Triage & Collaboration. Improving a major bank s cyber threat security posture

Transcription

1 CASE STUDY Triage & Collaboration. Improving a major bank s cyber threat security posture Industry: Banking Customer: Global financial institution with over EUR 500 billion in assets EclecticIQ. Intelligence Powered Defense

2 2 Background The banking industry ranks at or near the top of the list of most-targeted industries by cybercriminals. What s more, it s the largest global banks who face the biggest challenges. For a diversified financial institution having diverse lines of business on multiple continents, a cyber security breach at any single point threatens the bank s reputation worldwide. Each line of business has to cope with its own specific threats. Retail banks need to protect a large base of customers and merchants across in-store, ATM, online and mobile payment methods. Corporate banks must alert CFOs and treasurers to targeted spear-phishing s. Wholesale banks face highly sophisticated, coordinated attacks, even on their own interbank communications. It s an immense logistical challenge to coordinate cyber threat intelligence across multiple lines of business and geographies, and the challenge is compounded annually by an increasing number of highly motivated threat actors who are quickly growing in sophistication. That s why global banks have to maintain constant vigilance through real-time awareness of potential threats, attack types and techniques. To gather and assess this information, banks have to connect with numerous intelligence providers, including commercial entities, government agencies, (FS/FI/Retail-)ISACs and open-source providers.

3 3 Situation At the headquarters of a major European financial institution, the cyber security team found themselves overwhelmed with cyber threat intelligence data. The sheer volume and diversity of threat data prevented the bank s intelligence analysts from making sense of the deluge, let alone enabling a timely response. Each new data feed required one of two things either a complex software engineering project to capture, process and disperse a combination of structured and unstructured data; or reliance on hands-on, manual spreadsheet crunching. These choices left little time for thoughtful analysis. Instead of generating actionable intelligence, analysts had to spend their valuable time managing complex projects or performing repetitive data management tasks. In the meantime, country-level subsidiaries across four continents still had to protect themselves. They learned to work autonomously, receiving their own reports and indicators about ongoing threats, impending attacks and remediation techniques. Under attack from virulent cyber threats, they would respond to urgent warnings mostly on their own. But there were too many warnings, having insufficient specificity to their own situations. A new approach was needed. The most pressing need was for the bank to get better at triage, being able to cull actionable intelligence from the massive inflow of data. The headquarters team needed the ability to sort through the global chatter in order to share with each subsidiary an actionable stream of relevant intelligence, such that country-level operations teams can implement remediation efforts ahead of the threat instead of after the fact. Moreover, the bank had to improve collaboration. An effective stance against cyber threats requires not only two-way communication between headquarters and country-level subsidiaries, but also constant peer-to-peer communication with other essential partners. The global threat requires a global response, with attack forensics, threat intelligence and mitigation techniques being shared within and across industries. Furthermore, as part of supporting the global effort to strengthen security, the bank s subsidiaries need the ability to share with headquarters any data associated with attacks against their facilities, channels and customers. Such forensic information can be usefully shared with industry associations, government agencies and other trusted partners to improve global intelligence capabilities and thereby the effectiveness of industry cyber defenses.

4 4 HEADQUARTERS Peers Government FS-ISAC EclecticIQ collaboration Commercial Europe Australia Asia improved detection and prevention USA Requirements To meet the challenges of triage and collaboration, the bank sought to deploy a Threat Intelligence Platform (TIP) solution that could deliver the following benefits to its headquarters team of cyber threat intelligence analysts: Clarity of focus. Eliminate the need for analysts to perform repetitive data management tasks or custom programming, so that they can concentrate their efforts on defending against imminent threats Higher relevance. Give analysts automated tools and ad-hoc capabilities to sort and sift through the entire collected database of threat intelligence to discern specific items of interest pertaining to the bank s global footprint and lines of business. Effective action. Connect analysts directly with enterprise business units and country-level technology teams, allowing cyber security mitigation procedures to propagate quickly throughout customer channels and endpoints. Improved strategy. Cyber threat intelligence teams need the ongoing ability to assess the quality, timeliness and reliability of their threat intelligence providers and information-sharing partners. This requires high-level analytical tools and feedback mechanisms. CTI teams need to be able to quickly introduce new sources of information in parallel with legacy providers, and then compare them side-by-side in order to understand potential sources of noise and bias. Trend analysis. From the SIEM sightings on indicators are recorded in the TIP for getting a better understanding in the (internal)threat landscape.

