SWICA, one of the leading health and accident insurance providers in Switzerland, provides health-related services for approximately 1.2 million insured persons and 27,000 corporate customers. Its services range from health care coverage to support for people who are ill, have had an accident, or require prenatal and postnatal care, as well as occupational health services. As a health insurer, the Winterthur-based company has a fundamental obligation to protect the confidentiality and integrity of all patient data.
Given the complexity of today's threats and the constant emergence of new malware and hard-to-detect attacks, the company concluded that an anti-malware solution alone is no longer sufficient to protect its critical data.
"We must also protect our systems better against zero-day and targeted attacks," says Chris Baur, Head of Technology Management at SWICA. "Moreover, the availability and integrity of our infrastructure is absolutely critical for our company." Baur recognized that these requirements can only be met if his department knows at any given time what is happening on the company's network, so that suspicious communication is detected immediately.
In spring, Baur began searching for a suitable solution. He compared a proof of concept of Trend Micro's Deep Discovery with proofs of concept for competing products to inform his decision. "There were many reasons why we chose Deep Discovery," says the Head of Technology Management. "Firstly, the Trend Micro solution provides more in-depth forensic analyses than its competitors," explains Baur. Secondly, SWICA already uses Trend Micro solutions and can benefit from seamless integration with the new solution.
To better protect the company's approximately 2,000 clients and servers, SWICA has been using Trend Micro's Deep Discovery Inspector and Deep Discovery Advisor since July 2013. A Deep Discovery Inspector appliance monitors all network traffic to and from the Internet. The Deep Discovery Advisor appliance is responsible for executing and analyzing potentially malicious content, including executable files, PDFs and other common Office documents, as well as websites. For this purpose it combines sandboxing technology with detection engines.
OfficeScan and ScanMail, two Trend Micro solutions already in use at SWICA, are integrated with Deep Discovery. This means, for example, that ScanMail can forward suspicious email attachments to the sandbox for execution. If the solution identifies a communication as malicious, it notifies the scanner, which can then block the attack. "The tight integration of these solutions with each other enables us to use all of the web reputation capabilities," Baur points out. "Not only do we profit from information from the global Smart Protection Network, but we also have an SPN that is more or less customized for our environments."
The sandbox execution environment of the Deep Discovery Advisor uses the company's own internal desktop images. In the eyes of the Head of Technology Management, this is a further benefit of the Trend Micro solution: analysis results from an environment that matches the company's actual desktops are more precise and more meaningful than those from a generic sandbox, since malware may behave differently, or not trigger at all, on a system configuration it does not expect.
The way in which the SWICA security team qualifies security events has changed with the introduction of the new solution. The formerly time-consuming process of analyzing and interpreting logs has been replaced by work in the Threat Intelligence Center, which the IT team now uses as its environment for analyzing threat analysis results, security incidents and logs. Baur emphasizes the advantages of these investigation components, which make it easy to link individual pieces of information graphically and quickly, so that correlations between events become visible.
"Using forensic analyses, the Advisor enables us to search for the cause of the event and not just combat the symptoms. We are able to identify what is really happening on a computer, and moreover, what could have happened," explains Baur. Based on the results, the team decides what response is sufficient, for example whether a computer has to be rebuilt, or which updates and patches can be deployed quickly. "This supports not only our security incident management processes, but it allows us to manage risks as well," summarizes the Head of Technology Management.
In addition, SWICA uses the threat intelligence functions of the Threat Connect Portal. When Deep Discovery detects suspicious behavior, the IT team can check there whether similar incidents have been observed before. The portal also provides detailed threat categorization and recommendations for containment and remediation.
Although qualifying events and working through the volume of detailed information remains demanding, and IT staff are still learning to use the software, the IT team does not need more resources for these processes than before.
"The solution has already proven itself. We have already been able to detect potential attacks and bugs that we wouldn't have detected until later with conventional means," reports the Head of Technology Management. Many awareness activities are also based on the results produced by the Advisor. These go beyond warnings sent to employees when suspicious activity is detected: Deep Discovery reports also reveal employee behavior that could potentially endanger security.