Deepa Kuppuswamy has over 20 years of experience in the software industry and currently spearheads the security team at ManageEngine and Zoho. She led the engineering initiatives for several IT management products in Zoho Corp for a decade and has been working in the information security domain for the past eight years.
In her current role, she is responsible for designing and managing technical security and ensuring privacy measures within the organisation. Through her tenure, she has led the transformation of information security functions in various areas with specific expertise in cloud security, application security, security engineering and architecture, risk management and data privacy. Evangelizing security and building a strong security culture within Zoho Corp has been the motto of her team.
She shares some of the trends and best practices to make enterprises secure and future-proof their digital transformation initiatives with security as an integral part.
This article is published as part of our CIO/CISO Knowledge Series, Powered by Sophos.
In this era of digital transformation, can you share the top three security threats businesses face today?
We have seen an increased acceleration of digitization since the pandemic. This is not just the new age of digital-first businesses but also traditional industries that have invested heavily in digital infrastructure to remain competitive and relevant in this context. We have seen years' worth of digital transformation projects getting implemented in the last couple of years.
When your information ecosystem grows more complex, there are more connected systems and your data is sprawled across systems, and your security threats also emerge. The job of keeping information secure is going to be a difficult challenge, which needs to be addressed as part of the business's digital transformation journey.
The three top areas of security would be:
Cloud Security: Every organization has adopted cloud computing in various degrees within their business. During the pandemic, in fact, the cloud has been a savior in ensuring business continuity. But questions about how safe it is also keep being asked. It is an important concern. Organizations moving to the cloud must be aware of the relationship and the shared responsibility they have with the cloud providers. Businesses may misunderstand it, but they cannot outsource the risks when they move to the cloud. The cloud provider is responsible for securing the cloud, but the business has to determine who has access to the cloud, how they access the cloud, the protection of the data in the cloud, etc. Shared responsibility in the security context is very important when moving to the cloud environment. We hear of a lot of breaches on the cloud due to misconfigurations.
Remote Workforce Security: Initiated by the pandemic, there has been a global change in how and from where employees access business data. Initially, remote working seemed to be a very temporary measure but looks to be more permanent and the future may move to a hybrid workforce model. Organizational users are outside the perimeter accessing data from any location. We cannot depend on the traditional, perimeter-based security which has been the foundation control all these years. So businesses need to think of a strategic change in their enterprise security architecture. When you have a decentralized workforce, there are going to be more potential avenues for attack. You will also have cases of remote workers accessing data from personal devices. So there needs to be a strategy for a decentralized workforce.
Supply Chain Security: In the security community, we say that you are as strong as the weakest link. This refers to the security posture of your supply chain. Business data is going to flow across multiple third-party vendors, most of whom work with subcontractors. Breaches due to the supply chain are increasing in number. So businesses must have a view of their third-party suppliers, which is absolutely essential for running the business, as any breach can cause a threat to confidentiality and integrity. Any business must monitor the risk posture of these suppliers continuously.
Kindly share the best practices in threat hunting to proactively protect data.
Threat hunting is a proactive strategy. You look for signs of any security attacks to prevent them before any damage is done. It involves thinking like an attacker and spotting your weak points. Observe any abnormal activity that does not match your normal environment. The best practices would be:
Understand and baseline your environment. You should know what is normal in your environment so that you can detect any differences and anomalies. Some basic things include having a comprehensive CMDB (Configuration Management Database), which will define all your access and all your data sources, to understand your attack source.
Have proper log data. There is centralized log management which will collect logs from across your assets like end-points, servers, cloud and on-premise systems.
Have an automated security alerting system, called a SIEM (Security Incident Event Management) or EDR system.
Finally comes your threat intelligence. We do have a lot of IOCs (Indicators of Compromise) which you can get from other third-party feeds. You build a network of peers and share those IOCs so that it can be a collective effort in having a proper threat intelligence feed.
You see a lot of ransomware attacks these days that are discussed on the dark web. So businesses must keep track of the dark web proactively to find out if the brand or business is mentioned there as part of threat hunting.
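To make the threat intelligence step above concrete, here is an added example (not code from the interview or from Zoho) of the simplest hunting query: matching centralized log records against a feed of Indicators of Compromise. The IOC feed, the key=value log lines, hostnames and addresses are all constructed for the example; the IP ranges are documentation ranges and the hash is just the SHA-256 of the string "test", standing in for a malware hash.

```python
import ipaddress

# Constructed IOC feed in the shape a third-party or peer-shared feed might
# have: exact IPs, CIDR ranges, domains and file hashes.
IOC_FEED = {
    "ip": {"198.51.100.23", "203.0.113.77"},
    "cidr": ["192.0.2.0/24"],
    "domain": {"update-check.example.net"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# Constructed log lines (firewall, EDR process event, DNS), all hypothetical.
LOG_LINES = [
    "ts=2024-03-01T09:12:03Z src=10.0.4.15 dst=198.51.100.23 dport=443 action=allow host=ws-17",
    "ts=2024-03-01T09:12:09Z src=10.0.4.15 dst=93.184.216.34 dport=443 action=allow host=ws-17",
    "ts=2024-03-01T09:13:41Z src=10.0.4.22 dst=192.0.2.200 dport=8443 action=allow host=ws-21",
    "ts=2024-03-01T09:15:00Z host=ws-17 proc=svchost.exe "
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "ts=2024-03-01T09:16:30Z host=ws-17 query=update-check.example.net. qtype=A",
    "ts=2024-03-01T09:17:02Z host=ws-30 query=www.example.com qtype=A",
]


def parse_kv(line):
    """Split a space-separated key=value log line into a dict."""
    rec = {}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
    return rec


def match_iocs(rec, feed):
    """Return (ioc_type, ioc_value) pairs that this record matches."""
    hits = []
    for field in ("dst", "src"):
        ip = rec.get(field)
        if not ip:
            continue
        if ip in feed["ip"]:
            hits.append(("ip", ip))
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an IP literal; skip rather than crash the hunt
        for net in feed["cidr"]:
            if addr in ipaddress.ip_network(net):
                hits.append(("cidr", net))
    query = rec.get("query")
    if query:
        name = query.lower().rstrip(".")  # DNS logs often carry a trailing dot
        for bad in feed["domain"]:
            if name == bad or name.endswith("." + bad):
                hits.append(("domain", bad))
    digest = rec.get("sha256")
    if digest and digest.lower() in feed["sha256"]:
        hits.append(("sha256", digest.lower()))
    return hits


def hunt(lines, feed):
    """Run every log line against the feed and collect findings."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        for kind, value in match_iocs(rec, feed):
            findings.append({"ts": rec.get("ts"), "host": rec.get("host"),
                             "ioc_type": kind, "ioc": value})
    return findings


def hosts_by_hit_count(findings):
    """Hosts with the most distinct IOC hits first: where to start triage."""
    counts = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    results = hunt(LOG_LINES, IOC_FEED)
    for f in results:
        print(f)
    print(hosts_by_hit_count(results))
```

Normalising case and trailing dots before comparing is what keeps a feed useful: the EDR line carries the hash in upper case and the DNS line a fully qualified name, and both still match. Ranking hosts by the number of independent indicator types they hit (here ws-17 matches an IP, a hash and a domain) is a cheap way to separate a likely compromise from a single noisy indicator.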
What are some of the best practices in integrating security in the software development lifecycle?
DevSecOps, which is also called Shift Left, incorporates and enforces meaningful security controls in the various phases of your software development life cycle without slowing down your development velocity. The advantage of having this approach is that this will save a lot of time, money and provide better risk reduction. This brings up the concept of security by design, or security by default, which should be the base principle of your development life cycle. Security is not an afterthought you add to your product. It also reinforces the fact that every person in the product development is responsible for the security and not just a centralized security team.
Some of the best practices would be to start early, during the requirement and design phase, whenever the product roadmap is being defined. Get the privacy and security requirements, get the risk assessment done right at that stage so that you can identify the threats you will need to address as part of the product. You can also start planning to mitigate them right at that stage at a lower cost rather than waiting till the end. Also choosing the right tools for DevSecOps matters.
From the requirements and design phase, we move to the implementation or the coding phase, where the developers or engineers get involved and start building the product. You have to make sure that all the code analysis tools are embedded within the default development environment that the developer uses every day so that there is minimum friction. The developer gets in, uses his default tool, and he also gets to know what the security violations are and how to fix them. Choosing those tools is very important, and they must give the results in minutes rather than after hours of scanning. It should also be in the developer context, speak the language of the developer, giving meaningful information on how to fix the issue.
Even when the product gets into production, there should be design feedback loops. Have some instrumentation to catch security errors in real-time so that developers can fix them and the design can be improved.
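The "results in minutes, in the developer's language" requirement above is what an AST-based static check gives you, as opposed to a full scan. The following is an added example, not code from the interview or from Zoho: a small rule set over Python's own `ast` module that flags three classic injection sinks and says how to fix each one, with the file and line number, so it can run as a pre-commit hook or editor lint. The source it scans is a constructed snippet; the rule IDs are made up for the example.

```python
import ast

# Constructed snippet to scan (hypothetical code, not from any real project).
SAMPLE_SOURCE = '''\
import subprocess, yaml

def run(cmd):
    return subprocess.run(cmd, shell=True)

def load(text):
    return yaml.load(text)

def calc(expr):
    return eval(expr)

def safe(cmd):
    return subprocess.run(["ls", "-l", cmd])
'''

SUBPROCESS_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
                    "subprocess.check_output", "subprocess.check_call"}


def _call_name(node):
    """Dotted name of a Call target: 'eval', 'subprocess.run', 'yaml.load'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None  # e.g. a call on a call result; not handled by these rules


def _keyword(node, name):
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None


def scan_source(source):
    """Return (line, rule_id, developer-facing message) for each finding."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in ("eval", "exec"):
            findings.append((node.lineno, "INJ-EVAL",
                             f"{name}() on input you do not fully control is code "
                             "injection; parse it instead (ast.literal_eval for literals)."))
        elif name in SUBPROCESS_CALLS:
            shell = _keyword(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                findings.append((node.lineno, "INJ-SHELL",
                                 "shell=True lets metacharacters in the argument start "
                                 "extra commands; pass an argv list and drop shell=True."))
        elif name == "yaml.load" and _keyword(node, "Loader") is None:
            findings.append((node.lineno, "INJ-YAML",
                             "yaml.load without a Loader can instantiate arbitrary "
                             "objects from the document; use yaml.safe_load."))
    return sorted(findings)


def format_findings(findings, filename):
    """Editor-style 'file:line: RULE message' lines the developer can click."""
    return [f"{filename}:{line}: {rule} {msg}" for line, rule, msg in findings]


if __name__ == "__main__":
    for out in format_findings(scan_source(SAMPLE_SOURCE), "app.py"):
        print(out)
```

The last function in the sample, which passes an argv list without shell=True, is deliberately not flagged: a rule that cannot tell the safe form from the unsafe one trains developers to ignore it. Parsing to an AST rather than grepping is what makes that distinction possible, and it runs in well under a second per file, which is the budget an in-editor check has.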
How can digital transformation technologies such as analytics and AI/ML help with threat hunting and crisis preparedness?
AI/ML plays a critical role in threat hunting through anomaly detection and UEBA (User Entity Behavior Analysis). Simply put, identities are easy to fake. Nowadays there are lots of password leaks. But while it may be easy to leak an individual's identity, not so their actions and behavior. This is what we call Indicators of Behavior. These play an important role in mitigating threats. Depending upon the goals, the actions that a person performs for his or her job profile are the expected behavior. The modern-day ML algorithms come with an option for unsupervised learning because, for security, there are going to be several abnormal behaviors. Every hacker can bring in his own way of trying to attack the systems. Unsupervised learning helps to direct and model the normal behavior of the users and alert whenever there is any deviation. For example, a user changes his location for a single day, or a user uploads or downloads large amounts of data; all such unusual behaviors can be automatically detected and alerted.
The other area where AI/ML is being used is in malware detection at the endpoints. The traditional anti-virus used signature-based detection. We are moving to the next stage of behavioral analytics there also with EDR, Extended Detection Response.
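The two behaviors named above (a one-day location change, an unusually large transfer) and the "baseline your environment" practice from the threat-hunting answer both come down to the same mechanism: learn each user's normal from history with no labels, then score today's activity against it. The following is an added example, not code from the interview or from Zoho, and it uses a plain statistical baseline (known countries, mean and standard deviation of daily volume) rather than a trained model; the thirty days of per-user activity are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed 30-day history of daily activity per user (sample data, not
# real telemetry). alice always works from IN; bob works from IN but spends
# every seventh day in SG. Volumes vary a little day to day.
HISTORY = []
for day in range(30):
    HISTORY.append({"user": "alice", "day": day, "country": "IN",
                    "bytes_out": 180_000_000 + (day % 5) * 4_000_000})
    HISTORY.append({"user": "bob", "day": day,
                    "country": "IN" if day % 7 else "SG",
                    "bytes_out": 40_000_000 + (day % 3) * 2_000_000})

# Constructed activity for the day being scored.
TODAY = [
    {"user": "alice", "day": 30, "country": "RO", "bytes_out": 182_000_000},  # new country, normal volume
    {"user": "bob", "day": 30, "country": "SG", "bytes_out": 900_000_000},    # known country, huge transfer
    {"user": "bob", "day": 30, "country": "IN", "bytes_out": 41_000_000},     # normal on both counts
]


def build_baseline(history):
    """Per-user profile learned from history alone (no labels involved)."""
    by_user = defaultdict(list)
    for ev in history:
        by_user[ev["user"]].append(ev)
    baseline = {}
    for user, events in by_user.items():
        volumes = [e["bytes_out"] for e in events]
        baseline[user] = {
            "countries": {e["country"] for e in events},
            "mean": statistics.fmean(volumes),
            "stdev": statistics.pstdev(volumes),
        }
    return baseline


def score_event(ev, baseline, z_threshold=3.0):
    """Return the list of reasons this event deviates from the user's normal."""
    profile = baseline.get(ev["user"])
    if profile is None:
        return ["unknown_user"]  # no history at all is itself worth a look
    reasons = []
    if ev["country"] not in profile["countries"]:
        reasons.append("new_location")
    # A user whose history is perfectly constant would have stdev 0; floor it
    # so a tiny change is not reported as an infinite deviation.
    stdev = profile["stdev"] or max(profile["mean"] * 0.1, 1.0)
    z = (ev["bytes_out"] - profile["mean"]) / stdev
    if z > z_threshold:
        reasons.append(f"volume_z={z:.1f}")
    return reasons


def detect(events, baseline):
    """Events with at least one deviation, as (user, reasons) alerts."""
    alerts = []
    for ev in events:
        reasons = score_event(ev, baseline)
        if reasons:
            alerts.append((ev["user"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(TODAY, build_baseline(HISTORY)):
        print(alert)
```

Run as written, alice is reported for the new location only (her volume is within normal range) and bob for volume only (SG is in his history), while bob's second event is silent. The threshold and the 30-day window are the tuning knobs: too short a window and a legitimate travelling user never builds a stable "normal", too long and a slow-burn exfiltration gets absorbed into the baseline.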
What can be some of the bottlenecks to security in organizations? What can be some of the impacts of this?
Rather than technology, the bottleneck we see is in building a sustainable security culture within an organization. The business and development teams are more worried about delivering functionality at a high velocity. In the past, security was seen as a gatekeeper. They were considered a roadblock that would cause a delay in innovation. An imaginary line has separated cybersecurity from the business, without producing the required results. This is something every organization must address. You must have information security aligned with your business objectives without slowing down your business process. But security can really survive and thrive only if it is embedded in your fast-paced business process cycle. Businesses will evolve, and the security solutions and tools which are going to protect your business should also evolve as an integral part of this journey. This thought process should pervade the organization. It is not the responsibility of the security team alone, and the more people understand it, the better protected the organization would be.
How can you ensure scalability and future-proofing of the security and therefore the digital initiatives of your customers?
Security is not a sprint but a marathon where you have to keep improving. Nobody predicted this 100% remote working. We are used to working remotely but this pandemic changed everything and we had to go for remote working. So obviously there will be a change in technology and, naturally, your security initiatives should change alongside. The first key thing is to have a sustainable security culture, have security as a part of the DNA of your organization, and it has to be embedded in every business unit. Engineering, marketing, finance, HR, every team should have a security champion to advocate security within that business unit.
For scalability, automation and AI/ML are going to help as the organization grows in size and your business expands.
Though the cloud does raise security concerns, rather than investing in on-prem infrastructure, businesses are going to have a major advantage by moving to the cloud for business operations because it can provide them better security. Cloud providers invest a lot in resources and technology compared to what an individual business does for its on-premise infrastructure. So migrating to the cloud can surely unburden the IT and security teams to a degree, letting them focus on their own data security initiatives.