Posted by pritha on January 12, 2023 at 6:03pm in Blog
Kid’s Cyber-safety Task Force is a part of the CISO Platform community initiative to help build a safer world for the younger generation. This session is aimed at bringing awareness regarding cyber safety among kids. CISO Platform community member Kiran Belsekar conducted a “Cyber Security Awareness Session” for Vibgyor School on 19 November, 2022 on behalf of CISO Platform. Around 50+ students were part of this session. Apart from this, teachers, school authorities and parents were also part of this session.
About Speaker
Kiran Belsekar, Senior Vice President, CISO & IT Governance at Aegon Life. A leader who brings insight from both technical and business perspectives in Information Technology, Cybersecurity, Fintech & Insuretech. He has more than 20 years of experience in IT (technical) and IT Management & business knowledge in various industries. Kiran is recognised for his work in Technology & Cybersecurity by prestigious institutions such as DSCI, CSO Forum, ISACA, IT NEXT, 9dot9, IDC, IDG & Core Media etc.
Key Pointers
Mobile phone security
Do’s and don’ts in social media
Effective Password Policy
Privacy Setting
Tips for personal data protection
Awareness on various cybercrimes
Cyber safety pledge
(Kids Session) Video Recording
Session Highlights
1. Kids should do the following things when they start exploring the cyber world:
Respect and protect yourself
Respect and protect others
Respect and protect copyright
Respect and protect equipment
2. Understand the Cyber World - While using Facebook, Instagram, YouTube and others, kids should understand whom to talk to and who is a stranger versus a friend
3. Safety in Physical world - Kids should know the space distance in terms of Public, Social, Personal and Intimate space
Public space - Strangers
Social space - Friends & Relatives
Personal space - Parents
Intimate space - God
4. Safety Circles, where to reach for help:
Parents
Teachers
5. Cyber world: Fake Identities / Strangers
Never give away - your name, phone number, address, password, school name, parents’ names
Cyber creeps can become you (identity theft) or find you
Posted by pritha on January 5, 2023 at 9:49pm in Blog
We had a community round table with CISOs of top firms to create a tangible community playbook that could be used by the community in the future. We are extremely thankful to the contributors for this playbook.
CISO Contributors
Dr. Anton Chuvakin, Security Solutions Strategy, Google Cloud
Vijay Kumar Verma, SVP and Head Cyber Security Engineering, Jio Platforms Ltd
Manoj Kumar Shrivastava, CISO, Future Generali India Insurance Ltd
Mihirr P Thaker, CISO, Allcargo Logistics Ltd
Prasenjit Das, CISO, TCS
Suprakash Guha, General Manager, Lumina Datamatics
Anwaya Bilas Sengupta, CISO, ERLDC
Gowdhaman Jothilingam, Sr Manager IT/CISO, LatentView Analytics
Palanikumar Arumugam, Head Technology, Shiksha Financial Services India Pvt Ltd
Raghavendra Bhat, Head of Security Validation India, SAP Labs
Rajeev Mittal, CIO, Endurance Technologies Ltd
Ashok Kannan, President - IT, Sintex Industries Limited
Key Pointers
Challenges - Licensing, use cases, log volume optimization - how to outsource? How to select a provider? - refining SOC Practices (operations)
Mitigation Strategies
Discussion Highlights
1. Major challenges:
Convince the top management for SOC
Log volume management
Management commitment
Partner outsourcing
Skill gap & awareness training - people
Choosing the right tool - native with multiple dashboards OR aggregate logs and create correlation use cases and playbooks
Organizations have assets on various platforms (Jio, AWS, Google etc.)
Effective building of correlation use cases
Building SOAR capability on ground
Maturity of the SOC (measure active response)
2. How to have an effective detection and response mechanism built, and the right kind of SOC or the program of which the SOC is a part.
Many companies are still not able to implement a SOC, and that is the major challenge we are facing
Lack of convincing the top management on the budget, how we can take it forward and what the return on investment is
Due to huge log volumes and without a dedicated team or a central team it is difficult to manage, and that's why we get stuck
Management commitment challenges and the other auxiliary challenges
SOCs are ruined by lack of commitment from executives more than by volumes of logs
3. Outsourcing of managed security services, whether it's to a global firm or not, should be explicitly brought to light
A SOC is to be looked at from 2 aspects: it needs to have tools, people and processes built around it, and on the other side it should build protection controls
The SOC is one of the prime areas where we measure the active response
Lack for the vulnerability targeted to the porter
4. Threat landscape
Log management and optimization of sources has caused a number of SOCs to crash and not go well
Detection and observation come first, and then the sources needed
5. Always drill the management on crises: pick up various scenarios and do the analysis. How much time does it take for the organization to respond and recover, or does the organization even have the capability to respond and recover? The SOC is the strategy to put these things in place
6. We need to have tools, people and process around a successful SOC. Protective controls involve Firewall, EDR etc. An effective SOC allows you to validate if your protective measures are working well.
