BOI uses SIEM to reduce false positives and boost security
The proliferation of devices in the Bank’s data center yielded thousands of logs; it was impossible to manually decipher those logs and make logical conclusions about threats and attacks. So, the Bank of India opted for a solution that correlates various logs, analyzes them, and offers a single dashboard
In recent years, more banks have embraced information technology to offer customers services such as Internet and mobile banking. As cyber attacks grow in sophistication and volume, banks have been compelled to invest heavily in data security solutions. Last year, the RBI issued detailed guidelines on IT governance, information security, and cyber fraud for the Indian banking industry, and SIEM (Security Information and Event Management) tools are one way to ensure compliance. Now every bank is in the process of deploying — or has just deployed — SIEM. The Bank of India deployed a SIEM solution in 2010, becoming the first public sector bank to do so.
SIEM tools provide real-time analysis of security alerts generated by network hardware and applications. They are also used to log security data and generate reports for compliance purposes. SIEM solutions are known for their superior log management capabilities and their ability to correlate events.
Back in 2010, the Bank was facing many security challenges. As the number of devices increased in its data center, a voluminous number of security logs were generated. And because of the different types of devices, there was much diversity in the format of the log files, making it difficult to read logs and correlate all the recorded incidents.
“Our data center and DR site have more than a thousand devices, and each generates a lot of logs. There are various logs relating to systems, access control, security events, etc. So it was becoming increasingly difficult for us to manually monitor the logs of all these devices,” says Sameer Ratolikar, Chief Information Security Officer & Head-Business Continuity, Bank of India.
So the Bank looked for a solution that would correlate various logs, analyze these logs, and offer a single dashboard.
The other challenge was coping with the growing sophistication of the attacks. Hackers use different modus operandi and there is also mutating malware — so it was becoming difficult to detect or trace the attacks.
“At that point, we had a point or siloed approach to detect the attacks, and I was looking for a more intelligent way of doing this. So I would ask peers if they could trace the source of the attacks, if the same hacker or malware was also targeting other institutions, and what is the impact of the attack. We searched the history related to the attack. So all this information relating to the periphery of the attack gave me input in the form of a threat intelligence report,” informs Ratolikar.
Apart from this, there were also many false positives.
So there were three main criteria that the solution had to address: threat intelligence, complexity of attacks, and analysis & correlation of logs. The solution had to determine if a particular attack was also directed at other systems such as routers, Internet banking system, intranet etc. Two other key criteria were simplicity in the dashboard and the reduction of false positives. Before deploying the solution, the false positives were 40-45 percent of the total incidents.
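To make the three criteria concrete, here is an added illustration (not code from Bank of India, RSA enVision, or this article) of the core SIEM mechanics the Bank was after: normalizing logs from devices that write different formats into one schema, then applying a correlation rule that only alerts when the same source shows up suspiciously on several systems within a time window. The device names, IP addresses, log formats and thresholds are all constructed for the example; the point it demonstrates is how a cross-device rule turns many per-device alerts into one actionable incident, which is where the false-positive reduction comes from.

```python
"""
Minimal SIEM-style log normalization and cross-device correlation.
Added illustration, not the Bank's or RSA's code. Every log line, device
name, IP address and threshold below is a constructed sample.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: datetime
    device: str
    src_ip: str
    action: str  # normalized: "deny", "permit", "auth_fail", "auth_ok"


# Two constructed log formats, standing in for the format diversity a data
# center full of different devices produces. Anything else is left unparsed.
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) fw: (?P<act>DENY|PERMIT) src=(?P<src>[\d.]+)")
APP_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) netbank\[\d+\]: login (?P<act>failed|ok) ip=(?P<src>[\d.]+)")


def normalize(line: str) -> Optional[Event]:
    """Parse one raw line into a common Event schema, or None if the format is unknown."""
    m = FW_RE.match(line)
    if m:
        action = "deny" if m["act"] == "DENY" else "permit"
    else:
        m = APP_RE.match(line)
        if not m:
            return None
        action = "auth_fail" if m["act"] == "failed" else "auth_ok"
    return Event(datetime.fromisoformat(m["ts"]), m["dev"], m["src"], action)


def correlate(events: List[Event], window=timedelta(minutes=5),
              min_devices=2, min_events=3) -> List[Dict]:
    """One alert per source IP that produced at least `min_events` suspicious
    events (firewall denies or failed logins) across at least `min_devices`
    distinct devices inside `window`. A lone deny or a single failed login is
    not alerted on, which is what cuts the noise relative to per-device alerting."""
    by_src = defaultdict(list)
    for e in events:
        if e.action in ("deny", "auth_fail"):
            by_src[e.src_ip].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):  # slide the window from each event
            in_win = [e for e in evs[i:] if e.ts - first.ts <= window]
            devices = {e.device for e in in_win}
            if len(in_win) >= min_events and len(devices) >= min_devices:
                alerts.append({"src_ip": src, "devices": sorted(devices),
                               "count": len(in_win), "start": first.ts})
                break  # one alert per source; later events fold into it
    return alerts


def analyze(raw_text: str) -> Dict:
    """Normalize, count what a naive per-device rule would raise, and correlate."""
    events, unparsed = [], []
    for line in raw_text.splitlines():
        ev = normalize(line)
        (events if ev else unparsed).append(ev or line)
    per_device = sum(1 for e in events if e.action in ("deny", "auth_fail"))
    return {"events": len(events), "unparsed": len(unparsed),
            "per_device_alerts": per_device, "correlated_alerts": correlate(events)}


# Constructed sample: one source probing a firewall and two banking app servers,
# one legitimate user mistyping a password once, and one router line in a
# format the normalizer does not know (so it is reported as unparsed).
SAMPLE_LOGS = """\
2012-05-01T10:00:01 edge-fw1 fw: DENY src=203.0.113.7 dst=10.1.1.5 dport=22
2012-05-01T10:00:09 edge-fw1 fw: PERMIT src=198.51.100.2 dst=10.1.1.80 dport=443
2012-05-01T10:01:15 ibank-app1 netbank[4120]: login failed ip=203.0.113.7 user=alice
2012-05-01T10:02:30 ibank-app2 netbank[4121]: login failed ip=203.0.113.7 user=bob
2012-05-01T10:03:00 ibank-app1 netbank[4120]: login failed ip=198.51.100.2 user=carol
2012-05-01T10:03:05 ibank-app1 netbank[4120]: login ok ip=198.51.100.2 user=carol
2012-05-01T10:04:00 core-rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7 -> 10.1.2.9
"""

if __name__ == "__main__":
    summary = analyze(SAMPLE_LOGS)
    print(f"parsed {summary['events']} events, {summary['unparsed']} unparsed line(s)")
    print(f"per-device rule would raise {summary['per_device_alerts']} alerts")
    for a in summary["correlated_alerts"]:
        print(f"correlated alert: {a['src_ip']} hit {a['devices']} ({a['count']} events from {a['start']})")
```

Running it on the sample gives four per-device alerts but a single correlated one, naming the source and the three devices it touched; the legitimate user's one failed login never surfaces. The unparsed router line is the practical reminder that a normalizer is only as good as its parsers: an unknown format silently drops a device from correlation unless unparsed counts are watched.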
After an evaluation process, the Bank opted for RSA’s SIEM solution, called enVision. HP’s ArcSight was among the other solutions shortlisted. enVision is a centralized log-management service that enables organizations to simplify compliance programs and optimize security-incident management.
“We found that enVision was simple to configure. It was also easy to deploy on various devices,” asserts Ratolikar.
Ratolikar did not find it difficult to convince his management about the benefits of this product, and why it was the right solution for the Bank.
Managing more than 1,300 events per second (EPS) is a herculean task — and these alerts come from various devices in the data center. This can only be done by a robust SIEM log management solution.
The management at the bank acknowledged this and gave its approval.
During the implementation there were challenges with router configurations. But with the support of HP (implementation partner) and RSA, these were resolved and the solution was deployed in three months. An expert from RSA was flown in to train five persons at the Bank.
RSA’s enVision was first deployed in a non-production/UAT (user acceptance testing) environment, which is an isolated environment.
It has been 18 months since RSA enVision was implemented at Bank of India. Ratolikar and his team are satisfied with its performance. Apart from detecting many attacks, it has also reduced the time between an attack and a suitable counter response. Also, the number of false positives has decreased drastically from 45 percent of all incidents to just 5-10 percent.
In addition, the team now has a consolidated view of all the threats, with information gleaned and correlated from thousands of logs.
“With this tool we detected attacks originating from China, Japan, N. Korea, Nigeria, and other African countries,” informs Ratolikar. “After you detect an incident, the time taken to respond is a crucial factor. With this SIEM solution that window has narrowed down.”
But despite all these attacks, Ratolikar has peace of mind. Calmly sipping his cup of lemon tea during an interview with InformationWeek, he says that all systems can withstand the attacks and continue to run smoothly.
Should the worst happen, Ratolikar can easily switch over to his DR site. In fact, there are quarterly drills during which all operations are run from the DR site, and the primary site goes offline in a planned manner.
Bank of India is now looking at more intelligence in the next version of this SIEM tool. It will offer forensics at the packet level. The tool under consideration is RSA’s NetWitness — a network forensics tool.
“RSA’s SIEM solution has narrowed down the window between detecting an incident and the time taken to respond to an incident.”
Sameer Ratolikar, CISO & Head - Business Continuity, BOI