CISOs today are required to formulate policies and set the information security vision, keeping in mind the infosec strategy from the industry risk perspective, the global risks at that point in time, the business strategy and the regulators’ perspective, while balancing risk optimisation, business realisation and resource utilisation.
“Though the challenges are many, I would like to discuss a few top pain points which disturb every CISO in the current environment. Firstly, most of the intelligence feeds come in the form of bad IPs, hashes or URLs; the same are not sufficient and are very deceptive. Hackers are seen to adopt various techniques to manipulate and bypass such feeds and are able to dig deep into organisations’ networks. Over and above, in the case of file-less attacks or in-memory execution of malicious code/scripts along with legitimate or whitelisted processes, there is a need to consider a different approach which can provide proactive intelligence for timely detection and quick remediation. Thus, I feel that there is a need to fill this gap with a more mature approach which proactively senses threats well in advance on the basis of industry-specific IOCs (Indicators of Compromise) and the actions required as responses,” says Jagmohan Singh, CISO, Canara Bank.
He adds that this approach should focus on identifying the TTPs (Tactics, Techniques and Procedures) adopted by hackers/fraudsters and on preparing a directory/knowledge base of IOCs. TTPs and patterns identified in the respective security domains, like server, endpoint, network, application and database, should be mapped to IOCs, which in turn should be plugged into incident-response actions; these need to be automated (fully or assisted) with clear categorisation into discretionary and mandatory actions.
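The TTP-to-IOC-to-action mapping described above, as an added example that is not code from Canara Bank or from Singh: a small Python rule base run over constructed endpoint and network events. Host names, hashes and IP addresses are placeholders, and the behavioural rule (an encoded PowerShell command line spawned by an Office process) is one illustrative pattern for the file-less case that a hash- or IP-only feed cannot flag.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    """One knowledge-base entry: an indicator, the TTP it evidences and the
    response actions it is plugged into, split into mandatory (automated)
    and discretionary (offered to the analyst)."""
    name: str
    ttp: str
    domain: str                      # endpoint, network, server, application, database
    matches: Callable[[Event], bool]
    mandatory: Tuple[str, ...]
    discretionary: Tuple[str, ...]


# Constructed feed-style atomic indicators (placeholders, not real IOCs).
BAD_HASHES = {"9d5e3c0f1a2b4c6d8e7f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d"}
BAD_IPS = {"203.0.113.10"}

# Behavioural indicator for the file-less case: PowerShell with an encoded
# command, spawned by an Office application. The binary is legitimate and
# signed, so its hash is clean and a hash/IP feed never fires.
ENCODED_PS = re.compile(r"powershell(\.exe)?\s.*-(e|ec|enc|encodedcommand)\s", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

RULES: List[Rule] = [
    Rule("known-bad-hash", "Execution: known malware sample", "endpoint",
         lambda e: e.get("sha256", "") in BAD_HASHES,
         mandatory=("quarantine_file", "isolate_host"),
         discretionary=("collect_memory_image",)),
    Rule("known-c2-ip", "Command and Control: known infrastructure", "network",
         lambda e: e.get("dst_ip", "") in BAD_IPS,
         mandatory=("block_ip_at_perimeter",),
         discretionary=("hunt_for_same_destination_on_other_hosts",)),
    Rule("office-spawns-encoded-powershell",
         "Execution: file-less script via whitelisted binary", "endpoint",
         lambda e: e.get("parent", "").lower() in OFFICE_PARENTS
         and bool(ENCODED_PS.search(e.get("cmdline", ""))),
         mandatory=("kill_process_tree", "preserve_volatile_memory"),
         discretionary=("isolate_host", "reset_user_credentials")),
]


def feed_only_hit(event: Event) -> bool:
    """What a plain bad-hash / bad-IP feed would catch on its own."""
    return event.get("sha256", "") in BAD_HASHES or event.get("dst_ip", "") in BAD_IPS


def assess(event: Event) -> List[dict]:
    """Match every rule; each hit carries its TTP and both action classes."""
    return [{"rule": r.name, "ttp": r.ttp, "domain": r.domain,
             "mandatory": list(r.mandatory), "discretionary": list(r.discretionary)}
            for r in RULES if r.matches(event)]


def plan_response(event: Event) -> Dict[str, List[str]]:
    """Union of actions across all hits: 'auto' runs without a human,
    'queue' is put in front of the analyst for a decision."""
    auto, queue = set(), set()
    for hit in assess(event):
        auto.update(hit["mandatory"])
        queue.update(hit["discretionary"])
    # An action already mandated by one hit is no longer discretionary.
    return {"auto": sorted(auto), "queue": sorted(queue - auto)}


# Constructed sample events (synthetic host names, hashes and addresses).
SAMPLE_EVENTS: List[Event] = [
    {"host": "ws-101", "parent": "explorer.exe", "cmdline": r"C:\Users\a\invoice.exe",
     "sha256": "9d5e3c0f1a2b4c6d8e7f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d",
     "dst_ip": "198.51.100.5"},
    {"host": "ws-202", "parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "sha256": "b2c3d4e5" * 8,        # placeholder for the clean hash of powershell.exe
     "dst_ip": "192.0.2.77"},
    {"host": "ws-303", "parent": "explorer.exe", "cmdline": "notepad.exe",
     "sha256": "f0e1d2c3" * 8, "dst_ip": "192.0.2.2"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], "feed-only:", feed_only_hit(ev), "plan:", plan_response(ev))
```

The second event is the point of the exercise: `feed_only_hit` returns False for it because neither the hash nor the destination is in any feed, while the behavioural rule still maps it to a TTP and to a response plan in which memory preservation is mandatory and host isolation is left to the analyst.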
The second biggest challenge is to establish a connection between SOC teams and red teams. SOC teams need to holistically consider the results of penetration testing or red teaming to improve IOCs/use cases. However, there is a disconnect between the two, which is a major cause of weaker controls cropping up and of subsequent compromises, as is seen across industries. “I feel a purple team concept should be made mandatory for better exchange of information and well-defined collaboration between the two teams, in the interest of mature monitoring, early detection and quick reaction,” states Singh.
The third challenge, which according to Singh has a high impact, is the lack of skilled cyber security professionals. It is difficult to find the right talent for security monitoring, incident response and proactive detection tasks like ethical hacking and red teaming. Apart from this, a rising attrition rate is being recorded for core cyber security functions.
With the advent of newer delivery channels and collaborations, business dealings and transactions are becoming more and more complex and volatile. The fundamental approach in such a scenario is to practise ‘Open But Secure’. Since businesses are collaborating and partnering, a lot of data exchange is taking place across entities using various techniques like web services, APIs, infrastructure sharing, etc. “This brings into the picture various new threat vectors for data integrity, data secrecy and privacy-compliance-related issues. My advice to security practitioners is that while following the basic pillars of information security, we must also concentrate on defining a thorough and well-designed strategy for the collection and correlation of security intelligence, in order to initiate pre-emptive actions against probable threats. Of course, security awareness will also play a critical role in the efficient detection and aversion of cyber threats,” states Singh.
Robust IT security
“Apart from following the best practices, correlation of intelligence from different sources within the organisation as well as external/commercial intelligence feeds plays a very crucial role in deriving a robust security posture for any organisation. In fact, apart from preventive controls, detection and response is the ‘mantra’ in current times. However, certain best practices of utmost importance include: keeping security patches updated; following a defined SOP for the updating of patches, whether from the OEM or the SI (temporary patches); and, when patches are received through mail or a remote method, a system to ensure their authenticity, including approval to apply (using checksums etc.),” he informs. Further, benchmark configuration documents, and automated logging and alerting on any departure from the approved configuration, are also important. Since, for most threat vectors, phishing (or one of its different flavours) is emerging as the prominent attack vector, user awareness of such tactics and methods becomes very important. Apart from the aforesaid practices, another basic practice is to conduct a periodic and holistic review of network architecture and firewall rules.
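The patch-authenticity gate Singh describes (a checksum check plus an approval to apply before anything received by mail or remote transfer is installed), as an added example that is not the bank’s own tooling: a Python check against a constructed approval manifest. The file names, the patch bytes and the manifest entries are placeholders.

```python
import hashlib
import hmac
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed patch files standing in for real OEM/SI deliverables.
OEM_PATCH = b"MSP-placeholder: constructed bytes of an approved OEM patch\n"
SI_HOTFIX = b"ZIP-placeholder: constructed bytes of a temporary SI hotfix\n"

# Constructed change-management manifest. In practice it is published out of
# band (ticketing system, access-controlled share), never inside the same
# mail that carries the patch: whoever can forge the mail can forge a
# matching checksum just as easily.
APPROVED_PATCHES: Dict[str, Dict[str, object]] = {
    "kb-2024-001.msp": {"sha256": sha256_hex(OEM_PATCH), "source": "OEM", "approved": True},
    "hotfix-si-07.zip": {"sha256": sha256_hex(SI_HOTFIX), "source": "SI", "approved": False},
}


def verify_patch(name: str, data: bytes,
                 manifest: Dict[str, Dict[str, object]] = APPROVED_PATCHES) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'apply', 'hold' or 'reject'.

    Order matters: an unknown file is rejected before any hashing, a checksum
    mismatch is rejected before the approval flag is consulted, and only a
    file that matches AND is approved may be applied."""
    entry = manifest.get(name)
    if entry is None:
        return "reject", "not in the approved-patch manifest"
    # compare_digest avoids leaking the position of the first differing byte.
    if not hmac.compare_digest(sha256_hex(data), str(entry["sha256"])):
        return "reject", "checksum mismatch: tampered, corrupted or wrong file"
    if not entry["approved"]:
        return "hold", f"checksum OK but the {entry['source']} change is not yet approved"
    return "apply", f"{entry['source']} patch verified and approved"


if __name__ == "__main__":
    # Constructed cases: genuine, tampered (one trailing byte added), unapproved, unknown.
    cases = [
        ("kb-2024-001.msp", OEM_PATCH),
        ("kb-2024-001.msp", OEM_PATCH + b"\x90"),
        ("hotfix-si-07.zip", SI_HOTFIX),
        ("update-from-vendor.exe", b"attachment of unknown origin"),
    ]
    for name, blob in cases:
        decision, why = verify_patch(name, blob)
        print(f"{name:24s} {decision:6s} {why}")
```

A checksum ties the file to the approval record, not to the vendor: where the OEM signs its packages, verify that signature as well, and treat the manifest itself as a controlled artefact, since anyone who can edit it can approve their own payload.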
Awareness is going to play an important and deciding role in the days to come. “We should understand that hackers follow the principle of least resistance. As such, instead of trying time-consuming attack vectors, perpetrators are more than happy to use our people to execute what they want. In one of the recent attacks, the payload was dropped into the system in the form of a phishing mail containing a patch for one of the systems, which was installed by the administrator due to lack of control over the patch management process. Thus, the spending on creating awareness and training on security issues and best practices in infrastructure, coding and development, etc., should be considered a major strategic investment.”
Replying to the question of whether CISOs are getting enough IT budget, he says, “I feel this depends on the support of senior management and the culture within the organisation. In organisations which are mature and well sensitised towards the cyber environment, the boards consider cyber security a major business enabler and in turn are tuned to release a balanced budget for critical security projects. However, there are organisations which are not able to foresee cyber as a risk, again due to the lack of a mature risk management approach; they do not provide due budgets to CISO teams and become susceptible to the hacker community. In fact, the budget for security should be based on a well-defined business risk assessment carried out for the identification and prioritisation of business assets under cyber threat.”
Trends in business digitisation
While various technologies are making an impact on the way organisations function, Singh feels there are a few technologies which may see larger penetration and amalgamation with the digitisation of businesses. “AI is the one which has already started making its way into productivity. AI does not just mean RPA or intelligence replacing human effort; with AI for the future, I mean augmented intelligence assisting humans in creating user interfaces, automated decision-based intelligent triggering of actions, and analytics. Further, we can see a greater merger of AI and IoT technologies as IoT use is increasing in all spheres,” he remarks, adding that another technology where innovation is moving ahead is blockchain products.
The major hurdle in blockchain is the incentive for the compute required by a project in which different stakeholders have varying levels of interest; however, this technology is attracting significant interest from businesses looking to leverage its performance and efficiencies.