Posted by pritha on January 5, 2023 at 9:47pm in Blog
This session covers SIEM augmentation importance, benefits, common use cases, architecture stack, evaluation plan & more. Security information and event management (SIEM) solutions and security operations tools in general are not perfect, each with their own blind spots and pitfalls. However, with the addition of a single tool, you can demonstrably improve your team’s ability to detect and respond to threats and at a reduced total cost.
Session Agenda
SIEM Augmentation - Why & How (using Chronicle and benefits)
SIEM Augmentation Use Cases (common use cases)
SIEM Augmentation Architecture (data flow between SIEMS, effect on operations)
SIEM Augmentation Action Plan (short term and mid term plan to evaluate SOC stack and augmentation)
About Speaker
Sharat is SIEM Head Product Marketing, Google Cloud. Leader with a demonstrated history of working in the information technology and cybersecurity industry. Skilled in Competitive Intelligence, Management, Customer Escalation Management, Information Security, and Technical Product Marketing. Information Security professional with a Master of Science focused in Telecommunications from University of Colorado at Boulder and a Bachelors in Electrical Engineering from Anna University, India.
(Webinar) Recorded
Discussion Highlights
1. Why augment your SIEM:
-More cost saving
-New use cases
-New Telemetry cases
2. How to start augmenting your SIEM
Does your SIEM address all current and planned use cases cost-effectively?
Does your SIEM address current use cases but at an unsustainable cost?
Does your SIEM address current use cases but future scaling is not assured?
3. SIEM Augmentation Use Cases:
-The "Cover All Your Bases" Use Case
-The "Hoarding is Rewarding" Use Case
-The "Automation Station" Use Case
4. SIEM Augmentation Architectures:
5. What to watch for when Augmenting:
-Data collection pitfalls may materialize
-Split data needed for one use case
-Multiple workflows add complexity
-Detection content duplication
-Source of record
6. SIEM Augmentation action plan:
- Short term recommendations
Review your detection and response tools & processes
Identify gaps in current use case coverage
Map out collection and retention of telemetry data
Identify costs and challenges to address
- Medium term recommendations
Look for cloud scenarios that are not addressed
Review choices for a joint, augmented architecture
Posted by pritha on January 5, 2023 at 9:47pm in Blog
A SOC is responsible for detecting, investigating, and responding to cyber threats. As the attack surface continues to expand, SOC teams are extremely overburdened. Further, there are talent shortages. The Google SOC team has found a way to scale and automate the detection and response process.
Eliminate security blindspots with cloud-native infrastructure
Get to “aha” faster with sub-second search, insights, and streamlined processes
Democratize security operations by leveraging threat intelligence, out-of-the-box detections, and playbooks
About Speaker
Kristen Cooper is a Security Operations Product, Google Cloud. She has over 16 years of product management and product marketing experience with the past decade focused on cybersecurity, working for companies such as Mandiant, Siemplify and now Google. Kristen has a passion for building world-class product marketing teams and working with companies to solve their security challenges.
(Webinar) Recorded
Discussion Highlights
1. Agenda:
-The need for SOC Transformation
-Modernizing people, Process & Technology
-Chronicle Security Operations
2. Security Operations is Ripe For Transformation:
-We can't store and analyze all data, resulting in blindspots
-It's cost prohibitive to ingest all the data we need
-It takes too long to investigate alerts
-We struggle to build effective detection and have too many false positives/negatives
-Our processes are too manual, we are too slow to respond to and remediate threats
-We don't have enough skilled engineers to make everything work
3. CISOs & Security Leaders are still asking questions:
- How can we increase the operational efficiency of our workforce?
- Are we effectively detecting & responding to all business threats?
- Can we budget, optimize and manage our financial costs?
- How can we modernize & get ahead of the talent shortage?
- Where can we co-innovate with Google?
4. Legacy SOC
Inspired by IT helpdesk philosophy
Treats incidents as rare and abnormal
Focuses on alert pipeline and pairs alerts to analysts
Centered on a SIEM (SOC=SIEM analyst team)
Has walls between alert handlers and alert tuners
Threat intelligence is sometimes consumed
Shallow metrics on handling time
5. Modern SOC
Teams are organized by skill, not rigid level
Process structured around threats, not alerts
Threat hunting covers cases where alerts never appear
Multiple visibility approaches, not just logs
Automation via SOAR works as a force multiplier
Deeper testing and coverage analysis
Threat intelligence is consumed and created
SOC elegantly uses third party services
6. Five Key Steps:
-Baseline skills required against workforce & identify gaps
-Shift hiring program to align to new skill structure
-Implement an automation backlog, focus on toil reduction
-Fill gaps with partners, 3rd parties, and "shift-left" via x-fn
-Strive to achieve 40/40/20 ops-eng-learning utilization
7. People Transformation:
-Tactical
Analysts are organized by skills and focus on threats, not alerts
Posted by pritha on December 29, 2022 at 11:43pm in Blog
The healthcare industry in India has faced 1.9 million cyber attacks this year till November 28, as per data published on Thursday by cyber security think tank Cyber Peace Foundation and Autobot Infosec Private Ltd. The attacks came from a total of 41,181 unique IP addresses, which were traced back to Vietnam, Pakistan, and China. The objective behind most of the attacks was to inject a malicious payload into the network of the healthcare company and trigger ransomware attacks. The sensors found 1527 unique payloads used for trojan and ransomware, the report shows.
About Speaker
Srinivasulu Thayam: CTO, Aravind Eye Care.
Srinivasulu is a Senior Leader in IT with 27+ years of global diversified experience in Product engineering, Product development and assurance, Business Unit development, Strategic management, Delivery, Program and Practice Management, Test Automation tools, Non-Functional Testing, change controls, account management, Transformation and Transition management, scaling high performing organizations, and maximizing revenue & growth through client satisfaction and disciplined leadership.
Webinar (Recorded)
Discussion Highlights
1. Healthcare Data breaches
2. Why healthcare is the biggest target for cyber attacks
Private patient information is worth a lot of money to attackers
Medical devices are an easy entry point for attackers
Staff need to access data remotely, opening up more opportunities for attack
Workers don’t want to disrupt convenient working practices with the introduction of new technology
Healthcare staff aren’t educated on online risks
The number of devices used in hospitals makes it hard to stay on top of security
Healthcare information needs to be open and shareable
Smaller healthcare organizations are also at risk
Outdated technology means the healthcare industry is unprepared for attacks
3. Fear the attacker
4. Recent Ransomware scenarios
A major cyber security breach that has forced it to take a number of critical systems offline following an alleged social engineering attack on an employee by an apparent teenage hacktivist
Data breach at Uber saw information on 57 million user accounts – 2.4 million in the UK – compromised
Uber was fined almost $150m for covering up this breach, and its then chief security officer, Joe Sullivan, is currently facing criminal charges over the incident
AIIMS Delhi turns manual following ransomware attack and around 40 million patients might have been exposed
The FIR stated that after two encrypted mails, there was a message: “what happened, your files are encrypted, all files are protected by strong encryption with RSA-2048, there is no public decryption software, what is the price to repair, the price depends on how fast you can pay to us, after receiving money, we will send program and private keys to your IT department right now, do not attempt to decrypt your data after using third party software, this may result in permanent data loss, our program can repair all files in few minutes and all servers will work perfectly same as before, free decryption as guarantee, you can send us upto three free decrypted files before payment.”
Safdarjung Hospital, a 1,500-bed government hospital, recently disclosed that cyber criminals also hit its IT system in November. No data, however, was compromised when the system went down for a day
While Medical Superintendent Dr B.L. Sherwal did not expound on the nature of the attack, he added that the system was immediately restored by the National Informatics Centre, the government agency responsible for enabling all government IT systems in India
The processes at Safdarjung Hospital are not as computerized as those at AIIMS, which is why the harm wrought by the cyber attack was not as serious as that at AIIMS
Personal details of more than 1.5 Lakh patients (data is from 2007 to 2011) of a Tirupur Hospital have been put up for sale by cyber hackers through Telegram channels and specific cybercrime forums
The leaked information contains personal details such as birth dates, doctor details, residential addresses, and basic vitals of patients such as height, weight and blood groups
The database was advertised for $100 (meaning that multiple copies of the database would be sold); for cyber criminals seeking to be the exclusive owner of the database, the price is raised to $300, and if the owner intends to resell the database, the quoted price is $400
CloudSEK (a contextual AI company that predicts cyber threats) has revealed this
Customer data was encrypted by cyber attackers repeatedly, 3 times in the last 5 months
During the 1st attack, a partial ransom was paid (for specific clients) by the data processor; however, the ransom demand was ignored the 2nd time and they went to cyber insurance to manage the damage; the 3rd time, most of the customer networks (common to the data processor and his customers) were attacked
5. Crowdstrike Blog
6. Causes
Social engineering using phone calls and text messages to impersonate IT personnel, and either directing victims to a credential harvesting site or directing victims to run commercial remote monitoring and management (RMM) tools
Social engineering “most dangerous” threat, say 75 percent of security professionals. In May, Cyber Security Hub research revealed that three out of every four cyber security professionals considered social engineering or phishing attacks to be the “most dangerous” threat to cyber security at their companies
Ransomware has accounted for around 20% of cyber breaches so far in 2022. For comparison, the use of stolen credentials (hacking) accounts for 40% of breaches as of October 2022, and phishing accounts for around 20%
93.28% of detected ransomware files are Windows-based executables. The next most common file type is Android, at 2.09%
The most common entry point for ransomware attacks is through phishing, with 41%
Cause of ransomware infection - Spam/phishing emails: 54%, Poor user practices/gullibility: 27%, Lack of cyber security training: 26%, Weak passwords/access management: 21%
7. Threats
Malware
Cryptomining
Phishing
IAM abuse
Outgoing DDoS attacks
Bruteforce
Leaked credentials
Hijacked accounts
Compromised machines
8. Threat Management
AD Security
Increase Visibility
Improve Third-Party Security
Expand Cyber Threat Awareness
Implement Multi-Factor Authentication
9. Data sources
10. Signs that your organization is at risk
Employees are not trained to fully understand and apply laws, mandates, or regulatory requirements related to their work and that affects the organization’s security
Employees are unaware of the steps they should take at all times to ensure that the devices they use—both company issued and BYOD—are secured at all times
Employees are sending highly confidential data to an unsecured location in the cloud, exposing the organization to risk
Employees break your organization’s security policies to simplify tasks
Employees expose your organization to risk if they do not keep devices and services patched and upgraded to the latest versions at all times
Posted by pritha on August 2, 2022 at 12:36am in Blog
Kid’s Cyber-safety Task Force is a part of CISO Platform community initiative to help build a safer world for the younger generation. This Session is aimed at bringing awareness regarding cyber safety among kids.
Suprakash Guha, ISMS Head of Lumina Datamatics, conducted “Cyber Security Awareness Session” at Adithya Vidyashram School, Pondicherry on 9, 13 and 16 July, 2022 on behalf of CISO Platform. Around 400 students of class IX, X, XI and XII were part of this session. Apart from this teachers, School Principal and Founder were also part of this session.
Posted by pritha on July 11, 2022 at 6:54pm in Blog
Hello Members,
There have been some very interesting findings in the Verizon DBIR Report 2022. The community has been asking many questions and is excited. We requested a community session from our partner FireCompass research division, which you can join for free and ask any questions you have.
We are hosting a session on "Dissecting Verizon DBIR: What caused 3000+ breaches" by J. Chauhan (IIT Kharagpur Alumni; Head Research @FireCompass). Our speaker analyses the report so we understand the most common attack vectors and patterns. In this webinar, we will look deep into the Verizon DBIR report and find out how attackers navigate to your valuable assets and what you can do about it.
The last year has been notorious in cyber crime, from well publicized critical infrastructure attacks to massive supply chain breaches. The DBIR report analyses data to find patterns and action types used against enterprises. This year the DBIR team analyzed 23,896 security incidents, of which 5,212 were confirmed data breaches. (Reference: Verizon DBIR 2022)
Key Learnings From Session:
Learn which are the top 5 attack vectors that contributed to 80% of the breaches
Learn about the rise of ransomware & the 5 top ways they get the initial foothold
Learn how attackers are leveraging web applications in breaches
(This is a free session exclusive to CISO Platform community members.) As always, we look forward to your feedback and thoughts. Please send us your ideas on how we can make the community a better value add for you and your peers. Email pritha.aash@cisoplatform.com
Session Recording (with Q&A)
Executive Summary
1. Agenda
Objective
Taxonomy of attacks
Top 5 attack vectors that contributed to (approx.) 80% of the breaches
Rise of ransomware and a few top ways ransomware gets an initial foothold
How attackers are leveraging web applications in breaches
What about human errors?
Recommendations
Q/A
2. What Is The Objective? The objective is to get insights from the Verizon DBIR 2022 (Breaches) analysis report and orient the security roadmap, if required.
