BNK Busan Bank Case Study
With the goal of “redesigning its security architecture innovatively,” BNK Busan Bank has built a cyber security platform over the past two years. More specifically, it is an cyber security platform based on risk assessment.
Last year, the BNK deployed a SIEM (Security Information & Event Management) platform and cyber security portal based on big data technology to achieve efficient security operations. After adopting the risk management system to the platform, it recently launched full-fledged operations of the platform.
Jeon Seong-in, the head of the Information Security Department at BNK Busan Bank, said, “This is to create an environment where we can effectively handle cyber risk by conducting a solid risk assessment, rather than just relying on unprioritized alert responses. We took our first step to not only identify potential risks and respond quickly but also to assess our security operations and investments and ultimately prove their effectiveness.”
Cyber threats are becoming more diverse, sophisticated, and intelligent. The number of security solutions operated by an enterprise continues to increase. However, qualified security professionals are insufficient. Not only in Korea, but most companies around the world are also facing the same challenge.
It is very difficult to analyze logs and events from numerous systems and prioritize important threats and respond quickly. SOC (Security operation center) is often criticized that even running dozens of security solutions only resulted in increasing system complexity and disappointing security effectiveness.
BNK was in a similar situation. The information security department at BNK operates about 160 individual systems, from threat response to internal audit, personal and credit information protection, fraud detection and response, security planning, education, and compliance reporting. There are more than 50 types of security products which generate 150 gigabytes (GB) of logs every day. It is never easy for about 10 security professionals to identify, analyze, and handle the threats and risk factors.
Director Jeon said, “We can no longer handle the cyber security issues simply by relying on the know-how, skills, or manual work of our personnel. The number of security products and the size of the IT work environment have increased. The more solutions we utilize, the more management points we need to take care of.” He added, “We saw the necessity to build an incident response process by establishing an integrated platform providing standardized indicators to filter threats and refine risk factors.”
Busan Bank had long been operating an enterprise security management system (ESM) and expanding the network by operating a comprehensive control system. It associated ESM with other security solutions, threat management system (TMS), system management (SMS) and network management (NMS) systems as well. However, even in this way, there was a limit to analyzing data from the network, application, and user domain levels.
After deriving opportunities and risks from SWOT (strengths, weaknesses, opportunities, and threats) analysis, BNK Busan Bank began to work on its innovative security infrastructure.
Director Jeon said, “We made an integrated platform by using new technologies such as big data analysis and combining existing system resources. But the important thing here is you can’t have an integrated platform optimized for your needs by only using solutions provided by vendors. In order to create a platform that is optimized for our own organizational environment, it is necessary to understand the company’s information assets, internal security regulations, security awareness among members, and threat landscape. And you have to continuously refine it using other solutions.”
To optimize its integrated platform, BNK Busan Bank defined its own threat scenario and independently created a threat management process and configuration management database. The task-based threat model analysis (TMA) method is applied to create threat scenarios.
Currently, the Busan Bank cyber security platform collects the entire event log of security devices, and stores and analyzes the logs. In addition, a BI (Business Intelligence) system is applied for correlation analysis and drilldown. Middleware with a context database (DB) and correlation analysis function has been deployed to facilitate communication between the SIEM and the BI system. Middleware also provides alert notifications for threat or system failure.
Along with this, the SIEM can perform in-depth investigations by associating with the external threat intelligence service and the network forensic system that can store and analyze all traffic. The risk management system is connected with the BI system and cyber security portal. In the cyber security portal, you can see security posture at a glance on the dashboard screen using multi-dimensional graphs, and inquire about the necessary information with ease.
“It filters only threats that need an explanation and notifies the person in charge, who will take action according to an automated process. Key risk indicators are displayed in real-time,” explained Director Jeon.
He continued, “Before applying big data technology, it was difficult to analyze a high volume of logs in an intended way. It now refines and integrates context information while maintaining the consistency of raw data, systematizes all processes and visualizes the security posture to ensure that not only security personnel but also management can see them. It means that all members of the organization can now perform security-related roles without exception.”
Director Jeon said, "Thanks to the information security risk management system, it can identify risk level and high-priority issues by evaluating the value of assets and threat vulnerability, and provides the timing and measures." This means we can measure and quantify security issues to create a standardized indicator,” he emphasized.
BNK’s cyber risk management system operates using an automated risk assessment process for security threats derived from the big data-based SIEM and context awareness technology. It is now possible to evaluate and calculate the level of risk from a business point of view, considering the importance of the information assets currently possessed, threats and vulnerabilities that cause damage, and provide objectives and strategic indicators. This is a KPI (Key Risk Indicator).
Director Jeon said, “Based on the level of risk according to the value of the organization’s information assets, we derive measurable indicators and risk assessments. If this process is standardized and optimized, it is expected to present a more accurate ROI for security investment.”
Director Jeon explained, “By automating the incident response process, which was often handled manually, it is now possible to implement a standardized process from threat detection, triage, response, and verification. As the level of data analysis has been increased, better threat visibility has been secured, and work efficiency has improved as various threats can now be quickly identified through correlation.”
Busan Bank uses Logpresso as its big data-based SIEM platform and RSA Archer as its cyber risk management platform.
In addition to these solutions, BNK Busan Bank has also formed independent control and operation rooms to quickly respond to intrusion incidents and is operating efficient security controls.
Research is also going on to apply machine learning technology to security control to detect advanced threats and increase its accuracy.
The case of a SIEM platform with big data and BI technology won the top prize in the financial security best practice competition held by the Financial Security Institute last year. Woo Seong-hoon, Section manager of the information security department at BNK Busan Bank, and Kim Min-joon, assistant manager and other 3 personnel wrote this project thesis.
<Reporter Lee Yoo-ji> yjlee@byline.network
2019-06-12