CISO Contributors

  • Igors Konovalovs, Director Global Solution Specialist, Mandiant
  • Bikash Barai, Co-founder CISO Platform; FireCompass
  • Pradipta Kumar Patro, GM, Adani Group
  • Mohd Imran, Group - Head Information Security, L&T Financial Services
  • Manoj Kumar Shrivastava, CISO, Future Generali Insurance
  • Vijay Kumar Verma, VP & Head Cyber Security Operations Center, Reliance Industries
  • Sachchidanand M, Director, J.M. Financial Services Limited
  • Pravin Desai, AVP Technology Cloud & Security Operation, Fullerton Credit India
  • Nithin R, CISO, Bajaj Finserv Limited

 

Key Pointers

  • Gaps in testing and validation
  • What is BAS (Combining Intelligence with BAS)
  • Reference Architecture (BAS & Control Validation)
  • Critical capabilities
  • Success and failure factors

 

 

(Fireside Chat) Recorded

 

 

Discussion Highlights

  • So whenever you do a testing so the first portion that we need to see is the triangle completion that what is the time available for testing what is the scope of testing and how much the costs or the bandwidth in terms of manpower is available with you. You need to fill in this information and always there has to be a priorities assigned and before that you can have both blind testing as well as a intelligence led testing where you have a knowledge of a internal network so you always have to prioritize what are the internal internet exposed assets and out of those internet exposure sets how many are critical to your function
  • Once you do a testing you also need to define on the objective of testing what is the objective of my testing. Is it just limited to finding vulnerabilities which could be exploited or can you define some kind of a success criteria that can be many things either getting a shell access to a system or getting a parameter manipulation where you have one credential to one system and whether you can manipulate your parameter and get access to other systems so these kind of success parameters on different applications of your targets could be designed and with these things in your mind you can actually then do that bridge attacks and then you can carry out your simulations.
  • Mature organizations have a vulnerability management process in their organization, that scans, finds vulnerabilities and fixes them. The challenge which we face is identifying the vulnerabilities and fixing it and rescanning it. Between 2 resecans the gap is huge - gaps of 1 month or more. In these times this can be easily exploited by the adversaries. Major solution can be a continuous scanning on monitoring of these threads that will help or fill the gap of these months. So this is a major challenge which is kind of unsolved as an industry.
  • The major breaches which has happened, the most important thing missed was asset management. What to protect is a major challenge and it's a practical challenge everywhere. There should be some solution with client-based solution and continuous assessment and a certain layer may be virtual patching etc. A lot of organizations work in silos and that intelligence is not being passed on to each others. There's not a single unified view. Setting up this process is very important. This is the automation part (Proactive vs Reactive Process)
  • A lot of attacks target through systems not on payload. Threat Intel visibility or detection point view for SOC may not cover 100% of the organization. The attack surface is further increased with remote work from home. Autonomous SOC (level 1 alert triage) is about the volume, virtual analyst, machine leraning application. So ideally you want to automate detection and you also want to automate kind of attack or red team so if you can automate blue and red team and consistently and continuously do that then you actually can come to a place in your soc and your security where you only need to decide what do you want to test, no longer need to worry how you're going to test it who is going to detect it when you automate the basic part of detection and to a degree response and the attack part which breach and attack simulation is actually all about. 
    Then you start getting to that what we call autonomous soc and intelligence. This is kind of that component that you can use to direct your validation efforts by simply saying if we can use an attack a malware binary or a payload from an existing instance response investigation load it into a breach and attack simulation tool and then blast it against my autonomous soc which will automatically triage and detect it. That's how i know whether my security technologies are working or not so that is what we've seen actually being fairly powerful combination.

  • The threat landscape is growing at an exponential rate while the regulatory bodies and security team talents grow at a slower pace. Combat is a huge issue. We need to have some kind of a platform or tool which will integrate all these pain points and give one dashboard. This dashboard will enable the CISO to efficiently track and monitor. External penetration testing is more rigorous while it's less rigorous for user segments and shared services. So that actually strengthens your complete zones and complete environments rather than just testing from your perimeters. So this kind of a scenario once we take an assumed breach and then we can have realistic targets also and then we can see whether you are secure when we start moving from those zones and in addition suppose you have certain controls which are placed to detect lateral movement it may be like you are doing some traffic monitoring from span ports which originates from cross zones.
  • One interesting thing about intelligence-led bass is it focuses on the most important areas (bass) rather than a complicated view.

    If you have two sets of data and when you do the intersection you have that narrow set which tells that these are big threats from our threat actor perspective from our industry perspective etc. I can effectively prioritize better. One of the very interesting use case is that when you have this intelligence-led, you can actually do much better prioritization so that you can focus on only few things which you need to fix today rather than thousands of things which needs to be passed.

 

 

 

 

E-mail me when people leave their comments –

CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)