How the Bank of England is transitioning to 'SOC 3.0'

The UK's central bank is transitioning its security operations centre towards a more automated future

UK | United kingdom  >  England  >  London  >  Bank of England [central bank]

The Bank of England is six months in to a redesign of its security operations centre (SOC) focused around a set of end-to-end defence templates in what it is calling SOC 3.0.

The UK's central bank, amongst other functions, is responsible for the UK's payment infrastructure, both by acting as the settling agent to allow financial institutions to exchange funds and by operating the CHAPS payment network, meaning the bank's SOC is protecting the trillion dollars (£700 billion) or so that moves through those systems every day.

Computerworld sat down with the bank at the same time last year, where Jonathan Pagett, head of the security operations centre, talked through the modernisation of its SOC around more fine-grained monitoring technology, proactive defence and a culture of continuous improvement, in what the bank internally branded SOC 2.0.

Read next: How the Bank of England built its 'SOC 2.0'

Since then the Bank of England has been looking to go one step further and build the SOC 3.0, which is based on the principles of infrastructure-as-code, an IT approach which rose to prominence as a way for devops teams to automate some key manual processes using software – or code.


What Pagett and his team at the Bank of England are working through is how these principles can be applied to a security operations centre.

"If you think about infrastructure-as-code: rather than thinking of storage, networking, your services and stuff independently, you think of it as one stack," he explained. "This was the idea, thinking end-to-end within the SOC and asking why aren't we deploying our SOC processes as code."

This led Pagett and his team to start creating a set of what they call 'defence templates', where "you can define all of the principles of how you want your SOC to operate".

At a high level these templates consist of relevant security analytics – which the bank stores in Splunk – testing criteria, triage actions and incident response, which can then be deployed directly from Git onto the SOC infrastructure.

"What that does from a SOC point of view is it forces you to think of the full end-to-end piece," he added. "If you're having to define your whole operation within a piece of code, it forces you to think about: 'if I'm going to detect this, how am I going to respond to it?' Because you have to define this up front, it forces you to bring all of those different disciplines together into effectively a piece of code."

This is more important than ever in a cloud computing world, as the Bank of England is in the process of adopting more modern IT platforms following an independent review in 2013, which identified the need for a more modern data infrastructure at the bank.

Read next: How the Bank of England redesigned its data hub around open source

"When you start adopting cloud services, you can't do that [SOC 2.0] model anymore," Pagett said. "Some of the things that you might be able to do is, when it's all on prem it's nice and within your boundary. As you start adopting cloud services you want to be able to respond a lot quicker and that's where you have to take the human out of the loop."

Embracing automation and orchestration

From a people perspective this brings the members and disciplines of a SOC closer together as they look to define that end-to-end incident response.

"If you think of a SOC, you've got a number of disciplines," Pagett said. "So you have threat intelligence, data analytics, your detection techniques, you've got your testing criteria, then you've got your triage and incident response. What I found was everyone's thinking of those disciplines independent of each other."

What he wants to do instead is bring concepts of automation and orchestration into the SOC itself, especially for the triage and incident response parts of the process.

"When you think about your most costly areas within the SOC, it is effectively where your humans are," he said. "If you can automate your triage process and make that more efficient, that's obviously a good thing. Same with the orchestration side of incident response, if you can orchestrate some of those actions and stop people having to manually do those actions, then that's great."

This focus on orchestration and automation has come almost directly from Phantom, the security automation specialist Splunk acquired in 2018 for $350 million.

"We started working with Phantom in the past year and that has changed how we think about things," Pagett said. "That's where this whole SOC-as-code approach came from." The key caveat here however is that the Bank of England isn't just adopting Phantom technology, but thinking more holistically about the SOC's operating model.

People impact

In terms of the team's thinking, Pagett says the 12 people within the SOC has been largely responsive to the 3.0 model, primarily because it frees up analysts to think more about the creative aspects of security, rather than triage and response.

"The SOC analyst of the future isn't the person doing the triage, they're not part of that process anymore, so I like to think of them as more of the orchestrators of what's going on in the SOC," he explained.

The clear benefit of this is scalability and the ability to react to more alerts and attack vectors with the same sized SOC.

"You want your people doing the creative side, because that's what humans are good at, whereas the repetitive side, you just want your automation to do that," Pagett said. "What we've actually found is where you might have your incident response specialists, and your detection specialists and so forth. What this is saying is that the analysts are now thinking full end-to-end. So we are expecting our team to cover a lot more disciplines, but I think that's a healthy thing."

What next?

The bank is now in the heavy integration and implementation side, with around 336 defined security vectors to port over to their own defence templates.

"In theory, we're going to have to review every single one of those to then define the defence templates," he said. "It's not going to be a one-to-one relationship but as we've been testing this approach we have been looking at what use cases we have at the moment and if they could be bundled up into a defence template."

That being said, Pagett is confident his SOC will be a fully fledged SOC 3.0 six months from now.

Read next: How the Bank of England is modernising its systems for the future

This process isn't a straight porting exercise, however, with plenty of triage involved. This project – called use case assurance testing (UCAT) internally – focuses on testing existing security risks and ensuring the business has the right response in place to mitigate it.

"We can turn around and say, for actor X they use these tactics and techniques, and then we have detection techniques for use cases like that," Pagett said. "That's great, but how did you know they are actually going to work? So we've put a lot of effort into that testing regime."

This also means that if an attack technique goes out of fashion the bank is still protected. "We have a piece of intelligence come in, we can say that hasn't fired in a while, but it's still a valid technique at the moment, so [creating] that feedback loop between threat operations and detections," he explained.

This approach is then continually validated as attacks come in – and Pagett ensured Computerworld that the bank has been "busy" over the past year – as red teaming exercises continue to detect attacks.

"The SOC is in that unique position where you can actually provide real world examples and it's not just all fear, uncertainty and doubt, which a lot of security can be seen as," he concluded.


Copyright © 2019 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon