Online investigations to protect the customer
Our customer, a major U.S. corporation, operates a global network of online payment solutions, with millions of registered users around the world. Like many financial institutions, the company has implemented strict cybersecurity measures to protect its customers against fraud and mistreatment. But traditional methods like blocking suspicious sites and phishing attempts have left investigators without the means to follow up on leads. Without the whole story, how could the company’s analysts get to the root of the problem and determine who’s trying to undermine the company’s reputation and the integrity of its transactions?
Following up on leads and intel from threat hunters
As a financial services provider, the company has set up advanced perimeter defenses against hackers. But in addition to typical threats like malware and phishing attempts, the company was concerned about preventing their payment systems from being used for unlawful and fraudulent activities. A brand reputation management team is responsible for ensuring that the company’s name is not affiliated with transactions such as sales of illicit drug sales, human trafficking or child exploitation, and that bad actors don’t use the platform for financial fraud, which could cause the company to lose revenue.
The company’s SOC includes a team of dedicated threat hunters and analysts, whose job it is to follow up on alerts and flagged transactions. But existing IT policies that restrict analysts’ access to blocked sites would often lead investigators to dead-ends, unable to follow the perpetrators deeper into their illicit marketplaces and forums to expose their true identities and intentions. These strict IT policies were put in place for a reason — to protect the company’s security personnel from retaliation and their systems from malware. But the brand reputation agents felt like their efforts could be much more effective if they could have secure access to any website, social media or business profiles, and even local news at various places around the world.
From threat indicators to full investigators
Since implementing Silo for Research, the company has created specific workflows, which all analysts follow to protect the integrity of investigations and maintain the chain of custody for all collected evidence. When a security tool sends an indicator of a breach or a customer or team member reports a potential violation, the information is piped into a SIEM, where it’s correlated with other log data. If the event requires escalation, it is assigned to an investigation team, which uses Silo for Research to gather additional data. With all evidence files securely stored and shared, the team can collaborate on analyzing results and determine if additional steps are necessary. All results are shared with the leadership team in a report.
Staying ahead of threat actors
With millions of active customers — both individuals and businesses — the company views security as its top priority. And today, security means more than just protecting their systems from ransomware and keeping customers’ information secure. Preserving the company’s reputation and brand integrity involves untraditional investigation methods, including listening in on dark web forums, blending in with the hacker communities, going undercover to pose as buyers of stolen credentials and many other forms of investigation that don’t fit into the typical mold of a cybersecurity analyst. But with the help of Silo for Research, the company can accomplish their goals without incurring extensive IT infrastructure investments or exposing their analysts to harm.