Leaning on automation and analytics to keep cyberthreats at bay 24x7
Pakistan’s Askari Bank turns to the IBM QRadar platform to build a new security operations center
Through the turbulence and dynamism that have affected banks across the world—from the impact of Covid to the skyrocketing demand for digital banking services—Pakistan’s banking sector has continued to get stronger, more vibrant and, perhaps above all, more mature. Deposits and profitability are up, competition is robust, and the share of the population with access to banking services has steadily grown. Put simply, the outlook is good.

As Pakistan’s banking industry has continued to evolve and develop, government regulators have done their part to sustain the industry’s momentum by issuing new guidelines in response to rising risks and threats. The most recent of these, known as Cyber Security Policy 2021, calls for banks to modernize the systems and procedures they have in place to detect, respond to, and ultimately thwart cyberattacks in all their guises—from malware, phishing and spoofing to the “skimming” of data from ATM cards.

For Pakistan’s government, the intent of these new cybersecurity rules was to bring the country’s banks—which until that point had been focused chiefly on growth and profitability—up to speed on a largely neglected area. Among other measures, the new policy called for banks to maintain baseline security capabilities, including security operations centers (SOCs) and automated response tools that work around the clock, 24x7.

In early 2019, when the policy was still being drafted, Askari Bank—like the vast majority of banks in Pakistan—had only the most rudimentary security capabilities in place, limited security governance, and no dedicated security personnel. Filling that gap was the primary mandate of Jawad Khalid Mirza, who joined the bank in March as Chief Information Security Officer (CISO). From the start, he explains, strong board-level support provided a favorable climate for the transformation he envisioned. “Our board was cognizant of how banks around the world were investing in security,” he says. “They recognized that without the right cybersecurity capabilities, as well as the right professionals, we can’t move ahead.”

<20 security incidents: Cut the number of security incidents from roughly 700 per day to fewer than 20 by sharply reducing the number of false positives

5 minutes: Reduced the time required to remediate from an average of 30 minutes to an average of 5 minutes through the implementation of automated response

A new SOC takes shape

Perhaps the central challenge facing Jawad Khalid Mirza was the need to build and staff an SOC from scratch. To get there, he would need to choose the security software solution that would most efficiently and cost effectively address the technical needs, including the integration of the solution with Askari Bank’s core banking systems. On top of that, he needed to put in place the team to establish and manage the SOC’s day-to-day technical operations, including the all-important detection and handling of security incidents. The task called for seasoned SOC experience, and he found it in Umair Shakil.

Just days after joining Askari Bank as head of the SOC team, Umair Shakil was in deep deliberations with Jawad Khalid Mirza on the all-important platform decision. In his previous role—running security operations for one of Pakistan’s largest telecom providers—Umair Shakil had deployed the IBM Security® QRadar® solution to great effect. It was as a direct result of his positive experience that IBM Security made the short list, along with security solutions from Microsoft and Splunk.

Based on proofs of concept submitted by each vendor, Umair Shakil and Jawad Khalid Mirza performed rigorous benchmarking exercises based on three core dimensions: system performance, interoperability and ease of use. In addition to these factors, Jawad Khalid Mirza explains, the choice of the QRadar platform reflects their confidence in the roadmap IBM has laid out for it. “We see ourselves as really aligned with the direction IBM is going with the QRadar platform,” he says. “To us, it reflects IBM’s commitment to making a great security solution even better.”

In looking at the attributes that favored the QRadar solution over those from Microsoft and Splunk, Umair Shakil singles out ease of integration as one of its particular strong points. “One of the best things about QRadar is that it offers multiple ways to integrate with our core banking systems, rather than just a single method,” he says. “As we had hoped, that proved to be an enormous advantage during the implementation.”

To deliver the solution, Askari Bank engaged with IBM Business Partner Software Productivity Strategists, Inc. (SPS), which worked closely with Umair Shakil and his growing SOC team. For threat detection, the solution’s core component is IBM Security QRadar SIEM, its security information and event management product that enables the bank to aggregate logs from various sources within a single repository. This in turn enables SOC staff to perform correlations and escalation of different logs to quickly identify and prioritize security incidents.

Experience helps put use cases into action

When it comes to responding to security incidents, the bank’s rule of thumb was to automate wherever feasible. Its basic approach was to employ the playbook capabilities with IBM Security QRadar SOAR, its security orchestration, automation and response solution. In the initial deployment phase, SPS proposed a series of use cases drawn from its experience in implementing automated response scenarios for other customers. These use cases were then translated into specific playbooks that defined the sequence of how each incident would be escalated to higher response tiers or, if necessary, would trigger intervention from a member of the SOC response team.

Having worked with SPS to deploy 10 playbooks, the Askari Bank team—with some coaching from SPS—is continually developing more, with the eventual aim of having about 35 automated playbooks in place. To Nayab Akbar, Assistant Vice President at SPS for Enterprise Security and a key player in the engagement, the bank’s progress is a clear sign that the SOC team is getting good traction. “Today, the Askari team is actually discussing the security use cases themselves, and they know how to translate them into playbooks,” says Akbar. “That’s exactly where you want your customers to be—spending their time and efforts coming up with use cases to automate.”

Prioritizing threats to drive response efficiency

While stopping threats from becoming security breaches is the ultimate measure of success for an SOC, the efficiency with which it does so is also key on an operational level. And that’s where Askari Bank’s automation efforts have really delivered. Through QRadar SIEM’s ability to weed out false positives, the bank’s SOC has reduced the number of security incidents from roughly 700 per day to fewer than 20. Moreover, the QRadar SOAR playbooks implemented in the SOC enable personnel to resolve these incidents in an average of five minutes, as compared with up to 30 minutes prior to the bank’s security transformation.

As Umair Shakil points out, all these automation-driven efficiency improvements mean that SOC personnel can filter out the low-priority incidents and false positives that can swamp an SOC, and instead focus on addressing true risks and hunting for vulnerabilities. “For an SOC to be effective, the ability to prioritize our response to the most pressing security risks is nearly as important as detection,” says Umair Shakil. “In that respect, the QRadar solution we deployed has made our team far more effective at addressing the threat landscape.”

Importantly, that means threats that come from both outside and inside the bank. And that gets to one of the key security issues facing not just banks, but any organization: managing the security threats posed by “insiders.” In many cases, the tell-tale signs of insider threats include both failed login attempts and atypical or anomalous behavior within the network, such as when an employee attempts to access an application or database outside their normal pattern. To detect these risks, Askari Bank uses the User Behavior Analytics (UBA) app. By combining behavioral rules and analytics with log and activity data already stored in QRadar, the UBA app has enabled the bank’s SOC staff to streamline monitoring, detection and investigation, thereby improving the efficiency of insider threat management. Moreover, because UBA uses analytical algorithms to detect deviations from each user’s normal activity—rather than strict, fixed rules—Askari Bank has been able to use it to reduce the frequency of false-positive incidents.
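The contrast the paragraph draws between a strict rule and a per-user behavioral baseline, as an added illustration that is not QRadar or UBA code; the users, resource names and daily failed-login counts are constructed sample data:

```python
"""Strict-threshold rule vs. per-user baseline deviation for insider-threat
signals (failed logins, atypical resource access). Added illustration only;
not QRadar or UBA code. All log data below is constructed, not real bank data."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed seven-day history: (user, day, failed_logins, resources_touched)
HISTORY = (
    [("alice", d, 1, {"crm"}) for d in range(1, 8)]
    + [("batchsvc", d, 6, {"ledger"}) for d in range(1, 8)]  # noisy service account
    + [("bob", d, 0, {"hr"}) for d in range(1, 8)]
)
# Constructed observations for "today": user -> (failed_logins, resources_touched)
TODAY = {"alice": (2, {"crm"}), "batchsvc": (7, {"ledger"}), "bob": (4, {"hr", "ledger"})}

def strict_rule(today, threshold=5):
    """Fixed rule: alert on every user with >= threshold failed logins today.
    Flags the always-noisy service account and misses bob's unusual activity."""
    return {u for u, (fails, _) in today.items() if fails >= threshold}

def build_baselines(history):
    """Per-user mean/stdev of daily failed logins plus the set of usual resources."""
    fails, res = defaultdict(list), defaultdict(set)
    for user, _day, f, r in history:
        fails[user].append(f)
        res[user] |= r
    return {u: (mean(fails[u]), pstdev(fails[u]), res[u]) for u in fails}

def baseline_rule(today, baselines, k=3.0, floor=2.0):
    """Alert when today's failures exceed mean + k*stdev (a floor keeps an
    all-zero history from alerting on a couple of mistypes) or when the user
    touches a resource never seen in their history."""
    alerts = {}
    for user, (f, r) in today.items():
        mu, sd, usual = baselines[user]
        reasons = []
        if f > mu + max(k * sd, floor):
            reasons.append("failed_logins")
        if r - usual:
            reasons.append("new_resource")
        if reasons:
            alerts[user] = reasons
    return alerts
```

Run on the constructed data, the fixed rule alerts only on the service account (a false positive), while the baseline rule stays quiet on it and instead surfaces bob, whose failures and first-ever access to the ledger system both deviate from his own history.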

While there’s no single indicator of how far Askari Bank has come in improving its security posture since working with SPS to deploy its new QRadar solution, there are plenty of proof points. For instance, an SOC that didn’t even exist three years ago is now staffed by a team of more than 20 specialists. And there’s something else the bank has that it didn’t before: threat visibility. By virtue of the correlation capabilities of QRadar SIEM and its ability to provide high-fidelity alerts, Askari Bank can now get an accurate window on how many offenses it’s experiencing 24x7.

On top of this vastly improved threat visibility, Jawad Khalid Mirza points out, the automated responses enabled by QRadar SOAR mean that SOC personnel are working more efficiently and proactively to keep today’s cyberthreats—and tomorrow’s emerging ones—at bay. “The fact that we’re now able to comply with Pakistan’s cybersecurity regulations is critical, but only the beginning,” he explains. “With QRadar, we now have the efficiency and flexibility to adapt to a cyberthreat landscape that’s constantly changing, no matter how fast we grow.”

About Askari Bank Ltd

Based in Rawalpindi, Pakistan, Askari Bank is a commercial and retail bank with 560 branches across Pakistan and a wholesale bank branch in Bahrain. Established in 1991, Askari Bank is a unit of the Fauji Group, with 2021 revenues of USD 4.2 billion and approximately 7,500 employees.

About Software Productivity Strategists, Inc. (SPS)

Based in Rockville, MD, with offices in Islamabad, Pakistan, IBM Business Partner SPS builds industry solutions leveraging AI and cloud. As an enterprise-class innovator and solution creator with expertise across all phases of product design, development, deployment, security, operations, monitoring and support, SPS helps its clients build, deploy and secure applications. Its development, quality, cybersecurity, training, operations, monitoring and support teams work in tandem to create high-performance, secure, reliable, scalable and manageable systems.

Take the next step

To learn more about the IBM solutions featured in this story, please contact your IBM representative or IBM Business Partner.

Legal

© Copyright IBM Corporation 2023. IBM Corporation, New Orchard Road, Armonk, NY 10504

Produced in the United States of America. March 2023.

IBM, the IBM logo, IBM Security, and QRadar are trademarks or registered trademarks of International Business Machines Corporation, in the United States and/or other countries. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on ibm.com/trademark.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

All client examples cited or described are presented as illustrations of the manner in which some clients have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations and conditions. Generally expected results cannot be provided as each client's results will depend entirely on the client's systems and services ordered. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

Statement of Good Security Practices: No IT system or product should be considered completely secure, and no single product, service or security measure can be completely effective in preventing improper use or access. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

The client is responsible for ensuring compliance with all applicable laws and regulations. IBM does not provide legal advice nor represent or warrant that its services or products will ensure that the client is compliant with any law or regulation.