ASAP Patch | {build} Hackathon

Team members and respective division

Name	Division
Selina Ho	CSG / CDOI
Grace Koh	CSG / CDOI
Kelvin Leong	CSG / ENGR
Foo Shi Kai	CSG / ENGR
Amalina Rashid	CSG / ENGR
Wan Ding Yao	CSG / ENGR (CSA)

Problem Statement

CSG CISO Office needs to curate a security vulnerabilities report daily for immediate dissemination to agencies, but the manual process is tedious and inefficient, especially when handling large volumes of data. This results in information reaching stakeholders late, potentially delaying the remediation of critical or high-severity vulnerabilities. How Might We allow CSG CISO Office to create vulnerability report accurately and efficiently?
Agency CISO/SIRO needs to track the latest security vulnerabilities and vendor-released patches daily, but the process is currently manual. This results in delays in WOG agencies remediation of critical or high-severity vulnerabilities. How Might We allow agency CISO/SIRO Office to know the vulnerabilities and patches available, their severity, enabling them to assess the impact of remediating/not remediating their systems in a timely manner?

Problem Formulation Process

Our team conducted user research, including in-depth interviews with five users. Since our team comprise problem owners, we had direct business insights throughout the process. This dual perspective allowed us to align our solution closely with both user needs and operational requirements.

Key insights from our research include:

Timeliness is critical: Prompt delivery of vulnerability newsletters is essential for end-users to patch systems quickly, reducing security risks.
Data collection challenges: Inconsistent formats across vendor websites make vulnerability information gathering inefficient and time-consuming.
High volume processing: The large number of CVEs increases review and formatting time, impacting overall efficiency.
Future-proofing needed: Flexibility in vendor management is crucial for integrating additional services to address future vulnerabilities.
Post-send data management: Current processes lack mechanisms for reviewing or updating information after newsletter distribution, potentially leading to outdated or inaccurate content.
Review process uncertainties: While helpful in catching errors, the frequency and time required for revisions are unclear, causing workflow inefficiencies.

Proposed Solution Details

Smart and automated solution to enable timely and remediation of vulnerabilities across WOG. We believe that leveraging on AI and automation will hasten the process and reduce human errors in generating and dissemination of security vulnerability information.

Solution breakdown

Through our market research, we identified as a tool that can help to support in the process of collating security vulnerability information and thus decided to adopt and enhance it to better fit our requirements.

The Feedly solution will automate the scrapping of security vulnerability information from the internet. Thereafter the CVE metadata and AI-generated insights will be consolidated into newsletter format for review. Once approved, the newsletter will be disseminated to a pre-defined mailing list.

Impact and Outcome Analysis

	Current State	Would Be State
Impact	1 man day is spent preparing the report	Automation and AI will reduce 80% of time required for the same output (< ½ man day)
Cost	Nil	~US$3,000 / month

Future Plans

Expand vulnerability sources to include a wider range of monitored products
Enhance AI accuracy to provide more reliable vulnerability assessments
Integrate with various WoG system to improve coverage and alerting capability
Enrich current insights with additional threat intel sources

Problem Statement

Name	Division
Selina Ho	CSG / CDOI
Grace Koh	CSG / CDOI
Kelvin Leong	CSG / ENGR
Foo Shi Kai	CSG / ENGR
Amalina Rashid	CSG / ENGR
Wan Ding Yao	CSG / ENGR (CSA)

CSG CISO Office needs to curate a security vulnerabilities report daily for immediate dissemination to agencies, but the manual process is tedious and inefficient, especially when handling large volumes of data. This results in information reaching stakeholders late, potentially delaying the remediation of critical or high-severity vulnerabilities. How Might We allow CSG CISO Office to create vulnerability report accurately and efficiently?

Agency CISO/SIRO needs to track the latest security vulnerabilities and vendor-released patches daily, but the process is currently manual. This results in delays in WOG agencies remediation of critical or high-severity vulnerabilities. How Might We allow agency CISO/SIRO Office to know the vulnerabilities and patches available, their severity, enabling them to assess the impact of remediating/not remediating their systems in a timely manner?

Problem Formulation Process

Key insights from our research include:

Timeliness is critical: Prompt delivery of vulnerability newsletters is essential for end-users to patch systems quickly, reducing security risks.

Data collection challenges: Inconsistent formats across vendor websites make vulnerability information gathering inefficient and time-consuming.

High volume processing: The large number of CVEs increases review and formatting time, impacting overall efficiency.

Future-proofing needed: Flexibility in vendor management is crucial for integrating additional services to address future vulnerabilities.

Post-send data management: Current processes lack mechanisms for reviewing or updating information after newsletter distribution, potentially leading to outdated or inaccurate content.

Review process uncertainties: While helpful in catching errors, the frequency and time required for revisions are unclear, causing workflow inefficiencies.

Proposed Solution Details

Solution breakdown