Dilip Panjwani, Chief Information Security Officer at LTI (L&T Infotech), shares his views on a range of enterprise security topics: best practices for protecting a remote workforce, the increasing relevance of AI, protecting multi-cloud environments, the importance of DNS security, and how CISOs can improve ROI from existing investments.
Some edited excerpts:
What are some of the emerging threat vectors that enterprises need to be careful about?
Some emerging threat vectors that enterprises need to be cautious about are as follows:
· Ransomware – cyber-extortion in which users are unable to access their data until a ransom is paid. Recent ransomware attacks have also involved data exfiltration, with a ransom demanded to avoid public release of sensitive enterprise or customer data on the public internet.
· Weak and stolen credentials – weak passwords and password reuse make credential exposure an easy gateway for initial attacker access and propagation, and also allow attackers already connected to your network to easily locate and use these credentials for lateral movement.
· Misconfiguration – errors in configuration, or running with default configuration, expose hidden flaws and provide attackers with extra information to launch targeted attacks.
· Manipulating domain name infrastructure – adversaries are using credentials they have stolen to log into DNS providers and registrars and manipulate DNS records.
· Domain fronting – technique used by adversaries to obscure their geographic location. This enables an attacker to hide the origin of his or her command and control (C2) and build a reliable channel to exfiltrate data to an unidentifiable location.
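Domain fronting shows up at a TLS-terminating proxy as a mismatch between the hostname in the TLS SNI and the hostname in the HTTP Host header inside the tunnel. The following detection is an added example for this interview, not code from the interviewee or from LTI; the five-field log layout (timestamp, source IP, SNI, Host header, URL) and the sample lines are constructed for it, and the eTLD+1 approximation is a deliberate simplification.

```python
"""Flag possible domain fronting in TLS-inspecting proxy logs (added example).

The SNI is what DNS and the network see; the Host header is what the CDN
actually routes on. When their registrable domains differ, the client is
talking to something other than what the connection claims.
"""
from collections import namedtuple

Record = namedtuple("Record", "ts src sni host url")

# Constructed sample log lines: timestamp src_ip sni host url
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.1.2.3 cdn.example.net cdn.example.net /assets/app.js
2024-03-01T10:00:05Z 10.1.2.3 www.example.org www.example.org /
2024-03-01T10:00:09Z 10.1.2.7 cdn.example.net c2-relay.example.xyz /beacon
2024-03-01T10:00:12Z 10.1.2.7 static.example.com img.static.example.com /logo.png
2024-03-01T10:00:15Z 10.1.2.9 - - /no-tls
"""


def parse_line(line):
    """Parse one log line into a Record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return Record(*parts)


def registrable(host):
    """Crude eTLD+1 approximation: strip a port and keep the last two labels.
    Assumption for this example; production code should use the public
    suffix list so that e.g. 'example.co.uk' is handled correctly."""
    host = host.lower().split(":")[0].rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_fronting(rec):
    """True when SNI and Host header point at different registrable domains."""
    if rec.sni in ("-", "") or rec.host in ("-", ""):
        return False  # plaintext or no Host header: nothing to compare
    return registrable(rec.sni) != registrable(rec.host)


def find_fronting(log_text):
    """Return every record in the log whose SNI/Host pair looks fronted."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_fronting(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_fronting(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} SNI={hit.sni} Host={hit.host} {hit.url}")
```

Only the third sample line is flagged: the SNI names a CDN under example.net while the Host header names a host under example.xyz. The fourth line is a legitimate CDN pattern (sub-host of the same registrable domain) and is deliberately not flagged, which is why the comparison is on registrable domains rather than exact hostnames.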
What are some of the best practices you recommend to protect a remote workforce?
Some best practices we recommend are as follows:
· Endpoint and business application security using two-factor or multi-factor authentication (2FA/MFA). This adds a second level of security to important applications and data. Couple it with risk-based step-up authentication on suspicious behaviour, even after initial authentication.
· Network and endpoint security using proxied connections only, via cloud/roaming proxy policies based on user and device profile.
· Follow IT hygiene – ensure all assets are tracked for patches and vulnerability fixes to protect against threats.
· Enforce a Comply-to-Connect policy on your network to ensure only authorized, compliant and up-to-date assets and users are permitted to connect to the enterprise network and business applications.
· Finally, do not forget to ensure simple & continual security awareness & training for your end users and contractors. It’s easy to forget just how easy it can be to lose sensitive data – something as simple as clicking on links in emails from unknown senders or accidentally leaving your computer unlocked while you take a bio break at the coffee shop can leave your sensitive data wide open.
Could you share your views on protecting multi-cloud environments? What are some of the best practices you recommend?
A multi-cloud strategy provides much more flexibility than working with only one cloud platform, allowing organizations to better manage costs and avoid vendor lock-in. It also helps improve resiliency, but at the same time the high complexity of multi-cloud deployments increases the attack surface and the risk of cyberattacks, raising new cloud security concerns. To protect such complex hybrid-cloud environments from cyberattacks:
· Define a secure baseline configuration standard across your multi-cloud environments – close unsecured ports, remove any unnecessary software, secure all APIs and web interfaces, and always follow the principle of least privilege for access to users and services.
· Synchronize policies – if you use multiple clouds for availability, you need to ensure you use the same security settings in all your clouds.
· Invest in cloud security posture compliance reporting and remediation.
· Automate security – adopt a DevSecOps mentality for every process occurring on your cloud infrastructure; for example, every new VM or container deployed on any cloud should be baselined according to the security hardening guidelines and undergo the relevant security scans for clearance before being published for use.
· Consolidate monitoring – a holistic view of systems across the multi-cloud estate is essential for detecting, investigating, and responding to cyber threats.
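The first two practices above (one baseline, synchronized across clouds) come down to normalizing each provider's firewall rules into a common model and checking that model against one policy. The script below is an added example written for this interview, not code from the interviewee or LTI. The two rule documents are constructed and only loosely shaped like an AWS security group and a GCP firewall list (they are not real API output), the management-port set is an assumption, and the baseline check is the "close unsecured ports" rule from the list above.

```python
"""One baseline check applied to firewall rules from two clouds (added example).

Normalizes provider-shaped rules into (protocol, low_port, high_port, cidr)
tuples, flags internet-exposed management ports or all-traffic rules, and
reports rules present in only one cloud (policy drift).
"""
import ipaddress

MGMT_PORTS = {22, 3389, 5985, 5986}  # assumed: SSH, RDP, WinRM
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed AWS-like security group (simplified shape, not real API output)
AWS_SG = {"GroupId": "sg-0a1b2c", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]}

# Constructed GCP-like firewall rules (simplified shape, not real API output)
GCP_FW = [
    {"name": "allow-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-ssh-internal", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-all-rdp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
]


def from_aws(sg):
    """AWS-like ingress permissions -> set of normalized rule tuples."""
    rules = set()
    for p in sg["IpPermissions"]:
        proto = p["IpProtocol"]
        if proto == "-1":                      # AWS shorthand for all traffic
            proto, lo, hi = "all", 0, 65535
        else:
            lo, hi = p["FromPort"], p["ToPort"]
        for r in p["IpRanges"]:
            rules.add((proto, lo, hi, r["CidrIp"]))
    return rules


def from_gcp(fw):
    """GCP-like ingress firewall rules -> set of normalized rule tuples."""
    rules = set()
    for rule in fw:
        if rule.get("direction") != "INGRESS":
            continue
        for a in rule["allowed"]:
            for port_range in a.get("ports") or ["0-65535"]:
                lo, _, hi = port_range.partition("-")
                lo, hi = int(lo), int(hi or lo)
                for cidr in rule["sourceRanges"]:
                    rules.add((a["IPProtocol"], lo, hi, cidr))
    return rules


def is_internet_exposed(cidr):
    """A source range is exposed unless it sits entirely inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(p) for p in PRIVATE_NETS)


def findings(rules, cloud):
    """Apply the baseline to one cloud's normalized rules."""
    out = []
    for proto, lo, hi, cidr in sorted(rules):
        if not is_internet_exposed(cidr):
            continue
        if proto == "all" or (lo == 0 and hi == 65535):
            out.append((cloud, "all traffic open to the internet", cidr))
        exposed = sorted(p for p in MGMT_PORTS if lo <= p <= hi)
        if exposed:
            out.append((cloud, f"management port(s) {exposed} open to the internet", cidr))
    return out


def drift(rules_a, rules_b):
    """Rules present in exactly one of the two clouds: the policies are not synchronized."""
    return rules_a ^ rules_b


if __name__ == "__main__":
    aws, gcp = from_aws(AWS_SG), from_gcp(GCP_FW)
    for f in findings(aws, "aws") + findings(gcp, "gcp"):
        print("FINDING", f)
    for d in sorted(drift(aws, gcp)):
        print("DRIFT", d)
```

Each cloud fails the baseline in a different way (SSH open to the world on one, RDP on the other), and the drift report shows exactly those two rules, which is the signal the "synchronize policies" practice is looking for. Normalizing first means the same check function runs unchanged against any provider you add later.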
DNS attacks have gone up significantly. How can DNS be leveraged to improve threat resolution?
Some recommendations include:
· Implementing multi-factor authentication for changes made to the DNS infrastructure
· Deploying DNS security including both signed and validated records
· Have a robust certificate management process – revoke any illegitimate certificates that currently exist
· Monitor for public changes to DNS records and digital certificates associated with your organization
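The last recommendation, monitoring public DNS records and certificates for your domains, is a comparison of what the world currently sees against a baseline you control. The script below is an added example written for this interview, not code from the interviewee or LTI. Both snapshots and the certificate observations are constructed; in practice the observed side would be fed by resolver queries and Certificate Transparency logs, and the set of "critical" record types and approved issuers is an assumption.

```python
"""Detect drift in public DNS records and unexpected certificates (added example).

A hijacked registrar or DNS-provider account shows up as changed NS, MX or A
records; a fraudulently issued certificate shows up in CT logs under an
issuer you never approved. Both are caught by diffing against a baseline.
"""
CRITICAL_TYPES = {"NS", "MX", "CAA", "SOA"}   # assumed ranking for this example

# Constructed baseline: (owner name, record type) -> set of record data
BASELINE = {
    ("example.com.", "NS"): {"ns1.example-dns.net.", "ns2.example-dns.net."},
    ("example.com.", "A"): {"203.0.113.10"},
    ("example.com.", "MX"): {"10 mail.example.com."},
    ("example.com.", "CAA"): {'0 issue "letsencrypt.org"'},
    ("www.example.com.", "A"): {"203.0.113.10"},
}

# Constructed observed snapshot: one NS replaced, an MX added, a new A name
OBSERVED = {
    ("example.com.", "NS"): {"ns1.example-dns.net.", "ns-evil.example.net."},
    ("example.com.", "A"): {"203.0.113.10"},
    ("example.com.", "MX"): {"10 mail.example.com.", "5 mail.attacker.example."},
    ("example.com.", "CAA"): {'0 issue "letsencrypt.org"'},
    ("www.example.com.", "A"): {"203.0.113.10"},
    ("vpn.example.com.", "A"): {"198.51.100.7"},
}


def dns_drift(baseline, observed):
    """Return (severity, name, type, added, removed) for every record set
    that differs from the baseline, including names that appeared or vanished."""
    alerts = []
    for key in sorted(set(baseline) | set(observed)):
        old = baseline.get(key, set())
        new = observed.get(key, set())
        if old == new:
            continue
        name, rtype = key
        severity = "high" if rtype in CRITICAL_TYPES else "medium"
        alerts.append((severity, name, rtype, sorted(new - old), sorted(old - new)))
    return alerts


# Constructed certificate observations as they would come from CT logs:
# (issuer common name, subject alternative names)
CT_OBSERVATIONS = [
    ("Let's Encrypt", ["example.com", "www.example.com"]),
    ("Unknown CA", ["login.example.com"]),
    ("Let's Encrypt", ["other.example.org"]),
]


def unexpected_certs(observations, our_domains, allowed_issuers):
    """Flag certificates covering one of our domains that were not issued by
    an approved CA. A CAA record says who *should* issue; CT monitoring is how
    you find out whether someone else did anyway."""
    flagged = []
    for issuer, sans in observations:
        ours = [s for s in sans
                if any(s == d or s.endswith("." + d) for d in our_domains)]
        if ours and issuer not in allowed_issuers:
            flagged.append((issuer, ours))
    return flagged


if __name__ == "__main__":
    for alert in dns_drift(BASELINE, OBSERVED):
        print("DNS", alert)
    for cert in unexpected_certs(CT_OBSERVATIONS, ["example.com"], {"Let's Encrypt"}):
        print("CERT", cert)
```

The run reports two high-severity DNS changes (a swapped name server and an extra, lower-preference MX that would now receive the organization's mail first) plus a medium one for the new vpn name, and one certificate for login.example.com from a CA that was never approved. The "removed" side matters as much as "added": a missing NS record is often the first visible sign of a registrar-account takeover.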
How can AI play a vital role in improving the security posture? What are some of the possible use cases?
With cyber-attacks growing in volume and complexity, artificial intelligence (AI) is helping enterprises with under-resourced cyber SOC teams stay ahead of threats. AI helps analyze relationships between threats like malicious files, suspicious IP addresses or insiders in seconds or minutes, allowing cyber security teams to make critical decisions and remediate threats in less time. Some of the use cases for AI in improving the cyber security posture are as below:
· Behavioural analytics – if the AI algorithm notices unusual activities that fall outside the user's typical behaviour, it can flag them as suspicious or even block the user. These activities can include impossible travel time, where the same user credentials log in from multiple geographies within a very short period, a sudden spike in document downloads from a user's archived folders, or a sudden change in their typing speed.
· Threat hunting – AI can be used to automatically investigate all indicators of compromise or exploitation, alerting security analysts to threat incidents that need to be assessed. Cognitive reasoning can connect threat entities associated with genuine incidents, such as malicious files, suspicious IP addresses and malicious entities, to create relationships between these entities.
· Deep Learning – AI can be used to analyze incidents in the network against incidents in an organization’s threat data lake, revealing suspicious activities at each endpoint.
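The impossible-travel signal mentioned under behavioural analytics does not actually need a learned model: it is a distance-over-time check on consecutive logins by the same user. The script below is an added example written for this interview, not code from the interviewee or LTI. The login events, their geolocations and the plausible-speed threshold are constructed/assumed; a real deployment would take them from the identity provider's sign-in log and a geo-IP database.

```python
"""Impossible-travel detection over constructed login events (added example).

For each user, consecutive sign-ins are paired and the implied ground speed
between their geolocations is compared with what a flight could achieve.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0   # assumed: airliners cruise at roughly 900 km/h
MIN_DISTANCE_KM = 50.0       # assumed: ignore geo-IP jitter within one metro area

# Constructed events: (user, ISO-8601 UTC time, latitude, longitude, label)
EVENTS = [
    ("alice", "2024-03-01T08:00:00Z", 19.0760, 72.8777, "Mumbai"),
    ("alice", "2024-03-01T08:45:00Z", 51.5072, -0.1276, "London"),
    ("alice", "2024-03-02T09:00:00Z", 51.5072, -0.1276, "London"),
    ("bob",   "2024-03-01T08:00:00Z", 19.0760, 72.8777, "Mumbai"),
    ("bob",   "2024-03-01T20:00:00Z", 51.5072, -0.1276, "London"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres on a 6371 km sphere."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return (user, from_label, to_label, km, km_per_hour) for every pair of
    consecutive sign-ins that would require travelling faster than max_kmh."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev[0], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e[1]))
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev[2], prev[3], cur[2], cur[3])
            if km < min_km:
                continue
            hours = (parse_ts(cur[1]) - parse_ts(prev[1])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, prev[4], cur[4], round(km), round(speed)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print("IMPOSSIBLE TRAVEL", alert)
```

Mumbai to London is roughly 7,190 km. Alice covers it in 45 minutes (about 9,600 km/h) and is flagged; Bob takes twelve hours (about 600 km/h), which a flight can do, so he is not. The minimum-distance guard stops two sign-ins from the same city with slightly different geo-IP coordinates from producing a near-infinite speed and a false alert.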
Best practices recommended to improve ROI from existing security investments
· Engage and involve the business stakeholders from early on. Understand business processes and data flows, and include them in your data protection strategy when designing controls and selecting solutions and tools.
· AI systems are iterative and dynamic. They get smarter the more data they analyze, they "learn" from experience, and they become increasingly capable and autonomous as they go.
· Compliance can be an effective way to start an ROI conversation and get attention in a less mature organization where the executive team is less aware of the real risks. But tread with caution and do not use compliance merely as a means of securing budget for tick-the-box compliance.
· Use your judgement and expertise to estimate the risk mitigation for each investment. Help business leaders see security not as a cost centre but as a business enabler ready to support enterprise strategic initiatives.
· See if there is a relevant CISO group or forum you can join to learn from the experience of other companies. While there are many informal CISO groups and connect forums to leverage, some other good sources are ISACs, industry research papers, Gartner Peer Insights, etc.