Delzad P Mirza, CISO, Tata Technologies, in an interaction with EC’s Rachana Jha, describes his views on the present scenario of digitization and how a services provider like Tata Technologies is tackling cyber threats proactively.
Some edited excerpts…
How do you see the present scenario of digitization in the industry?
Digitization is all about agility, speed and connectivity. But, security cannot be an afterthought. In this day, cyber security in the age of digitization cannot be addressed through just traditional technologies. It has become a key strategic priority for organizations globally. It’s quite simple: You snooze, you lose.
While everyone agrees that security is critical, few really confront it or understand the significance of cyber security on the devices and platforms that they are working with. 2017 was an eventful year in this regard with a rise in phishing attacks, global ransomware attacks (WannaCry and NotPetya being the most famous among them), new attack vectors, Equifax and Anthem breaches, etc., which affected some of the biggest organizations in the world. These attacks severely affected multiple organizations’ bottom lines and came from multiple entry points. And these are just the financial consequences; we aren’t even considering the brand and reputation damage caused, as well as the loss of productivity.
2018 will not be much different, in fact, the expectation is that the number of attacks on organizations will rise, due to newer and stricter regulations around privacy such as the General Data Protection Regulation (GDPR). It’s basically a minefield out there. This quote sums it up: “Trust will be a casualty of the war on cybercrime”. Cyber criminals will go after Personally Identifiable Information (PII) and Sensitive Personal Information (SPI), because that is where the money is.
How is cybersecurity the biggest concern for an engineering services provider like Tata Technologies?
Cyber criminals are only getting smarter and staying one step ahead. As more devices come online, the risk faced by companies increases exponentially. The level of sophistication in each attack is evolving rapidly as well.
Tata Technologies is a global leader in Engineering Services Outsourcing and Product Development IT services to the automotive, aerospace and industrial heavy machinery industries. Our customers trust and rightly expect that the confidentiality, integrity and security of the Intellectual Property shared by them are maintained and secured by us at all times.
In an industry like ours, there is a need to have a cybersecurity framework for the automobile industry, similar to the likes of ISO and the privacy & health regulations that other industries mandate. Otherwise, the consequences could be disastrous: imagine a drawing of a future automobile being leaked. A proper framework along with a specific set of cyber security controls is the need of the hour.
What steps has the company taken to combat security threats?
Hackers enjoy one clear advantage: they need to find just one loophole to exploit and their job is done. At a very basic level, one initiative which we are focusing on is maintaining IT hygiene. It is as simple as having an accurate inventory of all our IT assets, keeping track of patch management cycles and ensuring that all systems have one “golden image” from an operating system perspective. It is also important for all systems to have an updated next-gen antivirus client, a software asset management client and for all these systems to be hardened with a pre-defined checklist.
We are also running many initiatives as part of our global cybersecurity roadmap such as Cloud Access Security Broker (CASB), Digital Protection, Encryption, etc., from a technology perspective. A CxO Cyber Defense Strategy Process has also been initiated where the InfoSec team will keep a vigil on the assets the CxO teams use to ensure they are always safeguarded.
In terms of security, what were the major initiatives taken in 2017?
Strengthening our InfoSec incident management process, upgrading to a next-gen antivirus, deploying a virtual patching solution to protect our critical servers are some of the initiatives we took up in 2017.
To elaborate on the virtual patching solution further – Tata Technologies has many servers/applications which are either in the production environment and/or exposed on the Internet. These servers are exposed to a range of vulnerabilities related to the operating system. These threats range from zero-day exploits to advanced persistent threats. The mechanism to prevent these threats from exploiting weaknesses identified on the servers is to harden the system. However, due to multiple reasons such as a patch not being released from OEM, not being applied on time causing production application/server malfunctioning, etc., it is not feasible to patch the server until and unless it is tested thoroughly before moving it into a production environment. This can take time and a patch may not be applied due to certain constraints. Due to these reasons, servers are left vulnerable and can be compromised.
