Wipro breach: Lessons for CISOs
A dozen of Wipro’s clients have been affected. It raises questions for companies who trust service providers on their ability to service them. Express Computer spoke to industry experts on their suggestions to keep tight conditions when outsourcing security operations.
IT major Wipro has confirmed that it noticed ‘abnormal’ activity in a few of its employees’ accounts, due to an advanced phishing campaign. “We detected a potentially abnormal activity in employee accounts, on our networks due to an advanced phishing campaign. Upon learning the incident, we promptly launched an investigation, identified the affected users and took remedial steps to contain the potential impact,” Wipro said in a statement.
Earlier, cyber security blog KrebsOnSecurity said that Wipro’s systems had been breached and were being used to launch attacks against some of its clients. Wipro added that an independent forensic firm is assisting them in the investigation.
When deciding service outcomes of critical areas, “follow the principle of ‘Trust but verify’ whether it’s the company’s internal team or a third party. Secondly, set the expectations right. If you don’t know what to expect from the vendors, the outcomes will not be delivered. The conventional perception is, outcomes are better when a particular function is outsourced. However without the right ‘outcome visibility’ no matter if functions are outsourced or insourced, companies will not get results,” says Sharad Sadadekar, CISO, HDFC Life Insurance.
Companies should also list out the ‘what if’ scenarios. Their information security groups should do a granular internal study of the kinds of incidents that can occur and the recovery mechanisms. This exercise should be conducted before approaching the outsourced partner so that companies are ready with what to expect.
When working with third party vendors, companies should be very clear about agreements. “With GDPR already in force and the data protection law to be enacted soon, the data privacy and protection has to be kept in mind right at the time of on-boarding the outsourcing partner,” says Sadadekar. ‘Privacy by design’ is very important. The agreement clauses should include the regulatory requirements, privacy by design and the compliance requirements. Once the expectations are set right, the scope of work is only a matter of tick-mark activity. The agreement should include clauses and penalties for non-compliance.
Thorough due diligence should be undertaken so that there is proper segregation of roles – Maker and Checker – to ensure the best outcomes.
“After onboarding the outsourced partner, the CISO’s office should keep a constant tab on cyber security and audit related aspects for the first two years and then on it’s business as usual,” says Sadadekar. Otherwise the vendor takes the client for granted.
Another important point for clients is to gauge the vendor’s ability to keep adding capabilities based on upcoming technology trends. “The vendors should have the ability to do more with less, which is what the new technologies are capable of. Companies should partner with vendors and evolve with ways on how the scale of operations can be managed with the same resources or with less overheads YoY.
“The vendors have the right to be rewarded for good performance and quality. If there are clauses for penalties for lapses then it’s important that rewards are given when the performance meets the mark,” suggests Sadadekar.
Finally, the CISOs should be aware that the working relationship is a lot smoother when the senior most authority is on the governance call. “The processes are followed in letter and spirit when rules adherence is monitored from the top most level,” concludes Sadadekar.
HDFC Life has recently implemented a Next-Gen SoC with threat hunting capabilities. It was rolled out within three months flat. The initial couple of months were intense, specifically the first 4 weeks. Sadadekar was himself present in all the governance meetings; since then, however, it has been smooth sailing. After six months, Sadadekar attends the governance call only once a quarter. He now has more time for other initiatives.
View from a senior banker and CISO
Organisations have to work with multiple partners, which can be fintech players, ride sharing companies, ecommerce sites, etc. The APIs have to be opened for seamless data exchange. In such a scenario, companies have to evaluate what is being outsourced and the risks associated. The risks have to be weighed and outsourcing should be done accordingly. “For a bank, cheque collection vendor services is a less risky affair but outsourcing ATM operations or a SoC can be more risky, given the contextual customer information residing there. We haven’t outsourced the SoC, because it’s the heart of our operations, whereas conducting the penetration testing has been outsourced,” says a senior banker and CISO, who doesn’t want to be identified.
Moreover, it’s also important to have a strong legal framework and contract with the vendor. It comes into force and helps when breach incidents happen. The contract should have clauses that bind the vendor to reveal a breach within a set deadline after the breach has been identified.
Companies should only outsource those processes which require special monitoring: for example, for unusual and high-velocity withdrawals from a particular ATM, the SoC employee at the bank’s end should be informed; credit card data getting shared with aggregators or API providers; etc. These are the specific use cases for which a high-end vendor should be selected. A second or third layer service provider can fulfill routine monitoring.
“An Endpoint Detection and Response (EDR) tool can play a critical role in preparing the behavioural analysis of the activity happening on any given endpoint and can raise an alert as soon as a vulnerability is exposed. It can prove to be useful against an imminent zero day attack,” says the CISO.
