
How Can Indian Banks Comply with RBI Cybersecurity Guidelines


Understanding the new RBI guidelines and how
Cyberbit helps financial institutions achieve compliance

White Paper

www.cyberbit.com | sales@cyberbit.com
Table Of Contents

State of Cybersecurity in India’s Financial Sector ... 3
The RBI Guidelines ... 4
    Overview
    Weighing the Omnipresent Risk of a Technology
    Cyber Crisis Management Plan and Acclivity of Technology
    Empowering Incident Response and Management
    Keeping up with Cyber Awareness and Preparedness
The Cyberbit Cybersecurity Portfolio ... 6
    SOC 3D Orchestration and Automation
    Cyberbit Endpoint Detection and Response
    Cybersecurity for Smart Building Critical Systems
    Cyberbit Range
Achieving Compliance to the RBI Guidelines ... 10


State of Cybersecurity in India’s Financial Sector
As consumers continue to move towards digital services, pressure mounts on the IT infrastructure of financial institutions. They
must race to provide innovative digital services while also ensuring that robust information security standards are in place to protect
and benefit both consumers and the bank itself. In turn, banks face an unprecedented challenge from cybersecurity breaches.
McKinsey predicts that the cost of implementing and managing cybersecurity infrastructure will increase by 40% by 2025 [1].
According to the Indian Emergency Response Team (CERT-In), approximately 28,000 cybersecurity incidents were reported in
June 2017.

The Reserve Bank of India (RBI) has provided guidelines on Information Security, Electronic Banking, Technology Risk
Management and Cyber Frauds. These guidelines are intended to facilitate proactive response to and management of cyber incidents.

[1] “The Future of Bank Risk Management”, McKinsey & Company, July 2016

3 | How Can Indian Banks Comply with RBI Cybersecurity Guidelines | www.cyberbit.com
The RBI Guidelines
Overview
Following the announcement in the April 2010 Monetary Policy Statement, a working committee was constituted to shift the
measures and outlook from a static posture to a far more proactive and cyber-aware approach, by updating policies and
procedures in line with current trends. The guidelines provided by the Reserve Bank of India focus on speeding the implementation of
new developments and on emerging concerns in cyber security.

Weighing the Omnipresent Risk of a Technology


“The size, systems, technological complexity, digital products, stakeholders and threat perception varies from bank to bank and
hence it is important to identify the inherent risks and the controls in place to adopt appropriate cyber-security framework.” -
RBI Cybersecurity Guidelines

There are several types of risk that must be considered, such as operational risk, infrastructure risk, data loss or design risk
before adoption, alignment with business and regulatory requirements, methods of delivery, organizational culture, and internal
and external threats. Based on these parameters, each technology is assigned a risk level (low, medium, high or very high) in
terms of adoption and usage.

Cyber Crisis Management Plan and Acclivity of Technology


In contrast to a security incident response plan, which focuses on day-to-day security issues and their resolution, a Cyber Crisis
Management Plan (CCMP) focuses on a deliberate process and plan for continuous improvement, corrective measures and
fortification of infrastructure, technology and services. The goal is to proactively defend against unknown and advanced cyber
threats including, but not limited to, zero-day attacks, remote access threats, targeted attacks, ransomware, cryptoware and destructive
malware. The CCMP addresses four aspects: detection, response, recovery and containment, with the overall goal of establishing a
cyber resilience framework.

Empowering Incident Response and Management


It is imperative to have a robust incident response framework for effective response to and remediation of a threat, one that at the
same time supports the cyber resilience objectives of a financial institution. The goal of incident response is rapid recovery from
cyber-attacks and safe resumption of business operations. Every Security Operation Centre (SOC) must have a well-defined
incident response framework, with clear roles and responsibilities for all team members. Access to historical data, coupled
with powerful analysis tools, proactively provides insights from past outbreaks that help the SOC continually reduce its time to
respond (TTR).

“Empowering SOC involves integrating various log types and logging options into SIEM; ticket management, workflow
and case management, big data repository for natural search, integration of various threat intel and security tools, and
customization based on risk and compliance requirements of a financial institution as per the RBI guidelines.”
Cyber Security Framework in Banks, Reserve Bank of India

The sequence of tasks performed by SOC personnel may vary from incident to incident when carried out by humans, but a defined
workflow for an incident category will always be consistent. Hence, according to the RBI guidelines, incident response should be
automated, either partially or fully. At the same time, the cybersecurity skill shortage has fuelled the search for simple yet
effective tools that can be used by less experienced SOC personnel. Well-defined automation of repetitive tasks is the best way
to reduce SOC workload.

Keeping up with Cyber Awareness and Preparedness

“It should be realized that managing cyber risk requires the commitment of the entire organization to create a cyber-safe
environment.”

