Innovating Logs at a State-of-the-Art Banking IT Infrastructure

Tiit Hallas, Head of Information Security
 
Knowing we can parse and analyse any data we encounter gives me an undefeatable sense of “we can do this”. This is why I’m happy with SpectX - digging in logs with this tool is effortless for all our tech teams. As a bonus, our log quality has notably improved because developers are now both motivated creators as well as avid consumers of raw log data.
 
We’ve got about 30-40 people working with logs daily at LHV: the infosec team, sysadmins and developers. First, the infosec team. Anything can happen, and we know we can look it up from the logs without wiggling our way into production machines. We’re also using SpectX as a monitoring tool to find anomalies in payments, cards, internet bank, network scans and perimeter breaches. Looking both at shorter as well as longer intervals is easy.
 
It used to be trickier to sync log changes with developers. They would sometimes tweak a thing or two or add a field to the application logs. This would break our parser, leaving the infosec team blind. We’re now gratefully accepting whatever they’ve created without the need to check if changes have been made, because with SpectX we can instantly modify the parser and make sense of the data we need when we need it.
 
Secondly, SpectX has given a bird’s-eye view to sysadmins. For example, we have about a dozen nodes in the internet bank. Admins no longer have to look each node up separately. It gives us the opportunity to look at things across various folders quickly. A typical admin day now begins with coffee and “Hey, SpectX, give me all the error logs of the payment engine.”
 
Thirdly, developers now instantly see what’s going on in the live systems. As the head of infosec, I can sleep considerably better if the developers have no access to production. Instead, they’re simply looking at logs to see how their work is affecting production in real time. A positive side effect is this: developers’ interest in logs has boosted our log quality quite a lot since they are now genuinely interested in extracting more quality information from the raw data.
 
Lastly, the appetite of the business side is growing. For example, we recently introduced instant payments, moving transactions within seconds day and night. SpectX helps us to monitor these payments (the hack: cron runs a .sx query at certain intervals, receives JSON, posts into Zabbix).
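The cron → .sx query → JSON → Zabbix pipeline described above, as an added example that is not LHV’s or SpectX’s own code: the query execution is stubbed out by an assumed `run_sx_query()` that returns a constructed sample (the row fields `payment_id`, `status`, `latency_ms` and the 10-second SLA are assumptions, not SpectX’s schema), the rows are reduced to a few counters, and the counters are written in the `<host> <key> <timestamp> <value>` line format that `zabbix_sender -T -i <file>` accepts.

```python
import json
import time

# Constructed sample standing in for the JSON the cron-driven .sx query would return.
# Field names are assumptions for illustration, not SpectX's real output schema.
SAMPLE_JSON = json.dumps([
    {"payment_id": "p1", "status": "SETTLED", "latency_ms": 1800},
    {"payment_id": "p2", "status": "SETTLED", "latency_ms": 12400},
    {"payment_id": "p3", "status": "REJECTED", "latency_ms": 900},
    {"payment_id": "p4", "status": "SETTLED", "latency_ms": 3100},
])

SLA_MS = 10_000  # assumed: an "instant" payment should settle within 10 seconds


def run_sx_query():
    """Placeholder for running the .sx query from cron; returns the constructed sample."""
    return SAMPLE_JSON


def summarise(rows, sla_ms=SLA_MS):
    """Reduce query rows to the counters Zabbix will trend and trigger on."""
    total = len(rows)
    rejected = sum(1 for r in rows if r["status"] != "SETTLED")
    # Settled but slower than the SLA: the early warning that the flow is degrading
    slow = sum(1 for r in rows if r["status"] == "SETTLED" and r["latency_ms"] > sla_ms)
    worst = max((r["latency_ms"] for r in rows), default=0)
    return {"total": total, "rejected": rejected, "slow": slow, "worst_latency_ms": worst}


def zabbix_sender_lines(metrics, host="paymentengine", ts=None):
    """Format metrics as '<host> <key> <clock> <value>' lines for `zabbix_sender -T -i file`."""
    ts = int(time.time()) if ts is None else ts
    return [f"{host} instantpay.{key} {ts} {value}" for key, value in sorted(metrics.items())]


def main():
    rows = json.loads(run_sx_query())
    # Write to stdout; cron can redirect this to the file zabbix_sender reads
    print("\n".join(zabbix_sender_lines(summarise(rows))))


if __name__ == "__main__":
    main()
```

Triggers on `instantpay.rejected` and `instantpay.slow` in Zabbix then give the alerting; the script itself only produces the numbers.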
 
We did look at alternatives when considering SpectX but were not happy with the other options. It came down to either SpectX, Splunk or in-house dev. Splunk would have been expensive, and we would have needed to duplicate our data. That is, have the logs on our central log server and then send them to Splunk, too. In-house would have been very time-consuming and not reasonable if the same thing (SpectX) already exists. And hey - we can still endlessly build custom solutions on top of SpectX using the API. Quickly using logs from the storage is a convenient approach for us.
 
All in all, logs and the knowledge extracted from them are now bringing teams together at LHV. I’m happy with the strong visibility giving us a stoic mindset towards security incidents. And - our logs, thanks to our developers, are better than ever.
 
About LHV
LHV is a financial group providing customers with banking services and pension funds, based in Tallinn and London. It is one of the largest brokers on the NASDAQ OMX Baltic stock exchanges and the largest broker for Baltic retail investors in international markets. LHV is considered an innovative link between FinTech companies and banking infrastructure, and an excellent example of open banking.
