Customize threat hunting and security to suit your organization’s needs, says Ramesh Krishnamurthy, Chief Operating Officer, Indium Software.
Ramesh has over 25 years of experience in the IT industry in both entrepreneurial and senior management roles. In the past two decades, he spearheaded the Quality Assurance business and was responsible for growing it multi-fold.
In his current role, he is responsible for global operations that include Talent Supply Management, HR, Global Infrastructure, Profitability, Delivery Process and Information Security. Since joining Indium in 2009, he has played the roles of CTO, Head of Infrastructure and Head of Information Security.
This article is published as part of our CIO/CISO Knowledge Series, Powered by Sophos.
In this era of digital transformation, can you share the top three security threats businesses face today?
The three concerns facing businesses today are:
- End-Point Security: If working remotely is the new norm, then End-Point Security is the key concern every business has. We not only work remotely but also use different ISPs and WiFi connections. Businesses have to ensure every end-point is well secured, controlled and monitored for any vulnerabilities. Creating network perimeter security is the top priority for CIOs. Providing secured VPNs while still managing the end-point bandwidth requirements are some of the challenges.
- Insider Threats: Most of today’s vulnerability exploitations are due to poor awareness of what one should ‘Do’ or ‘Must Not Do’. Security protocols should be a top recall for everyone. A Continuous Security Awareness program is a must across any company. For example, most Phishing attacks are exploited due to a lack of awareness.
- Mobile Attacks: Most of the business is today conducted over m While many businesses allow BYOD, what applications are allowed to be accessed and which ones are to be blocked is a task. Unless mobile devices are secured against malware, cyber attackers will gain access to the device and penetrate the back-end systems.
Kindly share the best practices in threat hunting to proactively protect data.
Enterprise data is not only distributed across functions but is also accessed by various third-party applications outside an enterprise. All these have raised great concern about how data is protected over an enterprise application landscape. As a result, several countries have come up with standards such as GDPR, OneTrust, FedRAMP etc. on how PII is protected.
Security is not a reactive but a pro-active function. How one builds the best security defense system scores over others. Get people who are experts and certified to do the job. Build the right set of processes to take care of a pro-active approach rather than a reactive one. Without tools, the best security experts will be helpless. Monitoring tools for Event Management, tools to monitor the output of these tools etc. are key for knowing what is happening every moment.
The bottom line is that the threat hunting model must be company-specific. If a business does not fall under a particular category of threat, there is no point in pursuing that threat.
As a company providing end-to-end consultancy, development and testing solutions, what are some of the best practices in integrating security into the DevOps process?
The DevSecOps process should be addressed stage-wise as briefly addressed below, which is also advocated by the OWASP DevSecOps Maturity Model:
- Culture: This is the core of implementation. If DevSecOps is not developed as a culture, it may not be sustainable. Have a Security Champion in every team and run regular awareness and training sessions. Have contests to build, break and fix the system.
- Build & Deployment: Build, Deployment & Patch Management through a complete CI/CD process.
- Information Gathering & Infrastructure: Bring in the best practices in Monitoring & Logging such as Defence Metrics, metrics that you would combine with tests, centralized application logging, correlating the logs with any security events etc. Infrastructure hardening that you can bring in as part of your DevSecOps model will save time, help in monitoring and control.
- Test & Validation: Prioritize on known vulnerabilities such as in middleware components, what to test and what not to test, deactivating unnecessary The key thing is to integrate vulnerability issues into the development process.
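The "Information Gathering & Infrastructure" point above asks for centralized application logging and for correlating those logs with security events. The following is an added example, not code from the interview or from Indium Software, of what such a correlation looks like in practice: log lines from two sources (a VPN gateway and a web application) are read from one central store, and an alert is raised only when a pattern spans both sources. The log format, hostnames, addresses, user names, paths and thresholds are all constructed for illustration.

```python
"""
Added example (not from the interview or Indium Software): correlate
centralized logs from two sources and raise an alert only when a
security-relevant pattern spans both of them. Every value below is
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines as they might arrive in a central log store:
# a VPN gateway ("auth" events) and a web application ("http" events).
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z vpn-gw1 auth user=alice src=203.0.113.5 result=FAIL
2024-05-01T08:00:03Z vpn-gw1 auth user=alice src=203.0.113.5 result=FAIL
2024-05-01T08:00:05Z vpn-gw1 auth user=alice src=203.0.113.5 result=FAIL
2024-05-01T08:00:07Z vpn-gw1 auth user=alice src=203.0.113.5 result=FAIL
2024-05-01T08:00:09Z vpn-gw1 auth user=alice src=203.0.113.5 result=FAIL
2024-05-01T08:00:12Z vpn-gw1 auth user=alice src=203.0.113.5 result=OK
2024-05-01T08:01:30Z app-01 http user=alice src=203.0.113.5 path=/admin/export status=200
2024-05-01T09:15:00Z vpn-gw1 auth user=bob src=198.51.100.7 result=FAIL
2024-05-01T09:20:00Z vpn-gw1 auth user=bob src=198.51.100.7 result=OK
2024-05-01T09:21:00Z app-01 http user=bob src=198.51.100.7 path=/home status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one log line into a dict; key=value pairs become fields."""
    m = LINE_RE.match(line)
    if not m:
        return None  # lines that do not fit the constructed format are skipped
    event = {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "kind": m["kind"],
    }
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def correlate(text, fail_threshold=5, window=timedelta(minutes=5)):
    """
    Flag a user when, inside `window`, at least `fail_threshold` failed VPN
    logins are followed by a successful one AND then by a request to an
    administrative application path. Each source on its own is noise; the
    combination across sources is the event worth raising.
    """
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # central stores rarely deliver in order
    fails = defaultdict(list)  # user -> timestamps of recent auth failures
    suspect_logins = {}        # user -> time of a success that followed many failures
    alerts = []
    for e in events:
        user = e.get("user")
        if e["kind"] == "auth":
            if e.get("result") == "FAIL":
                fails[user].append(e["ts"])
                # keep only failures that are still inside the window
                fails[user] = [t for t in fails[user] if e["ts"] - t <= window]
            elif e.get("result") == "OK":
                if len(fails[user]) >= fail_threshold:
                    suspect_logins[user] = e["ts"]
                fails[user] = []
        elif e["kind"] == "http" and user in suspect_logins:
            recent = e["ts"] - suspect_logins[user] <= window
            if recent and e.get("path", "").startswith("/admin"):
                alerts.append({
                    "user": user,
                    "src": e.get("src"),
                    "path": e["path"],
                    "reason": f">={fail_threshold} VPN auth failures, then success, "
                              f"then admin access within {window}",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

In the sample, alice triggers the alert and bob (one failure, then a normal page) does not. The point the design makes is that the threshold and the window are the tunable, organization-specific parts: the same code with a different `fail_threshold` or a different set of sensitive paths is what "customize, don't generalize" means for a detection rule.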
How can digital transformation technologies such as analytics and AI/ML help with threat hunting and crisis preparedness?
A very good question. Today it is not the job of just anti-virus/anti-malware companies to look for new threats. Threats are everyone’s responsibility. We cannot blame a tool today for whether it responded well or not to a potential threat. While several security tools such as SIEM provide information, how that information is consumed and used as a defense mechanism depends on how robustly our systems are built. It is not humanly possible to track any trends or capture a pattern. AI/ML is the way forward to build a defense mechanism that works for you. Have this customized and don’t generalize. Anything that is generic is already vulnerable!
AI/ML has helped in several predictive models that can be used to predict a threat. For example, if we are aware of a security event, the AI/ML model can help to predict whether such an event will affect our systems as well. It may also help to suggest areas of vulnerability.
What can be some of the bottlenecks to security in organizations? What can be some of the impacts of this?
Budget can be one of the constraints, though security should not be compromised at any cost. That said, there are a plethora of security tools and some of them are quite expensive. How to go about budgeting for these tools is a challenge. Not having the right security defense may compromise the enterprise data.
Many times the security response is to quickly fix the vulnerability and move on, without any proper remediation for a long-term solution. If an employee is using an older version of the software, it may be vulnerable to attacks. Instead of providing a patch for a particular device or laptop, patch management must be enforced and controlled by back-end systems. Creating awareness is the first step, but tools go a long way to help Security Governance.
How can you ensure scalability and future-proofing of the security and therefore the digital initiatives of your customers?
With the large adoption of cloud and especially hybrid-cloud, the scalability of business has gone tangential. Security has been the top concern of CIOs as far as the cloud is concerned. Cloud provides the infrastructure and tools where you can host and operate your applications. Ensuring the security of the cloud infrastructure and tools is basic. Large providers such as AWS, Azure, GCP do provide a security system. However, vulnerabilities may be exploited when dealing with the hybrid cloud.
Threat modeling is critical as every enterprise is unique and hence the threats associated with the software and the eco-system will be different. Based on the identified threats, we build the mitigations as part of the development process.
We recommend a shift-left approach for security, i.e. bring in security as early in the development life cycle as possible. DevOps has enabled this to a great extent. As a result, DevSecOps has gained wide acceptance and adoption. With DevOps, security tools are instrumented into the pipeline and triggered at the right time. Imagine otherwise running code review tools every time new code is checked in!
Again, there are several security scanners, and adding all of them into the DevOps pipeline may not really give you a more robust system! Adding the right set of scanners based on the Threat Model will give the right results. Else you may be spending more time evaluating the false positives!
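The last two answers describe a pipeline in which scanners are chosen by the threat model and false positives are kept from eating reviewers' time. The following is an added example, not the interviewee's or Indium's code, of the gate step that sits between the scanners and the build result: normalized findings are checked against a policy that lists only the threat-model categories that should block, and reviewed false positives are suppressed by fingerprint with a named reviewer and an expiry date. The findings, categories, policy bars and suppression entries are constructed; real scanners emit their own formats (for example SARIF), so the loader would be adapted per tool.

```python
"""
Added example (not the interviewee's or Indium's code): a pipeline gate
that applies a threat-model-driven policy to normalized scanner findings
and honours time-limited, reviewed suppressions. All values are constructed.
"""
import json
from datetime import date

# Constructed: findings as a pipeline step might normalize them from several scanners.
FINDINGS_JSON = json.dumps([
    {"id": "sast-001", "tool": "sast", "severity": "high", "category": "injection",
     "location": "app/db.py:42", "fingerprint": "f1"},
    {"id": "dep-017", "tool": "dependency", "severity": "critical",
     "category": "vulnerable-component", "location": "requirements.txt", "fingerprint": "f2"},
    {"id": "sast-002", "tool": "sast", "severity": "medium", "category": "crypto",
     "location": "app/legacy.py:10", "fingerprint": "f3"},
    {"id": "iac-003", "tool": "iac", "severity": "low", "category": "logging",
     "location": "infra/main.tf:7", "fingerprint": "f4"},
])

# Constructed threat-model-driven policy: only categories the model identified
# as relevant block the build, each with its own severity bar. Findings in
# unlisted categories are reported but do not fail the pipeline.
POLICY = {
    "injection": "medium",
    "vulnerable-component": "high",
    "crypto": "high",
}

# Constructed suppressions for reviewed false positives: matched by fingerprint,
# with a reviewer and an expiry so they are revisited rather than forgotten.
SUPPRESSIONS = [
    {"fingerprint": "f1", "reason": "parameterized query; scanner pattern mismatch",
     "reviewer": "security-champion", "expires": "2030-01-01"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def active_suppressions(suppressions, today):
    """Fingerprints whose suppression has not expired (ISO dates compare as strings)."""
    return {s["fingerprint"] for s in suppressions if s["expires"] > today}


def evaluate(findings_json, policy, suppressions, today=None):
    """Split findings into (blocking, reported, suppressed) for a pipeline step."""
    today = today or date.today().isoformat()
    suppressed_fps = active_suppressions(suppressions, today)
    blocking, reported, suppressed = [], [], []
    for finding in json.loads(findings_json):
        if finding["fingerprint"] in suppressed_fps:
            suppressed.append(finding)
            continue
        bar = policy.get(finding["category"])
        if bar is not None and SEVERITY_RANK[finding["severity"]] >= SEVERITY_RANK[bar]:
            blocking.append(finding)
        else:
            reported.append(finding)
    return blocking, reported, suppressed


def gate(findings_json, policy=POLICY, suppressions=SUPPRESSIONS, today=None):
    """Exit-code style result a CI step would use: 0 = pass, 1 = fail."""
    blocking, _, _ = evaluate(findings_json, policy, suppressions, today)
    return 1 if blocking else 0


if __name__ == "__main__":
    run_date = "2024-05-01"  # constructed run date so the output is reproducible
    groups = evaluate(FINDINGS_JSON, POLICY, SUPPRESSIONS, today=run_date)
    for label, items in zip(("BLOCKING", "REPORTED", "SUPPRESSED"), groups):
        for f in items:
            print(f"{label}: {f['id']} {f['severity']} {f['category']} {f['location']}")
    raise SystemExit(gate(FINDINGS_JSON, today=run_date))
```

Two design choices carry the answer's point. First, the policy is keyed by category rather than by tool, so adding a scanner that covers a category the threat model does not care about changes nothing about which builds fail. Second, a suppression is an explicit, expiring record rather than a deleted finding: when it lapses (try `today="2031-01-01"`), the finding blocks again and someone has to look at it.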