5 5 Solution The bank selected EclecticIQ for its ability to bring together intelligence, legal, security, technology, and business expertise in a single Threat Intelligence Platform built to meet the enterprise needs of a threat intelligence practice. The EclecticIQ Threat Intelligence Platform gives intelligence analysts automatic access to a normalized and consolidated set of intelligence data from the organization s preferred commercial suppliers, industry partners and open-source providers. Threat Incident Security Fraud Risk Open Source Community Threat Management, Analysis, Production & Collaboration Normalization Enrichment Analysis Executives, Business Stakeholders, Security Operations, Incident Response, etc. Commercial Government Correlation Production Collaboration Knowledge Management Triage HPE ArcSight, IBM QRadar, Splunk, Hadoop, etc. Incoming EclecticIQ Platform Outgoing EclecticIQ consolidates and curates multiple intelligence sources, reducing the time required to uncover relevant threats to an organization. Furthermore, the EclecticIQ Threat Intelligence Platform integrates cleanly into existing security controls including SIEM, IDS, IDP and endpoint detection and response solutions. This enables an efficient workflow with reduced IT staffing requirements and better utilization of intelligence analysts. EclecticIQ is a core participant in the development of STIX and TAXII, which are OASIS standards for exchanging cyber threat intelligence data. Accordingly, the EclecticIQ Threat Intelligence Platform is at the forefront of enabling organizations to become full participants in industry-wide efforts to improve threat awareness. Through sharing data, analysts learn from peer organizations how to improve their own ability to detect and repel cyber threats. This collaborative approach enables a dynamic approach to cyber defense, with improved predictive capabilities and a clearer picture of emerging threats.

6 6 Benefits Key benefits of the EclecticIQ Threat Intelligence Platform include: Rapid onboarding of new intelligence feeds Maximize value of existing investments in cyber threat intelligence feeds Contribute to institutional and industry knowledge of extant cyber threats Faster discovery of zero-day exploits and low-frequency threats Improved situational awareness Improved utilization of intelligence professionals Pre-defined workflows for triage, threat hunting and research Integration of IOC data into enterprise operations Integration of intelligence into existing security controls Active participation and leadership in intelligence-sharing initiatives The deployment of the EclecticIQ Threat Intelligence Platform establishes cost-effective and stable workflows for the bank s Threat Intelligence Practice, improving the efficiency and expanding the capabilities of cyber threat intelligence analysts. These comprehensive efforts contribute to a stronger security posture for the bank as an organization, while supporting the mutual defense of the community at large.

7 EclecticIQ is an applied cyber intelligence technology provider, enabling enterprise security programs and governments to mature a Cyber Threat Intelligence (CTI) practice, and empower ing analysts to take back control of their threat reality and to mitigate exposure accordingly. EclecticIQ s mission is to restore balance in the fight against cyber adversaries. Its flagship product, EclecticIQ Platform, is a Threat Intelligence Platform (TIP), which enables operationalization of security information exchange, empowers collaborative analyst workflow and ensures timely integration of cyber threat intelligence detection, prevention and response capabilities. EclecticIQ is headquartered in Amsterdam and holds offices in London and Chișinău. The company was awarded the 2015 EU IPACSO Cyber Security Award, and is partner of the Security Incubator project of the NATO Communications and Information Agency (NCIA) and a member of OASIS CTI TC and affiliate member of FS-ISAC. For more information or to schedule a personal demo, please visit