2025

Speeding Up Security Forensics by 97.5% Using AWS Step Functions with OneMain Financial

Learn how OneMain Financial built a security forensics solution to automate and accelerate security investigations using AWS Step Functions.

Benefits

97.5% reduction in investigation time

98.8% decrease in yearly costs compared with third-party licensed products

77.8% reduction in time to market

96.2% reduction in the cost of taking snapshots

Overview

OneMain Financial wanted to help analysts at its security operations center (SOC) conduct investigations without impacting its development teams. When third-party products proved to be slow and lacked the capabilities that OneMain Financial was looking for, it decided to build its own security forensics solution—OneFor(ensics)—on Amazon Web Services (AWS).

The company created the self-serve, automated digital forensics solution using AWS Step Functions—a visual workflow service that is used to build distributed applications, automate processes, orchestrate microservices, and create data and machine learning pipelines. That was how OneMain Financial reduced the time between alert and investigation by 97.5 percent. The company also saw significant cost savings compared with third-party licensed products.


About OneMain Financial

OneMain Financial is a leader in offering nonprime consumers responsible access to credit and is dedicated to improving the financial well-being of hardworking Americans. Its solutions are available online and in 1,300 locations across 44 states.

Opportunity | Using AWS Step Functions to Automate Digital Forensics for OneMain Financial

OneMain Financial offers lending products—such as loans, credit cards, and insurance—to customers across the United States. To avoid downtime and protect against cybersecurity threats, the company sought to quickly investigate and resolve application issues across approximately 100 AWS accounts. OneMain Financial’s Cloud and Application Security team prioritized establishing a tool for digital forensics on all those accounts.

Previously, it could take hours for an SOC analyst to identify a potential issue and conduct a deep analysis. The process involved bringing in developers and other staff who had more context for the application in question to investigate the issue and come up with a solution. As a result, developers had to shift their focus away from current projects, slowing business-prioritized product development.

The company ran multiple proofs of concept for various third-party products to test whether the offerings met its strict requirements for a digital forensics tool kit. However, those third-party products had limitations on what data could be moved and how quickly. The products also lacked hashing capability—that is, changing data strings into other values for security purposes and validating chain of custody—which OneMain Financial wanted as an integral part of the forensics process.

To gain the technical capabilities it desired, OneMain Financial decided to build its own digital forensics solution, OneFor(ensics), on AWS. With much of OneMain Financial’s cloud security already on AWS (under the AWS shared responsibility model), using the tools it was familiar with was a good place to start. “Building a solution on AWS increased our ability to investigate and deliver on analysis independent of development teams, helping reduce the impact any investigation would otherwise have in the future,” says Neil Cosson, Vice President and Director for Cloud and Application Security at OneMain Financial.

OneMain Financial began building its automated solution on AWS in January 2024, and the first version of OneFor(ensics) was in production by March 2024. The company built that version using application integration services such as AWS Step Functions. OneMain Financial then added new features and optimizations, updating to the fifth version of OneFor(ensics) in September 2024. By then, it had accelerated its time to market by 77.8 percent.

Solution | Reducing Investigation Time by 97.5 Percent

When SOC analysts at OneMain Financial receive an alert of a potential issue, they log in to a SANS SIFT Workstation, which is a suite of open-source incident-response and forensics tools that is considered an industry standard for digital forensics. The SOC analysts’ workstation is installed on Amazon Elastic Compute Cloud (Amazon EC2), which provides secure and resizable compute capacity for virtually any workload. Moreover, OneMain Financial stores data using Amazon Elastic Block Store (Amazon EBS), a scalable, high-performance block-storage service designed for Amazon EC2. After an analyst logs in, AWS Step Functions validates the account and instance identifier and sends a notification to an authorized person, requesting approval to make a secure forensic snapshot of the account in question.

After the approval is granted, AWS Step Functions takes a snapshot of the affected Amazon EC2 instance’s Amazon EBS volume and creates an encrypted volume of it. To remove the movement limitations of encrypted volumes, OneMain Financial uses cryptographic logic and AWS Lambda, a compute service that runs code in response to events and automatically manages the compute resources. When the volume is moved into the company’s sandboxed AWS account for forensics—which hosts the SANS SIFT Workstation Amazon EC2 instance for the SOC—OneFor(ensics) automatically runs a scan and generates a report. OneFor(ensics) can handle multiple forensics investigations simultaneously, covering compromised Amazon EC2 instances hosted in multiple AWS accounts. To save the report, the solution uses Amazon Simple Storage Service (Amazon S3)—object storage built to retrieve virtually any amount of data from anywhere. Next, OneFor(ensics) triggers a notification that the report is available. The SOC analyst then has the option to isolate workloads that are deemed to be problematic.
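The identifier validation and the chain-of-custody hashing described above can be sketched as follows. This is an added example, not code from OneMain Financial or AWS. It assumes SHA-256 as the hash, and its function names and custody-record fields are hypothetical; an in-memory byte string stands in for the volume image.

```python
import hashlib
import hmac
import io
import re
from datetime import datetime, timezone

ACCOUNT_RE = re.compile(r"\d{12}")                          # AWS account IDs are 12 digits
INSTANCE_RE = re.compile(r"i-(?:[0-9a-f]{8}|[0-9a-f]{17})")  # short or long EC2 instance ID

def validate_request(account_id: str, instance_id: str) -> None:
    """Reject malformed identifiers before any snapshot work starts."""
    if not ACCOUNT_RE.fullmatch(account_id):
        raise ValueError(f"bad account id: {account_id!r}")
    if not INSTANCE_RE.fullmatch(instance_id):
        raise ValueError(f"bad instance id: {instance_id!r}")

def sha256_stream(stream, chunk_size: int = 1 << 20) -> str:
    """Hash evidence in chunks so a multi-GB image never sits in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def acquire(case_id: str, account_id: str, instance_id: str, stream) -> dict:
    """Build the custody record at acquisition time (field names are assumptions)."""
    validate_request(account_id, instance_id)
    return {
        "case_id": case_id,
        "source_account": account_id,
        "source_instance": instance_id,
        "sha256": sha256_stream(stream),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }

def verify(record: dict, stream) -> bool:
    """Re-hash the copy held in the forensics account and compare to the record."""
    return hmac.compare_digest(record["sha256"], sha256_stream(stream))

# Constructed sample bytes standing in for a volume image; IDs are placeholders.
ORIGINAL = b"\x00" * 4096 + b"constructed sample evidence" + b"\xff" * 4096
RECORD = acquire("CASE-0001", "123456789012", "i-0123456789abcdef0",
                 io.BytesIO(ORIGINAL))

if __name__ == "__main__":
    print("intact copy verifies:", verify(RECORD, io.BytesIO(ORIGINAL)))
    print("altered copy verifies:",
          verify(RECORD, io.BytesIO(ORIGINAL[:-1] + b"\x00")))
```

Recording the digest before the volume leaves the source account and re-checking it in the forensics account is what lets a later reviewer confirm that the analyzed copy matches what was acquired.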

By building its solution using AWS Step Functions, OneMain Financial has reduced the number of people who need to be involved in an investigation by 33 percent, freeing up developer time and accelerating the process by 97.5 percent. Developing the solution on AWS has proven to be more economical, too. Compared with third-party licensed products, the company saved an estimated 98.8 percent on costs. “The time savings have been a huge driver and an impressive part of this AWS-powered solution,” says Neil Cosson. In addition, by optimizing its solution, OneMain Financial has reduced the cost of taking snapshots by 96.2 percent.

In an organization with hundreds of AWS accounts and thousands of Amazon EC2 instances, the SOC team doesn’t have to access the accounts or instances to investigate. Instead, the SOC analyst only needs OneFor(ensics) hosted in an AWS account. This greatly reduces the time and money required, and forensics analysis does not impact business operations. On premises, analysts would need to take over a developer workstation or unplug servers and equipment to investigate. By using AWS Step Functions, OneMain Financial’s SOC analysts can investigate a live instance while keeping product lanes running.

Outcome | Continuing Optimization and Innovation Using AWS

OneMain Financial has streamlined digital forensics for its AWS accounts and greatly accelerated investigations, improving developer productivity. Going forward, OneMain Financial is considering adding more features, such as identity and access management, to make OneFor(ensics) more robust and support both on-premises and third-party sources. Using AWS, OneMain Financial has all the tools to build innovative solutions in the future.

“The solution we built on AWS achieved a huge improvement on time to delivery and cost savings for the DevOps team,” says Neil Cosson.


OneMain Financial Forensics Solution Architecture

Figure 1: OneMain Financial’s forensics solution operating seamlessly with services from AWS
