alphaspirit - stock.adobe.com

Grab outlines its approach to cyber security

Singapore-based ride-hailing company prefers detective controls rather than preventive ones to deter cyber threats – an approach it claims is less intrusive and costly to implement

At Grab, Southeast Asia’s biggest ride-hailing and transportation platform, detection is key to keeping out cyber threats that have affected its rivals in recent years, according to its security chief.

Speaking at a Splunk event in Singapore this week, Suchit Mishra, head of information security at Grab, said the company builds detective controls across its products, services, applications and infrastructure to gather insights on where it is most vulnerable to attacks.

Such insights are then used to shore up Grab’s cyber defences in what Mishra described as an “offence informing defence” strategy. This is less intrusive and cheaper to implement, he said, because the company would be able to invest only in what is needed to deter cyber threats.

In executing this strategy, Mishra said it is critical to collect log data about everything that is going on in both external and internal systems, such as customer service portals and business intelligence applications. That data should be held in a centralised repository, he said.

But that is not enough – organisations need to go one step further to put the data into action by building dashboards to make sense of those insights, so they can have a good overview of their overall cyber security posture, said Mishra.

“This is not a new concept,” he said. “If you look at things like A/B testing and performance monitoring, everything is captured and put into dashboards for anyone to consume.”

Along with insights from Grab’s bug bounty programme, which offers rewards of up to $10,000, Mishra’s team relies on log data collated onto a Splunk dashboard to identify vulnerabilities and incidents, such as attempts to steal employee credentials and exfiltrate data. All of that information is then passed on to Grab’s engineering teams for further action.

Read more about cyber security in ASEAN

  • The Malaysian Communications and Multimedia Commission and a local firm have been sued for the massive data breach involving the personal data of more than 46 million mobile phone users in the country.
  • Cyber resilience remains low across Southeast Asia, a regional economic powerhouse that is increasingly susceptible to cyber threats as its digital economy grows.
  • Singapore’s Ministry of Defence is getting white hat hackers to identify loopholes in its internet-facing IT systems in the country’s first government-led bug bounty programme.
  • The key to improving the cyber security posture of organisations is to keep complexity at bay, according to a senior Microsoft executive.

“If we had only built preventive controls, we could only hypothetically say that something is vulnerable based on some threat model,” he said. “With this data, we now have more ammunition to push the security initiatives that we plan to put in place.”

In 2017, Uber, Grab’s former rival in Southeast Asia, revealed it had covered up a massive data breach that had affected 57 million riders and drivers. The blame was pinned partly on the failure to use multi-factor authentication for Uber’s account on GitHub, from which developer credentials were stolen to access the breached data housed on Amazon Web Services.

Uber has since exited the Southeast Asian market, selling off its operations in the region to Grab, which is valued at about $6bn. Under the deal, Uber would receive a 27.5% stake in Grab.

Read more on Hackers and cybercrime prevention