Security-related visibility tools will be game changers, says Yes Bank CISO Rajesh Thapar
The importance of infrastructure protection was always there, but visibility tools such as traffic behaviour analysers, deception technologies and security analytics will be game changers, says Rajesh Thapar, CISO, Yes Bank
The wave of digitisation has transformed banking into an operational model that is more interactive and open, with more channels for exchanging information (Internet, mobile, APIs, etc.) than in the era when physical branches were the dominant medium.
In the current scheme of operations, as digitisation picks up pace, identity theft has been the most prominent cause of breaches in the recent past. Managing identity-related aspects is therefore of paramount importance, whether it is the identity of a host, a server, an IP address or a device.
Rising cases of identity-based attacks
Until recently, a customer's presence in the branch was a natural form of authentication, because transactions happened there in person. “With digitisation, it is very important to authenticate the sender of the traffic first, to establish whether the person, or the interfacing infrastructure or application component, is what it claims to be. As organisations continue to find more value in digitisation, several novel ways are being explored to tackle these impending threats while balancing the ‘openness’ and seamless nature of conducting communication and business. Identity validation and authentication of transactions, in addition to having the right authorisation checks in place, has become very important. Standards and protocols will become even more important for communicating applications, devices and systems, and most importantly, non-repudiable trust among all transacting entities with AAA (Authentication, Authorisation, Auditing) should be of paramount importance,” says Rajesh Thapar, CISO, Yes Bank. In banking delivery channels, methods of authentication have evolved continuously over the years.
Fraudsters are organising themselves around social engineering techniques. “In this background, it’s very important that dynamic Multi-Factor Authentication (MFA) is put in place, and that real-time transaction monitoring happens by putting context to every transaction in terms of the customer’s behaviour and confirming it against behavioural trends observed in the past. This also has to be correlated across multiple channels,” says Thapar.
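To make the idea of context-aware, risk-based MFA concrete, here is an added example (not code from the article or from Yes Bank) of a transaction scoring function that compares each transfer with the customer's own profile and correlates it with recent events from other channels. The profile fields, signal weights, thresholds and the sample customer data are all assumptions for illustration; a production engine would tune them from historical fraud data.

```python
"""Added example: context-aware transaction scoring with dynamic (risk-based)
MFA. Illustrative only: the signals, weights, thresholds and sample profile
are assumptions, not Yes Bank's fraud rules."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class CustomerProfile:
    customer_id: str
    known_devices: set
    usual_countries: set
    typical_amount: float          # e.g. 90th percentile of past transfers
    known_payees: set
    # Recent sensitive events from ALL channels (mobile, internet, call centre).
    recent_events: list = field(default_factory=list)


@dataclass
class Transaction:
    customer_id: str
    channel: str
    device_id: str
    country: str
    amount: float
    payee: str
    when: datetime


STEP_UP_THRESHOLD = 40   # assumed: ask for a second factor at or above this
BLOCK_THRESHOLD = 80     # assumed: hold the transaction for review


def score_transaction(profile, txn):
    """Return (score, reasons). Every signal compares the transaction with the
    customer's own history rather than applying a global rule."""
    score, reasons = 0, []
    if txn.device_id not in profile.known_devices:
        score += 25; reasons.append("new device")
    if txn.country not in profile.usual_countries:
        score += 25; reasons.append("unusual country")
    if txn.amount > 3 * profile.typical_amount:
        score += 20; reasons.append("amount far above typical")
    if txn.payee not in profile.known_payees:
        score += 15; reasons.append("new payee")
    # Cross-channel correlation: a credential or contact-detail change on ANY
    # channel in the last 24h, followed by a transfer to a new payee, is a
    # classic account-takeover sequence and is weighted accordingly.
    cutoff = txn.when - timedelta(hours=24)
    sensitive = [e for e in profile.recent_events
                 if e["when"] >= cutoff and e["type"] in {"password_reset", "phone_change"}]
    if sensitive and txn.payee not in profile.known_payees:
        last = sensitive[-1]
        score += 30
        reasons.append(f"{last['type']} via {last['channel']} in last 24h")
    return score, reasons


def decide(profile, txn):
    """Map the score to an action: allow, step_up_mfa or block."""
    score, reasons = score_transaction(profile, txn)
    if score >= BLOCK_THRESHOLD:
        action = "block"
    elif score >= STEP_UP_THRESHOLD:
        action = "step_up_mfa"
    else:
        action = "allow"
    return {"action": action, "score": score, "reasons": reasons}


def sample_profile():
    """Constructed sample customer for the demo; not real data."""
    return CustomerProfile(
        customer_id="C1001",
        known_devices={"dev-ios-7f3a"},
        usual_countries={"IN"},
        typical_amount=20_000.0,
        known_payees={"ACC-RENT", "ACC-UTIL"},
        recent_events=[{"type": "phone_change", "channel": "call_centre",
                        "when": datetime(2024, 5, 1, 9, 30)}],
    )


if __name__ == "__main__":
    p = sample_profile()
    t = Transaction("C1001", "internet", "dev-win-new", "IN", 5_000,
                    "ACC-NEW", datetime(2024, 5, 1, 12, 0))
    print(decide(p, t))
```

The point of the cross-channel check is that a phone-number change taken by the call centre and a payment made through internet banking look harmless to each channel's own monitoring; only a correlated view sees the pattern. Note that a high score leads to a step-up challenge rather than a hard block, so genuine customers on a new device are inconvenienced rather than refused.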
On the organisational side it becomes even more challenging. For example, in an API banking scenario the bank trusts the server, host or IP address of the corporate or partner. Authorisation in this case has to be calibrated on a need-to-access basis, with clients given access only to the specific utility they require. Banks should enforce limits on what an API can do and how often it can do it, with adequate logging of every call. Authentication, authorisation and limit enforcement are the three essential characteristics of security enforcement in an API banking scenario.
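The three controls named above can be shown end to end in a small gateway. The following is an added example, not code from the article or any bank's API gateway: a request-signing scheme for authentication, per-partner operation scopes for authorisation, and per-operation rate and amount limits, with every decision logged. The partner registry, secrets, scopes, limits and the request format are assumptions made for the example.

```python
"""Added example: authentication, authorisation and limit enforcement for a
partner-facing banking API. Illustrative only; the partner registry, shared
secrets, scopes, limits and request format are assumptions."""
import hashlib
import hmac
import json
import logging
import time

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("api-gateway")

# Hypothetical partner registry: shared secret for request signing, the
# operations the partner may call, and per-operation limits.
PARTNERS = {
    "corp-acme": {
        "secret": b"acme-shared-secret-rotate-me",
        "scopes": {"balance.read", "payment.create"},
        "limits": {"payment.create": {"per_minute": 5, "max_amount": 50_000}},
    },
    "corp-readonly": {
        "secret": b"readonly-secret",
        "scopes": {"balance.read"},
        "limits": {},
    },
}
MAX_CLOCK_SKEW = 300  # seconds; stale timestamps are rejected


def sign(secret: bytes, timestamp: int, operation: str, body: dict) -> str:
    """HMAC-SHA256 over timestamp, operation and a canonical JSON body, so a
    tampered amount or payee invalidates the signature."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    msg = f"{timestamp}\n{operation}\n{canonical}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Gateway:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock for testing
        self._windows = {}        # (partner, op) -> timestamps of recent calls
        self._seen = set()        # (partner, signature) seen before -> replay

    def handle(self, partner_id, timestamp, operation, body, signature):
        now = self.now()
        partner = PARTNERS.get(partner_id)
        # --- Authentication: who is calling, and is the request intact? ---
        if partner is None:
            return self._deny(partner_id, operation, "unknown partner")
        if abs(now - timestamp) > MAX_CLOCK_SKEW:
            return self._deny(partner_id, operation, "timestamp outside window")
        expected = sign(partner["secret"], timestamp, operation, body)
        if not hmac.compare_digest(expected, signature):
            return self._deny(partner_id, operation, "bad signature")
        if (partner_id, signature) in self._seen:   # a nonce would be better
            return self._deny(partner_id, operation, "replayed request")
        self._seen.add((partner_id, signature))
        # --- Authorisation: is this operation within the partner's scope? ---
        if operation not in partner["scopes"]:
            return self._deny(partner_id, operation, "operation not in scope")
        # --- Limit enforcement: how much, and how often? ---
        limits = partner["limits"].get(operation, {})
        if "max_amount" in limits and body.get("amount", 0) > limits["max_amount"]:
            return self._deny(partner_id, operation, "amount over limit")
        if "per_minute" in limits:
            key = (partner_id, operation)
            window = [t for t in self._windows.get(key, []) if now - t < 60]
            if len(window) >= limits["per_minute"]:
                self._windows[key] = window
                return self._deny(partner_id, operation, "rate limit exceeded")
            window.append(now)
            self._windows[key] = window
        log.info("ALLOW partner=%s op=%s body=%s", partner_id, operation, body)
        return {"status": "ok"}

    def _deny(self, partner_id, operation, reason):
        log.warning("DENY partner=%s op=%s reason=%s", partner_id, operation, reason)
        return {"status": "denied", "reason": reason}


if __name__ == "__main__":
    gw = Gateway()
    ts = int(time.time())
    body = {"amount": 1000, "to": "ACC123"}
    sig = sign(PARTNERS["corp-acme"]["secret"], ts, "payment.create", body)
    print(gw.handle("corp-acme", ts, "payment.create", body, sig))
```

The order of the checks matters: authentication failures are rejected before any scope or limit logic runs, so an unauthenticated caller learns nothing about which operations exist, and every denial carries a reason so the logs can be correlated with the partner's own records when a dispute arises.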
Robust authentication mechanisms
While authentication is important, whether through OTP, biometrics, PIN or other means, the fundamental reason cyber breaches happen is a lack of security awareness combined with gaps in primary controls: inadequate user access management, weak patch management, incomplete asset inventories and poor visibility into network traffic. These gaps are an open invitation to attackers. “If we don’t know the inventory, where the hosts are, how will the assessment and risk mitigations be complete? For example, Privileged Identity Management (PIM) will not be managed well in the absence of a correct inventory of hosts and identities,” says Thapar. Moreover, financial institutions should map their crown jewels, i.e. the core infrastructure, and periodically review the adequacy of the controls around them.
Once the infrastructure is properly documented and designed, appropriate controls have to be put in the right places: systems must be patched regularly and scanned periodically, and user entitlements must be reviewed so that access is commensurate with business need and nothing more. The movement of internal traffic has to be tracked too, to check for aberrations. For example, a User and Entity Behaviour Analytics (UEBA) tool profiles entities and employee access behaviour, flags deviations from each user's own baseline, and so helps protect against insider threats.
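A minimal version of what a UEBA tool does with access logs, as an added example that is not part of the article and does not reproduce any commercial product's logic: build a per-user baseline from historical access records (hosts touched, hours active, how many distinct hosts in a day), then score new records against that baseline. The log format, the scoring weights and the log lines themselves are constructed for the example.

```python
"""Added example: a minimal UEBA-style profiler over constructed access logs.
The log format, weights and sample data are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs, "timestamp user host action" per line (not real).
BASELINE_LOGS = """\
2024-05-06T09:12:00 alice hr-app-01 login
2024-05-06T10:40:00 alice hr-app-01 query
2024-05-07T09:05:00 alice hr-app-01 login
2024-05-07T14:20:00 alice hr-db-01 query
2024-05-08T09:30:00 alice hr-app-01 login
2024-05-06T08:50:00 bob core-sw-01 login
2024-05-07T09:10:00 bob core-sw-01 login
2024-05-08T09:00:00 bob core-sw-02 login
"""

# Constructed "today" logs: alice's account is used late at night to hop
# across hosts she has never touched, a classic insider or stolen-credential pattern.
NEW_LOGS = """\
2024-05-09T09:15:00 alice hr-app-01 login
2024-05-09T23:45:00 alice core-sw-01 login
2024-05-09T23:47:00 alice core-sw-02 query
2024-05-09T23:49:00 alice payments-db-01 query
2024-05-09T09:05:00 bob core-sw-01 login
"""


def parse(text):
    events = []
    for line in text.splitlines():
        ts, user, host, action = line.split()
        events.append({"when": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action})
    return events


def build_baseline(events):
    """Per-user profile: hosts seen, hours active, max distinct hosts per day."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set(),
                                    "hosts_per_day": defaultdict(set)})
    for e in events:
        p = profiles[e["user"]]
        p["hosts"].add(e["host"])
        p["hours"].add(e["when"].hour)
        p["hosts_per_day"][e["when"].date()].add(e["host"])
    for p in profiles.values():
        p["max_hosts_per_day"] = max(len(s) for s in p["hosts_per_day"].values())
    return profiles


def score_events(profiles, events, alert_threshold=50):
    """Score each new event against its user's own baseline; return alerts as
    (event, score, reasons) tuples. Weights are assumed values."""
    alerts = []
    seen_today = defaultdict(set)   # (user, date) -> hosts touched so far
    for e in events:
        p = profiles.get(e["user"])
        if p is None:
            alerts.append((e, 100, ["user has no baseline"]))
            continue
        score, reasons = 0, []
        if e["host"] not in p["hosts"]:
            score += 40; reasons.append("first access to host")
        if e["when"].hour not in p["hours"]:
            score += 30; reasons.append("outside usual hours")
        key = (e["user"], e["when"].date())
        seen_today[key].add(e["host"])
        if len(seen_today[key]) > p["max_hosts_per_day"]:
            score += 30; reasons.append("more hosts than any baseline day")
        if score >= alert_threshold:
            alerts.append((e, score, reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOGS))
    for event, score, reasons in score_events(baseline, parse(NEW_LOGS)):
        print(score, event["user"], event["host"], event["when"], reasons)
```

Bob's morning login to a core-switch host scores zero because that is what Bob always does; the same host accessed by Alice at 23:45 scores 70. That per-entity comparison is the difference between UEBA and a static rule, and it is also why the baseline window must be long enough to capture each user's genuine routine before alerts are trusted.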
Prevention is important but detection is paramount
From a CISO's perspective, prevention is definitely important, but detection matters just as much, because the sophistication of attacks has reached a level where it may not be practical to prevent every cyber threat. “The point is, when these controls are breached, what is the visibility layer in order to track the hacker?” says Thapar, stressing that while prevention is important, detection holds more importance, because the hacker will someday be able to sneak into the system.
It is important to have the right tools to track and trace traffic. “CISOs are trying to get a handle on the ‘unknown-unknown’ problem, for which prevention controls may not be feasible. This can be done by certain improvements in the technology ecosystem or process improvements, which can be as follows: hitherto, there was talk about network segmentation. The time has come for application segmentation, which allows the app to talk to only certain components, rather than a flat scenario where all the servers are talking to each other. This micro-segmentation is being enforced, but it may still not mitigate all threats or detect what is not fully prevented,” says Thapar.
Apart from the Security Information and Event Management (SIEM) tool, the use of big data analytics and data lakes is also picking up. While a SIEM helps monitor and analyse traffic in real time over a window that may extend to a few hours, big data analytical solutions can pick up trends from historical data that would normally go unobserved in a traditional SIEM. Security vendors are now integrating AI and ML into these solutions, which enhances visibility into the IT infrastructure. Additionally, deception technologies can present fake assets as crown jewels: decoys can be named as an Active Directory server or a SWIFT server, for example, to lure an attacker into attempting to access them. Because no legitimate process ever needs to touch a decoy, any contact with one is a high-fidelity signal. The importance of infrastructure protection was always there, but visibility-led tools such as traffic behaviour analysers, deception technologies and security analytics will be game changers.
Thapar is of the view that CISOs will have to beef up the detection leg, followed by a fitting response and resilience strategy. Orchestration tools will play an important role in responding to an attack in time, so that the damage is contained while genuine traffic is still allowed to flow wherever feasible. However, this requires the right thresholds underneath so that automated response behaves as intended under the given circumstances; a threshold set too low turns the response tooling itself into a source of outages.
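The two visibility ideas above, application-level segmentation and decoy assets, can be checked against the same east-west flow data. The following is an added example, not code from the article, any product, or Yes Bank's network: an explicit allowlist of tier-to-tier flows stands in for the micro-segmentation policy, a short decoy list stands in for the deception layer, and flow records are evaluated against both. The tiers, address ranges, ports, decoy names and flow records are all constructed for the example.

```python
"""Added example: evaluating east-west flow records against an application
segmentation allowlist and a list of decoy hosts. All tiers, ranges, ports,
decoy names and flows are constructed for illustration."""
import ipaddress

# Constructed inventory: which application tier each address range belongs to.
TIER_OF = {
    "10.10.1.0/24": "web",
    "10.10.2.0/24": "app",
    "10.10.3.0/24": "db",
    "10.10.9.0/24": "mgmt",
}

# Segmentation policy as an allowlist of (source_tier, dest_tier, dest_port).
# A flat network is the implicit opposite: every host may talk to every host.
ALLOWED = {
    ("web", "app", 8443),
    ("app", "db", 1521),
    ("mgmt", "web", 22), ("mgmt", "app", 22), ("mgmt", "db", 22),
}

# Decoys advertised under attractive names. No legitimate process should ever
# connect to them, so any flow towards one is a high-confidence alert.
DECOYS = {"10.10.3.250": "swift-gw-01 (decoy)", "10.10.9.250": "dc-ad-02 (decoy)"}


def tier_of(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, tier in TIER_OF.items():
        if addr in ipaddress.ip_network(cidr):
            return tier
    return "unknown"


def parse_flows(text):
    """Constructed record format: 'src dst dport bytes', one flow per line."""
    flows = []
    for line in text.splitlines():
        src, dst, dport, nbytes = line.split()
        flows.append({"src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def evaluate(flows):
    """Return findings: 'decoy' for any contact with a decoy (checked first,
    since it overrides any policy), 'violation' for flows outside the allowlist."""
    findings = []
    for f in flows:
        if f["dst"] in DECOYS:
            findings.append({"severity": "high", "kind": "decoy", "flow": f,
                             "note": f"contact with {DECOYS[f['dst']]}"})
            continue
        st, dt = tier_of(f["src"]), tier_of(f["dst"])
        if (st, dt, f["dport"]) not in ALLOWED:
            findings.append({"severity": "medium", "kind": "violation", "flow": f,
                             "note": f"{st}->{dt}:{f['dport']} not permitted"})
    return findings


# Constructed sample flows: three legitimate, one web tier reaching the
# database directly, one app-to-app SMB lateral move, one touch of a decoy.
SAMPLE_FLOWS = """\
10.10.1.15 10.10.2.20 8443 5120
10.10.2.20 10.10.3.30 1521 20480
10.10.9.5 10.10.2.20 22 2048
10.10.1.15 10.10.3.30 1521 1024
10.10.2.20 10.10.2.21 445 4096
10.10.2.20 10.10.3.250 22 512
"""

if __name__ == "__main__":
    for finding in evaluate(parse_flows(SAMPLE_FLOWS)):
        print(finding["severity"], finding["kind"], finding["note"])
```

Run in audit mode (alert only) before the same allowlist is enforced at the network or host firewall, so that legitimate flows missing from the policy surface as violations rather than as outages; that is the practical form of the thresholds Thapar refers to.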
Owing to rapid digitisation and the interconnections underlying it, following the usual compliance ordinances and securing systems and infrastructure alone is not enough. Adding a ‘human element’ to the equation is very important. The idea that the problem is universal in nature and needs to be addressed with a sense of shared responsibility across functions, teams and individuals is being taken up as part of change management exercises within organisations and ingrained in their core strategy and culture.
Most organisations today take a top-down approach to managing cyber risk, and organisation structures are evolving fast. In addition to preparing employees to tackle future risks, Boards are being upskilled to respond better, and organisations are open to having at least one specialist Board member.
It is also becoming increasingly important for organisations to align the business unit, the technology function and the security team. IT projects are being designed and implemented with security built in from the beginning rather than added as an afterthought. With most organisations clearly demarcating the roles of CISO and CTO, conflict of interest is contained, and with it, risk.
Increasing focus from various regulators is also ensuring that organisations evolve to take these threats seriously. Commenting on this, Thapar says, “Organisations must build their risk frameworks around the three pillars of People, Processes and Technologies (PPT). Awareness within the organisation must be of paramount importance. People should be as much a part of the process as are security systems and formal information security governance mandates. Continuous training to apprise employees regarding organisation, function as well as individual-level threats should be undertaken.”
Secondly, businesses need to ramp up processes to counter risk. The organisation's risk appetite needs to be well documented, and a robust remediation plan must be in place. The focus needs to be on primary controls, such as good asset management practices, logical access controls, network segregation, anti-APT and malware protection, and on making awareness a priority, not just internally but also among customers. These should be backed by proper secondary controls that supplement the primary ones.
Deploying the right tools is essential too: for instance, multi-factor authentication to prevent breaches, and constant context-aware transaction scrutiny for early detection and warning.
The PPT framework, once implemented, needs to ensure that organisations are well equipped to identify and mitigate cyber risks as proactively as possible.