
Building resilience against cyber attacks in ASEAN through data

We’ve all heard cyberattacks are no longer a matter of ‘if’ but ‘when’. In today’s economy, where businesses are all part of a complex ecosystem of digital supply chains, decision-makers must build resilience against cyber-attacks, expecting major cyber incidents and crises to happen to them.

More importantly, however, they must do this in the context of their business and environment.  I explain two strategies that ASEAN businesses can adopt in their cyber operations today.

Cyber operations in ASEAN lack context

The average annual cost of cybercrime is rising, expected to increase from US$8.4 trillion in 2022 to more than US$23 trillion in 2027. Asia Pacific is particularly vulnerable when compared to its global counterparts, accounting for 31 per cent of all incidents remediated worldwide, according to the IBM Security X-Force Threat Intelligence Index 2023.

Respondents cited the top forms of attacks across the Asia Pacific as spear phishing by attachment (40 per cent), exploiting public-facing applications (22 per cent) and cases of external remote services and spear phishing links tied at the third place (12 per cent).

The most common action on objectives included deployments of backdoors (31 per cent), ransomware (13 per cent) and malicious documents (10 per cent). The most common impacts observed included extortion (28 per cent), impacts on brand reputation (22 per cent) and data theft (19 per cent). 

A key reason for these vulnerabilities in ASEAN is that much of the cybersecurity software adopted by businesses in Asia has been developed by firms in the US and Europe, and that software lacks the collective intelligence of the Asian context.

Hence, when it comes to cybersecurity, Asia is always catching up, and attackers are aware of that.  As a result, it’s critical that companies build a successful defence with urgency and operate based on intel specific to their business context and environment.  


The path to contextualised cyber operations depends on operationalising your data. This involves two distinct data-driven strategies:

  • Profiling strategy for understanding and prioritising data with context
  • Resilience strategy for responding and adapting to threats with context

Profiling strategy: Understand and prioritise data with context 

When it comes to cybersecurity, the first problem we solve for our customer is contextualising their data and making it operational.   

The market is not short of world-class tools that organisations can adopt to identify and detect security threats and vulnerabilities.  However, different tools generate different data that must be understood, prioritised, and acted upon for effective cyber operations.  The challenge is not the absence of data but the operationalisation of data that varies wildly in their ‘five V’s’: velocity, volume, value, variety, and veracity.

Businesses need to consolidate, process, and analyse data events before they can even decide what is important.  Solutions that aggregate and integrate data from multiple sources work largely for software-as-a-service or modern systems.  Legacy servers, on-premises or in-house systems are notoriously difficult to operationalise — and they are still very much common in ASEAN markets.

To add to the complexity, cybersecurity teams don’t just have a data management challenge; they have a data contextualisation challenge. Alerts, events, and logs must be understood, as and when they happen, in relation to the business context: the information that is unique to the organisation.

Context catalogues: Assets and controls  

To analyse data with the business context on-demand, the Human Managed platform automatically builds and continuously manages context catalogues, including but not limited to: 

  • Asset catalogue: All your uniquely identifiable assets, their criticality and their relationship to the business services and products.  
  • Control catalogue: Security controls deployed on each asset, their functions, policies, and operational status  

These catalogues form the foundation of the business context and determine the operational procedures for use cases.  For example, a bank’s critical business logic is banking transaction logic.  Knowing what assets (e.g. app, API, network) are involved in the entire transaction process and what security controls are operational on each asset is the context that will impact prioritisation and response.  

As logs, metrics, traces, and alerts get normalised and processed through the Human Managed platform, they are analysed against the current state of assets, controls, and other context attributes.  This allows for contextualisation and triage of data up front, minimising manual intervention. By the time a detection is notified to the customer, it is already prioritised based on the customer’s business context so that appropriate action can be taken.

One of our customers, a leading ASEAN conglomerate, approached us with a widely shared problem in cyber operations: effective prioritisation. They had struggled with siloed asset databases for 20+ years and managing disparate cybersecurity tools across the public cloud, software vendor cloud, and on-premise. This resulted in manual and slow cyber operations, where many issues slipped through. 

The goal was to automatically contextualise and prioritise our customer’s cybersecurity issues as and when the alerts are generated. The customer’s part of the work was done once they chose 10 data sources to provide us with the required input (alerts, logs, metrics from SaaS and on-premises systems) and context (asset databases, strategies, and business logic).


The Human Managed platform onboarded the customer’s data for continuous cyber operations in less than a month. We catalogued their assets, controls and attributes and structured their cybersecurity alerts, logs and metrics under one data schema and model. 

Resilience strategy: Respond and adapt to threats with context

Once you have visibility on your data sources and analyse them based on your business context, what do you do next — especially in the face of real threats and attacks, often with incomplete information and limited time?  

While many companies say they have a playbook (procedural steps for response), timely response presents another set of challenges, because playbooks require specific conditional steps to be executed across physical and digital assets. Even with playbooks that detail a checklist of required steps and actions, businesses are up against cyber threats and attacks with wildly varied velocity, volume, value, variety, and veracity.

Threat and attack patterns consistently change and are difficult to predict.  Therefore, having the relevant intel and action steps to react and respond — upfront and at speed — goes a long way. At Human Managed, we solve this problem by applying the same principle of contextualising security events and making them operational — not just for intel generation but for decisions and actions.

We build a customised cybersecurity playbook and runbook (detailed sequence of conditional steps) for cyber use cases and operationalise them by translating them into data flow and models and automating them wherever possible.

Context flows: Playbooks and runbooks

To analyse security exposures, threats, and attacks with the business context on-demand, the Human Managed platform builds and manages context flows, which determine the data-driven pipelines and workflows for recommended actions to fix or resolve the issue or incident in question.  Context flows are made up of playbooks and runbooks with the objective to:  

  • React: Contain and mitigate issues triaged by the platform as a short-term fix.  
  • Resolve: Remediate and resolve issues triaged by the platform as a long-term solution.  

Playbooks and runbooks form the foundation of the business context workflows and determine the operational procedures for response. They are stored and managed as databases and are triggered when the conditions of a specific use case are met.

For example, malware detected on a non-critical asset in the development environment will trigger a playbook and runbook to accept and monitor the threat, whereas the same malware detected on a critical system in the production environment will trigger multiple playbooks and runbooks simultaneously to mitigate the threat by containment and to launch the backup service.
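The following is an added example, not Human Managed’s code, showing how the context catalogues of the profiling strategy and the condition-triggered playbooks of the resilience strategy fit together: each alert is joined with an asset catalogue and a control catalogue, scored, and matched against playbook conditions. Every catalogue entry, score weight, asset name and runbook name is constructed for illustration, and an asset missing from the catalogue is surfaced as a catalogue gap rather than silently scored.

```python
"""Added example: context-driven alert triage. Alerts are joined with an asset
catalogue and a control catalogue, scored, and matched against playbook
conditions. Catalogue entries, weights and runbook names are all constructed."""

# Constructed asset catalogue: criticality, environment, business service.
ASSETS = {
    "web-01": {"criticality": "high", "env": "production", "service": "banking-transactions"},
    "dev-42": {"criticality": "low", "env": "development", "service": "internal-tooling"},
}
# Constructed control catalogue: operational status of each control per asset.
CONTROLS = {
    "web-01": {"edr": "operational", "waf": "operational"},
    "dev-42": {"edr": "degraded"},
}
CRIT_SCORE = {"low": 1, "medium": 2, "high": 3}
# Playbooks: when every condition matches the enriched alert, trigger its runbooks.
PLAYBOOKS = [
    {"when": {"detection": "malware", "env": "development"},
     "runbooks": ["accept-and-monitor"]},
    {"when": {"detection": "malware", "env": "production", "criticality": "high"},
     "runbooks": ["contain-isolate-host", "launch-backup-service"]},
]

def enrich(alert):
    """Attach asset and control context; an unknown asset is a catalogue gap."""
    asset = ASSETS.get(alert["asset"])
    if asset is None:
        return {**alert, "catalogue_gap": True, "priority": 0, "runbooks": []}
    ctx = {**alert, **asset, "catalogue_gap": False}
    # Priority: criticality weight, +1 in production, +1 per control not operational.
    score = CRIT_SCORE[asset["criticality"]] + (asset["env"] == "production")
    score += sum(1 for s in CONTROLS.get(alert["asset"], {}).values() if s != "operational")
    ctx["priority"] = score
    ctx["runbooks"] = [rb for pb in PLAYBOOKS
                       if all(ctx.get(k) == v for k, v in pb["when"].items())
                       for rb in pb["runbooks"]]
    return ctx

def triage(alerts):
    """Enrich each alert and return them highest priority first."""
    return sorted((enrich(a) for a in alerts), key=lambda c: -c["priority"])

if __name__ == "__main__":
    # Constructed alerts: the same malware detection on three different assets.
    sample = [{"asset": "dev-42", "detection": "malware"},
              {"asset": "web-01", "detection": "malware"},
              {"asset": "db-99", "detection": "malware"}]
    for c in triage(sample):
        print(c["priority"], c["asset"], c["runbooks"], "catalogue gap" if c["catalogue_gap"] else "")
```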

Security logs, metrics, traces, and alerts are processed through the Human Managed platform, and they are analysed based on the current state of assets, controls, and other context attributes such as risk threshold and tolerance. 


By the time a detection is dispatched to a customer, it is already prioritised based on the customer’s business context, with recommended playbooks and runbooks.  The above graphic provides examples of the process followed when business-context-specific conditions for digital, cyber and risk management are under threat.

Our experience with one of our clients who took no action over two years, even after 40,000 violations were generated from 100+ firewalls, demonstrates the stifling impact of complex change management and unknown implications for organisations. Human Managed prioritised three playbooks to optimise firewall rules that were immediately actionable and had a high impact. 

By embedding contextualised analysis throughout the entire security event lifecycle, a customer spends less precious time gathering intel, triaging, and responding — they can act and adapt with higher speed and accuracy, which is critical for resilient cyber operations today.  

Conclusion: Resilience by design and intervention

The foundation for cybersecurity begins with complete visibility over enterprise data and the controls around it. This allows for regular investigations into the quality of controls, while keeping a regular look-out for suspicious activities that may breach data guardrails.

Unfortunately, with heightened and ever-evolving cybercrime, the reality for established businesses is not if a business will be attacked but when. Hence, the goal becomes one of resilience, rather than defence — how soon can operations bounce back from identified threats and attacks?

The key strategic and operational change for cybersecurity leaders in today’s digital age is to see data as not only a type of asset to protect but an intelligence-generating asset that can be embedded in everyday operational decisions and actions.

This can be achieved proactively by design and systematically by intervention: contextualising data throughout its entire lifecycle, from its initial generation to the action that it triggers. When all data is understood through the lens of business priorities and analysed against defined tolerance and existing controls, businesses will improve their ability to anticipate, withstand, recover from, and adapt to threats.


The post Building resilience against cyber attacks in ASEAN through data appeared first on e27.