Welcome to The Engineer Banker, a weekly newsletter dedicated to organizing and delivering insightful technical content on the payments domain, making it easy for you to follow and learn at your own pace

Learn payments with The Engineer Banker

TEB

·

April 20, 2023

Read full story

Refer a friend

Welcome to the latest installment of The Engineer Banker. Today, we are excited to kick off a comprehensive series that delves into the world of security within payment systems and financial institutions at large. As financial institutions become increasingly digital, they face an evolving set of security challenges. Traditional security measures are no longer sufficient in an age of sophisticated cyber-attacks, insider threats, and regulatory pressures. This has led banks to deploy Security Information and Event Management (SIEM) systems to enhance their cybersecurity posture significantly.

What Is SIEM?

SIEM technology aggregates and analyzes activity in the form of logs from various resources across an organization's technology infrastructure. It collects security data from network devices, servers, and domain controllers, among other sources, and performs actions like event correlation, alerting, dashboards, and reporting. Essentially, SIEM serves as the brain of an organization's security ecosystem, providing a unified view of its information landscape.

In banking, the stakes are exceptionally high when it comes to security threats. A breach could compromise not only financial assets but also severely damage a bank’s reputation. SIEMs excel at real-time threat detection and provide immediate alerts for unusual activity, such as multiple failed login attempts, data exfiltration activities, or unauthorized system changes. They can be programmed to correlate diverse data points and recognize complex attack patterns, which single-point solutions often miss.

While external threats often grab headlines, insider threats remain a significant concern for banks. A disgruntled employee with access to sensitive information can be as damaging as a cyber-criminal. SIEM systems can monitor and analyze user behavior to detect unusual access patterns or data movements, thereby aiding in the early detection of insider threats.

One of the strengths of SIEM systems is their ability to integrate with other security tools like intrusion detection systems (IDS), firewalls, and antivirus solutions. This creates a robust, multi-layered security architecture where different tools work in tandem, guided by the analytical capabilities of the SIEM system.

Post-incident analysis is critical in understanding how a security incident occurred and in ensuring that it doesn't happen again. SIEMs offer advanced forensic and analytical capabilities, allowing security analysts to dive deep into security logs to scrutinize events leading up to an incident. SIEM also contributes to business continuity plans. By ensuring that all security incidents are duly logged and analyzed, banks can better prepare for potential threats, thereby minimizing the risk of downtime and ensuring uninterrupted service to their customers.

SIEM, a data pipeline

In a typical Security Information and Event Management (SIEM) deployment, whether utilizing a commercial solution or an open-source alternative, logs generated from various points within the bank's infrastructure are funneled into the SIEM system for centralized monitoring and analysis. These logs could originate from a myriad of systems—ranging from web servers, operating systems, and application software, to external threat feeds or specialized security devices like firewalls and intrusion detection systems.

Given that these diverse sources will likely produce logs in different formats, an essential step in the SIEM integration process involves log normalization. This is the transformation of disparate log formats into a common, standardized form that facilitates easier analysis and interpretation by the SIEM system. Log normalization is critical for comparing data across different systems and for implementing consistent security policies and procedures.

Not all logs generated within an organization, however, will be relevant or useful for the SIEM. Some logs might be redundant, containing information already captured elsewhere, while others might lack the level of detail necessary for effective security analysis. Therefore, an initial filtering or prioritization process is often put in place to ensure that only valuable logs are ingested into the SIEM system.

Finally, the ingested logs must be stored in a manner that not only complies with regulatory requirements but also allows for efficient querying. This is crucial for translating raw log data into actionable insights, displayed through dashboards, reports, and alerts, that empower the organization to proactively manage security risks and respond to incidents. Therefore, the design of the storage architecture is a critical factor that determines how successfully the SIEM system will serve its intended purpose.

In its simplest form a data pipeline and therefore a SIEM deployment can be decomposed in 4 main layers of architecture:

• Log collection: Machines and devices where the log generation and collection happens

• Log aggregation: At this stage logs are manipulated, filtered, enriched, formatted and aggregated to be finally forwarded to the end storage.

• Log storage: Place where logs are efficiently indexed for future retrieval so that queries and visualization can happen.

• Visualization: The GUI where the SOC analysts will connect to perform the queries and setup the alerts.

In the following section, we will delve into the intricacies of the data pipeline responsible for funneling information into the SIEM system and we will see how to implement the pipeline with the ELK Stack. We'll break down each stage of the pipeline, offering a detailed exploration of how data is collected, normalized, enriched, and ultimately analyzed within the security framework.

Log collection