Information Security is a never-ending battle in which we strive for the best possible balance between managing cybersecurity risks, usability and costs. 2020 has been a challenging year, as we had to adapt to the work-from-home paradigm. Yet it has also been a very fruitful year for Group Security. Here is how we made Kindred Group more secure in 2020 and what we intend to focus on in 2021.
Identify: Know thy enemy, know yourself
We started the year by confirming the maturity of our Information Security Management System (ISMS) and passing our second ISO/IEC 27001:2013 maintenance audit! 2021 will be the last year of our certification cycle, and the main goal will be to maintain a top-of-the-line review from our auditors while preparing for a potential scope extension for the new cycle. We also intend to increase our alignment with more US-centric standards and practices, such as the NIST Cyber Security Framework, to ease our penetration into the US market.
Speaking of audits, 2020 has been our most successful year so far from a security compliance standpoint, as we passed all of our external security audits with no non-conformity. In 2021 we intend to further improve our audit preparation processes by consolidating requirements into a common control framework.
We also made significant improvements to our vulnerability management program throughout the year. Not only have we extended its scope to our containerised components, but with the help of Tech we also reduced our average time to mitigate new vulnerabilities.
To protect our assets commensurate with their sensitivity and importance, we deployed a mandatory data classification scheme in our main documentation systems: Office and Confluence. In 2021 we intend to offer our employees more intuitive ways to protect data in accordance with its classification level.
On the developers' side, we deployed semi-automated web application security scanning solutions, allowing developers to look for low-hanging fruit before pushing changes to components. As a result, the Cyber Security team has been able to focus its effort on larger, more advanced internal penetration tests. 55 pentests were conducted internally in total in 2020, 22 of which were large reviews that took more than 3 days. In 2021 we intend to further increase the integration of security checkpoints within our development pipeline, building on the "DevSecOps" mindset.
Last but not least, we capped the year with a key re-organisation that moved us directly under the CTO. This new reporting structure will allow for even closer collaboration with the rest of the Tech department and shows Kindred Group's acknowledgement of the importance of the cybersecurity challenges we face.
Protect: Build a tenable defence and make it harder for the attackers to impact you
While hackers in movies tend to attack the service they want to compromise head-on, real-life attacks often take indirect routes, with employee endpoints being an all-time favourite. Attackers manipulate employees into opening malicious attachments or performing dangerous actions. To combat this, we deployed additional endpoint protection technologies, such as Attack Surface Reduction. We also added extra malware detection capabilities on our macOS endpoints, on top of our existing Endpoint Detection & Response (EDR) solution.
Following the least privilege principle, where people only have the access and permissions they absolutely need to do their job, is a tough challenge, as access tends to grow over time. Indeed, while it is easy to notice when you're missing access, active reviews must be performed to track down the access you no longer require. In 2020 we completed a global access review campaign including all staff members. Thanks to the thorough review by the managers involved, we successfully removed 7% of employees' existing access on average. In 2021 we intend to simplify the global review process and continue role mining activities to reduce the number of access rights to review.
Detect: Spot the vulnerabilities and attackers before it is too late
A Bug Bounty program pushes the concept of third-party security assessment further by welcoming security researchers to look for vulnerabilities all year round, instead of the more traditional yearly pentest. Kindred Group has been maintaining a private Bug Bounty program successfully for the last 3 years, which we were proud to turn public in January 2020. Thanks to the experience we had gained, we managed the transition successfully, keeping an average time to bounty of one day and a resolution time of one month. Throughout the year we continuously added new products to our scope. As our program matures, we have also conducted several 'campaigns', offering an extra reward for any vulnerability found in specific critical areas, such as our customer authentication system. We also raised the bounties rewarded for high severity vulnerabilities, which now puts us in the top 25% of HackerOne's bug bounty programs. In 2021 we intend to further increase the scope and attractiveness of our Bug Bounty program for security researchers.
In Q4 2020 we also completed the implementation of a new SIEM infrastructure. SIEM stands for Security Information and Event Management and is the key service that allows our security operations team to centralise, correlate and triage all our security alerts. In 2021 we'll continue building on top of this new solution by implementing additional use cases and improving the signal-to-noise ratio of our current alerts.
Respond and Recover: When things don't go to plan
2020 has been a challenging year for everyone, with the pandemic forcing us to work from home and thus slowing down many processes that used to be handled in person. In Q4, we deployed additional live forensics capability to our employees' endpoints. This new solution will allow us to hunt for potential threats remotely and considerably ease the incident investigation process for our security response team.
As our security controls matured, we quickly realised that we needed to optimise our processes in order not to overwhelm our security experts. In 2020 we put significant effort into automating the triage of 'simple' security alerts. As a result, we dramatically reduced the workload of our Level 1 and Level 2 resources, allowing us to assign them new use cases to focus on in a sustainable fashion. On average, 30% of the tickets that used to be handled by our Level 1 resources have been automated over the last 2 quarters. In 2021 we will continue to automate ticket triage and response, and also focus on reducing our false-positive ratio.
In Q3, we conducted our yearly incident management tabletop exercise, which allowed us to test our incident notification and coordination capabilities. In 2021 we intend to broaden the exercise by including high-level crisis management aspects.
In line with our committed objectives from the 2019 sustainability report, we achieved the first step toward becoming an accredited Computer Security Incident Response Team by getting listed in the CSIRT Task Force, a widely recognised European community. In 2021 we intend to complete the accreditation process and join several security communities, which will give us access to even more knowledge-sharing groups, such as national CSIRT groups in some of the countries in which we operate. We are also aiming to strengthen our contacts with the security teams of other gambling operators through existing workgroups.
The above achievements were made possible thanks to the tremendous collaboration from the rest of Kindred Group. Security is very important to our customers and our shareholders and is, therefore, a vital part of our operations.