
Charting a New Course

A new strategy to protect your financial institution and your reputation against cyberthreats

The bottom line: Financial services institutions are a favored hunting ground of cybercriminals

Whether it’s treacherous insiders stealing data or malicious cybercriminals hacking into company resources, financial services institutions face severe risk to their most important assets—their customers and their reputation—from inside and outside the organization.

Daily press coverage highlights the intensity of online banking attacks, fueling the erosion of customer trust while tarnishing an institution’s reputation. As hackers refine their attacks, they increasingly home in on the financial services sector.

These issues have escalated to such proportions that law enforcement and national banking organizations like the FBI, the FDIC and NACHA have issued ongoing alerts warning of the growth in cybercrime and the alarming sophistication of six- and seven-figure attacks.

Recently, the financial segment ranked highest at 60% of exposed identities in the Symantec Global Internet Security Threat Report. That represents an enormous one-year increase: in the previous year, financial sector victims made up only 29% of identities exposed.

Financial institutions are caught in a war they’re simply unequipped to win against such highly evolved and organized foes. Despite continued increases in network and IT security spending by financial services (ABI Research estimated a 9.8% increase in 2011), the financial services industry continuously falls prey to highly organized and well-funded cybercriminals who steal large sums of money through malicious attacks.

It is not possible to fight an unconventional foe with conventional tools and be victorious. As the volume of data grows in many organizations, analysis performance drops and detection times stretch out, impeding timely threat detection and response.

Financial services institutions need a new approach to cybersecurity; an approach that can match the volume, variety and velocity of today’s cyberattacks.

© 2014 Red Lambda, Inc. All Rights Reserved.


Banks and financial institutions are under constant attack

Whether it’s from treacherous insiders stealing data or malicious cybercriminals hacking into company resources, financial institutions face risk from inside and outside the organization. For instance:

More than 60,000 new malware strains are identified each day, a four-fold increase in just three years.

With more than 20 million new malware strains produced in 2010, 34% of all malware ever created was unleashed in that single year, according to Panda Security.

In its “2012 Data Breach Investigations Report”, Verizon Business reported that the financial services industry represents 10% of attacks, but 40% of all compromised records in 2011. Stealing digital money from information systems rather than vaults is seemingly a less primitive, less dangerous, and less risky form of bank robbery.

Internal threats abound as well. Statistics show that while faceless hackers halfway around the globe pose a formidable threat to financial services organizations and their customers, some of the biggest security problems in the industry may originate from the keyboards of their own staff.

With a couple of keystrokes from an employee or authorized user accessing the network from almost anywhere, terabytes of sensitive information can be transferred easily into exploitive hands.

In the past year alone, 72% of financial institutions reported suffering a breach at the hands of insiders. One of the most recent victims was card processor Global Payments. While the company maintains that fewer than 1.5 million card accounts were stolen, some industry experts now believe more than 7 million card accounts may have been compromised. These incidents are clearly on an upward trajectory—nearly 80% of financial organizations around the world believe the problem only continues to increase in the wake of the current economic turmoil.

Botnets serve as a springboard for organized crime

Zeus (aka Kneber): an online banking Trojan spread by phishing email and drive-by downloads over a period of three years, infecting millions of PCs that were herded into hundreds of botnets.

According to officials, victims’ stolen credentials were used to initiate fraudulent transfers to “money mules” who were paid to route stolen funds back to the organizers.

In October 2010, the FBI announced that one large international crime network had used Zeus to steal $70M from victim accounts, leading to 60 arrests in the US, 19 in the UK, and others in Ukraine.


Cost of a breach exceeds the dollars lost

Breach costs within the financial sector are higher than in any other sector, according to the Ponemon Institute. The average cost of a data breach within the financial sector is $249 per record, a full $45 per record more than the average cost of a breach across all sectors. The majority of financial institutions in 2009 reported a $6.75 million average breach cost.

Fraud costs are massive to an institution, far exceeding losses associated with the fraudulent transactions. Financial institutions lose money stolen through fraud as well as the amount needed to pay legal fees, the cost to report the breach to customers, and fees from compliance organizations.

What’s more, they suffer reputation damage, brand damage, and customer departures. According to Ponemon Institute, 20% of customers leave immediately upon discovering an organization suffered a breach.

Cybercrime Costs Approaching $1 trillion

In a speech on the floor of the U.S. Senate, Sen. Sheldon Whitehouse (D-Rhode Island) relayed:

“There is a concerted and systematic effort underway by nation states to steal our cutting edge technologies.

At the same time, criminal hacker communities are conspiring to penetrate financial industry networks, rob consumers of their personal data, and transform our personal computers into botnet zombies that can spread malware and chaos.

It is difficult to put a precise dollar figure on the damage and loss these malicious activities are causing, but it is safe to say it numbers in the many tens of billions of dollars--perhaps as high as $1 trillion.”

New attacks are fueled by ongoing innovations

To remain competitive, banks and credit unions are expanding the services that they offer at an unprecedented rate, including greater online banking and payment options. And all of this is increasingly available to an ever-expanding list of devices, including:

Smart phones

Tablet computers

Other mobile devices

Concurrently, a steep rise in web-based collaborative tools, mash-ups, social media, enriched instant messaging, and online user-contributed content continues. Many of these applications are built hastily, with minimal regard for security, to take advantage of quickly changing market conditions.

These mobile applications tunnel through network firewalls to provide web-based access directly into back-end systems that may or may not have been intended for outside connectivity.

The unprecedented volume, variety, and velocity of today’s cyberattacks give criminals a clear tactical advantage.


Two factors explain why conventional security approaches are ineffective against today’s sophisticated threats:

The advanced tools and techniques used to wage cyberattacks

The profile and motivations of the attackers themselves

Conventional security can’t protect against unconventional threats

Combined, they form an unconventional threat that conventional network security infrastructure falls short in combating:

Malware sophistication and proliferation: Open source malware kits, like Zeus, facilitate a never-ending stream of new malware. Signature-based IPS technology has a 62% average effectiveness rating.**

Adaptive adversaries: Sophisticated hacker communities, crime syndicates, and foreign nations plant decoy alerts and log entries to mask attacks.

Distributed and coordinated resources: Botnets leverage massive computing power to overwhelm and bypass existing perimeter defenses.

Advanced Persistent Threats (APTs): Active for months or years before surfacing.

Multi-vector attacks: Malware, social engineering, and physical media.

**“Network Intrusion Prevention System (IPS) Comparative Test Report”, Q4 2010

Defenses must be right every time attacks happen

For financial services companies, determining when, where, how, and why cyberattacks might strike is like searching for a needle in a hayfield. Security teams trying to analyze everything, everywhere, every moment hope to detect threats quickly and stop them before the damage is done.

Achieving this level of visibility and awareness requires correlating and analyzing vast amounts of data collected from numerous systems, logs, directories, security and network devices, traffic, sensors, and databases over the course of a year.

The requirement for real-time, complex event processing on large datasets (IT big data) goes well beyond the capabilities of today’s SIEM and log management products. Security teams are left choosing between two weaknesses: reducing the breadth and scope of data being analyzed, or substantially delaying threat detection times.


Conventional tools fall short

Current defense techniques deployed by financial institutions are ineffective against increasingly sophisticated attacks. A survey of 500 financial institutions conducted by the Ponemon Institute found that in 80% of attacks, the money left the institution before the attack was identified. More than 70,000 variations of Zeus exist. Phishing attacks via email, SEO, and mobile phones are rampant. Criminals move money online via the ACH network, wire transfers, and bill pay. Some attacks are automated; some have a real human behind them. Using conventional tools (signature-based threat detection such as antivirus and IDS/IPS, and forensics-focused security information and event management (SIEM) tools), financial institutions simply do not have the resources to understand, anticipate, and respond to every possible threat. Current perimeter- and network-based protection systems can’t effectively analyze, detect, and block current threats.

These approaches fall short in several critical areas:

Lack scalability — Managing users/identities, systems, applications, and data all at once, under product scalability limits, narrows the security analysis to a subset of event and log data.

Can’t support highly distributed environments — Financial institutions are among the most highly distributed environments, with branches and remote outposts. Current solutions deploy appliances or collection agents to these locales, but this only compounds analysis latency: parsing and filtering at the collection point is limited, and inbound data must come to rest in a database before further processing.

Difficult to deploy and manage — Protection against sophisticated attacks requires collecting more data from more devices and events. It is simply not feasible for applications and humans to handle the collection and analysis workload required to detect everything, so something is bound to get through.

Signature based — A database of signatures and known bad elements can’t keep pace with the sheer volume of new malware strains created daily. Perimeter defenses built on rules and signatures are necessary even when proactively managed and regularly updated, but they are not the answer; the approach is far too static.

Focused on compliance — The financial services sector is among the most highly regulated industries, and with good reason. But demonstrating compliance is a static event, and compliance regulations lag behind technology. Demonstrating compliance is important, but being compliant is not the same as being secure.

Intrusion-centric defense — In many respects, information security has mimicked physical security practices by deploying an intrusion-centric approach to threat protection: watch what comes in, not what goes out. Cyberattackers take advantage of this lop-sided security model, using outbound command and control channels from on-premise bots to reach confidential data and intellectual property.

Identify attacks after the fact — Current solutions are passive and lean heavily toward forensic analysis long after attacks have occurred. The key to breaking the cycle lies in identifying an attack while it’s happening, or even before it begins, when cybercriminals are profiling a financial services company.


Charting a new course to gain the upper hand on cybercriminals

Banks and financial institutions can exercise a strategic advantage over cybercriminals: their knowledge of customer behavior. Every bank and credit union has data about their customers and their legitimate behavior and patterns. And somewhere, through the process of logging in, performing account reconnaissance, setting up payees, changing user information, and executing a wire, ACH, bill pay, or other transaction, a criminal will do something unexpected relative to what a typical user would do.

Knowing what “normal” behavior looks like, financial institutions can evaluate online banking sessions for predictable, legitimate user behavior, pinpointing sessions and activities that don’t follow known behavior patterns as fraudulent activity.

Analyzing behavior and detecting deviations in real time is the most effective strategy against today’s most sophisticated attacks, and will continue to be effective as threats evolve. This means integrating cybersecurity with fraud prevention, leveraging a bank’s strength in understanding customer behavior, and expanding the telemetry that is collected and analyzed.
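The session-scoring idea in the preceding paragraphs, worked through as an added example (this is illustrative code written for this page, not Red Lambda’s product logic). It builds a per-customer baseline from past online banking sessions and scores a new session by how far it departs from that baseline; the feature set, weights, threshold and the constructed sample sessions are all assumptions made for the example.

```python
"""Per-customer behavioral baseline for online banking sessions.

Added illustration, not Red Lambda's code. The session features, weights,
threshold and the sample sessions below are assumptions for this example.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed history for one customer: evening logins from the US on two known
# devices, small transfers, no wires.
HISTORY = [
    {"hour": 19, "country": "US", "device": "d1", "new_payees": 0, "transfer": 120.0, "wire": False},
    {"hour": 20, "country": "US", "device": "d1", "new_payees": 0, "transfer": 90.0, "wire": False},
    {"hour": 18, "country": "US", "device": "d2", "new_payees": 1, "transfer": 300.0, "wire": False},
    {"hour": 21, "country": "US", "device": "d1", "new_payees": 0, "transfer": 150.0, "wire": False},
    {"hour": 19, "country": "US", "device": "d1", "new_payees": 0, "transfer": 110.0, "wire": False},
]


def build_profile(history):
    """Summarize what 'normal' looks like for this customer."""
    amounts = [s["transfer"] for s in history]
    return {
        "hours": Counter(s["hour"] for s in history),
        "countries": {s["country"] for s in history},
        "devices": {s["device"] for s in history},
        "amount_mean": mean(amounts),
        "amount_sd": pstdev(amounts) or 1.0,  # flat history: avoid division by zero
        "wire_rate": sum(s["wire"] for s in history) / len(history),
        "max_new_payees": max(s["new_payees"] for s in history),
    }


def score_session(profile, session):
    """Return (risk_score, reasons); each deviation from the baseline adds weight."""
    score, reasons = 0, []
    if session["country"] not in profile["countries"]:
        score += 3
        reasons.append("login from unseen country")
    if session["device"] not in profile["devices"]:
        score += 2
        reasons.append("unseen device")
    # Hour of day never seen before and more than 3h away from every usual hour
    if session["hour"] not in profile["hours"] and all(
        abs(session["hour"] - h) > 3 for h in profile["hours"]
    ):
        score += 1
        reasons.append("unusual login hour")
    z = (session["transfer"] - profile["amount_mean"]) / profile["amount_sd"]
    if z > 3:
        score += 3
        reasons.append(f"transfer amount is {z:.1f} standard deviations above normal")
    if session["new_payees"] > profile["max_new_payees"]:
        score += 2
        reasons.append("more new payees than in any past session")
    if session["wire"] and profile["wire_rate"] == 0:
        score += 2
        reasons.append("first-ever wire transfer")
    # Add a payee, then wire to it in the same session: the classic cash-out sequence
    if session["new_payees"] > 0 and session["wire"]:
        score += 2
        reasons.append("new payee and wire in the same session")
    return score, reasons


def is_suspicious(profile, session, threshold=5):
    """Sessions at or above the threshold are held for review rather than executed."""
    return score_session(profile, session)[0] >= threshold


# Constructed sessions: one consistent with the baseline, one that is not.
LEGIT = {"hour": 20, "country": "US", "device": "d1", "new_payees": 0, "transfer": 130.0, "wire": False}
TAKEOVER = {"hour": 3, "country": "RO", "device": "d9", "new_payees": 2, "transfer": 4800.0, "wire": True}

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for name, s in (("legit", LEGIT), ("takeover", TAKEOVER)):
        print(name, score_session(profile, s))
```

The point of returning the reasons alongside the score is operational: a fraud analyst holding a wire needs to see which behaviors tripped the score, and the same list is what a customer-facing step-up challenge (call-back, one-time code) can be keyed on. A real deployment would also widen the baseline with session telemetry such as navigation timing and typing cadence, which this example omits.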

Red Lambda’s next-generation approach to network security provides effective threat defense to financial services institutions worldwide. Combining leading-edge technologies from distributed high-performance computing (e.g. used in computationally intensive tasks such as advanced research, model simulations, and movie animation) and complex event processing (e.g. used in real-time stock analysis) with advanced neural network, behavioral, and social analysis capabilities, Red Lambda converts massive amounts of security and network data (IT big data) into critical information needed to identify and respond to threats as they surface.

Red Lambda achieves optimal network security using a suite of security and operational intelligence applications powered by the underlying high performance MetaGridTM Platform. MetaGridTM unifies distributed computing power from across the network into a virtual supercomputer capable of consuming petabytes per day of operational data and processing millions of events per second.

MetaGridTM was born for Big Data, delivering massive scale, speed, and storage needed to overcome the historical barriers and provide data-driven security within Big Data IT environments. The Red Lambda suite of solutions leverages the MetaGridTM platform to provide a full range of security and operational intelligence applications that are: massively scalable, identity aware, deliver advanced threat detection and analysis, enable active response/ remediation, and provide shared security intelligence to counter today’s advanced cyberattacks. A summary of Red Lambda’s security, analytics and operational intelligence capabilities include:


Massively distributed, scalable, and survivable — An effective defense against today’s threats requires the ability to analyze everything crossing the network, everywhere the network is deployed, every moment in time. This complex data processing challenge is further exacerbated by the size and complexity of many financial services institutions. MetaGridTM leverages distributed grid computing to deliver the supercomputer power and speed required for comprehensive threat detection, analysis, and defense. Highly available and survivable by design, it is built to match botnet-enabled adversaries in distributed computing power.

Rich identity awareness — Mobility is severing the historical tie between a user, their computer, and their office. Today’s users are likely to have multiple devices—home and office computers, smartphone and iPad—using them to access the network from numerous locations including home, campus, customer sites, Wi-Fi hotspots, even the battlefield. To keep pace with the infrastructure access options, Red Lambda’s security applications provide a rich identity mode that triangulates a user’s identity from multiple sources: authentication directories (e.g. Active Directory), network infrastructure records that tie addresses to hosts (e.g. DHCP leases), session telemetry (characteristics of interaction), and user behavior.

Rapid threat detection and analysis — Rule and signature-based threat detection and analysis can’t keep pace with rapidly changing threats. In addition, as the amount of data, rules, and signatures increases, performance drops and false positives increase, hampering timely threat detection and response. To get ahead of today’s cyberattacks, Red Lambda’s solutions use an advanced threat detection engine that identifies the broadest possible spectrum of anomalies and threats while virtually eliminating false positives. Combined with the system’s correlation engine, which relates data by user identity, application, context, location, and social construct, it can detect more obscure threats such as hijacked credentials, the accessing of classified data from an unauthorized location, or the transfer of an unusually high volume of data.
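The identity triangulation described under “Rich identity awareness” and the three identity-based detections named just above (hijacked credentials, classified data from an unauthorized location, unusually high transfer volume), worked as one added example. This is illustrative code written for this page, not Red Lambda’s own; the log line formats, the site map, the restricted-share policy, the time window and the byte threshold are assumptions, and the log lines are constructed.

```python
"""Identity-aware correlation over constructed logs.

Added illustration, not Red Lambda's code. It resolves each network event to a
user by joining directory logon events and DHCP leases on IP address and time,
then runs three identity-based checks. Log formats, the site map, the
restricted-share policy and the thresholds are assumptions for this example.
"""
from datetime import datetime, timedelta

# Constructed sample logs, one event per line: "<ISO time> <kind> <fields...>"
DHCP_LEASES = [
    "2014-04-17T08:00:00 lease 10.1.0.15 aa:bb:cc:00:00:01 alice-laptop",
    "2014-04-17T08:05:00 lease 10.2.0.40 aa:bb:cc:00:00:02 bob-desktop",
    "2014-04-17T08:30:00 lease 10.9.0.77 aa:bb:cc:00:00:99 unknown-host",
]
AD_LOGONS = [
    "2014-04-17T08:01:00 logon alice 10.1.0.15",
    "2014-04-17T08:06:00 logon bob 10.2.0.40",
    "2014-04-17T08:31:00 logon alice 10.9.0.77",  # alice's credentials again, elsewhere
]
ACCESS_EVENTS = [
    "2014-04-17T08:10:00 access 10.1.0.15 smb://fs1/hr-payroll 20480",
    "2014-04-17T08:12:00 access 10.2.0.40 smb://fs1/public 4096",
    "2014-04-17T08:35:00 access 10.9.0.77 smb://fs1/hr-payroll 734003200",
]
SITE_BY_PREFIX = {"10.1.": "HQ", "10.2.": "Branch-A", "10.9.": "Guest-WiFi"}
RESTRICTED = {"smb://fs1/hr-payroll": {"HQ"}}  # share -> sites allowed to read it


def parse(lines):
    """Split each line into (timestamp, kind, remaining fields)."""
    events = []
    for line in lines:
        ts, kind, *fields = line.split()
        events.append((datetime.fromisoformat(ts), kind, fields))
    return events


def site_of(ip):
    return next((s for p, s in SITE_BY_PREFIX.items() if ip.startswith(p)), "unknown")


def latest_before(events, ip, when, ip_index, value_index):
    """Most recent event for this IP at or before 'when'; returns one field of it."""
    best = None
    for ts, _, fields in events:
        if fields[ip_index] == ip and ts <= when and (best is None or ts > best[0]):
            best = (ts, fields[value_index])
    return best[1] if best else None


def detect(dhcp_lines, logon_lines, access_lines,
           travel_window=timedelta(hours=1), big_transfer=100 * 1024 * 1024):
    leases, logons, accesses = parse(dhcp_lines), parse(logon_lines), parse(access_lines)
    alerts = []

    # 1. One identity active from two different sites within the window:
    #    physically implausible, so treat the credentials as hijacked.
    seen = {}
    for ts, _, (user, ip) in sorted(logons, key=lambda e: e[0]):
        site = site_of(ip)
        for prev_ts, prev_site in seen.get(user, []):
            if prev_site != site and ts - prev_ts <= travel_window:
                alerts.append(("hijacked-credentials", user,
                               f"{prev_site} then {site} within {ts - prev_ts}"))
        seen.setdefault(user, []).append((ts, site))

    # 2 and 3. Resolve each access to a user and host, then check location and volume.
    for ts, _, (ip, resource, nbytes) in accesses:
        user = latest_before(logons, ip, ts, ip_index=1, value_index=0)
        host = latest_before(leases, ip, ts, ip_index=0, value_index=2)
        site = site_of(ip)
        if resource in RESTRICTED and site not in RESTRICTED[resource]:
            alerts.append(("restricted-data-from-unauthorized-site", user,
                           f"{resource} read from {site} on {host}"))
        if int(nbytes) > big_transfer:
            alerts.append(("high-volume-transfer", user,
                           f"{int(nbytes)} bytes of {resource} via {host}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(DHCP_LEASES, AD_LOGONS, ACCESS_EVENTS):
        print(*alert)
```

None of the three alerts is visible from a single log on its own: the share server only sees an IP address, the directory only sees a logon, and the DHCP server only sees a lease. Joining them on address and time is what turns “10.9.0.77 read hr-payroll” into “alice’s credentials, on a host that is not her laptop, from the guest network, pulling 700 MB of payroll data thirty minutes after she logged on at HQ”, which is the difference between an event and an incident.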

Active response and remediation — Once a threat is identified, Red Lambda’s security and analytics suite can drive a response rather than merely record the event, including:

Quarantining or revoking access of suspicious users

Revising security policies of current perimeter defenses (e.g. firewall rules)

Blocking a file transfer at the network router

Notification of other agencies to include restricted data views (e.g. NSA)

Automated escalation of incident to US-CERT

Collaboration and security intelligence sharing — The ability to share real-time security intelligence between geographies, subsidiaries, and across the industry enables the strongest security in existence. Red Lambda’s security and analytics suite allows disparate groups and enterprises to be interconnected and share operational responsibilities, reports, and real-time threat intelligence.


© 2014 Red Lambda, Inc. All Rights Reserved.v.17042014

Red Lambda, Inc.
Phone: +1.407.682.1894
Fax: +1.718.247.1852

Corporate Headquarters
2180 West State Road 434
Suite 6200
Longwood, Florida 32779

London
1 Royal Exchange Avenue
London, EC3V 3LT
United Kingdom

Conclusion

To protect a financial institution’s most critical assets – customer data and corporate reputation – against a powerful and cunning opponent, a new approach to cybersecurity is critical to win the war. This solution must provide a defense that equals the volume, variety, and velocity of today’s cyberattacks.

Combining high performance computing, identity awareness, advanced neural, behavioral, and social analysis and rapid response capabilities, Red Lambda enables businesses and government agencies to deliver a symmetrical threat defense and gain the upper hand in the ongoing cyberwar.

About Red Lambda, Inc.

Red Lambda enables businesses and government agencies to effectively secure their data through advanced, Big Data analytics technologies that break through the barriers and limitations of existing legacy systems and appliance-based offerings.

Red Lambda’s seamlessly integrated suite of solutions, powered by its massively scalable distributed grid platform called MetaGridTM, fuses virtual supercomputing, relational stream processing, and artificial intelligence for the first time into one complete system, enabling real time, on-the-fly anomaly detection for known and unknown threats.

The system’s predictive capabilities deliver unprecedented visibility and actionable intelligence that makes sense of structured and unstructured data without rules, signatures, or manual programming. By empowering end users, companies can deploy preemptive strategies to confidently defend against cyberattacks while deriving significant business value from their operational data.

Based in Orlando, Florida, Red Lambda, Inc. maintains operations in the U.S. and London, distributing its solutions directly and through strategic partnerships worldwide. For more information, visit www.redlambda.com.