
Ms think-tank-coffee-table-book


Discussion on issues of contemporary concern and knowledge sharing on prevalent practices in the cyber security community.



  1. Presents
  2. © Copyright 2018 by 9.9 Group Private Ltd

     Program Coordination: Deepak Sharma, R Giridhar, Renuka Deopa, Sachin Mhashilkar, Vandana Chauhan
     CISO Think Tank Book: R Giridhar, Shyamanuja Das, Shubhra Rishi
     Art & Design: Shokeen Saifi
     Microsoft Team: Aneesh Dhawan, Anish Chandy, Anil Malekani, Chakrapani Dasika, Iftekhar Husain, Stafin Jacob, Terrence Gomes, Vaibhav Gupta, Vanitha Varadarajan

     Disclaimer: This publication is distributed and made available with the understanding that no express or implied guarantees or warranties have been made, or are made, by the publisher. While every effort has been made to make the information presented here as complete and accurate as possible, it may contain errors, omissions or information that was accurate as of its publication but has subsequently become outdated by marketplace or industry changes, new laws or regulations, or other circumstances. The publisher does not accept any liability or responsibility to any person or entity with respect to any loss or damage alleged to have been caused, directly or indirectly, by the information, ideas, opinions or other content in this publication. All errors, omissions and corrections may be brought to the notice of the publisher for rectification in subsequent editions of this publication.

     Published and printed by 9.9 Group Private Ltd, 121, Patparganj, Mayur Vihar Phase 1, New Delhi-110 091. This publication is for private circulation only. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any other means without prior written permission of the publisher, or otherwise circulated in any form or binding or cover other than that in which it is published, and without a similar condition being imposed on the subsequent purchaser. All company, product and service names mentioned in this book may be trademarks or service marks of others, and are duly acknowledged.
  3. CONTENTS
     • Publisher's Note: Wear Your Thinking Cap (04-05)
     • Sponsor's Note: Partnering on Security (06-07)
     • Prologue: Setting The Context (08-09)
     • Methodology: Our Modus Operandi (10-15)
     • About The Authors (16-17)
     • SECURITY STANDARDS & CERTIFICATIONS: WHICH ONES MATTER? by Anil Porter, AVP - IT & GDS Services, Interglobe Technology Quotient (18-23)
     • DEVELOPING AN EFFECTIVE SECURITY OPERATIONS CENTRE by Anis Pankhania, General Manager – IT Delivery Excellence, Vodafone India (24-29)
     • BEYOND THE ENTERPRISE— SECURING THE THIRD PARTY ECOSYSTEM by Anuj Tewari, CISO, HCL Technologies (30-35)
     • HARNESSING THE POWER OF COLLECTIVE INTELLIGENCE FOR CYBER SECURITY by Colonel Darshan Singh, Vice President, ABB India (36-41)
     • THE ART OF SECURITY MANAGEMENT: GAINING VISIBILITY AND CONTROL by Jagdeep Singh, CISO, Rakuten India (42-47)
     • AI & MACHINE LEARNING APPLICATIONS FOR CYBER SECURITY by Rajeev Verma, Deputy General Manager – Information Security, SRF (48-53)
     • RISK-BASED APPROACH FOR APPLICATION DEVELOPMENT by Rajendra Mhalsekar, President and Head Corporate Banking Technology, Yes Bank (54-59)
     • ALIGNING SECURITY AND RISK MANAGEMENT WITH BIMODAL IT by Rajiv Nandwani, Director, VP – GIS & CISO, VP – Facilities, InnoData (60-65)
     • COMPLIANCE AND RISK MANAGEMENT BEYOND IT by Satyanandan Atyam, AVP, Head Risk Management & CISO, Bharti AXA General Insurance (66-71)
  4. CISO Think Tank: “This publication aims to spur discussion on some issues of contemporary concern and to share knowledge on prevalent practices in the cyber security community.”
  5. Publisher’s Note: WEAR YOUR THINKING CAP

     Cyber security has gone from the back room to the boardroom. And the reasons are not far to seek. Scarcely a week passes without newspaper headlines proclaiming the exposure of thousands of customer records, theft of digital currencies, or valuable corporate IP being siphoned away. The problem is so pernicious and ubiquitous that the digital crime economy now dwarfs the illegal drugs industry. This situation is unlikely to change soon.

     As economic pressures and customer demand compel organizations in India to rethink and re-engineer their business processes, the use of technology to automate and speed up operations is increasing. Previously isolated systems are getting linked, and new types of interdependent digital ecosystems are being formed. The mobile revolution, cloud services and the advent of IoT have also contributed to the dissolution of the enterprise perimeter. Consequently, traditional cyber defenses are no longer adequate for this new digital world.

     In fact, the velocity of change in business operating models is so rapid that IT departments are struggling to cope. And in the haste to capture market opportunities, security and prudence are sometimes taking a back seat—with disastrous outcomes. At other times, it is the ingenuity of the attacker that beats the best systems. Cyber criminals, now working in concert, have developed increasingly sophisticated exploits—and even the best defended systems are succumbing to their inexorable attacks. In the midst of this maelstrom are the CISOs—aided by new technologies and techniques—striving to avert the ever-imminent calamity.

     This publication aims to spur discussion on some issues of contemporary concern and to share knowledge on prevalent practices in the cyber security community. We hope you find the content, which has been put together by members of the information security community, useful and insightful.

     Vikas Gupta, Director, 9.9 Group Pvt. Ltd & Publisher, CSOForum
  6. CISO Think Tank: PARTNERING ON SECURITY
  7. Sponsor’s Note

     “The CISO Think Tank in India has been a great way for us to engage, collaborate and get feedback from our customer CISOs on the modern day threat landscape.”

     Microsoft’s mission is to empower every person and every organization on the planet to achieve more. As our CEO, Satya Nadella, stated, “Businesses and users are going to embrace technology only if they can trust it”, and therefore we want to make sure our customers can trust the digital technology that they use. We have made investments in privacy and control, security, compliance, and transparency, and especially in those features that matter the most to our customers. We’re committed to being a leader in this space, but security is not a problem we can address alone.

     Microsoft’s approach to security encompasses three pillars: Platform, Intelligence and Partnerships. Our commitment is to make sure our products work with the technology you already use, based on your feedback, leveraging the collective intelligence we can build, and to foster a vibrant ecosystem of partners who help us raise the bar across the industry. Microsoft collaborates extensively with governments and organizations around the world in sharing industry standards, providing guidance on cyber security best practices, and engaging in protecting critical infrastructure sectors.

     The CISO Think Tank in India has been a great way for us to engage, collaborate and get feedback from our customers/CISOs on the modern day threat landscape relevant to India. It has also helped us establish deep and continuous engagement with the CISO community to share information about the latest developments in cyber security, impart knowledge on best techniques and practices, and facilitate peer-to-peer knowledge sharing amongst CISOs and security practitioners.

     Through this initiative we have also been able to collaborate with the CISOs on 9 cyber security whitepapers across several critical topics like managing security, risk, compliance, partner ecosystems and collective cyber security intelligence. The CISO Think Tank digital coffee book will further help us share our learning and best practices with the larger community and leverage digital/social tools further for collaboration on these topics. Thanks to all the CISOs and 9.9 Group for being part of the CISO Think Tank initiative so far. A special thanks to the authors of the digital coffee book whitepapers for their thought leadership! We look forward to a continued strong journey with you in our fight against cybercrime.

     Vanitha Varadarajan, Director-Security Solutions, Microsoft India
  9. Prologue: SETTING THE CONTEXT

     The CISO Think Tank is a compilation of community-led and community-driven content that is timely, useful and relevant to cyber security practitioners. The main purpose of putting together this document is to facilitate peer-to-peer discussion and information sharing, and to share the latest developments in cyber security. This book provides a platform for recognizing CISO expertise.

     For the CISOs, it is just the right time to finalize their priorities. The CISO role today is becoming more business focused. While it still involves making decisions, performing risk assessments and understanding the latest technology solutions in the market, it is increasingly about influencing, stakeholder management, positioning and communication.

     The CISO Think Tank is designed to help impart knowledge on best techniques and practices. It lists a broad set of topics for CISOs to focus on—and sets the tone for the rest of the year! This book also displays a CISO’s deep understanding of the ‘what’ and the ‘how’ of some of the most relevant security topics. It gives them an opportunity to address the challenges and offer recommendations and solutions based on the CISO’s experience in their area of expertise and interest. This book lends some very important perspectives from some of your peers in the industry.

     The CISO Think Tank also sets the context for the 10th Annual CISO Summit, where some of the top security professionals will gather to discuss issues of contemporary relevance that are likely to influence the CISO’s role in the enterprise.
  10. CISO Think Tank: OUR MODUS OPERANDI
  11. Methodology

      In the last quarter of 2017 and early 2018, a series of meetings were organized in Delhi, Mumbai and Bangalore with members of the CISO community to discuss the emerging security challenges, review the latest developments in cyber security technologies, and share learnings on best techniques and practices. It was soon apparent that the collective knowledge and insights would be of great value to the entire community—and needed to be widely disseminated. That was the genesis of this volume.

      A list of topics was prepared on the basis of research and discussion with the Advisory Committee Members and India’s leading CISOs. Cyber security practitioners attending the CISO Think Tank meetings were invited to take up a topic—and prepare a whitepaper or presentation. Some authors opted to work together in teams to prepare the document—while others went solo. Advisory support was provided by technical experts from Microsoft’s cyber security practice. Each author group was provided with a basic framework for preparing the presentation, along with guidelines for writing a white paper.

      All nine teams worked on the initial drafts—and presented their work at a second Think Tank meeting in February-March 2018. The teams made a short presentation to the group at the meeting, and other CISOs were encouraged to provide inputs, advice and suggestions to the authors. The final version of all the presentations was submitted in March 2018.

      USING THIS BOOK

      Each paper in this volume is focused on a specific facet of cyber security and has been organized to provide information in a concise and comprehensive fashion. You can use this as a workbook to gauge your own knowledge and organizational readiness—and as a starting point to initiate action.

      CISO Think Tank has been prepared with the involvement of most of the participating CISOs in CSOForum’s advisory board. It delves into issues of contemporary relevance that are likely to influence the CISO’s role in the enterprise. CSOForum circulated a basic brief on each of the topics to the respective chairpersons. It also shared a framework for presentation, with full independence for chairpersons to modify it as needed. All the CISOs were divided into 9 working groups. Each group worked on one specific topic, which appears as one whitepaper in this book. The whitepapers will be compiled and published as a book, and sent to the entire CISO community. The topics were decided after thorough research by the CSOForum edit team and consultations with selected CISOs.
  12. MUMBAI (27th September 2017; 15th March 2018)

      The first session of the seven-part CISO Think Tank Series organized by CSOForum in collaboration with Microsoft commenced at the Bandra Kurla Complex in Mumbai, on 27th September 2017. The event was attended by 25+ CISOs of leading organizations based in Mumbai, India. They discussed the emerging security challenges and reviewed the latest developments in cyber security technologies, during which several security topics were prepared on the basis of research with the Advisory Committee Members and India’s leading CISOs. Cyber security practitioners attending the CISO Think Tank meetings were invited to take up a topic—and prepare a whitepaper or presentation. Some of these topics were presented on 15th March 2018, during one of the CISO Think Tank workshops in Delhi.
  13. DELHI (27th October 2017; 8th February 2018)

      The second session of the seven-part CISO Think Tank series took place on 27th October at The Leela Ambience, Gurgaon on 20th November 2017. The event was attended by 25+ CISOs of leading organizations as well as senior Microsoft delegates based in Delhi, where they chose topics for whitepapers that they would later present on 8th February 2018, at the same venue in Delhi.
  14. BENGALURU (20th November 2017; 22nd February 2018)

      The third meet of the seven-part CISO Think Tank series took place on 20th November 2017 at Vivanta by Taj, Bengaluru. The event was attended by 25+ CISOs of leading organizations based in Bengaluru, where they chose topics for whitepapers that they would later present on 22nd February 2018, at the same venue. The delegates from Microsoft also gave presentations on select security topics, adding context to the series.
  15. KOLKATA (25th April 2018)

      The last session of the CISO Think Tank series commenced at The Lalit in Kolkata. The event was attended by security practitioners from leading organizations in Kolkata. Microsoft conducted a security workshop and discussed a wide range of topics, including cyber security best practices in today’s landscape, among others.
  16. Authors’ Profiles
      • ANIL PORTER, AVP - IT & GDS Services, Interglobe Technology Quotient (p. 19)
      • ANIS PANKHANIA, Head - Products and Applications - IT - Customer Experience, Vodafone India (p. 25)
      • ANUJ TEWARI, CISO, HCL Technologies (p. 31)
      • COL. DARSHAN SINGH, Vice President & Head - Security, India Sub Region, ABB India (p. 37)
  17. • JAGDEEP SINGH, CISO, Rakuten India (p. 43)
      • RAJIV NANDWANI, Director, VP – GIS & CISO, VP – Facilities, InnoData (p. 61)
      • RAJENDRA MHALSEKAR, President & Head Corporate Banking Technology, Yes Bank (p. 55)
      • RAJEEV VERMA, Deputy General Manager - Information Security, SRF (p. 49)
      • SATYANANDAN ATYAM, Associate Vice President, Bharti AXA General Insurance (p. 67)
  18. CISO Think Tank: SECURITY STANDARDS & CERTIFICATIONS: WHICH ONES MATTER?
  19. Security Certifications

      Businesses today are realizing the growing importance of data security. But the rising incidence of cyberattacks and the lack of security skills within organizations is a huge concern. In the last few years, India has witnessed disruptions from cyber attacks through ransomware such as WannaCry and Petya, among others. These attacks and breaches threaten to trigger heavy damages, including loss of data and disruptions in business. They could also include regulatory compensation. So, policy, rules and practices must address cybersecurity and data breaches.

      CISOs must re-look at their data protection applications and build innovative new applications that generate rich insights into business, industry and customers, enabling them to make informed decisions, to quickly take decisive action, and to protect this data against any breach. This data protection need is constantly evolving, and it is becoming extremely crucial for Indian organizations to focus not only on data protection but also on data recovery. There are certain practices that CISOs must adopt to protect their business from data losses. Clearly, data is changing hands from devices to data centers to cloud, and therefore CIOs must analyze how fast and efficient their data protection infrastructure is, and which new elements are being used to make it as efficient as possible.

      Increasingly, organizations are realizing the need to have standard practices not only for protecting their assets, but also for data recovery. Therefore, CISOs need to conduct a thorough risk assessment, and in doing so recognize that every organization’s risk profile is different: one size, standard or certification won’t fit every organization. A standard control requirement may effectively close a gap in one instance, but not work well in another. Not every risk can be avoided or effectively mitigated. Risk management requires some level of risk to be understood, communicated and, ultimately, accepted.

      Anil has over 20 years of technical experience in the information security field. His responsibilities include conducting employee security awareness training, developing secure business and communication practices, identifying security objectives and metrics, choosing and purchasing security products from vendors, ensuring that the company is in regulatory compliance with the rules of relevant bodies, and enforcing adherence to security practices. Anil has comprehensive experience in building high performance teams, in-sourcing vendor operations, auditing IT general controls, business transitions and network security, among others.

      ANIL PORTER, AVP - IT & GDS Services, Interglobe Technology Quotient
  20. THE PROBLEM: What to protect? Too much to protect, or too much hype!
      • The biggest challenge for CIOs and IT leaders in 2018 is the strategic protection of PII and data for their enterprises
      • IT skills gap: a shortfall between the supply of qualified IT professionals and the necessary IT skills
      • Merging old and new
      • Legacy processes, and the willingness of the business to fund risk posturing when no defined model and matrix is available
      • Needless to say, one size (standards & certifications) doesn’t fit all

      WHY DOES IT EXIST?
      • To date there is no defined model and matrix available as a guide to different sizes and classes of business
      • CIOs are confused and driven more by the hype cycle
      • Threat of being out-of-date, both for the CIO and for technology selection
      • No ROI model available to get funding to protect: what and whom
      • Consultants will always do an overkill

      HOW DO WE DEAL WITH IT?
      • KIS (Keep It Simple)
      • Risk assessment of the business across all functions
      • Get a heat map and relative ranking of all risks recorded in the risk register
      • If IT/Info Security/End Point Protection/Data at various end points gets listed in the top 10, then you will have business buy-in

      CHALLENGES & RISKS
      • Most organizations do not accept and acknowledge information as a risk
      • Data is the core that needs protection and has never been classified (including IP/IPR, source code, structured and unstructured DBs)
      • Run various scenarios of data loss or theft with key stakeholders and get their impact analysis on the business, which should include all aspects such as financial, brand, customer loyalty, future earnings, stock price, etc.

      NEXT STEPS: Keep IT simple
  21. Security Certifications

      Needless to say, one size (standards & certifications) doesn’t fit all. To date there is no defined model and matrix available as a guide to different sizes and classes of business.

      THE BEST PRACTICE TOOLKIT

      The toolkit positions an organization on three axes:
      • Employee size: 0-200 / 200-500 / 500 and above
      • Risk ranking based on the enterprise risk register: Low / Medium / High / Critical
      • Complexity of the IT landscape of the organization: Ad-hoc / Prescribed / Standardized / Quantitative & Optimized

      Recommended controls by IT landscape level:
      • Ad-hoc: System Hardening, AV, Firewall
      • Prescribed: System Hardening, AV, Firewall, HIPS, DLP, Encryption, SSO, SIEM, Content Filtering
      • Standardized: System Hardening, AV, Firewall, HIPS, DLP, Encryption, SSO, SIEM, Content Filtering, ISO 9001
      • Quantitative & Optimized: System Hardening, AV, Firewall, HIPS, DLP, Encryption, SSO, SIEM, Content Filtering, ISO 9001, ISO 27001, ISO 20000
  23. Future Forward: PwC RECOMMENDS

      Define your own operating model framework for information security, which requires a deep understanding of the organization’s strategy, culture, politics, risks and regulatory regime.
  24. CISO Think Tank: DEVELOPING AN EFFECTIVE SECURITY OPERATIONS CENTER
  25. Security Operations

      Anis has over 21 years of rich experience in leading the Information Security function. He possesses sound knowledge of ISO standard audits, PCI DSS audits, network security, governance, and IT and security processes. Anis has held several leadership positions with large telecom and IT companies in India. He has established IT divisions from scratch, including design of strategy and execution roadmap, operating procedures, multi-site facilities, and end user workspace for over 10,000 users.

      ANIS PANKHANIA, General Manager – IT Delivery Excellence, Vodafone India Ltd

      The threat environment confronting a business organization today is daunting. Not only are data breaches growing larger, disruptions to business operations by malevolent entities are becoming increasingly frequent and disruptive. Organizations can no longer rely on basic security solutions like firewalls and anti-virus software to thwart increasingly sophisticated threat vectors. You need to employ multiple kinds of technological defences and maintain an unremitting vigil to take protective or preventive action when a threat is identified.

      This is easier said than done. The attack surface for a medium to large organization with hundreds of employees, multiple operational systems and numerous offices is already daunting. When you add in the proliferation of new technologies such as Internet of Things (IoT), cloud, and fuzzy network perimeters, the risk of falling prey to a cyber-attack increases dramatically. So, it’s no surprise that many organizations are looking to either implement a new Security Operations Center (SOC) or enhance an existing one to reduce the risk of delays in detecting and responding to cyber incidents. However, to create and operate a successful SOC, organizations need to invest in three things: People, Processes and Technology.

      • People: Having the right people to staff the SOC is essential to success. Team members will need to have proper skills and training, since they will be making security-related decisions that will impact every facet of the business.
      • Processes: Having a consistent, well-defined and regularly-tested process will ensure that the SOC is effective and efficient. Hence, before operationalizing a SOC, proper policies and procedures should be defined, along with responsibilities for individuals.
      • Technology: Security technology is crucial to protecting data, detecting threats and alerting teams. Often, the core of the SOC security technology architecture is a Security Information and Event Management (SIEM) system. It analyzes event and contextual data from the security devices that feed into it, such as firewalls, IPS, web and email protection tools, IdM, etc. But their protective abilities are not the only factor driving SOC effectiveness. In a distributed threat landscape, security technology also needs to function as part of a collaborative architecture that automates the sharing of intelligence and centrally coordinates threat response.
  26. THE PROBLEM
      • Increasing attacks and threats
      • Managing compliance
      • Business continuity and protection of critical data
      • People, process and technology
      • Team knowledge and shortage of skills
      • Clarity on processes
      • Segregation of duties
      • Operational efficiencies and enablement

      WHY DOES IT EXIST?
      • Management approach
      • Increasing data volumes, variety and complexity
      • Ever changing threat landscape
      • Evolving techniques and technology
      • First layer of defence
      • Reactive approach
      • Limitations of security tools
      • Security roles and responsibilities

      Triad of Security Operations: People, Process and Technology
      • Process (SOC incident handling cycle): Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
      • People: Formal Training, Internal Training, On-the-Job Experience, Vendor-Specific Training
      • Technology: Endpoint, Netflow, Network Monitoring, Threat Intel, Forensics, Incident Detection/Management
  27. Security Operations

      CHALLENGES AND RISKS
      • Budgets
      • Resource crunch
      • Skill deficit
      • Security Operations Centre
      • Adapting to changing platforms
      • ROI: maximizing the value of security investments

      THE BEST PRACTICE TOOLKIT
      • Automated analysis
      • Build an incident response (IR) team
      • Define response team roles
      • Train the response team
      • Identify plan gaps and areas for improvement before an incident occurs
      • Assess IR plan effectiveness and the IR team’s ability to execute
      • Tools: QRadar, ArcSight, Splunk

      Next Steps - Align the Model
      • Utilize and scale your teams to provide 24x7 threat monitoring
      • Prepare for, and proactively hunt, threats
      • Apply predictive/proactive intelligence
      • Detect the unknown with enhanced analytics
      • Use artificial intelligence (AI) and machine learning (ML) for analytics
      • Extend threat visibility to the cloud

      Identify threats early to mitigate risk
      • Empower the IR team
      • Build communication flows and procedures
      • Define roles in the response team
      • Identify gaps in response plans
      • Learn from incidents and apply findings

      Invest in Success
      • Automate as much as possible to reduce the load of Level 1 tasks
      • Share information and eliminate silos between teams
      • Provide threat intelligence feeds and security tools to make teams successful
      • Retain top talent and feed their thirst for knowledge
      • Train employees, your first line of defence
      • Evolve your SOC by combining technology and human expertise
      • Do the basics well: regular patching, hiring the right people
      • Empower your resources
      • Adopt a proactive approach to deter emerging threats
      • Integrate deception technologies to bait attackers
  28. Future Forward: SANS INSTITUTE RECOMMENDS

      As you tackle the challenge of building a Security Operations Center (SOC), your ability to anticipate common obstacles will facilitate smooth start-up, build-out and maturation over time. Though each organization is unique in its current security posture, risk tolerance, expertise and budget, all share the goals of attempting to minimize and harden their attack surface and swiftly detecting, prioritizing and investigating security incidents when they occur. Working within the constraints of your organization, while pushing the boundaries and striving to achieve its critical security mission, your SOC can be a critical and successful venture—and a key contributor to your organization’s continuously improving security posture.
  30. CISO Think Tank: BEYOND THE ENTERPRISE— SECURING THE THIRD PARTY ECOSYSTEM
  31. Beyond the Enterprise

      As increasing numbers of organizations join the digital bandwagon, the size and scope of the third-party ecosystem is increasing. From manufacturing partners to logistics suppliers, marketing associates to dealers, cloud service providers to remote infrastructure management agencies—the number of third parties that have access to your IT systems and data continues to increase. And this burgeoning growth of ecosystem business partners has a significant impact on the security posture of your organization.

      Exacerbating the complexity of securing this third-party ecosystem is the fact that organizations often have multiple relationships with one another, and the fact that organizations may have indirect relationships with even more parties to meet business needs. In fact, the risk to strategic data assets is not just from any single third party, but from the web of relationships that comprise the data ecosystem. Organizations need to realize that managing this digital risk is not just a compliance and contract issue, but a fundamental strategic challenge.

      The first challenge is to understand the diversity of third parties in your business ecosystem. What kinds of entities have access to your data, information and IP, and why? The next challenge is to ascertain exactly who is in your value chain, and what they are doing. You need to know who is “touching your stuff”, virtually and physically. The exponential growth of IoT and connected devices within your value chain will create yet another challenge to driving a comprehensive approach to security across your value chain. Finally, what is the right way to assess the risk and implement security across all third-party entities? Many organizations are unaware whether their vendors have adequate data safeguards, security policies and procedures to respond effectively to a data breach. To remedy this problem, you need to develop a comprehensive security architecture that you can share with and deploy within your third-party ecosystem.

      Anuj is a dynamic leader in the security arena, with specialized information security, risk management and leadership experience. His wide array of cyber security experience, coupled with capabilities in business development, personnel management and fiscal planning, forms a unique ability to understand and manage all areas of the cyber security arena. The diversity of these skill sets has helped him understand client business requirements, analyze security needs, and communicate at all levels of an organization to ensure effective operations, strong client relationships and continued business growth.

      ANUJ TEWARI, CISO, HCL Technologies
  32. THE PROBLEM

      Trends - Increasing Dependence on Third Parties
      • Globalization and expanded use to support core products
      • Expertise, innovation and speed to market
      • Economic pressure: need for efficiencies and cost savings
      • Expanded need for governance models

      Risks - Heightened Threats
      • Third party breaches dominate the news
      • Complexity/pace of the risk landscape is outpacing industry response
      • Likelihood of a material breach (10k or more records) in the next 2 years: 26%
      • 450 global breach investigations, 63% linked to a third party component
      • Third party involvement increases breach costs (from USD 158 to USD 172 per record)
      • Increased regulatory and member scrutiny on how institutions manage vendor risk: operational, cyber security, supply chain, compliance, strategic, financial and reputational

      WHY DOES IT EXIST? Why Manage 3rd Party Risks?
      • Reliance: need third parties to deliver critical specialized services; several industries are heavy on third party supply chain; vendors globally help us achieve our mission
      • Value: maximize value and deliver great commercial outcomes through our relationships

      CHALLENGES & RISKS: Third Party Life Cycle
      1. Vendor Profiling & Classification
         • Business request: new contract, renewal, service change
         • Scope & gather information
         • Vendor risk segmentation & tiering
      2. Pre-Contract Risk Assessment
         • Perform pre-contract assessment for high risk relationships for new contracts
         • Business to take a ‘Go/No-go’ decision on the vendor based on results of the pre-contract assessment
      3. Contract & On-board
         • Address contractual security requirements for Tier 1 relationships
         • Incorporation of a ‘Right to audit’ clause in contracts for Tier 2, 3 & 4 relationships
      4. Periodic Risk Assessments
         • Conduct periodic assessments based on vendor tiers & program guidelines
         • Vendor risk assessment report
         • Issue remediation & closure
      5. Vendor Off-board / Transition Risk
         • Asset & data disposal
         • Access revocation
         • Contractual obligations for high risk vendors

      Cause of the problem: The Impact of Disruption. Disruptions damage your brand and your bottom line:
      • Loss of productivity (68%) – up 10%
      • Increased cost of working (53%) – up 14%
      • Damage to brand reputation or image (38%) – up 11%
      • Customer complaints received (40%) – unchanged
      • Service outcome impaired (40%) – up 4%
      • Loss of revenue (37%) – down 1%
Beyond the Enterprise
• 87% of firms experienced a disruptive incident with third parties in the past 2-3 years
• 70% of firms experienced a supply chain disruption in the past year
• 66% of firms do not have full visibility of supply chains
• 41% of those disruptions came from Tier 1 suppliers
• 40% of firms do not analyze the source of disruption

THE BEST PRACTICE TOOLKIT

Risk Practices – Identify Key Data
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)
• Card Holder Data (CHD)
• Confidential, Intellectual Property, Sensitive (CIPS), which includes:
  • Customer
  • Board / Executive
  • Key process
  • Human Resource
  • Financial
  • Partner

Risk Practices – Identify Key Technologies
Use of certain technology platforms and delivery channels poses additional risk when outsourcing. These include:
• External data hosting
• Cloud for storage and data processing, especially when PII, PHI or credit card data is involved
• New distribution channels for product/service delivery such as mobile platforms
• Use of third party custom developed software
• Any further outsourcing to subcontractors/fourth parties

Risk Practices – Contracts
• Assess controls based on risk of product or service to be provided
• Terms and conditions
• Typical standard clauses: price, liability, confidentiality, intellectual property, information security, incident audit rights, disaster recovery, approval of fourth party use, cyber-insurance, termination, payment schedules, escrow, maintenance schedule, complaint handling, cross-border data transfers
• Remediation of identified control weaknesses
• Legal review, selection, negotiation and notification
• Add third party information to Procurement system, GRC system and/or contracts database
Third Party Risk Management - Lifecycle

Plan, Select & Due Diligence (ensure use and completion of templates and control assessments)
Establish Third Party/Contract risk
Third Party/Contract
• New/existing
• RFx/sole source/renewals
• Relationship owner is the key
Risk Criteria
• Simple, clear & consistent
• Applied at contract level
• Due diligence requirements
Control Assessments
• Areas to include: security, information, personnel, site, business continuity, regulatory requirements, etc.
• Leverage industry standards
• Capture appropriate documentation
Remediation/Issue Closure

Contracts (standard contract language)
Clauses (Legal Approved)
• Right to audit
• Information security
• Physical security
• Background checks
• Business resiliency/disaster recovery
• Fourth parties
• Encryption requirements as appropriate
• Termination and exit
Authorized Negotiators/Signers
• Goods and services
• Specialized services (real estate, benefits, legal, etc.)
Exceptions and Approval
Leverage
• Assigned risk ranking
• Assessments and prior reviews

Ongoing Monitoring (formalize oversight and monitoring)
• Periodic validation of risk ranking
• Frequency based on risk and service provided
• Agree on scope and type of review to be performed
• Perform onsite reviews
• Point-in-time assessment moving toward continuous monitoring
Ensure Issue Remediation/Closure
Third Party Performance
• Scorecard program
• Reporting
Software and License Compliance

Terminate (exit strategy and asset return)
Termination
• Normal
• Cause
• Convenience
• Breach
Asset Return
• Return and/or confirmation of destruction of confidential data
Exit Strategies
• Developed internally, not with third party
• Outlines approach to be followed if critical third party prematurely terminates
• Outlines various options to ensure continued service availability
KPMG RECOMMENDS
Organizations will need to formalize their activities and implement clear owners of third-party risk management who are responsible for the end-to-end process, from due diligence planning to remediation activities.

Future Forward
HARNESSING THE POWER OF COLLECTIVE INTELLIGENCE FOR CYBER SECURITY
Collective Intelligence

Colonel Darshan Singh was commissioned in the Dogra Regiment (Infantry) of the Indian Army in 1969. During the course of his 28-year tenure, he was honored to take an active part in the 1971 Indo-Pak war and was also an integral part of active insurgency operations in J&K/Ladakh and the Eastern Sector of India. Since leaving the Indian Army in 1997, Colonel Darshan Singh has immersed himself in the corporate world, handling infrastructure, facilities, crisis and security functions. He is also actively engaged in conducting training sessions and audits on international crisis and security.

COLONEL DARSHAN SINGH
Vice President, ABB India Ltd

The ‘cyberspace’ is essentially a shared environment—shared among different types of stakeholders, across political boundaries, and between people who want to use it for the productive advancement of society and those who want to thwart those efforts for their own gains. As the reach of digital technologies, and by extension the cyber footprint, spreads beyond computers and information systems—reaching manufacturing plants and water treatment plants, power generation stations and city transport systems—both the ease and the incentive for the forces wanting to exploit the situation negatively increase manifold. No wonder cyber-attacks are now not just more common and frequent; they are often more global. Since the Internet is owned by no one, any counter-attack strategy requires that the intended targets of these attacks, as well as the indirect victims and stakeholders, work together to nullify or minimize the impact of those attacks. The power of collective intelligence, hence, is no longer a desired good-to-have strategy but an imperative.
Some of the stakeholders who are already actively cooperating are:
• The enterprise users
• The public sector
• The government agencies specially created to tackle computer related emergencies
• Law enforcement agencies
• Academia and the research community, especially those working in security and new emerging technologies
• Security vendors
• Technology companies working in new emerging technologies

However, this sharing of information is often point-to-point and on a need-to-know basis, and not seamless enough to be effective as a pre-emptive measure. While some information sharing is now formalized, much of the rest, such as among enterprises and between academia and enterprise, is still sketchy, if it exists at all. From research firms to enforcement agencies, many have stressed the need for collaboration and collective intelligence sharing. In the era of platforms, such a mechanism should be more than the sum of its parts.
HOW TO DEAL WITH IT?
• Empowering security teams with collective intelligence in the form of data that can be visualized.
• Complete data modeling, analytics and solutions will help them steel their systems and people against attack, without having to sink huge amounts of money or resources into data warehousing, harmonizing data streams or generating reports.

THE PROBLEM

Physical Threats
• Attacks with drones and other physical systems (e.g. through the deployment of autonomous weapons systems)
• Novel attacks that subvert cyber-physical systems (e.g. causing autonomous vehicles to crash)
• Attacks that involve physical systems that it would be feasible to direct remotely (e.g. a swarm of thousands of micro-drones)

Political Threats
• Use of AI to automate tasks involved in surveillance (e.g. analyzing mass-collected data)
• Persuasion (e.g. creating targeted propaganda) and deception (e.g. manipulating videos)
• Privacy invasion and social manipulation
• Analyzing and distorting human behaviors, moods and beliefs on the basis of available data (e.g. public decision making)
• Labor-intensive cyber attacks (such as spear phishing)
• Exploitation of human vulnerabilities (e.g. through the use of speech synthesis for impersonation), existing software vulnerabilities (e.g. through automated hacking), or the vulnerabilities of AI systems (e.g. through adversarial examples and data poisoning)

USD16 billion – The Javelin Strategy & Research 2017 Fraud Report found that 15.4 million U.S. consumers (a 17.5% increase) lost $16 billion to identity fraud in 2016.
USD500 billion – Microsoft’s estimate for the total potential cost of cybercrime to the global community.
USD14 billion – The amount the U.S. government spent in 2017 on cybersecurity. (Source: CIO)
USD2.1 trillion – The total global annual cost of all data breaches by 2019, as suggested by Juniper Research.
USD158 billion – The collective amount of money consumers lost globally in 2015 due to cybercrime. The U.S. accounts for $30 billion of that loss. (Source: Symantec)
USD3.8 million – The average cost of a data breach to a business. (Source: Microsoft)

CHALLENGES & RISKS
• Principles of Territoriality
• Principles of Legality
• Principles of Guilt
• Challenges to preservation and storage of digital forensics
• Challenges to creating a global repository of biometrics
NEXT STEPS
• Policymakers should collaborate closely with technical researchers to create credible pools of intelligence.
• Researchers and engineers in artificial intelligence should take the dual-use nature of their work seriously, allowing misuse-related considerations to influence research priorities and norms, and proactively reaching out to relevant actors when harmful applications are foreseeable.
• Best practices should be identified in research areas with more mature methods for addressing dual-use concerns, such as computer security, and applied intelligence, where applicable.
• Actively seek to expand the range of stakeholders and domain experts involved in discussions of this collective intelligence.

THE PRACTICE TOOLKIT
• Behavioral Analytics
• Detection for known attacks and issues
• Advanced Threat Detection
• Identify anomalies in device behavior
• Measuring detection performance
• Identify anomalies in employee and contractor behavior
• Macro trend analysis
• Detect anomalies in the network
• Assess network vulnerabilities and risks
• Malware research and analysis
EXPERTS RECOMMEND
The key idea behind machine learning in cyber security is not to replace firewalls, antivirus or experts, but to complement them to create a more multi-layered defence.
THE ART OF SECURITY MANAGEMENT: GAINING VISIBILITY AND CONTROL
Security Management

Over the years, cyber threats have evolved by leaps and bounds and will continue to do so. Criminal organizations, hackers and cyber attackers are expected to become more sophisticated and mature in the next few years and to be able to migrate their activities online at a greater pace. Activity among Indian organizations is also expected to rise as more and more organizations focus on their core business, thereby creating more complex and interconnected networks with suppliers, vendors, partners and other third parties, making them more prone to cyberattacks and data leakages. Hence, it is imperative for Indian organizations to gear up for the cyber security challenge by formulating security strategies and implementing technology solutions to monitor and manage security risks.

So, while information security risk management is still a lot of science when it comes to the processing skills needed for systematic and rigorous data-driven analysis, it is also a lot of art. Gaining visibility into the DNA of your organization, creating a culture that is a perfect balance between security and convenience, and in turn understanding the risk framework that connects them all, should be deemed both art and science.

Jagdeep is Chief Information Security Officer at Rakuten India. He is a seasoned information security professional, with rich expertise in running large security programs aimed at building a robust information security posture for organizations. He also takes care of the existing and future security needs of the business, defines the security roadmap and vision, and executes a security strategy that aligns with business objectives.

JAGDEEP SINGH
CISO, Rakuten India
THE PROBLEM
Security management is a unique blend of technical, general management and, most importantly, risk management skills. You just can’t bring in people having only vast leadership experience and the credentials of a top B-school to run the show. Many leaders make the mistake of focusing only on hiring core technical talent to provide security to the business, without realizing whether the new hire actually understands the meaning of risk.

CHALLENGES & RISKS
• Old school thought process of security as do’s and don’ts
• Security looked upon as a major cost to the business
• Security still looked upon as a support function
• Security function is given lesser privileges/authority than other business units
• Culture of the organization could be reactive and change resistant

THE BEST PRACTICE TOOLKIT
• Translating both security risk and actual compromises into dollar loss
• Practice tabletop exercises more frequently.
• Highlight potential legal risks and map them to security gaps, because that’s where eyeballs get immediately focused.
• Give trust to the business that the security team complements them and does not compete with them.
• The approach is to reach out with a helping hand rather than pointing fingers when security incidents occur.
• Prepare a comprehensive security roadmap which is realistic and time bound. Inform stakeholders in a timely manner of the progress, mapping the reduction in dollar loss to the implementation.
• Don’t shop for products just because a sales guy is giving them to you dirt cheap and heavily discounted. The products should fill some critical gaps and align with the long-term security strategy; the cost of replacing a product at times far exceeds the cost of implementing it.
• Outcome- and KPI-driven approach for all initiatives
• It is very important to build trust with the business and leadership, as the focus is to mature the organization through continuous improvement rather than a mere fault-finding approach.

MUST-HAVES FOR GAINING CONTROL AND VISIBILITY
People
• Build a strong team. Look to build a core group of talented and responsible individuals, and give them authority.
• The core team should have really good engineering, automation and security assurance capabilities; the remaining capabilities could be outsourced or staffed in-house with less-experienced people.
• Focus on organization-wide programs and outreach to support the business in building secure products.
Policy and Process
• This includes policies and practices which have to be followed no matter what. Have the head of the company or the board sign these policies.
• The processes should blend well with the culture and ecosystem of the organization; otherwise people will always find ways to circumvent them and not follow them.
• Always have a strong feedback mechanism for the business to feed in. This leads to driving efficiencies while practising an optimum security posture.
Technology
• Open source capability is a buzzword now, where readily available tools could be utilized for a job with a little customisation and engineering to save millions which would otherwise have gone into buying commercial off-the-shelf products.
• Build systems which talk to each other. Nowadays, with multiple products for multiple uses, systems work in isolation. Good organizations make sure the security systems intelligently share information while working on their core proposition.

NEXT STEPS
Step 1: Prepare Security and Risk Management Teams for Bimodal IT
• Drive an education program on bimodal IT
• Evaluate the current state of bimodal IT in the organization
• Identify the primary skills and technology gaps
Step 2: Build additional organizational capabilities to support increased agility and defend against new digital risks
Step 3: Manage security throughout the project life cycle
Step 4: Maximize effectiveness with a bimodal security program

[Chart: Threats and vulnerabilities perceived to have most increased the risk exposure of the respondents, 2013–2017 (% of respondents stating each as one of their top two items to increase risk exposure). Vulnerabilities: careless or unaware employees; outdated information security controls or architecture; unauthorized access. Threats: malware; phishing; cyber attacks to steal IP or data; internal attacks; cyber attack to steal financial information.]
PwC RECOMMENDS
In an era where insider threats are rising, weak authentication mechanisms are usually held responsible. Organizations have already put in place controls to mitigate risks stemming from insider threats. However, with advancements in the tools and techniques employed by internal actors, organizations need to continuously adapt and evolve to keep up.
AI & MACHINE LEARNING APPLICATIONS FOR CYBER SECURITY
AI & Cybersecurity

Rajeev has over 12 years of technical experience in the information security function. His responsibilities include conducting employee security awareness training, developing secure business and communication practices, identifying security objectives and metrics, choosing and purchasing security products from vendors, ensuring that the company is in regulatory compliance with the rules of the relevant bodies, and enforcing adherence to security. Rajeev has comprehensive experience in building high performance teams, in-sourcing vendor operations and auditing IT controls, among others.

RAJEEV VERMA
Deputy General Manager – Information Security, SRF

It is a no-brainer that fighting cyber threats is becoming an increasingly complex and challenging task. With attacks becoming more and more advanced, the defense mechanism has to keep pace. That is what makes cyber security so different from the rest of the IT functions in the enterprise. While good planning is half the job for the rest of enterprise IT, it is just the baby step in security. Cyber security is probably the only responsive function in the entire technology value chain. That makes cyber security one of the most suitable application areas for artificial intelligence and machine learning. AI can be used to collect and analyze security data from different data repositories, track the threats, and prioritize the response to voluminous alerts. While prevention is better than cure, breaches are a reality and quick containment can dramatically reduce damages. That is another potential application area. Also, machine learning can help analytics-based defense mechanisms become stronger and stronger. However, the benefits of AI in cyber security go much beyond fighting threats. Cyber security can be a test-bed for unleashing the true potential of AI beyond efficiency-driven automation applications, which in turn will enhance the depth of AI application in all areas of business.

While AI is a godsend for fighting cyber attacks, it must be remembered that it is available to the attackers as well. In fact, so far, they have been more effective in applying AI to attacks. Another challenge is unrealistic expectations from AI. One of the biggest short-term challenges is the false assumption that the application of AI to cyber security will bring down the demand for skilled professionals, resulting in a lesser number of low-skilled professionals in the medium run. If anything, it will push up the demand for more highly skilled professionals.
THE PROBLEM
There’s one job where AI has already shown superiority over human beings: cyber attacks. Machine learning, for example, can enable a malicious actor to follow your behavior on social media, then customize the following for you:
• Phishing tweets or emails—just for you. A human hacker can’t do the job nearly as well or as quickly.
• The more AI advances, the more its potential for cyber attacks grows too.
• Techniques like advanced machine learning, deep learning and neural networks enable computers to find and interpret patterns. They can also find and exploit vulnerabilities.
• Intelligent malware and ransomware that learns as it spreads, machine intelligence coordinating global cyber attacks, advanced data analytics to customize attacks—unfortunately, it’s all on its way to your organization soon.
• AI itself, if not well-protected, gives rise to new vulnerabilities. Malicious actors could, for example, inject biased data into algorithms’ training sets.

CHALLENGES & RISKS
• AI can be used to protect, defend and attack cyber infrastructure.
• AI can be used to automatically identify the attack surface that hackers can target.
• AI can be misused to perform more automated and increasingly sophisticated social engineering attacks.
• AI-enabled cyber attacks can cause an epidemic-level spread of intelligent computer viruses which can mutate and evade antivirus products.
• The only solution to defend against AI-enabled hacking is by using AI.
• The worst outcome will be beyond simple imagination; there is potential to damage human well-being on a global scale.

THE BEST PRACTICE TOOLKIT
As organizations face pressure to design, build and deploy AI systems that deserve trust and inspire it, many will establish teams and processes to look for bias in data and models and closely monitor ways malicious actors could “trick” algorithms. Governance boards for AI may also be appropriate for many enterprises.

Public-private partnerships and public-citizen partnerships. One of the best ways to use AI responsibly is for public and private sector institutions to collaborate, especially when it comes to AI’s societal impact. Likewise, as more governments explore the use of AI to distribute services efficiently, they’re engaging citizens in the process.

Self-regulatory organizations to facilitate responsible innovation. Since regulators may scramble to keep up, and self-regulation has its limits, self-regulatory organizations (SROs) may take the lead with responsible AI.

What’s holding AI back in the enterprise?
Q: Which of the following issues surrounding AI adoption concern you the most? (Source: PwC CEO Pulse Survey, 2017; base: 239)
• Increased vulnerability and disruption to business – 77%
• Potential for biases and lack of transparency – 76%
• Ensuring governance and rules to control AI – 73%
• Risk to stakeholders’ trust and moral dilemmas – 71%
• Potential to disrupt society – 67%
• Lack of adequate regulation – 64%

NEXT STEPS
• Talent shortage in information security: A report from (ISC)2 shows that there will be more than 1.5 million unfilled positions by 2020 in the field of global cyber security. AI can help in this situation by equipping professionals with powerful tools.
• AI enables analysts to focus on more advanced investigations rather than spending valuable time on data crunching.
• AI, when applied in an interactive manner, together with humans, can promise several opportunities for identifying, combating and managing cyber risks.
• There is plenty of academic research on detecting cyber attacks using artificial intelligence. The success rate of this research varies between 85% and 99%.
• DarkTrace claims to have a success rate of more than 99% and also a very low rate of false positives.
• It is up to human imagination. For the sake of clarity, the following application categories can be examined:
  • Spam filter applications (SpamAssassin) to detect malicious activity and stop attacks
  • Using machine learning to analyze mobile endpoints
  • Using machine learning to enhance human analysis
  • Detecting the start of any attack and encapsulating it

AI in Cyber Security: Funding (USD million)
2012: 71.1
2013: 79.4
2014: 347.2
2015: 537.1
2016: 783.7
2017: 806
Source: CB Insights
GARTNER RECOMMENDS
Leaders need to create a 10-year scenario and prepare for the combination of people + AI + robots in the workplace and how they will enrich and invigorate work dynamics.
RISK-BASED APPROACH FOR APPLICATION DEVELOPMENT
Envisioning SecDevOps

Applications are one of the softest targets for cyber attackers. Since most applications have not been designed to keep attackers away, and since they contain critical business processes and sensitive organizational data, applications are like low hanging fruit for attackers. Multi-million dollar breaches happen through application compromise. The reasons are many. Application security exercises in enterprises start pretty late in the cycle. Skilled manpower being a scarce resource, often a couple of security people oversee the security of multiple development teams. In a typical set-up, they end up getting aligned with the few teams they are familiar with, while the other development teams manage with some basic to-do and do-not lists. Though the Open Web Application Security Project (OWASP) provides a very useful list of the Top 10 web application security flaws, along with the nature, severity and impact of each, on-the-ground challenges remain—largely because development, testing and security teams do not work in tandem. A holistic, risk-based approach that starts with basic security sensitization for developers and quality teams, while doing periodic assessments based on learning, can go a great length in preventing and remediating application breaches. Detection time and cost of remediation are usually directly related: the earlier the detection, the lower the cost of remediation. The author gets deeper into why there is a pressing need for this approach and how organizations can proceed on the path.

Rajesh has over 22 years of technical experience in the field of program management in all phases of the software development life cycle (SDLC), from requirements gathering to actual implementation. He has international exposure in system study, client requirements and specifications, and implementation. Rajesh is also proficient in analysis, design and development. He has pioneered API banking in the Indian context and has won several awards for the organization. He also has an excellent understanding of business flows, particularly in manufacturing, telecom and financial services, including insurance and banking.

RAJENDRA MHALSEKAR
President and Head Corporate Banking Technology, Yes Bank
THE PROBLEM
• 2017 saw various cyber security attacks, ransomware and malware, globally
• Emphasized the need for an enterprise-wide strategy to deal with such situations, both preventive as well as reactive
• The application security layer is the hardest to defend
• Highly important since core business logic resides in the application
• 37% of all attacks are aimed at the application layer
• SQL injection and cross-site scripting are the commonest attacks
• Attackers can potentially use many heterogeneous paths through the application to harm the business
• QA & software teams lack the knowledge and incentives to address vulnerabilities early in the SDLC
• The earlier the detection, the lower the cost of remediation

CHALLENGES & RISKS
Challenges to secure application development
• Developers are not security experts
• Hackers are becoming more and more aggressive
• Incentives in the organization work against a strong emphasis on security – faster delivery is more appreciated
• Resource crunch for security initiatives

Threat Agents | Attack zones | Security weakness | Technical Impacts | Business Impact
1 | Attack1 | Weakness1 | Asset1 | Impact1
2 | Attack2 | Weakness2 | Asset2 | Impact2
3 | Attack3 | Weakness3 | Asset3 | Impact3
4 | Attack4 | Weakness4 | Asset4 | Impact4
5 | Attack5 | Weakness5 | Asset5 | Impact5

Attackers can potentially use many heterogeneous paths through the application to harm the business. Each of these paths needs to be analyzed, its risks assessed, and then remediated based on priority.

Major vulnerabilities
• SQL injection
• LDAP injection
• Cross-site scripting
• JSP file inclusion
• Remote code execution

Inventory – Attributes & Risks
• Name of application
• Business owner
• Creation date
• Customer facing? Internal? Partner facing?
• Functional complexity
• Infrastructure complexity
• Age in production
• Platform (web/mobile/client-server)
• Compliance requirements
• Reputation risk
• PII
• IP
• Legal obligations (HIPAA/PCI)
The next step would be to assess risk for each attribute. Relevant stakeholder participation in this exercise is a MUST.

Application Security Testing
• White-box analysis – static analysis
• Dynamic analysis – simulates many of the techniques used by cybercriminals and hackers
• Interactive analysis – glass-box analysis, a combination of both the inside and outside approaches
• Mobile app analysis to detect client-side vulnerabilities

Features of a Testing Solution:
• Vulnerability testing throughout the SDLC
• Scalable
• Accurate
• Covers modern and complex sites and major code changes
• Equipped to detect mobile application vulnerabilities

Risk Determination and Prioritization
• Determine a risk rating for each of the applications. These applications and the individual risks could be classified as critical, high, medium or low.
• Create remediation plans based on priority which align with the overall risk strategy.
• Focus on preventing breaches that might have a bigger business impact – may put in some compensating controls.

NEXT STEPS
SMART: SMART working is a security journey
• Systems driven
• Measured progress tracking
• Analytically supported
• Resource intensive in terms of the right technologies or resources
• Time measured to control the deviations

Application Monitoring in Production
• Detected vulnerabilities can be shared with an IPS, which may then protect against attacks aiming to exploit these vulnerabilities.
• Available information should be shared among the various relevant stakeholders for effective control of any breaches.
• Database vulnerabilities can be easily pinpointed by such sharing.
• Would help in strengthening the WAF in terms of security patches.

STRIDE
• Spoofing identity
• Tampering with data
• Repudiation – non-repudiation refers to the ability of a system to counter repudiation threats
• Information disclosure – information disclosure threats involve the exposure of information to individuals who are not supposed to have access
• Denial of service
• Elevation of privilege
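The risk determination step above (score each inventoried application on its attributes, rate it critical/high/medium/low, then order remediation by priority) as a worked example. This is illustrative code added here, not the author's or Yes Bank's tooling; every weight, threshold, application name and STRIDE finding in it is a constructed assumption.

```python
"""Application risk rating and remediation prioritisation (added example).

Scores each application on the chapter's inventory attributes (exposure,
PII/IP, compliance obligations, reputation risk, complexity, age in
production) and on open STRIDE findings, maps the score to the chapter's
critical/high/medium/low classes and orders the remediation plan.
All weights, thresholds and sample data below are assumptions, not
published values.
"""
from dataclasses import dataclass, field
from enum import Enum


class Exposure(Enum):
    """Inventory attribute: customer facing? internal? partner facing?"""
    INTERNAL = 1
    PARTNER = 2
    CUSTOMER = 3


# STRIDE category -> assumed base severity of one open finding (1-5).
STRIDE_SEVERITY = {
    "Spoofing": 4,
    "Tampering": 4,
    "Repudiation": 2,
    "Information disclosure": 5,
    "Denial of service": 3,
    "Elevation of privilege": 5,
}


@dataclass
class Application:
    name: str
    business_owner: str
    exposure: Exposure
    platform: str                    # web / mobile / client-server
    pii: bool = False
    ip: bool = False
    compliance: tuple = ()           # e.g. ("HIPAA", "PCI")
    reputation_risk: bool = False
    functional_complexity: int = 1   # 1 (simple) .. 3 (complex)
    infra_complexity: int = 1        # 1 .. 3
    years_in_production: int = 0
    threats: dict = field(default_factory=dict)  # STRIDE category -> open findings


def impact_score(app: Application) -> int:
    """What is at stake if this application is compromised (assumed weights)."""
    score = 2 * app.exposure.value
    score += 3 if app.pii else 0
    score += 2 if app.ip else 0
    score += 2 * len(app.compliance)          # each regulatory obligation adds weight
    score += 2 if app.reputation_risk else 0
    score += app.functional_complexity + app.infra_complexity
    if app.years_in_production >= 5:
        score += 2                            # assumption: older code lags on fixes
    return score


def threat_score(app: Application) -> int:
    """Likelihood side: severity-weighted count of open STRIDE findings."""
    total = 0
    for category, count in app.threats.items():
        if category not in STRIDE_SEVERITY:
            raise ValueError(f"unknown STRIDE category: {category!r}")
        total += STRIDE_SEVERITY[category] * count
    return total


def risk_score(app: Application) -> int:
    # An application with no open findings still carries baseline risk (factor 1).
    return impact_score(app) * max(threat_score(app), 1)


def risk_rating(score: int) -> str:
    """Map a score to the chapter's four classes (thresholds are assumptions)."""
    if score >= 120:
        return "critical"
    if score >= 60:
        return "high"
    if score >= 25:
        return "medium"
    return "low"


def remediation_plan(apps):
    """(name, rating, score) tuples, highest risk first: the remediation order."""
    rows = [(a.name, risk_rating(risk_score(a)), risk_score(a)) for a in apps]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample inventory (hypothetical systems, not real ones).
SAMPLE_APPS = [
    Application("net-banking-portal", "Retail banking", Exposure.CUSTOMER, "web",
                pii=True, compliance=("PCI",), reputation_risk=True,
                functional_complexity=3, infra_complexity=3, years_in_production=6,
                threats={"Information disclosure": 2, "Spoofing": 1}),
    Application("partner-order-api", "Supply chain", Exposure.PARTNER, "web",
                ip=True, functional_complexity=2, infra_complexity=2,
                years_in_production=1, threats={"Tampering": 1, "Denial of service": 1}),
    Application("hr-leave-tracker", "HR", Exposure.INTERNAL, "web", pii=True,
                years_in_production=2, threats={"Elevation of privilege": 1}),
    Application("cafeteria-menu", "Facilities", Exposure.INTERNAL, "mobile"),
]

if __name__ == "__main__":
    for name, rating, score in remediation_plan(SAMPLE_APPS):
        print(f"{name:<20} {rating:<9} {score}")
```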
PONEMON INSTITUTE RECOMMENDS
Immature application security initiatives in many organizations aren’t effective at combating risk. Additionally, the proliferation of new and updated applications can introduce new vulnerabilities into ambitious product release environments that are fed by end-user demand for fresh versions and functionality. In fact, 56% of respondents stated that the pressure to release new applications quickly was a significant barrier to making their security posture as effective as possible. Application vulnerabilities represent risk vectors that cannot be ignored. As the number of applications that your company releases grows, the situation will only become worse — especially if it isn’t addressed immediately.
ALIGNING SECURITY AND RISK MANAGEMENT WITH BIMODAL IT
Bimodal Security

RAJIV NANDWANI
Director, VP – GIS & CISO, VP – Facilities, InnoData

Rajiv is Director, VP – Global Information Security & CISO, VP – Facilities at Innodata, which has offices in the US, Israel, the Philippines, Sri Lanka and India. He leads the data security and data protection practices at the organization. He is in charge of all security requirements and compliance covering project delivery and all support functions. He also takes care of the information security requirements of general IT controls for Sarbanes-Oxley compliance.

The security challenges around traditional legacy systems in Mode 1 are already familiar to organizations. However, Mode 2 offers the kind of agility and flexibility that organizations require today, so that they can focus on data and information security. With the help of bimodal IT, organizations can now secure their assets across both legacy systems and the cloud. This means that the demands for both securing information and securing data flow are met. As a result, security and risk leaders no longer have to deal with the two entities in isolation. They must also understand the link between Mode 1 and Mode 2 in order to carry out risk assessments of how data moves between the two environments from the start. This bimodal strategy allows organizations to turn risk management into a continuous and ongoing process, tightly knit into the organization's security framework.

Bimodal IT has the power to transform how organizations operate. It impacts technology as much as how IT operates. It also dramatically changes how a business runs. Don't try to retrofit security to a bimodal IT environment once the data is flowing; it will be a nightmare. Use bimodal IT to focus on pulling IT and business together to collaboratively innovate and bring new products and services to market quickly.
What is Bimodal?

[Figure, source: Gartner] Run – Differentiate – Innovate. Mode 1 (predictable, reliable, risk-averse, standards-oriented, rigorous governance); Mode 2 (exploratory, adaptable, no fixed rules, risk taking).

THE PROBLEM
Bimodal is the practice of managing two separate but coherent styles of work:
1) Focused on predictability
2) Focused on exploration

Mode 1 is optimized for areas that are more predictable and well understood. It focuses on exploiting what is known, while renovating the legacy environment into a state that is fit for a digital world. Mode 2 is exploratory, experimenting to solve new problems and optimized for areas of uncertainty.

WHY DOES IT EXIST?
• Both modes exist and are essential to create substantial value and drive significant organizational change. Neither of these models is static; both are evolving.
• Marrying a more predictable evolution of products and technologies (Mode 1) with the new and innovative (Mode 2) is the essence of an enterprise bimodal capability. Both play an essential role in the digital transformation.

HOW DO WE DEAL WITH IT?
Under Gartner's model, we can divide a big chunk of enterprise IT into two kinds of systems:
• Systems of record – manage the sensitive data that is most valuable to our organizations (like bank account information)
• Systems of engagement – a set of public-facing systems through which customers access our services

This approach creates two separate groups: a fast team that focuses on digital exploitation and a separate traditional IT group that focuses on the classic back-office systems of record.

CHALLENGES & RISKS
1. From a one-size-fits-all model we move to a two-sizes-fit-all model.
2. The risks inherent in building and evolving systems of record are better managed through waterfall, though changing the systems at the heart of many enterprises, usually decades-old COBOL software running on mainframes or packaged software built by vendors, is painful, expensive and risky.
3. Agile methods are more suited to building and managing systems of engagement; investment needs to be made to maintain systems that will become increasingly complex and fragile over time, while failing to gain the expected return on investment from adopting agile methods.
4. Creates a two-class system that adds complexity and kills culture. At a time when businesses need to drive speed and agility, it makes no sense to have two groups competing for funding, resources, skills, and the business' attention.
5. Focuses on a technology-centered model that does not connect to customers. Firms are explicitly linking performance metrics to improvements as a way to break down the silos and drive more aligned behavior in service of the customer.
6. Perpetuates the myth that back-end systems can be left as they are.
While some systems may change less frequently, they need to evolve quickly when they do change. Customers' expectations necessitate the streamlining of operational processes and systems, while digital disruption forces organizational simplicity and agility.
7. Engages and energizes the C-suite and board on the technology's role in improving customer experience, differentiating products and services, and building partner ecosystems.
8. Empowers business leaders to take ownership. Leading e-commerce, field service, and product development groups take a more activist role in a BT strategy.

CHALLENGES – SECURITY
1. Continuous delivery – DevOps is a key component of IT delivery.
2. Cloud service integration – The potential security weak link here is the integration and communication between the cloud services and the existing in-house systems of record.
3. Shadow IT (systems and solutions built and used inside organizations without explicit approval) – Gartner estimates that just over a third of the money spent on cloud is being spent on shadow IT.
4. Integration of multiple cloud suppliers – Putting the cloud at the forefront of service delivery means organizations will have to integrate and manage many more suppliers than before.
5. Increased risk of reputational damage – Using bimodal IT to deliver more digital services in itself increases security risk.
6. The number of mobile devices staff use to perform their jobs on a daily basis will continue to proliferate, as will the breadth of the application ecosystem.

THE BEST PRACTICE TOOLKIT
Step 1. Prepare security and risk management teams for bimodal IT
• Drive an education program on bimodal IT
• Evaluate the current state of bimodal IT in the organization
• Identify the primary skills and technology gaps
Step 2. Build additional organizational capabilities to support increased agility and defend against new digital risks
Step 3. Manage security throughout the project life cycle
Step 4. Maximize effectiveness with a bimodal security program

NEXT STEPS – ALIGN THE MODEL
1. Customer-led, through fused design thinking and an agile methodology – Success starts with an outside-in focus on delivering new sources of value to customers in both a B2C and B2B
2. Insights-driven, with new skills and systems of insight
3. Fast, by closing the speed gaps – The faster you execute, the more quickly you will win customers over
4. Connected, through APIs, modern architectures, and ecosystems
5. Continuous risk management – After the initial risk assessment for bimodal IT, a set of control requirements can be defined and improved on a continuous basis
6. Automation – Automation is absolutely essential to addressing bimodal IT security issues. Application and data monitoring and automation of the risk management processes ensure they can be operationalized in an easy and repeatable manner
7. Encryption – There is a greater requirement for encryption technologies in bimodal IT delivery to remove some of the risks posed to data as it flows across public or private clouds and in-house IT
8. Identity – Identity management is essential to enforce the appropriate levels of trust and verification

After the initial risk assessment for bimodal IT, a set of control requirements can be defined and improved on a continuous basis, thus enabling periodic checks and balances.
GARTNER RECOMMENDS

To support bimodal initiatives, risk and security leaders must take steps to prepare security and risk management teams for bimodal IT: learn about bimodal IT, evaluate where your organization is on the bimodal journey, and identify the primary skills and technology gaps. They must build additional organizational capabilities to support increased agility and defend against new digital risks, understand the higher risk appetite represented by Mode 2 projects, and adapt security practices to the pace of Mode 2 projects, with a laser focus on low interference during early stages and continuous monitoring of security debt.
COMPLIANCE AND RISK MANAGEMENT BEYOND IT
Managing Compliance

SATYANANDAN ATYAM
AVP, Head Risk Management & CISO, Bharti AXA General Insurance

Satyanandan is Chief Information Security Officer (CISO) for Bharti AXA General Insurance. Prior to this, he was leading the Risk Management function at Bharti AXA General Insurance. He has 13+ years of global experience across industry domains including insurance, capital markets and automotive, and in multiple geographies including Europe, the Middle East and Asia Pacific, in enterprise risk management, operational risk, financial risk, information security, IT risk management, data privacy, data protection, business process design, risk advisory, IT audit and outsourcing risk.

There is little doubt that companies across all industries are confronted by a proliferation of regulatory requirements, stakeholder expectations, and business model changes. Not only are organizations expected to comply with laws and regulations, but they also have to be mindful of behaving ethically and protecting their brand. These challenges are even more acute in highly regulated industries such as financial services, telecom, health care, life sciences, travel and hospitality, where information security needs have evolved beyond mere compliance to include strategic issues such as:
• Analyzing the impact of emerging regulations on business models and on existing processes and systems
• Ensuring proper roles and responsibilities amongst legal, compliance, audit, IT and business functions
• Driving a culture of compliance across diverse geographies, functions and operational teams
• Managing remediation in more complex and diverse environments
• Ensuring that the compliance program keeps pace with the evolution of the organization's business strategies

The scope of Governance, Risk & Compliance (GRC) doesn't end with governance, risk, and compliance management; it also includes assurance and performance management. This means that the GRC framework is being extended further to information security management, quality management, ethics and values management, and business continuity management. For CISOs, sustaining a continuously evolving information security GRC program in a changing risk landscape while meeting multiple compliance requirements represents a significant challenge. Since managing risk is a reality of doing business, it is essential that cyber security practitioners look at implementing a comprehensive risk management program that can be integrated into all layers of the organization, and in all functions.
Why Does It Exist?
• Digitization and automation are driving business operations
• Data safeguards are important from competitive and regulatory perspectives
• IT, as the custodian of business data, needs to align with compliance and risk management requirements
• Risk and compliance requirements for the business should be embedded through IT controls

THE PROBLEM
Aadhaar data
• Business processes that capture customer Aadhaar
• Employee Aadhaar collected by HR
Regulation
• Businesses should onboard to cloud services within Indian jurisdiction
Sensitive personal data
• Many businesses operate with integrations with multiple vendors and partners. Regulation requires insurance, banking and telecom companies to protect sensitive personal data
• The existing risk management framework is not comprehensive enough to validate controls across all the third-party frameworks. Robust implementation is limited to internal company systems and processes

THE CHALLENGES AND RISKS
Let's see the bigger context, which makes an enterprise digital platform a must. What was within the enterprise premises (or an extended physical premise) has moved beyond boundaries. The situation has become more complex, because:
• The traditional IT architecture is challenged by the emerging cloud computing paradigm
• There is a plethora of devices from many access points and on multiple platforms
• There are multiple stakeholders, each with unique 'interaction requirements'. The enterprise platform is opened to customers from a customer service or e-commerce perspective
• Multiple and ever-growing applications meet the unique requirements of the stakeholders

[Figure] Information Governance Program Must Incorporate Different Needs. Perspectives: business, technology, legal, compliance. Stakeholders shown: CFO, HR, Business Units, End-users, CIO, Storage Administrator, Application Administrator, Message Administrator, General Counsel, Litigation, Compliance, Risk Management, Audit, Info. Security, Records Management.
Digitalization and automation are driving business operations, and the legacy enterprise platform is becoming inadequate to meet the emerging priorities for CIOs.
• As a result of multiple devices, users and applications, data is exploding and data flows across enterprise boundaries
• There is increasing pressure for speed, compliance, security and governance

THE BEST PRACTICE TOOLKIT
• Automated analysis
• Build an incident response (IR) team
• Define response team roles
• Train the response team
• Identify plan gaps and areas for improvement before an incident occurs
• Assess IR plan effectiveness and the IR team's ability to execute
• Tools: QRadar, ArcSight, Splunk

NEXT STEPS
• Utilize and scale your teams to provide 24x7 threat monitoring
• Prepare for, and proactively hunt, threats
• Apply predictive/proactive intelligence
• Detect the unknown with enhanced analytics
• Use artificial intelligence (AI) and machine learning (ML) for analytics
• Extend threat visibility to the cloud

Identify threats early to mitigate risk
• Empower the IR team
• Build communication flows and procedures
• Define roles in the response team
• Identify gaps in response plans
• Learn from incidents and apply findings

Invest in Success
• Automate as much as possible to reduce the load of Level 1 tasks
• Share information and eliminate silos between teams
• Provide threat intelligence feeds and security tools to make teams successful
• Retain top talent and feed their thirst for knowledge
• Train employees, your first line of defence
• Evolve your SOC by combining technology and human expertise
• Do the basics well – regular patching, hiring the right people
• Empower your resources
• Adopt a proactive approach to deter emerging threats
• Integrate deception technologies to bait attackers

[Figure] Information Governance Program Must Incorporate Different Needs
IT Governance: IT Risk Management, Portfolio Management, Project Management, ISMS, VAL IT/COBIT, ITIL, Six Sigma
Data Governance: Master Data Management, Data Quality, Data Architecture, Data Security Management, CISO & DPO interface points for Data Governance
Risk Management & Compliance: Compliance Risk Management, Regulations and standards, Statutory Requirements
GRANT THORNTON RECOMMENDS

To move beyond compliance, risk management functions need to understand the need for efficiency. By embracing new capabilities, such as distributed ledger technologies, and by streamlining processes, risk managers can do more with less and meet the financial expectations of shareholders. Data analytics is foundational to the final step, helping the enterprise to anticipate and address non-financial risks, especially those introduced by digital business models. This will require dedicated C-level risk leadership and the willingness to invest in the tools and capabilities necessary to empower your risk function to drive real value.
