The financial industry is known for its rigorous and sometimes quirky data retention requirements that can challenge even the most seasoned security expert.
For example, FINRA Rule 4511 requires members to "preserve for a period of at least six years those FINRA books and records for which there is no specified period under the FINRA rules or applicable Exchange Act rules."
Keeping six years of records: That's no small feat. But it's certainly doable.
This is the true story of how one firm used Zeek®, the open-source network monitoring system that forms the backbone of Corelight’s enterprise Open NDR Platform, to address its data archiving challenge. The firm used Zeek network data logs to assist in the capture and preservation of all business-related electronic communications, including emails, instant messages, and chat logs, ensuring compliance with the rule's recordkeeping mandate. This action gave them the ability to monitor activity in these systems. It also confirmed which data was retained, simplifying auditing and facilitating its ongoing compliance with FINRA Rule 3110. As a residual benefit, the firm improved its process of retaining security logs from involved systems and network monitors.
The firm had an existing NetFlow and PCAP system and considered expanding its use to capture book and record transactions. They had a pretty good idea of the answer beforehand, but did their due diligence and calculated the costs of expanding the existing platform:
When the firm spec'd out the platform, it anticipated being able to retain seven days’ live PCAP and NetFlow before copying and archiving some PCAP data over to a NAS for application analysis. In practice, they were only able to retain four days’ worth of live data before it was overwritten. The PCAP system also wasn't capturing all network traffic: it captured only traffic on a specific set of ports.
So, in order to expand the limited capture to just a full month’s worth of live record retention, the upgrade was going to cost over $7 million. This solution was too expensive, unsustainable, and out of the question.
Fortunately, the firm had personnel with operational experience implementing Zeek. Using Zeek and the detailed metadata it logs, the firm bridged the gap in its network security monitoring platform. With it, the firm could have 60 days’ worth of network traffic indexed live.
Here is what the Zeek solution’s numbers looked like by comparison:
And here’s how the firm met its long-term data archival goals and complied with FINRA’s six-year lookback requirement:
Problem solved.
From a security practitioner's standpoint, it isn't feasible to threat hunt or respond to incidents with a limited amount of PCAP covering only a few ports and protocols. When defenders are protecting networks from exploitation, breaches, and data loss, they require detailed evidence that builds a comprehensive story of what occurred. When a new zero-day detection is released, you can detect it going forward. But if you don't have data from the past to run the indicators of compromise (IoCs) against, you can't be sure your network hasn’t already been compromised.
Scenarios like these form a compelling case for security experts in the financial industry to leverage the capabilities of Corelight’s Open NDR Platform. With its Smart PCAP technology, Corelight enables long-term data storage and retrospective investigation and simplifies the process of complying with regulatory mandates.
It also provides security teams and forensic analysts with invaluable lookback capabilities that assist them in monitoring and defending their networks.
Corelight does not provide legal or compliance advice. You are responsible for making your own assessment of whether your use of the Corelight offerings meets applicable legal and regulatory requirements.