How can statistics help us? Stats based on breaches can tell us where we should focus. We believe that continuous security assessment in the way real attackers perform, especially on top of baseline activities such as VA/PT, will help in preventing future potential security incidents and breaches.
3. Taxonomy Of Attack In The DBIR Report
4. Explain The Taxonomy Of The Attack In The DBIR Report?
The taxonomy consists of multiple concepts such as attack patterns, attack vectors and attack varieties.
Attack patterns are the complex forms of attacks, such as system intrusion. An example of system intrusion is a multi-stage attack from outside to inside the network
Attack categories are groups of attack vectors.
An attack vector consists of multiple attack varieties at the individual level
5. What Are The Top Attack Patterns (Complex Attacks) That Contribute To More Than 80% Of Breaches?
These are the ones:
System Intrusion - Multi-stage attacks to gain access to systems via one or more attack vectors to install backdoors and ransomware
Basic Web App Attacks - such as web vulnerabilities, credential stuffing using stolen credentials
Social Engineering - Phishing to lure users to submit sensitive information or download and install malicious code
Misconfiguration - Exposed panels, exposed keys, public cloud buckets etc.
6. How Does Ransomware Get An Initial Foothold?
Ransomware is on the rise, accounting for more than 20% of all major breaches. Ransomware operators generally intrude and gain access to the network using various attack vectors, as follows:
Use stolen credentials - desktop sharing software such as RDP, VPN, AnyConnect etc.
Phishing via email - install ransomware code
Exploit vulnerabilities - web applications, products and frameworks such as Log4j
Errors and misconfigurations - open databases, Kubernetes, Docker instances
7. What Automation Is Being Used By Hackers To Attack Enterprises?
One of the typical automations, running without any human intervention, is the following:
Scan for targets on mass scale
Profile the targets using custom crawlers or fingerprinting techniques
Detect CVEs based on technology, or banner
Attempt exploitation
Attempt persistence
8. What Are The Other Ways To Get An Initial Foothold Into An Organization?
Misuse partner access using stolen credentials or other means such as phishing
Supply chain attack by compromising the DevOps pipeline, or system management tools such as SolarWinds etc.
Target desktop sharing software
Use stolen credentials
Exploit a vulnerability
Phishing
Target a web application vulnerability
Once the initial foothold is attained, generally a backdoor / C2 agent / ransomware is installed to carry out pivoting
9. How Are Attackers Leveraging Web Applications In Breaches?
Web applications are the most exposed assets on the internet.
Attackers use stolen credentials to perform attacks such as credential stuffing or brute force attacks
Exploiting a vulnerability
Misconfiguration such as exposed admin panels etc.
10. What Is The Contribution Of Misconfigurations/Error In Breaches?
The rise of the misconfiguration error began in 2018 and was largely driven by cloud data store implementations that were stood up without appropriate access controls. The data tends to be from customers, and it is also the customers who are notifying the breached organizations in a high number of cases. However, security researchers are still the stars of this discovery show (although their percentage is down from last year).
11. Suggested Action Items For Prevention And Mitigation
Posted by pritha on May 9, 2022 at 10:41pm in Blog
Interesting learnings during the journey of cyber war & peace. Areas of learning in the life journey as a leader and professional.
About Speaker
Nick has 25 years of experience from the digital battlefield to 21st-century technology adoption. Disciplined execution with creative improvisation for better security risk management outcomes.
Bikash Barai is the Co-Founder of FireCompass, an AI assistant for IT security decision makers. Earlier he founded iViZ an IDG Ventures backed company which was later acquired by Cigital. He is also an early advisor at CISO Platform.
Posted by pritha on May 9, 2022 at 10:01pm in Blog
Operational Technology cyber risk is a growing problem for organisations in the manufacturing, infrastructure, energy, resources and logistics industries. The increased adoption of digital technologies to drive productivity and the increased connectivity with suppliers and customers have resulted in a growing digital footprint and associated cyber threat across the operations value chain. We will analyse practical steps organisations can take across mitigation and insurance, and explain how to address key exposures and stakeholder needs.
About Speaker
Anthony drives WTW risk and analytics service in Australasia to help clients across their full journey of improving cyber risk awareness. He has a deep understanding of the quantification and financial impacts caused by cyber events. He has triaged major cyber claims and coordinated the incident response and management of over 400 cyber incidents.
Rob is an experienced cyber security leader who has held senior executive leadership positions where he has built and run information security capability across multiple industry sectors. He has been highly engaged with industry bodies including Australian Information Security Association (AISA) and the Information Systems Audit and Control Association (ISACA).