Global Tier 1 Bank

Cyber Security Operations Automation

25/02/2020 MHC
Time saving for data capture and notifications
Time saving on case investigation
Cost saving by decommissioning legacy systems

Client Problem

The introduction of GDPR, together with increased threat actor activity, had led to a massive increase in the number of cyber security incidents to be investigated. With limited resources and budget, our client, a global bank, needed task automation to help prevent a backlog from developing.

MHC Approach

Our team of MHC Business Analysts adopted an Agile approach to the various automation tasks that would individually help address the issue. High-level requirements were prioritised with the business owner; in each Agile sprint, the next highest-priority requirement was analysed and made ready for code development, testing and implementation.

A number of key enhancements were delivered.

BIRO Email Notification

Business Information Risk Officers (BIROs) assist the Cyber Security Operations teams with the investigation and escalation of incidents, particularly ones involving Data Loss Protection (DLP).

Line Manager Notification

A second email notification allowed a DLP Analyst to send a questionnaire to an Impacted User's Line Manager, so that the Line Manager could supply information on the background and resolution of the incident.

Self-Reported Incidents

The existing method to capture details of incidents involved the impacted user completing a SharePoint form that sent an email to an offshore team, who in turn keyed the details into the Case Management system for the DLP Analyst to investigate. This was both time-consuming and error-prone. Automation involved creating a set of web-based forms for the Impacted User to complete, which created an incident directly in the Case Management system.

Workflow Improvements

The Case Management system previously forced the DLP Analyst processing an Incident to proceed through all workbook pages, even when the Analyst had quickly established that no data loss had occurred. Improvements were introduced that allowed the Analyst to exit the workflow in this situation and have the system automatically complete the remaining steps. This allowed a 60% time saving on these cases.

Enhanced Geographic Coverage

The restrictions involved in the initial implementation of the Case Management system meant that it could not be used, or not used fully, within some highly regulated countries. Refinements were introduced that tailored which groups of users could access, and so process, cases for these countries. This allowed them to adopt the global Case Management system rather than the old, out-of-support system that they had been forced to use previously.

Project Outcome

The DLP team and end users around the world enthusiastically welcomed each of the above changes. Time saved through automation allowed Analysts to process cases sooner, thereby reducing the period during which the bank was at risk of data loss because of an incident.

By adopting an agile approach, work could be done on the Product Owner's highest-priority tasks, moving on to development, testing and implementation, while the next most important task was being analysed and a solution devised. This resulted in improvements being implemented sooner than could have been achieved via a waterfall approach.