IBM Case Study: Askari Bank: Leaning on Automation and Analytics to Keep Cyber Threats at Bay 24×7
Overview
Through the turbulence and dynamism that has affected banks across the world—from the impact of Covid to the skyrocketing demand for digital banking services—Pakistan’s banking sector has continued to get stronger, more vibrant and, perhaps above all, more mature. Deposits and profitability are up, competition is robust, and the share of the population with access to banking services has steadily grown. Put simply, the outlook is good.

As Pakistan’s banking industry has continued to evolve and develop, government regulators have done their part to sustain the industry’s momentum by issuing new guidelines in response to rising risks and threats. The most recent of these, known as Cyber Security Policy 2021, calls for banks to modernise the systems and procedures they have in place to detect, respond to, and ultimately thwart cyber attacks in all their guises—from malware, phishing and spoofing to the “skimming” of data from ATM cards.

For Pakistan’s government, the intent of these new cybersecurity rules was to bring the country’s banks—which until that point had been focused chiefly on growth and profitability—up to speed on a largely neglected area. Among other measures, the new policy called for banks to maintain baseline security capabilities, including Security Operations Centres (SOCs) and automated response tools that work around the clock, 24×7.

In early 2019, when the policy was still being drafted, Askari Bank—like the vast majority of banks in Pakistan—had only the most rudimentary security capabilities in place, limited security governance, and no dedicated security personnel. Filling that gap was the primary mandate of Jawad Khalid Mirza, who joined the bank in March as Chief Information Security Officer (CISO). From the start, he explains, strong board-level support provided a favourable climate for the transformation he envisioned. “Our board was cognisant of how banks around the world were investing in security,” he says. “They recognised that without the right cybersecurity capabilities, as well as the right professionals, we can’t move ahead.”
A new SOC takes shape
Perhaps the central challenge facing Jawad Khalid Mirza was the need to build and staff a SOC from scratch. To get there, he would need to choose the security software solution that would most efficiently and cost-effectively address the technical needs, including the integration of the solution with Askari Bank’s core banking systems. On top of that, he needed to put in place the team to establish and manage the SOC’s day-to-day technical operations, including the all-important detection and handling of security incidents.

The task called for seasoned SOC experience, and he found it in Umair Shakil. Just days after joining Askari Bank as head of the SOC team, Umair Shakil was in deep deliberations with Jawad Khalid Mirza on the all-important platform decision. In his previous role—running security operations for one of Pakistan’s largest telecom providers—Umair Shakil had deployed the IBM Security® QRadar® solution to great effect. It was as a direct result of his positive experience that IBM Security made the short list, along with security solutions from Microsoft and Splunk.

Based on proofs of concept submitted by each vendor, Umair Shakil and Jawad Khalid Mirza performed rigorous benchmarking exercises based on three core dimensions: system performance, interoperability and ease of use. In addition to these factors, Jawad Khalid Mirza explains, the choice of the QRadar platform reflects their confidence in the roadmap IBM has laid out for it. “We see ourselves as really aligned with the direction IBM is going with the QRadar platform,” he says. “To us, it reflects IBM’s commitment to making a great security solution even better.”

In looking at the attributes that favoured the QRadar solution over those from Microsoft and Splunk, Umair Shakil singles out ease of integration as one of its particular strong points. “One of the best things about QRadar is that it offers multiple ways to integrate with our core banking systems, rather than just a single method,” he says. “As we had hoped, that proved to be an enormous advantage during the implementation.”

To deliver the solution, Askari Bank engaged with IBM Business Partner Software Productivity Strategists, Inc. (SPS), which worked closely with Umair Shakil and his growing SOC team. For threat detection, the solution’s core component is IBM Security QRadar SIEM, its security information and event management product that enables the bank to aggregate logs from various sources within a single repository. This in turn enables SOC staff to correlate and escalate different logs to quickly identify and prioritise security incidents.
Experience helps put use cases into action
When it comes to responding to security incidents, the bank’s rule of thumb was to automate wherever feasible. Its basic approach was to employ the playbook capabilities with IBM Security QRadar SOAR, its security orchestration, automation and response solution. In the initial deployment phase, SPS proposed a series of use cases drawn from its experience in implementing automated response scenarios for other customers. These use cases were then translated into specific playbooks that defined the sequence of how each incident would be escalated to higher response tiers or, if necessary, would trigger intervention from a member of the SOC response team. Having worked with SPS to deploy 10 playbooks, the Askari Bank team—with some coaching from SPS—is continually developing more, with the eventual aim of having about 35 automated playbooks in place. To Nayab Akbar, Assistant Vice President at SPS for Enterprise Security and a key player in the engagement, the bank’s progress is a clear sign that the SOC team is getting good traction. “Today, the Askari team is actually discussing the security use cases themselves, and they know how to translate them into playbooks,” says Akbar. “That’s exactly where you want your customers to be—spending their time and efforts coming up with use cases to automate.”
Prioritising threats to drive response efficiency
While stopping threats from becoming security breaches is the ultimate measure of success for a SOC, the efficiency with which it does so is also key on an operational level. And that’s where Askari Bank’s automation efforts have really delivered. Through QRadar SIEM’s ability to weed out false positives, the bank’s SOC has reduced the number of security incidents from roughly 700 per day to fewer than 20. Moreover, the QRadar SOAR playbooks implemented in the SOC enable personnel to resolve these incidents in an average of five minutes, as compared with up to 30 minutes prior to the bank’s security transformation.

As Umair Shakil points out, all these automation-driven efficiency improvements mean that SOC personnel can filter out the low-priority incidents and false positives that can swamp a SOC, and instead focus on addressing true risks and hunting for vulnerabilities. “For a SOC to be effective, the ability to prioritise our response to the most pressing security risks is nearly as important as detection,” says Umair Shakil. “In that respect, the QRadar solution we deployed has made our team far more effective at addressing the threat landscape.”

Importantly, that means threats that come from both outside and inside the bank. And that gets to one of the key security issues facing not just banks, but any organisation: managing the security threats posed by “insiders.” In many cases, the tell-tale signs of insider threats are both botched login attempts and atypical or anomalous behaviour within the network, such as when an employee attempts to access an application or database. To detect these risks, Askari Bank uses the User Behaviour Analytics (UBA) app. By combining behavioural rules and analytics with log and activity data already stored in QRadar, the UBA app has enabled the bank’s SOC staff to streamline monitoring, detection and investigation, thereby improving the efficiency of insider threat management.

Moreover, because UBA uses analytical algorithms to detect deviations in user activities—rather than strict rules—Askari Bank has been able to use it to reduce the frequency of false-positive incidents. While there’s no single indicator of how far Askari Bank has come in improving its security posture since working with SPS to deploy its new QRadar solution, there are plenty of proof points. For instance, a SOC that didn’t even exist three years ago is now staffed by a team of more than 20 specialists. And there’s something else the bank has that it didn’t before: threat visibility. By virtue of the correlation capabilities of QRadar SIEM and its ability to provide high-fidelity alerts, Askari Bank can now get an accurate window on how many offenses it’s experiencing 24×7.

On top of this vastly improved threat visibility, Jawad Khalid Mirza points out, the automated responses enabled by QRadar SOAR mean that SOC personnel are working more efficiently and proactively to keep today’s cyber threats—and tomorrow’s emerging ones—at bay. “The fact that we’re now able to comply with Pakistan’s cybersecurity regulations is critical, but only the beginning,” he explains. “With QRadar, we now have the efficiency and flexibility to adapt to a cyber threat landscape that’s constantly changing, no matter how fast we grow.”
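As an added illustration of the two-stage approach the text describes (this is not code from Askari Bank, SPS or the QRadar UBA app): a strict failed-login rule on its own flags every user with a burst of failures, while correlating each burst with the user's historical application baseline keeps only the genuinely anomalous case, which is the kind of false-positive reduction the passage attributes to behavioural analytics. The log format, user names, thresholds and sample events are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real bank or QRadar logs): "timestamp|user|event|target". Day 1 is
# normal use; on day 3 alice mistypes her password before her usual work, bob fails at night then opens a new DB.
SAMPLE_LOGS = """\
2024-05-01T09:00:00|alice|login_ok|vpn
2024-05-01T09:05:00|alice|app_access|core-banking
2024-05-01T09:10:00|bob|login_ok|vpn
2024-05-01T09:12:00|bob|app_access|hr-portal
2024-05-03T08:58:00|alice|login_fail|vpn
2024-05-03T08:58:30|alice|login_fail|vpn
2024-05-03T08:59:00|alice|login_fail|vpn
2024-05-03T09:00:00|alice|login_ok|vpn
2024-05-03T09:02:00|alice|app_access|core-banking
2024-05-03T22:10:00|bob|login_fail|vpn
2024-05-03T22:10:20|bob|login_fail|vpn
2024-05-03T22:10:40|bob|login_fail|vpn
2024-05-03T22:11:00|bob|login_ok|vpn
2024-05-03T22:13:00|bob|app_access|customer-db""".splitlines()
BASELINE_CUTOFF = datetime(2024, 5, 3)  # activity before this date defines "normal"

def parse(lines):
    """Turn pipe-delimited log lines into (timestamp, user, event, target) tuples."""
    return [(datetime.fromisoformat(ts), u, e, t)
            for ts, u, e, t in (line.split("|") for line in lines)]

def build_baseline(events, cutoff):
    """Per-user set of applications the user normally accessed before the cutoff."""
    base = defaultdict(set)
    for ts, user, event, target in events:
        if ts < cutoff and event == "app_access":
            base[user].add(target)
    return base

def failure_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Strict rule: {user: time the burst completed} for >= threshold failed logins in window."""
    fails = defaultdict(list)
    for ts, user, event, _ in sorted(events):
        if event == "login_fail":
            fails[user].append(ts)
    return {user: t[i + threshold - 1] for user, t in fails.items()
            for i in range(len(t) - threshold + 1) if t[i + threshold - 1] - t[i] <= window}

def correlated_offenses(events, baseline, follow=timedelta(minutes=15)):
    """Analytics step: keep a burst only if it is followed by access to an app outside the baseline."""
    return {user for user, end in failure_bursts(events).items()
            for ts, u, event, target in events
            if u == user and event == "app_access" and end <= ts <= end + follow
            and target not in baseline.get(user, set())}
```

Run over the sample, the strict rule raises offenses for both alice and bob, while the correlated check raises one only for bob, whose burst is followed by access to a database absent from his baseline.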
About Askari Bank Ltd
Based in Rawalpindi, Pakistan, Askari Bank is a commercial and retail bank with 560 branches across Pakistan and a wholesale bank branch in Bahrain. Established in 1991, Askari Bank is a unit of the Fauji Group, with 2021 revenues of USD 4.2 billion and approximately 7,500 employees.