We have carried out some assessments which confirm the same. Antivirus solutions are not enough to offer protection against the advanced threats and exploits in the wild. To counter this kind of threat, Tata Technologies has deployed a virtual patching solution which provides advanced server security for physical, virtual and cloud servers. This has been deployed over 250 servers within our core DC. It protects enterprise applications and data from ransomware, breaches and business disruptions without requiring emergency patching. This forms a protective shield around the server. Even if the server is not fully patched, this solution protects the server from zero-day exploits and vulnerabilities that are present. This gives server administrators sufficient time to patch their servers by testing it out thoroughly and moving into production as it shields known vulnerabilities like Shellshock and Heartbleed in enterprise applications and operating systems, offering protection from new attacks like ransomware. This solution also acts as an Intrusion Protection System, Firewall and Anti-Malware, strengthening protection against web threats, performing integrity monitoring and log inspection as well.
Recently we will be entering a new financial year. What are your plans for Tata Technologies from a security point of view?
At Tata Technologies, we have defined a solid Information Security roadmap over the next couple of months which is relevant and addresses today’s threats and risks. Digital protection, Robotic Process Automation, etc. are some of the plans on the roadmap. The end goal is to have an integrated security enterprise architecture which can cut down on complexity and, of course, increase security effectiveness.
A major focus area is creating a pervasive information security culture within the organization which stays continuous. Employees are and will always be the weakest link in the information security chain. Gamifying Information Security awareness is one of the things which we look forward to in the coming year. Keep it interesting – no one wants to go through a boring presentation with statistics. If the awareness programs are conducted in an interactive manner or if there are simulated war games concluded, it is easier to identify where your loopholes are.
Donald Rumsfeld has a famous quote where he says, “There are known knowns. These are things we know that we know. There are known unknowns; that is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know”. These unknown unknowns will always be a headache for Chief Information Security Officers. New risks will arise, but people must be familiar with these unknowns. Enhancing our risk assessment will help us uncover some of these “unknown unknowns” and plan accordingly.
Ultimately, information security is not about pitching a tool and saying that it will fix all our problems. There are no silver bullets and even the management does not need to know all the nitty-gritties of the technicalities. The key learning is – try and make it real for the C suite. If you translate threats and risks into a language they understand, they will be on board and support you. You need to show the senior leadership how money spent on information security will address existing business risk, improve enterprise risk posture and align information security spend to compliance issues.
What kind of technologies/solutions do you use to prevent theft or leakage of information from insiders?
Insider threats pose the greatest threat to organizations as compared to external hackers or state-sponsored hacking or competition. According to Accenture and HfS Research, 69% of enterprise security executives reported experiencing an attempted theft or corruption of data by insiders during the last 12 months in 2016.
Any employee (current or former) or third-party contractor/vendor who has or had access to an organization’s endpoints and intentionally misused that privilege to leave a negative impact on the organization poses a threat. As a result, when they break policy unintentionally or intentionally choose to misuse their privileges, their actions stand to do a tremendous amount of damage to any organization.
The unfortunate fact is that very few organizations concentrate or focus on information security and compliance controls/strategies to thwart this threat. How do we reduce the risk from insider threats? The first point of defense is the principle of least privileges. Does an organization know the number of server admins in the system? Are there any generic ids being used to log on to these devices? What kind of access do they have? Is there any monthly governance on the same? What about an organization’s sensitive ERP codes? It is a continuous cycle. There cannot be just one review. Data exfiltration points need to be monitored – are USB drives locked down? If they are allowed, are they restricted and encrypted only for specific systems and cannot be used on other systems? These questions need to be asked.
Employee awareness remains a top priority. It’s not just the training or the awareness – the reinforcement of organization-wide policies is also a must. It is high time organizations rethink their information security objectives of solely focusing on external threats and protecting their perimeter.
How can technologies like Artificial Intelligence (AI) be useful to your industry? In which areas do you think AI can be useful in security?
There are two areas where Artificial Intelligence and Machine Learning can assist CISOs and information security teams. One is by automating regular and menial tasks and the second is through threat detection and response. The latter is where there are more benefits. As mentioned earlier, cyber threats have become more and more sophisticated and are complex in nature. Machine Learning and Artificial Intelligence will play a huge role in predictive analytics.
In your opinion, what would be the top trends of 2018?
The top trends for 2018 are IoT, consumer privacy regulations/GDPR, artificial intelligence, machine learning, cryptocurrencies and, of course, the persistent cybersecurity skills shortage.