The threat posed by threat actors and ransomware groups to enterprise security has never been higher – polymorphic ransomware written in newer languages such as Rust and GoLang is easily evading known threat detection measures; the cost of insider threats has increased by 44% over the last two years; and a whole host of newer, stricter compliance mandates has forced CISOs and compliance officers to reevaluate their governance, risk and compliance (GRC) frameworks.
Highlighting the complexity of the present-day threat landscape, Vinay Bhide, Associate Vice President at Tata Communications Ltd., revealed in his keynote that it takes an average of 277 days to identify and contain a data breach. He also pointed out that the presence of multiple security products that operate in silos and the skills shortage in cybersecurity further complicate the problem.
The traditional reactive approach of collecting and analyzing security logs no longer suffices. “At Tata Communications, we’ve formulated and implemented the 5I framework, in which we identify business-critical applications and then figure out which logs we need to enable and ingest – this reduces false positives,” he said.
Praveen Mishra, senior vice president – information security at YES Bank, said: “We cannot have the same security solution for all applications – you need to have a customized solution based on the business use case and the threats it is exposed to.”
The biggest challenge that is often overlooked, Mishra pointed out, is the quality of security logs: “We can set up a rule to monitor suspicious activity, but there can be cases when the event itself is not logged. This is a common problem in cloud workloads. The biggest cloud exploits did not result from vulnerabilities, but from misconfigurations.”
Bringing to light the lack of collaboration between security leaders, Dinesh Kumar Srimali, global head of cybersecurity at UPL, said that in comparison to the speed and level of collaboration between cybercriminals, the enterprise has a lot of catching up to do.
Emphasizing the role of a security partner, Srimali said that vendors must be available at all times, even during odd hours.
Improving Mean Time to Detect and Mean Time to Respond
Mishra opined that it takes longer to detect advanced persistent threats or APTs because they lie dormant for long periods of time and do not leave signatures that can be picked up by the best of EDR or AV solutions – they can only be detected when activated by the command and control center.
“In addition to this, vulnerabilities are discovered at a rapid pace, but the mitigation cannot match that speed. This is a gap attackers are aware of and exploit,” he said.
The Log4j crisis is a perfect example to corroborate Mishra’s point – although the vulnerability existed for many years, organizations all over the world struggled to mitigate the risk and stop exploits.
In his opinion, threat hunting is one exercise that can really make a difference, but it is not yet widely practiced. “With proper threat hunting, which involves studying anomalies from previous threat logs and understanding malicious IPs and the actions carried out on them, the number of days to detect and mitigate threats can be cut down.”
Sharing some of the best practices to slash MTTD and MTTR, Srimali said that at UPL, IOCs are added to the threat intelligence platform. “In addition to red teaming and VAPT, we also conduct a lot of cyber crisis drills replicating phishing and ransomware attacks – this includes CFO, CEO response as well as cyber insurance procedures,” he said.
Threat intel key to preempting cyberattacks
Vikas Goyal, vice president – IT security at FIS, said that while cyberattacks cannot always be preempted, it helps if security teams are aware of the latest IOCs, current threats, and preventive measures shared and discussed in industry consortiums, such as the Fintech Convergence Council.
“Following threat intel, the second most important thing is to be able to bring all security logs together,” he added.
Upendra Singh, head of global security operations & engineering at HCL Technologies, underlined that the first step to building preemptive capabilities is to have visibility into the complete asset base and digital footprint. “You need to have holistic asset management – this not only applies to devices, but to APIs as well,” he said.
Additionally, he said that CISOs must also focus on both external and internal attack surface management and evaluate the access provided to the crown jewels.
The secret sauce to achieving visibility, according to Abhishek Bansal, head of non-financial risk and CISO at Max Life Insurance, is to gather information collectively from disparate sources, such as the SIEM and SOC, XDR, and dark web monitoring.
“You can take as many proactive steps as you want, but it’s a constant strife that keeps us all in business,” he added.
Rishi Rajpal, Director of Global Security at Concentrix, sums it up in a nutshell: “You are as intelligent as the intel feeds you’ve got. Threat intel feeds are the fuel to the SOC. Unless you determine the root of the problem – how did a machine get compromised, from where, what did the user click, what was the DNS query – you cannot effectively handle threats.”
In his opinion, one of the biggest challenges security leaders face is to be able to track threat actor groups and what they are up to.
Dr. Yusuf Hashmi, Group CISO at Jubilant Bhartia Group, believes that the two most important factors in managing threats today are the threat monitoring and response process and the vulnerability management process.
“If you can at least address and fix the vulnerabilities present in your environment, that could be your first step. The biggest challenge, however, is that you have to rely on your infra team,” he said.
How the 5I Framework Helps in Fulfilling Modern Enterprise Security Requirements
The operational, procedural and infrastructural challenges voiced by security leaders in the panel discussions established one common theme: CISOs need a single comprehensive threat and vulnerability management solution on a unified platform.
Tata Communications’ 5I approach addresses these key considerations and streamlines the entire threat management process.
The 5 I’s that constitute the framework are:
Identify the crown jewels across the heterogeneous IT environment;
Ingest log data from the identified critical assets into a singular data lake;
Improve logs using threat intelligence, correlation rules and several data models;
Investigate incident logs to decrease threat proliferation by analyzing similar historical patterns and dependencies; and
Involve human expertise and enable security automation for precise and faster threat response.
Tata Communications uses a unified platform that integrates the security information and event management (SIEM); security orchestration, automation, and response (SOAR); user and entity behavior analytics (UEBA); and cyber threat intelligence (CTI).
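As an added illustration of the first four I’s (this is not Tata Communications’ code, which the article does not show), the pipeline below runs constructed log lines through a constructed crown-jewel inventory, a constructed IOC feed and a simple brute-force correlation rule; every hostname, IP address, user and indicator in it is a made-up sample value.

```python
import re
from collections import defaultdict

# Identify: constructed inventory of crown-jewel assets (hostname -> tier)
CROWN_JEWELS = {"core-banking-01": "critical", "hr-portal": "high"}
# Improve: constructed threat-intel feed (known-bad source IP -> tag)
IOC_FEED = {"203.0.113.45": "constructed-c2-indicator"}
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) "
                    r"user=(?P<user>\S+) event=(?P<event>\S+)$")

def ingest(lines):
    """Ingest: keep only parseable events from identified critical assets."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("host") in CROWN_JEWELS:
            yield m.groupdict()

def improve(event):
    """Improve: enrich the event with its asset tier and any threat-intel hit."""
    event["tier"] = CROWN_JEWELS[event["host"]]
    event["ioc"] = IOC_FEED.get(event["src"])
    return event

def investigate(events, threshold=3):
    """Investigate: correlation rules - raise an incident on an IOC hit, or when
    >= threshold failed logins from one src/user/host are followed by a success."""
    failures, incidents = defaultdict(int), []
    for e in events:
        key = (e["src"], e["user"], e["host"])
        if e["event"] == "login_failure":
            failures[key] += 1
        elif e["event"] == "login_success" and failures[key] >= threshold:
            incidents.append({"rule": "brute_force_success", **e})
        if e["ioc"]:
            incidents.append({"rule": "ioc_match", **e})
    return incidents

def run_pipeline(lines):
    """Identify -> Ingest -> Improve -> Investigate; Involve is the analyst's step."""
    return investigate(improve(e) for e in ingest(lines))

# Constructed sample logs: dev-box is not a crown jewel, so it is dropped at Ingest.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z host=core-banking-01 src=198.51.100.7 user=ops event=login_failure",
    "2024-01-01T10:00:05Z host=core-banking-01 src=198.51.100.7 user=ops event=login_failure",
    "2024-01-01T10:00:09Z host=core-banking-01 src=198.51.100.7 user=ops event=login_failure",
    "2024-01-01T10:00:12Z host=core-banking-01 src=198.51.100.7 user=ops event=login_success",
    "2024-01-01T10:05:00Z host=hr-portal src=203.0.113.45 user=svc event=login_success",
    "2024-01-01T10:06:00Z host=dev-box src=203.0.113.45 user=dev event=login_success",
]
```

Running `run_pipeline(SAMPLE_LOGS)` yields two incidents: the brute-force success on the core-banking host and the IOC match on the HR portal, while the identical IOC hit on the non-critical dev box never enters the data lake.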
While CISOs are gunning to shore up their threat management and response capabilities, they unanimously voiced the need for security solutions to keep pace with digital transformation initiatives.
As organizations turn to Low-Code/No-Code (LCNC) platforms to shorten the software development lifecycle, CISOs are automatically under pressure to ensure that the security measures they bring in match the speed of deployment of other IT initiatives.
The problem here is that large-scale security deployments built around frameworks are often time-consuming. Tata Communications identified this requirement and built rapid deployment into its security offerings for the modern enterprise.
According to Bhide, Tata Communications is able to onboard customers and roll out deployments within just two weeks.
In addition to rapid onboarding, CISOs benefit greatly from a rich feed of use cases.
Because Tata Communications carries a third of global internet traffic and operates 25-30 scrubbing centers, the company is able to mine close to 180 TB of data each month and ingest that data into its cyber threat intelligence (CTI) platform. This has also allowed the company to develop a large repository of custom use cases.
“We don’t just develop a playbook for a customer and then store it in our repository, we go with the complete development life cycle – following the development stage, we carry out validations, we then apply it to the environment and comprehensive tests are carried out. Assurance testing is done and only after this, we add it to the repository,” Bhide explained.
With a comprehensive suite of threat monitoring and response capabilities that is able to quickly react to new and emerging threats, the company promises the ultimate security objective of the modern enterprise – the ability to preempt and respond to cyberattacks.
NOTE: This article is a part of ETCISO Brand Connect Initiative.