Referenced in our Newsletter Volume 5, Issue 2 - April 2006
Network Monitoring
Link analysis is an effective and efficient way to examine data for possible interactions and processes that
span multiple organizations and systems. Data is collected on every packet and system message, including traffic that
crosses the Internet, and is then sent over the network to the analysis system. Building effective analytical models from
numerous sources across various offices, divisions, or regions can expose massive networks of activity that together
illustrate an overall pattern. Distinct activity patterns can reveal insider threats, competitive intelligence gathering,
and espionage, which an organization can uncover internally through the analysis of these collective data sources.
Due to the recent security breaches of large data providers such as Lexis/Nexis and ChoicePoint, CNR Financial Group
was concerned about potential information leaks of sensitive data within their own internal networks. CNR Financial Group
believed that letting their employees communicate customers' private data to trusted partners in an insecure manner would
needlessly put their own company at risk. Immediate action was necessary to reduce potential damage and to safeguard CNR
Financial Group's reputation as a premier investment firm offering reliable and secure financial services.
CNR Financial Group integrated VisuaLinks with a network monitoring device to track internal network traffic across the
corporate intranet and protect its internal operations. All network traffic was examined for specific keywords,
look-up values, and additional indicators defined by CNR Financial Group's management and IT staff (including customer
names, social security numbers (SSNs), and account references). The effectiveness of an integrated internal network
analysis system for activity within CNR Financial Group is shown in the example below. During a routine scan of email
traffic over the corporate network, an increase in SSN leaks appeared. An initial query was run to retrieve all SMTP
activity between 8:00 AM and 8:30 AM.
The objects returned from the query were grouped by an attribute that followed the rules of the network monitoring
back-end system. The SSN attribute returns true if any values matching the XXX-XX-XXXX format are found in the text
of the SMTP transaction. In the example shown below, five SMTP transactions violated the corporate policy of sending
unsecured SSNs to other sites (annotation was added to emphasize the distinction).
To further analyze the source of the information leak, a Database Walk was performed on the five questionable SMTP transactions.
The example below shows which workstations sent the prohibited emails and which servers received the data.
CNR Financial Group was able to find the two workstations (keyed by IP address) that were responsible for initiating
the information leak through five emails sent within a 17-minute timeframe. The link analysis of these transactions
also exposed a connection between three of the emails sent from the two workstations, since they were directed to the
same server (with a Bank of America domain).
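The detection and link-analysis steps described above (time-window query, grouping by the SSN attribute, then walking from the violating transactions to the sending workstations and receiving servers), as an added example written for this page rather than code from VisuaLinks or the network monitoring product. The SMTP records, IP addresses and server names are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample SMTP transaction records (hypothetical, not from the original page).
# Fields: timestamp, source workstation IP, destination mail server, message text.
SMTP_LOG = [
    ("2006-04-03 08:02:10", "10.1.4.21", "mail.bankofamerica.com", "Acct 4471 for J. Doe, SSN 123-45-6789"),
    ("2006-04-03 08:05:44", "10.1.4.21", "smtp.example.co.uk",     "Client list attached, SSN 987-65-4321"),
    ("2006-04-03 08:09:31", "10.1.4.37", "mail.bankofamerica.com", "See ref 9912, SSN 222-33-4444"),
    ("2006-04-03 08:12:05", "10.1.4.37", "mail.bankofamerica.com", "Quarterly summary, no identifiers"),
    ("2006-04-03 08:15:27", "10.1.4.37", "smtp.example.co.uk",     "SSN 555-66-7777 per your request"),
    ("2006-04-03 08:19:12", "10.1.4.21", "mail.bankofamerica.com", "Follow-up: 333-44-5555"),
    ("2006-04-03 08:41:00", "10.1.4.50", "mail.bankofamerica.com", "Outside window, SSN 111-22-3333"),
]

# The XXX-XX-XXXX format the page's SSN attribute keys on.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
FMT = "%Y-%m-%d %H:%M:%S"

def has_ssn(text):
    """The 'SSN attribute': True if any XXX-XX-XXXX value appears in the transaction text."""
    return SSN_RE.search(text) is not None

def query_window(log, start, end):
    """Initial query: every SMTP transaction with start <= timestamp <= end."""
    s, e = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    return [rec for rec in log if s <= datetime.strptime(rec[0], FMT) <= e]

def flag_violations(records):
    """Group by the SSN attribute and keep the transactions where it is true."""
    return [rec for rec in records if has_ssn(rec[3])]

def database_walk(violations):
    """Walk from the violating transactions to the workstations that sent them and the
    servers that received them. Returns ({src_ip: {dst_server: count}}, span_in_minutes),
    where the span is the time between the first and last violating email."""
    links = defaultdict(lambda: defaultdict(int))
    for _, src, dst, _ in violations:
        links[src][dst] += 1
    times = sorted(datetime.strptime(v[0], FMT) for v in violations)
    span_min = (times[-1] - times[0]).total_seconds() / 60 if times else 0.0
    return {src: dict(dsts) for src, dsts in links.items()}, span_min

if __name__ == "__main__":
    window = query_window(SMTP_LOG, "2006-04-03 08:00:00", "2006-04-03 08:30:00")
    links, span = database_walk(flag_violations(window))
    for src, dsts in links.items():
        print(src, "->", dsts)
    print(f"violations span {span:.1f} minutes")
```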
The Bank of America email destinations, together with the two unsecured emails sent to an off-shore server in the United
Kingdom, prompted the analyst to examine additional correspondence from the servers and workstations involved. A larger
network of related transactions was discovered, which the analyst then used to examine the variety of protocol activity
from the targeted workstations. Several of these transactions could be expanded to determine what other websites the
workstations accessed over the timeframe in question. In the example shown below, the three transactions in the center
of the diagram caught the investigator's eye.
A number of America Online Instant Messenger chats sent within a few minutes of each other occurred shortly before the
emails that violated corporate policy were sent. Could the two employees at the affected workstations possibly have
participated in careless sensitive information sharing? The individuals also could have been working together on a
project involving client accounts at Bank of America and sent the emails, unaware that they were violating protocol.
By isolating the leak (shown in the example below), the investigating analyst was able to produce a visual representation
to support the overall investigation.
The instance shown above is just another excellent example of how VisuaLinks assisted in the discovery of an insider
threat within an organization by providing overall analytical and pattern detection capabilities. To learn more about these
capabilities from our partner PPC, go to the following website:
Project Performance Corporation