Compliance Management, Incident Response, TDR

Protecting the vault: First Financial Bank’s go-to solution

Bank robbers are not bursting in through the front door so much these days. Instead, from remote locations which could be anywhere on the planet, and cloaked behind anonymity instead of ski masks, they sit at computers and send out malicious software in their attempts to siphon off the digital equivalents of cash to then transfer the loot between accounts.

Headquartered in Cincinnati, First Financial Bank (FFB) has more than 100 locations in Ohio, Kentucky and Indiana. As of March 31, it had $6.5 billion in assets, $4 billion in loans, $4.8 billion in deposits and $691 million in shareholders' equity.

That's a lot of dough to protect from marauding cybercriminals. “We were looking to stop malicious software in ways which traditional anti-virus tools could not,” says Brad Stroeh, vice president, network services and security engineering at the regional bank. “Signature-based remedies no longer suffice in today's environment. You have to examine deeply into what a particular piece of malware is doing.”

Bank on it

Jason Brvenik, principal engineer of the Security Business Group, Cisco

Daniel Polly, vice president, enterprise information security officer, First Financial Bank

Brad Stroeh, vice president, network services and security engineering, First Financial Bank

His bank, he says, puts a great degree of trust in his IT team to protect the network and customers' information. “We work hard to achieve these goals,” he says. “That's why we're always evaluating solutions which bring more capabilities than those in use – to close the gaps between what exists and what's possible.”

The challenge at FFB was to get to the point where the IT team could identify malware and then pull it apart and to assemble intelligence into what it was doing, adds Daniel Polly, the bank's vice president, enterprise information security officer. “We also needed to perform this analysis quickly and then implement remediation rapidly.” 

It was difficult and time consuming determining what exactly was occurring when the bank experienced an incident, Polly says. But the business side expected his team to do so. “Senior management wants transparency in security operations,” he says. “Demonstrating what's happening with a malware situation – and how you are addressing it – is part of that.”

Stroeh and Polly and their IT team sought a solution and narrowed their choice down to three top contenders, but, Stroeh says, Cisco proved itself well above the others with a product line called Advanced Malware Protection (AMP). 

“We discovered that Cisco AMP can provide a vast range of insights,” says Stroeh. “It tells us not only everything about the malware, but it reveals how many systems it's impacting. We can discuss what the incident ‘spread' is within our environment.” 

This means FFB's IT team can elaborate in detail the impact, if any, a malware incident has on the organization, says Polly (right). “The ability to quickly and accurately inform interested parties of malware incident details allows us to maintain a high level of credibility. It's similar to when you take your car into the shop. You have more faith in the mechanic if he comes to you with a thorough, accurate diagnosis of what's wrong.”

And all of this is entirely automated, he adds. “It's so much more efficient for us to own a solution in which the analysis is baked in, instead of paying someone on staff to do it manually.”

Plus, Stroeh says, it saves on costs. “You don't have to pay for the internal expertise,” he says. “When you employ someone who's responsible for that, you need enough incidents to keep him or her busy. Of course, you don't want that, because it means you have security problems. With Cisco AMP, we avoid this scenario.”

Handle with care

AMP is an advanced malware protection system designed to provide visibility, context and control for files across the extended network, says Jason Brvenik, principal engineer of the Security Business Group at Cisco. “It combines instrumentation of devices and systems that deal with files – good, bad, unknown – to understand their activities and relationships with a central analytics system that allows for the determination of a given files disposition and the subsequent handling of files and their lineage.”

Further, combining Big Data analytics with a continuous approach, AMP for Networks and AMP for Endpoints help organizations bridge the gap between network and endpoint protection, providing coordinated detection, investigation and response, Brvenik says. “Sharing information, they continuously analyze file behavior for malicious indicators, detecting and correlating indications of compromise from multiple sources across the extended network as attacks unfold to stop threats when and where they happen.

What differentiates this tool from other offerings, Brvenik says, is that AMP is an analysis platform before it is a file-focused technology. It differs in many aspects, but two very notable ways are its ability to retrospectively react to past events when armed with new information. In this way, users can be aware of a compromise that they otherwise wouldn't have known without a host-by-host forensic analysis. Second is the continuous inspection and analysis of the activity associated with files on systems and as they traverse networks and are executed on hosts. This continuous model presents the opportunity for understanding, scoping, and remediating compromise should attackers be successful in evading a corporate defense, Brvenik says.

