PMO - Netw Forensic - 130319 v2.2

The document provides details of a network forensic and security analytics project for a bank. The objective is to improve visibility and detection of malicious activities by analyzing network traffic. The project will implement solutions to help identify threats, aid investigations, and enhance the bank's cyber defenses. The scope includes delivering and configuring appliances at two data centers, integrating them with network switches and security tools, and conducting testing and knowledge transfers.


Network Forensic Project

PMO MEETING
07/2019
13/03/19

Strictly Private & Confidential


TABLE OF CONTENTS

No Contents Page Number

1 Project Objective 3

2 Executive Summary 4

3 Project Implementation Scope 5

4 High Level Architecture Diagram 6-8

5 High Level Timeline 9

6 Progress Report 10

7 Risk Assessment 11

Network Forensic PMO Slide Page 2


OBJECTIVE

The objectives of this presentation are:

1. To present the status of the Network Forensic & Security Analytics Project to the project stakeholders
2. To recommend the way forward



EXECUTIVE SUMMARY

• The Network Forensic and Security Analytics solution is being implemented to improve visibility for detecting malicious activities by analyzing network traffic, and to provide better accuracy in identifying and prioritizing threats and risks.

• It enhances the bank's ability to detect, investigate, and respond to cyber security threats, lessening the impact of cyber-attacks on the bank's assets.

• The solution will be used to identify and generate evidence specifically related to network activity to aid forensic investigation.

• Being able to reconstruct and analyze an incident promptly will help improve the bank's cyber security defenses and ensure that similar cyber security incidents do not recur.

• This implementation also addresses the following BNM regulatory requirements and findings:

i) BNM – Managing Cyber Risks Circular – item 10 (e)

Capture the full packet to rebuild relevant network sessions to aid forensics in the event of incidents.

ii) BNM 2017 CRR - Weakness in Management of IT Risk (no 32)

Technology Division is required to undertake the following measures:
- Expedite full implementation of cyber security requirements.



PROJECT IMPLEMENTATION SCOPE

Project Stage: Main Activities

Initiation
• Collect requirements
• Develop SOW
• Plan and design the overall solution
• Kickoff meeting

Execution
• Delivery of appliances
• Rack mount and set up 1 unit of GigaVUE-HC2 and 1 unit of DCIP-X2 appliance at Strateq DC
• Rack mount and set up 1 unit of GigaVUE-HC2 and 1 unit of DCIP-X2 appliance at Cyberjaya DC
• Configure all the appliances in scope
• Perform user acceptance test to confirm all deployed devices are functioning as expected

Closure
• Prepare handover documents
• Knowledge transfer
• Post Implementation Review


HIGH LEVEL ARCHITECTURE DIAGRAM
OPTION 1 – Gigamon connects to network switch

[Diagram: 1st tier firewall pair > switches > Gigamon (TAP-HC0-G100C0 tap module and SMT-HC0-X16 module, TAP 1 to TAP 12, ports X1 to X16) with inline connections to the WAF and the IPS and a spanned/mirror port to Darktrace > switches > 2nd tier firewall pair. Legend: Traffic, Mirrored Traffic. Numbered arrows correspond to the traffic flow below.]

Traffic Flow
1. Traffic from the 1st tier firewall is passed to the switch and forwarded to Gigamon (tap module)
2. Gigamon decrypts HTTPS traffic
3. A copy of the (decrypted) traffic is mirrored and sent to Darktrace for analysis
4. Gigamon forwards traffic out to the IPS for scanning and the IPS sends it back to Gigamon (inline module)
5. Gigamon forwards traffic out to the WAF for scanning and the WAF sends it back to Gigamon (inline module)
6. Gigamon re-encrypts HTTPS traffic
7. Traffic is forwarded from Gigamon to the switch and to the 2nd tier firewall before being forwarded on to the destination (tap module)
HIGH LEVEL ARCHITECTURE DIAGRAM Cont.
OPTION 2 – Gigamon replaces network switch

[Diagram: 1st tier firewall pair connected directly to Gigamon (TAP-HC0-G100C0 tap module and SMT-HC0-X16 module, TAP 1 to TAP 12, ports X1 to X16) with inline connections to the WAF and the IPS and a spanned/mirror port to Darktrace, then directly to the 2nd tier firewall pair; no network switch in the path. Legend: Traffic, Mirrored Traffic. Numbered arrows correspond to the traffic flow below.]

Traffic Flow
1. Traffic from the 1st tier firewall is sent to Gigamon (tap module)
2. Gigamon decrypts HTTPS traffic
3. A copy of the (decrypted) traffic is mirrored and sent to Darktrace for analysis
4. Gigamon forwards traffic out to the IPS for scanning and the IPS sends it back to Gigamon (inline module)
5. Gigamon forwards traffic out to the WAF for scanning and the WAF sends it back to Gigamon (inline module)
6. Gigamon re-encrypts HTTPS traffic
7. Gigamon forwards the scanned traffic out to the 2nd tier firewall (tap module)


HIGH LEVEL ARCHITECTURE DIAGRAM Cont.
OPTION 3 – Gigamon is placed after WAF

[Diagram: WAF pair > Gigamon (TAP-HC0-G100C0 tap module and SMT-HC0-X16 module, TAP 1 to TAP 12, ports X1 to X16) with an inline connection to the IPS and a spanned/mirror port to Darktrace > switches > internal network. Legend: Traffic, Mirrored Traffic. Numbered arrows correspond to the traffic flow below.]

