CISOs face vendor delivery gaps despite rising IS budgets

As information security issues grow more complex, CISOs discuss the crucial measures that bring in effectiveness.

Banking Frontiers - News

Information security is among the top challenges that banks and financial service institutions face today. The challenge has become all the more critical as these enterprises speed ahead on their digital transformation journey. It is imperative that organizations ensure their risk exposure is adequately contained even as they enter digital ecosystems.

Information security today is highly specialized, as attacks are becoming precise and organization-wide, with impacts causing alarming damage, including disruption of operations, financial losses and reputational damage. It is therefore vital that organizations, especially banks and financial services institutions, have a comprehensive understanding of the threats, how they are evolving, and how to create an environment that withstands them.

Even as the threats loom large, security perspectives have become increasingly complex for those combating these threats in organizations: the CISOs, the CIOs and the CTOs. In one sense, this complexity by itself creates security weaknesses. Banking Frontiers interacted with senior CISOs of the financial sector with the idea of demystifying the perception and evolving a common understanding that can lead to more robust security. The discussions covered standards-related, vendor-related, technology-related, blockchain-related, security policy-related, innovation-related and cost-related issues, while the CISOs also expressed their personal opinions and issues in general.

STANDARDS-RELATED

Standards help create a convergence that aligns more resources and thereby drives faster maturity of solutions. They also help in the long run, as non-standard solutions run out of steam much faster. We began our study with this question.

Vivek Gupta, CISO at Allahabad Bank, touched on standards-related issues in depth. Responding to the query on what new protocols and standards (eg SAML, OpenID, OAuth, FIDO, etc) he sees as improving security in a substantial way, he said: “In the case of internal access to servers, as is the case for most banks, the use of open standards for authentication is very limited, where the same is carried out through an internet-enabled website. However, FIDO can be integrated internally, where a USB token is used, and some other standards can be set up on internal servers, and use of the same is expected to go up. Use of authenticator apps through mobile phones is on the rise, as they eliminate the need for OTP. The mobile phone of the user with any suitable authenticator app works as second factor authentication. Evolving standards and protocols such as Fast IDentity Online (FIDO) for strong authentication, the XML-based Security Assertion Markup Language (SAML), OpenID and OAuth2 for exchanging authentication and authorization data, leading to Single Sign On solutions, will avoid storing multiple credentials in multiple databases. If the single proof of identity or authorization is from a trusted and reliable source, it would improve security in a substantial manner.”

Asked about countries like Japan, Korea and now Singapore, which have mandated that organizations isolate their networks by separating internet and intranet traffic, he felt the approach of these countries is quite prudent and secure, as it provides enhanced security, through a clear air gap, not only for the employees but also for the organization. “The likelihood of a security incident is also minimized. However, with the use of modern technological solutions like NGFW, proxy, WAF, anti-APT, DLP, NBA, NAC etc in a strictly monitored and controlled manner, limited access to certain sites and corporate emails is possible. Actually, internet and emails are the main source of security risks, which if exploited cause multifarious compromise and damage. Different policies for various network zones, and based on the type of users, should be defined and implemented. Similarly, continuous monitoring and damage control capacities should be developed within the organization. In the absence of these, air gap, USB blocking etc are really for the betterment of the security status,” says he.

VENDOR ISSUES

The CISO and his/her team may be the masters, but this is one area where they have to depend on external experts to deliver. No bank expects its CISO to create all the required solutions internally. So vendor dependence is very high in this domain, and the resulting issues are those of delivery models, gaps between promise and delivery, handling the growing number of vendors, and so on.

Commenting on vendor-related issues, Nabankur Sen, CISO, Bandhan Bank, says managed security services (MSS), including VA/PT and AppSec, anti-phishing and brand monitoring, are the most desirable security services as compared to purchasing products and licenses. The biggest gaps between promise and delivery by prominent eSecurity vendors, he says, are closure of identified vulnerabilities, transparency in alert generation and reporting, and addressing false positives / false negatives.

Sen also says the biggest frustration with vendors of non-security products is that applications are not tested and made free of security bugs before delivery. He foresees the BFSI sector moving in the near future to a model with a smaller number of multi-solution eSecurity vendors.

RE-BRANDING PRODUCTS

Prateek Mishra, CISO, IDBI Federal Life Insurance Co, names automatic ticket creation and closure tools and Network Access Control (NAC) as the items he prefers as services rather than products. He is of the view that security vendors are not able to cope when volumes increase, and that they are re-branding the same products by putting AI/ML tags on them. He also sees reluctance on the part of vendors of non-security products to adhere strictly to security policies.

Mishra sees a model with an increasing number of specialist eSecurity vendors emerging for the BFSI sector in the near future.

Gupta of Allahabad Bank says MSS through a qualified, experienced and sufficient support team on a 24x7 basis, covering network, email, user and database security along with secure configuration, is more meaningful than procuring and installing security products alone. “Frequent VAPT and IS audit, supported with balanced and quick compliance of the same, is another important pillar of a strong security basis for an organization. Moreover, security services such as anti-phishing, anti-malware, website monitoring etc can be outsourced to professional vendors having world-wide tie-up arrangements for taking down fake sites, which are otherwise not cost effective when handled in-house,” says he.

TIME-SCHEDULE LACKING

As regards the biggest gaps between promise and delivery by prominent eSecurity vendors, he says the critical one is about adhering to a time schedule. “A delayed project offsets other projects and sometimes offsets initial advantages. Lack of ability to warn against new types of cyber attacks, and also lack of ability to handle any unseen / new type of cyber attack on the system, are also impediments. In addition, quality, experience, expert level training, attrition, attitude, integration with the organization, SLA implementation etc are serious concerns while taking the services of a security vendor,” says he.

Gupta maintains that non-security vendors do not have any provision for recovery of damage due to attacks, and provide only one option, that of restoring an old / previous backup. Coordination between engineers of various service providers, version control and testing, and compliance with security and information systems audits are big concerns for banks, he says, adding: “A major role is played by CBS, internet banking, mobile banking, CTS, SWIFT and help desk application vendors, and the scope for dissatisfaction, scope to set right the key issues on urgent basis go the same way”.

He too sees a smaller number of multi-solution eSecurity vendors as the ideal engagement model for the BFSI sector.

A CISO of a public sector bank, who does not wish to be named, felt security audit services, cyber security training, anti-phishing, anti-rogue, anti-trojan and managed security services are better availed as services rather than bought as a product/license.

PROMISE VS DELIVERY

He is of the view that the biggest gaps between promise and delivery by prominent eSecurity vendors pertain to understanding the requirements properly, compliance with the standards, and effective dashboards for proper visibility.

Non-involvement of IS requirements from the beginning of the project and non-deployment of enough skilled staff were, according to him, the biggest frustrations with vendors of non-security products. He also felt an increasing number of specialist eSecurity vendors is the preferred vendor engagement model for the BFSI sector.

SECURITY AUTOMATION

Speaking on emerging areas where security automation can make a big difference, Mishra of IDBI Federal Life Insurance says automatic ticket creation and closure is the key area. Says he: “Security devices are generating huge amounts of logs which get integrated with the SIEM. L1 analysts spend a major amount of their time identifying the anomalies and raising tickets for the same. The same is the case with threat hunting from historical logs. A solution is needed to automate the identification of such anomalies by correlating with historical data, and subsequently a ticket must be raised. Historical analysis is missing as of now.”
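What Mishra asks for, a baseline built from historical logs and a ticket raised only when today's behaviour departs from it, can be sketched in a few dozen lines. The Python below is an added example, not code from the article or from any vendor it mentions. It parses constructed SIEM-style event lines (the key=value line format, the user names, the dates and the counts are all invented for the example), computes each user's own per-day failed-login baseline, flags a day whose count exceeds max(floor, mean + 3 sigma), and opens one ticket per user and day, updating an existing ticket rather than duplicating it when the same anomaly is seen on the next run.

```python
import re
import statistics
from collections import defaultdict

# Constructed SIEM-style event lines; the key=value layout is an assumption,
# not any product's export format.
LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}Z "
    r"user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)


def _events(user, date, n, event="login_failed", src="10.0.0.5"):
    """Build n constructed event lines for one user on one day."""
    return [f"{date}T{8 + i:02d}:00:00Z user={user} event={event} src={src}"
            for i in range(n)]


HISTORY_DAYS = ["2024-03-01", "2024-03-02", "2024-03-03", "2024-03-04"]
TODAY = "2024-03-05"

SAMPLE_LOG = (
    [l for d, n in zip(HISTORY_DAYS, [1, 2, 1, 2]) for l in _events("alice", d, n)]
    + [l for d, n in zip(HISTORY_DAYS, [3, 3, 4, 3]) for l in _events("bob", d, n)]
    + _events("alice", TODAY, 15)                    # spike against ~1.5/day
    + _events("bob", TODAY, 4)                       # inside bob's normal range
    + _events("dave", TODAY, 7)                      # account never seen before
    + _events("alice", TODAY, 2, event="login_ok")   # successes are not counted
    + ["malformed line the parser must skip"]
)


def parse(lines):
    """Return one dict per well-formed line; silently drop the rest."""
    parsed = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            parsed.append(m.groupdict())
    return parsed


def find_anomalies(lines, today, sigma=3.0, floor=5, min_history_days=3):
    """Compare each user's failed-login count for `today` with that user's own
    history. Days with no failures count as zero, so an account first seen
    today is judged against an all-zero baseline; the floor stops a user whose
    history is all zeros from being ticketed for a single typo."""
    events = parse(lines)
    failures = defaultdict(lambda: defaultdict(int))        # user -> date -> count
    for e in events:
        if e["event"] == "login_failed":
            failures[e["user"]][e["date"]] += 1
    past_days = sorted({e["date"] for e in events if e["date"] < today})
    if len(past_days) < min_history_days:
        return []   # too little history to baseline; leave it to the analyst
    anomalies = []
    for user in sorted(failures):
        history = [failures[user].get(d, 0) for d in past_days]
        threshold = max(floor, statistics.mean(history) + sigma * statistics.pstdev(history))
        count = failures[user].get(today, 0)
        if count > threshold:
            anomalies.append({"user": user, "date": today, "count": count,
                              "baseline_mean": round(statistics.mean(history), 2),
                              "threshold": round(threshold, 2)})
    return anomalies


class TicketQueue:
    """Minimal stand-in for a ticketing system: one ticket per (user, date)."""

    def __init__(self):
        self.tickets = {}
        self._next_id = 1

    def raise_ticket(self, anomaly):
        key = (anomaly["user"], anomaly["date"])
        if key in self.tickets:                 # already open: refresh, don't duplicate
            self.tickets[key]["count"] = anomaly["count"]
            return None
        ticket_id = f"SEC-{self._next_id:04d}"
        self._next_id += 1
        self.tickets[key] = {"id": ticket_id, **anomaly}
        return ticket_id


def triage(lines, today, queue):
    """One scheduled run: detect, then open tickets only for anything new."""
    return [tid for tid in (queue.raise_ticket(a) for a in find_anomalies(lines, today)) if tid]


if __name__ == "__main__":
    q = TicketQueue()
    print(triage(SAMPLE_LOG, TODAY, q))   # ['SEC-0001', 'SEC-0002']
    print(triage(SAMPLE_LOG, TODAY, q))   # []  same anomalies, no duplicate tickets
    for t in q.tickets.values():
        print(t)
```

The per-user baseline is the part that matters: a global threshold would either bury alice's spike under bob's normal noise or ticket bob every day. The dedup key is what keeps an automated run from flooding the L1 queue with one ticket per execution.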

Deception, NAC and adherence to basic security hygiene, according to him, are among the most effective of the emerging security technologies.

Gupta of Allahabad Bank is of the view that complete security automation could be an ultimate goal to meet the ever-rising security and complex requirements and practices. “However, the task is not so easy and cannot be achieved in a shorter timeframe or with restricted efforts. It involves integration of complex solutions, configurations, intelligence sharing, auto updation, etc. Software solutions are available and are being used. Most of the banks are yet to plan in this direction,” says he.

CX/UX VS SECURITY

On the topic that customer/user experience is often in conflict with security, Gupta says it was traditionally believed that enhanced customer/user experience leads to a compromise on security. He pointed to the fact that in the recent past, a number of applications / Android-based mobile apps with appealing features have made their way to deliver various BFSI services to customers. “As a recent innovation, these apps are subjected to various security analyses and testing as well as user acceptance testing in a test environment, with involvement of the ultimate users, to achieve the twin objectives. BHIM UPI, banking sites, password managers, authenticator applications for second factor authentication, mega eCommerce portals like Amazon, Flipkart, Snapdeal etc, travel and ticket booking sites as well as mobile apps, have shown regular integration and updation of security and user experience enrichment,” says he.

He feels that for the banking sector, blockchain technology, the use of artificial intelligence and security orchestration would go a long way in delivering products and solutions pertaining to the security of financial assets.

The CISO of the public sector bank named automated security configuration, deception technology, etc as the emerging areas where security automation can make a big difference. Similarly, implementation of a PIM solution has improved the user experience without compromise on security.

According to him, the most effective among the recent and emerging security technologies is deception technology.

MULTI-CLOUD SCENARIO

How should companies fine-tune their security policies to account for a multi-cloud scenario, ie where the company will not have complete security control when using cloud applications like O365 cloud, Salesforce, Cornerstone, etc?

Sen of Bandhan Bank responds: “I would recommend that logs be shared by the cloud service providers with individual companies, to enable them to integrate these logs with their SIEM so that any untoward incident can be identified first hand and suitable alerts generated. This practice, if established, will go a long way in companies adopting cloud services more and more.”

Allahabad Bank's Gupta feels cloud computing can be explored with the use of strong public and private encryption mechanisms that keep data at rest, in motion and in process highly secure. Without this, cloud computing may not be secure, says he.

“Similarly, DLP, ISO certification, frequent security audits, compartmentalization of resources and support, strong localization of data etc in cloud computing would leverage proper use of the vast potential and comfort of installation, migration and usage, in addition to being very cost effective in the shorter run,” he adds.

Mishra says it cryptically: “Cloud Access Security Broker (CASB), which is on-premises or cloud-based software, must be appropriately implemented by assessing each cloud scenario.”

SOURCE OF INNOVATION

To a query on what has been the source of the most innovative ideas relating to eSecurity, both Mishra and Sen say it is web resources. The CISO from the public sector bank listed these sources as information security team members, other employees in the company, vendors, seminars and conferences, and web resources. Gupta too maintains that these are seminars and conferences and web resources.

COMMON SENSE MEASURES

Which, according to the CISOs, are common sense security measures that are still not being implemented in many BFSI organizations?

Gupta gives a detailed response: “Use of dual authentication in the internal environment without exceptions, use of remote access to sensitive servers from less secured and controlled environments, use of emails or USBs on privileged systems, common users set up in help desk / service support systems which run in shifts, various policy validations including domain and groups, management of secured configurations, usage made by super users (if PIM is not implemented), managing various vendors, version control, and weaker security of test systems / networks / data / users / backups etc are some of the measures which are very essential but are not implemented often by BFSI institutions.”

He lists suggestions for enhancing security that do not involve the use of any security-specific technology:

Use of a secure and closed network (air gap) within the organization

Awareness of users about the use of password-protected systems

Segregation of applications and their modules to the specified users only

Restriction of free usage of emails on every system inside the organization by each and every employee

Second factor authentication for systems and applications

Regular VAPT and security audits and quick compliance of the same

Properly managed security team and regular reviews of exceptions and processes

Excellent top level support for the security team

Sen says scrutinizing logs carefully, configuring alerts in the SIEM rather than leaving them at default, and implementing security policy strictly are the areas that BFSI organizations commonly neglect. He is of the view that periodic risk assessment, not allowing applications with security bugs into the production environment, rectification of vulnerabilities in a time-bound manner (or else penalizing those concerned), and periodic checks of firewall rules are some of the minimum measures needed to ensure security.
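Sen's periodic check of firewall rules is easy to state and rarely done by hand, because the failures are structural: an any/any allow, or a rule that can never match because an earlier rule already covers every packet it describes, the worst case being a deny placed below an allow that defeats it. The Python below is an added example, not code from the article or from any product it names. It audits a small constructed ruleset (the addresses, ports and rule IDs are invented) under first-match semantics and reports both kinds of problem. It is IPv4-only and takes one CIDR per field; a real export would first need a parser for the vendor's own rule format.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # "any", a single port "443", or a range "8000-8100"


# Constructed ruleset, evaluated top-down, first match wins (an assumption that
# holds for most firewalls but must be confirmed for the device in hand).
RULES = [
    Rule(1, "allow", "10.0.0.0/8",     "10.1.2.3/32", "tcp", "443"),
    Rule(2, "deny",  "any",            "10.1.2.3/32", "tcp", "22"),
    Rule(3, "allow", "10.0.0.0/8",     "10.1.2.0/24", "tcp", "443"),
    Rule(4, "allow", "10.0.1.0/24",    "10.1.2.3/32", "tcp", "443"),   # redundant with 1
    Rule(5, "allow", "any",            "any",         "any", "any"),   # the classic any/any
    Rule(6, "deny",  "192.168.0.0/16", "10.1.2.3/32", "tcp", "3389"),  # never reached: 5 allows first
]


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _ports(spec: str):
    if spec == "any":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet rule b matches is also matched by rule a."""
    a_lo, a_hi = _ports(a.port)
    b_lo, b_hi = _ports(b.port)
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.proto in ("any", b.proto)
            and a_lo <= b_lo and b_hi <= a_hi)


def overly_permissive(rules):
    """Allow rules open on every dimension: any source, destination, protocol and port."""
    return [r for r in rules
            if r.action == "allow" and r.src == "any" and r.dst == "any"
            and r.proto == "any" and r.port == "any"]


def shadowed(rules):
    """(shadowed_id, by_id, action_conflict) for every rule an earlier rule fully
    covers. action_conflict=True is the dangerous case: a deny defeated by an
    allow above it; False is merely dead weight in the ruleset."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                findings.append((later.rid, earlier.rid, earlier.action != later.action))
                break   # report the first, i.e. the effective, covering rule only
    return findings


def audit(rules):
    """Human-readable findings: the list a periodic rule review should produce."""
    lines = [f"rule {r.rid}: allow any->any on all protocols and ports"
             for r in overly_permissive(rules)]
    for sid, by, conflict in shadowed(rules):
        kind = "DEFEATED by" if conflict else "redundant with"
        lines.append(f"rule {sid}: {kind} rule {by}")
    return lines


if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

Full coverage by a single earlier rule is the simple case; a rule can also be made unreachable by the union of several earlier rules, which this check does not attempt. For a review that runs on a schedule, the useful output is the diff of these findings against the previous run, not the full list.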

For Mishra, the measures that are routinely forgotten are automated inventory management (of CCTVs, desktops, printers, servers etc), thorough user access management (covering access given to employees along with that given to vendors), secure configuration and patch management across all systems, metrics on the effectiveness of individual security controls, and proper API inventory and API assessments.

He suggests innovative ways to impart user awareness and creating security metrics for board perusal as the 2 measures that can enhance security without the use of technology.

PERSONAL VIEWS

With Bitcoin and its likes in the news every day, one question that many people think about is whether it will empower criminals more than honest citizens. All the 4 CISOs here unanimously agreed with this sentiment. So policy makers and decision makers should definitely factor this into their future plans.

Another issue of public concern and debate is the race between social engineering being used for cheating and crime, and technology being used to counter it. The CISOs representing the PSU banks believe that technology will overcome the challenges of social engineering, while the other two CISOs believe otherwise.

One factor that affects the performance of CISOs is whether managing their team is becoming a more complex task, or whether the complexity is declining. 3 out of our 4 CISOs say that team management complexity has increased. The dissenter is the CISO of a PSU bank.

The final question we considered, which is on everyone's mind, is which is the greater eSecurity threat: an insider within the organization or some predator beyond national boundaries. Mishra believes that the internal employee is the greater threat, while our other 3 CISOs fear the external forces outside the country.

Vivek Gupta feels complete security automation could be an ultimate goal to meet the ever-rising security and complex requirements and practices in the BFSI sector

Nabankur Sen foresees that the BFSI sector would move to a model where there would be a smaller number of multi-solution eSecurity vendors

Prateek Mishra advocates implementation of CASB by assessing each cloud scenario in order to ensure security in a multi-cloud scenario
