In recent years more banks have embraced information technology
to offer customers services, such as Internet and mobile banking.
As cyber attacks grow in sophistication and volume,
banks have been compelled to invest heavily in data security
solutions. Last year, the RBI issued detailed guidelines on IT
governance, information security, and cyber fraud for the Indian
banking industry. And SIEM (Security Information and Event
Management) tools are a way to ensure compliance. Now every bank is
in the process of deploying, or has just deployed, a SIEM. The Bank of India
deployed a SIEM solution in 2010, becoming the first public sector
bank to do so.
SIEM tools provide real-time analysis of security alerts
generated by network hardware and applications. They are also used
to log security data and generate reports for compliance purposes.
SIEM solutions are known for their superior log management
capabilities and their ability to correlate events.
Back in 2010, the Bank was facing many security challenges. As
the number of devices in its data center increased, a huge volume
of security logs was generated. And because of the
different types of devices there was much diversity in the format
of the log files, making it difficult to read the logs and correlate
all the recorded incidents.
"Our data center and DR site have
more than a thousand devices, and each generates a lot of logs. There
are various logs relating to systems, access control, security
events etc. So it was becoming increasingly difficult for us to
manually monitor the logs of all these devices," says Sameer
Ratolikar, Chief Information Security Officer & Head-Business
Continuity at Bank of India.
So the Bank looked for a solution that would correlate various
logs, analyze these logs, and offer a single dashboard.
The other challenge was coping with the growing sophistication
of the attacks. Hackers use different modus operandi and there is
also mutating malware -- so it was becoming difficult to detect or
trace the attacks.
"At that point, we had a point or siloed approach to detect the
attacks, and I was looking for a more intelligent way of doing
this. So I would ask peers if they could trace the source of the
attacks, if the same hacker or malware was also targeting other
institutions, and what is the impact of the attack. We searched the
history related to the attack. So all this information relating to
the periphery of the attack gave me input in the form of a threat
intelligence report," informs Ratolikar.
Apart from this, there were also many false positives.
So there were three main criteria that the solution had to
address: threat intelligence, complexity of attacks, analysis &
correlation of logs. The solution had to determine if a particular
attack was also directed at other systems such as routers, Internet
banking system, intranet etc. Two other key criteria were
simplicity of the dashboard and the reduction of false positives.
Before deploying the solution, false positives were 40-45
percent of the total incidents.
After an evaluation process the Bank opted for RSA's SIEM
solution, called enVision. HP's ArcSight was among the other
solutions shortlisted. enVision is a centralized log-management
service that enables organizations to simplify compliance programs
and optimize security-incident management.
"We found that enVision was simple to configure. It was also
easy to deploy on various devices," asserts Ratolikar.
Ratolikar did not find it difficult to convince his management
about the benefits of this product, and why it was the right
solution for the Bank.
Managing more than 1,300 events per second (EPS) is a herculean
task -- and these alerts come from various devices in the data
center. This can only be done by a robust SIEM log management
solution. The management at the bank acknowledged this and gave its
During the implementation there were challenges with router
configurations. But with the support of HP (implementation partner)
and RSA, these were resolved and the solution was deployed in three
months. An expert from RSA was flown in to train five persons at
RSA's enVision was first deployed in a non-production/UAT (user
acceptance testing) environment, which is an isolated
It has been 18 months since RSA enVision was implemented at Bank of
India. Ratolikar and his team are satisfied with its
performance. Apart from detecting many attacks, it has also reduced
the time between an attack and a suitable counter response. Also,
the number of false positives has decreased drastically from 45
percent of all incidents to just 5-10 percent.
In addition, the team now has a consolidated view of all the
threats, with information gleaned and correlated from thousands of
"With this tool we detected attacks originating from China,
Japan, N. Korea, Nigeria, and other African countries," informs
Ratolikar. "After you detect an incident, the time taken to
respond is a crucial factor. With this SIEM solution that window
has narrowed down."
But despite all these attacks, Ratolikar has peace of mind.
Calmly sipping his cup of lemon tea during an interview with
InformationWeek, he says that all systems can withstand
the attacks and continue to run smoothly.
Should the worst happen, Ratolikar can easily switch over to his
DR site. In fact, there are quarterly drills during which all
operations are run from the DR site, and the primary site goes
offline in a planned manner.
Bank of India is now looking at more intelligence in the next
version of this SIEM tool. It will offer forensics at the packet
level. The tool under consideration is RSA's NetWitness -- a
network forensics tool.