Global Tier 1 Bank

Cyber Security Operations Automation

Global Tier 1 Bank – Cyber Security Operations Automation
Global Tier 1 Bank – Cyber Security Operations Automation
25/02/2020 MHC
time saving for data capture and notifications
time saving on case investigation
cost saving by decommissioning legacy systems

Client Problem

The introduction of GDPR, together with increased threat actor activity, had led to a massive increase in the number of cyber security incidents to be investigated. With limited resource and budget, our client, a global bank, needed task automation to help prevent a backlog from developing.

MHC Approach

Our team of MHC Business Analysts adopted an Agile approach to the various automation tasks that would individually help address the issue.  High level requirements were prioritised with the business owner, with the next highest priority requirement analysed, ready for code development, testing and implementation, through a series of Agile sprints.

A number of key enhancements were delivered.

BIRO Email Notification

Business Information Risk Officers (BIROs) assist the Cyber Security Operations teams with the investigation and escalation of incidents, particularly ones involving Data Loss Protection (DLP).

Show More
By automating the generation of an email notifying the BIRO when new incidents occur, a manual time-consuming task was removed from the DLP analysts. In addition, BIROs were notified as soon as the incident occurred, rather than later when the Analyst processed the incident. A note was added to the incident ticket showing to whom the email notification was sent. 

Line Manager Notification

A second email notification allowed a DLP Analyst to send a questionnaire to an Impacted User’s Line Manager, so that information on the background and resolution of the incident could be captured from the Line Manager.  

Show More
By having a web page based questionnairethe responses could be added directly to the incident case without additional Analyst intervention. The automation of the questionnaire notification and the capture of the response data saved several days time and much effort from the investigation process, increasing efficiency and avoiding backlogs.

Self-Reported Incidents

The existing method to capture details of incidents involved the impacted user completing a SharePoint form that sent an email to an offshore team, who in turn keyed the details into the Case Management system for the DLP Analyst to investigate. This was both time consuming and error prone. Automation involved creating a set of web based forms for the Impacted User to complete, which created an incident directly in the Case Management system. 

Show More
In addition to massive benefits in speed of capture (5 days reduced to 10 minutes) in-built flexibility allowed the DLP team management to maintain each form’s questions as necessary, something that was not possible previously. 

Workflow Improvements

The Case Management system previously forced the DLP Analyst processing an Incident to proceed through all workbook pages, despite them often knowing quickly that no data loss had occurred.  Improvements were introduced that allowed the Analyst to exit from a workflow and have the system automatically complete the remaining steps when this situation occurred. This allowed a 60% time saving on these cases.

Enhanced Geographic Coverage

The restrictions involved in the initial implementation of the Case Management system meant that it could not be used, or used completely, within some highly regulated countries. Refinements were introduced that tailored which groups of users could access, and so process, cases for these countries.  This allowed them to adopt the global Case Management system rather than old, out of support system that they had to use previously. 

More
The refinements were created as individual tasks, which allowed varying combinations to be used, by country, thereby catering for slightly different requirements. 

Project Outcome

The DLP team and end users around the world enthusiastically welcomed each of the above changes. Time saved through automation allowed Analysts to process cases sooner, thereby reducing the period when the bank was at risk of data loss because an incident.

By adopting an agile approach, work could be done on the Product Owner’s highest priority tasks, moving onto development, testing and implementation, while the next most important task was being analysed and solution devised. This resulted in improvements being implemented sooner than could have been achieved via a waterfall approach.

 

000

Related Insights

Case StudiesService: Payments
Payments Sevice Strategic Review and Implementation of Replacement Platform
ArticlesService: Cyber security
Email Phishing Protection
Email Phishing Protection
ArticlesService: Cyber security
THE EU 5TH ANTI MONEY LAUNDERING DIRECTIVE