Transforming the SOC for Bank Central Asia

PT Bank Central Asia Tbk (BCA) is Indonesia’s largest lender by market value and the largest privately owned bank. BCA provides both commercial and personal banking services through 1,000+ branches across the country.

Lily Wongso, executive vice president (EVP), IT Security, and Hans Christianto, assistant vice president (AVP), IT Security, had to oversee a large number of security tools, each with specific guidelines to manage and configure. “We tried to automate some of the incident response procedures by writing Python-based scripts, but faced difficulties in maintaining and updating these scripts,” explains Hans. Being in the financial services sector and given the increasing threat landscape, it was imperative that BCA sought out a solution that could help them quickly detect and respond to security threats. This was of utmost importance as BCA stores and processes large amounts of personal and financial information, and needs to be able to secure the data in order to uphold their customers' trust.

Working with varieties of security tools, the security operations center (SOC) at BCA faced the huge challenge of having to deal with multiple permissions for security response. “We did not have a standardized method for security response, as we had multiple tools from various brands. We needed to integrate these numerous solutions and use automation to achieve our goal of faster detection and response capabilities,” says Hans.

Analysts at the BCA SOC were encumbered with manual tasks that often resulted in them missing certain processes due to human error. “We needed to automate processes so that all investigations could be done through a single and consistent approach,” states Lily. The team began looking for a solution that could integrate its security tools, automate processes, and create playbooks to help the SOC analysts simplify their workflow and implement a consistent process in place.

The security team at BCA wanted to improve the efficacy of their SOC by unifying their security functions and have a robust security infrastructure. Their key requirements were:

• Standardization of processes by integrating multiple security tools.
• Faster detection and response mean improved metrics on mean time to detect (MTTD) and mean time to respond (MTTR).
• Increased automation capabilities to reduce human error.
• Unified threat intelligence management with playbook-driven automation.

With around 20 members in the SOC monitoring the data center, BCA wanted to deploy Cortex XSOAR to prioritize incident response. “We saw that Cortex XSOAR could integrate well with other tools, helping us design use cases with ease through API integration,” says Hans. He also adds, “It is not just about cybersecurity. The solution helps us in cybersecurity incident management, which is critical to the financial services industry. By using Cortex XSOAR, the SOC team can now build business use cases that can protect us from security threats in the dark web, helping track cases with ease.”

Since Cortex XSOAR ingests unstructured and structured threat intelligence feeds, security teams can automate tasks and perform multiple functions from a single platform. Lily elaborates on this further, as she says, “Having worked with Palo Alto Networks for over seven years now, we were absolutely sure of their capabilities and focus in terms of security solutions. We realized that Cortex XSOAR marries threat intelligence with SOAR, providing us with extensive threat intelligence capabilities and complete control over threat data management.” BCA has leveraged Cortex XSOAR capabilities to automate the detection of anomalies within their threat intelligence database. “By integrating this data with our internal systems, we are able to identify and promptly block any malicious activities, thereby providing a robust safeguard against potential threats,” Hans adds.

BCA needed to ensure that it is compliant with the Payment Card Industry Data Security Standard (PCI DSS). Palo Alto Networks capabilities can be mapped to PCI DSS requirements, giving BCA the peace of mind to ensure regulatory compliance. Besides automating the testing of security systems, Cortex XSOAR can also help speed response in the event of a compliance failure, addressing the PCI DSS requirements.

Palo Alto Networks local partner helped with system installation, additional integrations, and playbook development after handover. The Customer Success team at Palo Alto Networks has supported BCA and its partner throughout—during setup, configuration, integration, scale, and optimization.

Playbooks enable the automation of security processes, such as handling investigations and managing tickets. With playbook automation, security responses that were manually resolved previously can now be easily automated. BCA has leveraged Cortex XSOAR for various use cases, including the integration of threat intelligence for proactive monitoring, deployment of robust security policies, and the automation of security tasks. The playbooks have allowed BCA to enhance operational efficiency and streamline processes by seamlessly integrating multiple systems and security tools. Since 2023, BCA has about 85 Cortex XSOAR playbooks (including subplaybooks) currently in production.

One of the latest use cases is leveraging an automated response for phishing. When an employee reports a suspected phishing email, it is first validated by the BCA SOC analyst. If it is deemed to be malicious, with a single click of a button, the SOC analyst can push the email to XSOAR. BCA has developed a playbook on XSOAR that will parse all the information needed from the malicious mail. It will then check against threat intelligence, and respond accordingly, even blocking the incident on the Palo Alto Networks firewall, if required.

Faster detection and response

With Cortex XSOAR, BCA has seen improved metrics on mean time to detect (MTTD) and mean time to respond (MTTR). Prior to XSOAR, the team was using open-source Java-based scripts that had very limited automation use cases and were not scalable. With Cortex XSOAR, BCA has gained incident war room capabilities and the ability to easily build playbooks. The SOC team can use the war room for incident investigation and handling. Playbooks created have automated various security processes and successfully handled approximately 740,000 tickets in 2023, of which 30,000 tickets were fully automated. By leveraging these playbooks, BCA has significantly improved the efficiency and effectiveness of their SOC operations, enabling them to handle a large volume of security events with greater speed and accuracy. With improved detection and response capabilities, BCA is also able to ensure business resiliency and data security.

Upskilling of analysts

The use of the XSOAR war room and communication between analysts to automate processes, has meant that the analysts at the BCA SOC are continuously being upskilled with the latest automation processes. Having done away with numerous manual and repetitive tasks, analysts at the BCA SOC have more time to learn on the job and build the necessary security expertise. Given the shortage of skilled cybersecurity workers currently, this is a huge advantage for BCA.