Otkritie Bank and Security Vision expanded the capabilities of the Information Security Center
Customer: FC Otkritie Bank
Contractor: Intellectual Security Group of Companies
Product: Security Vision Incident Response Platform (Security Vision IRP) SOAR
Project dates: 2018/12 - 2020/10
2020
Process optimization at the Information Security Center
Otkritie Bank broadened the scope of monitoring and improved the processes of its Information Security Center based on the Security Vision Incident Response Platform (IRP/SOAR) system. The project partner was Intellektualnaya Bezopasnost Group, which reported this on November 23, 2020.
Otkritie Bank works continuously on optimizing and improving its information security processes in order to counter all kinds of cyberthreats and ensure maximum protection of its data assets. As part of this work, the bank implemented a project to expand the scope of information security control exercised by the Information Security Center.
The project addressed the following tasks:
- Development of response procedures (playbooks) for cybersecurity incidents
- Increasing the number of systems and information security tools integrated into Security Vision IRP/SOAR
- Improvement of reporting
- Development of information security management processes
- Process automation for cybersecurity divisions
- Development and testing of ML (machine learning) models applicable to stream processing of security events in the Security Vision service.
During the project, experts from the Information Security Department of Otkritie Bank, in close cooperation with Security Vision specialists, integrated 10 systems and information security tools into Security Vision IRP/SOAR and developed and implemented 17 cybersecurity incident response procedures. A number of processes of adjacent divisions of the Information Security Center relating to the daily work of their employees were also automated. One stage of the project was the automation of sending data on detected threats and cybersecurity incidents to FinCERT, a special structural division of the Bank of Russia.
The financial industry, like any other, is subject to cyber attacks. Realizing this, we aim to do everything possible so that our data assets and, as a result, the finances and personal data of all clients of Otkritie Bank are under reliable protection. Cybercriminals constantly improve their tools, but we too improve and expand the capabilities of the Information Security Center day by day. Thanks to this, and also to information security systems such as Security Vision IRP/SOAR, we guarantee the bank's clients a high level of information security.
Security Vision IRP/SOAR was implemented at Otkritie Bank in 2018 and showed high efficiency both in expanding the boundaries of control and monitoring and in deeper investigation of cybersecurity incidents and an increase in the number of checks per unit of time. For example, carrying out the checks related to a cyber incident could take a day or more, and the complete lifecycle of an incident could take weeks. As a result of response automation everything began to work like clockwork; fortunately, our colleagues had good experience with formalized procedures and processes, which were implemented and adapted in the product. As of November 2020, all groups of protection tools are automated, and the speed of checks is measured in hundreds per second.
Implementation of an operational risk management system
On April 29, 2020, Otkritie Bank announced the implementation of an operational risk management system based on Security Vision Cyber Risk System (Security Vision CRS). The project partner, Intellektualnaya Bezopasnost Group, developed a special module at the bank's request.
The implementation of the bank's operational risk management system based on Security Vision CRS has already led to noticeable improvements: reduced time for processing operational risk events, a higher level of information availability to employees, and a more flexible reporting system, reported Oksana Staroselskaya, Vice President and Director of the Retail Risk Analysis Department of Otkritie Bank.
Through integration with the HR system, the Security Vision CRS solution allows any bank employee to report an operational risk event that has occurred to the relevant specialists and involve them in resolving the issue. It also allows loading historical events from other bank systems, collecting and analyzing operational risk events with several user roles, identifying duplicates and grouping operational risk events, and configuring user notifications via corporate e-mail.
An essential advantage of the system implemented at Otkritie Bank is its adaptability and flexibility. It allows the bank's experts to configure and extend functionality on their own, without involving the developer, when new regulatory and internal requirements arise.
Risk management is a fundamental and constantly developing field, which is why effective models, new technologies and developments are actively applied in modern risk management, said Ruslan Rakhmetov, CEO of Intellektualnaya Bezopasnost Group.
In my opinion, the Security Vision software products of Intellektualnaya Bezopasnost Group, a Skolkovo resident, are quite naturally in demand among many government and commercial organizations, including large financial institutions of the Russian Federation. They are really effective in automating cybersecurity processes and have high potential for flexibility, adaptability and scalability, commented Mikhail Styugin, head of Information Security at the Information Technologies Cluster of the Skolkovo Foundation.
2019: Implementation of a cybersecurity incident response system
On June 10, 2019, the Skolkovo Foundation reported that Otkritie Bank, which is on the Central Bank's list of systemically important banks, had completed the implementation of an automated information security incident response system, Security Vision Incident Response Platform (Security Vision IRP), from Intellectual Security, a resident of the Skolkovo Foundation.
Otkritie Bank held an open multi-stage competition among Russian and foreign IRP systems. The Russian Security Vision Incident Response Platform was recognized as the winner.
Using the platform, the bank now performs automatic collection and formation of its asset base, with regular updates and use of the assets in response processes. More than 30 cybersecurity incident response procedures are automated, including automatic data acquisition, collection of additional information, and analysis in the bank's external and internal sandboxes.
The vast majority of cyber attacks in the world and in Russia target financial institutions, primarily banks. This creates a need for flexible and proven data protection tools that offer optimal capabilities for countering cyberthreats. Security Vision IRP made it possible to robotize the execution of the security operator's software and technical functions, with an automation share of up to 90%. The system provides automatic execution of the full range of duty procedures, which allows not only responding to cyberthreats 24/7 but also avoiding the influence of the human factor, said Vladimir Zhuravlev, Director of the Information Security Department of Otkritie Bank.
Security Vision IRP is a tool for processing the complete lifecycle of cybersecurity incidents, from detection to elimination. Built like a construction kit, Security Vision IRP consists of intelligently self-regulating software and technical modules, which makes it easy to adapt the system to the specifics of the customer's business processes, creating the structure, logic and content of the solution according to them. Thanks to joint work with Otkritie Bank, a high degree of automation in cybersecurity incident response was achieved. The system's development potential is not limited; we conduct research and practical implementations of other methods of Big Data analysis in cybersecurity, and we hope to be useful to the bank in this, noted Ruslan Rakhmetov, CEO of Intellectual Security.
Implementation of IRP at Otkritie Bank, or How to systematically increase cybersecurity automation in a group
Incident Response Platform (IRP): the main prerequisites for creating an IRP at the bank:
- Reducing the risk of the human factor and human errors involved in responding to cybersecurity incidents; two thirds of cyber incidents are connected with the human factor
- Robotization of 24x7x365 execution of the operator's duty procedures in real time; after the high-profile epidemics of viruses and ransomware Trojans, it became obvious that response is not a notification but the automatic execution of the operator's actions
- Automatic saturation and enrichment of incident information with events from adjacent IT and cybersecurity systems; bilateral exchange between IT and cybersecurity systems provides the necessary and sufficient conditions for the absence of blind spots
- Depth of checks (quantity and quality); in manual mode, analysis of a standard incident takes 2 hours with a minimum depth of up to 10 checks, whereas automated analysis can carry out hundreds of checks in several minutes
- Reducing the impact of cybersecurity incidents by reducing response time; a shorter response time reduces the adverse effect of incidents that have occurred
- Systematization of integrations: e-mail security protection, antivirus protection (servers), antivirus protection + IPS (users), the corporate Service Desk system, Windows servers and hosts / Active Directory, the firewall change control tool, the data integrity control tool, firewalls, the network security platform, anti-phishing protection, the intrusion prevention system (IPS), threat analysis tool No. 1 (sandbox), threat analysis tool No. 2 (sandbox), the event log storage system, the corporate e-mail archive storage, FinCERT, VirusTotal, URLScan.io, MXToolbox, Messenger, Active Directory, Cisco ASA, CMDB iTop, Microsoft DNS, Cisco Firepower, and others.
Incident Response Platform (IRP): main results of implementation
- More than 30 cybersecurity incident response scenarios are automated, and more than 50 integrations with the bank's protection tools have been implemented;
- This directly affected employee performance. Where earlier a bank specialist needed no less than two hours to check 1-2 complex incidents, the system now performs 200+ checks in several seconds;
- 19 employees of the Cybersecurity Monitoring and Incident Response Service can serve more than 25 thousand workstations of the financial group without loss of quality;
- Security Vision IRP made it possible to robotize the execution of the security operator's software and technical functions, with an automation share of up to 90%;
- The system provides automatic execution of the full range of 24/7 duty procedures.
Examples of implemented checks
- Presence of antivirus software on a workstation; starting a scan on a workstation;
- Checking URLs, hashes and e-mail addresses against external services (VirusTotal, URLScan.io, MXToolbox);
- Password length according to the security policy;
- Absence of vulnerabilities on a workstation or server;
- Verification of files in sandboxes;
- Integrity control;
- Checking the formation of lists and their processing;
- Blocking IP addresses on firewalls, blocking network resources (URLs, domains);
- Collection of information on a mail server and/or a mailbox;
- Analysis of regulators' requests;
- Collection of information about a host / account in the domain, blocking an account in the domain;
- Obtaining parameters and determining the importance category of an object;
- Change control of the AS (automated system) parameters;
- Presence of updates on a workstation;
- Threat modeling;
- Generation of acts and reports on standards and regulations.
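The two lists above (the prerequisites, in particular "depth of checks" and enrichment from adjacent systems, and the examples of implemented checks) describe the shape of an IRP playbook without showing one. The following is an added illustration written for this page, not Security Vision's code or the bank's playbooks: a small playbook runner that applies several of the listed check types (hash, URL and IP reputation, antivirus presence, pending updates, password length against policy) to an incident, records each finding, determines the object's importance category, and proposes response actions. The reputation tables, asset base, user data and thresholds are constructed stand-ins for the external services and internal systems the page names; a real deployment would query those systems through their own APIs.

```python
"""Minimal incident-response playbook runner (added example, not Security Vision code).
Every data table below is a constructed, offline stand-in for a real source."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Finding = Tuple[str, str]  # (kind, message); kind is "threat" or "hygiene"


@dataclass
class Incident:
    host: str
    user: str
    file_sha256: str = ""
    url: str = ""
    src_ip: str = ""
    findings: List[Finding] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)
    checks_run: int = 0
    severity: str = "low"


# Constructed stand-ins for VirusTotal-/URLScan-style reputation lookups.
HASH_REPUTATION = {"ab" * 32: "malicious", "cd" * 32: "clean"}
URL_REPUTATION = {"http://login.example.invalid/": "phishing"}
IP_REPUTATION = {"203.0.113.7": "command-and-control"}  # TEST-NET-3 address, constructed
# Constructed asset base with importance category ("critical") per host.
ASSETS = {
    "ws-1042": {"antivirus": True, "updates_pending": 0, "critical": False},
    "srv-db-01": {"antivirus": False, "updates_pending": 3, "critical": True},
}
PASSWORD_MIN_LENGTH = 12                                   # assumed policy value
PASSWORD_LENGTHS = {"j.doe": 8, "a.ivanov": 14}             # constructed directory data

Check = Callable[[Incident], Optional[Finding]]


def check_hash(inc: Incident) -> Optional[Finding]:
    if HASH_REPUTATION.get(inc.file_sha256) == "malicious":
        inc.actions.append(f"quarantine file {inc.file_sha256[:12]}... and start AV scan on {inc.host}")
        return ("threat", "file hash flagged malicious by reputation service")
    return None


def check_url(inc: Incident) -> Optional[Finding]:
    if URL_REPUTATION.get(inc.url) == "phishing":
        inc.actions.append(f"block URL {inc.url} on proxy/firewall")
        return ("threat", "URL flagged as phishing")
    return None


def check_ip(inc: Incident) -> Optional[Finding]:
    if inc.src_ip in IP_REPUTATION:
        inc.actions.append(f"block {inc.src_ip} on firewalls")
        return ("threat", f"source IP is known {IP_REPUTATION[inc.src_ip]} infrastructure")
    return None


def check_antivirus(inc: Incident) -> Optional[Finding]:
    if not ASSETS.get(inc.host, {}).get("antivirus", False):
        inc.actions.append(f"deploy antivirus agent to {inc.host}")
        return ("hygiene", "no antivirus agent on host")
    return None


def check_updates(inc: Incident) -> Optional[Finding]:
    pending = ASSETS.get(inc.host, {}).get("updates_pending", 0)
    return ("hygiene", f"{pending} security updates pending on host") if pending else None


def check_password_policy(inc: Incident) -> Optional[Finding]:
    length = PASSWORD_LENGTHS.get(inc.user, 0)
    if length < PASSWORD_MIN_LENGTH:
        inc.actions.append(f"force password change for {inc.user}")
        return ("hygiene", f"password length {length} below policy minimum {PASSWORD_MIN_LENGTH}")
    return None


PLAYBOOK: List[Check] = [check_hash, check_url, check_ip, check_antivirus,
                         check_updates, check_password_policy]


def classify(inc: Incident) -> str:
    """Importance category: a confirmed threat on a critical asset escalates to
    critical, any threat is high, hygiene findings alone are medium."""
    threat = any(kind == "threat" for kind, _ in inc.findings)
    if threat and ASSETS.get(inc.host, {}).get("critical", False):
        return "critical"
    if threat:
        return "high"
    return "medium" if inc.findings else "low"


def run_playbook(inc: Incident, checks: List[Check] = PLAYBOOK) -> Incident:
    """Run every check, collecting findings and proposed actions, then classify."""
    for check in checks:
        inc.checks_run += 1
        finding = check(inc)
        if finding:
            inc.findings.append(finding)
    inc.severity = classify(inc)
    return inc


if __name__ == "__main__":
    inc = run_playbook(Incident(host="srv-db-01", user="j.doe",
                                file_sha256="ab" * 32, src_ip="203.0.113.7"))
    print(inc.severity, inc.checks_run, inc.findings, inc.actions)
```

Each check is an independent function, so adding a new integration means appending one function to the playbook list rather than rewriting the runner, which is what lets the number of checks per incident grow from a handful to hundreds. Actions are only proposed here as strings; in an IRP they would be dispatched to the firewall, antivirus console or directory through the corresponding integration.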
Incident Response Platform (IRP): the main development prospects at the bank
- Expanding the coverage of the IRP system to the set of protection systems of the financial corporation; connecting subsidiaries and their information security tools to the proven scenarios and procedures
- Tasks connected with the integration and analysis of security in Big Data processing systems with a semantic incident analysis module containing a machine learning model. The module has the potential to automatically detect incident response commands and pass response commands to connected external systems and devices
- Automation of interaction with regulators, for example providing a complete lifecycle of interaction with FinCERT's ASOI and the Antifraud Feed (Fid Antifrod)
- Transition to Auto Compliance based on the implemented IRP tools: automating compliance with the standards and regulations most important to the financial industry, for example auto-compliance with the financial standards GOST R 57580.1-2017 and GOST R 57580.2-2018