According to KPMG’s Cyber Security Considerations 2022 report, a whopping 10,016 cybersecurity occurrences in Malaysia have been reported to Cyber999, the cybersecurity incident response centre operated by the Malaysia Computer Emergency Response Team (MyCERT).
Of these cybersecurity attacks, 71% were fraud-centric while intrusion attempts and malicious codes were the second and third top threats reported respectively.
The Malaysia Cyber Security Strategy 2020-2024 also estimates that the nation could lose RM51 billion to cybersecurity incidents, which is more than 4% of the country’s total gross domestic product (GDP).
As cybercrime changes rapidly, threat actors will utilise new technologies, which will inevitably ignite an evolution in our approach towards cybersecurity.
Incorporating analytics with data
Keeping pace requires new architectures and deployment models. Security analytics solutions capable of delivering the required monitoring use cases are best suited to the scale and dynamic response inherent in the cloud.
Cloud-based security information and event management (SIEM), which is already becoming the standard deployment model as workloads move to the cloud, is now the only practical way to deal with the high volume of data that has to be collected.
Moving SIEM to the cloud saves cost when the architecture separates processing from storage. Organisations can spend more on the data queries that need fast results while running the less time-sensitive ones in cheaper computing models.
Additionally, user and entity behaviour analytics (UEBA), which enriches security data with additional context about the users and systems involved, can help uncover many common use cases, including insider threats, phishing attacks, fraud and privilege misuse.
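The following is an added illustration, not code from the article or from Securonix, of what UEBA-style enrichment and baselining look like in practice. It builds a per-user baseline (hosts, countries and working hours) from a constructed week of login events, scores new events against that baseline, and then uses constructed identity context (privileged account, user flagged as leaving) to amplify anomalies that matter for insider-threat and privilege-misuse cases. All users, hosts, weights and thresholds are made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample data (not from the article): successful logins seen
# during a baseline window, as (user, host, hour_of_day, country).
Event = Tuple[str, str, int, str]
BASELINE_EVENTS: List[Event] = [
    ("alice", "fin-ws-01", 9, "MY"),
    ("alice", "fin-ws-01", 10, "MY"),
    ("alice", "fin-ws-01", 14, "MY"),
    ("alice", "fin-ws-02", 11, "MY"),
    ("bob", "dev-ws-07", 8, "MY"),
    ("bob", "dev-ws-07", 17, "MY"),
    ("bob", "build-01", 13, "MY"),
]

# Constructed enrichment context, as it might come from an identity or HR
# source. Hypothetical attribute names.
USER_CONTEXT = {
    "alice": {"privileged": True, "leaving_soon": False},
    "bob": {"privileged": False, "leaving_soon": True},
}


@dataclass
class Baseline:
    hosts: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)


def build_baselines(events: List[Event]) -> Dict[str, Baseline]:
    """Learn what 'normal' looks like for each user from historical events."""
    baselines: Dict[str, Baseline] = defaultdict(Baseline)
    for user, host, hour, country in events:
        b = baselines[user]
        b.hosts.add(host)
        b.countries.add(country)
        b.hours.add(hour)
    return dict(baselines)


def score_event(event: Event, baselines: Dict[str, Baseline], context: dict) -> dict:
    """Score one login: deviations from the user's baseline add points,
    then identity context amplifies the score (only when something is anomalous)."""
    user, host, hour, country = event
    b = baselines.get(user)
    if b is None:
        # Never-seen identity: cannot baseline, hand to an analyst as medium risk.
        return {"user": user, "score": 50, "reasons": ["no baseline for user"]}

    score, reasons = 0, []
    if country not in b.countries:
        score += 40
        reasons.append(f"new country {country}")
    if host not in b.hosts:
        score += 20
        reasons.append(f"new host {host}")
    # Unusual hour: more than three hours away from any hour in the baseline.
    if min(abs(hour - h) for h in b.hours) > 3:
        score += 15
        reasons.append(f"unusual hour {hour:02d}:00")

    ctx = context.get(user, {})
    if score > 0:
        if ctx.get("privileged"):
            score = int(score * 1.5)        # privilege misuse has higher impact
            reasons.append("privileged account")
        if ctx.get("leaving_soon"):
            score += 20                     # classic insider-threat indicator
            reasons.append("user flagged as leaving")
    return {"user": user, "score": min(score, 100), "reasons": reasons}


def score_batch(events: List[Event], baselines, context) -> List[dict]:
    """Score a batch and return it highest risk first, for analyst triage."""
    scored = [score_event(e, baselines, context) for e in events]
    return sorted(scored, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    baselines = build_baselines(BASELINE_EVENTS)
    new_events: List[Event] = [
        ("alice", "fin-ws-01", 10, "MY"),   # normal
        ("alice", "fin-ws-01", 3, "RU"),    # new country at 03:00 on a privileged account
        ("bob", "hr-srv-01", 22, "MY"),     # new host late at night, user leaving
        ("carol", "fin-ws-01", 9, "MY"),    # unknown user
    ]
    for r in score_batch(new_events, baselines, USER_CONTEXT):
        print(r)
```

The point of the context step is that the same raw anomaly (a new host at an odd hour) is weighted differently depending on who the entity is; that is the enrichment the UEBA layer adds on top of plain log collection.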
More than just cost savings
A cloud-native SIEM solution that is integrated with big data-based storage systems offers enhanced performance, analytics and threat detection as it can be dynamically scaled up or down as needed.
Cloud-native solutions help security teams stay on the cutting edge of cybersecurity with benefits including:
• Elasticity — the ability to adapt to workload changes by provisioning and de-provisioning resources as needed;
• Scalability — the ability to increase or decrease performance and cost in response to changes in application and system processing demands; and
• Reliability — the ability to maintain steady detection and response times, even during periods of increased demand.
Another advantage for organisations is the ability to incorporate their security data into their overall planning for a data cloud.
A modern SIEM enables organisations to “bring their own cloud” and keep their data in their own cloud storage for complete control and access.
It can help maximise the resources available and achieve economies of scale for data needs that would not be possible if security data were kept in a separate silo. Organisations would be able to realise the benefits of a next-gen SIEM while maintaining control of their sensitive data.
Enterprises today require a cybersecurity strategy that is dynamic, predictive, flexible and elastic in order to withstand changes to the threat landscape and IT environments.
Moving SIEM to the cloud offers flexibility, a key element of future-proofing security, and gives organisations the resiliency needed to navigate today’s complex and evolving security landscape.
Many organisations today adopt hybrid and cloud environments, making them more vulnerable to complex and sophisticated cyberattacks. Present-day threats can span multiple data sources within the cloud, where traditional SIEMs have generally poor visibility.
Faced with huge amounts of cloud data, legacy SIEMs often cannot scale and rely on weak rule-based detection techniques that miss complex threats.
Next-generation SIEM collects massive volumes of data in real time, using patented machine learning algorithms to detect advanced threats and provide artificial-intelligence-based security incident response capabilities for fast remediation.
It also offers profound visibility, detection and response at cloud scale and integrates seamlessly with all the data sources, threat intelligence tools and other technologies to enable organisations to stay on top of threats.
With a growing volume of cyberattacks bypassing traditional detection technologies, threat hunting has emerged. It aims to uncover attacker tactics, techniques and procedures (TTPs) present in an environment that existing detection technologies have not discovered.
Simply put, threat hunting is based on the assumption that your security has been compromised but your existing detection capabilities have not detected anything.
Threat hunting is proactive and pre-emptive, involving members of the security team who explore and actively search for indirect signs or artefacts of an ongoing compromise, rather than wait for something to happen or be detected.
It is a process typically conducted by a human analyst, although the “hunter” can be, and usually is, augmented by a diverse toolbox of technologies that semi-automate the hunt.
Threat hunting is a defensive adaptation in the cyber offence-defence cycle: it fills the gap between the moment an attack technique becomes known and the moment it is automated and formalised in detection code.
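As an added example of the semi-automated, hypothesis-driven hunt described above (this is illustrative code, not from the article or Securonix), the block below performs a stacking analysis: it counts on how many hosts each parent/child process pair occurs and surfaces the pairs that are rare across the fleet, which is a common starting point when no existing rule fires. The process-creation events, host names and the rarity threshold are all constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed process-creation telemetry (host, parent_image, child_image).
# Twenty workstations with ordinary activity, plus two one-off pairs.
ProcEvent = Tuple[str, str, str]
EVENTS: List[ProcEvent] = []
for _i in range(1, 21):
    _host = f"ws-{_i:02d}"
    EVENTS.append((_host, "explorer.exe", "outlook.exe"))
    EVENTS.append((_host, "services.exe", "svchost.exe"))
    EVENTS.append((_host, "explorer.exe", "chrome.exe"))
EVENTS.append(("ws-13", "winword.exe", "cmd.exe"))          # constructed oddity
EVENTS.append(("ws-07", "outlook.exe", "powershell.exe"))   # constructed oddity

# A hunt is documented as a hypothesis so the result is reproducible and
# can be turned into a detection rule later. Hypothetical record format.
HUNT = {
    "hypothesis": "Document/mail clients spawning command interpreters would be "
                  "rare on this estate; any occurrence deserves review.",
    "data_source": "endpoint process-creation events",
    "analytic": "stack parent/child pairs by distinct host count",
}


def stack_parent_child(events: List[ProcEvent]) -> Dict[Tuple[str, str], Set[str]]:
    """Map each (parent, child) pair to the set of hosts on which it was seen."""
    stacks: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for host, parent, child in events:
        stacks[(parent, child)].add(host)
    return dict(stacks)


def rare_pairs(events: List[ProcEvent], max_fraction: float = 0.1,
               total_hosts: int = 0) -> List[Tuple[Tuple[str, str], List[str]]]:
    """Return pairs present on at most max_fraction of hosts, rarest first.

    total_hosts lets the caller pass the true fleet size from the asset
    inventory; otherwise the hosts seen in the data are used."""
    stacks = stack_parent_child(events)
    fleet = total_hosts or len({h for h, _, _ in events})
    rare = [(pair, sorted(hosts)) for pair, hosts in stacks.items()
            if len(hosts) / fleet <= max_fraction]
    # Sort by number of hosts, then by pair name for a stable triage order.
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


def hunt_report(events: List[ProcEvent]) -> dict:
    """Bundle the hypothesis with the findings, as an analyst would record it."""
    findings = rare_pairs(events)
    return {**HUNT, "findings": findings, "hosts_analysed": len({h for h, _, _ in events})}


if __name__ == "__main__":
    report = hunt_report(EVENTS)
    print(report["hypothesis"])
    for (parent, child), hosts in report["findings"]:
        print(f"{parent} -> {child}: seen on {hosts}")
```

A hunt that produces a confirmed finding this way is the raw material for the “detection code” mentioned above: once the rare pair is understood, it becomes a rule the SIEM can run continuously.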
Ajay Kumar is director for Asia-Pacific & Japan (APJ) and Middle East (ME) at Securonix