
How a regional bank reduces time to contain and respond to incidents by prioritizing and acting on behavior data detected on 77,000+ digital assets

Our client is one of the largest banks in the ASEAN region, providing a full suite of products and services for both the retail and corporate markets, such as lending, deposits, brokerage, investments, credit cards, and remittances.

HM Solution Stack

Incident Management
Threat Management

including DENIAL OF SERVICE and PHISHING use cases

all with continuous asset management, context management, change management, and alert management

The Challenge

The future of computing promises more scale, more complexity, and certainly more change, all at a great speed. Due to this transition, the odds increase every day that every organization will have a major technology incident, created internally or externally. Without a predictable way to respond to incidents, any organization—growing or mature—is at risk.

Our banking client delivers essential financial services to millions of customers and operates in an industry that is persistently targeted by threat actors, so a modern incident management capability that is fast and reliable against a changing threat landscape was business critical. To improve its cyber defense capabilities, the bank had already made significant investments in cybersecurity tools and software. It wanted an incident management platform that could holistically analyze large volumes of events from diverse sources and minimize the repetitive manual analysis and triage performed by its security operations center.

The Solution

Human Managed’s cloud-native, data-agnostic platform continuously collects log, metric, event, and alert data from the client’s IT and security systems (endpoints, cloud resources, network devices, software, servers, and so on), which generate as many as 15 billion events per month.

After cycles of data analysis, the platform generates contextualized intelligence and recommendations for internal users, executives, and engineers to reduce cyber threats and optimize cyber operations.

The alerts generated by the Human Managed platform are monitored and triaged continuously so the client can quickly and efficiently validate, investigate, and respond to issues, incidents, and cases. Human Managed provides actionable remediation recommendations and, where applicable, takes remedial action on security devices or security applications to contain exposure rapidly and minimize business impact.

input

  • Data on configs, logs, metrics, events, and alerts generated by the client’s data sources, such as devices, apps, APIs, compute, storage, and tools
  • The client connected more than 20 data sources to the HM platform through APIs and private networks; no new tools were required.

process

The HM platform runs multiple depths of analysis on the client’s processed data and events, combining conditions, correlation rules, machine learning algorithms, and business intelligence to detect and alert on suspicious or anomalous activity across the client’s 77,000+ assets.
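As an added illustration of what such a pipeline looks like in code (this is not Human Managed’s implementation, and none of the telemetry is client data), the Python below runs two of the analysis types named above over a constructed event stream: a per-asset baseline condition that flags a volumetric denial of service, and a correlation rule that chains an email-gateway detection with the recipient’s proxy activity to stage a phishing incident. A final step merges repeats and weights each alert by a constructed asset criticality, which is how several hundred events collapse into a handful of ranked alerts. Asset names, thresholds, and criticality values are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed telemetry for illustration only; none of this is client data.
def t(minute, second=0):
    return datetime(2024, 1, 1, 10, minute, second)

def build_events():
    events = []
    for m in range(5):                       # 5 quiet minutes: 20 conns/min to web-01
        for i in range(20):
            events.append({"ts": t(m, i), "asset": "web-01", "source": "firewall",
                           "type": "conn", "src_ip": f"203.0.113.{i}"})
    for i in range(400):                     # minute 5: a 400-connection burst
        events.append({"ts": t(5, i % 60), "asset": "web-01", "source": "firewall",
                       "type": "conn", "src_ip": f"198.51.100.{i % 256}"})
    # Phishing chain: gateway flags a URL, alice fetches it, then POSTs to it.
    events.append({"ts": t(2, 0), "asset": "mailgw-01", "source": "email_gateway",
                   "type": "suspicious_url", "user": "alice", "domain": "login-bank-example.test"})
    events.append({"ts": t(2, 45), "asset": "wks-0231", "source": "proxy",
                   "type": "http_get", "user": "alice", "domain": "login-bank-example.test"})
    events.append({"ts": t(3, 10), "asset": "wks-0231", "source": "proxy",
                   "type": "http_post", "user": "alice", "domain": "login-bank-example.test"})
    # A flagged mail that bob never opened: low severity, should rank last.
    events.append({"ts": t(4, 0), "asset": "mailgw-01", "source": "email_gateway",
                   "type": "suspicious_url", "user": "bob", "domain": "evil-invoice.test"})
    return events

def detect_dos(events, baseline_minutes=5, k=3.0):
    """Condition against each asset's own baseline: connections per minute
    compared with mean + k*stdev of the first `baseline_minutes` minutes.
    A floor of 2x the mean stops a flat baseline (stdev 0) alerting on noise."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["source"] == "firewall" and e["type"] == "conn":
            counts[e["asset"]][e["ts"].replace(second=0)] += 1
    alerts = []
    for asset, per_min in counts.items():
        minutes = sorted(per_min)
        base = [per_min[m] for m in minutes[:baseline_minutes]]
        threshold = max(mean(base) + k * pstdev(base), 2 * mean(base))
        for m in minutes[baseline_minutes:]:
            if per_min[m] > threshold:
                alerts.append({"rule": "dos_volume", "asset": asset, "ts": m, "severity": 4,
                               "detail": f"{per_min[m]} conns/min, threshold {threshold:.0f}"})
    return alerts

def detect_phishing(events, window=timedelta(minutes=30)):
    """Correlation rule: a gateway-flagged URL followed, within `window`, by the
    same user fetching (click) and then POSTing to (credential entry) that domain.
    Severity rises with each stage; the asset to act on becomes the endpoint."""
    alerts = []
    for f in (e for e in events if e["type"] == "suspicious_url"):
        chain = [e for e in events
                 if e["source"] == "proxy" and e.get("user") == f["user"]
                 and e.get("domain") == f["domain"]
                 and f["ts"] <= e["ts"] <= f["ts"] + window]
        clicked = any(e["type"] == "http_get" for e in chain)
        posted = any(e["type"] == "http_post" for e in chain)
        stage, severity = "delivered", 1
        if posted:
            stage, severity = "credentials_submitted", 5
        elif clicked:
            stage, severity = "clicked", 3
        alerts.append({"rule": f"phishing_{stage}", "asset": chain[0]["asset"] if chain else f["asset"],
                       "ts": f["ts"], "severity": severity, "detail": f"{f['user']} -> {f['domain']}"})
    return alerts

# Asset context (constructed): business criticality used to weight alerts.
ASSET_CRITICALITY = {"web-01": 3, "mailgw-01": 2, "wks-0231": 1}

def prioritize(alerts, criticality=ASSET_CRITICALITY):
    """Merge repeats of the same rule on the same asset into one alert with a
    count, then rank by severity weighted with asset criticality."""
    merged = {}
    for a in alerts:
        key = (a["rule"], a["asset"])
        if key in merged:
            merged[key]["count"] += 1
        else:
            merged[key] = dict(a, count=1)
    for a in merged.values():
        a["priority"] = a["severity"] * criticality.get(a["asset"], 1)
    return sorted(merged.values(), key=lambda a: (-a["priority"], a["ts"]))

def run_pipeline(events=None):
    """Raw events in, short prioritized alert list out."""
    events = build_events() if events is None else events
    return len(events), prioritize(detect_dos(events) + detect_phishing(events))

if __name__ == "__main__":
    n, alerts = run_pipeline()
    print(f"{n} events -> {len(alerts)} prioritized alerts")
    for a in alerts:
        print(a["priority"], a["rule"], a["asset"], a["detail"])
```

Two design points matter in practice. The DoS rule compares each asset with its own history rather than a global number, which is what lets the same rule cover 77,000 heterogeneous assets without hand-tuned thresholds, and the 2x floor guards against a zero-variance baseline turning every extra connection into an alert. The phishing rule emits one alert per flagged mail whatever stage it reached, so the prioritization step, not the detection, decides which of them an analyst sees first.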

output

The threat incident management service sends insights, intel, decisions, and actions on the client’s custom cyber threat use cases, including ransomware, phishing, denial of service, and attack surface management.

The intel and recommendations are delivered on demand as reports, notifications, and dispatches to the client’s operators, analysts, and executives.

Insights:
detected cyber threat tactics and techniques, such as compromised asset, internal threat, external threat, and malware.

Intel:
metrics and trends on cyber threats, anomalies, and suspicious behaviors against the client’s baseline and external patterns.

Decision and action:
recommended steps to fix and remediate prioritized issues and incidents.

The Impact

  • removed denial of service (DoS) and phishing as top attack vectors for the client within 6 months
  • mean time to respond to phishing attacks reduced from 3 months to 48 hours through automation in playbooks and runbooks
  • mean time to respond to DoS reduced from 12 hours to under 15 minutes through automated detection and action pipelines
  • reduced future exposure through recommendations of compensating controls as part of every incident resolution
  • operational efficiency from data-driven prioritization of 13-15 billion events per month down to 700-900 prioritized alerts per month
  • minimum savings of 3-4 hours per day of manual information consolidation, alert triage and prioritization, data analysis, and issue and incident management workflow
  • minimum savings of 1-2 hours per week of manual reporting (operational to executive)
  • minimum 6 months saved from deployment to operational processes (reduced time for procurement, workshops and meetings, project management, and day-to-day operations including progress tracking)
  • improvement to overall data culture throughout the organization, as asset management, context management, change management, and alert management continuously improve through data
  • improvement to the overall data-driven knowledge base, contextualized to the client’s unique profile and domain expertise, which can be applied to other use cases across cyber, digital, and risk problems

...and more!

Got data you want to understand?

Get your very own I.DE.A. platform today