the well-engineered spear phishing
attacks almost always slip through this barrier undetected. By
leveraging inherent analytic capabilities unique to NetWitness,
however, this very difficult task is now fairly routine. Using a
combination of custom NetWitness Flex Parsers (i.e., SMTP
character set, spoofed sender, identification of attachment PE file
header information, and others), keyword hits in subject and/or
attachments, examining country of origin, and fusion with custom
NetWitness Live threat feeds, it is possible to ferret out these
needles in the haystack.
NetWitness Flex Parse technology makes it easy for security
analysts in the organization to create custom parsers to detect
and alert on the combinations of incoming email characteristics
that present the highest risk. In the case of this
spear phishing problem, Flex Parser vectors include SMTP
character set, detection of spoofed email sender addresses,
identification of Windows executable files masquerading as
other file types, and extraction of certain combinations of
characteristics of PDF files.
Because Flex Parsers are implemented as part of the real-time
capture and index technology in the NetWitness Decoder and
Concentrator appliances, if an email possesses some or all of
these characteristics, NextGen generates an appropriate alert
(e.g., "High_Risk_Spearphishing") so that the bank's security
operations analysts can react to the content and take
appropriate action. Time is of the essence in these types
of attacks to prevent lateral movement in the network and
mitigate damage.

Investigator and Informer

NetWitness Investigator is the award-winning network forensics application that provides security teams, auditors, and fraud and forensics investigators the power to perform unprecedented free-form contextual analysis of massive volumes of raw network data captured and reconstructed by the NextGen infrastructure. With its groundbreaking user interface and unprecedented analytics, Investigator lets you see your network traffic in a new way. Both novice and expert users can use Investigator to dive deeply into the context and content of network sessions in real time, making threat analysis that once took days take only minutes.

NetWitness Informer is the automated analyst providing enterprise reporting, live charting and alerting for the NextGen solution. Informer leverages the power inherent in the NextGen data capture and session reconstruction infrastructure to provide detailed reporting, charting and alerting on advanced threats and malware, insider threats, data leakage, compliance verification, IT asset misuse, hacker activities, and a host of other problems.
Unique Benefits Provided by NetWitness
» Vastly improves the time delta from attack to detection,
preventing additional “infections” and, therefore, reducing
the man-hours required to respond and mitigate damage
(forensic media imaging, documentation and reporting, etc).
» Prevents financial loss and exfiltration of sensitive information,
and with them the consequences of a successful attack (fraudulent
transactions, adverse media coverage, regulatory and legal scrutiny,
increased oversight, embarrassment, and substantial damage to reputation).
» Potential for sharing of meaningful sector-specific threat
intelligence in the form of analysis reports (attack signatures
and other indicators) to other financial services companies
and government agencies to determine sector-wide trends
and impacts.
» Substantially decreases the amount of time that security
operations center analysts spend sifting through hundreds
of thousands of messages in the email haystack on a daily
basis. This change in security operations results in increased
productivity and additional man-hours available for more
important tasks.
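The Flex Parser vectors described above (message character set, spoofed sender, Windows executables masquerading as other file types, and PDF attachments combining an auto-run action with JavaScript; see also the "Flex Parser in Action" sidebar in the next section) can be reproduced outside the appliance. The following Python scorer is an added example and not NetWitness code: the weights, the alert threshold, the Return-Path versus From domain comparison used here as the "spoofed sender" heuristic, and the sample message are all assumptions.

```python
"""Score an inbound SMTP message for spear-phishing risk (added example)."""
import email
import email.utils
import re
import struct
from email import policy
from email.message import EmailMessage

# Weights and threshold are assumptions; the paper only says these
# combinations receive a "high risk" value.
HIGH_RISK_CHARSETS = {"gb2312", "big5"}
ALERT_THRESHOLD = 50
NON_EXEC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")
PDF_AUTORUN = re.compile(rb"/(?:AA|OpenAction)\b")   # additional-actions / open action
PDF_JS = re.compile(rb"/(?:JS|JavaScript)\b")


def is_pe_image(data: bytes) -> bool:
    """True if data is a Windows PE: 'MZ' DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pdf_autorun_with_js(data: bytes) -> bool:
    """True for a PDF carrying /AA or /OpenAction together with /JS or /JavaScript."""
    return data[:5] == b"%PDF-" and bool(PDF_AUTORUN.search(data)) and bool(PDF_JS.search(data))


def assess(raw: bytes) -> dict:
    """Return {'score', 'reasons', 'alert'} for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score, reasons = 0, []

    # Vector 1: body charset seen in past successful attacks.
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            cs = (part.get_content_charset() or "").lower()
            if cs in HIGH_RISK_CHARSETS:
                score += 30
                reasons.append(f"body charset {cs}")
            break

    # Vector 2 (assumed heuristic): header From domain differs from envelope sender domain.
    from_dom = email.utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    ret_dom = email.utils.parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if from_dom and ret_dom and from_dom != ret_dom:
        score += 20
        reasons.append(f"From domain {from_dom} != Return-Path domain {ret_dom}")

    # Vectors 3 and 4: judge attachments by their bytes, not by their names.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if is_pe_image(data) and name.endswith(NON_EXEC_EXT):
            score += 60
            reasons.append(f"PE executable disguised as {name}")
        if pdf_autorun_with_js(data):
            score += 40
            reasons.append(f"PDF with auto-run action and JavaScript: {name}")

    return {"score": score, "reasons": reasons, "alert": score >= ALERT_THRESHOLD}


def build_sample() -> bytes:
    """Constructed message: GB2312 body, mismatched sender, disguised PE, JS-bearing PDF."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> offset 0x40
    fake_pe = bytes(dos) + b"PE\x00\x00" + b"\x4c\x01"    # PE signature, i386 machine
    fake_pdf = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")
    m = EmailMessage()
    m["From"] = "ceo@bank.example"
    m["Return-Path"] = "<bounce@mailer.example.net>"
    m["To"] = "treasury@bank.example"
    m["Subject"] = "Wire instructions attached"
    m.set_content("Please review the attached instructions today.", charset="gb2312")
    m.add_attachment(fake_pe, maintype="application", subtype="pdf", filename="instructions.pdf")
    m.add_attachment(fake_pdf, maintype="application", subtype="pdf", filename="cover.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    print(assess(build_sample()))
```

The executable check reads the DOS and PE headers rather than trusting the file extension, which is exactly the masquerade the text describes; the PDF check is a byte-level scan, so it fires on object streams that a name-based filter would pass.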
Enterprise Security Integration
NetWitness is purpose-built to support easy integration into
existing enterprise security operations — both at the systems
integration level and at the people/process levels. Many of our
financial services customers have implemented commercial SIEM
products, including ArcSight ESM and RSA enVision. NetWitness
offers the next logical step for these financial services companies,
providing two equally important paths to integrate the analytic
power of NextGen into their incident response and event
management processes.
» Provision of groundbreaking NextGen analytics and alerts into
the SIEM dashboard and event framework.
» Enrichment of SIEM alerts sourced from legacy security
technologies with the power of NextGen contextual
network forensics.
Integrating NetWitness Alerts Into the SIEM
Throughout this paper we describe many types of situations in
which our financial services customers are using NetWitness
NextGen to discover specific problems such as malware, spear
phishing, data exfiltration, unauthorized communications, etc.
For environments in which the organization has implemented
a SIEM, NetWitness provides a simple, but powerful facility to
pass event data from NextGen to the SIEM’s alerting interface.
For example, for some of our banking customers, our alerts
move directly into ArcSight via the vendor’s Common Event
Format (CEF). For customers working with other security
vendors, we provide NextGen event data to syslog servers or
via other output mechanisms designed to integrate easily with
their SIEM alerting interface.
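The CEF path described above, as an added example that is not NetWitness or ArcSight code: the encoder builds a CEF:0 record with the escaping the format requires (backslash and pipe in the header, backslash, equals sign and line breaks in the extension), wraps it in a syslog frame, and the decoder shows what the SIEM side recovers. The alert fields, vendor/product strings, syslog facility and collector address are assumptions.

```python
"""Hand a NetWitness-style alert to a SIEM as an ArcSight CEF event over syslog."""
import re
import socket
import time

SYSLOG_PRI = 20 * 8 + 4  # facility local4 (20), severity warning (4), per RFC 3164


def _esc_header(s: str) -> str:
    """Header fields may not contain a bare '|' or '\\'."""
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s: str) -> str:
    """Extension values may not contain a bare '=', '\\' or line break."""
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(alert: dict) -> str:
    """Serialize {'signature_id', 'name', 'severity', 'extension': {...}} as one CEF:0 line."""
    sev = int(alert["severity"])
    if not 0 <= sev <= 10:
        raise ValueError("CEF severity must be 0-10")
    header = "|".join(_esc_header(str(f)) for f in (
        alert.get("vendor", "NetWitness"), alert.get("product", "NextGen"),
        alert.get("version", "9.0"), alert["signature_id"], alert["name"], sev))
    ext = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in alert["extension"].items())
    return f"CEF:0|{header}|{ext}"


def parse_cef(line: str) -> dict:
    """Split a CEF:0 line back into header fields and extension pairs (the SIEM side)."""
    fields, cur, i = [], [], 0
    while len(fields) < 7 and i < len(line):   # seven header fields precede the extension
        c = line[i]
        if c == "\\" and i + 1 < len(line):    # escaped character: keep the next one literally
            cur.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    ext_text = line[i:]
    unescape = lambda s: re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), s)
    keys = list(re.finditer(r"(?:^| )(\w+)=", ext_text))   # a key is \w+ followed by a bare '='
    ext = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext_text)
        ext[m[1]] = unescape(ext_text[m.end():end])
    names = ("vendor", "product", "version", "signature_id", "name", "severity")
    return {**dict(zip(names, fields[1:])), "extension": ext}


def syslog_frame(cef_line: str, hostname: str, ts: float = 0.0) -> str:
    """Wrap a CEF line in an RFC 3164 syslog header for the SIEM's syslog receiver."""
    t = time.localtime(ts or time.time())
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{SYSLOG_PRI}>{stamp} {hostname} netwitness: {cef_line}"


def send_udp(frame: str, host: str, port: int = 514) -> None:
    """Fire the frame at the SIEM collector (UDP/514 assumed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(frame.encode("utf-8"), (host, port))


# Constructed alert of the kind the spear phishing parser would raise.
SAMPLE_ALERT = {
    "signature_id": "High_Risk_Spearphishing",
    "name": "Spear phishing: PE attachment disguised as PDF",
    "severity": 9,
    "extension": {
        "rt": 1268661731000, "src": "203.0.113.7", "spt": 34512,
        "dst": "192.0.2.25", "dpt": 25, "suser": "ceo@bank.example",
        "fname": "instructions.pdf",
        "msg": "charset=gb2312; PE image disguised as instructions.pdf",
        "cs1Label": "NWSessionId", "cs1": "4418239",
    },
}

if __name__ == "__main__":
    frame = syslog_frame(to_cef(SAMPLE_ALERT), "nw-decoder-1")
    print(frame)
    # send_udp(frame, "siem-collector.bank.example")   # assumed collector hostname
```

The `cs1`/`cs1Label` pair carries the NetWitness session identifier, which is what the right-click pivot from the SIEM console back into Investigator needs; the equals sign inside `msg` is the case that breaks naive string concatenation, and the parser confirms it survives the round trip.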
This SIEM integration capability translates to significant
improvements in the efficiency of incident responders and
decreases in corporate risk exposure time when responding
to specific situations. For example, one financial services
customer was particularly concerned about detection and rapid
remediation of successful malicious redirection attacks (e.g.,
“malvertising,” search engine optimization (SEO) poisoning, etc).
This organization created NetWitness Flex Parsers to identify
successful HTTP redirects to malicious sites and files, and used
NetWitness Informer, the automated analyst, to channel alerts
about the affected IT assets directly to ArcSight.
The end result was that the bank's analysts could identify and
remediate the damage almost immediately on this complex threat
and compromise scenario. Once a NetWitness event appears
within ArcSight ESM as an alert, the bank's analysts quickly
confirm the malicious activity by simply right-clicking on the alert
within the ArcSight console, thereby sending a request to view the
related session data in NetWitness Investigator.

Flex Parser in Action

If a PDF attachment contains an entry indicating that an action is performed automatically when a page of the document is viewed (/AA, the additional-actions dictionary, through which page and annotation objects trigger actions on events such as page open) or when the document is opened (/OpenAction), combined with the presence of JavaScript (/JS or /JavaScript entries), the parser assigns a high risk value to the attachment.

If the SMTP message character set of an incoming message is GB2312 or Big5, the parser raises its risk value: analysis of past successful spear phishing attacks shows that email messages with these character encodings present a much higher risk than other encodings.
From here, the analysts have complete information — the entire
content and context surrounding the alert in question. Without
NextGen, the bank would not have been able to easily produce
this alert. Even if it had created the alert using some combination
of legacy technologies, the bank would not have had the ability
to instantly view the actual reconstructed network session data
associated with the suspect network traffic and perform pinpoint
network forensics and short-term remediation.
As a final step in the lifecycle of this type of problem, the bank’s
analysts used data gleaned from a combination of Flex Parsing
and NetWitness Decoder application rules to identify patterns
in the malicious traffic and translate this logic into HTTP/HTTPS
proxy filtering on other technologies that caught and blocked
over 95% of future similar attacks.
Getting More Value Out of the SIEM — NetWitness Enriches the Event Stream
Another financial services customer is an advanced SIEM user. This
organization had invested heavily in SIEM and log aggregation
solutions both with hard dollars for the technology and with
hundreds of human hours in terms of system integration and fine
tuning. Unfortunately, the SIEM capability still was not helping the
bank close the most difficult security issues quickly enough to
limit financial damage. At the outset of our relationship with the
bank, they were in the middle of trying to clean up a zero-day virus
footprint on the network and answer an important question: how
had their systems been infected, and what damage had occurred
through unauthorized outbound communication from sensitive
areas of the organization after infection? The bank simply did not
possess enough information to answer this question in spite of all
their investments.
One technological constraint was the lack of detailed contextual
data contained in SIEM alerts due to the inherent limitations of
classic SIEM inputs such as log files and flow messages. Another
major issue was the challenge of searching through millions of
lines of firewall and IDS logs in an attempt to perform network
forensics to get to the root cause of the virus issue and the
potential subsequent lateral malware activity and data exfiltration
damage. The customer deployed NetWitness NextGen across their
gateways and our SIEMLink product on their incident responders’
desktop consoles. Using this combination, whenever their SIEM
flags an event of interest, the bank’s analysts are able to display
the alert on the SIEM console, and then use SIEMLink to send the
alert parameters to NetWitness Investigator. In this manner, the
bank’s security analysts perform numerous functions, such as the
investigation of IDS/IPS alerts and verification of rules in place
(denies on proxies, blocking of threats such as IRC or various
“beaconing” techniques).
No matter what the issue, the bank's analysts have the option of
viewing every SIEM alert within the full content and context of
the associated network sessions and performing immediate network
forensics from the correct starting point. This capability does not
exist in any other technology on the market today. Competitor
approaches that involve partial packet captures triggered from
IDS or SIEM rules or the use of “high speed” sniffer boxes or
PCAP stores relegate the bank’s analysts to hours of searching
without the benefit of exact event integration, complete event
context, and the rich application layer metadata only found in the
NextGen data framework.
At this same financial institution, the customer also developed
their own unique analytics using Flex Parse to detect the
presence of the Financial Information Exchange (FIX) protocol.
With full visibility into this protocol, the analysts track
network-layer issues such as FIX being used over non-standard
ports and, at the application layer, arbitrage anomalies, helping
to improve compliance with SEC reporting requirements.
All of the alerts associated with these unique uses of NextGen
are brought directly into the organization’s SIEM via ArcSight
CEF, are alerted on the ArcSight ESM console, and then can be
analyzed in detail using NetWitness Investigator using a single
mouse click in ArcSight.
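Identifying FIX by its wire format rather than by its port, as the customer's Flex Parser above does, comes down to checking the framing every FIX message carries: tag=value fields delimited by SOH (0x01), opened by 8=BeginString and 9=BodyLength and closed by 10=CheckSum. The following Python is an added example, not the customer's parser or NetWitness code; the sanctioned port list and the sample sessions are assumptions.

```python
"""Port-agnostic detection of FIX (Financial Information eXchange) sessions."""
SOH = b"\x01"
SANCTIONED_FIX_PORTS = {9878}   # assumption: the bank's approved FIX acceptor port


def build_fix(begin_string: str, body: list) -> bytes:
    """Assemble a well-formed FIX message, computing BodyLength (9) and CheckSum (10)."""
    body_bytes = b"".join(f"{tag}={val}".encode() + SOH for tag, val in body)
    head = f"8={begin_string}".encode() + SOH + f"9={len(body_bytes)}".encode() + SOH
    checksum = sum(head + body_bytes) % 256        # sum of every byte before "10="
    return head + body_bytes + f"10={checksum:03d}".encode() + SOH


def parse_fix(payload: bytes):
    """Return the message's fields if payload is a structurally valid FIX message, else None."""
    if not payload.startswith(b"8=FIX") or not payload.endswith(SOH):
        return None
    fields = [f.partition(b"=") for f in payload.split(SOH) if f]
    tags = [(t.decode(errors="replace"), v.decode(errors="replace")) for t, _, v in fields]
    if len(tags) < 4 or tags[1][0] != "9" or tags[-1][0] != "10":
        return None
    try:
        body_start = payload.index(SOH, payload.index(SOH) + 1) + 1  # after 8=..SOH 9=..SOH
        trailer = payload.rindex(SOH + b"10=") + 1                     # start of "10=..."
        if int(tags[1][1]) != trailer - body_start:
            return None                                                 # BodyLength mismatch
        if sum(payload[:trailer]) % 256 != int(tags[-1][1]):
            return None                                                 # CheckSum mismatch
    except ValueError:
        return None
    return dict(tags)


def classify_session(src: str, dst: str, dport: int, payload: bytes) -> dict:
    """Label one reassembled TCP session; alert when FIX rides a non-sanctioned port."""
    msg = parse_fix(payload)
    if msg is None:
        return {"is_fix": False, "alert": None}
    off_port = dport not in SANCTIONED_FIX_PORTS
    alert = (f"FIX {msg['8']} MsgType={msg.get('35')} {src}->{dst}:{dport} on non-standard port"
             if off_port else None)
    return {"is_fix": True, "begin_string": msg["8"], "msg_type": msg.get("35"),
            "nonstandard_port": off_port, "alert": alert}


# Constructed NewOrderSingle (35=D) body; values are illustrative.
NEW_ORDER = [(35, "D"), (49, "BANKDESK"), (56, "EXCH"), (34, 7), (52, "20100315-14:02:11"),
             (11, "ORD1001"), (55, "ACME"), (54, 1), (38, 100), (40, 2), (44, "10.50")]

# Constructed sessions: sanctioned port, non-standard port, and non-FIX traffic.
SESSIONS = [
    ("10.1.2.3", "10.9.9.9", 9878, build_fix("FIX.4.2", NEW_ORDER)),
    ("10.1.2.3", "203.0.113.5", 443, build_fix("FIX.4.2", NEW_ORDER)),
    ("10.1.2.4", "10.9.9.9", 9878, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, dport, payload in SESSIONS:
        print(classify_session(src, dst, dport, payload))
```

Validating BodyLength and CheckSum, rather than just looking for `8=FIX`, is what keeps the detector from firing on FIX fragments quoted inside other traffic, and it is also the point where a tampered-in-flight order (a changed quantity with a stale checksum) stops parsing.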
What is SIEMLink?

SIEMLink™ is a breakthrough in network security monitoring innovation, enabling instant integration of NetWitness NextGen technology with existing enterprise security infrastructures. SIEMLink is a lightweight Windows application designed to act as a transparent, real-time translator of critical security event data between Web-based consoles (such as security information and event management (SIEM) systems, IDS/IPS, and network and system management (NSM) programs) and NextGen. Unlike other techniques used to interface event data sources, SIEMLink requires no special coding or systems integration work to link an organization's existing SIEM with NextGen.
Unique Benefits Provided by NetWitness
» NetWitness provides a powerful new source of alert
information to the SIEM, both in terms of unique network and
application layer analytics generated as events to the SIEM,
and as a network forensics framework for examining SIEM
alerts from all legacy technologies. This approach helps our
financial services customers work smarter and faster, and
empowers expensive and dedicated analyst cycles to ensure
focus on the most difficult problems.
» NetWitness integrates easily with SIEM products. There is no
complex coding or expensive system integration required, and
incident responders experience the benefits immediately.
» NetWitness enriches existing SIEM data sources and increases
the value of your current security tools by providing context
and content to the alert output.
Data Loss Prevention
NetWitness NextGen often is compared to the Data Loss
Prevention (DLP) category of security products. While not a
DLP by the industry analyst definition of the product space,
our financial services customers have demonstrated to us that
their implementations of NextGen both complement existing
DLP installations (in situations where DLPs cannot meet specific
technical requirements) and stand in for a DLP where the
financial institution has not implemented one and is looking for
a broader and deeper range of capabilities in a single enterprise
platform. This section illustrates a few use cases in which our
financial services customers have benefited from NetWitness
NextGen in a DLP context.
FTP Transfers of Sensitive Content — How Bad Is It?
One of the largest banks in the U.S. had implemented the
highest-rated DLP product, but had received no alerts on FTP
transfers of sensitive content. The security team uncovered
unusually large FTP sessions using NetFlow-based technologies,
but it was unclear from the logs what data actually was
transferred to the destination countries (primarily China and
Russia). These transfers apparently had been occurring for some
time. The bank had initially felt that among the DLP, IPS, and
NBAD (NetFlow) technologies, they had everything needed to
detect data leakage problems of this type, but they agreed to do
a pilot of NetWitness NextGen.
During the pilot, the NetWitness NextGen infrastructure provided
the organization full packet capture and session reconstruction
for all of these FTP sessions versus the high-level packet header
inspection associated with their legacy NBAD technology.
NetWitness also took a port agnostic view of these FTP sessions
and found sessions with sensitive data that were invisible to DLP
technologies. In the final analysis, the rogue FTP sessions did
contain valuable and sensitive data and were associated with
ongoing data exfiltration activity from compromised internal
servers. After the purchase of NextGen, the bank implemented
the capability to detect these FTP sessions and other types of
advanced data leakage activities in real-time, and provide alerts
to their security operations center.
Mergers and Acquisitions — Keeping the Secrets Secret
In another situation, a public financial services client wanted
real-time tracking of about 100 keywords associated with
some of its most sensitive activities involving pending mergers
and acquisitions, and network traffic associated with their top
executives and other “persons of interest.” In the past, this
company had not adequately detected attempts to share insider
information with outside entities in violation of SEC regulatory
requirements. This organization owns a well-known DLP product,
but had a number of situations in which DLP came up short in
terms of either preserving any meaningful amount of session
data associated with the keyword alerting requirement, or
the DLP simply did not detect the problem due to a specific
unsupported network or application-layer protocol beyond the
scope of typical office automation applications.
Using NetWitness NextGen, the organization was able to
complement their DLP alerts with the full content and context
of the problem, and maintain a SHA-256 hashed evidence trail in
the case of a potential SEC violation or law enforcement activity.
For issues outside of the scope of their DLP, NextGen provides
visibility into advanced data leakage scenarios, including in this
case, a problem where two end users in highly sensitive areas had
downloaded BearShare and had accidentally shared their entire
hard drive on a public peer-to-peer (P2P) network. This data loss
problem was detected within minutes of occurrence, displayed on
the organization’s SIEM using the techniques described earlier, and
immediately remediated by the security team.
NextGen: A DLP for Advanced and Complex Threats
The specter of data loss in a large financial services company is
the nightmare scenario for everyone from the security staff to
the top executives. One need only look at the daily news to get
a reminder of the prevalence of malicious hackers and insiders
successfully infiltrating a corporate network and exfiltrating PII,
corporate secrets and credit card data. Serious cyber-related
losses at financial services companies rarely become publicly
known with the exception of required regulatory reporting. In
the past, many financial services companies turned to traditional
DLPs for help with regulatory compliance and reporting relative
to sensitive data leakage and compliance with information
control and integrity objectives. One of our largest financial
services customers realized that DLP was not enough, however,
and that they needed another approach to combat the most
advanced and complex threats they are facing.
NextGen does not block traffic the way a DLP does, but against
advanced threats a DLP would not block either. In the case of this
financial services company, NetWitness provided a broad range of
data leakage capabilities that transcended those of their existing DLP:
» Offshore partners with access to sensitive information were
monitored with NetWitness NextGen using targeted watch lists.
This allowed investigatory teams to perform on-demand research
into suspicious activity and to quickly respond to events.
» The bank’s security team monitored email traffic with “auto-
forwarding” enabled with NetWitness NextGen. This monitoring
involved almost daily detections of users forwarding sensitive
information to non-corporate email addresses, which were then
sent to fraud teams for investigation.
» The bank used NetWitness NextGen to detect internal users
bringing up encrypted tunnels to off-site networks through
allowed paths (typically port 80). In one particular case, a user
was observed connecting to a home router that had been
upgraded to aftermarket firmware. His manager was notified
prior to any data loss. This detection also led to further
evaluation of aftermarket router packages, and additional
detection of access to the common status pages that these
devices often provide over port 80.
» Using regular expression functionality in NetWitness NextGen,
the bank monitored all SSN and credit card numbers traversing
the network across any protocol in plain text.
» NetWitness NextGen was used to monitor access to third-
party file storage services and web hosting services. This
approach resulted in many detections of file sharing and non-
corporate webmail use.
» The bank used NetWitness NextGen to monitor for common
third-party proxy packages that allow users to quickly proxy
around existing corporate content-filtering controls.
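The regular-expression monitoring of SSNs and card numbers in the list above, as an added example that is not NetWitness code: a digit pattern alone floods an analyst with order numbers and timestamps, so the scanner pairs the expression with a Luhn check for card numbers and structural rules for SSNs, decodes any payload byte-for-byte so the protocol does not matter, and masks what it reports. The session payloads are constructed; the card numbers are the widely published test numbers, not real accounts.

```python
"""Find plaintext payment card numbers and U.S. SSNs in reassembled sessions, any protocol."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer run.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# AAA-GG-SSSS with the structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"(?<![\d-])(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, subtract 9 if over 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters in anything that leaves the sensor."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> list:
    """Return [(kind, masked_value, offset), ...] for card numbers and SSNs found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                      # drops most order/reference numbers
            hits.append(("card", mask(digits), m.start()))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", mask(m.group()), m.start()))
    return hits


def scan_session(session: dict) -> list:
    """Decode a raw payload as Latin-1 (one char per byte) so any protocol can be scanned."""
    text = session["payload"].decode("latin-1")
    return [{"session": session["id"], "kind": k, "value": v, "offset": o}
            for k, v, o in scan_text(text)]


# Constructed payloads: an FTP data transfer, an SMTP body, and benign HTTP order traffic.
SESSIONS = [
    {"id": "ftp-data-1", "payload": b"name,card,ssn\r\nJ Doe,4111-1111-1111-1111,123-45-6789\r\n"},
    {"id": "smtp-2", "payload": b"Subject: expense\r\n\r\nAmex 378282246310005 used; ref 4111111111111112\r\n"},
    {"id": "http-3", "payload": b"GET /order/1234567890123 HTTP/1.1\r\nX-Id: 666-12-3456\r\n\r\n"},
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(scan_session(s))
```

The lookbehind and lookahead guards stop the card pattern from matching a 16-digit window inside a longer digit run (a hash or a timestamp), which is the other common false positive once Luhn has removed the rest.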
Unique Benefits Provided by NetWitness
» NetWitness NextGen performs many of the data leakage
detection functions of a DLP such as rules-based and
keyword/regex searches, but does not block network traffic.
» For some of our financial services customers, NextGen is a
complement to their DLP. Unlike most DLPs, NextGen records
and stores all packets, enterprise-wide, reassembles and
models all network traffic at the network and application
layers, and provides port-agnostic service identification.
» For other financial services customers, NextGen is their only
DLP-like product. In addition to the stated capabilities, it also
provides customizable network and application parsing that
can leverage live threat feeds and be used in a wide variety of
security operations scenarios across the enterprise.
Additional Use Cases — What Do You Need to Know?
Another of our financial services customers told us that they
position NetWitness to groups within their organization such as
security teams, Legal, Fraud, Audit, HR and other consumers of
the information from NextGen. NetWitness has built NextGen
as an agile, open platform that will scale to enterprise security
needs. This section highlights some additional use cases within
our financial services customer base.
What is NetWitness Live?

NetWitness Live is an online, 24x7 intelligence service that provides immediate access to multi-source threat intelligence and reputational content, fused with your NetWitness infrastructure. This approach helps organizations determine real-time risk to electronic operations, intellectual property, and customer data flows. It also provides continuous augmented awareness of rapidly advancing risks, and strengthens your ability to identify and prioritize changes based upon the internal and external threat landscape.
Staying Current with Emerging Threats
The current threat landscape is a rapidly changing series of
system compromises, malware pushes, phishing attempts,
botnet-based DDoS attacks and zero-day vulnerabilities. The
threat actors understand technology and best practices and,
more importantly, how to exploit these items for financial and
technological gain. One of the main issues with these threats
and the current crop of “best practice” security tools is that they
do not scale without retooling and reconfiguration. To further
complicate matters, these tools are typically deployed in a
large enterprise environment to meet regulatory and business
requirements first and security requirements second. This
approach often results in the removal of or watering-down of
features to avoid business impact (e.g., heuristic AV detection
and intrusion prevention capability in modern intrusion detection
and application firewall systems). Imagine how an enterprise
would deal with these situations:
» A recent botnet-driven DNS reflection attack involved a large
number of bots sending DNS queries with a spoofed source
address to Internet-based DNS servers. Each query asked for the
root zone ("."), and the response, the full list of root name
servers, is many times larger than the query and is returned to
the spoofed address, potentially overwhelming the target. Making
Internet DNS changes at a Fortune 50 financial services company
is not a task that is undertaken or planned lightly. NetWitness
NextGen allowed the InfoSec teams at our clients to monitor this
attack using the charting function in Informer and provision an
effective active network monitoring solution to the security
operations center approximately four hours after discovery of
the attack.
» At another institution, an Internet-based attacker sent information and attachments via email to a number of senior executives, claiming to be interested in releasing "company secrets." Unfortunately, the attachments were stripped by perimeter email controls, so the response teams had no idea what the "compromised" information involved. Because the NextGen infrastructure records full packets, the security team was able to recover the attachments forensically from the captured mail traffic and view the content in its native form (this requires a capture point in front of the control that strips the attachments).
» Most of our financial services customers track and report newly revealed zero-day attacks using NetWitness NextGen. While most enterprises are focused almost exclusively on patching Microsoft vulnerabilities, the capability to monitor at will for exploitation of third-party vulnerabilities (e.g., in PDF readers and Flash) is a tremendous advantage in shortening the risk exposure window associated with new attacks and vulnerabilities. Cyber criminals are aware of the difficulty of patching third-party applications in an enterprise environment, and they attack these applications on a daily basis.
» Using NextGen at one financial services organization, a contract staffing vendor to the bank was discovered to have a compromised business website, which internal contractors were using on a daily basis. The detection came from monitoring for injected iframes: the vendor site appeared as the HTTP referrer on requests to the exploit site.
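The root-zone reflection pattern from the first scenario above, as an added example (my code, not NetWitness code and not how Informer charts it): it builds the 17-byte "." NS query and a constructed root-hints style answer to show the amplification, then walks captured DNS datagrams and reports both sides of the abuse, external sources "asking" our server for the root (the source address is normally the spoofed victim) and answers arriving at our hosts that match no query they sent. The address ranges, the txid bookkeeping and the 192.0.2.x glue addresses are assumptions for the example.

```python
"""Added example (not NetWitness code): spotting the root-NS DNS reflection
pattern in captured DNS datagrams.

Assumptions (constructed for this example): 198.51.100.0/24 is the bank's
address space, 198.51.100.53 its Internet-facing DNS server, 198.51.100.10
an internal resolver; 192.0.2.x and 203.0.113.x are external hosts.
"""
import struct
from collections import Counter

QTYPE_A, QTYPE_NS = 1, 2


def encode_name(name):
    """Wire-format a DNS name; the root '.' is the single zero byte."""
    if name in ("", "."):
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(qname, qtype, txid=0x1234):
    """Standard query, RD set, one question, no records."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def build_root_ns_response(txid=0x1234):
    """Constructed root-hints style answer: 13 NS records for '.' plus one A
    glue record each (192.0.2.x placeholders, no name compression)."""
    names = ["%s.root-servers.net." % c for c in "abcdefghijklm"]
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(names), 0, len(names))
    msg += encode_name(".") + struct.pack("!HH", QTYPE_NS, 1)
    for n in names:
        rdata = encode_name(n)
        msg += encode_name(".") + struct.pack("!HHIH", QTYPE_NS, 1, 518400, len(rdata)) + rdata
    for i, n in enumerate(names):
        msg += encode_name(n) + struct.pack("!HHIH", QTYPE_A, 1, 3600000, 4) + bytes([192, 0, 2, i + 1])
    return msg


def as_response(query):
    """Turn a query into a minimal empty response by setting the QR/RA flags."""
    return query[:2] + struct.pack("!H", 0x8180) + query[4:]


def parse_name(msg, off):
    """Decode a name at offset, following compression pointers if present."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, ptr)
            return (".".join(labels) + "." + tail.lstrip(".") if labels else tail), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_message(msg):
    """Header and first question only; enough for the detection below."""
    txid, flags, _qd, an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = parse_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"txid": txid, "response": bool(flags & 0x8000), "qname": qname,
            "qtype": qtype, "answers": an, "additional": ar, "size": len(msg)}


def amplification_factor(query, response):
    return len(response) / len(query)


def analyze(packets, our_net):
    """packets: iterable of {'src', 'dst', 'data'} UDP/53 datagrams.
    Returns per external source the number of root-NS queries it sent to our
    servers (reflector abuse), and per internal host the answers that match no
    query it sent (we are the reflection victim)."""
    root_ns_queries, unsolicited = Counter(), Counter()
    pending = set()  # (our host, remote server, txid) for queries we sent
    for p in packets:
        m = parse_message(p["data"])
        from_us, to_us = p["src"].startswith(our_net), p["dst"].startswith(our_net)
        if not m["response"]:
            if to_us and not from_us and m["qname"] == "." and m["qtype"] == QTYPE_NS:
                root_ns_queries[p["src"]] += 1
            elif from_us:
                pending.add((p["src"], p["dst"], m["txid"]))
        elif to_us:
            key = (p["dst"], p["src"], m["txid"])
            if key in pending:
                pending.discard(key)
            else:
                unsolicited[p["dst"]] += 1
    return {"root_ns_queries": dict(root_ns_queries),
            "unsolicited_responses": dict(unsolicited)}


def sample_capture():
    """Constructed traffic: a spoofed victim 'asking' our server for '.' NS 50
    times, one legitimate lookup by our resolver, and 30 reflected answers
    hitting the resolver from three external servers."""
    victim, our_dns, our_resolver = "203.0.113.7", "198.51.100.53", "198.51.100.10"
    pkts = []
    for i in range(50):
        pkts.append({"src": victim, "dst": our_dns, "data": build_query(".", QTYPE_NS, i)})
        pkts.append({"src": our_dns, "dst": victim, "data": build_root_ns_response(i)})
    q = build_query("www.example.com.", QTYPE_A, 0x4242)
    pkts.append({"src": our_resolver, "dst": "192.0.2.53", "data": q})
    pkts.append({"src": "192.0.2.53", "dst": our_resolver, "data": as_response(q)})
    for i in range(30):
        pkts.append({"src": "192.0.2.%d" % (100 + i % 3), "dst": our_resolver,
                     "data": build_root_ns_response(0x7000 + i)})
    return pkts


if __name__ == "__main__":
    q, r = build_query(".", QTYPE_NS), build_root_ns_response()
    print("root NS query %d bytes, answer %d bytes, amplification x%.1f"
          % (len(q), len(r), amplification_factor(q, r)))
    print(analyze(sample_capture(), "198.51.100."))
```

The same two counters are what you would chart over time: a spike in root-NS queries from a handful of external addresses means your server is being used as a reflector and the addresses are the victims, while a spike in unmatched answers at an internal host means you are the target; in the second case no DNS change on your side stops it, only upstream filtering does.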
Online Banking — Stopping External Fraud
Online banking (OLB) fraud is an information risk area in which banks lose millions of dollars each year and incur significant reputational risk with customers and investors. One NetWitness financial services customer uses NextGen to identify potentially fraudulent transactions involving Internet hosts connecting into their OLB infrastructure. The customer's team began by asking whether NextGen could help them answer a question: "What are the characteristics of fraudulent OLB transactions on the network, and can we detect them quickly and accurately?" Among the many dimensions to the answer, the bank's security team knew from experience that blacklisted IP addresses connecting to OLB carried a significantly higher risk of fraud.
The bank's security team deployed an infrastructure of NetWitness NextGen Decoders and Concentrators to capture and index the network traffic within their OLB area. Simultaneously, using NextGen, they fused their real-time traffic with the multi-source threat intelligence feeds contained in NetWitness Live. Using this approach, the bank immediately discovered malicious proxy bots connecting to OLB via SSL and forwarded them to the bank's fraud team for action. The fraud team verified that these transactions in particular were almost 80% fraudulent, and had not been discovered previously by existing fraud controls.

Decoder and Concentrator
The NetWitness Decoder appliance is the cornerstone of the NetWitness NextGen™ infrastructure and the key component of an enterprise-wide network data recording solution. Decoder is a real-time, distributed, highly configurable network recording appliance that enables users to collect, filter, and analyze full network traffic in any number of dimensions.
The NetWitness Concentrator appliance facilitates real-time and historical reporting and alerting, and extends the reach of NextGen across multiple capture locations. Concentrator is designed to aggregate data hierarchically for scalability and deployment flexibility across organization-specific network topologies and infrastructures.
The security team also knew from experience that key-logging and form-logging Trojans on the client side inject additional fields when a user attempts to log in to OLB. If the bank's legitimate web form asks for a username/password pair, the form logger might prompt for additional fields such as credit or ATM card number, PIN, expiration date and CVV2. The Trojan then passes these values through to the legitimate banking web server together with the real credentials, in order to disguise the existence of the form logger. The bank's security team uses NetWitness NextGen and its session-level SSL decryption to monitor OLB sessions at the application layer and look for these unexpected form fields in OLB login transactions, providing timely indications and warnings of compromised customer accounts and fraudulent activity. Note that passive decryption of this kind needs the OLB server's private key on the Decoder and only works for cipher suites without forward secrecy (RSA key exchange); with ephemeral Diffie-Hellman suites the plaintext has to be captured on the server side of the TLS termination point instead.
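The form-field check described above, as an added example (my code, not NetWitness code): it parses a decrypted login POST, diffs the submitted field names against the schema the real login page uses, and raises the finding when the extras look like card data, including a Luhn check on any 13 to 19 digit value. The endpoint /olb/login, its three expected fields and both request bodies are constructed for the example.

```python
"""Added example (not NetWitness code): flagging OLB login POSTs that carry
form fields the real login page never asks for, which is the trace a
client-side form-logging Trojan leaves when it relays stolen card data
through the legitimate server. Works on plaintext HTTP, i.e. after the
SSL session has been decrypted.

Assumption (constructed): the login form posts to /olb/login with exactly
the fields username, password and csrf_token."""
import re
from urllib.parse import parse_qs

# Expected field set per login endpoint (assumed schema for this example).
EXPECTED_FIELDS = {"/olb/login": {"username", "password", "csrf_token"}}
CARD_DATA_NAMES = re.compile(r"card|pan|pin|cvv|cvc|exp|atm", re.I)


def luhn_ok(digits):
    """Luhn checksum; true for a well-formed card number (PAN)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_http_request(raw):
    """Minimal HTTP/1.x request parser: request line, headers, urlencoded body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, target.split("?", 1)[0], headers, fields


def inspect_login_post(raw):
    """Return None for requests that are not logins, else a finding dict."""
    method, path, headers, fields = parse_http_request(raw)
    expected = EXPECTED_FIELDS.get(path)
    if method != "POST" or expected is None:
        return None
    extra, missing = set(fields) - expected, expected - set(fields)
    indicators = []
    for name in sorted(extra):
        if CARD_DATA_NAMES.search(name):
            indicators.append("card-data field name: %s" % name)
        digits = re.sub(r"\D", "", fields[name])
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            indicators.append("Luhn-valid card number in field: %s" % name)
    return {"path": path, "host": headers.get("host"), "username": fields.get("username"),
            "extra_fields": sorted(extra), "missing_fields": sorted(missing),
            "indicators": indicators, "suspicious": bool(extra)}


def _post(body):
    """Constructed request wrapper for the sample bodies below."""
    return ("POST /olb/login HTTP/1.1\r\nHost: olb.example-bank.com\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: %d\r\n\r\n%s" % (len(body), body))


CLEAN_LOGIN = _post("username=alice&password=s3cret&csrf_token=7f1a")
# Constructed: a form logger added card number, PIN, expiry and CVV2 prompts
# and submits them together with the real credentials.
INJECTED_LOGIN = _post("username=alice&password=s3cret&csrf_token=7f1a"
                       "&cardnumber=4111+1111+1111+1111&atmpin=1234&expdate=12%2F27&cvv2=123")

if __name__ == "__main__":
    for name, req in (("clean", CLEAN_LOGIN), ("injected", INJECTED_LOGIN)):
        print(name, inspect_login_post(req))
```

The finding carries the account name so the fraud team can act on the customer, not just the session; the Luhn check keeps a harmless extra field (a "remember me" flag, say) from paging anyone, while a Luhn-valid 16-digit value in a field the form never had is close to conclusive.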
In many cases, phishing sites can be identified by examining referrer information on web visits to the customer portal. Phishing sites often redirect victims to the legitimate banking site after collecting their credentials, and in doing so give themselves away: the phishing page shows up as the HTTP referrer. The bank's security team uses NetWitness NextGen to shorten the risk exposure window by reporting on HTTP referrers to OLB portals that are not the bank's own sites, revealing active phishing sites before notification by customers or contracted takedown services.
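The two referrer analyses the text relies on, the phishing-site report just described and the injected-iframe detection from the staffing vendor scenario in the previous section, as one added example (my code, not NetWitness code and not the Informer report): it runs over reconstructed HTTP transactions, lists off-site referrers on portal visits with how many distinct clients each one sent, and correlates hidden off-site iframes found in a response body with the follow-on request whose Referer is that page. BANK_HOSTS, the host names and the sample transactions are constructed for the example.

```python
"""Added example (not NetWitness code): two HTTP-referrer analyses over
reconstructed web transactions. (1) Off-site referrers on requests to the
online banking portal expose phishing pages that forward victims to the real
site. (2) Hidden off-site iframes injected into a page, correlated with the
follow-on request that carries that page as its Referer, expose a compromised
site driving visitors to an exploit site.

Assumptions (constructed): the bank's own hosts are BANK_HOSTS; every other
host name below is a placeholder."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

BANK_HOSTS = {"olb.example-bank.com", "www.example-bank.com"}

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
IFRAME_SRC = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
# zero width/height (attribute or CSS), display:none or visibility:hidden
HIDDEN_STYLE = re.compile(
    r"""(?<!-)\b(width|height)\s*[=:]\s*["']?0(?!\d)|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)


def hidden_iframe_targets(html, page_host):
    """Hosts loaded by invisible iframes that point off the page's own host."""
    targets = []
    for tag in IFRAME_TAG.findall(html):
        m = IFRAME_SRC.search(tag)
        host = urlsplit(m.group(1)).hostname if m else None
        if host and host != page_host and HIDDEN_STYLE.search(tag):
            targets.append(host)
    return targets


def phishing_referrers(transactions):
    """Referrer hosts (with distinct-client counts) on portal visits that did
    not originate from the bank's own pages."""
    seen = defaultdict(set)
    for t in transactions:
        if t["host"] not in BANK_HOSTS or not t.get("referer"):
            continue
        ref_host = urlsplit(t["referer"]).hostname
        if ref_host and ref_host not in BANK_HOSTS:
            seen[ref_host].add(t["client"])
    return {h: len(c) for h, c in seen.items()}


def iframe_exploit_chains(transactions):
    """(client, injected page host, iframe target host, path) for each request
    to a hidden-iframe target whose Referer is the page that carried the iframe."""
    injected = defaultdict(set)  # (client, page host) -> iframe target hosts
    for t in transactions:
        for target in hidden_iframe_targets(t.get("response_body", ""), t["host"]):
            injected[(t["client"], t["host"])].add(target)
    chains = []
    for t in transactions:
        ref_host = urlsplit(t["referer"]).hostname if t.get("referer") else None
        if ref_host and t["host"] in injected.get((t["client"], ref_host), ()):
            chains.append((t["client"], ref_host, t["host"], t["path"]))
    return chains


# Constructed transactions, shaped like a session reconstruction would expose them.
SAMPLE = [
    {"client": "10.1.1.5", "host": "portal.staffing-vendor.example", "path": "/", "referer": None,
     "response_body": '<html><body>Timesheets<iframe src="http://exploit-kit.example/in.php?id=7" '
                      'width="0" height="0" frameborder="0"></iframe></body></html>'},
    {"client": "10.1.1.5", "host": "exploit-kit.example", "path": "/in.php",
     "referer": "http://portal.staffing-vendor.example/", "response_body": ""},
    {"client": "10.1.1.9", "host": "olb.example-bank.com", "path": "/login",
     "referer": "https://secure-examplebank-login.example/verify.php"},
    {"client": "10.1.1.12", "host": "olb.example-bank.com", "path": "/login",
     "referer": "https://secure-examplebank-login.example/verify.php"},
    {"client": "10.1.1.7", "host": "olb.example-bank.com", "path": "/login",
     "referer": "https://www.example-bank.com/"},
    {"client": "10.1.1.20", "host": "www.example-bank.com", "path": "/", "referer": None,
     "response_body": '<iframe src="https://www.example-bank.com/rates" width="600"></iframe>'},
]

if __name__ == "__main__":
    print("possible phishing referrers:", phishing_referrers(SAMPLE))
    print("iframe -> exploit chains:", iframe_exploit_chains(SAMPLE))
```

Two practical caveats: a Referer is only present when the browser chooses to send one (a Referrer-Policy on the phishing page, or an HTTPS to HTTP downgrade, suppresses it), so an empty result is not evidence of absence; and the iframe scan needs the decompressed HTML body, not just the headers, which is exactly what full-packet capture provides and log-only sources do not.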
Unique Benefits Provided by NetWitness
» Using NetWitness NextGen, the bank achieved a reduction of more than $6 million in online banking fraud over a six-month period. Financial services security teams can therefore build a strong business case that attaches a specific ROI to the use of NetWitness within critical environments.
» NetWitness NextGen provides financial institution customers an extensible, agile platform that supports the detection and mitigation of the most advanced threats and fraud techniques.
HR, Fraud, Compliance, Audit, and More
NetWitness can provide advanced visibility and analytics into everything crossing the wire, so there are many potential stakeholders throughout the organization for NetWitness Informer reports and for network forensics analyses using NetWitness Investigator. For some of our financial services customers, many sensitive investigations begin and end with NextGen.
» HR/Fraud: data to support investigations of all types. NextGen natively reconstructs user application protocols such as HTTP, mail, chat, VoIP, and more. Using NetWitness Live and NetWitness Identity, an organization's user directory (e.g., Active Directory) can be linked to the corresponding user sessions and DHCP assignments, so that the actions and behaviors of the bank's end users can be tagged, reconstructed, and viewed as the user experienced them. Many of our financial services customers use NextGen to support both fraud and HR investigations of all levels of complexity.
» Compliance and Audit: security controls are only valuable if they are working. Historically, the efficacy of many network-based security controls has been difficult to verify without detailed audits and penetration tests. NextGen facilitates the verification of scores of network security controls, either interactively through Investigator or through periodic automated reporting using Informer. For many critical network security controls, continuous compliance assurance can be achieved using NetWitness NextGen.
Conclusions
Financial services companies across the globe irrefutably comprise some of the top cybercrime and fraud targets. Similar to many U.S. government agencies, the top financial services firms are taking a close look at NetWitness NextGen as the next logical step in the evolution of their computer network defense program. With NextGen deployed, a number of the top financial institutions are already gaining the key benefits described in this paper:
» Lowering the risks associated with advanced and emerging threats by increasing network visibility and decreasing gap closure time.
» Liberating precious staff hours to focus on the security problems and challenges that matter most, versus sorting through meaningless log files and data streams.
» Finding real fraud and complex data leakage, and stopping the exfiltration of cash, customer records and intellectual property.
» Investing in a platform that will not be obsolete when the next exploit appears, and that will grow as the organization's needs increase.
» A solution that creates tangible value across a wide spectrum of business requirements.
NetWitness Corporation | 500 Grove Street, Suite 300 | Herndon, VA 20170 T: 703.889.8950 | F: 703.651.3126 | [email protected] www.netwitness.com
About NetWitness
NetWitness® Corporation is the world leader in real-time network forensics and automated threat intelligence solutions, helping government and commercial organizations detect, prioritize and remediate complex IT risks. NetWitness solutions concurrently solve a wide variety of information security problems including: advanced persistent threat management; sensitive data discovery and advanced data leakage detection; malware activity discovery; insider threat management; policy and controls verification; and e-discovery. Originally developed for the US Intelligence Community, NetWitness has evolved to provide enterprises around the world with breakthrough methods of network content analysis and host-based risk discovery and prioritization. NetWitness customers include Defense, National Law Enforcement and Intelligence Agencies, Top US and European Banks, Critical Infrastructure, and Global 1000 organizations. NetWitness has offices in the U.S. and the U.K. and partners throughout North and South America, Europe, the Middle East, and Asia.