BSE’s Cyber Security Operations Center is AI-enabled

Shivkumar Pandey
Shivkumar Pandey

BSE is implementing a Cyber Security Operations Centre (CSOC) with Artificial Intelligence capabilities on the back of an orchestrated approach wherein multiple advanced cyber technology solutions are  integrated to provide contextual intelligence, explains Shivkumar Pandey, CISO, BSE

The stock exchanges in India, the fastest growing economy are closely watched and reported, globally. The news about any halt or disruption in trade at a stock exchange spreads like wildfire and has tremendous monetary ramifications. The exchanges are seen as a reflection of the health of the economy of a country. The Bombay Stock Exchange (BSE) is the fastest exchange of the world. It facilitates 250-280 million orders per day. Of these about two million trades are converted. BSE has 13 companies under its umbrella. India International Exchange (INX) being the latest entrant, which operates 22 hours of the day. Precisely, why, BSE is a target of cyber hackers and organised cyber crime syndicates. Most of the times, the attacks are state sponsored. This makes cyber security a critical business factor for the BSE. In order to ringfence itself from global cyber security threats, BSE is implementing a next generation Cyber Security Operations Centre (CSOC). “All the 22 tools in the CSOC have been bought and orchestrated together to work as one unit. The CSOC will empower the exchange to have a real time and proactive stance to any impending cyber security threat,” says Shivkumar Pandey, CISO, BSE.

The Bombay Stock Exchange (BSE) is in the process of implementing a hybrid Cyber Security Operations Centre (CSOC). “About 80 per cent of the rollout is over, which is scheduled to get in a short period of time,” informs Pandey.

Nextgen CSOC: About the implementation
The project timeline is from March 2017 to December 2017. The standard inbuilt configurations are up and running. Some customization based on the existing setup is still pending. This CSOC applies to all the 13 group companies of BSE. It will operate 24X7 with a suite of 22 niche and advanced technologies. The solution is also integrated with other intelligent sources that provides alerts about the trending and emerging threat vectors at any given point in time. There are feeds available from CERT-in, IBM, Checkpoint, Microsoft, IDRBT etc. These feeds are centrally processed and a cyber threat intelligence is generated. This is again integrated with the SIEM and the analytics tool. The solution has been finalised after consolidating various information security frameworks from SEBI, CERT-in, National Institute of Standards and Technology (NIST) and third party consultants. From a certifications perspective, BSE is already ISO 27001 certified and is under the process of getting ISO 22301 certified. The approximate cost as mentioned by Pandey, “It’s a multi million dollar deal with more than 30 per cent of the overall IT budget in 2016-17 allocated for security. There are no licenses bought. The entire hardware is owned by BSE.”

The implementation has been done using a big bang approach. All the tools in the suite of offerings have been bought. Given that each of the tools have use cases in the stock exchange space. They are integrated to work in complete alignment. The integration will power the single dashboard to send alerts to the respective stakeholders. The threat will be killed at the source level itself.

From reactive to proactive
Any organization fundamentally faces two kinds of threats: Internal and external. As far as internal threat is concerned, the CSOC has a Network Access Control (NAC) tool, compliance tool like IBM BigFix. It makes sure the tools used by the internal employees are compliant with the BSE’s InfoSec policy. The tools will run on the BSE network, only when they are set according to the policy. For the external employees, they will have to be registered first, followed by a request sent to the CIO on the kind of IT tools to be accessed. Accordingly, the required access will be provided.

The solution will take care of the key nine pillars: security of the data, network, endpoint, advanced fraud detection, identity and access management (wherein BSE has taken ARCOS PIM), Open IBM SSO, application security solution, IBM AppScan for source code review and wireless application firewall. For data security: DAM, Network DLP for data classification. For mobile security, a Mobile Data Management (MDM) solution, Mobile threat Management for content security; endpoint patch management, malware protection, endpoint DLP, endpoint detection and response and Network Access Control; feeds for threat intelligence is sourced from various avenues.

To put these solutions together, for them to work in cohesion, there is a security analytics and orchestration middleware. It is supported by cognitive security, threat hunting and investigation, user behaviour analysis, incident management and response, threat anomaly detection and vulnerability management. All these solutions are integrated and orchestrated. The tools, which are operating from the cloud are also integrated with the CSOC. For example, BSE has hooked the Office 365 on cloud.

It’s important to note, this is a CSOC and not a SOC, which is more reactive in nature. “In the emerging threat scenario, SOC has limited relevance. The time is ripe for CSOC, which adopts a more proactive response strategy. The systems in a CSOC model are more closely knit together with the people and processes vis-a-vis a SOC model,” informs Pandey. It has online forensics, ML, Network Behaviour Anomaly Detection (NBAD). This is all Real time, the feeds are consolidated at one place and analysed for various new age threats like anti advanced persistent threat tool, which neutralises the zero day attack. These are signature based attacks. Moreover, threat intelligence, dark web monitoring tools are also provided, which puts the posture on a more proactive footing than reactive.

The CSOC runs on a hybrid model. BSE has a captive SOC in Mumbai, manned by 15-20 professionals. In combination, there are 22 security professionals from IBM operating from Bengaluru. There are traditional technologies like PIM, DAM, WAF, SIEM, security analytics etc. On top of this, there are other next generation capabilities like forensics, Anti APT solution, deception technologies etc. The deception tool stops ransomware with lateral movement. A honeypot is created in VLANs, which immediately identifies the scanning and relays alerts from SIEM to the security operations team. The suite of technologies also has IBM watson (with features like ML and predictive analytics). Both the traditional and Next gen security technology tools combine and provide the intelligence to handle not only the scale and size of the systems handled but also events responded to in close to real time and with razor sharp accuracy. The CSOC provides time, scale and accuracy to respond to cyber security incidents. ML adds to the capabilities as far as automation and proactive approach is concerned. The ML learns from both the structured and unstructured data. Using the solution, most of the L1 jobs are automated.

The Bombay Stock Exchange, on a daily basis is under attack from a number of threat vectors. The normal attacks are: DDoS, malware etc. For DDoS, BSE has a hybrid model for security. On premise, the network can withstand 2GB protection. The cloud takes over to face volumetric based attacks. “We have malware protection tools like Anti APTs, IPS signature based solution and anti virus. This apart, we also do simulation tests, to make sure the tools are performing and are up to the mark as claimed and benchmarked by the vendors,” says Pandey. The attacks are staged manually from the premises using the red team assessment. For some technologies, these simulation tests are conducted on a quarterly basis and some on an
annual basis.