SIEM & SOC Infrastructure for Regional Bank

A 1,200-employee regional bank lacked real-time threat detection. Security incidents were discovered only during regulatory audits, 60+ days after they occurred, prompting a critical deficiency finding from the Federal Reserve.

Industry: Banking & Financial Services
Client Size: Enterprise
Published: Apr 27, 2026

Executive Summary

A regional bank deployed greenfield SIEM/SOC infrastructure, reducing mean time to detect (MTTD) from 60 days to 2 hours, trained 8 security analysts and achieved FFIEC regulatory compliance.

The Challenge

The client is a regional bank with $8 billion in assets and 1,200 employees operating 47 branches. Two significant incidents in the prior 18 months — a data exfiltration and a fraudulent transaction ring — were discovered during regulatory examination, 8+ weeks after occurrence.

Compliance Pressure: Federal Reserve examination explicitly cited lack of SOC capability as a critical deficiency. FFIEC guidance requires real-time detection and response capability.

Technical Baseline: Basic firewalls and antivirus only. Each department maintained separate tools with no event correlation. No incident response playbooks. Security was a part-time responsibility of 2 IT staff.

The Approach

Phase 1: Architecture & Preparation (Month 1–2)

  • Designed Splunk Enterprise in active-passive HA configuration
  • Identified 48 data sources: firewalls, servers, network devices, application logs, ATMs, authentication systems
  • Designed SOC operations: 8 analysts in 3 shifts for 24×7 coverage, escalation procedures, incident runbooks

Phase 2: SIEM Deployment (Month 3–4)

  • Deployed Splunk cluster: 12 indexers, 4 search heads
  • Configured 48 data source integrations
  • Built 85 detection rules: malware, lateral movement, data exfiltration, fraud, ATM anomalies
  • 3-week baseline learning period before alert activation

Phase 3: Analyst Training (Month 5)

  • Hired 8 security analysts; 80-hour training programme per analyst
  • Developed 23 incident response runbooks
  • Built automated playbooks: malware → isolate endpoint; unusual login → force password reset

Phase 4: Tuning & Optimisation (Month 6+)

  • Reduced false positive rate from 45% to 8%
  • Automated 95% of routine response tasks

Key Results

  • MTTD: Reduced from 60+ days to 2 hours average
  • MTTR: Reduced from 8 hours to 45 minutes via automated playbooks
  • Alert Accuracy: False positive rate 8% (vs industry average 30–40%)
  • Incidents: 847 security events in Year 1; 23 confirmed incidents, 18 contained before impact
  • FFIEC: Achieved "mature" rating; prior "deficient" rating eliminated
  • Automation: 95% of routine response automated

Financial Impact: 18 incidents contained before impact prevented estimated $2.8M in fraud losses. ~$500K in potential regulatory costs avoided.

Technical Highlights

Multi-Source Aggregation: 48 data sources, 150M+ events/day, unified via Common Information Model (CIM) for consistent field naming across all sources.

Fraud Detection: Custom rules for card testing, ATM smurfing, and fast-flux DNS patterns. Integrated with fraud prevention platform for real-time transaction blocking.
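The two preceding sections describe the pattern in outline: raw events from unrelated sources are first normalised onto common field names, and detection rules are then written once against those fields. The block below is an added example (Python, not the client's Splunk content and not the author's code) that does both on constructed data. It maps a syslog-style authentication line and a JSON payment-gateway record onto CIM-style fields (user, src, dest, action, assumed here to follow the Splunk Authentication data model convention), then runs two windowed rules over the result: a failed-login burst, and a card-testing pattern in which many distinct cards are declined at one merchant within a short window. The log lines, host names, merchant IDs, thresholds and rule names are all constructed for illustration.

```python
"""CIM-style normalisation plus windowed detection rules (added example)."""
from __future__ import annotations

import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sources (not real bank data): a Linux
# auth log and a JSON payment-gateway feed. Both formats are assumptions.
SAMPLE_LOGS = [
    "2026-03-03T10:00:01 core-ssh-01 sshd[811]: Failed password for jdoe from 10.20.1.5",
    "2026-03-03T10:00:09 core-ssh-01 sshd[812]: Failed password for jdoe from 10.20.1.5",
    "2026-03-03T10:00:17 core-ssh-01 sshd[813]: Failed password for jdoe from 10.20.1.5",
    "2026-03-03T10:00:25 core-ssh-01 sshd[814]: Failed password for jdoe from 10.20.1.5",
    "2026-03-03T10:00:33 core-ssh-01 sshd[815]: Failed password for jdoe from 10.20.1.5",
    "2026-03-03T10:05:00 core-ssh-01 sshd[900]: Accepted password for asmith from 10.20.7.9",
    '{"timestamp":"2026-03-03T11:00:00","merchant_id":"M-1001","card_last4":"4111","amount":"1.00","result":"DECLINED"}',
    '{"timestamp":"2026-03-03T11:00:20","merchant_id":"M-1001","card_last4":"4222","amount":"1.00","result":"DECLINED"}',
    '{"timestamp":"2026-03-03T11:00:40","merchant_id":"M-1001","card_last4":"4333","amount":"1.00","result":"DECLINED"}',
    '{"timestamp":"2026-03-03T11:01:05","merchant_id":"M-1001","card_last4":"4444","amount":"1.00","result":"APPROVED"}',
    '{"timestamp":"2026-03-03T11:01:30","merchant_id":"M-1001","card_last4":"4555","amount":"1.00","result":"DECLINED"}',
    '{"timestamp":"2026-03-03T11:02:00","merchant_id":"M-1001","card_last4":"4666","amount":"1.00","result":"DECLINED"}',
    '{"timestamp":"2026-03-03T11:30:00","merchant_id":"M-2002","card_last4":"5111","amount":"42.50","result":"APPROVED"}',
    '{"timestamp":"2026-03-03T11:31:00","merchant_id":"M-2002","card_last4":"5222","amount":"18.00","result":"DECLINED"}',
]

SYSLOG_AUTH = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<dest>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def normalise(raw: str) -> dict | None:
    """Map one raw line to a dict with CIM-style field names, or None if unknown."""
    m = SYSLOG_AUTH.match(raw)
    if m:
        return {
            "_time": datetime.fromisoformat(m["ts"]),
            "sourcetype": "linux_secure",
            "action": "failure" if m["outcome"] == "Failed" else "success",
            "user": m["user"], "src": m["src"], "dest": m["dest"],
        }
    if raw.startswith("{"):
        j = json.loads(raw)
        return {
            "_time": datetime.fromisoformat(j["timestamp"]),
            "sourcetype": "payment_gateway",
            "action": "failure" if j["result"] == "DECLINED" else "success",
            "user": j["card_last4"],   # the card token plays the 'user' role here
            "src": j["merchant_id"],   # the merchant is the origin of the request
            "dest": "auth-gateway",
            "amount": float(j["amount"]),
        }
    return None


def windowed_alerts(events, key_field, distinct_field, window, threshold, rule_name):
    """Generic sliding-window rule over already-normalised events.

    For each value of key_field, raise one alert when at least `threshold`
    events (or distinct values of distinct_field, if given) occur within
    `window`. One alert per key keeps the analyst queue from flooding.
    """
    alerts = []
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        by_key[ev[key_field]].append(ev)
    for key, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["_time"] - evs[start]["_time"] > window:
                start += 1
            span = evs[start:end + 1]
            count = len({e[distinct_field] for e in span}) if distinct_field else len(span)
            if count >= threshold:
                alerts.append({"rule": rule_name, "key": key, "count": count,
                               "first_seen": span[0]["_time"], "last_seen": span[-1]["_time"]})
                break
    return alerts


# Constructed rule set: (name, sourcetype, key_field, distinct_field, window, threshold).
RULES = [
    ("brute_force_login", "linux_secure", "user", None, timedelta(minutes=2), 5),
    ("card_testing", "payment_gateway", "src", "user", timedelta(minutes=10), 5),
]


def run_rules(raw_lines):
    """Normalise raw lines, then evaluate every rule on its failure events."""
    events = [e for e in map(normalise, raw_lines) if e]
    alerts = []
    for name, sourcetype, key_field, distinct_field, window, threshold in RULES:
        subset = [e for e in events if e["sourcetype"] == sourcetype and e["action"] == "failure"]
        alerts.extend(windowed_alerts(subset, key_field, distinct_field, window, threshold, name))
    return alerts


if __name__ == "__main__":
    for a in run_rules(SAMPLE_LOGS):
        print(a)
```

Because both rules read only the normalised fields, adding a third source (for instance ATM authorisations) means writing one more branch in normalise, not rewriting the rules; that is the practical payoff of the CIM approach the case study relies on.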

Automated Incident Response: 8 core playbooks — malware detection triggers automatic endpoint isolation, memory capture, and SOC notification within 90 seconds, no analyst intervention required.

Behavioural Analytics: Splunk UBA caught insider threat in Month 9 accessing customer records outside assigned role scope.

Lessons Learned

Best Practices: Build the analyst team alongside the SIEM, not after. Over-provisioning infrastructure while under-hiring analysts is a common mistake. Clear career paths improve retention — 4 of 8 analysts were promoted to senior roles.

Common Pitfalls: Alert fatigue kills SOCs — target <15% false positive rate. 24×7 operations need adequate staffing (minimum 3 shifts × 3 people). Do not underestimate Splunk storage costs; 150M events/day with 30-day retention requires significant infrastructure budget.

Tools & Technologies Used

Splunk Enterprise: SIEM platform for log aggregation, correlation, and real-time threat detection

Splunk UBA: Machine learning for detecting anomalous user activities

Splunk Enterprise Security: Pre-built apps for financial services threat detection and investigations

PagerDuty: Alert routing and on-call management for SOC escalation

ServiceNow ITSM: Incident ticket management and runbook automation

CyberArk PAM: Privileged account management for SOC analyst credentials

Tanium: Endpoint visibility and automated response

About the Author

Basim Ibrahim, OSCP, is a cybersecurity specialist with expertise in zero trust architecture, privileged access management, and security operations centers. This case study reflects real-world experience, anonymized to protect client confidentiality.

Need Similar Security Solutions?

If your organization faces similar security challenges, I'd be happy to discuss how these approaches can be adapted to your specific needs.
