Charity charge: Case study


It's not just the networks of money-making institutions that are targets of cybercrime these days. 

Because of the troves of data stored on internal databases, even charitable organizations are likely targets for incursions by miscreants desiring to mine the personal information stashed on servers to sell like any other commodity on the underground market for cash. So, the files must be protected just as if they were crown jewels.

The nonprofit Goodwill Industries of Greater NY and Northern NJ, headquartered in Astoria, N.Y., is one of the largest and oldest Goodwills in the country. It serves the 38 most western New York counties – from New York City all the way to the capital region in Albany – and the 10 most northern counties of New Jersey. Last year, with revenues of more than $110 million and employing 1,641 community residents, Goodwill NYNJ served 95,000 persons and placed more than 8,400 individuals in jobs. 

The human service agency is comprised of 30 program sites, 40 retail stores, four Attended Donation Centers and three campuses with a cluster of offices. Its 70 programs offer services for people facing economic challenges and other barriers to employment, including persons with all types of disabilities, children and youth at risk, U.S. veterans and individuals lacking education, training, work experience or skills. 

Goodwill NYNJ faces the same security concerns as most other small and medium-sized enterprises: How to protect sensitive customer and financial information. Industry experts agree that traditional security solutions like anti-virus and network perimeter although necessary components, are not single-handedly effective at detecting and stopping advanced threats. Goodwill's 15-person IT staff  needed to find a cost-effective, but strategic approach to better security. 

Most organizations (even regardless of industry and size) are coupled with tight IT budgets and limited qualified personnel. As a result, security teams are struggling to properly handle the overwhelming influx of data and threat alerts. In Goodwill NYNJ's case, prior to the execution of a more advanced security strategy, Chief Information Officer Andre Bromes (left) and his team were seeing isolated instances of attempted intrusion attacks across the network. It was clear that the organization's current level of cybersecurity enforced wasn't enough. Goodwill NYNJ needed to ensure that its security team was able to detect attacks across the network and endpoints first, and then efficiently remove the threats from the system. 

By not executing an advanced security strategy, Goodwill NYNJ would have left financial information and other critical data at risk of being compromised. A targeted breach had yet to occur, however Bromes and his team were not willing to wait around and become the next target. If its retail stores were compromised, the repercussions would be two-fold: the loss of the organization's hard-fought and duly-earned community reputation as well as the dissemination of monies that would otherwise be spent on the community programs that Goodwill NYNJ supports. 

Collectively, Bromes and his team recognized the need for a defensive measure, one that could operate at machine speed. Because budget was an important factor to the overall decision, the team knew that the solution to their problem needed to not only be affordable, but also easily integrated within the specific constraints of a retail organization.

At first, the group evaluated the more traditional security systems used by larger retailers, such as hosted security solutions that route all traffic through a remote security operations center for analysis. These solutions were far outside of Goodwill NYNJ's price range: The up-front costs associated with installing hardware at every single store, community program sites and office complex in the region were too high. A lot of them also required Goodwill NYNJ to upgrade its internet connections in order to handle the high-speed needed to transmit all of the data. Additionally, these systems were not adequately designed for retail organizations, especially ones similar to Goodwill NYNJ's size. 

The search to protect the network as well as the disparate endpoints, took them to Patriot Technologies, a Frederick, Md.-based security-focused reseller and manufacturer of cybersecurity technology. Experts there recommended that Bromes consider HawkEye G, a next-generation endpoint detection and response platform that can continuously detect, verify and remediate threats at machine speed. The tool, developed by Hanover, Md.-based Hexis Cyber Solutions, a wholly-owned subsidiary of The KEYW Holding Corp., provides advanced cybersecurity solutions for commercial companies and government agencies. 

