NETWITNESS AT FINANCIAL SERVICES COMPANIES
A Wealth of Customer Experiences


TABLE OF CONTENTS

Introduction
Advanced Threat Management
  Zero Day Malicious Code — Closing the Exposure Window Faster
  Unique Benefits Provided by NetWitness
  Spear Phishing — Stopping the Truly Targeted Messages
  Unique Benefits Provided by NetWitness
Enterprise Security Integration
  Integrating NetWitness Alerts Into the SIEM
  Getting More Value Out of the SIEM — NetWitness Enriches the Event Stream
  Unique Benefits Provided by NetWitness
Data Loss Prevention
  FTP Transfers of Sensitive Content — How Bad Is It?
  Mergers and Acquisitions — Keeping the Secrets Secret
  NextGen: A DLP for Advanced and Complex Threats
  Unique Benefits Provided by NetWitness
Additional Use Cases — What Do You Need to Know?
  Staying Current with Emerging Threats
  Online Banking — Stopping External Fraud
  Unique Benefits Provided by NetWitness
  HR, Fraud, Compliance, Audit, and More
Conclusions


INTRODUCTION

Faced with an increasing volume of advanced threats and an onerous regulatory compliance burden, top financial services organizations in the U.S. have invested in a broad array of information security point solutions and have implemented security programs capable of sophisticated defensive operations. This paper describes the cumulative experience of a number of financial services security teams who have turned to NetWitness® to complement prior investments and complete their defensive infrastructure.

» NetWitness NextGen™ represents the next generation of network monitoring, providing a virtual Swiss Army knife of analytic tools and capabilities to defend against a broad range of complex problem sets.
» By recording all the traffic crossing key network interfaces, NetWitness NextGen offers the organization the ultimate truth and irrefutable record regarding the actions and behaviors of the network and the entities accessing network resources.
» Through the patented indexing and database technologies supporting the NextGen infrastructure, NetWitness provides an easily searchable, distributed network database of metadata representing the deep content and context of all network communications from OSI layers 2 through 7.
» The automated analytics and interactive network forensics within NextGen provide both gap coverage for deficiencies in current defense-in-depth infrastructures and infinite extensibility for new capabilities to detect emerging and advanced threats faced by many organizations.

Each section of this paper provides examples of specific business use cases under which NetWitness NextGen is providing a world of value to top financial services companies:

» Advanced Threat Management
» Enterprise Security Integration
» Data Loss Prevention
» Additional Use Cases

ADVANCED THREAT MANAGEMENT

ZERO DAY MALICIOUS CODE — CLOSING THE EXPOSURE WINDOW FASTER

In the current threat environment, cyber criminal-driven malware distribution occurs with two specific goals:

» Propagating botnets for a variety of reasons;
» Theft of information (login credentials, financial information, customer records, etc.).

A typical use of NetWitness at financial services companies involves the identification of malicious code and unauthorized network traffic that is evading current security controls and network monitoring techniques.

To further complicate this scenario, much of today’s malicious code uses encrypted and obfuscated communication methods through allowed paths (e.g., port 443) to hamper detection and identification. It is this capability that renders most current data loss protection mechanisms and investments marginally effective, if effective at all, against these threats. The current response focus at many financial services companies is to react to malware infections after the malware has successfully infected an endpoint. While this may be an effective way to limit internal botnet propagation, it has limited effectiveness against immediate data loss. To attack this problem proactively using NetWitness NextGen, our customers implemented the following practices:

» Deployed NetWitness NextGen at gateways and critical connection points, and fused corporate network traffic with the multi-source threat feeds contained in NetWitness Live to identify any and all sessions to known malicious locations.
» Once this “bad” traffic is identified, the banks are able to easily pinpoint internal infected hosts and use NetWitness Investigator to analyze these machines and associated network traffic to determine any second-stage infection traffic, source of infection and sensitivity of the employee involved.
» Using the information gathered from NextGen during the first alert, the security team quickly and easily uses NetWitness Investigator and Informer to provide the network forensics information needed to extrapolate additional characteristics regarding the malware including autonomous systems, hostnames, filenames and traffic patterns. This data is pushed back into NextGen for additional analysis. This process frequently results in the identification of additional compromise that is completely undetected by existing controls.
» On multiple occasions, entire network ranges and autonomous systems are blocked from communication with the organization based on this information.
» Cyber criminals tend to find hosts that are friendly to their activities and park command and control and drop sites in these locations, which are reused across malware campaigns.


Unique Benefits Provided by NetWitness

» Dramatically improved visibility for the security team of what is really happening on the organization’s internal network and Internet traffic and how these events actually were affecting internal IT assets and devices.
» Allows proactive identification, prioritization, and timely provision of information required to block malicious locations based on actual impact to the organization’s business operations and data.
» Shortens the gap exposure window — e.g., proactive removal of zero day events versus waiting for AV and IDS/IPS vendors to catch up and detect already infected hosts.

SPEAR PHISHING — STOPPING THE TRULY TARGETED MESSAGES

For a number of our financial services customers, highly targeted spear phishing of employees (e.g., an email created specifically to target an individual within the bank) had resulted in significant dollar losses. Most modern email filtering/attachment scanning and gateway systems do a decent job of holding back the tide of spam, run-of-the-mill phishing attempts, and known malware. However, well-engineered spear phishing attacks that leverage custom malware, well-researched message content (the message is crafted specifically for that individual) and zero-day exploits slip through the cracks. Once the adversary has a foothold on the network, it is only a matter of time until other footholds are established via lateral movement, additional sophisticated malware is installed on systems that house valuable information, and data exfiltration begins.

Successful detection, identification and remediation of sophisticated spear phishing in an organization that receives hundreds of thousands of emails every day had been difficult before NextGen, and most anti-spam/phishing technologies are attenuated at the enterprise level to tune out the noise versus the most sophisticated attacks. Despite having a state-of-the-art filtering system, the well-engineered spear phishing attacks almost always slip through this barrier undetected. By leveraging inherent analytic capabilities unique to NetWitness, however, this very difficult task is now fairly routine. Using a combination of custom NetWitness Flex Parsers (i.e., SMTP character set, spoofed sender, identification of attachment PE file header information, and others), keyword hits in subject and/or attachments, examining country of origin, and fusion with custom NetWitness Live threat feeds, it is possible to ferret out these needles in the haystack.

NetWitness Flex Parse technology provides a facility making it easy for security analysts in the organization to create custom parsers to detect and alert on certain combinations of incoming email traffic that present the highest risk. In the case of this spear phishing problem, Flex Parser vectors include SMTP character set, detection of spoofed email sender addresses, identification of Windows executable files masquerading as other file types, and extraction of certain combinations of characteristics of PDF files.

Because Flex Parsers are implemented as part of the real-time capture and index technology with NetWitness Decoder and Concentrator appliances, if an email possesses some or all of these characteristics, NextGen generates an appropriate alert (e.g., “High_Risk_Spearphishing”) so that the bank’s security operations analysts can react to the content and take appropriate action. Time is of the essence in these types of attacks to prevent lateral movement in the network and mitigate damage.

INVESTIGATOR AND INFORMER

NetWitness Investigator is the award-winning network forensics application that provides security teams, auditors, and fraud and forensics investigators the power to perform unprecedented free-form contextual analysis of massive volumes of raw network data captured and reconstructed by the NextGen infrastructure. With its groundbreaking user interface and unprecedented analytics, Investigator lets you see your network traffic in a new way. Both novice and expert users can use Investigator to dive deeply into the context and content of network sessions in real time, making threat analysis that once took days take only minutes.

NetWitness Informer is the automated analyst providing enterprise reporting, live charting and alerting for the NextGen solution. Informer leverages the power inherent in the NextGen data capture and session reconstruction infrastructure to provide detailed reporting, charting and alerting on advanced threats and malware, insider threats, data leakage, compliance verification, IT asset misuse, hacker activities, and a host of other problems.

Unique Benefits Provided by NetWitness

» Vastly improves the time delta from attack to detection, preventing additional “infections” and, therefore, reducing the man-hours required to respond and mitigate damage (forensic media imaging, documentation and reporting, etc.).
» Prevents financial loss and exfiltration of sensitive information (prevention of fraudulent transactions, adverse media coverage, regulatory and legal scrutiny, increased oversight, embarrassment, substantial damage to reputation).
» Potential for sharing of meaningful sector-specific threat intelligence in the form of analysis reports (attack signatures and other indicators) to other financial services companies and government agencies to determine sector-wide trends and impacts.
» Substantially decreases the amount of time that security operations center analysts spend sifting through hundreds of thousands of messages in the email haystack on a daily basis. This change in security operations results in increased productivity and additional man-hours available for more important tasks.

ENTERPRISE SECURITY INTEGRATION

NetWitness is purpose-built to support easy integration into existing enterprise security operations — both at the systems integration level and at the people/process levels. Many of our financial services customers have implemented commercial SIEM products, including ArcSight ESM and RSA Envision. NetWitness offers the next logical step for these financial services companies, providing two equally important paths to integrate the analytic power of NextGen into their incident response and event management processes.

» Provision of groundbreaking NextGen analytics and alerts into the SIEM dashboard and event framework.
» Enrichment of SIEM alerts sourced from legacy security technologies with the power of NextGen contextual network forensics.

INTEGRATING NETWITNESS ALERTS INTO THE SIEM

Throughout this paper we describe many types of situations in which our financial services customers are using NetWitness NextGen to discover specific problems such as malware, spear phishing, data exfiltration, unauthorized communications, etc. For environments in which the organization has implemented a SIEM, NetWitness provides a simple but powerful facility to pass event data from NextGen to the SIEM’s alerting interface. For example, for some of our banking customers, our alerts move directly into ArcSight via the vendor’s Common Event Format (CEF). For customers working with other security vendors, we provide NextGen event data to syslog servers or via other output mechanisms designed to integrate easily with their SIEM alerting interface.

This SIEM integration capability translates to significant improvements in the efficiency of incident responders and decreases in corporate risk exposure time when responding to specific situations. For example, one financial services customer was particularly concerned about detection and rapid remediation of successful malicious redirection attacks (e.g., “malvertising,” search engine optimization (SEO) poisoning, etc.). This organization created NetWitness Flex Parsers to identify successful HTTP redirects to malicious sites and files, and used NetWitness Informer, the automated analyst, to channel alerts about the affected IT assets directly to ArcSight.

The end result was that the bank’s analysts could identify and remediate the damage almost immediately on this complex threat and compromise scenario. Once a NetWitness event appears within ArcSight ESM as an alert, the bank’s analysts quickly confirm the malicious activity by simply right-clicking on the alert within the ArcSight console, thereby sending a request to view the related session data in NetWitness Investigator.

From here, the analysts have complete information — the entire content and context surrounding the alert in question. Without NextGen, the bank would not have been able to easily produce this alert. Even if it had created the alert using some combination of legacy technologies, the bank would not have had the ability to instantly view the actual reconstructed network session data associated with the suspect network traffic and perform pinpoint network forensics and short term remediation.

FLEX PARSER IN ACTION

If a PDF attachment contains a flag indicating that an action is automatically performed when a page of the document is viewed (/AA = annotation action) or when the document is opened (/OpenAction = action is performed when PDF is opened) combined with the presence of JavaScript (/JS or /JavaScript flags), the parser assigns a high risk value to this attachment.

If the SMTP character set of the incoming message is GB2312 or Big5, analysis of past successful spear phishing attacks shows that email messages with this type of character encoding present a much higher risk than other character encodings.

As a final step in the lifecycle of this type of problem, the bank’s analysts used data gleaned from a combination of Flex Parsing and NetWitness Decoder application rules to identify patterns in the malicious traffic and translate this logic into HTTP/HTTPS proxy filtering on other technologies that caught and blocked over 95% of future similar attacks.
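The Flex Parser heuristics in the sidebar above (GB2312/Big5 charset, PDF auto-action plus JavaScript, executables masquerading as other file types) and the CEF hand-off to ArcSight described earlier, worked through as an added Python example that is not NetWitness code. The scoring weights, the 70-point threshold, the CEF vendor/product/version header fields and the sample message are all constructed assumptions.

```python
"""Spear-phishing scoring modelled on the Flex Parser heuristics described above,
with the verdict emitted as an ArcSight CEF line. Added example, not NetWitness
code; weights, the 70-point threshold and the CEF header fields are assumptions."""
import base64
import re
from email import message_from_bytes

HIGH_RISK_CHARSETS = {"gb2312", "big5"}                # from the paper's sidebar
# /AA is the PDF additional-actions dictionary (the paper calls it "annotation
# action"); /OpenAction fires when the document is opened.
PDF_AUTO_ACTION = re.compile(rb"/(AA|OpenAction)\b")
PDF_JAVASCRIPT = re.compile(rb"/(JS|JavaScript)\b")
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}
HIGH_RISK_THRESHOLD = 70                                 # assumed cut-off

def message_charset(msg) -> str:
    """Declared charset of the first part carrying one (multipart roots have none)."""
    for part in msg.walk():
        cs = part.get_content_charset()
        if cs:
            return cs.lower()
    return ""

def pdf_risk(filename: str, data: bytes) -> int:
    """High risk only for a PDF carrying an auto-action hook AND JavaScript."""
    is_pdf = data[:5] == b"%PDF-" or filename.lower().endswith(".pdf")
    return 70 if is_pdf and PDF_AUTO_ACTION.search(data) and PDF_JAVASCRIPT.search(data) else 0

def masquerading_pe(filename: str, data: bytes) -> bool:
    """A Windows PE starts with the 'MZ' DOS header whatever its extension claims."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return data[:2] == b"MZ" and ext not in EXECUTABLE_EXTENSIONS

def score_message(raw: bytes) -> dict:
    """Apply the three heuristics to one raw RFC 822 message and return a verdict."""
    msg = message_from_bytes(raw)
    score, reasons = 0, []
    cs = message_charset(msg)
    if cs in HIGH_RISK_CHARSETS:
        score += 30
        reasons.append(f"charset={cs}")
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue                                      # not an attachment
        payload = part.get_payload(decode=True) or b""
        points = pdf_risk(fname, payload)
        if points:
            score += points
            reasons.append(f"pdf_auto_action_js:{fname}")
        if masquerading_pe(fname, payload):
            score += 80
            reasons.append(f"pe_masquerade:{fname}")
    return {"score": score, "reasons": reasons, "high_risk": score >= HIGH_RISK_THRESHOLD,
            "sender": msg.get("From", ""), "recipient": msg.get("To", "")}

def to_cef(result: dict) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension, escaped per spec."""
    hdr = lambda s: s.replace("\\", "\\\\").replace("|", "\\|")   # header: \ and |
    ext = lambda s: s.replace("\\", "\\\\").replace("=", "\\=")   # extension: \ and =
    name = "High_Risk_Spearphishing" if result["high_risk"] else "Spearphishing_Indicator"
    severity = 9 if result["high_risk"] else 4                    # CEF severity is 0-10
    extension = " ".join([f"suser={ext(result['sender'])}", f"duser={ext(result['recipient'])}",
                          f"cn1={result['score']}", "cn1Label=riskScore",
                          f"msg={ext(';'.join(result['reasons']))}"])
    return f"CEF:0|NetWitness|NextGen|1.0|{hdr(name)}|{hdr(name)}|{severity}|{extension}"

# Constructed sample (not a real capture): GB2312 body, a PDF whose catalog has
# /OpenAction pointing at a /JavaScript action, and an 'MZ' stub named like a .doc.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS () >> endobj\n%%EOF\n")
SAMPLE_PE = b"MZ" + b"\x00" * 30

def build_sample_message() -> bytes:
    boundary = "nw-example-boundary"
    def part(headers: str, body: bytes) -> bytes:
        return f"--{boundary}\r\n{headers}\r\n\r\n".encode() + body + b"\r\n"
    return (b"From: executive@example.test\r\nTo: treasury@example.test\r\n"
            b"Subject: Wire confirmation\r\nMIME-Version: 1.0\r\n"
            + f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n\r\n'.encode()
            + part('Content-Type: text/plain; charset="gb2312"', b"Please review the attached.")
            + part('Content-Type: application/pdf\r\nContent-Disposition: attachment; '
                   'filename="statement.pdf"\r\nContent-Transfer-Encoding: base64',
                   base64.b64encode(SAMPLE_PDF))
            + part('Content-Type: application/msword\r\nContent-Disposition: attachment; '
                   'filename="Q3_report.doc"\r\nContent-Transfer-Encoding: base64',
                   base64.b64encode(SAMPLE_PE))
            + f"--{boundary}--\r\n".encode())

if __name__ == "__main__":
    verdict = score_message(build_sample_message())
    print(to_cef(verdict))        # the line a syslog forwarder would hand to ArcSight
```

The constructed message trips all three heuristics and scores 180, so the emitted line carries the paper's "High_Risk_Spearphishing" name at CEF severity 9; a message with only the GB2312 charset would stay below the threshold and be named as an indicator instead.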

GETTING MORE VALUE OUT OF THE SIEM — NETWITNESS ENRICHES THE EVENT STREAM

Another financial services customer is an advanced SIEM user. This organization had invested heavily in SIEM and log aggregation solutions, both with hard dollars for the technology and with hundreds of human hours in terms of system integration and fine tuning. Unfortunately, the SIEM capability still was not helping the bank close the most difficult security issues quickly enough to limit financial damage. At the outset of our relationship with the bank, they were in the middle of trying to clean up a zero-day virus footprint on the network and answer an important question: how were their systems infected, and what damage had occurred due to unauthorized outbound communication from sensitive areas of the organization after infection? The bank simply did not possess enough information to answer this question in spite of all their investments.

One technological constraint was the lack of detailed contextual data contained in SIEM alerts due to the inherent limitations of classic SIEM inputs such as log files and flow messages. Another major issue was the challenge of searching through millions of lines of firewall and IDS logs in an attempt to perform network forensics to get to the root cause of the virus issue and the potential subsequent lateral malware activity and data exfiltration damage. The customer deployed NetWitness NextGen across their gateways and our SIEMLink product on their incident responders’ desktop consoles. Using this combination, whenever their SIEM flags an event of interest, the bank’s analysts are able to display the alert on the SIEM console, and then use SIEMLink to send the alert parameters to NetWitness Investigator. In this manner, the bank’s security analysts perform numerous functions, such as the investigation of IDS/IPS alerts and verification of rules in place (denies on proxies, blocking of threats such as IRC or various “beaconing” techniques).

No matter what the issue, the bank’s analysts have the option of viewing every SIEM alert within the full content and context of the associated network sessions, and performing immediate network forensics from the correct starting point. This capability does not exist in any other technology on the market today. Competitor approaches that involve partial packet captures triggered from IDS or SIEM rules or the use of “high speed” sniffer boxes or PCAP stores relegate the bank’s analysts to hours of searching without the benefit of exact event integration, complete event context, and the rich application layer metadata only found in the NextGen data framework.

At this same financial institution, the customer also developed their own unique analytics using Flex Parse to detect the presence of the Financial Information Exchange (FIX) protocol. With full visibility into this protocol, the analysts track network layer issues such as FIX being used over non-standard ports, and at the application layer, arbitrage anomalies, to help improve compliance with SEC reporting requirements. All of the alerts associated with these unique uses of NextGen are brought directly into the organization’s SIEM via ArcSight CEF, are alerted on the ArcSight ESM console, and then can be analyzed in detail using NetWitness Investigator with a single mouse click in ArcSight.

WHAT IS SIEMLINK?

SIEMLink™ is a breakthrough in network security monitoring innovation, enabling instant integration of NetWitness NextGen technology with existing enterprise security infrastructures. SIEMLink is a lightweight Windows application designed to act as a transparent, real-time translator of critical security event data between Web-based consoles, such as security event and information management (SIEM) systems, IDS/IPS, and network and system management (NSM) programs. Unlike other techniques used to interface event data sources, SIEMLink™ requires no special coding or systems integration work to link an organization’s existing SIEM with NextGen.


Unique Benefits Provided by NetWitness

» NetWitness provides a powerful new source of alert information to the SIEM, both in terms of unique network and application layer analytics generated as events to the SIEM, and as a network forensics framework for examining SIEM alerts from all legacy technologies. This approach helps our financial services customers work smarter and faster, and empowers expensive and dedicated analyst cycles to ensure focus on the most difficult problems.
» NetWitness integrates easily with SIEM products. There is no complex coding or expensive system integration required, and incident responders experience the benefits immediately.
» NetWitness enriches existing SIEM data sources and increases the value of your current security tools by providing context and content to the alert output.

DATA LOSS PREVENTION

NetWitness NextGen often is compared to the Data Loss Prevention (DLP) category of security products. While not a DLP by the industry analyst definition of the product space, our financial services customers have demonstrated to us that their implementations of NextGen both complement existing DLP installations (in situations where DLPs cannot meet specific technical requirements) and replace DLPs in situations where the financial institution has not implemented a DLP and is looking for a broader and deeper range of capabilities in a single enterprise platform. This section illustrates a few use cases in which our financial services customers have benefited from NetWitness NextGen in a DLP use case context.

FTP TRANSFERS OF SENSITIVE CONTENT — HOW BAD IS IT?

One of the largest banks in the U.S. had implemented the highest-rated DLP product, but had received no alerts on FTP transfers of sensitive content. The security team uncovered unusually large FTP sessions using netflow-based technologies, but it was unclear from the logs what data actually was transferred to the destination countries (primarily China and Russia). These transfers apparently had been occurring for some time. The bank had initially felt that among the DLP, IPS, and NBAD (netflow) technologies, they had everything needed to detect data leakage problems of this type, but they agreed to do a pilot of NetWitness NextGen.

During the pilot, the NetWitness NextGen infrastructure provided the organization full packet capture and session reconstruction for all of these FTP sessions versus the high-level packet header inspection associated with their legacy NBAD technology. NetWitness also took a port agnostic view of these FTP sessions and found sessions with sensitive data that were invisible to DLP technologies. In the final analysis, the rogue FTP sessions did contain valuable and sensitive data and were associated with ongoing data exfiltration activity from compromised internal servers. After the purchase of NextGen, the bank implemented the capability to detect these FTP sessions and other types of advanced data leakage activities in real time, and provide alerts to their security operations center.

MERGERS AND ACQUISITIONS — KEEPING THE SECRETS SECRET

In another situation, a public financial services client wanted real-time tracking of about 100 keywords associated with some of its most sensitive activities involving pending mergers and acquisitions, and network traffic associated with their top executives and other “persons of interest.” In the past, this company had not adequately detected attempts to share insider information with outside entities in violation of SEC regulatory requirements. This organization owns a well-known DLP product, but had a number of situations in which DLP came up short in terms of either preserving any meaningful amount of session data associated with the keyword alerting requirement, or the DLP simply did not detect the problem due to a specific unsupported network or application-layer protocol beyond the scope of typical office automation applications.

Using NetWitness NextGen, the organization was able to complement their DLP alerts with the full content and context of the problem, and maintain a SHA-256 hashed evidence trail in the case of a potential SEC violation or law enforcement activity. For issues outside of the scope of their DLP, NextGen provides visibility into advanced data leakage scenarios, including in this case a problem where two end users in highly sensitive areas had downloaded BearShare and had accidentally shared their entire hard drive on a public peer-to-peer (P2P) network. This data loss problem was detected within minutes of occurrence, displayed on the organization’s SIEM using the techniques described earlier, and immediately remediated by the security team.

NEXTGEN: A DLP FOR ADVANCED AND COMPLEX THREATS

The specter of data loss in a large financial services company is the nightmare scenario for everyone from the security staff to the top executives. One need only look at the daily news to get a reminder of the prevalence of malicious hackers and insiders successfully infiltrating a corporate network and exfiltrating PII, corporate secrets and credit card data. Serious cyber-related losses at financial services companies rarely become publicly known with the exception of required regulatory reporting. In the past, many financial services companies turned to traditional DLPs for help with regulatory compliance and reporting relative to sensitive data leakage and compliance with information control and integrity objectives. One of our largest financial services customers realized that DLP was not enough, however, and that they needed another approach to combat the most advanced and complex threats they are facing.

NextGen does not perform prevention like a DLP, but for advanced threats, no DLP would. In the case of this financial services company, NetWitness provided a broad range of data leakage capabilities that transcended the capabilities of their existing DLP:

» Offshore partners with access to sensitive information were monitored with NetWitness NextGen using targeted watch lists. This allowed investigatory teams to perform on-demand research into suspicious activity and to quickly respond to events.
» The bank’s security team monitored email traffic with “auto-forwarding” enabled with NetWitness NextGen. This monitoring involved almost daily detections of users forwarding sensitive information to non-corporate email addresses, which were then sent to fraud teams for investigation.
» The bank used NetWitness NextGen to detect internal users bringing up encrypted tunnels to off-site networks through allowed paths (typically port 80). In one particular case, a user was observed connecting to a home router that had been upgraded to aftermarket firmware. His manager was notified prior to any data loss. This detection also led to further evaluation of aftermarket router packages, and additional detection of access to the common status pages that these devices often provide over port 80.
» Using regular expression functionality in NetWitness NextGen, the bank monitored all SSN and credit card numbers traversing the network across any protocol in plain text.
» NetWitness NextGen was used to monitor access to third-party file storage services and web hosting services. This approach resulted in many detections of file sharing and non-corporate webmail use.
» The bank used NetWitness NextGen to monitor for common third-party proxy packages that allow users to quickly proxy around existing corporate content-filtering controls.

Unique Benefits Provided by NetWitness

» NetWitness NextGen performs many of the data leakage detection functions of a DLP such as rules-based and keyword/regex searches, but does not block network traffic.
» For some of our financial services customers, NextGen is a complement to their DLP. Unlike most DLPs, NextGen records and stores all packets, enterprise-wide, reassembles and models all network traffic at the network and application layers, and provides port-agnostic service identification.
» For other financial services customers, NextGen is their only DLP-like product. In addition to the stated capabilities, it also provides customizable network and application parsing that can leverage live threat feeds and be used in a wide variety of security operations scenarios across the enterprise.

Additional Use Cases — What Do You Need to Know?

Another of our financial services customers told us that they position NetWitness to groups within their organization such as security teams, Legal, Fraud, Audit, HR and other consumers of the information from NextGen. NetWitness has built NextGen as an agile, open platform that will scale to enterprise security needs. This section highlights some additional use cases within our financial services customer base.

What Is NetWitness Live?

NetWitness Live is an online, 24x7 intelligence service that provides immediate access to multi-source threat intelligence and reputational content and fusion for your NetWitness infrastructure. This approach helps organizations determine real-time risk to electronic operations, intellectual property, and customer data flows. It also provides continuous augmented awareness into rapidly advancing risks, and strengthens your ability to identify and prioritize changes based upon the internal and external threat landscape.


Staying Current With Emerging Threats

The current threat landscape is a rapidly changing series of system compromises, malware pushes, phishing attempts, botnet-based DDoS attacks and zero-day vulnerabilities. The threat element understands technology and best practices and, more importantly, how to exploit these items for financial and technological gain. One of the main issues with these threats and the current crop of “best practice” security tools is that the tools do not scale without retooling and reconfiguration. To further complicate matters, these tools are typically deployed in a large enterprise environment to meet regulatory and business requirements first and security requirements second. This approach often results in the removal or watering-down of features to avoid business impact (e.g., heuristic AV detection and intrusion prevention capability in modern intrusion detection and application firewall systems). Imagine how an enterprise would deal with these situations:

» A recent botnet-driven DNS reflection attack involved a large number of bots sending spoofed DNS queries to Internet-based DNS servers. This attack involved sending a single “.” request, which returned the full list of root DNS servers to the spoofed address, potentially overwhelming the target with requests. Making Internet DNS changes to a Fortune 50 financial services company is not a task that is undertaken and planned lightly. NetWitness NextGen allowed the InfoSec teams at our clients to monitor this attack using the charting function in Informer and provision an effective active network monitoring solution to the security operations center in approximately four hours from discovery of the attack.

» At another institution, an Internet-based hacker sent information and attachments via email to a number of senior executives claiming to be interested in releasing “company secrets.” Unfortunately, these attachments were stripped by perimeter email controls, so the response teams had no idea what the “compromised” information involved. The very nature of the NextGen full packet infrastructure permitted the security team to recover the attachments in question forensically and view the content in question in its native form.

» Most of our financial services customers track and report newly revealed zero-day attacks using NetWitness NextGen. While most enterprises are focused almost exclusively on patching Microsoft vulnerabilities, the capability to monitor third party vulnerabilities at will (e.g., PDF and Flash) is a tremendous advantage in shortening the risk exposure window associated with new attacks and vulnerabilities. Cyber criminals are aware of the difficulty in patching third-party applications in an enterprise environment and they are attacking these applications on a daily basis.

» Using NextGen at one financial services organization, a contract staffing vendor to the bank was discovered with a compromise on their business website, which internal contractors were using on a daily basis. This detection came about due to the monitoring of injected iframes, as the vendor site appeared as an HTTP referrer to the exploit site.
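The DNS reflection pattern in the first bullet, as an added detection example (Python, not NetWitness code): seen from the reflecting resolver, the spoofed source address is the victim, so the signal is a burst of “.” NS queries attributed to one client whose responses are many times larger than the queries. The record layout, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict

# Added example, not NetWitness code: flag bursts of root-NS ("." / NS) queries
# per client and time window together with the response/query amplification ratio.
# Record layout is a constructed assumption, not a NetWitness or resolver log format:
# (epoch_seconds, client_ip, qname, qtype, query_bytes, response_bytes)
SAMPLE_QUERIES = [
    (1000, "203.0.113.5", ".", "NS", 17, 512),
    (1001, "203.0.113.5", ".", "NS", 17, 512),
    (1001, "203.0.113.5", ".", "NS", 17, 512),
    (1002, "203.0.113.5", ".", "NS", 17, 512),
    (1003, "203.0.113.5", ".", "NS", 17, 512),
    (1004, "198.51.100.7", "www.example.com", "A", 33, 49),
    (1005, "198.51.100.8", ".", "NS", 17, 512),   # a single, ordinary root query
]

def find_reflection_victims(records, window=60, min_queries=5, min_amp=10.0):
    """Return one alert per (client, window) that drew at least min_queries
    root-NS responses with an average amplification of at least min_amp.
    The 'client' is the packet's source address, i.e. the spoofed victim."""
    buckets = defaultdict(lambda: [0, 0, 0])   # (client, window) -> [n, qbytes, rbytes]
    for ts, client, qname, qtype, qbytes, rbytes in records:
        if qname == "." and qtype == "NS":
            b = buckets[(client, ts // window)]
            b[0] += 1
            b[1] += qbytes
            b[2] += rbytes
    alerts = []
    for (client, win), (n, qbytes, rbytes) in sorted(buckets.items()):
        amp = rbytes / qbytes if qbytes else 0.0
        if n >= min_queries and amp >= min_amp:
            alerts.append({"client": client, "window_start": win * window,
                           "queries": n, "amplification": round(amp, 1)})
    return alerts
```

A single root query from a legitimate resolver stays below the count threshold, so only the address that received five amplified responses in one window is reported.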

Online Banking — Stopping External Fraud

Online banking (OLB) fraud is an information risk area in which banks lose millions of dollars each year and incur significant reputational risk with customers and investors. One NetWitness financial services customer uses NextGen to identify potentially fraudulent transactions involving Internet hosts connecting into their OLB infrastructure. Our customer’s team began their work by asking if NextGen could help them answer a question: “What are the characteristics of fraudulent OLB transactions on the network and can we detect them quickly and accurately?” Among the many dimensions to the response, the bank’s security team knew from experience that blacklisted IP addresses connecting to OLB had a significantly higher risk of fraud.

The bank’s security team deployed an infrastructure of NetWitness NextGen Decoders and Concentrators to capture and index the network traffic within their OLB area. Simultaneously, using NextGen, they fused their real-time traffic with the multi-source threat intelligence feeds contained in NetWitness Live. Using this approach, the bank immediately discovered malicious proxy bots connecting to OLB via SSL and forwarded them to the bank’s fraud team for action. The fraud team verified that these transactions, in particular, were almost 80% fraudulent, and had not been discovered previously by existing fraud controls.

Decoder and Concentrator

The NetWitness Decoder appliance is the cornerstone of the NetWitness NextGen™ infrastructure and the key component of an enterprise-wide network data recording solution. Decoder is a real-time, distributed, highly configurable network recording appliance that enables users to collect, filter, and analyze full network traffic in an infinite number of dimensions.

The NetWitness Concentrator appliance facilitates real-time and historical reporting and alerting, and extends the reach of NextGen across multiple capture locations. Concentrator is designed to aggregate data hierarchically for ultimate scalability and deployment flexibility across various organization-specific network topologies and infrastructures.

The security team also knew from experience that key logging and form logging Trojans on the client side will log additional fields when a user attempts a login to OLB. If the bank’s legitimate web form asks for a username/password pair, the form logger might request additional fields for credit card or ATM card number, PINs, expiration dates and CVV2 numbers. The Trojan will then pass these values to the legitimate banking web server in order to disguise the existence of the form logger. The bank’s security team uses NetWitness NextGen and its inherent ability to perform session-level SSL decryption to monitor OLB sessions at the application layer to look for these additional form fields in OLB transactions, providing timely indications and warnings of compromised customer accounts and fraudulent activities.

In many cases, phishing sites can be identified by examining referrer information from web visits to the customer portal. Phishing sites will often redirect visitors to the legitimate banking site after collecting credentials and may give themselves away. The bank’s security team uses NetWitness NextGen to shorten the potential risk exposure window by identifying HTTP referrer information to OLB portals and revealing active phishing sites prior to notification by customer or contracted takedown services.
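The three OLB indicators this section describes, as one added triage example (Python, not NetWitness or the bank’s code): a blacklisted source address, login POSTs carrying fields the legitimate form never asks for (the form-logger signature), and a referrer host that is not one of the bank’s own properties (a candidate phishing page). It assumes the sessions have already been decrypted and reconstructed at the application layer; the hostnames, field names, feed entries and sample sessions are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Added example, not NetWitness code. Hosts, field names and the feed below are
# constructed stand-ins, not a NetWitness Live feed or any bank's real data.
OLB_HOSTS = {"olb.example-bank.test"}                       # legitimate portal(s)
EXPECTED_LOGIN_FIELDS = {"username", "password", "csrf_token"}
TRUSTED_REFERRERS = OLB_HOSTS | {"www.example-bank.test"}   # the bank's own sites
THREAT_FEED_IPS = {"203.0.113.45"}                           # blacklisted sources

def score_session(session):
    """Return the reasons (possibly none) a reconstructed OLB session is suspect."""
    reasons = []
    if session["src_ip"] in THREAT_FEED_IPS:
        reasons.append("source on threat-intel blacklist")
    if session.get("method") == "POST" and session.get("path") == "/login":
        fields = set(parse_qs(session.get("body", ""), keep_blank_values=True))
        extra = fields - EXPECTED_LOGIN_FIELDS
        if extra:   # a form logger asks for card/PIN/CVV2 data the real form never does
            reasons.append("unexpected login fields: " + ", ".join(sorted(extra)))
    ref_host = urlsplit(session.get("referrer", "")).hostname
    if ref_host and ref_host not in TRUSTED_REFERRERS:
        reasons.append("untrusted referrer: " + ref_host)
    return reasons

# Constructed sample sessions (hypothetical): clean, form-logger victim, phishing redirect
SAMPLE_SESSIONS = [
    {"src_ip": "198.51.100.10", "method": "POST", "path": "/login",
     "referrer": "https://www.example-bank.test/",
     "body": "username=alice&password=x&csrf_token=t"},
    {"src_ip": "203.0.113.45", "method": "POST", "path": "/login",
     "referrer": "https://olb.example-bank.test/login",
     "body": "username=bob&password=y&csrf_token=t&cardnum=4111111111111111&pin=1234&cvv2=999"},
    {"src_ip": "198.51.100.11", "method": "GET", "path": "/login",
     "referrer": "http://secure-login-examplebank.test/verify.php", "body": ""},
]

def triage(sessions):
    """Map session index -> reasons, keeping only sessions with at least one reason."""
    return {i: r for i, s in enumerate(sessions) if (r := score_session(s))}
```

An absent referrer is not evidence either way; the referrer check only surfaces phishing pages that redirect to the real portal with one, which is exactly the behaviour the paragraph above relies on.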

Unique Benefits Provided by NetWitness

» Using NetWitness NextGen the bank achieved a reduction of more than $6 million in online banking fraud over a six-month period. Financial services security teams can develop a strong business case attaching a specific ROI to the use of NetWitness within critical environments.

» NetWitness NextGen provides financial institution customers an extensible, agile platform that supports the detection and mitigation of the most advanced threats and fraud techniques.

HR, Fraud, Compliance, Audit, and More

NetWitness can provide advanced visibility and analytics into everything crossing the wire, so there are many potential stakeholders throughout the organization for NetWitness Informer reports, and network forensics analyses using NetWitness Investigator. For some of our financial services customers, many sensitive investigations begin and end with NextGen.

» HR/Fraud: data to support investigations of all types. NextGen natively reconstructs user application protocols such as HTTP, mail, chat, VoIP, and much more. Using NetWitness Live and NetWitness Identity, an organization’s entire user directory (i.e., Active Directory) can be linked to all corresponding user sessions and DHCP assignments, ensuring that any actions and behaviors on the part of the bank’s end users can be tagged, reconstructed, and viewed as the user experienced them. Many of our financial services customers use NextGen to support both fraud and HR investigations of all levels of complexity.

» Compliance and Audit: security controls are only valuable if they are working. Historically, the efficacy of many network-based security controls has been difficult to verify without detailed audits and penetration tests. NextGen inherently facilitates the verification of scores of network security controls, either interactively through Investigator, or through periodic automated reporting using Informer. For many critical network security controls, continuous compliance assurance can be achieved using NetWitness NextGen.

Conclusions

Financial services companies across the globe are irrefutably among the top cybercrime and fraud targets. Similar to many U.S. government agencies, the top financial services firms are taking a close look at NetWitness NextGen as the next logical step in the evolution of their computer network defense program. With NextGen deployed, a number of the top financial institutions are already gaining the key benefits described in this paper:

» Lowering the risks associated with advanced and emerging threats by increasing network visibility and decreasing gap closure time.

» Liberating precious staff hours to focus on the security problems and challenges that matter most, versus sorting through meaningless log files and data streams.

» Finding real fraud and complex data leakage, and stopping the exfiltration of cash, customer records and intellectual property.

» Investing in a platform that will not be obsolete when the next exploit appears, and that will grow as the organization’s needs increase.

» A solution that creates tangible value across a wide spectrum of business requirements.


NetWitness Corporation | 500 Grove Street, Suite 300 | Herndon, VA 20170 T: 703.889.8950 | F: 703.651.3126 | [email protected] www.netwitness.com

About NetWitness

NetWitness® Corporation is the world leader in real-time network forensics and automated threat intelligence solutions, helping government and commercial organizations detect, prioritize and remediate complex IT risks. NetWitness solutions concurrently solve a wide variety of information security problems including: advanced persistent threat management; sensitive data discovery and advanced data leakage detection; malware activity discovery; insider threat management; policy and controls verification and e-discovery. Originally developed for the US Intelligence Community, NetWitness has evolved to provide enterprises around the world with breakthrough methods of network content analysis and host-based risk discovery and prioritization. NetWitness customers include Defense, National Law Enforcement and Intelligence Agencies, Top US and European Banks, Critical Infrastructure, and Global 1000 organizations. NetWitness has offices in the U.S. and the U.K. and partners throughout North and South America, Europe, the Middle East, and Asia.