Looking at the increasing importance of cybersecurity, Express Computer has invited CISOs, CIOs, and CTOs from user industries to share their respective views and perspectives on topics related to enterprise security. In a similar interaction with Express Computer, Shrikant Iyer, Chief Information Security Officer, Aditya Birla Health Insurance Company Limited shared insights about the rising security incidents, emerging threat vectors, and best practices to protect a remote workforce and multi-cloud environments.
Some edited excerpts:
- What are some of the emerging threat vectors that enterprises need to be careful about?
A few of the emerging threat vectors that enterprises need to be careful about, both in the current context and in the near future, are:
Identity threat: Sophisticated threat actors are actively targeting identity and access management (IAM) infrastructure, and credential misuse is now a primary attack vector.
Missing or weak encryption: Proper encryption scrambles data so it’s illegible to hackers. Do this step poorly, and data is exposed in transit or at rest.
Phishing: Hackers masquerade as a reputable source. Users are fooled into giving access.
Trust relationship vulnerabilities: Permissive setups allow a device and a server to connect and share information too freely. That allows for easy hacking.
Mobile devices and BYOD policies: These are primary endpoint security attack vectors. They increase the possibility of reduced visibility in the network, which means devices could go unprotected or unmonitored for a long time. As a result, cybercriminals may take this opportunity to get access to and move sensitive data.
DDoS: Multiple computers connect to the server at once. The server is overwhelmed, and it crashes.
- What are some of the best practices you recommend to protect a remote workforce?
The proliferation of smartphones, laptops, and productivity apps has made it easier to work from anywhere—but it still takes time and thoughtful consideration to create work-from-home rules that set your people up for success. Here are some tips on what to include, as well as some technical considerations that will help keep your remote employees, and company data, safe.
Request and approval processes
Before employees can begin working from home, they need to know whether they’re eligible to do so, and how they should inform the rest of their team that they’ll be outside of the office. Do they need to fill out a form, put a request through your company’s HR platform, or speak to their manager? This part of a work-from-home policy should break this information into clear, simple steps.
We all struggle with technology sometimes, and those frustrations can be exacerbated when working remotely. Make sure your employees know when your company’s IT team is available, and how they can get in touch or submit help desk tickets.
Keeping users and information secure is a vital piece of the WFH puzzle. Confirm that all employees have the necessary security or encryption software loaded onto their devices, regularly remind them of their data protection requirements, and encourage them to stay vigilant to protect against security threats.
To guarantee security, as well as create seamless user experiences, businesses should integrate identity and access management with other Zero Trust solutions, combining single sign-on and multi-factor authentication (MFA).
Other access policies to consider when managing a remote team include:
- Disallowing POP/IMAP-based authentication to Office 365 to accommodate MFA.
- Creating network blocklists to prevent access from known bad networks, Tor browsers, or risky geolocations.
- Rolling out email notifications to end users, alerting them of suspicious activity.
- Enabling managed device checks for mobile and desktop devices to create a frictionless experience.
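The four access policies above can be modelled as a single sign-in evaluator. The following is an added example, not the speaker's, ABHI's or any identity vendor's code; the protocol names, the blocked address range, the Tor exit address and the country code are constructed placeholders.

```python
"""Zero Trust sign-in policy evaluator (added example, not the speaker's, ABHI's
or any identity vendor's code). It models the four access policies listed
above. Protocol names, the blocked range, the Tor exit address and the
country code are constructed placeholders."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LEGACY_PROTOCOLS = {"POP3", "IMAP", "SMTP-AUTH"}    # basic auth; cannot carry an MFA step
BLOCKED_NETWORKS = [ip_network("203.0.113.0/24")]  # constructed "known bad" range
TOR_EXIT_NODES = {"198.51.100.7"}                    # constructed exit-node entry
RISKY_COUNTRIES = {"XX"}                             # placeholder country code


@dataclass
class SignIn:
    user: str
    protocol: str         # "POP3", "IMAP", "HTTPS", ...
    source_ip: str
    country: str          # ISO-style code from geolocation
    device_managed: bool  # passed the MDM/compliance check
    mfa_completed: bool


@dataclass
class Decision:
    action: str                  # "allow", "challenge" (prompt for MFA) or "deny"
    reasons: list = field(default_factory=list)
    notify_user: bool = False    # send the "suspicious activity" e-mail


def evaluate(event: SignIn) -> Decision:
    # 1. Legacy protocols cannot satisfy MFA, so they are refused outright.
    if event.protocol.upper() in LEGACY_PROTOCOLS:
        return Decision("deny", [f"legacy protocol {event.protocol}"], notify_user=True)

    # 2. Network blocklist: known-bad ranges, Tor exits and risky geolocations.
    reasons = []
    ip = ip_address(event.source_ip)
    if any(ip in net for net in BLOCKED_NETWORKS):
        reasons.append("source in blocked network")
    if event.source_ip in TOR_EXIT_NODES:
        reasons.append("Tor exit node")
    if event.country in RISKY_COUNTRIES:
        reasons.append(f"risky geolocation {event.country}")
    if reasons:
        return Decision("deny", reasons, notify_user=True)

    # 3. Managed-device check: a compliant corporate device gets the frictionless path.
    if event.device_managed:
        return Decision("allow", ["managed device"])

    # 4. Unmanaged devices must complete MFA; a successful sign-in from one is
    #    still worth telling the user about.
    if event.mfa_completed:
        return Decision("allow", ["unmanaged device, MFA completed"], notify_user=True)
    return Decision("challenge", ["unmanaged device, MFA required"])


if __name__ == "__main__":
    for ev in (
        SignIn("asha", "IMAP", "192.0.2.10", "IN", True, False),
        SignIn("asha", "HTTPS", "198.51.100.7", "IN", False, True),
        SignIn("asha", "HTTPS", "192.0.2.10", "IN", False, False),
    ):
        print(ev.protocol, ev.source_ip, "->", evaluate(ev))
```

The ordering matters: the protocol check comes first because a basic-auth IMAP login can never present a second factor, so no amount of device or network context should rescue it; the managed-device check comes last so that a compliant device only earns a frictionless path after the network checks have passed.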
- Request you share your views on protecting multi-cloud environments. What are some of the best practices you recommend?
For all the benefits of a multi-cloud strategy, there are some challenges that come with it as well. For instance, it can be difficult to secure a multi-cloud strategy because of a lack of visibility across hosts and services. There is also the question of complexity. While the cloud makes infrastructure management simple, it also introduces complexity in the form of dozens of new services, some loss of control over the data once it’s in the cloud, and a lack of visibility, as mentioned above.
When setting up multi-cloud environments, proper identity and access management (IAM) is key and fundamental to the overall security of an organisation's infrastructure.
Upgrades and patching—vulnerabilities and remediations may be different for each cloud provider, even for the same type of infrastructure or workload. Automate software upgrades and patches, ensuring that upgrades are sensitive to the workload, the infrastructure it is currently running on, and its dependencies.
Component hardening—applications and infrastructure components must be hardened according to the relevant security best practices. This involves closing unsecured ports, removing unnecessary software, securing APIs and web interfaces, and following the principle of least privilege for access to users and services.
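One concrete form of the least-privilege check mentioned above is a linter over policy documents before they are deployed. The following is an added example in Python, not the speaker's, ABHI's or any cloud provider's tooling; it assumes AWS-style IAM JSON (Statement / Effect / Action / Resource / Principal), and the two policy documents and the severity labels are constructed for illustration.

```python
"""Least-privilege linter for AWS-style IAM policy documents (added example;
not the speaker's, ABHI's or AWS's code). The policy documents are constructed
and the severity labels are an illustrative choice."""
import json


def _as_list(value):
    """IAM fields may be a string, a list, or absent; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict):
    """Return (statement_index, severity, message) for each over-broad Allow."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # explicit Deny statements only narrow access
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        principal = st.get("Principal")

        if "*" in actions:
            findings.append((i, "HIGH", "Action '*' permits every API call"))
        for action in actions:
            if action.endswith(":*"):
                findings.append((i, "MEDIUM", f"service-wide wildcard action {action}"))
        if "*" in resources and "Condition" not in st:
            findings.append((i, "MEDIUM", "Resource '*' with no Condition to scope it"))
        # Resource policies: an open Principal makes the resource world-accessible.
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append((i, "HIGH", "Principal '*' exposes the resource publicly"))
        if "NotAction" in st or "NotResource" in st:
            findings.append((i, "LOW", "NotAction/NotResource grant everything except a list; prefer explicit allow lists"))
    return findings


# Constructed: the kind of policy that "just works" and quietly grants everything.
BROAD_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "*", "Resource": "*"},
  {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::reports-bucket/*"}
]}""")

# Constructed: the same workload's actual need, scoped to two actions, one prefix,
# and TLS-only transport.
SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::reports-bucket/*",
   "Condition": {"Bool": {"aws:SecureTransport": "true"}}}
]}""")


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(pol) or "no findings")
```

The same idea carries to the other providers with different syntax: Azure custom role definitions list `Actions` strings that can be `*`, and GCP bindings can hand out basic roles such as `roles/owner`. A multi-cloud check therefore needs one normaliser per provider feeding one set of rules, which is what the "visibility across hosts and services" point above comes down to in practice.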
Monitoring and visibility—when operating on one cloud, you could rely on the basic security tools offered by that cloud provider. However, in a multi-cloud environment, you must have a tool that supports multiple clouds and enables visibility of the entire environment. A holistic view of systems across the multi-cloud is essential for detecting, investigating, and responding to cyber threats.
- DNS attacks have gone up significantly. How can DNS be leveraged to improve threat resolution?
The domain name system (DNS) is a foundational network service that is critical to both connectivity and security, as it can provide a back door for data breaches. It should therefore not be overlooked as a first-level security control, especially in times of crisis and change, like the recent influx of home/remote workers.
DNS is a key starting point for threat investigation. DNS queries and responses are one of the top three data sources that security teams use for threat hunting and investigations. DNS fills gaps left by other security tools. There is no perfect security tool that will fix all your problems, but it is important to have tools that fill in the gaps left open by other tools.
Surveyed S&R leaders said the top benefit of using internal DNS, as a security control point to stop malicious attacks, is being able to catch threats that would otherwise not be caught by other security tools, such as DNS tunneling/data exfiltration, domain generation algorithms (DGAs), and lookalike domain attacks.
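The three threat classes named above can all be surfaced from nothing more than resolver query logs. The block below is an added example, not the speaker's or any vendor's detection logic: the log lines, the brand watchlist and every threshold are constructed, and the "registered domain" helper is a naive last-two-labels approximation that a real deployment would replace with the Public Suffix List.

```python
"""DNS query triage for tunneling, DGA and lookalike domains (added example;
not the speaker's or any vendor's detection logic). The resolver log, brand
watchlist and thresholds below are constructed and illustrative."""
import math
import re
from collections import Counter, defaultdict

BRANDS = ["adityabirla.com", "paypal.com", "microsoft.com"]  # constructed watchlist

# Constructed resolver log: timestamp, client IP, query type, query name.
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 A www.google.com
2024-01-10T09:00:02 10.0.0.5 A xk3jq9vz1lpd7.info
2024-01-10T09:00:03 10.0.0.9 TXT 6a6f686e3a7061737377307264.c2.example.net
2024-01-10T09:00:03 10.0.0.9 TXT 4d41494c3a7365637265742d646174.c2.example.net
2024-01-10T09:00:04 10.0.0.7 A login.paypa1.com
"""


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(qname: str) -> str:
    # Naive "last two labels"; production code should consult the Public Suffix List.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_dga(qname: str) -> bool:
    """Long, high-entropy, vowel-poor second-level labels are typical DGA output."""
    sld = registered_domain(qname).split(".")[0]
    vowels = sum(ch in "aeiou" for ch in sld)
    return len(sld) >= 10 and shannon_entropy(sld) >= 3.0 and vowels / len(sld) < 0.2


def tunnel_like_label(label: str) -> bool:
    """Encoded payload carriers: long labels mixing letters and digits (hex/base32/base64)."""
    return len(label) >= 24 and bool(re.search(r"\d", label)) and bool(re.search(r"[a-z]", label))


def lookalike_of(qname: str):
    """Return the watched brand this domain is within two edits of, else None."""
    dom = registered_domain(qname)
    for brand in BRANDS:
        if dom != brand and levenshtein(dom, brand) <= 2:
            return brand
    return None


def triage(log_text: str) -> dict:
    findings = {"dga": [], "tunneling": [], "lookalike": []}
    carrier_queries = defaultdict(int)
    for line in log_text.splitlines():
        _ts, client, _qtype, qname = line.split()
        if looks_dga(qname):
            findings["dga"].append((client, qname))
        brand = lookalike_of(qname)
        if brand:
            findings["lookalike"].append((client, qname, brand))
        subdomain_labels = qname.lower().split(".")[:-2]
        if any(tunnel_like_label(label) for label in subdomain_labels):
            carrier_queries[(client, registered_domain(qname))] += 1
    # One odd label is noise; repeated carrier-style queries to one domain is a channel.
    findings["tunneling"] = [(c, d, n) for (c, d), n in carrier_queries.items() if n >= 2]
    return findings


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind, hits)
```

Each detector keys on a different part of the name: DGA checks look at the registered label, tunneling looks at the subdomain labels (and at their volume per client and domain, since encoded data needs many queries), and lookalike detection compares the registered domain against a watchlist. That is why none of them is caught by a web proxy or an endpoint agent that only sees the resulting connection.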
- How can AI play a vital role in improving security posture? What are some of the possible use cases?
Detecting new threats
AI can be used to spot cyber threats and possibly malicious activities. Traditional software systems simply cannot keep pace with the sheer number of new malware created every week, so this is an area AI can really help with.
By using sophisticated algorithms, AI systems are being trained to detect malware, run pattern recognition, and detect even the minutest behaviors of malware or ransomware attacks before they enter the system.
Bots make up a huge chunk of internet traffic today, and they can be dangerous. From account takeovers with stolen credentials to bogus account creation and data fraud, bots can be a real menace.
AI and machine learning help build a thorough understanding of website traffic and distinguish between good bots (like search engine crawlers), bad bots, and humans.
AI enables us to analyse a vast amount of data and allows cybersecurity teams to adapt their strategy to a continually altering landscape.
Better endpoint protection
The number of devices used for working remotely is fast increasing, and AI has a crucial role to play in securing all those endpoints. Sure, antivirus solutions and VPNs can help against remote malware and ransomware attacks, but they often work based on signatures. This means that in order to stay protected against the latest threats, it becomes necessary to keep up with signature definitions.
This can be a concern if virus definitions lag behind, either because of a failure to update the antivirus solution or a lack of awareness from the software vendor. So if a new type of malware attack occurs, signature protection may not be able to protect against it.
AI-driven endpoint protection takes a different tack, by establishing a baseline of behavior for the endpoint through a repeated training process. If something out of the ordinary occurs, AI can flag it and take action — whether that’s sending a notification to a technician or even reverting to a safe state after a ransomware attack.
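The baseline-then-deviate approach described above can be shown without any machine-learning library: train per-feature statistics on a window of normal endpoint telemetry, then score each new observation by how many standard deviations it sits from that baseline. The block below is an added example, not the speaker's or any endpoint product's code; the telemetry values, the three-sigma threshold and the mapping from flagged features to a response are constructed and illustrative.

```python
"""Behavioural endpoint baseline (added example, not a product's detection code).

Trains per-feature mean and standard deviation from a window of normal
endpoint telemetry, then scores new one-minute observations by z-score.
All values are constructed; the 3-sigma threshold and the response mapping
are illustrative choices."""
import statistics

FEATURES = ("files_written", "distinct_extensions", "outbound_connections")

# Constructed ten-minute window of normal user activity on one endpoint.
TRAINING = [
    {"files_written": 4, "distinct_extensions": 2, "outbound_connections": 3},
    {"files_written": 6, "distinct_extensions": 1, "outbound_connections": 4},
    {"files_written": 5, "distinct_extensions": 3, "outbound_connections": 5},
    {"files_written": 3, "distinct_extensions": 2, "outbound_connections": 2},
    {"files_written": 7, "distinct_extensions": 2, "outbound_connections": 4},
    {"files_written": 5, "distinct_extensions": 1, "outbound_connections": 3},
    {"files_written": 4, "distinct_extensions": 2, "outbound_connections": 5},
    {"files_written": 6, "distinct_extensions": 3, "outbound_connections": 4},
    {"files_written": 5, "distinct_extensions": 2, "outbound_connections": 3},
    {"files_written": 5, "distinct_extensions": 2, "outbound_connections": 4},
]


def train(samples):
    """Return {feature: (mean, stdev)}; stdev is floored so a constant feature cannot divide by zero."""
    model = {}
    for f in FEATURES:
        values = [s[f] for s in samples]
        model[f] = (statistics.fmean(values), max(statistics.pstdev(values), 1e-6))
    return model


def zscores(model, observation):
    return {f: (observation[f] - mean) / sd for f, (mean, sd) in model.items()}


def classify(model, observation, threshold=3.0):
    """One-sided test: only *more* activity than the baseline is treated as suspicious here."""
    z = zscores(model, observation)
    flagged = [f for f in FEATURES if z[f] > threshold]
    return ("anomalous" if flagged else "normal"), flagged


def respond(flagged):
    """Map flagged features to the two responses the interview mentions."""
    if not flagged:
        return "none"
    if "files_written" in flagged:
        # Mass file modification is the classic ransomware footprint: roll back.
        return "isolate endpoint and revert to last known-good snapshot"
    return "notify technician"


if __name__ == "__main__":
    model = train(TRAINING)
    normal = {"files_written": 7, "distinct_extensions": 2, "outbound_connections": 4}
    ransomware = {"files_written": 900, "distinct_extensions": 1, "outbound_connections": 4}
    beacon = {"files_written": 5, "distinct_extensions": 2, "outbound_connections": 40}
    for obs in (normal, ransomware, beacon):
        verdict, flagged = classify(model, obs)
        print(verdict, flagged, "->", respond(flagged))
```

The point the paragraph makes is visible in the run: the "ransomware" observation matches no signature, yet it is flagged purely because 900 file writes in a minute is hundreds of standard deviations above this endpoint's own history. The same logic is also why such baselines need retraining when a user's role changes, otherwise a legitimate new workload looks like an attack.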
Use Cases: Network Threat Analysis / Malware Detection / Detecting Anomalies
- What are the best practices you recommend for improving RoI from existing security investments?
Investing in cybersecurity has become, without a doubt, one of the most crucial aspects for a business – whether small or big. The damaging effects of a data breach can be extremely alarming – according to estimates by Cyber Security Ventures, the cost of cybercrime damages is expected to touch US$ 6 trillion+ by 2022! Devising an effective cyber security strategy is a critical way for CISOs to address business risks and promote business health and longevity.
Yet, it’s hard to quantify the returns of cybersecurity, given the fact that it is a preventive measure – it neither impacts the revenues directly nor does it provide immediate payback.
In that case, how does one calculate the RoI of cyber security investments?
Comparison with industry peers
Comparing security budgets with other organisations in the industry is a good way to gauge the effectiveness of security investments. Plus, industry-specific research helps with identifying the kind of security risks that the industry is facing within verticals and discovering best practices to deal with specific issues and set baselines. The best way to get an unbiased analysis is to reach out to an analyst enterprise and get a detailed vertical overview.
Assessing the compliance status
Compliance status is a good metric for evaluating security investments in terms of how adherent they are to the set compliance standards. Compliance status can include the findings of regular internal audits to check the alignment of processes with the required security frameworks mandated by the standard, analysis of grades on recent regulatory audits, and determination of the areas of improvement. If cybersecurity investments aren’t improving compliance status, companies should investigate the reason.
Operational cost savings
Cost savings is one of the most obvious measures of RoI, especially when the CIO or head of IT is also responsible for security. If a project enables you to reduce storage space, consolidate licenses, or reduce time and effort through automation, you can calculate the returns with reasonable certainty.
The caveat here is to understand this should never be the only reason for the investment. The main goal of IT security is to manage risk, and you’re doing yourself a disservice with any project that does not start there. However, cost savings works great as an additional reason to invest in something that reduces a risk the company cares about.