How automation enables a proactive security culture at Bank of England

Cyber attackers continue to single out the financial industry. The UK Financial Conduct Authority found that the number of attacks and incidents reported by financial organizations has doubled over the last 12 months. These attacks are costly, too. According to Accenture the average attack cost financial organizations over $18 million in 2017.

As the UK’s central bank, the Bank of England (BoE) might be the most critical financial organization in the country.  Formed in 1694, it is the world’s eighth-oldest bank, and is responsible for regulating all other UK banks, issuing bank notes, setting monetary policy and maintaining financial stability. The bank handles some £700 billion [$883 billion] worth of transfers across its system every day.

A critical part of the UK’s national infrastructure, the bank’s operations must remain uninterrupted and retain their integrity. Regular attacks from cyber-criminals, nation-state actors and even hacktivists (Anonymous targeted the Bank of England and other central banks as part of its #OpIcarus campaign in 2016) make that a challenge.

To help stay ahead of attackers, the bank has been investing hard in automation and being more proactive in its defenses.

BoE looks to automation to cope with patching vulnerabilities

BoE formed its cyber division in 2013 to centralize security operations and have a single center of excellence around security. Today the bank’s frontline security operations team consists of around 70 people.

Since that centralization initiative, the bank has ripped and replaced 50 percent of its security technology. Automation and proactivity are two key areas the bank is looking to double down on with new projects. “It’s all about intellectual capital of our people,” says Neal Semikin, head of security and infrastructure at the BoE. “I don’t really want people doing mundane activities day in day out, so the whole eyes-on-glass SOC—having someone responding to alerts—to me that is an old approach.”

“What we work on is driving automation through the low end to free up our staff to work on more the high-end attack or the more value-added work where they really are using their intelligence and expertise to try and thwart attackers,” he adds.

As well as a SOC 2.0 project with Splunk focused on analytics and machine learning, the company has spent the last year working on its vulnerability management 2.0 program with Qualys to gain greater visibility into its environment and potential security gaps. With 6,500 endpoints and over 400 IT systems, the team is patching around 200,000 assets each month. In 2017 the bank assessed 17,000 new vulnerabilities, with patching cycles ranging from zero to five days for serious issues, and five to 90 for regular patching. However, a lack of visibility and automation was causing the company to fall behind.

“Twenty-four months ago, we had problems,” says David Ferguson, senior manager of technical vulnerability management. “We had a lot of patch debt creeping up, adding more and more and systems accumulating more and more vulnerabilities.”

The growing patch debt was compounded by the rapid rate at which potential vulnerabilities were being exploited by threat actors. “At the time we weren’t doing continual scanning. Most of our scanning was done out of hours, so actually getting a view of our entire estate took about a 30-day period. But the weaponization is far, far quicker than it used to be, within 48 hours.”

As a result of continuous monitoring and automated patching, the security team’s ability to react quickly is getting better. Semikin says the bank is now able to detect whether it is fully patched from a vulnerability within minutes and to send a message to the business explaining the situation. “When WannaCry broke, we were able to reassure the business in about an hour. We were fully patched within 90 minutes. That reassures the business that we are there to protect them,” he says.

The end goal, according to Semikin, is to have real-time actionable telemetry that informs the bank of where it has what he calls real risks rather than potential risks. “There is always that gap between a vulnerability being published and that gap between you patching it, but it’s about being aware whether there is a real threat,” he says. “An exploit is only an exploit if it can be applied to your environment. You need to know what’s secure and then you can engage the relevant areas if you have got a gap and get a quick and timely response to actually remediate it.”

The focus on automation and continuous monitoring has also enabled for a more proactive culture to bloom within the bank. “Our engineers typically only ever actioned something if we sent them a report, and there wasn’t actually that proactive approach,” says Ferguson. “In the last year we’ve changed the culture to enable the engineers to have their own dashboards. The engineers can see which of their assets are affected and they’re responsible for fixing that.”

Automation frees time to better explain security to the business

Data breaches and major exploits are becoming increasingly mainstream news. While this can elevate the issue of security in people’s thinking, it can can create problems for security teams. Fancy logos can obfuscate the true severity of vulnerability, and the business function may panic regardless of reality when it sees something in the news and then demand to know the company is safe from that particular logo.

“The whole marketing around vulnerabilities means the business wanted answers very, very quickly.” says Ferguson. “The entire business now wants to know what is the state of that vulnerability. If we let something go beyond lunch time, we would get 70 emails, and those 70 emails would turn into 60 more from people reading the news and reaching out being concerned about their business area.”

As an example, the SWIFT attacks on Bangladesh’s national bank caused the security team’s phones to ring off the hook with the business asking for help in understanding what had happened and how it could affect the BoE. “If you go radio silent, you’ll get it in the ear,” says Semikin. “We are getting much better at putting those messages out before someone comes calling. It has been a step change with the capabilities we’ve built to actually be able to give that reassurance that we are fully patched.”

As well as being able to give clear and rapid responses to new developments, the security team has been working hard on making everything it does more easily communicable to the business. One such area of focus has been around penetration testing. “A lot of the time when people talk about pen tests, they take a very technical approach to it,” says Ferguson. “But to the business a series of vulnerabilities doesn’t actually mean too much. We made a conscious decision not to talk in vulnerabilities, but to talk in cause and effect.”

Because the red team’s tests no longer involve simply exploiting an unpatched system and pivoting, the team is required to create more elaborate kill-chains to exploit a system. To avoid getting bogged down in technical talk, the red team conducts what the bank calls business-orientated penetration tests. Instead of focusing on how a certain system could be exploited, they explain how this potential series of events could have caused what Ferguson calls a ‘nightmare scenario’ such as the integrity of money transactions being compromised.

“We don’t go to them and say, ‘You’ve got an Apache Struts 2.0 CVE’. We say, ‘We’re at risk of this scenario of occurring because of these vulnerabilities.’ Apache Struts may be the enabler for that nightmare scenario, but by talking the same language and building up that trust, when we say that we need something, people understand that we’re serious.”

The end goal, says Semikin, is to have a really good relationship with the business to show that security is a valuable enabler to the business. “You want the business to understand you are relevant to their operations, that you’re not something that sits in a corner and then they only come to us when a ‘Bangladesh’ happens.”