Summary

The nomination is for the Security Analytics Project, implemented to be the backbone of the GSIS Information Security Office (ISO) in monitoring, detecting, preventing and responding to cyber threats in the shortest possible time. The project was initiated by CISO Jonathan Pineda and is an innovation that provides an overall view of the GSIS Information Security Posture, including cyberattacks and threats to GSIS IT infrastructure, in near real time. Logs from various security tools are captured, aggregated, and processed using automation and machine learning techniques, enabling GSIS to respond faster. The project was started in 2016 and is continuously being improved.

Background and Problem

According to the Ponemon 2019 Cost of Breach Report, it takes an average of 279 days for a company to identify and contain a breach. The GSIS is under constant cyber-attack from various threat actors 24×7. The public websites alone receive more than 25,000 attempted attacks per day. The objective of the project was to identify and profile these attacks, and to filter out the noise and false positives, so that the InfoSec personnel can act on notable incidents only. To protect its IT infrastructure, GSIS deployed multiple security tools as part of its Information Security Program. However, these tools generate millions of logs daily, and it is impossible for InfoSec personnel to filter out notable incidents by hand and respond to them quickly. Investigating and remediating incidents takes so much time that the GSIS may be exposed to data breaches if these threats are not detected and acted upon sooner.

Solution and Impact

Traditional Security Incident and Event Management means aggregating and correlating logs so that they can be reviewed from a single platform. The Security Analytics Project improved on this traditional practice: it not only aggregates and correlates logs, but also profiles events and validates them against public threat intel sources. This also led to the creation of alerts based on user or adversary behavior, such as multiple attacks from the same IP source, multiple login failures, multiple malware infections, and attempts to connect to command and control servers, to name a few. This also enabled the InfoSec analysts to focus more on the notable incidents, rather than on learning to operate the security tools.

Cybersecurity is a very complicated discipline, as adversaries use multiple threat vectors to compromise their target. They need to be successful just once, and that is what GSIS is trying to prevent. While no system is hack proof, the Security Analytics tool helps us detect these notable incidents faster, as we can detect them in near real time and have set up alerts to notify us of priority incidents.

The GSIS Information Security Program took many years to mature, and we have implemented various tools to mitigate specific cybersecurity threats. The Security Analytics tool gave us the capability to see beyond the tools and understand our threat landscape better. This helps our security analysts focus more on the actual incidents rather than guessing what is happening. The tool surfaces the “needles in the haystack” immediately so that an immediate response can be made. This methodology ensures that we can provide information assurance to our users and stakeholders when they use our technologies.

Milestones

The Security Project enabled GSIS to:

  1. Lower possible breach detection from months to hours;
  2. Respond faster and proactively to cybersecurity incidents;
  3. Profile cybersecurity threats and deliver technology securely; and
  4. Detect cybersecurity threats (Cyber Attack Killchain and MITRE ATT&CK frameworks).

It recently won the ASEAN Social Security Association Information Technology Recognition Award for 2019. The next step will be to automate further using Security Orchestration and Automated Response (SOAR) tools. The SOAR will leverage threat intelligence platforms and further minimize the need for human responders to act on repeating incidents (phishing mails and malware infections).

2019

This is an Entry to the Government Best Practice Recognition Awards

Title

GSIS Security Analytics Project (GBPR 2019)

Organization

Government Service Insurance System