1. CYBERTHREAT LANDSCAPE -HOW
ORGANIZATIONS CANTAKE
PROACTIVE APPROACHTO BOLSTER
THEIR SECURITY POSTURE
Satyanandan Atyam, Associate Vice President, Data
Privacy Officer, Bharti AXA General Insurance
1

2. DISCLAIMER
The Document may contain material nonpublic
information/Information on public domain and is provided for
informational purpose only.The views presented here are the
sole views of the Speaker and doesn’t represent the views of
the Organization where he is / was working
2

3. DO WE KNOW WHERE ISTHE
THREAT LANDSCAPE ?
 APTs commonly seek intellectual property (IP) and personally identifiable
information (PII) that resides within large financial institutions.
 Moving towards mobility : Opening up the corporate network to the unknown,
meaning this has to be structurally secured.
 Cloud data leakage is the biggest concern
 About 48 percent of data breaches were caused by malicious attacks from
people both inside and outside of the organization.
 Nearly 25 percent of breaches were associated with human error.
 The single biggest factor in reducing the cost of a data breach was having
an incident response team in place
3

4. THREATVECTORS : INSURANCE
INDUSTRY
 APTs commonly seek intellectual property (IP) and personally identifiable information (PII)
that resides within large financial institutions.
 The global insurance industry, worth close to $1 trillion annually
 They may try to compromise a vendor or, perhaps in the case of insurance, independent
agents, and use that as a conduit to the target entity. They often compromise one thing to
get to another
◦ Insurance Agent/Brokers
◦ Health-Third Party Administrators
◦ Policy ProcessingVendors
◦ IT Outsourcing –Software Development & Infrastructure
◦ Reinsurers
◦ Garages & Service Providers
 Not only do insurers possess this treasure trove of sensitive personal information, second
only to government, but also increasingly rely on integrated information systems, providing
multiple pathways for attack
4

5. ELEMENTS OFTHE ECOSYSTEM
 APT not detected by the traditional signature based controls
 Social Engineering and Social Networks being used to target
sensitive roles in organization's
 Goals
◦ Malware delivery
◦ Lasting footprints
◦ Persistence
◦ Obtaining targeted individual’s credentials
5

6. ARE BREACHES REALLY
INEVITABLE?
 YES & NO
 Is technology going to be a the panacea for all problems
 Is assessment of security processes around the technology for the
effective management of the potential threat vectors critical to
reduce breach events ?
◦ Insurance Use Cases
 Data Leakage
 Data Privacy breach
 Awareness
 Security Processes
6

7. WHAT’SYOUR POSTURE?
Every organization in always in reactive mode- Do we need any
preparation for this ?
Do we know what goes into having an Proactive approach to APT
• Business Questions
 Understand the Risk Posture :Align Board on the Risk (Threat Posture) Assessment Engagement
 Understand Business Risks and Aggregation of such risks due to weak IT Controls
 Are you concerned that your key employees and executives might be a enticed for IP theft?
 Do you wonder if any of your key systems have been compromised by malware?
 Are you concerned that sensitive data is exiting your network via corporate and personal email accounts?
 Would you like to know which sensitive files are vulnerable because they are accessible to everyone?
 Do you have a compliance initiative that mandates protecting sensitive payment card or personal data?
• IT Questions
 Security Controls review before Onboarding new application/Infrastructure/moving to cloud
 Employ Defense in depth strategy
 Basics of Layered Security-Management of Devices ( Monitoring )
 Data Leakage Solutions
 Outsourcing Risk
 Secure Configuration
 Review BYOD Policy
 Review Access Rights-PUM
 Awareness & Education
 Incident Management & Incident Reponses ( All threats cannot be prevented)
 Clear Acceptable use Policy
 Logging and Monitoring
7

8. THANK YOU
8