October is observed globally as “National Cybersecurity Awareness Month”. 2020 has shown us that our focus on cybersecurity should be sharper than ever. Traditional approaches to cybersecurity no longer help in an interconnected world, where the concept of perimeter security is dead. Organizations need to look at software-defined security, enabled by models like Zero Trust and implemented through micro-segmentation and dynamic isolation. These technologies, when deployed in conjunction with AI and network monitoring, help elevate the security posture of any organization.
Keeping this theme in mind, CiOL talks to Ashwin Pal, Director of Cybersecurity Services, Unisys Asia Pacific, about the current state and future of cybersecurity in India. With more than 22 years' experience in the IT security industry in the Asia Pacific, Ashwin has hands-on experience and understanding of the evolving security challenges facing CISOs and other C-level executives from both a technical and a business impact perspective.
He is responsible for running the security business within the APAC region for Unisys. The focus of this senior security role is the management of the delivery capabilities across all lines of Information Security Services. He is also a CISSP, CISA, CSSLP, CGEIT, CRISC, CCSK, C|CISO, PCIP, QSA PCI DSS (lapsed 04-12) and ITIL qualified professional.
Why is cybersecurity so important in the current times?
The global pandemic has accelerated the pace of digitization in most countries. It is changing the threat landscape across the world. The evolution of the recent threat landscape, disappearing network boundaries and a huge number of connections inside and outside the organization increase the attack surface significantly. During COVID-19, there has been an increase in phishing attempts, with intruders using this as an opportunity to gain unauthorized access to organizations or to spread ransomware. We have also seen an increase in cloud-related security breaches, many of them stemming from misconfigured cloud deployments. This requires organizations to enhance their cybersecurity posture.
What advantages does modern cybersecurity have over traditional cybersecurity models?
Many enterprises still look at data security from a compliance perspective. Traditional approaches such as the perimeter security-based approach simply do not work anymore. Organizations need to assume that there will be an attack at any point in time and work towards building cyber resilience into the organization’s plan of action. Investments in this space will define how swiftly they can bounce back after an attack.
Considering the redundancy of perimeter security-based approaches, enterprises now require an approach that can overcome the limitations of it. Zero Trust is a viable alternative and is quickly becoming a popular security paradigm for organizations around the world. It is a security approach based on the guiding principle of ‘never trust, always verify’. This model only allows authenticated and authorized users and devices to access applications and data.
Micro-segmentation is one of the ways to implement Zero Trust. It isolates workloads logically in virtual environments by enforcing granular segmentation policies. Micro-segmentation, combined with network monitoring and dynamic isolation, also ensures that no breach is allowed to spread laterally and that it is contained within that segment alone. This prevents a breach from growing into a full-blown data theft.
Emerging technologies such as Artificial Intelligence, Machine Learning and Biometrics further enhance the effectiveness of a Zero Trust-based cybersecurity approach. Together, these approaches provide a strong data security posture that can help address the threat landscape that exists today.
Has Covid-19 had significant implications on the cybersecurity of businesses?
It certainly has. We have seen a shift to working from home. This has increased the threat landscape as intruders are now targeting home computers and the home network to gain access to target corporate networks. Covid-19 forced many organisations to fast track their digital transformation initiatives to allow employees and customers remote access to their systems. This in turn has increased the attack surface due to the speed at which this transformation was necessary.
Covid-19 has required a lot of organisations to move to the cloud to allow greater and easier remote access to data. Where organisations have not secured this access adequately, security issues have increased. Finally, with the increased reliance on VPNs, these have now become a bigger target for DDoS attacks as well as broader breach attempts as a means to gain unauthorised access to corporate environments.
Has the change brought in the need for cybersecurity personnel? If so, what are the qualifications for the person?
Post the COVID-19 pandemic, cybersecurity has become business-critical for every organization. This is due to two factors. Organizations themselves have gone into the virtual model of operations, as much as their business models permit. This has led to a significant widening of the attack surface, making them more prone to cyberattacks. Statistics indicate that there has been a significant increase in the number of cyberattacks that organizations are subject to.
This makes it mandatory to have a cybersecurity expert at senior leadership levels. They can steer the organization safely through this pandemic and the evolving cybersecurity landscape. Besides expertise in cybersecurity, this leader will need to possess a few other capabilities as well. Given the present circumstances, these leaders will need to be able to embrace accelerated digital transformation that comes with the new normal.
What are some basic approaches that can prevent cyberattacks?
The first step for any organization is to understand their risk exposure and prioritize technology investments accordingly. To facilitate these conversations with the senior leadership and the board, CIOs/CISOs need to be able to translate highly technical cyber risks into the language of business. Quantifying the likelihood and impact of these risks in objective financial terms is essential to gaining the executive buy-in they need to protect their organization.
In an interconnected world, physical perimeters are meaningless when it comes to security. The attack surface of every organization is growing. Traditional security measures can’t keep up with these expanding threats, leaving businesses open to attackers who aim to steal data, disrupt operations, and gain control of the IT infrastructure. Organizations need to establish a software-defined perimeter that creates a Zero Trust environment. Through the power of micro-segmentation, encryption, and dynamic isolation, they can stop attacks – even sponsored, sophisticated ones – in their tracks. And, should an attacker get inside, these approaches prevent data exfiltration so that they can contain the breach.
Approaches such as micro-segmentation help in creating secure zones in data centres and cloud deployments that allow companies to isolate workloads from one another and secure them individually. It aims to make network security more granular. Micro-segmentation also helps in providing role-based access to employees, customers and partners/vendors, so a breach attributed to any of these stakeholders does not extrapolate into a full-fledged data theft. The above technologies, when coupled with network monitoring as well as AI, deliver superior protection from cyberattacks.
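To make the micro-segmentation and dynamic isolation idea from the two answers above concrete, here is a small policy engine added as an illustration; it is not Unisys or CiOL code, and the segment labels, ports and workload names are constructed. It shows default-deny segment rules, the lateral "blast radius" a compromised workload would have, and how relabelling a workload into a quarantine segment shrinks that radius to the monitoring collector.

```python
"""Toy micro-segmentation policy engine, added here as an illustration;
it is not Unisys or CiOL code. Segment labels, ports and workload names
are constructed sample values."""
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    segment: str  # logical segment label, e.g. "web", "app", "db"


class SegmentedNetwork:
    """Default deny: a flow passes only if a (src_segment, dst_segment, port)
    rule explicitly permits it; there is no implicit intra-segment trust."""
    QUARANTINE = "quarantine"

    def __init__(self, rules):
        self.rules = set(rules)
        self.workloads = {}

    def add(self, w):
        self.workloads[w.name] = w

    def flow_allowed(self, src, dst, port):
        s, d = self.workloads[src], self.workloads[dst]
        return (s.segment, d.segment, port) in self.rules

    def blast_radius(self, src):
        """Workloads reachable from src on some permitted port: how far a
        compromise of src could move laterally under the current policy."""
        s = self.workloads[src]
        return sorted(w.name for w in self.workloads.values()
                      if w.name != src and any(r[0] == s.segment and r[1] == w.segment
                                               for r in self.rules))

    def isolate(self, name):
        """Dynamic isolation: relabel the workload so only the quarantine rule
        (here, syslog to the monitoring collector) still applies to it."""
        self.workloads[name].segment = self.QUARANTINE


def build_demo():
    net = SegmentedNetwork([("web", "app", 8080),             # web tier -> app tier only
                            ("app", "db", 5432),              # app tier -> database tier only
                            ("quarantine", "monitor", 514)])  # isolated hosts may still report
    for name, seg in [("web1", "web"), ("app1", "app"), ("db1", "db"),
                      ("db2", "db"), ("collector", "monitor")]:
        net.add(Workload(name, seg))
    return net
```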
Here are a few tips for organizations to keep in mind to ensure cybersecurity:
1. Make it easier for employees to be secure when connecting from home. That means less use of old-style VPNs that don’t scale and aren’t suited for COVID-era WFH security and more use of ZTB technology. This also includes always-on encrypted direct access, identity verification tools and a software-defined perimeter to limit the damage from malware getting in.
2. Don’t lose sight of the human side of both employees’ experience and security. Now, more than ever, it is important to stay connected to employees; both as a way to prioritize their well-being, and to make sure they understand the new rules that come with a WFH environment.
3. Utilize emerging technologies, including biometrics, to extend safety precautions in the age of work from home. With most people working away from the office, unauthorized access to one employee's laptop could mean access to the whole company. However, firms can equip their employees with additional security controls such as multi-factor authentication, or even biometric logins such as facial recognition or fingerprint scans. People are familiar with them due to smartphones.
4. Look beyond “winning” with security and focus on resilience and trust. As the level of sophistication of cyber threats continues to evolve, an organization is inevitably going to have to come face-to-face with an attack on its network. A proper focus on trust and resilience could be the difference between whether an organization recovers or not.
5. Be forward-facing: Prioritize and implement the adoption of next-generation cyber tools. The pandemic has presented an opportunity for organizations to expand their usage of advanced security automation capabilities, including utilizing artificial intelligence and machine learning, to improve their cyber posture. With the right training, implementation and technical support, AI and machine learning capabilities can be key to looking for discrepancies and seeing if there’s a problem, such as scanning for irregular behaviours or for malicious users who access documents or parts of the network unrelated to their job.
Is the 80-20 rule really effective as far as the technical definition goes?
It definitely is. Organisations must realise that they can mitigate 80% of their risks by investing in just 20% of the tech out there. The key parts to realise here are what those risks are, via a focused risk management program, and then investing in the right technologies, people and process controls to mitigate those risks. Without this methodical approach, an organisation will struggle to address its risks regardless of the spend.
Are activities such as Private browsing and VPN really secure?
They can be as long as they are deployed adequately and configured to address key security issues. Taking VPNs as an example, they will be a recipe for disaster if they are not patched against known vulnerabilities. In this case, it wouldn’t matter if there is a VPN. It will be vulnerable and a point of unauthorised entry.
What laws does an Indian have when it comes to an individual, group, or national cyberattacks?
Although India does not have a policy that is dedicated only to cybersecurity, the Information Technology Act 2000 (the IT Act) comes with the rules and regulations to deal with cybersecurity and the cybercrimes associated with it. The act provides legal recognition and protection for transactions through electronic data interchange and other means of electronic communication, and contains provisions that are aimed at safeguarding electronic data, information or records, and preventing unauthorised or unlawful use of a computer system. I am also positive of the fact that the government will roll out the National Cybersecurity Policy 2020 this year.
Please explain the importance of cyber resilience, cyber recovery and cyber insurance.
Cyberattacks are unavoidable in the current time. Organizations need to accept that and prepare themselves so that they can recover from these quickly without facing too much damage. This requires a cyber-resilient approach that not only helps in protection, but also covers identification of key assets, with the ability to detect, respond to, and recover from a breach so that the incident is a minor inconvenience and not a newsworthy event. Automated breach response mechanisms such as dynamic isolation are key here to improve response times and limit the damage; thus allowing quick recovery.
Cyber insurance is gaining importance among enterprises as cyber threats increase with every passing day. It effectively transfers your cybersecurity-related risk to an insurer in the case of the risk eventuating as a result of a cybersecurity incident. The incident can take many forms – from an attack by a hacker to an unintentional release of data by an employee. The specific events covered by the insurer will be in the insurance policy which must be carefully reviewed to ensure you have the right types of events covered.
How do we identify a fraud/crime/misleading activity before it happens to scam us?
This is interesting as it is looking into the area of predictive security. There are several approaches here that one should consider:
1. User education is key so that users can spot these before they fall victim to them.
2. Greater use of threat intelligence so that organisations can identify who is targeting them and how to protect themselves proactively. The key here is knowing what to do when you have this intelligence: ‘actionable intelligence’.
3. Greater use of AI and ML, particularly in the areas of user, network and machine behaviour analysis. This approach profiles what ‘normal’ behaviour is, and any deviations are quickly picked up to be investigated. It can help prevent attacks from doing extensive damage, but can be prone to false positives and does require careful tuning to increase accuracy.
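The behaviour-profiling approach in point 3, as an added illustration that is not Unisys or CiOL code: a per-user baseline is learned from a constructed access log, new events are scored by how far they deviate from it, and a tunable threshold shows the false-positive trade-off the answer mentions (the users, resources and log are all made up).

```python
"""Toy user-behaviour baseline, added here as an illustration; it is not
Unisys or CiOL code. The access log, users and resources are constructed."""
from collections import Counter, defaultdict

# constructed learning-period log: (user, resource) pairs
BASELINE_LOG = [
    ("alice", "payroll"), ("alice", "payroll"), ("alice", "hr-wiki"),
    ("alice", "payroll"), ("alice", "hr-wiki"), ("alice", "email"),
    ("bob", "git"), ("bob", "ci"), ("bob", "git"), ("bob", "git"), ("bob", "email"),
]


def build_profiles(log):
    """Per-user count of each resource: 'normal' is what the user usually touches."""
    profiles = defaultdict(Counter)
    for user, resource in log:
        profiles[user][resource] += 1
    return profiles


def anomaly_score(profiles, user, resource):
    """0.0 = every past access was to this resource; 1.0 = never seen for this
    user (an unknown user scores 1.0 as well)."""
    counts = profiles.get(user)
    if not counts:
        return 1.0
    return 1.0 - counts[resource] / sum(counts.values())


def flag_events(profiles, events, threshold):
    """Events scoring at or above the threshold are raised for investigation.
    Lowering the threshold catches more deviations but also promotes rare,
    legitimate access (alice's occasional 'email') to an alert: the false
    positives that make tuning necessary."""
    return [(u, r) for u, r in events if anomaly_score(profiles, u, r) >= threshold]
```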