The Bank of England has drastically shifted the way it runs its security operations centre (SOC) from being reactive to more proactive, employing more data science techniques to answer one fundamental question: "How do you spot an attack when you don't know what it looks like?"
Attempting to answer that question this week during security analytics vendor Splunk's annual .conf in Orlando was Jonathan Pagett, head of the security operations centre at the Bank of England.
The UK's central bank, amongst other functions, is responsible for the UK's payment infrastructure, both by acting as the settlement agent that allows financial institutions to exchange funds and by operating the CHAPS payment network, meaning the bank's SOC is protecting the roughly $1 trillion (£700 billion) that moves through those systems every day.
Two years ago Pagett and his team within the SOC decided that simply reacting to security alerts would not be sufficient for an organisation targeted by highly sophisticated attacks, ones that its researchers and threat intelligence tooling may not yet know about.
"We knew attacks can bypass those security controls, so we asked how to detect those," he told the audience during a breakout session this week. "We also took a moment to ask what our strategy is, not just what technologies you have, but how it all fits together."
The result is what Pagett calls SOC 2.0, which was established in earnest late last year and comprises three elements: technology, people and process.
First there is the tech platform, which is underpinned by Splunk solutions. "We needed a tool to proactively search and spot behaviours of attacks," he said.
Next is people: the current SOC consists of 10 analysts, whose skill sets now range from traditional IT to data science, to help identify threats within that massive data set.
This remains a major hurdle for the bank however. "Recruitment is the biggest challenge," Pagett said. "We have the tech and tools to be able to do this but someone has to put that logic into the tools." This includes recruiting from non-conventional backgrounds and participating in programmes like the Cyber Security Challenge.
Pagett believes that the bank's new proactive model does make it a more attractive destination from a recruiting perspective. "Our SOC people have a problem not a task," he said.
The result is that security analysts at the bank now spend around 80 percent of their time building up what the team calls 'attacker profiles': modelling attack behaviours and then, as Pagett explained, "using Splunk to write analytics that look for those behaviours." The other 20 percent of their time is spent on incident response.
This is all underpinned by a new operating model that focuses on discovering unknown attacks and creating a repeatable method to defend against them. "We wanted a SOC doing daily, continual improvement to create new analytics to detect those attacks," Pagett said.
This process starts with acquiring data (NetFlow, DNS, endpoint logs, access controls). Next is threat intelligence and research to create hypotheses for how an attacker might behave, instead of what the specific piece of malware might look like.
Then there is data mining, using bespoke Splunk searches and machine learning algorithms designed using the Splunk ML Toolkit. The last phase comes down to alert triage and incident response processes, followed by a wrap up that is focused on making that analytic repeatable.
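To make those phases concrete, here is a small hunt analytic written for this article as an added example; it is not the Bank of England's own search, and, being plain Python rather than Splunk SPL, it only mirrors the shape of such a search. The hypothesis is of the kind the process calls for: a command-and-control implant resolves its controller's domain on a near-fixed timer, and few hosts in the estate ever resolve that name, so the analytic keys on periodicity and prevalence rather than on any indicator of a specific piece of malware. The DNS log lines, the addresses and domain names in them, and the thresholds (minimum query count, coefficient of variation, host prevalence) are all constructed assumptions.

```python
"""Hypothesis-driven hunt analytic (illustration, not the bank's own search).

Hypothesis: a command-and-control implant resolves its controller's domain
on a near-fixed timer, and few hosts in the estate ever resolve that domain.
The analytic looks for that behaviour, so it needs no knowledge of the
malware family or of the domain name itself.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS log ("timestamp client qname"); not real traffic.
# 10.1.1.55 queries one rare name every ~60 s (the behaviour we hunt for);
# 10.1.1.22 queries a rare name at irregular gaps (ordinary browsing);
# three hosts query time.example.org on a timer (benign scheduled job).
SAMPLE_DNS_LOG = """\
2018-10-01T09:00:00 10.1.1.20 www.example.org
2018-10-01T09:00:02 10.1.1.21 www.example.org
2018-10-01T09:00:00 10.1.1.55 upd.cdn-metrics.example
2018-10-01T09:01:00 10.1.1.55 upd.cdn-metrics.example
2018-10-01T09:02:01 10.1.1.55 upd.cdn-metrics.example
2018-10-01T09:03:00 10.1.1.55 upd.cdn-metrics.example
2018-10-01T09:04:00 10.1.1.55 upd.cdn-metrics.example
2018-10-01T09:05:01 10.1.1.55 upd.cdn-metrics.example
2018-10-01T09:00:10 10.1.1.22 news.example.net
2018-10-01T09:00:40 10.1.1.22 news.example.net
2018-10-01T09:03:00 10.1.1.22 news.example.net
2018-10-01T09:03:05 10.1.1.22 news.example.net
2018-10-01T09:07:00 10.1.1.22 news.example.net
2018-10-01T09:00:00 10.1.1.20 time.example.org
2018-10-01T09:01:00 10.1.1.20 time.example.org
2018-10-01T09:02:00 10.1.1.20 time.example.org
2018-10-01T09:03:00 10.1.1.20 time.example.org
2018-10-01T09:00:00 10.1.1.21 time.example.org
2018-10-01T09:01:00 10.1.1.21 time.example.org
2018-10-01T09:02:00 10.1.1.21 time.example.org
2018-10-01T09:03:00 10.1.1.21 time.example.org
2018-10-01T09:00:00 10.1.1.22 time.example.org
2018-10-01T09:01:00 10.1.1.22 time.example.org
2018-10-01T09:02:00 10.1.1.22 time.example.org
2018-10-01T09:03:00 10.1.1.22 time.example.org
"""

EPOCH = datetime(1970, 1, 1)  # naive epoch: timestamps are treated as UTC


def parse_dns_log(text):
    """Turn log lines into (seconds_since_epoch, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        seconds = (datetime.fromisoformat(ts) - EPOCH).total_seconds()
        records.append((seconds, client, qname.lower()))
    return records


def find_beacons(records, min_queries=4, max_cv=0.25, max_prevalence=2):
    """Return [(client, qname, mean_gap_s, cv)] for query streams that beacon.

    A (client, qname) pair is flagged when it has at least `min_queries`
    lookups, the name is resolved by at most `max_prevalence` hosts (rare in
    the estate) and the gaps between lookups have a coefficient of variation
    (stdev / mean) no greater than `max_cv`. Thresholds are assumptions;
    tune them against your own baseline and loosen max_cv for jittered C2.
    """
    times_by_pair = defaultdict(list)
    hosts_by_qname = defaultdict(set)
    for seconds, client, qname in records:
        times_by_pair[(client, qname)].append(seconds)
        hosts_by_qname[qname].add(client)

    hits = []
    for (client, qname), times in times_by_pair.items():
        if len(times) < min_queries or len(hosts_by_qname[qname]) > max_prevalence:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            hits.append((client, qname, round(mean_gap, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    # Triage output an analyst would see; each hit names a host to investigate.
    for client, qname, mean_gap, cv in find_beacons(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"possible beacon: {client} -> {qname} every ~{mean_gap}s (cv={cv})")
```

Run directly, it prints one triage line per flagged host: only 10.1.1.55 is reported, because the irregular browsing host fails the periodicity test and the scheduled time lookups fail the rarity test. The same logic maps onto a scheduled Splunk search that computes the gap between consecutive queries per client and domain and a distinct count of clients per domain as the prevalence filter; the "repeatable" part of the wrap-up phase is recording the thresholds, and the baseline they were tuned against, alongside the search so the next analyst can re-run and re-tune it.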
The result is a culture of continual improvement within the SOC. "We are never going to finish, which is why we liked Splunk, to build a devops team within the SOC so we can develop our own Splunk apps to extend that functionality," he said, citing a new voice assistant interface recently developed by a member of the team.
Pagett admits that it is difficult to quantify the success of the new SOC model, as it is a process of continual improvement, but so far the team has developed 273 different Splunk searches, each mapped to a specific threat actor.
These are reviewed daily in red team exercises with internal pen testers. The team also triages its threat intelligence database, using a bespoke Splunk app to identify detections that have not fired, or been exercised by the pen testers, in over a year, and flags that attack vector for review.
In terms of impact on the business, Pagett talks about the 2016 Bangladesh Bank cyber heist, in which attackers attempted to move close to $1 billion (£770 million) out of the bank's account by sending fraudulent payment instructions over the SWIFT network from compromised systems inside the bank.
When an attack like that hits, Pagett tends to get a knock on his door asking: "Could we be hit by this?" Having the ability to turn around and say they had it covered is certainly a positive result for Pagett and his team.
The next thing for the bank is building more automation and orchestration into the SOC's practices, specifically what Pagett calls "the contextualisation of security incidents."
Expanding on that, he explained: "When you get an alert there will be questions you want to answer: have I seen anything like this before, or this exact thing? That means we can build out that threat and see what other incidents could be part of this puzzle, giving us an instant triage platform to bring that straight to the analyst."
Fortunately the Splunk roadmap, especially after the recent acquisition of security automation and orchestration specialist Phantom, aligns nicely with the bank's priorities.
"We will continue to make investments into machine learning with new versions of user behaviour analytics, which does insider threat detection and anomaly detection for security folks. That is really important as there is a talent shortage, so how do you start to leverage technology to take care of the first line of defence?" head of product marketing at Splunk John Rooney told Computerworld UK.
That being said, Pagett did have some words of advice during his breakout session on Tuesday, telling the audience: "Don't be driven by your vendors. I know that's a strange thing to say at a vendor conference, but it's your business and you know it better than Splunk and RSA do, so invest in good people to make those decisions."