Cyber Resilience: Automating Incident Response By 75 Per Cent
The growing cost of cybersecurity for organisations is becoming exponentially difficult to quantify. This complexity makes it challenging to build a business case that can gain approval at decision-making levels, and cybersecurity tends to be deprioritised to the point of being an afterthought until the worst happens.
According to Communications Authority, cyber-attacks on Kenyan organisations rose by nearly 50 per cent in the last three months of 2020 compared to a similar period the previous year. The report further shows that more than 56 million cyber threats were detected nationwide in comparison to 37.1 million in 2019. Most of the threats were malware attacks at 46 million, followed by web application attacks at 7.8 million while 2.2 million Distributed Denial of Service (DDoS) threats were detected during the same period.
The increase in detected cyber threats was attributed to the move to remote working and the greater uptake of e-commerce in response to the COVID-19 pandemic. Digital transformation had long existed on paper as a strategy, but it was only now being put into practice. This increased the exposure of organisations and businesses to cybercriminals, who targeted remote working systems and tools, as well as e-commerce sites, for fraudulent gain.
The impact of these cyber-attacks includes, but is not limited to, substantial monetary and brand equity loss resulting from financial crimes such as fraud, where customer bank accounts are compromised and forensic investigation finds no trace of the perpetrators or of the methodology used in the crime.
There is constant, mounting pressure on cybersecurity personnel and heads of IT departments to tie up all loose ends: to ensure that corporate networks are well designed, that defence tools are properly utilised and, most importantly, that quick recoveries and reduced downtimes are achieved by applying timely mitigation controls.
Resilient organisations need constant visibility of their systems. The ideal is to respond to cyber-attacks in a timely manner, but this is hardly ever the case because of several challenges: many disparate systems that make it hard to aggregate and make sense of the events they generate, and limited skills and staff to tackle the evolving threat landscape.
A standard model for a security team to tackle the range of potential attacks requires a wide knowledge base spanning incident response, offensive and defensive security, threat hunting, analysis, and remediation. Collaboration between all of these specialists, where they exist within an organisation, can take hours, days, or in some cases months to close a single case.
Working in security operations can be a constant battle
Whilst speed and efficiency are vital, ensuring that all your corporate systems work in harmony is easier said than done. Analysts often find themselves weighed down by alerts from different technologies, and obtaining and correlating the data needed to separate genuine threats from false positives can be onerous. Coordinating the appropriate response measures to remediate those threats is another challenge entirely, bringing the organisation to a point of cyber fatigue.
Modern attackers are leveraging automation in their exploits. Failing to use automation to combat these threats is a losing battle; organisations must adopt automation, employing intelligent systems to resolve what would otherwise be impossible manually. Harnessing the full potential of automation to respond to cybersecurity incidents in a timely manner requires the synchronisation of all the cyber defence tools an organisation has. Furthermore, human intervention may occasionally be required to review stages in the automation process or to run parallel investigations.
Security Orchestration, Automation and Response can help you reduce response time by 86 per cent
Lack of visibility is a widespread challenge that underlies the vast majority of network and application performance issues, and it has been getting harder to address over the last few years because of the growth of cloud computing. To navigate this challenge, organisations should employ a collection of software solutions and tools that enables them to streamline security operations in three key areas: threat and vulnerability management, incident response, and security operations automation. Security Orchestration, Automation and Response (SOAR) tools are designed to plug into the existing architecture, orchestrate the defence tools already in place, and reduce response times by as much as 86 per cent once the right automation workflows are implemented.
The purpose of SOAR is to alleviate performance challenges by improving efficiency. A standardised process for data aggregation supports both human-led and machine-led analysis, and automating the detection and response processes reduces alert fatigue, freeing analysts to focus on tasks that require deeper human analysis and intervention. Where the workflow defines it, human input is solicited, and at the end of an investigation the remediation steps are carried out. The platform also produces an investigation summary report that details the investigation steps and the mean time to respond.
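The SOAR workflow described above, as an added illustration that is not part of the original article or any vendor's product: alerts from two disparate tools are normalised into one schema, triaged automatically against constructed threat intelligence, passed to a human approval gate only where the playbook defines it, and summarised with the mean time to respond. All tool names, field names and indicator values are constructed for the example.

```python
from datetime import datetime

# Constructed alerts from two disparate tools, each with its own field names.
RAW_ALERTS = [
    {"tool": "edr", "time": "2021-03-01T08:00:00", "asset": "ws-17", "hash": "aa11", "severity": "high"},
    {"tool": "waf", "ts": "2021-03-01T08:05:00", "client": "198.51.100.7", "rule": "sqli", "level": 3},
    {"tool": "edr", "time": "2021-03-01T08:10:00", "asset": "srv-02", "hash": "bb22", "severity": "low"},
    {"tool": "waf", "ts": "2021-03-01T08:12:00", "client": "203.0.113.9", "rule": "rce", "level": 3},
]
# Constructed threat intelligence: indicators already known bad, and one known benign.
KNOWN_BAD = {"aa11", "198.51.100.7"}
KNOWN_BENIGN = {"bb22"}
# Constructed "current time" at which the playbook run closes its cases.
DEMO_NOW = datetime(2021, 3, 1, 8, 15)

def normalise(raw):
    """Standardised aggregation: map each tool's schema onto one common record."""
    if raw["tool"] == "edr":
        return {"source": "edr", "seen": datetime.fromisoformat(raw["time"]),
                "indicator": raw["hash"], "target": raw["asset"], "severity": raw["severity"]}
    if raw["tool"] == "waf":
        sev = {3: "high", 2: "medium"}.get(raw["level"], "low")
        return {"source": "waf", "seen": datetime.fromisoformat(raw["ts"]),
                "indicator": raw["client"], "target": raw["rule"], "severity": sev}
    raise ValueError(f"unknown tool {raw['tool']}")

def triage(alert, approve):
    """Automated decision; human input is solicited only at the defined gate."""
    if alert["indicator"] in KNOWN_BENIGN:
        return "closed_false_positive"       # no analyst time spent
    if alert["indicator"] in KNOWN_BAD:
        return "auto_contained"              # fully automated remediation
    if alert["severity"] == "high":
        return "contained" if approve(alert) else "escalated"  # human approval gate
    return "queued_for_review"

def run_playbook(raw_alerts, approve, now):
    """Run every alert through normalise -> triage and build the summary report."""
    steps, response_times = [], []
    for raw in raw_alerts:
        alert = normalise(raw)
        outcome = triage(alert, approve)
        steps.append((alert["source"], alert["indicator"], outcome))
        if outcome in ("auto_contained", "contained", "closed_false_positive"):
            response_times.append((now - alert["seen"]).total_seconds())
    mttr = sum(response_times) / len(response_times) if response_times else None
    return {"steps": steps, "mean_time_to_respond_s": mttr}

if __name__ == "__main__":
    report = run_playbook(RAW_ALERTS, approve=lambda a: True, now=DEMO_NOW)
    for step in report["steps"]:
        print(step)
    print("Mean time to respond (s):", report["mean_time_to_respond_s"])
```

Swapping `approve=lambda a: False` shows the effect of the human gate: the unknown high-severity alert is escalated instead of contained and is left out of the mean time to respond.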
A typical case in Kenya
The Central Bank of Kenya (CBK) requires every financial institution to operate a Security Information and Event Management (SIEM) system, a tool that generates real-time alerts of potential attacks on their networks and systems. Security and IT teams within these financial institutions are often preoccupied with the day-to-day work of maintaining technology infrastructure and barely have time to focus on the thousands of security logs trickling in. Moreover, committing to log analysis leads to analyst fatigue, causing them to miss important artefacts or indicators during analysis or investigation. The natural fall-back is digital forensics, where investigations only take place once a security breach has occurred. This approach is detrimental to business performance, as the mean time to respond becomes unnecessarily long.
The increase in cyber-attacks is not going to slow anytime soon, as adversaries continue automating their processes to achieve even higher success rates. It is time for organisations to respond appropriately by automating their incident response procedures, development, and practice; taking more control of existing tools; and utilising resources more effectively. How much damage an attack or breach does is going to depend on one common denominator: TIME. In a brutally competitive market, time is a valuable resource – the time spent recovering and resuming optimal business operations after a breach has a direct impact on the success and relevance of the organisation.