What is Root Cause Analysis (RCA)?

Root cause analysis (RCA) is a method of problem-solving used to investigate known problems and identify their antecedent and underlying causes. While the term root cause analysis seems to imply that issues which have a singular cause, this is not always the cause. Problems may have a singular cause, or multiple causes stemming from deficiencies in products, people, processes or other factors.

Applicability

While the general process for root cause analysis remains consistent across industries, investigators differ in the tools and techniques that they use to get to the underlying source of a problem. Even security operators who can automate much of the RCA process with security analytics applications must be familiar with methodologies of root cause analysis to accurately interpret the causes of security events.

Objective

RCA has a wide range of advantages, but it is dramatically beneficial in the continuous atmosphere of software development and information technology for two main reasons:

  • RCA focuses on cause, not symptoms. RCA pinpoints the factors that contribute to the problem or event. But its depth also helps you avoid the temptation to single-out one issue, over others, in order to resolve the problem as fast as possible. It also helps to find the actual cause of the problem as opposed to just fixing resulting symptoms.
  • RCA significantly reduces cost and time spent by catching problems early. Identifying the problem’s root in the early stages enables developers to maintain an agile environment and drive process improvement.

Approach

When investigating a cyber security incident, security operations teams must act quickly to identify and isolate the root cause of the event. The basic outline of the RCA process is identical across industries, regardless of the tools that individual practitioners choose to implement. A process for root cause analysis is described in the following four steps:

Identification and description:

the first step to a successful root cause analysis is the accurate identification and description of a problem. If the problem is poorly understood, it may prove difficult to correctly isolate the underlying causes of the problem. For IT operators responding to an automated alert from a security analytics tool, an initial problem statement could be “Our security system sent an alert”. Accurate event descriptions also play an important role in RCA. The starting point for a successful analysis should be a collection of accurate event descriptions detailing everything that happened in connection with the problem.

Chronology:

Once IT operators have identified the problem and associated events, they should be arranged in chronological order, as in a timeline or sequence of events. This makes it easy to establish and identify causal relationships between events connected to the problem. Organizations that leverage security analytics software can automate the collection of event logs and the integration of logs from multiple sources into a single, standardized format and platform. This streamlines the RCA process, helping these organizations get to step three of RCA at lightning speed.

Differentiation:

Differentiation is the third step of the RCA process. Here, investigators incorporate additional contextual data surrounding the events to understand how events are correlated. When a cyber security event is detected, security operators must analyze dependencies between events to distinguish between root causes, causal factors and non-causal factors within the system. Using a data analysis technique called event correlation, enterprise security analytics tools can filter through high volumes of computer logs from a variety of different sources and pinpoint the ones that are most likely to be connected to the problem.

Causal graphing:

In the final step of the RCA process, investigators are encouraged to produce a causal graph, diagram or another visual interpretation of the result of the RCA process. Causal graphing illustrates a sequence of key events that begins with the root causes and ends with the problem. This exercise demonstrates the logical pathway that was followed to determine how the problem occurred.

Why CyberSRC®?

Established in January 2018, CyberSRC® Consultancy offers the full machination of cyber security services ranging from threat intelligence, VMS to general advisory services in areas pertaining to Cyber security such as vulnerability attacks, compliance, and cyber security regulations, and laws. We are into system audits such as ISNP Audits, NBFC Audits, UCB Audits, PPI Audits, and SEBI Audits. We provide our solutions with better accountability. We are a certified assurance firm. We are an ISO 27001 certified organization, backed by a very diverse and dynamic team which have a combined experience.