This regional credit union is one of the largest financial cooperatives in the U.S., offering business and personal banking products and services, such as deposit accounts, credit cards, loans, insurance, and wealth management, through its many regional branches.
Protecting Users from Malicious Emails
Entrusted with billions of dollars in assets, the credit union’s highest priority is keeping its members’ hard-earned money safe. As a financial institution, it has a lot of sensitive data to protect, ranging from customers’ private information (names, addresses, and Social Security numbers) to credit card numbers and financial information. Protecting this data requires strict measures to prevent unauthorized access gained through malware infections, to defend against zero-day vulnerabilities that can lead to ransomware attacks, and to eliminate phishing emails that target the bank’s unsuspecting users.
The bank’s Information Security team, consisting of only four people, was spending up to 20 hours a week remediating problems. The previous solution, a firewall and email security gateway using signature-based detection, had been letting zero-day malware through the perimeter. Users would receive emails with infected attachments or links that, once clicked, cost the bank a lot of overhead.
“We were constantly rebuilding PCs that were getting infected with malware, having to go and investigate and make sure the malware didn’t spread to other places,” said the bank’s Manager of Information Security. “It really became a lot of manual effort that was related to some of these infection events.”
The company knew it had to find a solution that significantly reduced the time spent remediating email-borne infections and made security management simpler and more effective. It sought a solution that would stay one step ahead of the curve and defend against advanced threats such as zero-day and ransomware attacks.
“Our Check Point SmartEvent console consolidates monitoring, logging, reporting, and event analysis to correlate data and give us actionable attack information,” said Honnold. “Our security analysts can see malicious events, attack entry points, scope of damage, and data about infected devices so that we can respond quickly.”
Staying Ahead with Reliable Detection
Unlike any of its competitors’ sandboxing solutions, Check Point Threat Emulation uses CPU-level inspection to identify advanced threats and zero-day attacks that would have gone undetected by traditional solutions. The granularity of Threat Emulation allows it to identify and stop sophisticated evasion techniques such as Return-Oriented Programming (ROP) exploits before they can cause any harm, bringing the Information Security team peace of mind. CPU-level evasion detection guarantees that even the most dangerous targeted threats will be caught and prevented in time.
The solution has prevented over a thousand malicious file and zero-day threats in the course of just one year.
“I’ve seen, personally, multiple forensic reports come back where it’s specifically stated that it was able to detect the file as malicious from the CPU-level examinations.”
In one case, one of the bank’s vendors was compromised, leading to a highly targeted spear-phishing campaign against the bank’s underwriters. The threat actor referenced the underwriters by name and sent them Word files from an email address they knew as a legitimate source.
“Looking at that email as a human being, even I couldn’t tell anything was wrong with it,” said the Manager.
When the underwriter received the cleaned attachment, which had been emptied of its active content, they asked about the original. A quick look at the Threat Emulation results showed a critical-severity verdict with a high level of confidence.
“Without that SandBlast technology in place, the user’s computer would have most likely been impacted and infected by the virus that came through,” said the manager. “For us, the zero-day defense that it provides has been really beneficial.”
Effective and Efficient Security
Whereas infections used to require 10 to 20 hours of weekly remediation, since implementing SandBlast the Information Security team has spent almost no time on maintenance at all. The security team can trust SandBlast to deliver safe content to end users and block potentially malicious files. In cases where someone needs the original attachment, including one with executable content, it can be delivered once SandBlast has verified it, and the whole process takes a minute or two at most.
“I would say [SandBlast] has already paid for itself in the year that we’ve had it,” said the Information Security manager. “Just the time it saves us having to remediate actions, having to do investigations, and its ability to prevent something worse than that happening. You can’t put a price on that.”
With Check Point SandBlast’s comprehensive reports, the team gets full visibility into each malicious attempt and can track what content was extracted. The forensic reports give the Information Security team the information it needs to follow up.
“There’s a lot of good data on top of the solution, besides the obvious benefit of being able to stop these attachments from infecting our organization,” said the Information Security manager. “When [SandBlast] does find something we’re able to view a forensic report from the tool, where it’ll give us screenshots, and give us information about what the attachment would’ve done.”
Improved Security Posture
Now, when an attachment is received via email, Threat Extraction immediately provides users with reconstructed files, removing any potentially malicious code and providing the Information Security team with valuable analysis. Even before the email has gone through emulation, Threat Extraction proactively delivers clean attachments, so a user who opens them is completely safe. Almost entirely unnoticeable to the user, the feature has been easy to adopt and instantly effective.
With recent reports of the Petya attack spreading weaponized Word documents via email, the bank felt relieved to have SandBlast’s Threat Extraction capability. With the combination of Extraction and Emulation, SandBlast provided a complete solution and ensured all files with ransomware were caught and rendered benign.
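Threat Extraction, as described above, rebuilds an attachment without its active content and hands the clean copy to the user before emulation finishes. The example below is added here and is not Check Point’s code: it is a deliberate simplification of what a content-disarm engine does to a macro-enabled Word document, dropping the VBA parts and patching the package metadata so the rebuilt file is a plain .docx. The function names `extract_clean_copy`, `read_part` and `build_sample_docm` and the sample document are constructed for illustration.

```python
import io
import re
import zipfile

# OOXML parts that carry VBA, plus the macro-enabled vs. plain Word content types.
ACTIVE_PART_RE = re.compile(r"(^|/)(vbaProject\.bin|vbaData\.xml)$")
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
CLEAN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def extract_clean_copy(doc_bytes):
    """Rebuild a Word attachment without its VBA parts; return (clean_bytes, removed).
    Hypothetical simplification of a content-disarm engine, not Check Point's code."""
    out, removed = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if ACTIVE_PART_RE.search(name):
                removed.append(name)           # active content is never copied across
                continue
            data = src.read(name)
            if name == "[Content_Types].xml":  # result must open as a plain .docx
                text = data.decode("utf-8").replace(MACRO_CT, CLEAN_CT)
                data = re.sub(r'<Override[^>]*PartName="/word/vba[^"]*"[^>]*/>', "", text).encode("utf-8")
            elif name.endswith(".rels"):       # drop dangling links to removed parts
                text = data.decode("utf-8")
                data = re.sub(r'<Relationship[^>]*Target="vba[^"]*"[^>]*/>', "", text).encode("utf-8")
            dst.writestr(name, data)
    return out.getvalue(), removed

def read_part(doc_bytes, name):
    """Return one package part as text, or None if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        return z.read(name).decode("utf-8") if name in z.namelist() else None

def build_sample_docm():
    """Constructed minimal macro-enabled document; the VBA blob is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/document.xml" ContentType="%s"/>'
                   '<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/></Types>' % MACRO_CT)
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" Type="http://schemas.microsoft.com/'
                   'office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>')
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p>Underwriting notes</w:p></w:body></w:document>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder, not real VBA")
    return buf.getvalue()
```

The document text survives untouched while the macro container, its relationship entry and its content-type override are gone, which is why a user can open the delivered copy safely even when it arrives "empty" of the active content the sender relied on.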
“It didn’t matter how much, or how fast they were changing the Petya code or the different techniques they were using. That code simply just got stripped out.”
According to the manager, “we’re far less likely to get hit with email-borne attacks. It helps everybody kind of sleep a little better at night, and it just has improved our security posture.”