
Data-driven security: building resilience against cyber attacks in ASEAN

We are well aware that cyberattacks have shifted from being a possibility to an inevitability. In today’s interconnected digital economy, where businesses form intricate networks within the supply chain, it is imperative for decision-makers to proactively establish resilience against cyber threats. They must anticipate encountering significant cyber incidents and crises. Moreover, they must tailor their approach to suit the unique characteristics of their business and operating environment. In this article, I dissect two strategies that ASEAN businesses can implement in their cyber operations starting today.

Cyber operations in ASEAN lack context

The average annual cost of cybercrime is on the rise, expected to increase from $8.4 trillion in 2022 to more than $23 trillion in 2027. Asia Pacific is particularly vulnerable when compared to its global counterparts, accounting for 31% of all incidents remediated worldwide according to the IBM Security X-Force Threat Intelligence Index 2023. Studies estimate that the top 1,000 companies in Southeast Asia are at risk of losing $750 billion in market capitalisation because of cybersecurity threats.

According to the 2023 Palo Alto ASEAN State of Cybersecurity report, respondents view the following as the top drivers of cybersecurity threats:

One primary factor contributing to these vulnerabilities within ASEAN is the prevalent use of cybersecurity software developed by companies based in the US and Europe, which lack a comprehensive understanding of the unique nuances of the Asian landscape.

Consequently, the region is consistently playing catch-up in the realm of cybersecurity, a fact that attackers exploit to their advantage. Hence, it is imperative for companies to swiftly establish robust defense mechanisms, leveraging intelligence tailored to their specific business context and environment.

Achieving contextualized cyber operations hinges on the effective operationalization of your data. This involves two distinct data-driven strategies:

  1. Profiling strategy for understanding and prioritizing data with context 
  2. Resilience strategy for responding and adapting to threats with context

Profiling strategy: Context is key for understanding and prioritizing data 

When it comes to cybersecurity, we always begin by contextualizing our customer’s data and making it operational.  

While the market offers numerous top-tier tools for organizations to adopt in identifying and detecting security threats and vulnerabilities, each tool generates distinct datasets. These in turn necessitate understanding, prioritization, and prompt action for effective cyber operations. The primary challenge lies not in the absence of data but rather in operationalizing data, which varies significantly across the “5 V’s”: velocity, volume, value, variety, and veracity. Businesses need to consolidate, process, and analyze data events before they can even decide what is important. Solutions that aggregate and integrate data sources work largely for software-as-a-service or other modern solutions. Legacy servers and on-premises or in-house systems are notoriously difficult to operationalize, and they are still very much common in ASEAN markets.

Further complicating matters, cybersecurity teams are confronted not only with a data management obstacle but also with a data contextualization challenge. Alerts, events, and logs must be understood in relation to the business context, made up of the organization’s own information, as and when they happen.

Context Catalogs: assets & controls 

To analyze data with the business context on-demand, the Human Managed platform automatically builds and continuously manages Context Catalogs, including but not limited to:

These catalogs establish the groundwork for the business context and dictate the operational procedures for various use cases. For example, a bank’s critical business logic is its banking transaction logic. Knowing which assets (e.g. app, API, network) are involved in the entire transaction process, along with the security controls operational on each asset, is crucial contextual information that will impact prioritization and response.

Our client, a prominent conglomerate in ASEAN, came to us with a common challenge in cyber operations: the need for effective prioritization. For over two decades, they grappled with fragmented asset databases and the management of diverse cybersecurity tools across public cloud, software vendor cloud, and on-premise environments. This led to manual and sluggish cyber operations, resulting in numerous issues slipping through unnoticed.

The goal was to automatically contextualise and prioritise our customer’s cybersecurity issues as and when the alerts are generated. The customer’s part of the work was complete once they chose 10 data sources to provide us with the required input (alerts, logs, metrics from SaaS and on-prem systems) and context (asset databases, strategies, and business logic). In less than a month, the HM platform seamlessly integrated the customer’s data for ongoing cyber operations. We meticulously categorized their assets, controls, and attributes, and organized their cybersecurity alerts, logs, and metrics within a unified data schema and model.

Resilience strategy: respond and adapt to threats with context 

After gaining visibility of your data sources and analyzing them within the framework of your business context, what are the subsequent steps to take, particularly when confronted with genuine threats and attacks, often amid incomplete information and constrained timeframes?

Although numerous companies claim to possess a playbook outlining procedural response steps, achieving a timely reaction poses another challenge, as it necessitates the execution of specific conditional steps across both physical and digital assets. Even with playbooks that detail a checklist of required steps and actions, businesses are up against cyber threats and attacks with wildly varied velocity, volume, value, variety, and veracity.

Threat and attack patterns are always changing and unpredictable. Hence, having the relevant intel and action steps at hand and ready for speedy response is critical. At Human Managed, we solve this problem by applying the same principle of contextualizing security events and making them operational, not just for intel generation, but for decisions and actions. We craft tailored cybersecurity playbooks and runbooks, comprising detailed sequences of conditional steps for various cyber scenarios. These frameworks are operationalized by translating them into data flows and models, with automation implemented whenever feasible.

Context Flows: playbooks & runbooks 

For on-demand analysis of security exposures, threats, and attacks within the business context, the Human Managed platform constructs and oversees Context Flows. These flows establish data-driven pipelines and workflows, guiding recommended actions to address or mitigate the identified issues or incidents. Context Flows are made up of playbooks and runbooks with the objective to: 

Playbooks and runbooks serve as the cornerstone of business context workflows, establishing operational protocols for response. Stored and managed as databases, they are activated when specific conditions within use cases are fulfilled. For instance, the detection of malware on a non-critical asset in a development environment will activate a playbook and runbook to acknowledge and monitor the threat. Conversely, if the same malware is detected on a critical system in a production environment, multiple playbooks and runbooks will be triggered simultaneously to contain the threat and initiate backup services.
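The two mechanisms described above, a context catalog of assets and their controls, and playbook rules that fire when an alert's context satisfies their conditions, can be sketched in a few dozen lines. The example below is an added illustration written for this page; it is not Human Managed platform code, and every asset id, control name, playbook name and rule is constructed. It reproduces the two malware scenarios in the text (non-critical development asset versus critical production system) and adds the failure mode the earlier case study hints at: an alert for an asset that is missing from the catalog is routed to a dedicated review playbook instead of being silently dropped.

```python
"""Context-aware alert triage: constructed illustration of the asset-catalog and
playbook-dispatch pattern (hypothetical data, not a vendor's implementation)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                 # e.g. "app", "api", "network", "server"
    environment: str          # "production" or "development"
    critical: bool            # part of critical business logic, e.g. transaction flow
    controls: frozenset       # security controls operational on this asset


# Constructed context catalog: a few sample assets, not a real inventory.
ASSET_CATALOG = {
    "api-payments-01": Asset("api-payments-01", "api", "production", True,
                             frozenset({"edr", "waf", "backup"})),
    "web-dev-sandbox": Asset("web-dev-sandbox", "app", "development", False,
                             frozenset({"edr"})),
    "fw-branch-07": Asset("fw-branch-07", "network", "production", True,
                          frozenset({"logging"})),
}

# Controls a critical asset is expected to carry; gaps are surfaced at triage time
# so responders know in advance if e.g. a backup playbook has nothing to restore.
REQUIRED_ON_CRITICAL = frozenset({"edr", "backup"})


@dataclass(frozen=True)
class Alert:
    source: str      # tool that raised the alert
    asset_id: str    # asset the alert refers to
    category: str    # e.g. "malware", "policy_violation"


# Playbook rules kept as table rows, in the spirit of playbooks "stored and managed
# as databases". A None field means "any value". Names are hypothetical.
PLAYBOOK_RULES = [
    {"playbook": "acknowledge_and_monitor",  "category": "malware", "critical": False, "environment": None},
    {"playbook": "contain_threat",           "category": "malware", "critical": True,  "environment": "production"},
    {"playbook": "initiate_backup_services", "category": "malware", "critical": True,  "environment": "production"},
    {"playbook": "isolate_for_review",       "category": "malware", "critical": True,  "environment": "development"},
    {"playbook": "review_firewall_rule",     "category": "policy_violation", "critical": None, "environment": None},
]


def enrich(alert: Alert, catalog: dict) -> dict:
    """Attach business context from the catalog to a raw alert."""
    asset: Optional[Asset] = catalog.get(alert.asset_id)
    return {"alert": alert, "asset": asset, "catalog_gap": asset is None}


def prioritize(enriched: dict) -> str:
    """Map context to a priority band; unknown assets cannot be judged, so they are not P3."""
    asset = enriched["asset"]
    if asset is None:
        return "P2"
    if asset.critical and asset.environment == "production":
        return "P1"
    if asset.critical or asset.environment == "production":
        return "P2"
    return "P3"


def select_playbooks(enriched: dict, rules=PLAYBOOK_RULES) -> list:
    """Return every playbook whose conditions the enriched alert satisfies."""
    asset = enriched["asset"]
    if asset is None:
        return ["catalog_gap_review"]   # fix the catalog before acting on the alert
    alert = enriched["alert"]
    selected = []
    for rule in rules:
        if rule["category"] != alert.category:
            continue
        if rule["critical"] is not None and rule["critical"] != asset.critical:
            continue
        if rule["environment"] is not None and rule["environment"] != asset.environment:
            continue
        selected.append(rule["playbook"])
    return selected


def missing_controls(enriched: dict) -> list:
    """Controls a critical asset should have but the catalog says it lacks."""
    asset = enriched["asset"]
    if asset is None or not asset.critical:
        return []
    return sorted(REQUIRED_ON_CRITICAL - asset.controls)


def triage(alert: Alert, catalog=ASSET_CATALOG) -> dict:
    """Full pipeline: raw alert -> context -> priority, playbooks and control gaps."""
    enriched = enrich(alert, catalog)
    return {
        "priority": prioritize(enriched),
        "playbooks": select_playbooks(enriched),
        "missing_controls": missing_controls(enriched),
    }


if __name__ == "__main__":
    for a in (Alert("edr", "web-dev-sandbox", "malware"),
              Alert("edr", "api-payments-01", "malware"),
              Alert("edr", "ghost-host", "malware"),
              Alert("fw", "fw-branch-07", "policy_violation")):
        print(a.asset_id, a.category, "->", triage(a))
```

The same malware signature yields one monitoring playbook for the sandbox and two simultaneous containment playbooks for the payments API purely because of the catalog context, which is the point of the article's example; the `missing_controls` field on the branch firewall shows why the controls half of the catalog matters for response as well as for prioritization.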

Our experience with one of our clients who took no action over 2 years, even after 40,000 violations were generated from 100+ firewalls, demonstrates the stifling impact of complex change management and unknown implications for organisations. Human Managed strategically prioritized three playbooks aimed at optimizing firewall rules, which were promptly actionable and yielded significant impact. By integrating contextualized analysis across the entirety of the security event lifecycle, the client now expends less valuable time on intel gathering, triaging, and response. Instead, they can swiftly act and adapt with enhanced speed and precision, crucial elements for fostering resilient cyber operations in today’s landscape.

Resilience by Design and Intervention 

Gaining comprehensive visibility into enterprise data and corresponding controls is critical for cybersecurity. Visibility allows for regular investigations into the quality of controls, while keeping a regular look-out for suspicious activities that may breach data guardrails. The reality for established businesses is not if a business will be attacked but when. Hence the goal becomes one of resilience rather than defence: how soon can operations bounce back from identified threats and attacks?

The need of the hour is to see data not only as an asset to protect, but as an intelligence-generating resource that can be embedded in daily operational decisions and actions. This involves a proactive design and systematic intervention process of contextualizing data throughout the entire lifecycle, from its initial generation to the action that it triggers. When all data is understood from the lens of business priorities, and analyzed based on defined tolerance and existing controls, businesses will improve their ability to anticipate, withstand, recover from, and adapt to threats.

The article titled “Data-driven security: building resilience against cyber attacks in ASEAN” was contributed by Karen Kim, CEO, Human Managed

About the author

Karen is the CEO of Human Managed, the ASEAN cloud-native data platform that empowers businesses to make smarter decisions and faster actions for cyber, digital and risk outcomes.

She aligns HM’s purpose to strategy — and strategy to what they call “Distributed Ops” for data-driven solutions, including DataOps, MLOps, and IntelOps. She enjoys combining her learnings, love for design-thinking, and service-first mindset to various domains, be it branding, service design, and business development.
