Building a Resilient Cyber Ecosystem to Combat Threats
TCS' Singh on Coping With the Changing Threat Landscape
To deal with the rapidly changing threat landscape, security professionals must develop strategies for data protection, threat detection and response. And building processes for recovering quickly in the event of an attack is essential, says Preet Paramjit Singh, delivery lead, special projects and cyber resilience for the enterprise security and risk management practice at Tata Consultancy Services.
"Building a cyber resilient framework thus has become the critical survival factor for organizations, as the ability to recover once an attack has taken place has direct impact to the business," Singh says in an interview with Information Security Media Group (see edited transcript below). But finding the right approach to cyber resilience still remains a big challenge, he says (see: Building a Resilient Cyber Defense).
One of the biggest hurdles CISOs face in building a resilient defense system is the lack of an industry-accepted common framework, he argues.
Organizations must assess their information security controls in order to be cyber resilient. And unless there are benchmarks which help them assess the maturity levels of their cybersecurity systems, organizations will find it challenging to achieve the desired goals, he adds.
In an interview at ISMG's recent Data Breach Summit Asia 2016 in Bengaluru, Singh elaborates on the challenges faced by organizations in building a resilient defense system.
Singh, who has more than 25 years of experience, has been with TCS for five years. He now works on defining and implementing contemporary security solutions for large enterprises.
Cyber Resilience a Top Priority
RADHIKA NALLAYAM: Cyber resilience is gradually becoming a meaningful discussion among enterprises globally as organizations move beyond breach prevention and traditional approaches to security. Do you think cyber resilience has reached an inflection point?
PREET PARAMJIT SINGH: Discussions are certainly maturing, and it's a very positive sign. A good case in point would be the cybersecurity framework launched by the Obama administration last year. It highlighted five core functions - identify, protect, detect, respond and recover. It's a clear indication that governments and enterprises now have increased awareness about the "respond and recovery" part, which is a very healthy sign. They are investing in areas which are under their control - continuous monitoring, threat assessment and a better response mechanism so as to build an ongoing awareness of information security vulnerabilities and threats to facilitate risk-based decision making.
There is also an increased understanding that security should move beyond just compliance and certifications. The primary aim of cyber resilience is also to assess the maturity of an organization's implemented security controls. Resilience is all about the capability to respond fast enough so that the intent of the attack is not fulfilled. (See: Are Security Tools Slowing Your Response?)
Lack of Framework
NALLAYAM: What is the biggest challenge faced by organizations in achieving cyber resilience? Are there industrywide frameworks available for organizations to follow?
SINGH: I think we still need to cover a lot of ground. The industry is lagging behind in terms of cyber resilience maturity and benchmarking. There are models available today which help organizations to assess the maturity of their resilience model, but they are not so prevalent that everybody in the industry can follow them.
There was a lot of work done by Carnegie Mellon around the software best practices for cyber resilience. "Octave" is the outcome of the combined effort done by the Software Engineering Institute team from the university, and is used to assess an organization's information security needs. But it's a very comprehensive model that spans across 26 domains and will require a highly specialized set of people to perform an assessment.
A more narrowed-down version would be the Cyber Resilience Review offered by the United States Department of Homeland Security as a no-cost, voluntary, non-technical assessment to evaluate an organization's operational resilience and cybersecurity practices. It gives you an overall high-level view of the existing security framework, the gaps and what needs to be done. The mandate is meant for U.S. federal agencies only and not for commercial enterprises. But many private sector companies are also working on this framework as a reference and building their own framework. But there is no common consensus for an industry-accepted framework.
NALLAYAM: Does it mean that Indian enterprises have no reference models available? What's their approach?
SINGH: Since Indian private sector companies are dealing with a lot of global customers, I would say they are at a par with their U.S. counterparts. There certainly are some best practices and frameworks they follow. Indian organizations with a global outlook are already putting a lot of effort around resilience. In fact, most of the businesses in India, even the SMBs, are doing global business and are expected to meet certain standards.
Cyber resilience is not a new concept. The present community of cyber professionals were taught to build resilient systems right from their engineering colleges. It probably would have taken a back seat with the advent of a lot of general purpose technologies.
I think the industry is now going back to the cyber resilience wave of things. A similar analogy to draw would be how cloud technology has come up. We always had parallel processing, but it was not commercially viable then. Today, it's one of the biggest technology transformations. Resilience is going to gain a lot of importance as enterprises will no longer be in control of security. The IoT space is another living proof. There is no single entity which owns the Internet of Things. There are multiple technology providers and multiple interconnected devices. So who's going to take accountability and ensure security? I think the problem is going to be more from the ownership [of security] perspective rather than from a technology side.
Being Resilient to Threats
NALLAYAM: What are your recommendations for security professionals in terms of the right approach to building cyber resilience to fight threats?
SINGH: The goal is to be able to survive attacks and thrive in the face of them and be able to work in a world where these threats aren't going away. Resilience is about doing what you need to do to keep operating, in spite of threats.
CISOs should look at using analytics to improve response - for instance, log analysis of data captured containing endpoint file activity and network traffic. It's important to build a strategy which holistically improves visibility, detection and response. Strengthening the incident response capacity is also very critical.
I would recommend:
- Continuous monitoring, automation and maturing the GRC model by integrating governance and security operations systems;
- Enabling risk-based decision making for systems supporting core functions;
- Defining cyber response policies, plans and procedures and intensive training;
- Early detection of threats followed by containing and eradicating the threats;
- Providing a roadmap outlining how to reduce risk, strengthen security posture and fortify the response plan.