R. Ravikumar, Chief General Manager, Reserve Bank of India

It is also observed that if you ask SOC personnel about a threat such as SQL injection or ransomware, they may be able to
define it by name and nomenclature, but when it comes to explaining the individual actions that make up the threat, they lack the
familiarity and detailed knowledge necessary to respond effectively to a cyber threat or incident. This information gap gives attackers
enough of a time advantage to achieve their malicious goals.

The financial sector can improve its level of preparedness and ability to defeat the adversary by using realistic simulated training
across different attack vectors. Simulation training allows SOC personnel to quickly improve both knowledge and hands-on skills,
so that when things get chaotic they are ready to respond the moment a live cyber threat gains a foothold in the environment.

At the same time, top management and the board should be made aware of cyber-attacks, threat vectors and the do’s and don’ts of
cyber hygiene, so that they stay on the same page as the security team and hold a fair degree of cognizance of the nuances involved.

The Cyberbit Cybersecurity Portfolio
SOC 3D Orchestration and Automation
SOC 3D is a security orchestration, automation and response (SOAR) platform that enables information security
organizations to automate and orchestrate the entire incident response lifecycle, reducing time to response by 90% and
tripling the efficiency of the security operation. SOC 3D integrates all sensors, data feeds and tools in the SOC to create a
single point of control for security operations in financial institutions. SOC 3D provides advanced investigation, reporting and
customized dashboards, powered by big data, for forensic analysis and reporting.

SOC 3D - Centralize and Automate Incident Response

Cyberbit Endpoint Detection and Response
Cyberbit Endpoint Detection and Response is a detection and response platform made for and used by critical government
infrastructure and defence organizations. Cyberbit EDR solves the most pressing security challenges of detecting unknown and
advanced threats.

Cyberbit EDR - Visualize the entire attack timeline to investigate incidents and get to their root cause within minutes

Cybersecurity for Data Center Control Systems
Financial organizations often employ ICS/SCADA control systems, which provide digital control of physical devices, for example
to control air conditioning, electricity, elevators and more. These systems have become prime targets for cyber threat actors. For
example, a cyber attacker who tampers with the air conditioning control system can raise the temperature in the organization’s
data center and take it out of service. Traditional IT security systems struggle to protect these environments, which use unique
devices and communication protocols. Cyberbit’s SCADAShield platform helps financial organizations address this new challenge
by monitoring the control system network and detecting threats and configuration risks. SCADAShield integrates with other Cyberbit
systems to provide consolidated detection and response across all environments.

SCADAShield - real-time network visualization: device mapping, communication protocols, IT/OT touch-points, and risks

Cyberbit Range
Cyberbit Range is a training and simulation platform that increases security team efficiency and addresses the talent shortage
by actively training security teams in simulated attack scenarios. The training involves identifying an issue, following the spread of an
attack, finding its footprints, and collaborating on resolution and remediation. A guided user interface gives the SOC
instructor the ability to gauge the skills of SOC personnel undergoing training and to find pitfalls in those skills.

Cyberbit Range - Instructor view of simulated cyber-attack and defence

Achieving Compliance to the RBI Guidelines
Cyberbit understands the challenges of banks and financial organizations and has developed a unified cybersecurity platform
focused on strengthening the core aspects of a cyber resilience framework and fulfilling the RBI guidelines. The following table
highlights key RBI guidelines and how Cyberbit’s products address them:

Circular: RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16

Point 5
Guideline: The size, systems, technological complexity, digital products, stakeholders and threat perception vary from bank to bank
and hence it is important to identify the inherent risks and the controls in place to adopt appropriate cyber-security framework.
Riskiness of the business component also may be factored into while assessing the inherent risks.
Achieve Compliance: Unlike conventional detection products, Cyberbit products can all be deployed completely on-premise, in
air-gapped environments, while retaining their functionality. This minimizes the customer’s risk because data does not have to leave
the organization for analysis, threat intelligence, etc.

Points 11 and 12
Guideline: A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved
strategy. CCMP should address the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment. Banks
are expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted
attacks.
Achieve Compliance: Cyberbit EDR is built to detect zero-day, unknown and targeted attacks and to respond to these threats after
detection, achieving recovery and containment.

Point 17
Guideline: It should be realized that managing cyber risk requires the commitment of the entire organization to create a cyber-safe
environment. This will require a high-level of awareness among staff at all levels. Top Management and Board should also have
a fair degree of awareness of the fine nuances of the threats and appropriate familiarisation may be organized.
Achieve Compliance: Cyberbit Range is a training and simulation platform that trains security teams at all levels, from junior to
executive, in cyber emergency scenarios, giving them complete awareness of different threats and attacks. As a result, banks can raise
awareness of an attack or threat at all levels of staff, including executive management and the board.