Neelesh Kripalani, Sr. VP and Head – Center of Excellence, Clover Infotech says, “The approach towards cyber security threats needs to be proactive rather than reactive. We recommend implementation of Database Activity Monitoring (DAM) solutions to monitor database traffic for detection and blocking of threats. For cloud environment, we suggest to implement role based access so that the administration privileges do not stay with single user account. Additionally, we recommend implementation of cloud access security management tools for greater security control and access visibility of SaaS and PaaS solutions”.
Updated: 18 April, 1.40PM
Suryanarayanan K, CISO, Central Bank of India
When SOC is managed by a third party operator, a few areas which are to be considered are:
a) Background check of all the operators involved
b) Non-Disclosure agreement with the company
c) Confidentiality agreement with individual operators
d) Right to audit the company and its operations
e) Service level agreement for functional as well as security / privacy related requirements
f) Penalty / counter measures for non-compliance of the agreed terms and conditions
g) Exit clause.
Organization’s team also to monitor the SOC activities (through random incident creation, dashboard etc.)
Multiple partners: In addition to the above, certain measures will be: Define the boundary/responsibility of each and every partner in accordance with the area of their operations, data exchange in encrypted form, data life cycle in accordance with the related guidelines, proper consumption of data available with individual partners etc.
SLA with security providers: In addition to the functionality/availability of the service, certain security related aspects are also to be covered in the SLA. This will include a) Data privacy related aspects b) Penal action in case of security breach/privacy breach c) Certification requirements (e.g. PCI-DSS for card vendors).
Further, certain general inputs will be: a) To include third party operations also in the cyber insurance coverage acquired by the institution b) Assurance of security to be obtained in writing from the vendors c) Periodical audit / audit reports of the third party.
Updated: 18 April, 2.30PM
Keyur Desai, CIO – Essar Ports & Shipping, Head InfoSecurity, Network & Communications – Essar
Some of the critical best practices while outsourcing the security operations to managed security service provider.
– Outsourcing any facet of IT needs a lot of due diligence and assessment of the service provider’s hygiene practices, processes & technical competency. When it comes to outsourcing the IT Security Operations, it requires extra caution and care.
– Prior to approaching any managed security service provider, knowing the current risk and vulnerabilities within the setup is very important. Professional vulnerability assessment service helps a lot before finalising the SoC service provider. This gives the knowhow of the current risks and helps defining the scope in a much better way.
– The technical capabilities of the service provider with respect to the Organisation’s IT landscape plays a very vital role. It helps to achieve better visibility on real-time data correlation and reduce the false positives. The technical expertise of the service provider for the critical assets and if possible vendor specific expertise, ensures fine tuning the configuration policies to further reduce the Organisation risk. This can include the expertise in SIEM, different layers of security products viz. Perimeter firewalls, IPS, Web Security, Email Security, End Point Security, Database Security, DLP, PIM, Enterprise Mobility Management (EMM), WAF, etc.
– The technical expertise also ensures the logs received from various different sources are parsed properly and configured with the appropriate use cases based on the IT landscape, applications and business work flow.
– The focus is required in defining the overall scope of managed security services:
o It becomes imperative to define the number of assets, preferably critical assets to start with. This may include all critical applications, databases, security and IT infrastructure.
o The level of access to respective assets with either read-only access or access to change the configurations as well.
o Defining the number of activities is equally important. It helps becoming more specific when it comes to actions from the managed service provider.
o Identifying and creating new use cases based on the real-time and daily report analysis.
o A proper response mechanism in case of a security breach should be included and proper emphasis on this pointer is a must.
– The defined access to known assets with fixed number of activities helps in better governance and control. It also helps to identify the exposed risk of the critical data sources.
– Once the scope is finalised, the overall dataflow should be clearly defined. Any access to data including the logs, reports, alerts should be monitored closely to prevent the data leakage.
– Regular governance meeting to discuss and deliberate on the report findings should be included in the activity list. This will help to observe and highlight any anomaly or unusual trends and form quick action items accordingly.
– Zero day attacks and advanced threat vectors are increasing drastically; these practices will help in identifying and mitigating such critical risks.
– While finalizing the Managed SoC service providers, the SLAs, although very important, need to be kept simple, covering monitoring, management, reporting and forensic analysis.
– SLAs must protect the customer business by limiting the risk.
– Apart from any security breach, the SLAs should also cover alerts to any potential privacy-related compliance issue as well.
While the best practices may further be fine-tuned as per the Organisation’s requirement and business workflow, these broad guidelines can be helpful in defining the overall framework while outsourcing the security operations to the third party service provider.