The deployment at FFB went smoothly, says Stroeh. “We wanted to push the product out as quickly as possible, so we conducted a pilot with about 50 computers and then transitioned to an enterprise-wide deployment. It only took about a month, so that was great. What helped was being able to work so closely with Cisco support.”

Polly agrees, saying that Cisco support is “terrific.” It's rare, he adds, to find a company which lives up to what is promised in the pre-sales discussions. “There isn't a lot of hype with Cisco. They're honest about what they can do, and they're there with you side by side on any issues.” 

First Financial is investing into both Cisco AMP for Endpoints and Cisco AMP for Networks because in tandem the solutions address the bank's needs, to the point in which it views Cisco AMP as an extensible security platform for the organization. “The benefits for both are similar, in terms of the automated detection, analysis and remediation,” says Polly. “It all goes back to establishing the security intelligence you seek. We have insight and clarity about what's going on before, during and after a malware incident, not only locally with the endpoints, but also throughout the network.”

AMP for Endpoints protects all devices, including mobile ones outside the traditional perimeter, Stroeh points out. “These devices and machines could download a file which presents no concerns when it's first introduced into the network. But hackers are good at disguising their intent, so the malware can lay low for a while. Over time, its behavior changes and that's when the damage occurs. So AMP for Networks protects us there by detecting changing file behaviors and quarantining those signaling a threat.”

Additionally, the solution gives the bank precise, detailed incident information to report to auditors and examiners, says Polly. “We can be specific about what exactly happened. We can describe in-depth if a machine was compromised, how the compromise occurred, and accurately demonstrate there wasn't any loss of data.” In addition, parties interested in FFB's capabilities are seeing significant investment into solutions, and that the bank is committed to safeguarding company and client information. “So, again, that speaks to our credibility with them,” says Polly.

Further, the solution offers the forensic capability to allow the IT team to act as a full-fledged security engineering team. “There are always going to be new threats,” Stroeh says. “This prepares us for those new threats and new vectors.” 

And, that's essential, says Polly. “We're not a large, global organization, but we must be able to adapt to changing business processes as business matures. With Cisco AMP, we keep up with the changes while still offering a superior level of insight, intelligence and protection. Threats will target new business processes. That's why you want intelligence on the backend.”

Information sharing is also an ingredient in the success of the implementation. In the bigger picture, it enables the bank to share specific threat data it identifies with other companies through Cisco's cloud-based malware analysis, says Stroeh. This sharing of malware analysis benefits companies across industries, he adds. “Those other companies have passed along what they've discovered and that has helped us. With Cisco AMP, we're making a contribution too, and everybody wins. This common sharing of useful information pushes out our intelligence in the interest of security assurance.”

AMP takes a continuous analytics approach that rarely requires distribution of updates. Rather, it offers continuous detection of malware – immediately and retrospectively – without the need to distribute definition files and engine updates, says Brvenik. New determinations, he explains, are automatically communicated from the AMP console. It then leverages knowledge about files and their lineage to re-analyze activity that may not have previously been deemed malicious so that it can quarantine, remove or alert on files that are determined to be malware when given new information.

AMP was designed to deliver protection across the entire advanced malware attack continuum – before, during and after an attack, Brvenik (right)  emphasizes. Before an attack, AMP's malware detection and blocking stops known attacks. During an attack, a lattice of detection capabilities combined with Big Data analytics and continuous analysis determines if advanced, unknown malware is on a network. Sophisticated machine-learning techniques evaluate more than 400 characteristics associated with each file to analyze and block advanced malware. The combination gives users detection capabilities that go beyond traditional point-in-time detection, allowing AMP to also retrospectively detect files that become malicious after the initial point of entry.

After an attack, visualizing and pinpointing malware impacts and indications of compromise help speed response times, says Brvenik. “Automated remediation mitigates damage. With a detailed understanding of malware behavior, users can prevent similar future attacks and eliminate the risk of reinfection.”

By using a solution like AMP that covers the extended network, hosts, network, mobile, cloud, etc., and continually inspects activity for indications of compromise, security pros can provide coverage across the attack continuum and close the time to discover and resolution of a compromise from years to days, minutes in many cases,” says Brvenik. 

For more from First Financial's Daniel Polly, see this month's From the CSO's Desk column.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.