IBM will create Information Security Center for Sberbank

2017: The command center cyber security of Sberbank received the certificate of conformity to the international standard

On December 13, 2017 Sberbank became the first bank in Russia whose command center cyber security is certified by British Standards Institute (BSI) on compliance to the international standard ISO/IEC 27001:2013.

Command center cyber security of Sberbank (2017)

The ISO/IEC 27001:2013 standard defines requirements to creation, implementation, service and continuous improvement of an information security management system of the organization. It also includes requirements to assessment and processing of the risks of information security adapted to requirements of the organization. A developer of the standard is International Organization for Standardization (ISO), the British Standards Institute (BSI) acts as one of the accredited certification bodies.

"The modern world imposes high requirements to the digital companies, first of all, in the field of cyber security. The quality and availability of digital services directly depends on capability effectively to counteract cyberthreats. Therefore Sberbank considers this direction to some of strategically significant. The certificate confirms that our processes of monitoring and response to cyber attacks conform to the international requirements. It allows us to provide protection of the IT platform at the level of world leaders already today, and in the long term — and all digital ecosystem of Sberbank". Stanislav Kuznetsov, vice chairman of the board of Sberbank

2016: Development and deployment of software for the cybersecurity center

Contractor Selection

At the end of December, 2016 Sberbank determined the contractor by development and deployment of software for creation of uniform operational Information Security Center (SOC).^[1].

The software developer for Information Security Center of Sberbank is defined

Consulting services to bank on development of the cybersecurity center were rendered by IBM company (IBM VEA LLC). It will be engaged also in development of software solutions now.

The cost of project works of creation and software implementation for the cybersecurity center was estimated at 543.5 million rubles. To participation in request for proposals the companies Dell SecureWorks Accenture Deloitte IBM Microsoft Cisco PwC, were invited by EY and KPMG. However to the appointed term only one request - from IBM company arrived. Its cost was 12.5 thousand rubles less than the initial cost of the contract.

After additional negotiations IBM reduced the total cost of works to 491 million rubles.

List of works

Within the project it is required to develop several systems:

• "Single system of monitoring of events of information security"
• "System of visualization of the reporting"
• "Incident management system"
• "Analytics of cyberthreats"
• "Response to incidents"

In addition, the perimeter of the project includes works on implementation and setup existing a component of the IBM Security Qradar SIEM system which is available for Sberank.

Terms of execution of works for each system are stipulated separately, but by October 31, 2017 all of them should be already complete.

Requirements to the cybersecurity center

The structure of SOC is defined by the Target operational model which describes a set of the SOC components necessary for solving of tasks of effective information security support with calculation till 2018.

The SOC components can be carried to three segments: technology, operational and strategic. The structure the SOC component is shown on the chart of structure of the target operational model given on the drawing below.

Structure of a target operational model of SOC

The following technology components should be a part of a target status of SOC:

1. A management subsystem information and events in the field of cybersecurity (SIEM - The Security Information and Event Management system). It is intended for aggregation of information from sources of events (log sources) and the notification on potential incidents according to rules of correlation. It is supposed that Sberbank will continue operation and development by the existing SIEM - IBM Security QRadar.

2. Subsystem of processing of requests and support of workflows (Ticketing System). Gives an opportunity to registration of events of information security and incident management within response, tracking of stages of working off of the request and a current status of the request, installation of a priority and escalation, support of workflows.

3. Subsystem of the reporting and graphic panels (Reporting System). Represents key products of the platform of creation of the reporting for creation of consolidated statements by the existing and added parameters for compliance to different reporting requirements.

4. Big Data subsystem. It is held for use multistructured data from internal and external sources for the detailed analytics and more effective management and response to incidents of information security. It is supposed that Sberbank will continue operation of the existing architecture of Big Data based on Hadoop technology.

5. Subsystem of predictive and cognitive analytics (Cognitive Analytics System). This subsystem improves SOC at the expense of opportunities of machine learning, such as use of the IBM Watson for Cyber Security complex.

6. Subsystem of analytics of threats of information security (Threat Intelligence Platform). Allows analysts of information security to perform aggregation and analysis of the analytical data of cybersecurity arriving from different fid, the entrusted groups, the child organization of Sberbank Bison, blogs of information security, etc. This subsystem allows to automate implementation of proper scenarios of use, the analysis of cyberthreats for creation of the effective mechanism of reaction concerning the new arising threats.

