Protecting the vault: Case study
Bank robbers are not bursting in through the front door so much these days. Instead, from remote locations that could be anywhere on the planet, cloaked behind anonymity instead of ski masks, they sit at computers and send out malicious software in their attempts to siphon off the digital equivalent of cash and then move the loot between accounts.

Headquartered in Cincinnati, First Financial Bank (FFB) has more than 100 locations in Ohio, Kentucky and Indiana. As of March 31, it had $6.5 billion in assets, $4 billion in loans, $4.8 billion in deposits and $691 million in shareholders' equity.

That's a lot of dough to protect from marauding cybercriminals. “We were looking to stop malicious software in ways which traditional anti-virus tools could not,” says Brad Stroeh, vice president, network services and security engineering at the regional bank. “Signature-based remedies no longer suffice in today's environment. You have to examine deeply into what a particular piece of malware is doing.”

Bank on it

Jason Brvenik, principal engineer of the Security Business Group, Cisco

Daniel Polly, vice president, enterprise information security officer, First Financial Bank

Brad Stroeh, vice president, network services and security engineering, First Financial Bank

His bank, he says, puts a great degree of trust in his IT team to protect the network and customers' information. “We work hard to achieve these goals,” he says. “That's why we're always evaluating solutions which bring more capabilities than those in use – to close the gaps between what exists and what's possible.”

The challenge at FFB was to get to the point where the IT team could identify malware, pull it apart and assemble intelligence on what it was doing, adds Daniel Polly, the bank's vice president, enterprise information security officer. “We also needed to perform this analysis quickly and then implement remediation rapidly.”

It was difficult and time-consuming to determine exactly what was occurring when the bank experienced an incident, Polly says. But the business side expected his team to do so. “Senior management wants transparency in security operations,” he says. “Demonstrating what's happening with a malware situation – and how you are addressing it – is part of that.”

Stroeh and Polly and their IT team sought a solution and narrowed their choice down to three top contenders, but, Stroeh says, Cisco proved itself well above the others with a product line called Advanced Malware Protection (AMP). 

“We discovered that Cisco AMP can provide a vast range of insights,” says Stroeh. “It tells us not only everything about the malware, but it reveals how many systems it's impacting. We can discuss what the incident ‘spread’ is within our environment.”

This means FFB's IT team can elaborate in detail the impact, if any, a malware incident has on the organization, says Polly. “The ability to quickly and accurately inform interested parties of malware incident details allows us to maintain a high level of credibility. It's similar to when you take your car into the shop. You have more faith in the mechanic if he comes to you with a thorough, accurate diagnosis of what's wrong.”

And all of this is entirely automated, he adds. “It's so much more efficient for us to own a solution in which the analysis is baked in, instead of paying someone on staff to do it manually.”

Plus, Stroeh says, it saves on costs. “You don't have to pay for the internal expertise,” he says. “When you employ someone who's responsible for that, you need enough incidents to keep him or her busy. Of course, you don't want that, because it means you have security problems. With Cisco AMP, we avoid this scenario.”

Handle with care

AMP is an advanced malware protection system designed to provide visibility, context and control for files across the extended network, says Jason Brvenik, principal engineer of the Security Business Group at Cisco. “It combines instrumentation of devices and systems that deal with files – good, bad, unknown – to understand their activities and relationships with a central analytics system that allows for the determination of a given file's disposition and the subsequent handling of files and their lineage.”

Further, combining Big Data analytics with a continuous approach, AMP for Networks and AMP for Endpoints help organizations bridge the gap between network and endpoint protection, providing coordinated detection, investigation and response, Brvenik says. “Sharing information, they continuously analyze file behavior for malicious indicators, detecting and correlating indications of compromise from multiple sources across the extended network as attacks unfold to stop threats when and where they happen.
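As an added illustration of the ideas above (file disposition, lineage and incident “spread”), the following Python sketch is not Cisco's or FFB's code and does not reflect how AMP is implemented; it models endpoint telemetry that records each file and the file that wrote it, so that when a verdict later changes from unknown to malicious, every host that saw the file or anything it dropped can be enumerated. Host names, hashes and events are constructed placeholders.

```python
from collections import defaultdict

# Constructed endpoint telemetry (placeholder hashes, not real AMP data):
# (host, file hash, hash of the file that wrote it; None if origin unknown).
EVENTS = [
    ("ws-01", "sha_doc", None),
    ("ws-01", "sha_dropper", "sha_doc"),      # document wrote an executable
    ("ws-01", "sha_payload", "sha_dropper"),  # which wrote a second stage
    ("ws-02", "sha_doc", None),
    ("ws-02", "sha_dropper", "sha_doc"),
    ("ws-03", "sha_tool", None),              # unrelated file on another host
]

class FileTracker:
    # Records where each file was seen, what wrote it, and its current verdict.
    def __init__(self):
        self.disposition = {}             # hash -> "unknown" | "clean" | "malicious"
        self.seen_on = defaultdict(set)   # hash -> hosts that observed it
        self.parents = defaultdict(set)   # hash -> hashes that wrote it
        self.children = defaultdict(set)  # hash -> hashes it wrote
    def ingest(self, host, sha, parent):
        self.seen_on[sha].add(host)
        self.disposition.setdefault(sha, "unknown")
        if parent is not None:
            self.parents[sha].add(parent)
            self.children[parent].add(sha)
    def descendants(self, sha):
        # Depth-first walk over the lineage graph: everything `sha` wrote, transitively.
        out, stack = set(), list(self.children[sha])
        while stack:
            child = stack.pop()
            if child not in out:
                out.add(child)
                stack.extend(self.children[child])
        return out
    def set_disposition(self, sha, verdict):
        # Retrospective verdict: a file first seen as "unknown" may later turn malicious;
        # the report then lists its origin, everything it dropped and every host touched.
        previous = self.disposition.get(sha, "unknown")
        self.disposition[sha] = verdict
        if verdict != "malicious":
            return None
        lineage = sorted(self.descendants(sha))
        hosts = set(self.seen_on[sha]).union(*(self.seen_on[c] for c in lineage))
        return {"hash": sha, "previous": previous, "dropped_by": sorted(self.parents[sha]),
                "lineage": lineage, "hosts": sorted(hosts), "spread": len(hosts)}

def build_tracker(events=EVENTS):
    tracker = FileTracker()
    for host, sha, parent in events:
        tracker.ingest(host, sha, parent)
    return tracker
```

Calling `build_tracker().set_disposition("sha_dropper", "malicious")` reports the two affected workstations, the document that dropped the file and the second-stage payload it wrote, which is the kind of spread and lineage detail the bank describes presenting to management.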