Traffic Flow
1. Traffic from the 1st tier firewall is passed to the WAF before being forwarded to Gigamon (tap module)
2. Gigamon decrypts HTTPS traffic
3. A copy of the (decrypted) traffic is mirrored and sent to Darktrace for analysis
4. Gigamon forwards traffic to the IPS for scanning and the IPS sends the traffic back to Gigamon (inline module)
5. Gigamon re-encrypts HTTPS traffic
6. Gigamon forwards the scanned traffic out to the internal network


HIGH LEVEL TIMELINE

[Gantt chart columns: Feb-19, Mar-19, Apr-19, May-19, each split into weeks W1 to W4]

Task/Activities
- Finalize SOW Document
- Project Kick-Off
- Technical Workshop
- Implementation Workshop
- Strateq Data Center
  - Darktrace and Gigamon Setup
  - Pilot UAT
  - SOC Monitoring
  - UAT
- Cyberjaya Data Center
  - Darktrace and Gigamon Setup
  - Pilot UAT
  - SOC Monitoring
  - UAT
- Documentation
- Training
- Post Implementation Review
- Project Closure and Signoff

Marker on chart: "We are here"



Network Forensic Project: Progress Report as of 13 Mar 2019

Project Milestones

No | Milestones                    | Target Start | Target End | Actual Start | Actual End | Status (%)
1  | Finalize SOW Document         | 20 Feb       | 22 Mar     | 20 Feb       | -          | 50%
2  | Project Kick-off              | 27 Mar       | 27 Mar     | -            | -          |
3  | Technical Workshop            | 28 Feb       | 21 Mar     | 28 Feb       | -          | 50%
4  | Implementation Workshop       | 22 Mar       | 1 Apr      | -            | -          |
5  | Strateq Data Center           |              |            |              |            |
   |   Darktrace and Gigamon Setup | 8 Apr        | 18 Apr     | -            | -          |
   |   Pilot UAT                   | 9 Apr        | 9 Apr      | -            | -          |
   |   SOC Monitoring              | 9 Apr        | 9 Apr      | -            | -          |
   |   UAT                         | 19 Apr       | 24 Apr     | -            | -          |
6  | Cyberjaya Data Center         |              |            |              |            |
   |   Darktrace and Gigamon Setup | 29 Apr       | 9 May      | -            | -          |
   |   Pilot UAT                   | 30 Apr       | 30 Apr     | -            | -          |
   |   SOC Monitoring              | 30 Apr       | 30 Apr     | -            | -          |
   |   UAT                         | 10 May       | 15 May     | -            | -          |
7  | Documentation                 | 16 May       | 22 May     | -            | -          |
8  | Training                      | 23 May       | 27 May     | -            | -          |
9  | Post Implementation Review    | 28 May       | 29 May     | -            | -          |
10 | Project Closure and Signoff   | 30 May       | 30 May     | -            | -          |

Current Progress/Status

No | Activities         | Actual Start Date | Target End Date
1. | SOW Signoff        | 20 Feb            | 21 Mar
2. | Technical Workshop | 28 Feb            | 21 Mar

Activities Planned Next Period

No | Activities              | Target Start Date | Target End Date | Responsibility
1. | SOW Document            | 20 Feb            | 28 Feb          | Ensign, IT Security, PMO
2. | Project Kickoff Meeting | 27 Mar            | 27 Mar          | Ensign, IT Security, PMO

Highlight / Issue

1. Project Kick Off:
   Project Kick Off has been postponed to 27 Mar 2019 because the technical design discussion is still in progress.

2. Pre-Workshop:
   • Done on 28 Feb 2019
   • Ensign presented the deployment options to Bank Islam

3. Contract Agreement and SOW Signoff:
   • IT Security provided feedback on the draft SOW document
   • Ensign, IT Security, VMO and the Legal team are working together to finalize the draft of the Contract Agreement



PROJECT RISK ASSESSMENTS

No: 1
Key Risk Identified: Extended timeline for Technical Workshop
Date Raised: 11 Jul 2019
Raised by: Ensign
Criticality (H, M, L): M
Likelihood: Possible
Mitigation Strategy: Ensign will arrange the data centre site visit in the week of 18 Mar to address the technical concerns from both the Bank Islam IT Security and Network teams.
Status: Ongoing
Remark: Bank Islam teams are in the midst of evaluating the design options. Ensign will assess the progress and provide an update during the next PMO meeting.

