Slash Incident Resolution Time - From 30 Days to 1

vshabad 11 views 15 slides Jun 26, 2024

About This Presentation

Presentation on the CRESTcon Europe 2024 conference


Slide Content

Slash Incident Resolution Time: From 30 Days to 1
Vsevolod (Sam) Shabad, CISSP, CCSP, MBCS
Interim CTO @ Gemba Finance (UK)
ex: CISO @ Halyk Bank (Kazakhstan)
CRESTcon Europe 18-Jun-2024

Briefly about me: the international octopus
•IT/OT Security
•Cloud Technologies
•Risk Management
•Compliance
•Data Science, ML & AI
•Project Management
•Culture Changes
•Fraud Prevention
•Cybersecurity

Halyk Bank (LSE: HSBK) at a glance (2021)
•£3.3B market cap
•£20.2B assets
•9M retail clients
•3K corporate clients
•589 branches
•4.5K cash machines
•13K staff
•15.5M cards
•148K POS terminals

Cybersecurity Team
•SOC
•L1 – 6x2 (24x7)
•L2 – 2x3 (8x5)
•SIEM developers – 4
•Red Team
•penetration testers – 2
•cyber risk analysts – 2
•business analysts – 2
•Cyber architects – 5
•Anti-Fraud
•L1 – 20 (contact center)
•L2 – 10 analysts
•L3 – 5 researchers / data scientists
•Methodology/compliance – 10
•Cybersecurity tools support
•engineers – 4
•Applications Security
•…IT

Cyber incident definitions
•“Violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices” (NIST SP 800-61r2)
•“Related and identified information security event(s) that can harm an organization's assets or compromise its operations” (ISO 27035-1:2023)
•“Any occurrence that has impact on any of the components of the cyber space or on the functioning of the cyber space, independent if it’s natural or human made; malicious or non-malicious intent; deliberate, accidental or due to incompetence” (ENISA overview of cybersecurity and related terminology)

Why is slashing incident time so important?
•Minimises damage from cyber attacks
•Reduces customer losses due to fraud
•Maintains company reputation and customer trust
•Complies with incident response time regulations
•Key CISO success metric for the board

Key measures to improve resolution time
•Separate incidents from problems
•Set WIP limits for incidents
•Switch from assigning to pulling incidents
•Create cross-functional teams
•Focus on incidents nearing SLA breach

Separate incidents from problems (ITIL)
•Incident registration and triage
•Damage containment
•Incident recovery
•Authority notification
•Root cause investigation
•Root cause elimination
•Evidence collection

Incident (on-line) vs. Problem (near-line)

Set WIP limits for incidents (Kanban)
Board columns: SOC officer | New | In-Progress (WIP Limit = 2) | Resolved
Rows: John, Alex, Mary

John and Alex must resolve at least one incident before getting a new one.
Mary can take on a new incident when she is ready.

Switch from assigning to pulling incidents
Clear prioritisation and assignment rules eliminate the delays of manual assignment and remove the need for a “conductor”.

Create cross-functional teams
3 weeks
Before:
1. Incident queue for L1 (simple)
2. Incident queue for L2 (complex)

After:
1. Incident queue (L1+L2)
2. Problem queue (L1+L2)
+ active assistance of L2 to L1 officers

Focus on incidents nearing SLA breach
(sample Kanban scatterplot from https://getnave.com/blog/kanban-cycle-time-scatterplot-patterns/)
95%
•Why?
•What happens?
•How to address?
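The four practices on the preceding slides (a WIP limit per SOC officer, officers pulling work instead of being assigned it, a pull rule that takes the incident nearest to SLA breach first, and filing root-cause work as a separate problem record) fit together as one small board model. The following Python is an added illustration, not code from the presentation or from Halyk Bank; the class and method names, the 20% "nearing breach" threshold and the sample incidents are all constructed for this example.

```python
"""WIP-limited pull board for SOC incidents (constructed example, not from the talk)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Incident:
    id: str
    opened_at: datetime
    sla: timedelta
    severity: int = 3  # 1 = most severe; only used to break ties on SLA time left

    def remaining(self, now: datetime) -> timedelta:
        """Time left before this incident breaches its SLA (negative = already breached)."""
        return self.opened_at + self.sla - now


@dataclass
class Officer:
    name: str
    wip_limit: int = 2          # the "In-Progress (WIP Limit = 2)" column
    wip: list = field(default_factory=list)

    def can_pull(self) -> bool:
        return len(self.wip) < self.wip_limit


class IncidentBoard:
    """New -> In-Progress (per-officer WIP limit) -> Resolved.

    Root-cause work is not tracked on the incident board: resolving an incident
    whose root cause is unknown files a separate problem record (ITIL split).
    """

    def __init__(self) -> None:
        self.new: list = []
        self.resolved: list = []
        self.problems: list = []  # the near-line problem queue

    def register(self, inc: Incident) -> None:
        self.new.append(inc)

    def pull(self, officer: Officer, now: datetime) -> Optional[Incident]:
        """Officer pulls the incident closest to SLA breach; no 'conductor' assigns it."""
        if not officer.can_pull() or not self.new:
            return None
        inc = min(self.new, key=lambda i: (i.remaining(now), i.severity))
        self.new.remove(inc)
        officer.wip.append(inc)
        return inc

    def resolve(self, officer: Officer, inc: Incident, root_cause_known: bool) -> None:
        """Containment/recovery done: free WIP; defer root-cause work to a problem."""
        officer.wip.remove(inc)
        self.resolved.append(inc)
        if not root_cause_known:
            self.problems.append(f"root cause of {inc.id}")

    def nearing_breach(self, officers: list, now: datetime, fraction: float = 0.2) -> list:
        """Open incidents (new or in progress) with <= `fraction` of their SLA left."""
        open_items = self.new + [i for o in officers for i in o.wip]
        at_risk = [i for i in open_items if i.remaining(now) <= i.sla * fraction]
        return sorted(at_risk, key=lambda i: i.remaining(now))


def demo() -> dict:
    """Walk the board through one pull cycle with constructed incidents."""
    now = datetime(2021, 7, 8, 9, 0)
    board = IncidentBoard()
    board.register(Incident("INC-1", now - timedelta(hours=20), timedelta(hours=24)))               # 4h left
    board.register(Incident("INC-2", now - timedelta(hours=1), timedelta(hours=24)))                # 23h left
    board.register(Incident("INC-3", now - timedelta(hours=70), timedelta(hours=72), severity=1))   # 2h left
    john, mary = Officer("John"), Officer("Mary")
    # John already holds two in-progress incidents, i.e. he is at his WIP limit
    john.wip = [Incident("INC-0a", now, timedelta(hours=24)), Incident("INC-0b", now, timedelta(hours=24))]

    john_pull = board.pull(john, now)     # None: must resolve something first
    mary_first = board.pull(mary, now)    # INC-3, nearest to breach
    mary_second = board.pull(mary, now)   # INC-1, next nearest
    mary_third = board.pull(mary, now)    # None: Mary is now at her WIP limit
    at_risk = [i.id for i in board.nearing_breach([john, mary], now)]
    board.resolve(mary, mary_first, root_cause_known=False)  # files a problem record

    return {
        "john_pull": john_pull,
        "mary_pulls": [mary_first.id, mary_second.id],
        "mary_third": mary_third,
        "at_risk": at_risk,
        "problems": board.problems,
        "remaining_new": [i.id for i in board.new],
    }


if __name__ == "__main__":
    print(demo())
```

The pull rule orders by absolute time remaining, so a 72-hour-SLA incident in its last two hours outranks a 24-hour-SLA incident opened an hour ago; `nearing_breach` is the list a shift lead would review against the 95% line of the cycle-time scatterplot above.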

Actual results – incidents resolution time
[Chart 1: "90% cyber security incidents resolution time, days", monthly, Jan-21 to Jun-21; data labels as read from the chart, in order: 20, 27, 29, 30, 28, 14]
[Chart 2: "90% cyber security incidents resolution time, days", weekly, 8-Jul to 9-Sep; data labels as read from the chart, in order: 8, 3, 9, 3, 10, 4, 4, 1, 7, 1]

Actual results – fraud loss dynamics
[Chart: "Weekly dynamics of the "average check" of damage to customers for fraud incidents", weekly, 17-Jun to 02-Sep; series: actual damage, prevented damage]

Questions, please!
Vsevolod (Sam) Shabad
[email protected]
www.linkedin.com/in/vshabad