BOI uses SIEM to reduce false positives and boost security


InformationWeek, by Brian Pereira

The proliferation of devices in the Bank’s data center yielded thousands of logs; it was impossible to manually decipher those logs and make logical conclusions about threats and attacks. So, the Bank of India opted for a solution that correlates various logs, analyzes them, and offers a single dashboard

In recent years, more banks have embraced information technology to offer customers services such as Internet and mobile banking. As the nature of cyber attacks grows in sophistication and volume, banks have been compelled to invest heavily in data security solutions. Last year, the RBI issued detailed guidelines on IT governance, information security, and cyber fraud for the Indian banking industry, and SIEM (Security Information and Event Management) tools are a way to ensure compliance. Now every bank is in the process of deploying, or has just deployed, SIEM. The Bank of India deployed a SIEM solution in 2010, becoming the first public sector bank to do so.

SIEM tools provide real-time analysis of security alerts generated by network hardware and applications. They are also used to log security data and generate reports for compliance purposes. SIEM solutions are known for their superior log management capabilities and their ability to correlate events.

Back in 2010, the Bank was facing many security challenges. As the number of devices in its data center increased, a voluminous number of security logs was generated. And because of the different types of devices, the log files came in many different formats, making it difficult to read the logs and correlate all the recorded incidents.

“Our data center and DR site have more than a thousand devices, and each generates a lot of logs. There are various logs relating to systems, access control, security events, etc. So it was becoming increasingly difficult for us to manually monitor the logs of all these devices,” says Sameer Ratolikar, Chief Information Security Officer & Head-Business Continuity, Bank of India.

So the Bank looked for a solution that would correlate various logs, analyze these logs, and offer a single dashboard.

The other challenge was coping with the growing sophistication of the attacks. Hackers use different modus operandi, and there is also mutating malware, so it was becoming difficult to detect or trace the attacks.

“At that point, we had a point or siloed approach to detect the attacks, and I was looking for a more intelligent way of doing this. So I would ask peers if they could trace the source of the attacks, if the same hacker or malware was also targeting other institutions, and what is the impact of the attack. We searched the history related to the attack. So all this information relating to the periphery of the attack gave me input in the form of a threat intelligence report,” informs Ratolikar.

Apart from this, there were also many false positives.

So there were three main criteria that the solution had to address: threat intelligence, complexity of attacks, and analysis & correlation of logs. The solution had to determine if a particular attack was also directed at other systems such as routers, the Internet banking system, the intranet, etc. Two other key criteria were simplicity in the dashboard and the reduction of false positives. Before deploying the solution, the false positives were 40-45 percent of the total incidents.
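The correlation the Bank was asking for, shown as an added Python sketch that is not code from the article or from any SIEM product: three constructed log lines in different device formats (firewall, router, Internet banking web server) are normalized to one schema and grouped by source, so a source seen attacking more than one system surfaces in a single view while a benign web request does not count toward it. All device names, formats and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in three different device formats (not from the article).
RAW_LOGS = [
    "Mar 11 10:02:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    '203.0.113.7 - - [11/Mar/2012:10:02:05 +0530] "GET /ibank/login HTTP/1.1" 401 512',
    "Mar 11 10:02:09 rtr-core %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4431) -> 10.0.0.1(23), 1 packet",
    "Mar 11 10:03:00 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=445",
    '198.51.100.9 - - [11/Mar/2012:10:03:10 +0530] "GET /ibank/ HTTP/1.1" 200 2048',
]

# Each parser maps one device's native format onto a common event schema.
PARSERS = [
    ("firewall", re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<port>\d+)")),
    ("web",      re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]+)" (?P<status>\d{3})')),
    ("router",   re.compile(r"denied \w+ (?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<port>\d+)\)")),
]

def normalize(line):
    """Return {'system', 'src', 'suspicious'} for a raw line, or None if no parser matches."""
    for system, pattern in PARSERS:
        m = pattern.search(line)
        if m:
            g = m.groupdict()
            # A firewall DROP or router deny is suspicious; for the web server only a
            # 4xx response counts, so ordinary successful requests are not correlated.
            suspicious = system != "web" or g["status"].startswith("4")
            return {"system": system, "src": g["src"], "suspicious": suspicious}
    return None

def correlate(lines, min_systems=2):
    """Group suspicious events by source; report sources hitting >= min_systems distinct systems."""
    hits = defaultdict(set)
    for line in lines:
        ev = normalize(line)
        if ev and ev["suspicious"]:
            hits[ev["src"]].add(ev["system"])
    return {src: sorted(systems) for src, systems in hits.items() if len(systems) >= min_systems}

if __name__ == "__main__":
    for src, systems in correlate(RAW_LOGS).items():
        print(f"{src} seen attacking: {', '.join(systems)}")
```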

THE SOLUTION

After an evaluation process, the Bank opted for RSA’s SIEM solution, called enVision. HP’s ArcSight was among the other solutions shortlisted. enVision is a centralized log-management service that enables organizations to simplify compliance programs and optimize security-incident management.

“We found that enVision was simple to configure. It was also easy to deploy on various devices,” asserts Ratolikar.

Ratolikar did not find it difficult to convince his management about the benefits of this product, and why it was the right solution for the Bank.

Managing more than 1,300 events per second (EPS) is a herculean task, and these alerts come from various devices in the data center. This can only be done by a robust SIEM log management solution.

The management at the bank acknowledged this and gave its approval.

IMPLEMENTATION

During the implementation there were challenges with router configurations. But with the support of HP (implementation partner) and RSA, these were resolved and the solution was deployed in three months. An expert from RSA was flown in to train five persons at the Bank.

RSA’s enVision was first deployed in a non-production/UAT (user acceptance testing) environment, which is an isolated environment.

BENEFITS

It has been 18 months since RSA enVision was implemented at Bank of India. Ratolikar and his team are satisfied with its performance. Apart from detecting many attacks, it has also reduced the time between an attack and a suitable counter response. Also, the number of false positives has decreased drastically from 45 percent of all incidents to just 5-10 percent.

In addition, the team now has a consolidated view of all the threats, with information gleaned and correlated from thousands of logs.

“With this tool we detected attacks originating from China, Japan, N. Korea, Nigeria, and other African countries,” informs Ratolikar. “After you detect an incident, the time taken to respond is a crucial factor. With this SIEM solution that window has narrowed down.”

But despite all these attacks, Ratolikar has peace of mind. Calmly sipping his cup of lemon tea during an interview with InformationWeek, he says that all systems can withstand the attacks and continue to run smoothly.

Should the worst happen, Ratolikar can easily switch over to his DR site. In fact, there are quarterly drills during which all operations are run from the DR site, and the primary site goes offline in a planned manner.

Bank of India is now looking at more intelligence in the next version of this SIEM tool, which will offer forensics at the packet level. The tool under consideration is RSA’s NetWitness, a network forensics tool.


“RSA’s SIEM solution has narrowed down the window between detecting an incident and the time taken to respond to an incident.”
Sameer Ratolikar, CISO & Head - Business Continuity, BOI