7. Subsystem of technologies of active protection (Active Defence). This subsystem contains the technologies helping to implement function of active protection by means of deployment, managements and registration of activities in shadow networks (honeypots) or the misleading records DNS for complication of a problem of overcoming protection for the malefactor.

8. Subsystem of response to incidents of cybersecurity (Incident Response Platform). This subsystem allows to automate procedures of response to incidents thanks to conceptual instructions for reaction. The subsystem considerably reduces reaction time at the expense of the predetermined tasks.

Target architecture technology SOC component

Consulting services in development of the cybersecurity center

Contractor Selection

In April, 2016 IBM was selected by the consultant of Sberbank for development of uniform operational Information Security Center (Security Operation Center, SOC).

Within the project the American corporation will conduct examination and the analysis of the management processes and providing implemented in the existing SOC of Sberbank, inspection of IT and cybersecurity – infrastructure of external and internal network segments of bank, check and the analysis of a current status of an incident management system of cybersecurity (SIEM).

The timeline for delivery of services makes 3 months from the date of signing of the contract. As a result of IBM will have to design the target SOC model on the basis of "the best world practices" and to provide to Sberbank the detailed road map of step-by-step development of SOC.

The consultant for development of the Sberbank center was selected since December, 2015^[2]. The maximum price of the contract was 60.9 million rubles, IBM agreed to perform work for 56.9 million.

Bids were also submitted Microsoft Russia, Accenture and Deloitte. The biggest decrease in the maximum price of the contract was offered by Microsoft: the company was ready to render services for 16.1 million rubles. It was followed by Accenture which suggested to perform works for 51.8 million.

All requests except for IBM were recognized not conforming to requirements of bank to qualification. In the published protocol it is said that the companies not fully provided information on experience of creation of SOC in the financial institutions entering the rating of Fortune 500 and also about experience of participation in similar projects at the project teams.

Project Tasks

Sberbank performed centralization of collection of information about incidents of cybersecurity and created a technology basis of creation of the uniform operational center for information security, said in the tender documentation. - Further development of functionality of SOC and increase in its maturity to the level of the international standards requires acquisition of consulting services in design of its target status.

Sberbank explained TAdviser that as of April, 2016 in bank the first stage of creation of SOC is completed – the system of collecting and correlations of events of security (SIEM system) centralized all over the country to which the main sources of events of information security are connected is implemented, basic rules of correlation of events and basic processes of processing of incidents are developed.

The next stage consists in development of SOC in the direction of centralization of functions of monitoring and start of all safety management processes. Also implementation of modern analytical technologies, transition from reaction to pro-active forecasting of threats and prevention of incidents is planned, the representative of Sberbank told TAdviser.

The target SOC model should include set such a component and technologies as:

• SIEM system and its target status;
• the description of sources of events in external and internal segments of Sberbank and also in its child organizations for connection to a SIEM system;
• the description of scenarios of events (use cases) for detection of incidents of cybersecurity and the procedure of response to incidents;
• use of requests (ticketing) and mechanisms of work with them;
• use of tools for the analysis of the semi-structured and unstructured data, including business transactions, for the purpose of identification of the most dangerous attacks long on time and consisting in consecutive penetration through boundaries and barriers of protection by "small steps", implementations of flow-analytics, forensics, context analytics, predictive analytics;
• operational collecting and information analysis about relevant threats of cybersecurity (threat intelligence) received including, from external sources;
• processing procedures of information subsystems of SOC on the arriving information on new threats;
• management of compliance to requirements of information security for the politicians approved with the Customer (not less than 4 the politician, including, compliance to requirements of PCI DSS);
• interaction about an antifraud systems for carrying out the analysis;
• the optimal scheme of interaction of internal processes of processing of the requests SOC constructed on the ticketing mechanism and the Help Desk system of the Customer.

The Solar Security company noted that the decision of bank to create the SOC is completely justified as Sberbank is very big IT infrastructure, one of the biggest in Russia.

We about this project know and with interest we watch progress of a command which is responsible for creation of SOC, we exchange experience. There is a wish to note that it is one of the most professional commands in Russia, - the representative of Solar Security Valentin Krokhin says.

Шаблон:Subject Sberbank

Notes