AI takes cyber security to a new level for HDFC Bank


The capabilities of current security technologies, coupled with the power of Artificial Intelligence (AI), will take cyber security preparedness to the next level, says Sameer Ratolikar, CISO, HDFC Bank, highlighting his bank’s AI-based Cyber Security Operations Center (CSOC).

Artificial Intelligence is being explored for information security because questions have been raised about how effective the currently available solutions are at thwarting attacks that are becoming more sophisticated, innovative and targeted. AI can complement the current security solutions and decipher anomalies that are non-signature, behaviour and heuristics based. For example, the security logs in a Security Information and Event Management (SIEM) system serve only a limited purpose on their own; coupled with AI solutions, however, this data has the potential to reveal anomalies and threats that are sitting latent in the system, waiting for the right time to hit. Another use case is finding trends in the amount of file uploads on PCs and searching for aberrations. AI can also team up with other solutions to bring to the fore any divergence in the times at which employees access applications, and how that can be detrimental to the company. AI and Machine Learning (ML) will achieve objectives not yet achieved by the current solutions, which are reactive in nature.
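The two use cases above (aberrations in per-PC upload volume and in application access times) can be sketched as a per-host baseline check. This is an added example, not HDFC Bank's or any vendor's code; the record layout, host names, thresholds and sample values are all constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample: (host, day, MB uploaded that day, hour of application access).
SAMPLE = [
    ("pc-017", d, mb, hr) for d, (mb, hr) in enumerate(
        [(40, 9), (55, 10), (38, 9), (61, 11), (47, 10), (52, 9), (44, 10), (900, 2)],
        start=1)
] + [
    ("pc-102", d, mb, hr) for d, (mb, hr) in enumerate(
        [(300, 14), (280, 15), (350, 13), (310, 14), (295, 16), (330, 15), (305, 14), (340, 15)],
        start=1)
]

def robust_score(value, history):
    """Modified z-score: distance above the median in units of scaled MAD."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    if mad == 0:
        return float("inf") if value > med else 0.0
    return 0.6745 * (value - med) / mad

def find_aberrations(records, min_history=5, threshold=3.5, hour_gap=6):
    """Score each day against that host's own earlier days only."""
    seen = defaultdict(list)
    alerts = []
    for host, day, mb, hour in sorted(records, key=lambda r: (r[0], r[1])):
        past = seen[host]
        if len(past) >= min_history:
            reasons = []
            if robust_score(mb, [p[0] for p in past]) > threshold:
                reasons.append("upload_volume")
            # Gap to the host's usual access hour, measured around the 24h clock.
            usual = statistics.median(p[1] for p in past)
            gap = min(abs(hour - usual), 24 - abs(hour - usual))
            if gap >= hour_gap:
                reasons.append("access_time")
            if reasons:
                alerts.append((host, day, reasons))
        past.append((mb, hour))
    return alerts

if __name__ == "__main__":
    for alert in find_aberrations(SAMPLE):
        print(alert)
```

Because each host is compared only with its own history, pc-102's steady uploads of around 300 MB a day raise nothing, while pc-017's jump to 900 MB at 02:00 is flagged on both counts.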

HDFC Bank has completed a pilot for its AI-based Cyber Security Operations Centre (CSOC), and the bank will soon go live. During the pilot, log data from the CSOC was processed on an AI solution with big data capabilities; this ran for about eight months on a cloud platform. The bank has close to 100,000 employees, and the AI solution will help in monitoring insider threats. The anomalies described above were successfully found using the AI platform during the pilot.

AI has deep learning (DL), self learning and machine learning (ML) as major components, and there are well-established algorithms in each of these areas. One team will manage the CSOC and a second team will focus on threat hunting by writing rules for ML. The bank will have a 70-80 per cent contribution from vendors and close to 20 per cent from internal teams. The CSOC is a combination of SOC, threat hunting, breach readiness teams, threat aggregation platforms, red teaming, etc. “Dark web monitoring is a part of the overall security. We are working on dark web solutions, like real-time defacement and vulnerability monitoring. The solution should have features like early detection of malware presence; in case any data is available for sale in the dark web, how soon are we able to know about it,” states Ratolikar.

The economics of security
CISOs will have to balance their budgets to focus only on their crown jewels. The company’s residual risk and cyber risk tolerance level will have to be identified. That said, banks are regulated entities, and the relationship with the customer is heavily based on trust. There is therefore consensus among the bank CISO community that reputation risk is equally important. As a result, even the risk tolerance levels have to be continuously tightened.

Investment in cyber security is determined by risk management principles. Proper controls are put in place after regular threat and risk assessment exercises. Adequate investments should be made based on the kind of threats and risks the organisation faces. If required, heavy budget allocations must be made. Cyber security is a business risk and it has found its place in boardroom discussions too. The importance given to cyber security in banks is far greater than in any other industry. “We have also found companies paying ransom when their crown jewels are locked by a ransomware. But there is no certainty that the data will be released after the ransom is paid. Neither is there any assurance that the systems will not be attacked again,” mentions Ratolikar.

Importance of cyber security framework
The concept of perimeter security has collapsed with the onset of API banking. For payment enablement, banks have to talk to government agencies, payment aggregators, corporates etc. When banks are interfacing with hundreds of third parties, the idea of perimeter has vanished. Banks should have an ideal cyber security framework.

HDFC Bank’s approach is a four-point framework: Prevent, Detect, Respond and Recover. Prevention means having multiple preventive controls that cover the entire ground in terms of the channels through which the customer is served, or through which the bank operates internally or with third parties. Deception technology is an upcoming space in the detection piece. It is a honeypot created for the hacker. The technology serves the purpose of knowing well in advance who is trying to target the information infrastructure of a particular organization, and how it is done. For example, create a honeypot of credit card and debit card numbers. The potential hacker is lured into hacking this duplicate card registry, and the system triggers an alarm when the hacker attempts to get the information, which is not a genuine database but a honeypot. After detection comes the response. There are enough systems in place to quarantine the attack and invoke DR in order to mitigate the damage.
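The decoy card registry described above can be illustrated with a small detection sketch, added here as an example and not taken from HDFC Bank's deployment: it builds decoy card numbers that pass the Luhn check and raises an alert for any audit-log line that references one. The `DECOY_PREFIX` value, the log field names and the log lines are constructed assumptions.

```python
import re

DECOY_PREFIX = "999999"  # placeholder; assumes a range the bank reserves for decoys

def luhn_check_digit(partial):
    """Digit that makes partial + digit pass the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def make_decoys(count):
    """16-digit decoy numbers that look valid to a card-number validator."""
    decoys = set()
    for n in range(count):
        body = f"{DECOY_PREFIX}{n:09d}"
        decoys.add(body + luhn_check_digit(body))
    return decoys

PAN_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")   # a standalone 16-digit run
FIELD_RE = re.compile(r"(\w+)=(\S+)")         # key=value pairs in the log line

def scan(lines, decoys):
    """One alert per log line that touches a decoy: no genuine process should."""
    alerts = []
    for line in lines:
        hits = sorted(set(PAN_RE.findall(line)) & decoys)
        if hits:
            fields = dict(FIELD_RE.findall(line))
            alerts.append({"src": fields.get("src"),
                           "user": fields.get("user"),
                           "decoys": hits})
    return alerts

DECOYS = make_decoys(3)
FIRST_DECOY = sorted(DECOYS)[0]

# Constructed audit-log lines: an ordinary lookup, then one that reads a decoy record.
SAMPLE_LOG = [
    'ts=2024-01-01T09:00:00Z user=teller42 src=10.0.1.5 query="SELECT ... pan=4111111111111111"',
    f'ts=2024-01-01T02:14:07Z user=svc_batch src=10.0.9.77 query="SELECT ... pan={FIRST_DECOY}"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, DECOYS):
        print("ALERT decoy card record accessed:", alert)
```

The same decoy set can be matched against other log sources, since a decoy number appearing anywhere means the registry was read.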

Too much focus on prevention is unfruitful because there will always be functions that carry residual risk; for example, the USBs used for cheque truncation are a risk. Given that there are thousands of employees, there is a chance of malware infiltrating through them. Even if a single employee clicks on an infected mail, the network can be affected through open shares and privilege escalation, and the threat vector can be an APT attack, ransomware, etc. This can affect the crown jewels too.

The last part is to recover, which mainly deals with DR and BC, where the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) come into play. For the crown jewels, there have to be file, storage-based and database backups. This is a part of the recovery strategy, in which BCP and DR are integrated components.

Managing security at an ecosystem level
IDRBT organises CISO forums every quarter, which are well attended by the CISOs of major BFSI institutions. It is developing into a good platform to share thoughts on the challenges faced and the developing threat vector scenario. Apart from this, there are various informal forums where selected CISOs meet to exchange thoughts on impending issues. The CISOs also get multiple advisories and presentations from IDRBT. A consortium of banks can come together and leverage ML for information security. The decision whether to join such a consortium depends upon the priorities of each bank.