Cyber-Attacks: Re-Thinking Response
CSS Corp's Ravikiran Bhandari on Proactive Security Strategies
In many instances, CISOs continue to rely on conventional SIEM tools to detect and stop attacks, but these controls cannot always stand up to today's most advanced threats.
Ravikiran Bhandari, assistant vice president for enterprise security services at CSS Corp., offers a new strategy. "Security practitioners can leverage cyber-attack thwart services, which enable organizations to pre-emptively see what risks they are sitting on which are just waiting to explode," Bhandari says. He sees value in deploying new kinds of services to detect attacks and gain insights into potential threats.
"I believe that mapping the culture and networks and gaining intelligence into the behavioural pattern of the employees are critical to ensure a secure environment," he says.
In an interview with Information Security Media Group, Bhandari discusses modern cyber-attacks and their implications for CISOs, including:
- Avoiding reliance on outdated tools that fail to track attackers and their motives;
- Pre-empting attacks with effective strategies;
- Using cyber-attack thwarting services.
Bhandari, an ethical hacker, has more than 16 years' experience in the information security industry, covering application security, security operations centres, security assessments, information security governance and other areas.
Geetha Nandikotkur: What is your take on emerging cyber-attacks and the challenges that CISOs face?
Ravikiran Bhandari: Cyber-attacks are evolving in varied forms, posing immense challenges to CISOs. There has been a spate of attacks that have been in the limelight, from Stuxnet to an attack on one of the largest retail chains in the U.S. ...
Another challenge for CISOs could be that the increased use of tools like Tor and Freenet has only made it difficult for organizations to trace the motives of the attackers, who are always on the prowl to exfiltrate sensitive information and offer a helping hand to competitors. What's creepy and deplorable is that most of the dealings happen in the same place as those involving underground drugs or arms trade.
Against this backdrop, there is a need for CISOs to go beyond firewalls/anti-virus and traditional defence systems and aggressively take up cybersecurity defence strategies of an organization.
Pre-Empting Targeted Attacks
Nandikotkur: How can CISOs pre-empt targeted attacks, and what should they do to detect them?
Bhandari: CISOs can pre-empt targeted attacks by creating simulated cybersecurity attack scenarios. This will enable them to know who is targeting the network and what they are interested in. That can help in shaping defence strategies toward cyber-attacks more aggressively and effectively, apart from knowing potential user targets within the enterprise. One way to detect targeted attacks is to use the method of trapping and leveraging iSoC (Intelligent Security Operations Centre). I also would recommend CISOs place custom honeypots as a trap to ensnare hackers.
So far, CISOs have been using conventional SIEM [security information and event management] tools to prevent threats or attacks, but these can no longer stand up to the current sophisticated attacks. One way to pre-empt attacks is to correlate events with a consolidation of logs. There are a few ways by which one can get insights into the attacks - taking up live monitoring of attacks, mitigating issues on the fly, having a hotline with the teams and daily attack briefings, [using] offensive defence, understanding why attacks occur ... etc. However, for stopping the attackers, CISOs need to re-design their strategy and find hacker motives via honeypots.
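Bhandari's answer pairs two ideas: a custom honeypot as a tripwire, and correlating events across consolidated logs. The script below is an added illustration of how those two feed each other; it is not code from the interview, from CSS Corp or from any CATS product. It consolidates two constructed log sources (a honeypot listener and sshd auth logs from production hosts), then applies one correlation rule: any source address that touched the honeypot and, within a configurable window, authenticated against a production host is escalated according to what it achieved there. All log lines, hostnames, ports and addresses (RFC 5737 documentation ranges) are made up for the example.

```python
"""Correlate honeypot hits with production auth logs (added example, constructed data)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs. Nothing legitimate should ever connect to the
# honeypot, so any hit is suspicious on its own; the correlation rule then
# asks whether the same source went on to touch real systems.
HONEYPOT_LOG = """\
2024-03-01T09:58:01Z honeypot src=203.0.113.7 dport=2222 service=fake-ssh event=connect
2024-03-01T09:58:05Z honeypot src=203.0.113.7 dport=2222 service=fake-ssh event=login user=admin pass=admin
2024-03-01T10:20:17Z honeypot src=198.51.100.23 dport=8443 service=fake-admin event=connect
"""

AUTH_LOG = """\
2024-03-01T10:02:40Z prod-db-01 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-03-01T10:02:44Z prod-db-01 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-03-01T10:03:01Z prod-db-01 sshd[1207]: Accepted password for backup from 203.0.113.7 port 51030 ssh2
2024-03-01T10:05:12Z prod-web-02 sshd[884]: Accepted publickey for deploy from 192.0.2.10 port 40112 ssh2
"""

HP_RE = re.compile(r"^(\S+) honeypot src=(\S+) dport=(\d+) service=(\S+) event=(\S+)")
AUTH_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port"
)


def _ts(text):
    """Parse the ISO-8601 UTC timestamp used in both constructed log formats."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_honeypot(text):
    """Normalise honeypot lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = HP_RE.match(line)
        if m:
            events.append({"ts": _ts(m.group(1)), "src": m.group(2), "dport": int(m.group(3)),
                           "service": m.group(4), "event": m.group(5)})
    return events


def parse_auth(text):
    """Normalise sshd auth lines into event dicts with the same 'src' and 'ts' keys."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": _ts(m.group(1)), "host": m.group(2), "result": m.group(3),
                           "user": m.group(4), "src": m.group(5)})
    return events


def correlate(hp_events, auth_events, window=timedelta(hours=1)):
    """One alert per honeypot source, escalated by what it did on production within the window.

    critical: a login on a production host was accepted after the honeypot hit
    high:     only failed logins on production hosts after the honeypot hit
    medium:   honeypot contact only (reconnaissance), nothing on production yet
    """
    first_hit = {}
    for e in hp_events:
        if e["src"] not in first_hit or e["ts"] < first_hit[e["src"]]:
            first_hit[e["src"]] = e["ts"]

    alerts = []
    for src, t0 in sorted(first_hit.items()):
        later = [a for a in auth_events if a["src"] == src and t0 <= a["ts"] <= t0 + window]
        accepted = [a for a in later if a["result"] == "Accepted"]
        failed = [a for a in later if a["result"] == "Failed"]
        severity = "critical" if accepted else "high" if failed else "medium"
        alerts.append({
            "src": src,
            "severity": severity,
            "honeypot_first_seen": t0.isoformat(),
            "hosts": sorted({a["host"] for a in later}),
            "users": sorted({a["user"] for a in later}),
            "failed": len(failed),
            "accepted": len(accepted),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_honeypot(HONEYPOT_LOG), parse_auth(AUTH_LOG)):
        print(alert)
```

The deploy user from 192.0.2.10 never touched the honeypot and produces no alert, which is the point of the rule: the honeypot supplies the intent signal that a bare "Accepted password" line in the auth log lacks, and the consolidated auth log supplies the blast radius (which hosts, which accounts) that the honeypot alone cannot see. In a real deployment the window and the honeypot service list would be tuned to the environment, and the output would go to the SOC's case system rather than stdout.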
Cyber-Attack Thwart Service
Nandikotkur: You have been recommending that security practitioners deploy cyber-attack thwart services. How does it help in securing an enterprise?
Bhandari: Security practitioners can leverage CATS, which enable organizations to pre-emptively see what risks they are sitting on which are just waiting to explode. Culture, systems and people will be assessed as part of the service. These services can be deployed on-premises or remotely. A CATS framework would essentially help in gaining market intelligence through analytics, whether with regard to high/medium/low/critical location/users/systems segregation based on business objectives or with regard to competition threat analysis, user behaviour to hacking analysis, or culture analytics. ... And staff checks and remote checks are possible to identify targeted spear phishing simulation or targeted APT simulation/social engineering attempts.
The framework will make possible network anomaly observations and sniffing; honey pot design, implementation and fine-tuning; anti-XF device-based monitoring/installation of baseline tools on clients; installation of CATS clients and forensics.
Involving the Board Room
Nandikotkur: How can CISOs gain the boardroom's buy-in when it comes to deploying CAT services?
Bhandari: CISOs should ideally put forth concerns [to] board members [about] becoming the target of APTs and convince them that traditional defence mechanisms don't work in the current scenario. There are several ways in which board members become vulnerable to APTs as personal information could reach hackers via different forms. It could be through Twitter feeds, blogs and conferences, use of iPads, visiting Starbucks and leaving the USB on the laptop and so on.
It is important to map the culture of the organization. CEOs should understand what can be outsourced. On average, about 2 percent to 6 percent of the budget is spent on IT; and now the focus on security is huge. Hiring cyber-espionage teams is critical, and having a regular security assessment audit is vital. These audits, on average, would cost between $25,000 and $100,000, spanning one to four weeks.