Referenced in our Newsletter Volume 5, Issue 2 - April 2006

Network Monitoring Link Chart

Link analysis is an effective and efficient way to examine data for possible interactions and processes that span multiple organizations and systems. Data can be collected on every packet and system message that crosses a network, including traffic sent over the Internet. Building effective analytical models from numerous sources across various offices, divisions, or regions can expose massive networks of activity that help illustrate an overall pattern. Distinct activity patterns in these collective data sources can reveal insider threats, competitive intelligence gathering, and espionage that an organization can uncover internally through analysis.

Due to the recent security breaches of large data providers such as Lexis/Nexis and ChoicePoint, CNR Financial Group was concerned about potential leaks of sensitive data within their own internal networks. CNR Financial Group believed that letting their employees communicate customers' private data to trusted partners in an insecure manner would needlessly put their own company at risk. Immediate action was necessary to reduce potential damage and to safeguard CNR Financial Group's reputation as a premier investment firm offering reliable and secure financial services.

CNR Financial Group integrated VisuaLinks with a network monitoring device to track internal network traffic across the corporate intranet and protect their internal operations. All network traffic was examined for specific keywords, look-up values, and additional indicators defined by CNR Financial Group's management and IT staff (including customer names, social security numbers (SSNs), and account references). The effectiveness of an integrated internal network analysis system for activity within CNR Financial Group is shown in the example below. During a routine scan of email traffic over the corporate network, an increase in SSN leaks appeared. An initial query was run to retrieve all SMTP activity between 8:00 AM and 8:30 AM.


The objects returned from the query were grouped by an attribute that followed the rules of the network monitoring back-end system. The SSN attribute returns true if any values matching the XXX-XX-XXXX format are found in the text of the SMTP transaction. In the example shown below, five SMTP transactions violated the corporate policy of sending unsecured SSNs to other sites (annotation was added to emphasize the distinction).

To further analyze the source of the information leak, a Database Walk was performed on the five questionable SMTP transactions. The example below shows which workstations sent the prohibited emails and which servers received the data. CNR Financial Group was able to find the two workstations (keyed by IP address) that were responsible for initiating the information leak through five emails sent within a 17-minute timeframe. The link analysis of these transactions also exposed a connection between three of the emails sent from the two workstations, since they were directed to the same server (with a Bank of America domain).
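The two steps above, the SSN attribute applied to SMTP transactions in the 8:00 to 8:30 window and the walk from flagged transactions out to their source workstations and destination servers, as an added example that is not VisuaLinks code or CNR Financial Group's configuration. The record format, the IP addresses, the mail server names and the message bodies are constructed for the example, and the grouping stands in for what the product's Database Walk does; it is not the product's implementation.

```python
import re
from collections import defaultdict
from datetime import datetime

# The SSN attribute as the page describes it: true if any token in the
# transaction text matches the XXX-XX-XXXX format. Note that this matches
# format only, so any nine digits laid out this way will be flagged.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed SMTP transaction log (assumed format: "timestamp|src_ip|dst_host|body").
SAMPLE_LOG = """\
2006-03-01 08:02|10.0.5.17|mail.partner-bank.example|client 123-45-6789 account review
2006-03-01 08:05|10.0.5.17|mail.partner-bank.example|second client 987-65-4321 attached
2006-03-01 08:07|10.0.5.42|mx.offshore.example.co.uk|forwarding 321-54-9876 for setup
2006-03-01 08:11|10.0.5.42|mail.partner-bank.example|see 555-12-3456 below
2006-03-01 08:14|10.0.5.23|mail.internal.example|lunch at noon?
2006-03-01 08:19|10.0.5.17|mx.offshore.example.co.uk|last one 111-22-3333
2006-03-01 08:45|10.0.5.42|mail.partner-bank.example|late 222-33-4444 outside window
"""

def has_ssn(text):
    return SSN_RE.search(text) is not None

def parse_records(log_text):
    records = []
    for line in log_text.splitlines():
        ts, src, dst, body = line.split("|", 3)
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                        "src": src, "dst": dst, "body": body})
    return records

def flag_violations(records, start, end):
    # The initial query (time window) followed by the SSN attribute test.
    return [r for r in records if start <= r["ts"] <= end and has_ssn(r["body"])]

def walk(violations):
    # Link each flagged transaction to the workstation that sent it and the
    # server that received it, so shared endpoints become visible.
    by_src, by_dst = defaultdict(list), defaultdict(list)
    for r in violations:
        by_src[r["src"]].append(r)
        by_dst[r["dst"]].append(r)
    return dict(by_src), dict(by_dst)

def analyze(log_text=SAMPLE_LOG):
    recs = parse_records(log_text)
    hits = flag_violations(recs, datetime(2006, 3, 1, 8, 0), datetime(2006, 3, 1, 8, 30))
    by_src, by_dst = walk(hits)
    span = int((max(r["ts"] for r in hits) - min(r["ts"] for r in hits)).total_seconds() // 60)
    return {"violations": hits, "by_src": by_src, "by_dst": by_dst, "span_minutes": span}

if __name__ == "__main__":
    result = analyze()
    print(len(result["violations"]), "violations over", result["span_minutes"], "minutes")
    for dst, rs in result["by_dst"].items():
        print(dst, "<-", sorted({r["src"] for r in rs}), len(rs), "emails")
```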


The Bank of America email destinations in addition to the two unsecured emails sent to an off-shore server in the United Kingdom prompted the analyst to examine additional correspondence from the servers and workstations involved. A larger network of related transactions was discovered, which the analyst then used to examine a variety of protocols performed by the targeted workstations. Several of these transactions could be expanded to determine what other websites the workstations accessed over the timeframe in question. In the example shown below, the three transactions in the center of the diagram caught the investigator's eye.


A number of America Online Instant Messenger chats sent within a few minutes of each other occurred shortly before the emails that violated corporate policy were sent. Could the two employees at the affected workstations possibly have participated in careless sensitive information sharing? The individuals also could have been working together on a project involving client accounts at Bank of America and sent the emails, unaware that they were violating protocol. By isolating the leak (shown in the example below), the investigating analyst is able to produce a visual representation to support the overall investigation.

The instance shown above is just another excellent example of how VisuaLinks assisted in the discovery of an insider threat within an organization by providing overall analytical and pattern detection capabilities. To learn more about these capabilities from our partner PPC, go to the following website: Project Performance Corporation