Annex 1

Point 2.1
Guideline: Maintain an up-to-date and preferably centralised inventory of authorised/unauthorised software(s). Consider implementing
whitelisting of authorised applications /software/libraries, etc.
Achieve Compliance: Whitelists can be created and maintained on Cyberbit EDR and SCADAShield to monitor and control the use of
authorised or unauthorised software.

Point 13.1
Guideline: Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise.
Achieve Compliance: Serving as the last layer of defence, Cyberbit EDR detects installation, spread, and execution of malicious code
through EDR agents installed across the organization.

Point 13.2
Guideline: Implement Anti-malware, Antivirus protection including behavioural detection systems for all categories of devices
endpoint and servers.
Achieve Compliance: Cyberbit EDR performs behavioural analysis and machine learning on recorded information across different
layers on endpoints and servers.

Point 16.3
Guideline: Enough care is to be taken to capture audit logs pertaining to user actions in a system. Such arrangements should facilitate
forensic auditing, if need be.
Achieve Compliance: The audit log maintains a trail of all actions for review and examination.

Point 18.1
Guideline: Periodically conduct vulnerability assessment and penetration testing exercises for all the critical systems, particularly those
facing the internet.
Achieve Compliance: Cyberbit Range supports replication of the existing network in a virtual test bed for penetration testing
exercises, without compromising the uptime of the actual network during testing.

Point 23.3
Guideline: Conduct targeted awareness/training for key personnel (at executive, operations, security related administration/operation
and management roles, etc.)
Achieve Compliance: Cyberbit Range can be used by all members of the organization for cyber awareness training and for practising
the response to cyber crises.

Point 23.3
Guideline: Evaluate the awareness level periodically.
Achieve Compliance: Cyberbit Range stores performance metrics for every trainee or attendee across all trainings, which can be used
to evaluate the improvement or decline of skills over time.

Point 23.5
Guideline: Establish a mechanism for adaptive capacity building for effective Cybersecurity Management.
Achieve Compliance: Cyberbit Range provides a mechanism for adaptive capacity building. The simulation platform comes with a
robust library of scenarios and the ability to easily develop custom scenarios.

Annex 2

Point 4
Guideline: The systems that NEED to be put in place as a part of the Cyber SoC requires the following aspects to be addressed.
Methods to identify root cause of attacks, classify them into identified categories and come out with solutions to contain
further attacks of similar types.
Achieve Compliance: SOC 3D provides analysis dashboards to identify root causes and classifies each based on categories.
SCADAShield identifies vulnerabilities and root causes in physical control networks, including smart grids, air conditioning control
systems and more.

Point 4
Guideline: Incident investigation, forensics and deep packet analysis need to be in place to achieve the above.
Achieve Compliance: Cyberbit EDR provides incident investigation, forensics and threat hunting. SOC 3D automates and orchestrates
the incident investigation and provides advanced investigation dashboards. SCADAShield provides deep packet analysis on numerous
protocols to achieve rapid and accurate detection of threats and their cause.

Point 4
Guideline: Analytics with good dash board, showing the Geo-location of the IP’s
Achieve Compliance: SOC 3D dashboards show geo-location information. Multiple dashboards are available, for example for mapping
ATM threats and Point of Sale (POS) attacks.

Point 4
Guideline: Ability to assess threat intelligence and the proactively identify/visualize impact of threats on the bank
Achieve Compliance: SOC 3D and EDR can integrate with subscribed threat intelligence as an enrichment source to provide the details
and impact of a threat.

Point 5
Guideline: Integration of various log types and logging options into SIEM, ticketing/workflow/case management, unstructured data/big
data, reporting/dashboard, use cases/rule design
Achieve Compliance: SOC 3D can ingest SIEM data and additional logs in multiple formats.

Point 5
Guideline: Technology for improving effectiveness and efficiency (tracking of metrics, analytics, scorecards, dashboards, etc.)
Achieve Compliance: The SOC 3D investigation platform provides multiple KPI dashboards for tracking SOC efficiency.

ABOUT CYBERBIT Ltd.
Cyberbit provides a consolidated detection and response platform that protects an organization’s entire attack surface
across IT, OT and IoT networks. Cyberbit products have been forged in the toughest environments on the globe and
include behavioural threat detection, incident response automation and orchestration, ICS/SCADA security, and the
world’s leading cyber range. Since its founding in mid-2015, Cyberbit’s products have been rapidly adopted by enterprises,
governments, academic institutions and MSSPs around the world. Cyberbit is a subsidiary of Elbit Systems (NASDAQ:
ESLT) and has offices in Israel, the US, Europe, and Asia.

sales@cyberbit.com | www.cyberbit.com
APAC Office
Temasek Avenue
Centennial Tower, #21-23
Singapore 039190
Tel: +65.6679.5771

Israel Office
22 Zarchin St. Ra’anana
Israel 4310602
Tel: +972-9-7799800