Immediately on testing HawkEye G's capabilities, Bromes and his team were impressed that unlike most other security programs that solely focused on network traffic, HawkEye G actually monitors the data by installing host sensors on each individual endpoint. HawkEye G can detect and analyze even the smallest changes that occur on endpoints, automatically verifying them and eliminating malicious threats almost instantaneously. All of this activity can be achieved without having to power down or lose sight of an endpoint. This is especially crucial to retail organizations that rely heavily on point-of-sale (POS) systems to constantly generate income. What's more, HawkEye G keeps a record of all activity executed, supplying security professionals with the intelligent insight needed to analyze attacks and create defenses against future assaults.

Further, while HawkEye G is regularly sending data from the endpoint-installed sensors to its management console, the solution is configured to support high traffic flow without negatively impacting network performance. Even sites with slower technology like DSL can handle the traffic. 

“With HawkEye G, customers are able to detect known, unknown and zero-day threats; leverage behavioral analytics and anomaly detection for malicious endpoint activity; benefit from third-party integration with solutions like Palo Alto Networks and FireEye for increased endpoint and network alert correlation; and integrate with SIEM reporting systems and Splunk real-time dashboards,” says Chris Carlson (left), VP of product management, Hexis Cyber Solutions.

The tool offers a vast array of countermeasures which can be flexibly deployed in automated or machine-guided mode based on a company's unique policy settings, he adds. “These response tactics include kill process, quarantine file, remove registry key persistence DNS injection, IP redirects, and URL blocking.” 

HawkEye G is also offered as a managed service offering, which provides around-the-clock monitoring, threat analysis, and support directly from the Hexis Security Operations Center.

Installation was a breeze

Bromes says that the installation of HawkEye G across the Goodwill NYNJ network was quick, seamless and did not disrupt employee productivity. Support from the Hexis Cyber Solutions team helped Bromes and his team customize the management interface policies to suit the specific needs of their environment. “I know I sleep better at night,” says Bromes of his decision. “HawkEye G mitigates threats at Goodwill NYNJ at machine speed, whereas before it might take someone hours to analyze a single threat from one attack. And because HawkEye G is eliminating threats so quickly, there is no danger of an analyst getting distracted by nuisance or decoy attacks designed to let a real threat slip through.”

Within the first eight months of installation, Bromes and his team can confirm that the HawkEye G technology has performed very well, especially its ability to instantly eliminate threats, even if they are only quietly infiltrating just a single endpoint. 

“HawkEye G offers an unparalleled level of integrated detection capabilities that span across the endpoint and network,” says Carlson at Hexis. It uses multiple detection mechanisms, he explains, including behavior- and signature-based detection, threat intelligence feeds, a cloud malware verification service and threat indicators from other security controls, currently Palo Alto Networks and FireEye. 

Endpoint plus network enabled

As far as differentiation, Carlson says many of the other next-generation endpoint detection and response solutions only focus on endpoints whereas HawkEye G has both endpoint and network capabilities. “This is critical given that advanced threats look to infect and traverse both endpoints and the network to achieve their objectives. Additionally, many other endpoint solutions can only detect malicious behavior. While detection is important, it's equally important to be able to respond. HawkEye G's automated response capabilities represent a key differentiator.”

HawkEye G fuses all this together in an aggregated threat scoring and behavioral analytics model called ThreatSync. ThreatSync enables security teams to make better, smarter and faster decisions, Carlson says. “HawkEye G empowers security teams to respond to threats automatically based on internally set policies, through machine-guided, one-click instructions, or a combination thereof.”

Threat feed and software updates are available through a secure download mechanism from the Hexis cloud servers, says Carlson. Threat feeds are available for download at least once per day and are controlled by the customer. The software update mechanism allows for in-place upgrades for both major and minor software releases as new functionality is available. Customers with deployments managed by Hexis Managed Services coordinate their software upgrades to align with their own change management windows.

HawkEye G is the only endpoint security solution built with integration in mind, says Carlson. The solution not only boasts integrations with third-party vendors like Palo Alto Networks, FireEye and Splunk, but also correlates both network and endpoint activity. “This not only improves visibility into the threats within the environment, but also verifies which attacks require the immediate attention of security teams.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.