Ashish Tandon, Chairman & CEO, Indusface, discusses the evolving security scenario, the growing need for web application firewalls and the challenges faced by CIOs and CISOs in an interview with Sanjay Gupta. Excerpts:
The security landscape is already crowded with too many vendors. So why another one—why Indusface?
The current cyber scenario is extremely dynamic. There has been an incremental increase in the number of new vulnerabilities in web and mobile applications, leading to frequent online attacks in the last few years. In 2012, 5,291 new vulnerabilities were discovered, and 415 of them were on mobile operating systems. Cyber attacks are now more sophisticated and focussed, and the losses, both financial and to the brand's reputation, are in most cases very hard to recover from. There is a pressing need for an exhaustive range of application security solutions that not only provide total application security to a company's business but also aid it in meeting compliance requirements.
Indusface was set up in 2004 as a consultancy helping and advising organisations on compliance requirements as IT infrastructure was being laid in the country. Having gained a solid understanding of the security space, in 2010 Indusface built a website security product, IndusGuard Web. It is a zero-touch, non-intrusive, cloud-based solution which safeguards web applications by daily, automatic and comprehensive scanning for system and application vulnerabilities, and malware. The company then built on its offerings, one after the other.
Currently, with a slew of offerings, IndusGuard Mobile, IndusGuard PCI, and the latest, IndusGuard WAF, Indusface provides organisations with a complete suite of comprehensive application security solutions.
CIOs and CISOs are increasingly using more security solutions at multiple layers, yet the threats and vulnerabilities continue to rise. Your comments?
As audiences are moving quickly into the social web, so are the attacks. Additionally, as emerging operating systems/platforms and mobile devices become more popular, they are targeted more. At the same time, malicious attackers are increasing the number of traditional attacks on personal computers, with quickly changing tactics and adding new twists on old plots.
CIOs and CISOs must opt for products that are intelligent and pre-emptive, from companies that are continually innovating new solutions and not merely announcing version updates. According to Gartner, 75% of cyber attacks take place at the web application layer, which means it is very critical to protect the application layer. Companies recognised this, and the web application firewall (WAF) came into being. But the risk of false positives, i.e. the obstruction of legitimate traffic that creates service interruptions, has hindered the wide-scale adoption of WAFs. Indusface is the first company to guarantee zero WAF false positives with respect to the fixing of known vulnerabilities and to ensure that no legitimate web traffic is affected. This is a game changer for the adoption of WAFs globally.
In my opinion, CIOs ought to analyse thoroughly before opting for a security solutions provider, as security is a critical component in protecting the intellectual capital of an organisation.
Large vendors have bigger threat intelligence resources and can provide end-to-end solutions. Where does that leave niche solution providers like Indusface?
The differentiation here is whether the customers would settle for ‘middle-of-the-road’ solutions from one vendor or opt for ‘top-of-the-line solutions’ from different agile vendors.
Further, please understand that today's scenario is very dynamic and technology is evolving every minute. Large organisations have a lot of systems, procedures and processes to follow, and hence longer lead times to develop solutions and services.
Focussed solution providers like Indusface provide enhanced, cutting-edge security solutions that focus on the issues at hand and can quickly evolve and adapt to new challenges. The rapid development cycle of cyber attacks demands swift innovation on the part of security vendors. Very often the large players are slow to respond to such needs because of the stringent and elaborate processes they must follow, but the security market calls for constant focus and innovation, as the hackers are also innovating. Only agile players can keep pace with ever-smarter hackers.
How is the money spent on information security rising globally and in India? What are the constraints under which CIOs/CISOs are operating?
According to analysts' forecasts, the global IT security spending market is expected to grow at a CAGR of 9.29% over the period 2012-2016. One of the key factors contributing to this market growth is the need to improve the quality of protection. The market has also been witnessing increasing demand for cloud-based security solutions. However, the high cost of implementation could pose a challenge to the growth of this market.
India is one of the most cyber-attacked countries in the world, but it is only now that it is giving the much-needed importance to information security. A research report showed a disturbing increase of 136% in cyber threats and attacks against Indian government organisations and a 126% increase in attacks targeting financial services organisations. Cyber-crimes cost India a whopping Rs 24,630 crore ($4 billion) in 2013 alone.
The constraints under which CIOs/CISOs operate include tight budgets; gaps in compliance, where a shift is required from compliance alone to continuous monitoring; the need for the company's own staff to understand security; integrating security into operations and the entire systems development life cycle; and spending time complying with regulations and completing assessments (when they should actually be spending their energy on mitigating threats), among others. Also, employees are wary of security departments within an organisation. The more afraid people are, the longer they delay bringing forward security issues. Sometimes issues that could have been nipped in the bud become too big and complex, causing considerable financial loss and brand image damage.
How relevant or useful are firewalls when most new attacks are socially engineered or persistently targeted?
We must understand the difference between network firewalls and web application firewalls at this juncture. A network firewall defends the perimeter of the network at Layers 3-4, while a WAF operates at Layer 7, between the web client and the web server. It analyses application-layer traffic and blocks illegitimate traffic while providing smooth passage to legitimate traffic.
Web application firewalls focus on the application layer, the point at which the user is interacting with the application, e.g. the landing page of www.bank.com that an average user interacts with.
Socially engineered attacks result in a user compromising their own security credentials. This is akin to an individual giving away copies of the keys to their front door to strangers. Users cannot blame the lock manufacturer if the strangers misuse the keys and compromise the sanctity of their house. Does this mean you would rather have a weak front door? Web application firewalls make the front doors of web assets stronger. Properly deployed web application firewalls with constant monitoring are like hiring a security guard to guard your front door. Protecting your keys is still important, but having a guard watching your front door 24×7 definitely helps.
In times of socially engineered and persistent attacks, organisations should sign up for a hybrid analysis—i.e., web application scanning with a managed web application firewall, which works on behavioural analysis. A managed WAF scans your traffic and creates rules based on it, thereby evolving the protection as per the traffic. Gartner mentioned in a recent report that any organisation that owns a public website, makes internal web applications available to partners and clients, or has business-critical internal web applications, should consider investing in a WAF.
The years 2013 and 2014 have been notorious for sophisticated DDoS attacks. A managed WAF with a DDoS prevention rule, with the right thresholds configured for raising alerts, along with human intervention to act on those alerts, can be used to block the traffic if the DDoS attack is at the application level. In other words, your WAF vendor manages the incoming traffic by profiling its behaviour, which is done with the help of manual intervention. Once this is done, the appropriate security policies can be applied to mitigate DDoS attacks.
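The last two answers describe two things a WAF can do that a Layer 3-4 firewall cannot: key on the HTTP request itself (client, method, path) rather than just addresses and ports, and apply an alert threshold separate from a block threshold so that an operator reviews before traffic is dropped. The following is an added example written for this page, not Indusface's product or any vendor's rule engine; the access-log format, the thresholds, the IP addresses and the operator-maintained exempt list are assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict, deque

# Assumed access-log format, constructed for this example:
#   "<client_ip> <unix_ts> <method> <path>"
LOG_RE = re.compile(r"^(\S+) (\d+) (GET|POST) (\S+)$")

WINDOW_SECONDS = 10      # sliding window length (assumed)
ALERT_THRESHOLD = 20     # requests per window that raise an alert for an operator (assumed)
BLOCK_THRESHOLD = 50     # requests per window that block the client outright (assumed)


class AppLayerRateRule:
    """Per-client request-rate rule of the kind a WAF applies at Layer 7.

    A network firewall at Layers 3-4 sees only addresses and ports; this rule
    is fed parsed HTTP requests, so it can count hits from one client across
    a window and distinguish an alert level from a block level.
    """

    def __init__(self, window=WINDOW_SECONDS, alert_at=ALERT_THRESHOLD,
                 block_at=BLOCK_THRESHOLD, exempt=()):
        self.window = window
        self.alert_at = alert_at
        self.block_at = block_at
        self.exempt = set(exempt)       # operator-maintained allowlist (e.g. a partner's scanner)
        self.hits = defaultdict(deque)  # client_ip -> request timestamps inside the window
        self.blocked = set()            # clients that stay blocked until an operator unblocks them

    def observe(self, client_ip, ts):
        """Return 'allow', 'alert' or 'block' for one request from client_ip at time ts."""
        if client_ip in self.exempt:
            return "allow"              # human decision overrides the rule: avoids false positives
        if client_ip in self.blocked:
            return "block"
        window = self.hits[client_ip]
        window.append(ts)
        while window and window[0] <= ts - self.window:
            window.popleft()            # drop timestamps that have aged out of the window
        count = len(window)
        if count >= self.block_at:
            self.blocked.add(client_ip)
            return "block"
        if count >= self.alert_at:
            return "alert"              # notify an operator; traffic still passes
        return "allow"

    def unblock(self, client_ip):
        """Human intervention: lift a block after an operator has reviewed the alerts."""
        self.blocked.discard(client_ip)
        self.hits.pop(client_ip, None)


def evaluate(log_lines, rule):
    """Run every log line through the rule; return per-client decision counts."""
    counts = defaultdict(lambda: {"allow": 0, "alert": 0, "block": 0})
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                    # ignore lines that do not match the assumed format
        client_ip, ts = m.group(1), int(m.group(2))
        counts[client_ip][rule.observe(client_ip, ts)] += 1
    return {ip: dict(c) for ip, c in counts.items()}


def sample_log():
    """Constructed traffic: one flood, one normal user, one noisy but trusted partner."""
    lines = []
    # 203.0.113.7 posts to /login 60 times in five seconds: an application-layer flood
    lines += [f"203.0.113.7 {1000 + i // 12} POST /login" for i in range(60)]
    # 198.51.100.5 browses at roughly one request per second: legitimate traffic
    lines += [f"198.51.100.5 {1000 + i} GET /account" for i in range(15)]
    # 192.0.2.9 is a partner's authorised scanner that the operator has exempted
    lines += [f"192.0.2.9 {1000 + i // 12} GET /api/items" for i in range(60)]
    return lines


if __name__ == "__main__":
    rule = AppLayerRateRule(exempt={"192.0.2.9"})
    for ip, decisions in evaluate(sample_log(), rule).items():
        print(ip, decisions)
```

Running it shows the flood source passing 19 requests, raising alerts on the next 30 and being blocked from the 50th onward, while the one-request-per-second user never trips the alert level and the exempted partner address is never counted at all. The gap between the two thresholds is where the "human intervention" in the answer above lives: an operator who sees the alerts can raise the limits, exempt the client, or let the block stand, and can call unblock() once the traffic has been judged legitimate.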