October is National Cybersecurity Awareness Month, and it brings a flurry of initiatives across organizations to make employees aware of #BeingCyberSmart. The CISA and NCSA initiative, launched in October 2004, is more relevant and important now than in previous years. Increased digitalization has sharply expanded the attack surface for enterprises, small businesses, and individuals, and the new distributed working model leaves us more exposed to emerging cyberthreats and to more sophisticated attack techniques.
Minu Sirsalewala, Editorial Consultant, CISO MAG, chatted with Vishak Raman, Director, Security Business, Cisco India and SAARC, on what it takes for organizations to be cyber smart (#BeingCyberSmart) in this digital, distributed age. Raman also delved into new-age cyber-safety techniques such as Zero Trust Architecture, current security trends, and new-age cyberthreats.
Raman leads Cisco’s Security business for the India and SAARC region. He brings over 20 years of experience in the Information Security Services space with stints in product management, sales, marketing, and business development.
Prior to Cisco, Raman was the Senior Regional Director (India & SAARC) at FireEye. He was also the Global Head of Content Delivery Network (CDN) & Managed Security Services (MSS) business at Tata Communications for three years. Before joining Tata Communications, Raman was the Senior Regional Director for Fortinet and is credited with having built Fortinet’s Unified Threat Management success story in India and SAARC over 10 years. He was instrumental in setting up the first-of-its-kind Global Technical Assistance Centre in Bangalore to support Fortinet’s customers worldwide. Raman has also worked at WatchGuard, Sify, and HCL Technologies. He has an engineering degree in Computer Science and an MBA from IIM – Ahmedabad.
Edited excerpts of the interview follow:
What does #BeingCyberSmart mean for an organization?
#BeingCyberSmart is knowing what to defend and what is the maximum I need to defend. As the budgets are limited, you must bite what you can chew. IoT Security, DDoS, and other large threat vectors have been observed during the pandemic, contributing 70–80% of the attacks. So, being able to prevent the most vulnerable and probable attacks is #BeingCyberSmart.
The four big vectors that need to be closely evaluated are email security to avoid phishing; endpoint security, which is the last line of defense; cloud security, which ensures cloud data is secure; and the most important is securing technology by adding layers of security towards the identity part. #BeingCyberSmart means picking the right battles and reducing the risks in these probable vectors which are email, identity theft, cloud, and endpoint.
Is a zero trust approach an answer to better protection or just a buzzword?
Zero trust is not a buzzword; it’s a framework for organizations to put together their security posture. It starts with fundamentals like, what are you trying to protect? It is to simply design a trust framework and to look at the design philosophy for zero trust.
If you look at zero trust, foundationally there are five pillars. Whatever you assume is environmental – be it an SMB customer, a very large enterprise, a government, a critical infrastructure – you start with a baseline assuming that all the environments are hostile and in a state of a paranoid breach. So, when you go into a security posture, you assume that the environment is already hostile, and that is the zero trust fundamental. The second part is no access until the device proves its trust. It means you must challenge the authentication, challenge the identity of that access. If you are connecting from your home, I would make sure that the endpoint is running the right patch, the operating system is running anti-virus and anti-malware endpoint protection, and it is not a jailbroken device that is coming from a trusted source. Essentially, the second principle is no access until the user on the device is proven as a trusted device. Third, authorize every single transaction and encrypt all the transactional flows. There is no non-encrypted traffic that will be going in or out of the setup. While there is a big hype about state-sponsored attacks, zero trust focuses on data protection and how you classify your confidential data — the fourth pillar. You cannot protect all your crown jewels; you need to classify which needs maximum security, because data classification is the foundation. And for the fifth pillar, you must log all the activity and keep a repository of all the transactions.
While these are the foundational principles, the way to classify zero trust is into three large buckets. First, your workplace, which is the on-premise setup, your server, email, etc. For asset identification, you follow a 3W framework — workplace security, workload cloud, and workforce — which is for the endpoints and users — the most vulnerable. Zero trust principles must be applied across the workforce, workload, and workplace framework. It does not stop with the selection of products; you have to look at enabling it with credible threat intelligence.
SMB cyber incidents in India have been peaking. What were the most exploited vulnerabilities?
From an attack surface point of view, phishing was a larger vehicle through which the hacks happened. Phishing, malware, DNS tunneling, and DDoS are the four large attack vectors that were looked at by the hackers. Close to 85% of them experienced malware attacks in the last 12 months, followed by phishing attacks.
DNS tunneling is the biggest vulnerability and is not very well understood by enterprises. DNS basically translates an IP address to a domain name. When you type google.com, it goes to an IP address in the backend, but somebody is resolving that domain name to an IP address. So, the tunneling part is important because any hack or malware implant needs to go and communicate back to a downloader.
Another attack that surged is the denial-of-service (DoS) attack. In a DoS attack, a legitimate connection request is sent to the server but the connection is never completed. Malware attacks (around 85%), phishing attacks (about 70%), DNS tunneling (about 68%), and DDoS attacks (around 64%) are the top four major vectors APJC SMBs have experienced over the last 12 months.
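The tunneling pattern Raman describes, an implant smuggling data out and talking back to its downloader inside DNS queries, leaves a recognisable trace in resolver logs: many distinct, long, high-entropy subdomains under one parent domain, often as TXT or NULL queries so the answer can carry data back. The following is an added example written for this article, not Cisco code or anything from the interview. The log format, the `exfil-demo.example` domain, the sample lines and the thresholds are all constructed assumptions; real thresholds must be tuned against your own resolver baseline, and a real implementation should use the public suffix list instead of the two-label shortcut used here.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of resolver query logs: "timestamp client qname qtype".
# These lines are made up for the example and are not data from the article.
SAMPLE_LOG = """\
1633046400 10.0.0.12 www.google.com A
1633046401 10.0.0.12 mail.example.org A
1633046402 10.0.0.12 update.cisco.com A
1633046402 10.0.0.12 d1a2b3c4d5e6f7.cloudfront.net A
1633046403 10.0.0.23 kq7zx2mv9bw4lc8rp3nt6yjh.exfil-demo.example TXT
1633046403 10.0.0.23 m3dfu8ga1xk5tzr0vh7we9cs.exfil-demo.example TXT
1633046404 10.0.0.23 p2wn6ysl4bq0hc9mjv1er5fx.exfil-demo.example TXT
1633046404 10.0.0.23 z8tk3bge7vq2dn5ym1xa4rhw.exfil-demo.example TXT
1633046405 10.0.0.23 c6ru1fhm0kw9sb5tx3jg2pdl.exfil-demo.example TXT
1633046406 10.0.0.12 cdn.jsdelivr.net A
"""

# Illustrative thresholds (assumptions for this example, not vendor values).
MIN_UNIQUE_SUBDOMAINS = 5    # distinct names seen under one parent domain
MIN_AVG_LABEL_LEN = 16       # average length of the longest label per query
MIN_AVG_ENTROPY = 3.0        # bits per character of the subdomain part
SUSPICIOUS_QTYPES = {"TXT", "NULL"}   # record types that carry big payloads


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded/encrypted data scores high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname: str) -> str:
    """Last two labels of the name (simplification; use the public suffix
    list in production so names like example.co.uk are handled)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qname, qtype) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, qtype = parts
        yield client, qname.lower(), qtype.upper()


def query_features(qname: str):
    """Longest subdomain label and entropy of the whole subdomain part."""
    labels = qname.rstrip(".").split(".")
    sub_labels = labels[:-2]
    if not sub_labels:
        return 0, 0.0
    return max(len(l) for l in sub_labels), shannon_entropy("".join(sub_labels))


def detect_tunneling(log_text: str) -> dict:
    """Return {parent_domain: reason} for domains whose query pattern looks
    like a DNS tunnel. A single long CDN hostname (the cloudfront line) is
    not flagged because the unique-subdomain count never reaches the floor."""
    per_domain = defaultdict(
        lambda: {"names": set(), "lens": [], "ents": [], "susp": 0, "total": 0})
    for _client, qname, qtype in parse_log(log_text):
        stats = per_domain[registered_domain(qname)]
        longest, ent = query_features(qname)
        stats["total"] += 1
        stats["names"].add(qname)
        stats["lens"].append(longest)
        stats["ents"].append(ent)
        if qtype in SUSPICIOUS_QTYPES:
            stats["susp"] += 1

    flagged = {}
    for domain, s in per_domain.items():
        avg_len = sum(s["lens"]) / s["total"]
        avg_ent = sum(s["ents"]) / s["total"]
        if (len(s["names"]) >= MIN_UNIQUE_SUBDOMAINS
                and avg_len >= MIN_AVG_LABEL_LEN
                and avg_ent >= MIN_AVG_ENTROPY):
            flagged[domain] = (
                f"{len(s['names'])} unique subdomains, avg label {avg_len:.0f} chars, "
                f"avg entropy {avg_ent:.2f} bits, {s['susp']}/{s['total']} TXT/NULL")
    return flagged


if __name__ == "__main__":
    for domain, reason in detect_tunneling(SAMPLE_LOG).items():
        print(f"TUNNEL? {domain}: {reason}")
```

The three aggregate conditions have to hold together: a legitimate CDN or cloud hostname can be long and random-looking, but it is requested by many clients and does not produce a stream of never-repeated names, which is why the single `cloudfront.net` query is left alone while `exfil-demo.example` is reported.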
The security hygiene can get ugly if the DNS layer and Active Directory security are not managed or secured. How can organizations avoid being targets of these advanced cyberattacks and vulnerabilities?
You need to have a framework approach. Let’s take an endpoint. When you look at DNS as a protocol, it is stateless: it just makes a connection, and there is no information around it. You have got to have layers of security. When you look at endpoint protection, first and foremost, you need to have the base of a virtual private network (VPN), where you want to have a connection back to your corporate setup when working from home, and ensure a VPN is established.
Besides VPN, you have to look at the DNS security, because the corporate VPN will go through a SaaS application, direct to a Dropbox. How do you secure that? You add one more layer of cloud security and make sure that you do a split tunneling of VPN, where the VPN connects back to your corporate network for your corporate applications, for SaaS application — it does not have to go to the corporate and then to the cloud. You are doing a split tunneling option, as most of the home connection and endpoint connections are on a shared Wi-Fi with multiple users from the family.
Man-in-the-middle attacks become common, and if there is no encryption between your laptop and Wi-Fi access point, you want to add another layer of security on top of the VPN, which is DNS security. You want to make sure that there is a cloud-based solution that will tell you that the domain is good, bad, and ugly. The third layer you add is your identity. How do you make sure that the user who is accessing the corporate resource is a real person? So, you resort to passwordless authentication, whereby your device and user identity are protected.
This ensures you have the VPN, DNS layer of security, identity access management, and anti-malware solution. Make sure that the endpoint which is connecting back from the home has an anti-malware solution. Security at the endpoint layer has become a lot more important. This is a principle for zero trust for endpoint security.
This is a framework that we have been successfully enabling in India post-pandemic when the lockdown was announced. We enabled half a million endpoints within two weeks of adopting this framework, so people can continue working from home with secure infrastructure.
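The five pillars from the zero trust answer above and the endpoint layers described here (VPN for corporate applications, split tunnel plus DNS-layer security for SaaS, identity strength tied to data classification, anti-malware on the device, and a log of every decision) can be expressed as one per-request policy evaluation. The block below is an added illustration written for this article; it is not a Cisco product, API or configuration, and every field name, threshold (such as the `MIN_OS_PATCH` baseline) and resource in it is an assumption. It is evaluated on every request rather than once per session, which is what turns "assume the environment is hostile" into behaviour: when the anti-malware agent stops mid-session, the next request is denied.

```python
from dataclasses import dataclass
import json
import time

# Assumed policy inputs for this example only (not vendor values).
MIN_OS_PATCH = "2021-09"   # "YYYY-MM" so plain string comparison orders correctly

# Pillar 4: data classification decides how strong the identity proof must be.
MFA_ALLOWED_BY_CLASS = {
    "public":       {"totp", "webauthn"},
    "internal":     {"totp", "webauthn"},
    "confidential": {"webauthn"},       # passwordless / phishing-resistant only
}


@dataclass
class Device:
    device_id: str
    enrolled: bool              # known to the MDM / asset inventory
    os_patch: str               # e.g. "2021-10"
    antimalware_running: bool
    jailbroken: bool
    vpn_up: bool                # tunnel to the corporate network is established
    protective_dns: bool        # resolver is the cloud DNS-security service


@dataclass
class User:
    user_id: str
    authenticated: bool
    mfa_method: str             # "none", "totp" or "webauthn"


@dataclass
class Resource:
    name: str
    classification: str         # "public", "internal" or "confidential"
    location: str               # "corporate" (over the VPN) or "saas" (split tunnel)
    tls: bool


AUDIT_LOG = []                  # pillar 5: every decision is recorded


def evaluate(user: User, device: Device, resource: Resource):
    """Pillars 1 and 3: default deny, evaluated afresh for every request.
    Returns ("allow" | "deny", list of failed checks)."""
    failed = []
    # Pillar 2: no access until the device proves its trust.
    if not device.enrolled:
        failed.append("device not enrolled")
    if device.jailbroken:
        failed.append("device jailbroken/rooted")
    if device.os_patch < MIN_OS_PATCH:
        failed.append(f"os patch {device.os_patch} older than {MIN_OS_PATCH}")
    if not device.antimalware_running:
        failed.append("anti-malware not running")
    # Identity: the required strength follows the data classification.
    if not user.authenticated:
        failed.append("user not authenticated")
    elif user.mfa_method not in MFA_ALLOWED_BY_CLASS[resource.classification]:
        failed.append(f"{user.mfa_method} not acceptable for {resource.classification} data")
    # Pillar 3: everything encrypted. Corporate apps ride the VPN; SaaS goes
    # direct through the split tunnel but only with the DNS-security layer on.
    if not resource.tls:
        failed.append("resource not served over TLS")
    if resource.location == "corporate" and not device.vpn_up:
        failed.append("corporate resource requested outside the VPN")
    if resource.location == "saas" and not device.protective_dns:
        failed.append("split-tunnel SaaS traffic without DNS-layer security")

    decision = "allow" if not failed else "deny"
    AUDIT_LOG.append({
        "ts": time.time(), "user": user.user_id, "device": device.device_id,
        "resource": resource.name, "decision": decision, "failed": failed,
    })
    return decision, failed


def demo():
    """Same user and laptop, three requests; posture changes between them."""
    alice = User("alice", authenticated=True, mfa_method="webauthn")
    laptop = Device("lt-001", True, "2021-10", True, False, True, True)
    crm = Resource("crm", "confidential", "corporate", True)
    docs = Resource("docs-saas", "internal", "saas", True)
    results = [evaluate(alice, laptop, crm)[0]]         # allow
    laptop.antimalware_running = False                   # AV agent killed mid-session
    results.append(evaluate(alice, laptop, crm)[0])      # deny: re-checked per request
    laptop.antimalware_running = True
    laptop.protective_dns = False                        # user switched resolver
    results.append(evaluate(alice, laptop, docs)[0])     # deny: SaaS path unprotected
    return results


if __name__ == "__main__":
    print(demo())
    print(json.dumps(AUDIT_LOG, indent=2))
```

The point of keeping `AUDIT_LOG` as a structured record rather than a free-text message is the fifth pillar: a SOC can query which device, which user and which failed check produced each denial, which is what the later incident-response questions need.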
What about the new-age cyberthreats?
New age attacks are state-funded. They are geopolitical in nature and target supply chains. Supply chain attacks look at your trusted hardware and software. They plant malware or threats into the trusted networking partner. I would rather not break into the company setup; I would look at what was the most popular setup of products and services they use and plant malware on their updates. We are seeing the new-age attacks very clearly towards supply chains. Talos has written a blog on a group called Gamaredon. Cybercrime-as-a-service is being delivered.
We mapped all these attacks during 2019 and the pandemic, and then we looked at the most vulnerable medium. These new-age attacks that have emerged are email, cloud visibility, and endpoint. We saw zero trust in action for endpoint security. If you block and have a zero trust approach across all these four domains, you are cyber smart.
The key focus areas will be: how to ensure cyber preparedness, how do you look at remote working and access policies, how do you augment your security monitoring capability, how do you look at a trade-off between employee information and privacy, and how do you train your people as we did when we were working from the office. The first line of defense is humans. So, how do you prepare your remote workforce against social engineering attacks? It is not just about technology.
Let’s take an example of incident response. When there is a breach, how do you respond and look at your roles and responsibilities? How do you report the breach and how do you rework all your playbooks? Playbook works like you are writing a security rulebook, the DOs and DON’Ts, and the steps to follow in case of a breach. How do you conduct cyber drills in a remote environment?
Look at how to audit privileged access for remote workers. How can we enhance the SOC monitoring capability? These are questions beyond technology that need to be evaluated and updated. A practitioner’s view is very different. You will have frameworks, but operationally, it’s more complex than what we think.
About the Interviewer
Minu Sirsalewala is an Editorial Consultant at CISO MAG. She writes news features and interviews.