The Bank of England is using Splunk in its security operations centre (SOC) to try and spot cyber attacks before they happen.
According to Jonathan Pagett, head of the SOC, the bank has been moving away from traditional methods of dealing with attacks towards a more data-informed and proactive approach.
“A very historical way of doing attack detection is looking for attacks that you know about,” he says. “We refer to that as being a very reactive SOC. If you think about a lot of the technology out there, things like anti-virus, intrusion detection systems and such like, they are all very much looking for known attacks.”
But Pagett says this model is only “OK”, because attackers are becoming savvier to this way of working, so it is no longer viable to only respond to an attack as it happens.
Citing the 2016 attack on the central bank of Bangladesh as an example, Pagett points out that this attack was not only quite sophisticated, but also bespoke to that particular organisation – and this is the direction that attackers are moving in.
With cyber attacks becoming more sophisticated, the Bank of England started looking into “how we respond and detect those very bespoke and sophisticated attacks”, says Pagett, adding: “You won’t know what they look like.”
Moving to SOC 2.0
The bank is using Splunk to move away from a reactive SOC that only responds to known threats, and is now working towards being more proactive – or, as Pagett calls it, SOC 2.0.
“The proactive model is around getting in lots of data and then what we call behavioural profiling or adversary modelling,” he says. “We try to model what our attackers might do from a behavioural point of view, and then we look for those behaviours.”
Pagett says hackers can change the technology and techniques they use, but it is difficult for them to change their behaviour, making this the easiest way to spot when an attack is about to happen or is under way.
The bank uses Splunk to mine the datasets needed to begin predicting these shifts in behaviour. This could range from a large number of failed password attempts to something more sophisticated, such as a spear-phishing attack with booby-trapped Microsoft Word attachments.
“We might look for things like [Word exploits] when you open Microsoft Word,” says Pagett. “If you open a document, there are certain programs that will run, but you wouldn’t expect to see a program like PowerShell or Command Prompt.”
Cyber-attack operations function as a “kill chain”, with various steps taken by the attackers before they reach their goal – from reconnaissance through to the delivery of an attack.
The Bank of England collects a large amount of data, including logs from all its laptops, servers and network, which gives it “good visibility from all the different stages of an attack” to build a picture of what different attacks may look like at different points in the kill chain, says Pagett.
If one machine is behaving differently to others, the SOC knows this is something to look into, he says.
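The two behaviours Pagett describes, Word launching PowerShell or Command Prompt and one machine behaving differently to the rest, can be expressed as simple checks over process-creation logs. The sketch below is an added illustration, not code from the Bank of England or Splunk; the sample events are constructed, and the Sysmon-style field names and the function names are assumptions.

```python
import json
import ntpath
from collections import defaultdict

# Constructed process-creation events, one JSON object per line (not real
# telemetry). Field names follow Sysmon Event ID 1; that source is assumed.
SAMPLE_LOG = r"""
{"Computer":"WS-011","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"}
{"Computer":"WS-011","ParentImage":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\splwow64.exe"}
{"Computer":"WS-012","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"}
{"Computer":"WS-012","ParentImage":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\splwow64.exe"}
{"Computer":"WS-013","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"}
{"Computer":"WS-013","ParentImage":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
not-json line left in to show that malformed input is skipped
"""

DOCUMENT_APPS = {"winword.exe"}            # the article names Word; extend as needed
SHELLS = {"powershell.exe", "cmd.exe"}     # PowerShell and Command Prompt

def parse_events(text):
    """Return (host, parent, child) tuples with lower-cased executable names."""
    out = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            out.append((ev["Computer"],
                        ntpath.basename(ev["ParentImage"]).lower(),
                        ntpath.basename(ev["Image"]).lower()))
        except (ValueError, KeyError, TypeError):
            continue  # skip blank, malformed or incomplete records
    return out

def shell_from_document_app(events):
    """Behaviour rule: a document application launched a command interpreter."""
    return [e for e in events if e[1] in DOCUMENT_APPS and e[2] in SHELLS]

def rare_pairs(events, max_hosts=1):
    """Fleet profile: parent->child pairs seen on at most max_hosts machines."""
    hosts = defaultdict(set)
    for host, parent, child in events:
        hosts[(parent, child)].add(host)
    return {pair: sorted(h) for pair, h in hosts.items() if len(h) <= max_hosts}

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("rule hits:", shell_from_document_app(events))
    print("rare pairs:", rare_pairs(events))
```

The fleet profile flags the same machine as the explicit rule without naming PowerShell anywhere, which is the point of looking for behaviour rather than known attacks.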
However, one of the most difficult parts of implementing SOC 2.0 was finding the right talent, says Pagett.
“There’s a technology component, but then there’s a massive amount of process and people associated with that as well, because unless you have the people to drive it, it’s just a big pot of data at the end of the day,” he says.
Finding skilled workers
The bank had to focus on finding skilled workers who can understand the behaviour of attackers and what that may look like from a data perspective, so that action can be taken.
“We started with Splunk about two and a half years ago,” says Pagett. “The bank wasn’t using Splunk at the time, so we brought it in to provide us with a data-mining platform. At the same time, we started bringing new skills into the SOC, so it was very much a data science approach.”
Cyber security and data science professionals are among the most sought-after talent in the UK technology industry, and there is also demand for people with softer and more creative skills to contribute a different way of thinking.
As well as seeking recruits with traditional IT skills, Pagett says he is always on the lookout for individuals with the ability to “come up with abstract concepts and apply those to the data”.
Lack of cyber talent
There is a lack of cyber security talent in the UK, and the Bank of England works with the Cyber Security Challenge to encourage more young people to pursue careers in cyber, as well as working with interns to give them real-world skills.
Pagett acknowledges that most cyber professionals are in high demand, and so to retain them, it is important to make sure their job is exciting – and one way to do that is to automate some of the more boring tasks.
“Most security people could get another job by the end of the day,” he says. “People can be quite picky about where they work. I think it’s important that, to retain people, we make the jobs actually interesting and fulfilling.
“If you had the option of sitting in a SOC waiting for alerts, or having to go and find that attacker, that’s a really interesting job. So you can make your operating model within your SOC interesting and therefore retain people.”