As cyber attacks are rampant across the world, Varun Vij, Regional Infosec Lead, Serco (Middle East), expresses his views about how to deter the attempts with small steps without much of fancy technologies.
How do you see these days IT and cyber security aligning with business performance?
Cyber security is becoming a top agenda, thanks to the regulations like GDPR and all these cyberattacks are also bringing it into limelight. So, there was a very famous breach in Equifax where even the CEO of the organization you know unfortunately got sacked so it has become one of the talks of the town and cyber security being one of the biggest risks. So world economic forum says the biggest one of the biggest risks after pandemic globally is actually cyber so it gives a lot of weightage and that’s why we are seeing that now senior management are started talking about cyber security that is one of their agenda now in the board room and I think it is very essential for a cyber security professional to talk cyber security in business terms and try to also align it with the strategy. So, for instance because you know you can spend billions of dollars in cyber security without affecting the bottom line so understanding the nature of the business. If someone is an e-commerce organization then their key components of cyber security would be like application security. If they’re in cloud, they focus on cloud security. So, try to prioritize the business objectives and try to accept the risk with business. If business is saying, we are willing to accept the risk you be agile and adaptive to embrace the organization objectives.
What is the trend you are seeing in the pure play cyber security space?
It’s a very interesting time in cyber security. The reason I say it’s quite interesting for cyber security professional is because we call it as industrial revolution 4.0. Many experts said that the changes world has seen from 1900 century to 2000 – in 100 years the same changes now we are seeing in a matter of next five years. So, world is changing dynamically even because of this pandemic the growth with which cloud got adopted and mobility got adopted is extraordinary. So, experts say that if organizations are not willing to embrace the digital revolution, then they will be left behind. Now how does that help in cyber security? When we talk about these innovation technologies, we are talking about blockchain, artificial intelligence, big data, mobility, and cloud. IBM has got something called as IBM prediction curve. They say that the amount of data what we are exposed, gets double in every 12 months. But now they are saying with IOT coming, into play the amount of data will get doubled in 24 hours. So, the amount of data what cyber security professional need to protect is actually monumental and now the second reason why I am seeing that the trend is changing, and we have this new technical revolution is now there are no parameters. Earlier there were perimeter for the organization. Now you have mobility and cloud. There is literally no physical parameter out there so your scope and your purview what you are trying to protect has become complicated and when that become complicated the threat landscape become very intrinsic very sophisticated and that’s why the job of cyber security professional has become way complicated than ever.
“You should never underestimate the attacker because they have to be lucky once, but you have to be defensive and successful every single time.”Varun Vij, Regional Infosec Lead, Serco
In a very large organization like Serco how do you ensure security and what are the new technologies that you are evaluating to protect the organization and the assets?
One of the key technologies which we focus and it’s as I said risk management is the cornerstone of any cyber program because Microsoft spends one billion dollars annually on cyber security and even that is not enough. What we have done from a risk management standpoint is that we realized 85 per cent of times, some privilege accounts get compromised during a cyberattack. So, we have heavily focused on each privileged solutions, identity, and access management solutions, focusing on application whitelisting solutions having a good and updated antivirus having a next generation firewall, etc. I think these are some of the technologies which are kind of the forefront. It improves your cyber security operations dramatically. Along with these prevention technologies, there should be focus on detection response and that’s where the SOC comes into play and then in SOC you have the SIEM solutions and networking anomaly solutions, etc. And that is how it gives you a 360-degree view of your time security.
These days predictive analysis and SOAR are becoming very important, what’s your strategy around that?
The biggest drawback right now the disadvantage what we’re coming across is there are hardly one percent and that’s very controversial some people say three percent that the successful detection of a security incident by a SOC is less than one percent which is very minimal. Then the management asks we have spent such a huge amount on cyber security, and we are not even able to detect uh the security incident what’s the point of spending so much money. That’s where you know some very wise people came up with this SOAR concept and that’s where we are seeing a huge change happening. Because when you saw a talk to SOC analysts, and you know try to understand their pain points it’s – like why you are not able to detect what are the challenges you face. One of the key challenges what you will hear is there is a concept called as alert fatigue. Literally they are finding a needle in a haystack so there are millions of events happening and they have to find that one which matters the most. And that is where because humans have their own limitation that’s where these advanced technologies like SOAR are bringing huge value. They are finding a needle in a haystack for you and then you apply your human intelligence. it improves your detection and response capabilities dramatically it has a huge value add. One of the famous and the biggest data breach what we have seen in the past was Target and in Target data breach which cost millions of dollars to an organization. There were two root causes found: one was a misconfiguration and second one was detection and response capabilities. So, the detection and response capabilities are improvised using a SOAR, organizations will be proactive. They will be able to see some blind spots and able to connect the dots that something fishy is happening in the environment and they are able to take necessary steps.
There is always a blame game between the OEM and the customers incase of breaches, what needs to be done and what is your best practice?
