Building and Ideal Secure Enterprise

Organizations that monopolize data are prompting ongoing conversations about anti-trust legislation and data privacy. Almost every major organization is having its share of vulnerabilities in the form of cyber threats, in their rapid move to digitization. Many organizations have over a period, allowed their employees to bring their own device to the office. This increases the surface area and vulnerabilities. With pandemic on one hand, 2020 so far, has also had its fair share of data breaches.

• Marriott: The Marriott Data Breach in March 2020, saw information of approximately 5.2 million hotel guests being compromised, although not all of this information was present for every guest involved: contact details, loyalty account information, partnerships and affiliations and preferences.
• Twitter: The social media platform suffered a major breach in which attackers targeted certain Twitter employees through a social engineering scheme. The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through the two-factor protections.
• Zoom: With the pandemic spiraling out of control and many organizations moving to work form anywhere model, the usage of Zoom saw an exponential increase in user base. At the peak of the pandemic, Zoom faced issues of privacy and security issues in its app.
• Magellan Health: Adding to these breaches is another one at Magellan Health, which saw a ransomware attack that involved compromise of names and one or more of the following: treatment information, health insurance account information, member ID, other health-related information, email addresses, phone numbers, and addresses. 

Of late, the nature of cyber-attacks is changing. Cyber criminals are using sophisticated means of conducting such operations. Moreover, ransomware, phishing, DDoS, BEC attacks, etc. are amongst the most common types of data breaches that we have witnessed this year. Clearly, the first half of 2020 has been quite challenging for organizations from a cybersecurity perspective. The recent data breaches can give the CISOs a direction in terms of the nature of attack and set up enough precautions to thwart such attacks.

From a CISO’s perspective, while there are many areas that are of top priority, they can be captured into 6 different buckets. Addressing these would help strategize and build a robust cybersecurity practice to ensure business continuity.

1. Reduce detection, response, and remediation gap
   This is one of the topmost concerns for CIOs and CISOs these days. The average dwell time i.e. the total time spent by the attacker in your system for any APT/Malicious act is 180 days for any organization. An ideal secure enterprise should reduce this to hours or minutes. CISOs are spending sleepless to envision a strategy to achieve the turnaround time.
2. Visibility into on-premises and cloud assets and their risk posture
   The core of visibility lies in being able to control the exponentially rising volume of the attack surface across networks applications, databases, and end points. With the influx of IOT and exponential adoption of cloud, not to mention the barrage of sanctioned and unsanctioned applications, a CISO needs to have centralized visibility of all the assets present in the organization. These assets can also include smart sensors, sanctioned and unsanctioned applications, smart IOT devices and any other components including open source components.
3. Risk profiling of assets and prioritizing remediation efforts
   Visibility has no meaning if it is not backed up by a real time risk scoring of the assets in the organization. Most importantly these risks need to be updated on a zero-day basis as attacker tactics, techniques, and procedures are changing at a rapid speed. Also, organizations cannot go about remediating all the risk and vulnerabilities in one go and there needs to be a scientific method to prioritize which vulnerability to be remediated first. This is one of the most painstaking tasks for the security and business stakeholders.
4. Create adaptable security controls
   What was applicable 20 years ago is not applicable today. Nature of business and supporting technologies are changing faster than what we all can imagine. While we have covered multiple attack surfaces earlier, as an area of concern, it is important to emphasize that the security control needs to be dynamically adapted to the changing attack surface. From the technology point of view the focus of the CISO needs to shift from a signature log-based approach to a more behavioral prediction, repetitive task automation, deception, and an offensive mindset kind of approach.
5. Perform continuous assessments of security and compliance posture across the enterprise
   With the advent of regulations like NIST, GDPR, PCIDSS, CCPA ISO 27001 and the ever-expanding attack surface, it is critical to look at an organization’s compliance posture at regular intervals. Regulatory bodies like Department of Telecommunications, Reserve Bank of India, Telecom, Federal Reserve Bank, NAIC wish to enforce specific compliance / security measures for organizations in the Banking and Financial Services, Insurance, Communications, automobile, healthcare space. This real time compliance posture visibility along with automated remediation of gaps is a time-consuming activity for a CISO.
6. Automation of repetitive task
   A lot of human bandwidth goes away in doing things which are repetitive and unproductive in nature whether it is the security analyst sifting through the logs, IT helpdesk logging in the tickets, L1 analysts documenting the case etc. These analysts spend a chunk of their time in these repetitive tasks without being able to focus on the strategic aspects of building secure enterprise. CISO’s primary responsibility is to ensure that every minute of the skilled security resource is spent in analyzing and co-relating events redirecting to threats and solving larger problems by thinking critically and creatively. They need to look at current work processes and ways to eliminate repetitive tasks. Automation is a way forward to address this issue.
7. Way forward
   While cybersecurity requirements of organizations may vary by industry and company size. CISOs need to build a broad framework comprising the following four pillars:
   • Identity and Access Management
   • Application Security: GRC, DevSecops and VAPT
   • Data Security/Privacy
   • Threat Management/Hunting

As more and more organizations recognize the need for focused approach, ingraining the above will help mitigate most of the risks and secure organizations from emerging cyber threats. All of this under the strict regulatory frameworks these organizations need to work through.