How the Bank of England built its ‘SOC 2.0’

Computer World – Scott Carey
The Bank of England has drastically shifted the way it runs its security operations centre (SOC), from reactive to proactive, employing more data science techniques to answer one fundamental question: “How do you spot an attack when you don’t know what it looks like?”

This is what Pagett calls SOC 2.0. It was established in earnest late last year and comprises three elements: technology, people and process.

First there is the technology platform, which is underpinned by Splunk. “We needed a tool to proactively search and spot behaviours of attacks,” he said.

Next is people. The current SOC consists of 10 analysts, with a skill set that now ranges from traditional IT to data science, to help pick threats out of that massive data set. This remains a major hurdle for the bank, however. “Recruitment is the biggest challenge,” Pagett said.

The result is that security analysts at the bank now spend around 80 percent of their time building up what it calls ‘attacker profiles’. This consists of modelling attack behaviours and “using Splunk to write analytics that look for those behaviours,” Pagett explained. The other 20 percent of their time is spent on incident response.

This is all underpinned by a new operating model that focuses on discovering unknown attacks and creating a repeatable method to defend against them. “We wanted a SOC doing daily, continual improvement to create new analytics to detect those attacks,” Pagett said.

The process starts with acquiring data (NetFlow, DNS, endpoint logs, access control logs). Next comes threat intelligence and research to form hypotheses about how an attacker might behave, rather than what a specific piece of malware might look like. Then there is data mining, using bespoke Splunk searches and machine learning algorithms built with the Splunk Machine Learning Toolkit.
The last phase is alert triage and incident response, followed by a wrap-up focused on making that analytic repeatable.

Pagett admits that it is difficult to quantify the success of the new SOC model, since it is a process of continual improvement, but so far the team has developed 273 different Splunk searches, each associated with a different threat actor. These are reviewed daily in red team exercises with internal pen testers. The team also triages its threat intelligence database, using a bespoke Splunk app to identify detections that have not fired in over a year or been exercised by the pen testers, flagging that vector for review.

The next thing for the bank is building more automation and orchestration into the SOC’s practices, specifically what Pagett calls “the contextualisation of security incidents.” Fortunately the Splunk roadmap, especially after its recent acquisition of security automation and orchestration specialist Phantom, aligns nicely with the bank’s priorities.
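As an added illustration of the two technical points above, and not code from the article or from the Bank of England (whose analytics are Splunk searches, not Python), the following sketch runs one hypothesis-driven analytic over constructed sample DNS log lines (the hypothesis: an implant resolves the same name at near-constant intervals, a behaviour rather than a known-bad indicator) and then applies a staleness review to a constructed catalogue of analytics. The log format, the catalogue field names, the thresholds and the reading of the review rule (flag an analytic that has neither fired nor been exercised by the pen testers within a year) are all assumptions made for the example.

```python
"""Hypothesis-driven detection over DNS logs plus a staleness review of the
analytic catalogue. Illustrative code only; not the Bank of England's own."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import statistics

# Constructed sample DNS log (not real traffic): "<ISO timestamp> <src_ip> <query name>".
# 10.1.2.3 resolves one name every ~5 minutes (the beaconing hypothesis);
# 10.1.2.4 resolves names at the irregular cadence of a person browsing.
SAMPLE_DNS_LOG = """\
2018-03-01T09:00:00Z 10.1.2.3 cdn-sync.example.net
2018-03-01T09:05:02Z 10.1.2.3 cdn-sync.example.net
2018-03-01T09:09:58Z 10.1.2.3 cdn-sync.example.net
2018-03-01T09:15:01Z 10.1.2.3 cdn-sync.example.net
2018-03-01T09:20:00Z 10.1.2.3 cdn-sync.example.net
2018-03-01T09:01:10Z 10.1.2.4 news.example.org
2018-03-01T09:01:12Z 10.1.2.4 news.example.org
2018-03-01T09:14:40Z 10.1.2.4 news.example.org
2018-03-01T09:15:03Z 10.1.2.4 news.example.org
2018-03-01T09:52:30Z 10.1.2.4 news.example.org
2018-03-01T09:03:00Z 10.1.2.4 mail.example.org
"""


def parse_dns_log(text):
    """Yield (timestamp, src_ip, qname) from the assumed space-separated log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield stamp, src, qname


def find_beacons(records, min_queries=5, max_cv=0.05):
    """Flag (src_ip, qname) pairs whose inter-query intervals are nearly constant.

    The analytic encodes a behaviour (periodic call-backs), not an indicator such as
    a known-bad domain, so it can fire on an implant that has never been seen before.
    max_cv is the largest coefficient of variation (stdev / mean) still treated as regular.
    """
    by_pair = defaultdict(list)
    for stamp, src, qname in records:
        by_pair[(src, qname)].append(stamp)
    hits = []
    for (src, qname), stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue  # too few samples to call the cadence regular
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # all queries in the same second: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src_ip": src, "qname": qname,
                         "mean_interval_s": round(mean), "cv": round(cv, 4)})
    return hits


# Constructed catalogue (not the bank's): each analytic is tied to an actor and carries
# the date it last fired and the date the internal pen testers last triggered it.
ANALYTIC_CATALOGUE = [
    {"name": "dns_periodic_beacon", "actor": "generic_c2",
     "last_fired": "2018-02-20", "last_red_team_hit": "2018-01-15"},
    {"name": "smb_lateral_admin_share", "actor": "actor_A",
     "last_fired": "2016-11-02", "last_red_team_hit": "2016-12-01"},
    {"name": "rdp_from_workstation_subnet", "actor": "actor_B",
     "last_fired": None, "last_red_team_hit": "2017-09-30"},
]


def stale_analytics(catalogue, review_date, max_age_days=365):
    """Return names of analytics that have neither fired nor been exercised by the
    pen testers within max_age_days of review_date ("YYYY-MM-DD"). Such analytics
    are candidates for re-testing or retirement rather than silent trust."""
    cutoff = datetime.strptime(review_date, "%Y-%m-%d") - timedelta(days=max_age_days)

    def recent(date_str):
        return date_str is not None and datetime.strptime(date_str, "%Y-%m-%d") >= cutoff

    return [a["name"] for a in catalogue
            if not (recent(a["last_fired"]) or recent(a["last_red_team_hit"]))]


if __name__ == "__main__":
    for hit in find_beacons(parse_dns_log(SAMPLE_DNS_LOG)):
        print("beacon candidate:", hit)
    print("stale analytics:", stale_analytics(ANALYTIC_CATALOGUE, "2018-03-01"))
```

The two halves mirror the loop the article describes: the analytic is the product of a hypothesis about behaviour, and the catalogue review is what keeps that analytic honest once it exists. A detection that has not fired and has not been hit by the red team for a year is either covering a vector nobody is using or is quietly broken, and the review cannot tell which without re-testing it.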
Link: https://www.computerworlduk.com/security/how-bank-of-england-built-its-soc-20-3684713/

