CIBIL boosted its security posture using multi-tier defense approach from perimeter to end point in their attempt to safeguard the 27TB of customer data without affecting the response time of applications.

Credit Information Bureau (India) Limited or CIBIL is a Credit Information Company founded in August 2000. The company has come to play a critical role in India’s financial system --whether to help loan providers manage their business or help consumers secure credit faster and at better terms. CIBIL is the first Credit Bureau of India, formed as per the directives of RBI, in order to reduce delinquency in lending. CIBIL is the custodian of 550 Million trade lines which is stored in a 27TB of database. This data contains the Personally Identifiable Information (PII) of millions of customers who have approached a Credit Grantor (CG) (Banks/NBFC/HFC/Insurance) for a credit. Key business challenges Protecting the consumer PII submitted by CG as per the regulatory requirement is the key business challenge that CIBIL faces today. Application vulnerability, advanced threats and possible data breaches were the key technical challenges for them to be wary of. The company wanted to make sure the security enhancements do not deteriorate the response times of the applications even marginally, given that response time is one of the most important attributes for the customer. Forensic investigation was a challenge due to lack of technologies to generate logs, collect the logs centrally and then to correlate for analysis.    Seamlessly integrating new technologies to the existing environment which is large and heterogeneous with multiple operating systems & virtualization platforms, without any performance degradation was also a hurdle that they had to face. On the flip side, convincing the top management to go for the overhaul of the entire security landscape, given that they have never faced any cyber-attacks in the past, was no less a potential roadblock. Though CIBIL is a part of BFSI industry segment, there is a lack of industry benchmarking for best practices for credit bureaus in India. Due to this, CIBIL had to evaluate different industry segments and create their own benchmark. Need for innovation Considering the advanced threats or data breaches that are rampant today, data security is a serious concern for a Credit bureau that holds critical customer data. Innovation was essential to ensure that the new security technology architecture is implemented without compromise on uptimes or response time. Care had to be taken to avoid technology proliferation, making sure there is no redundant or duplicate technologies performing the same task and at the same time ensuring resilience even if one control fails. 'Since we are committed to remain a lean organization, no additional manpower was envisaged to handle the new technology solutions. It has to be designed to operate with minimum administrators, says A Shiju Rawther, Assistant VP, IT Infrastructure, CIBIL. Traditional standalone security technologies were not able to address these easily, without thinking out of the box, he adds. The implementation The project was aimed at enhancing security landscape using multi-tier defense approach from perimeter to end point with 4 tier design. Data Centre Security: CIBIL has implemented Deep security – Enterprise (anti-malware, web reputation, firewall, virtual patching, integrity monitoring, and log inspection) on 400 servers with various flavors of Unix/Windows operating systems and virtualization platform to protect from data breaches and business disruption. As many of the servers are exposed to internet and are connected to internal servers that hold mission critical data, it was imperative to ensure the servers are not vulnerable and completely secured against any kind of malicious activities. Majority of the servers are on Linux platform, hosting mission critical applications and patching these OS and applications at the pace at which patches are released was a tedious task. Trend micro deep security’s capability of virtual patching to shield vulnerabilities from exploits until they can be patched, helped them achieve timely protection against known and zero-day attacks. Also, Deep Security Integrity Monitoring and Log Inspection modules has helped CIBIL to meet compliance by identifying suspicious behavior and security events. Deep Security is deployed as a single, multifunction agent across all environments having addressed resource contention issues, which helped to reduce data center security team’s effort by simplifying security operations with a single management dashboard for all capabilities. Network defence project: As a next logical step, after securing the datacenter, they wanted to implement custom defense strategy with a solution that can provide network-wide visibility and control to combat targeted attacks. They also wanted this to complement existing security deployment of deep security on datacenter. They went ahead with a combination of Deep Discovery Inspector, Deep Discovery Analyzer and Interscan Messaging Security Virtual Appliance to protect against risk of damage and data loss from cyber threats. 'We initially deployed IMSVA which significantly helped us to reduce incoming Spam mails, and later integrated this with Deep Discovery Inspector that has specialized inspection engines and custom sandbox simulation to identify zero-day malware, malicious communications, and attacker activities that are invisible to standard security defences,' says Shiju. The WAF solution from Imperva was deployed to protect the Internet facing applications from attacks exploiting application vulnerabilities. The Privileged Identity Management by Iraje makes sure that all the admins are accessing the servers only on the controlled environment that logs all admin actions. Information Forensics & Incident Response Management: Now that they were ready with protecting the datacenter and the perimeter using multi-tier architecture, it was time for collating all the logs in one place and correlate it to make meaning out of it. They have opted for HP Arc sight for SIEM to do this crucial job. They have subscribed to the SOC services from IBM. This included monitoring on a 24x7 basis and formulating the ERT using IBM X-Force with Threat intelligence feeds. This is a team which is totally detached from the Lights on Operations, who will look at each event impartially in case of any unforeseen situations and deep dive for details, if need be. Deep Discovery’s Integration with HP Arcsight SIEM benefited them to improve enterprise-wide threat management and actionable intelligence from a single SIEM console. Post the SIEM, they have also contracted Tenable for the Tenable Security Centre Passive Vulnerability Scanner for end to end Vulnerability Management. This also provides feeds to the SIEM, which helps them to beef up monitoring of unpatched or vulnerable machines. The cost involved for development and implementation of this is Rs 582 lacs of Capital expenditure and 180 lacs of operational expenditure. The benefits  Increase in revenue: By adopting technologies which can address advanced threats gives more confidence to customers for investing or partnering with CIBIL. This indirectly helps increase business revenue. The number of tradelines increased by 25% last year, which is CIBIL’s raw material. With the overall project implementation, the CPU utilizations reduced, thereby ensuring fewer enquiries got timed out. Operational efficiency: 25% reduction in existing planned downtime of the servers and breathing time for actual patching due to virtual patching, and faster investigations were the key benefits. PIM helped a password less access for admins through single sign on and for ease of password management.  This also helped to adhere to the compliance requirement and enabled them to spend less time in audits. Overall automation has helped to reduce the manpower with different skill sets for monitoring. Single dashboard enabled effective and consolidated monitoring. The change management strategy The project was implemented phase wise. Successful POC was conducted for each phase and for each technology in order to understand the impact. Each layer of application teams (application/database/OS) were involved for performing the impact analysis. Post implementation, they got the OEM to conduct an audit certifying that all features are implemented and used and that they have implemented industry best practices for their product. They have also conducted independent audits by third party auditors to confirm that the implementation is complete and correct in all respects. They have also conducted planned training sessions for the implemented technologies for in-house admins. CIBIL plans to enable DDoS protection services in premises, forensic lab, IRM and customer data protection framework, as part of their future plans.