Optimal protection from cyber attacks

“The Swisscom security experts react immediately when an attack occurs”

An attack involving ransomware can completely paralyse a company if the worst comes to pass. St. Galler Kantonalbank, SGKB, has made clever provisions.

Text: Anton Neuenschwander, Images: Michael Meier, 31 May

The business model used by the extortion industry continues to evolve. In the past, extortionists made companies an offer that was often hard to refuse: certain sensitive information would not be publicised as long as the sum of money demanded was, in fact, paid. Today, companies find themselves paying a ransom for their own data. The most effective weapon used by extortionists is ransomware. This malware insidiously penetrates file servers and makes the files unusable by encrypting them. Those who pay will have their files unlocked again. If they're lucky.

Wanted: An intelligent defence system

Guido Kölliker is the Chief Information Security Officer at SGKB, making him responsible for information security at eastern Switzerland's leading financial institution. In early 2017, he analysed the cyber risks to which the bank is exposed. “Unfortunately, we realised that there were no suitable countermeasures available to us to prevent ransomware attacks,” he recalls. “That made us feel terrible. An attack like this can cause damage amounting to millions.” Kölliker consulted the experts from Swisscom for advice, as Swisscom was responsible for operating the file servers at SGKB. “Our expectations of an effective system to protect us from ransomware were clear: First of all, lightning-fast identification of an attack. And secondly, an immediate reaction involving countermeasures.”

Donat Kaeser, Product Manager for Storage, Backup & Archive Services at Swisscom, mentions a third, equally important, criterion: “An effective backup and restore concept is also indispensable. We recommend backing up data five times a day using snapshot technology. In the event of an attack – which can never be completely ruled out – work on restoring needs to start immediately. However, this also involves a problem: After an incident, the data are restored to the version that existed before the attack. And in many cases, a number of hours can pass in between. In the meantime, however, the more than 1,000 employees of SGKB have been hard at work, with all this work being put into their files. This work would be lost if all the files were simply restored without any differentiation. The best remedy for this is ‘Differential Restore’, which only overwrites the files affected.”

Donat Kaeser (left) and Guido Kölliker intend to keep one step ahead of cyber criminals.

“Good” changes are retained

SGKB decided in favour of the Ransomware Protection service option. This intelligent radar screen identifies ransomware attacks by means of more than 1,700 patterns, and immediately initiates the defined defensive measures. Guido Kölliker cannot hide his enthusiasm for one particular highlight that the solution offers: “‘Differential Restore’ allows all of the files that were spared by the attack to be identified. They contain ‘good’ changes, which are retained. Files that fell victim to a virus attack, in contrast – those with ‘bad’ changes – are overwritten by an older, intact version.” Ransomware Protection allows Guido Kölliker to sleep better at night. “We know that we're optimally protected. The Swisscom security experts react immediately when an attack occurs – for example, by disabling certain user profiles. We are promptly informed about exactly what has happened, and what the bank still needs to do.”

“We know that we're optimally protected.”

Guido Kölliker, Chief Information Security Officer at SGKB

Gaining an advantage when playing cat and mouse

SGKB takes a proactive approach when it comes to security, and is a leader in its industry in guaranteeing the broadest possible protection for itself and its customers, as Guido Kölliker states. “Years ago, the bank was already focussing on its core business activities, which is why it depends on competent, external security partners,” as he describes its development path. “This is why we are considering using other Managed Security Services from Swisscom along with Ransomware Protection. Discussions are currently focussed on Threat Detection & Response services such as Security Analytics, Security Operation Center (SOC) and the Computer Security Incident Response Team (CSIRT).” This is an approach that Donat Kaeser considers advisable, because: “Make no mistake: While we have used Ransomware Protection to create the general conditions for optimal protection and rapid restoration in the file service area, we're still playing cat and mouse with the cyber criminals. We are continually perfecting our solutions to ensure our customers are armed against future threats.”

Leaders when it comes to Cybersecurity: St. Galler Kantonalbank.

St. Galler Kantonalbank, SGKB

One in every two residents of St. Gallen maintains a business relationship with SGKB. As a regional full-service bank, SGKB will soon have been advising private and business customers for 150 years. The bank maintains headquarters in the canton's capital, and operates another 38 branch offices.

Enterprise File Services – the Ransomware Protection option

  • Based on NetApp and Cleondris technologies.
  • Detection and notification for identified events (ransomware patterns).
  • Automatic blocking of clients/hosts.
  • Automatic triggering of emergency snapshots (restore points) for identified attacks.
  • Differential Restore for rapidly restoring services in the event of an attack. The unique functionality repairs defective data and leaves “good” modifications alone.
  • Integration into the “Threat Detection & Response” security portfolio possible (event & incident management).
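
The Differential Restore behaviour listed above, sketched as an added example; it is not Swisscom, NetApp or Cleondris code. The `flagged` set stands in for the detector's verdicts, and the file names and the `quarantine` and `review` actions are assumptions of this sketch.

```python
import hashlib

def manifest(files):
    """Map path -> SHA-256 of content for a {path: bytes} tree."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}

def plan_differential_restore(snapshot, live, flagged):
    """Decide per file what to do after an attack.

    snapshot, live: manifests from manifest(); flagged: paths the detector
    marked as encrypted (assumption: supplied by the detection stage).
    """
    plan = {}
    for path in sorted(set(snapshot) | set(live)):
        in_snap, in_live = path in snapshot, path in live
        if path in flagged:
            # "Bad" change: overwrite with the older intact version if one
            # exists; otherwise there is nothing clean to restore from.
            plan[path] = "restore" if in_snap else "quarantine"
        elif not in_live:
            # Deleted since the snapshot: a user or the attacker may have
            # done it, so this sketch leaves the decision to a human.
            plan[path] = "review"
        elif not in_snap or snapshot[path] != live[path]:
            plan[path] = "keep"        # "good" change made after the snapshot
        else:
            plan[path] = "unchanged"
    return plan

# Constructed sample data: last snapshot versus the share after an attack.
SNAPSHOT_FILES = {
    "hr/contract.docx": b"contract v1",
    "fin/q1.xlsx": b"q1 figures",
    "fin/q2.xlsx": b"q2 figures",
    "ops/old.txt": b"obsolete notes",
}
LIVE_FILES = {
    "hr/contract.docx": b"contract v2, edited by staff",  # legitimate edit
    "fin/q1.xlsx": b"\x8f\x02\xd1\x7a\xee\x41",            # encrypted in place
    "fin/q1.xlsx.locked": b"\x13\x99\xa0\x5c",             # attacker's copy
    "fin/q2.xlsx": b"q2 figures",
    "hr/new-memo.docx": b"draft memo",                     # new work
}
FLAGGED = {"fin/q1.xlsx", "fin/q1.xlsx.locked"}

def demo():
    return plan_differential_restore(
        manifest(SNAPSHOT_FILES), manifest(LIVE_FILES), FLAGGED)

if __name__ == "__main__":
    for path, action in demo().items():
        print(f"{action:10} {path}")
```

A full restore of the same snapshot would also have rolled back `hr/contract.docx` and dropped `hr/new-memo.docx`, which is the lost work the article refers to.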
