DDoS attackers targeting the financial services firms can cause chaos by disrupting key public services including payment processing and intra-bank links, manipulating markets to influence stock prices, and exposing firms to extremely large losses in earnings, capital, productivity, consumer confidence, etc. State-of-the-art DDoS detectors are mostly based on black listing and rate limiting which are not effective against large scale stealthy (low and slow) attacks. The objectives of this paper is to detect large scale stealthy DDoS attacks targeting financial institutions using data-driven security analytics which can (1) protect application-level services by detecting large scale stealthy DDoS attacks as early as possible, (2) automate the traffic/log analysis process, and (3) provide the guidance for real-time mitigation. The major results of the paper include (1) the data-driven approach to identify features for DDoS detection based on real-life dataset and the methodology to identify the cross-correlation between features, (2) the information theoretical and statistic analysis to develop a model of the normal behavior of users, and (3) the summary of experimental results based on the data from real bank web log and the comparison with a real DDoS attack dataset. We believe that these technical approaches can provide the defense-in-depth against large scale stealthy DDoS attacks targeting financial institutions.