Our strategy is quite simple. There are two elements into it. One is measure. We say you cannot improve if you cannot measure. That’s where the moment you don’t have the key performance indicators and key risk indicators. So, you start with key performance indicators and then you start shifting towards key risk indicators. Because business understand risk. If you have built some metrics around it, where you can weigh that: hey guys we are good in these areas, but we lack in these areas. Then there are certain risks which may require investment which may require funding may require projects. Those things you convey to the right stakeholders get those risk accepted and documented. Now what happens when things spin out of control when unanticipated even happen then there is not going to be a blame game or at least the blame game is going to be suppressed to a large extent because you have a data to show that ‘I told you so’ that’s the strategy what we use.
What is your awareness strategy against any spoof mails?
There is a famous thing said by FBI director: there are two types of companies in the world – those who have been hacked and those who don’t know that they have been hacked. So, we always say that cyberattacks are inevitable. We are just trying to reduce the probability and the impact. We want to become resilient so now when it comes to having the security awareness, because you said it’s so many apt attacks with all sophisticated technologies, there are flaws. So, we have a concept which is a globally accepted concept it’s called as defense in depth. We are saying that okay you receive some spam email user was supposed to do the due diligence and let’s say that failed but you still have a good control the second control to prevent you from sample attack that could be a very amazing effective antivirus solution if that fails you have an amazing application whitelisting solution then you can prevent that compromise machine to affect other machines. You have layers of defenses in place. Maybe one machine gets compromised but that cannot bring the entire organization down. So defense in depth plays a very pivotal role because when I speak to business users sometimes they are really caught up so much into their day-to-day operation, they say that it’s just in the spur of the moment they just clicked on the mail and you know that thing happened. And to answer your second question, it is a combination of technical security and the awareness yeah so that you are able to spot genuine emails so there are some fantastic concepts, which prevent your MD or CEO’s mail to be spoofed. Like DMARC is an email security concept which helps you in that you have SPF records. There are technical elements which can take care. From an awareness standpoint, I highly encourage to have phishing simulation program so that you don’t need to experience the real spam email you experience a simulated one and then you measure, so in an organization generally if you have less than five percent clicking ratio your organization is doing quite well.
You said that the management is talking a lot about cyber security now, are they convinced about the budget that you are asking for?
One thing I have seen when cyber security is a top agenda, I think getting the budget approval and getting the acceptance from the management becomes relatively easy. But at the same time the organizations during this pandemic have also hit the bottom line. That is where the second level what you work upon is the risk management basis. Yes, we have seen a very incredible spike in the Funding in the last five years but in 2022 I think it’s going to be slow down a bit. We’ll focus more on the risk management.
Any new projects that you have in the pipeline?
As we discussed on the misconfiguration element, that is where we are trying to work on something what generally people found it boring like your day-to-day operations trying to improve the configurations of the assets. So, you don’t need to invest into new Technologies. You already have technologies in place. Experts say – especially in Middle East – they have bought all the fancy shiny tools, but the overall utilization is less than 15 per cent. So, the prime focus is to improve the capabilities of the existing solutions and avoid misconfigurations. We have KPIs to find that these are the X number of misconfiguration and try to fix it because doing several security assessments, we have found out that you always miss the basics. They say the zero-day attacks stand for less than three percent of the total attacks. So, you have to focus first on the 97 percent of the common attacks, which the world knows and then climb up the ladder.
What your one best practice that you feel that your peer group needs to adopt.
There is one advice, which has got four components but that is the crux of everything. Australian government did some research on loads of cyber-attacks. They call it ASB top directorate. What they found interesting after studying so many data breaches. There were some very basic things they said if you have those basic things in place in an organization, you can prevent somewhere around 85 percent of the cyberattacks. The beauty is that it doesn’t require massive investment. It requires some of the basic things. One thing is you patch your operating system on a regular basis and then you patch your applications also sitting on your OS on a regular basis. Then you have an updated antivirus and last but not the least is you apply the least privilege concept at every level – whether it’s your end point or it’s your infrastructure server. So, if you apply these four things on a regular basis and you measure it, you can prevent around 85 percent of the cyberattacks. I always encourage that ‘yes technologies like SOAR we discuss is such a fantastic technology and it is doing wonders for the organization but let’s not underestimate some traditional fundamental concepts of cyber security. These two should go hand in hand that’s my advice along with that I would also say that you know I think management can understand cyber security as long as you articulate in a simple language. We always say that the biggest irony and the dilemma in cyber security is that we you should never underestimate the attacker because they have to be lucky once, but you have to be defensive and successful every single time. You have to fix hundreds and thousands of vulnerabilities, but they have to just find one vulnerability. What we found in Equifax is just one vulnerability and the entire organization burned into ashes. Let’s not have a hundred-dollar fence around a five-dollar asset!
Brief Introduction of Serco and Varun Vij, Regional Infosec Lead, Serco
Serco is a fortune 500 companies and it has got 65000 employees across the globe. It has four key regions – UK, which is the headquarters, is one region and other regions include North America, Middle East and APAC. The key businesses what Serco is into include offering services to government and semi-government organization in the areas of Aviation, Transport services, Facility Management, Citizens Services, which also includes Prison Management for different regions.Varun Vij as a regional infosec lead is responsible for cyber security operation across Middle East including UAE, Saudi, Qatar, etc.