Complying with Risk Management in Technology (RMiT) requirements

PIKOM recently organised a cybersecurity sharing session with cybersecurity services and solutions provider, Firmus, and cybersecurity vendor, Crowdstrike.

Newly-minted FIRMUS Senior VP of Business Development, Rodney Lee, is a long-established cybersecurity professional, best known for his daily threat intelligence broadcast feed to over 160 CxOs. He was joined by Crowdstrike regional head Ajay Kumar for a fireside chat with nearly 200 business and technology decision makers who attended the session.

Rodney combines his subject matter expertise and consultancy experience with Firmus’s extensive portfolio of cybersecurity solutions, services, and training.

“With our combined strengths, we are talking about almost 20 compromise assessment (CA) projects in the past 18 months,” he observed before opining, “I don’t know anyone else who has done this many CAs in the country, so you are in good hands if you are looking for a CA partner!”

Compromise assessment is one of many requirements that the financial services regulator, Bank Negara Malaysia, has set out for financial services institutions (FSIs). This and the other requirements the FSI industry has to comply with are laid down in the Risk Management in Technology (RMiT) policy document, which Bank Negara released in 2019.

The CA methodology

Rodney emphasised that Firmus’ CA methodology focuses on short-term and long-term solutions.

He also pointed out the importance of products that provide solutions at scale. “Technology allows you to scale and spread your coverage, while providing accuracy and speed. It frees your people from mundane tasks, to do very informed decision-making.”

“The compromise assessment must not be a firefighting situation, right? It must be something that leads you to your Incident Response (IR) plan.”

“And you’d need a very, very strong team of consultants to also ensure that the technology you use is set at the parameters that give data. You want to see tangible and intangible information, so that you can make a decision.”

He recommended an end-to-end mindset and approach.

Another way to think of it is as a playbook of what to do in certain scenarios.

“Subsequently, you will begin to put down the steps to take to remediate, and also end up with managed detection and response. So, you start with a short-term solution which is compromise assessment and incident response, followed by a long-term solution which is managed detection and response.

“What you want is the ability to respond within a single day to any kind of APT attack that you can find within your network,” the senior VP said.

Visibility

One cannot defend against what one cannot see. This is where visibility comes in, but the challenge many organisations face is the variety of brands, devices, and operating systems that exist in their environments.

“Today, there are thousands, and some even claim there are millions of logs to read, incidents to review, and subsequently reports to write up,” Rodney shared.

Due to the scale and huge number of endpoints involved, there must be proper tools to analyse the real cyber incidents, and these all must lead to a report that is conclusive, with real insights that can be acted upon with speed.

We cannot run away from putting the right tools or products into place, he also opined. They can help to overcome the issue of variety, volume, and velocity.

Rodney explained that their CA methodology addresses this, and that a successful CA must include processes to assess and read from a variety of data sources (i.e. logs).

“Some of the big banks today have 20,000 to 25,000 endpoints in place. You can’t be doing it with just people, and tools have a role to play here.”

Rodney added that human experience will play a big role in identifying threats, as well as in providing short-term and long-term mitigation plans.

Firefighting a threat does not mean that the threat will not arise again, which is why a long-term mitigation plan is crucial.

“You don’t want to be going through the same cycle over and over, addressing the issue as if you are just firefighting it,” Rodney concluded.

Key takeaways from the vendor

Crowdstrike’s regional head Ajay Kumar followed up Firmus’ presentation with some statistics the vendor has observed about reported breaches.

“The number of external reporting about breaches is increasing. This is because those breaches and incidents are becoming more sophisticated, and organisations are not able to detect those cases.”

For example, in one particular case, a law enforcement agency found an organisation’s data on the dark web and alerted the organisation to it.

Ajay described what he called a golden rule: organisations need the capacity and capability to detect in one minute, to understand and respond in 10 minutes, and to remediate and eject the adversary within 60 minutes.

Another trend shared was that manufacturing was the sector hit hardest by cybersecurity breaches.

“If you are in information security long enough, you see that signature-based technology is not going to help at all.

“You need to have a next-generation machine learning, AI-based solution, or behavioural-based technology which can take care of your malware-free attacks as well,” Ajay said.

Crowdstrike defines malware-free attacks as any attack in which the initial tactic did not result in a file or file fragment being written to disk.

The vendor is also focused on reducing dwell time, the period an adversary or malicious software spends undetected in an organisation’s environment.

“If you take a longer time to detect and respond to any malicious artefact, or any malicious activity, it is going to give you maximum damage.”