Barclays banking group’s security division is using Splunk, a big data technology tool, to help it comply with an increasingly complex regulatory environment and is also looking to roll out the technology across a number of other business units.

Barclays is one of the largest banking groups in the world, operating in over 50 countries with tens of millions of customers.

Computerworld UK spoke to the bank’s head of security services, Stephen Gailey, at this week’s Splunk Live event in London, where he explained that Barclays initially had no plans to use the application, but was so impressed by its capabilities that it actually backtracked on rolling out other log management solutions to deploy Splunk.

When Gailey joined Barclays seven years ago he rolled out a security information and event management (SIEM) solution, which he said ran into problems scaling up when the bank acquired other banks and integrated other sections of the business into the Group. The SIEM solution was used as an integration point for everything that happened in Barclays' security, where the team were able to see people logging in, getting viruses, remote access and so on.

As the SIEM tool began to struggle, Gailey began looking around for a solution and was set on trying to integrate a log management system. However, he then attended a Splunk Live event three years ago, which changed his mind.

“People in my team kept saying to me I should look at Splunk, but I wasn’t convinced. I kept saying no, that we had a strategy and that we should push ahead with it. In the end I came to Splunk Live looking for more information to argue more effectively with them, because I was so sure it wasn’t the right thing for us,” said Gailey.

“I was turned around at the event, I came away thinking it was fantastic. So I went back to the office, called everybody together and told them to get Splunk into the lab and test it out compared to the log management solutions and other SIEM tools. It just blew them away.”

Gailey said that changing track and deciding to pursue Splunk was a big and risky decision, as he had convinced the business to pursue a new log management system already.

“Because we had got a strategy that senior management had already bought into, changing that was quite courageous. Then we had the additional challenge that we were influencing other business units – we had already talked the retail bank into log management. We had to go back and tell them, that’s all off!” he said.

“I had to take a deep breath and go tell them all that we were wrong and that there had been something in the market place for at least a year or two that was much better for us. But we ended up throwing away log management, and throwing away SIEM.”

Barclays instantly bought a 2TB licence from Splunk. Gailey said that deployment of the technology was fairly straightforward as they already had all the data coming into a central point, so all they had to do was reroute the feeds into Splunk. Barclays has also been able to massively increase the number of data feeds going into Splunk compared with the previous system, where adding a new feed would have taken a month of technical work.

“In the old world nobody was allowed to bring any data in unless you had defined what reports you wanted coming out the other end. If you didn’t normalise it right you wouldn’t get out what you needed. With Splunk you can just throw anything at it,” said Gailey.

Other teams in Barclays are even using the security team’s test and development environment to see how their data could be used with Splunk and are now going off to build their own infrastructure around the solution.

Gailey is now involved in a project to tackle data tied up in privileged database logs, which hold information about payment systems and customer data. He said that once these logs are integrated they will help Barclays to comply with strict regulations.

“The one big piece of data that we never managed to get was the database logs – the volumes are massive and the database guys were not our friends and didn’t want to do it. However, regulation and compliance has now put a lot of pressure on them and they’ve now come to us and said can you help us from a security standpoint,” he said.

“If someone is injecting data into this database or stealing it because they are going to work for another company the regulatory fines alone would run into the hundreds of millions. They weren’t doing it before, the volumes were just too big and they didn’t have the technology.”

He added: “By bringing the database logs in we are going to add at least 1TB a day to what we use already, probably 1.5TB, maybe even 2TB.”
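The database-log project described above is about spotting privileged accounts bulk-reading or directly writing to payment and customer tables. As an added illustration (not Barclays' or Splunk's code), the following runs two such detections over a constructed sample of audit log lines; the line format, the `dba_` account prefix, the table names and the threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of privileged database audit log lines (not real data).
# Assumed line format: <timestamp> <db_user> <client_ip> <statement> rows=<n>
SAMPLE_AUDIT_LOG = """\
2013-05-01T09:01:12Z dba_alice 10.0.0.5 SELECT * FROM customers WHERE id=1 rows=1
2013-05-01T09:02:40Z dba_alice 10.0.0.5 SELECT * FROM customers rows=250000
2013-05-01T09:03:01Z dba_alice 10.0.0.5 SELECT * FROM payments rows=180000
2013-05-01T09:05:00Z app_svc 10.0.1.20 SELECT * FROM payments WHERE id=77 rows=1
2013-05-01T09:06:13Z dba_bob 10.0.0.9 INSERT INTO payments VALUES (...) rows=1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<stmt>.+?) rows=(?P<rows>\d+)$")
PRIVILEGED_PREFIX = "dba_"          # assumption: DBA accounts share this prefix
SENSITIVE_TABLES = {"customers", "payments"}
BULK_READ_THRESHOLD = 100_000       # rows read per user per day; tune per environment

def parse_audit_log(text):
    """Return one event dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["rows"] = int(ev["rows"])
            events.append(ev)
    return events

def sensitive_table(stmt):
    """Name of the sensitive table the statement touches, or None."""
    m = re.search(r"\b(?:FROM|INTO|UPDATE)\s+(\w+)", stmt, re.IGNORECASE)
    name = m.group(1).lower() if m else None
    return name if name in SENSITIVE_TABLES else None

def find_findings(events):
    """bulk_read: a DBA account's daily SELECT rows on sensitive tables exceed the
    threshold (exfiltration signal). direct_write: a DBA account, rather than the
    application, writes to a sensitive table (data-injection signal)."""
    read_rows = defaultdict(int)
    findings = []
    for ev in events:
        table = sensitive_table(ev["stmt"])
        if not ev["user"].startswith(PRIVILEGED_PREFIX) or table is None:
            continue
        verb, day = ev["stmt"].split()[0].upper(), ev["ts"][:10]
        if verb == "SELECT":
            read_rows[(ev["user"], day)] += ev["rows"]
        elif verb in ("INSERT", "UPDATE", "DELETE"):
            findings.append(("direct_write", ev["user"], day, table, ev["rows"]))
    for (user, day), total in read_rows.items():
        if total > BULK_READ_THRESHOLD:
            findings.append(("bulk_read", user, day, None, total))
    return findings
```

In a SIEM or Splunk deployment the same two conditions would be expressed as searches over the ingested audit feed, with the threshold tuned against the normal daily volume per account.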

Barclays has to operate in an incredibly complex international regulatory environment, and Gailey argues that Splunk is helping the bank avoid lost revenue and missed opportunities by consistently complying with these requirements. He believes that this helped the bank deliver an immediate return on investment (ROI) on Splunk.

“We hit our ROI targets immediately, and again it comes down to the regulation. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk,” said Gailey.

“For example, we got through an audit by the monetary authority in Singapore – a very aggressive regulator. Without Splunk we wouldn’t have got through, and the consequence would have been almost unlimited fines. Or they could have thrown us out of the entire market.”

He added: “The cost of not being able to do these things is almost incalculable.”

When asked whether Splunk is an expensive tool to use, Gailey simply responded that the bank “did a deal” based on the assumption that the data volumes used by Splunk will grow. Barclays has stuck to its word and now has 15 other business units looking to deploy the technology.

“In the next 18 months, in security, we will increase our licence to 4TB. Two of the other 15 business units looking to use the technology could easily be looking at up to 10TB each. The other twelve or thirteen could probably put together 8TB,” said Gailey.