Genpact, a global leader in digital transformation, is committed to safeguarding its digital assets and those of its clients. To gain insights into the company’s robust cybersecurity approach, we interviewed Faizul Mufti, Vice President of Information Security and Cyber Defense Leader at Genpact. In this exclusive conversation, Mufti discusses the organization’s strategies for incident response, threat intelligence, and cultivating a security-conscious culture.
How do you prioritize alerts and incidents in your SOC?
This is one of the most important aspects and outcomes of a mature SOC in maintaining a strong security posture. Prioritizing incidents is one of the most critical decision points in the incident handling process. We follow a process of prioritizing security alerts and incidents based on evaluating the risk rating through various factors, broadly categorized under:
- Loss of confidentiality, integrity, and availability;
- Contextual information about the associated asset or entity, such as its risk score and whether the affected identity is privileged;
- Financial and brand reputation damage;
- Regulatory impact; and
- Threat intelligence inputs linked to each individual security alert.
This process helps us focus on critical security incidents, build effective resource management and respond promptly to the most significant threats detected in the organization.
We continuously strive to reduce our detection and response time using the latest technology and automated processes (wherever possible), and ensure governance to improve SOC efficiencies by prioritizing alerts/incidents of impact with faster response actions. To handle the increased scale and complexity of attacks, as well as the significant number of events for analysis, we innovatively developed automation capabilities in our SOAR platform to accelerate response time.
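The risk-factor triage described in this answer, written out as a small scoring model. This is an added illustration by the editor, not Genpact's code or Mufti's own scheme: the 0-3 impact scale, the weights, the asset-context scaling, the 25% uplifts for a privileged identity or a threat-intelligence match, the P1-P4 thresholds and the three sample alerts are all assumptions chosen to show how the factors combine into a ranked queue.

```python
"""Risk-based alert triage along the factors named in the interview.

Added illustration, not Genpact's own code: the 0-3 impact scale, the
weights, the uplift multipliers, the severity thresholds and the sample
alerts are all assumptions chosen to show the mechanics.
"""
from dataclasses import dataclass

# Weight per impact factor (assumed). Each factor is rated 0 (none) to 3 (high).
WEIGHTS = {
    "confidentiality": 3.0,
    "integrity": 3.0,
    "availability": 2.0,
    "financial_brand": 2.5,
    "regulatory": 2.5,
}
MAX_RATING = 3


@dataclass(frozen=True)
class Alert:
    alert_id: str
    title: str
    confidentiality: int
    integrity: int
    availability: int
    financial_brand: int
    regulatory: int
    asset_risk_score: int       # contextual asset risk, 0-100 (assumed CMDB field)
    privileged_identity: bool   # affected identity is privileged
    ti_match: bool              # alert is linked to a current threat-intel indicator


def impact(alert: Alert) -> float:
    """Weighted CIA + business + regulatory impact, normalised to 0..1."""
    weighted = sum(w * getattr(alert, name) for name, w in WEIGHTS.items())
    return weighted / (sum(WEIGHTS.values()) * MAX_RATING)


def risk_score(alert: Alert) -> float:
    """0-100 risk rating: impact, scaled by asset context, then uplifts."""
    score = impact(alert) * 100
    # Asset context: a zero-risk asset halves the score, a top-risk asset keeps it.
    score *= 0.5 + 0.5 * (alert.asset_risk_score / 100)
    # A privileged identity and a threat-intel link each add a 25% uplift (assumed).
    if alert.privileged_identity:
        score *= 1.25
    if alert.ti_match:
        score *= 1.25
    return round(min(score, 100.0), 1)


def severity(score: float) -> str:
    """Map the rating onto response tiers (thresholds assumed)."""
    if score >= 75:
        return "P1"
    if score >= 50:
        return "P2"
    if score >= 25:
        return "P3"
    return "P4"


# Constructed sample alerts (not real incidents).
SAMPLE_ALERTS = [
    Alert("A-1001", "Ransomware note written on file server", 3, 3, 3, 3, 2,
          asset_risk_score=90, privileged_identity=False, ti_match=True),
    Alert("A-1002", "Failed logons on lab workstation", 1, 0, 0, 0, 0,
          asset_risk_score=10, privileged_identity=False, ti_match=False),
    Alert("A-1003", "Phished credentials used by domain admin", 2, 1, 0, 1, 1,
          asset_risk_score=60, privileged_identity=True, ti_match=False),
]


def triage_queue(alerts=SAMPLE_ALERTS):
    """Return (alert_id, score, tier) tuples ordered highest risk first."""
    scored = [(a.alert_id, risk_score(a), severity(risk_score(a))) for a in alerts]
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for alert_id, score, tier in triage_queue():
        print(f"{tier} {score:5.1f} {alert_id}")
```

The point of the structure is that the CIA and business factors set the ceiling, asset context scales it, and the identity and threat-intelligence signals are multiplicative uplifts rather than additive points, so a low-impact alert on a throwaway host never reaches P1 even with a TI match, while a privileged-identity compromise rises a tier on its own.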
Can you describe your incident response playbook and how you measure its effectiveness?
Our incident response playbook methodology is designed to minimize business impact, restore computing services to normal operations, reduce the risk of data loss and enable compliance with applicable regulations and standards. The overall approach to incident response is modelled on the NIST framework, which outlines the following four phases:
1) Preparation
2) Detection & Analysis
3) Containment, Eradication and Recovery, and
4) Post-Incident Activity
Effective incident response playbooks provide clear, actionable steps for our teams to follow during the handling of a security incident scenario, ensuring
• Faster incident response time,
• Less damage from security breaches, and
• More (and more efficient) collaboration among different teams.
The effectiveness measurements and key metrics collected in our IR playbook processes include the following time-based metrics:
• Time to Detect
• Time to Respond
• Time to Contain
• Time to Close
These metrics help us to understand and continuously improve the efficiency of our incident response process.
How do you ensure effective collaboration between your SOC and other security teams?
We emphasize maintaining a culture that is driven by principles of collaboration, cross-domain & functional training, conducting technical & process-oriented knowledge sessions, preparing joint simulation efforts and driving a risk-driven framework while working on security incidents.
We implemented a next-gen SIEM platform with advanced capabilities globally, to provide richer context for incident detection, prioritization, investigation, and reporting, and enriched security intelligence with user behaviour and machine learning capabilities. This enabled effective collaboration, with a single pane of outcome for different security teams, and developed effective situational awareness within the SOC program.
We also designed and implemented an incident response platform to drive collaboration between teams with consolidation and consistency in responding to security alerts generated by various threat detection platforms and automating certain aspects of incident handling.
The overarching factor that also helped bring better maturity to our SOC outcomes was building stronger governance with our stakeholders, including CXOs and other internal governing council forums.
What are the most common threats targeting Genpact, and how do you defend against them?
Cyber-threats have become more sophisticated over the last few years, and digital transformation, leading to the adoption of multi-cloud services, newer technologies like AI and GenAI, working from anywhere and much more, has added to the complexity of an expanding attack surface for enterprises. Cyber criminals are leveraging advanced tactics and techniques across this expanding attack surface while also staying persistent with targeted attacks. Our primary focus areas, considering the evolving threats and the industry we are in, include:
- Different and advanced malware-based attacks resulting in ransomware
- Phishing and social engineering attacks focused on compromising credentials and downloading malware
- Supply chain attacks
- Insider threats
- Exposures due to zero days across the enterprise ecosystem
- Cloud-based attacks
Our readiness to tackle such threats and attacks is driven by layers of defences: protection and detection controls deployed in our environment; our SOC team working very closely with the security and IT teams to ensure the protection controls are well configured; and our security engineering team using the necessary threat model inputs to focus the detection rules and the capabilities of the tools, together with effective incident response for timely detection and response.
How do you leverage threat intelligence to improve your security posture?
In my opinion, the adoption of Cyber Threat Intelligence (CTI) signifies a shift from a reactive to a proactive cybersecurity posture. While enabling cyber threat intelligence lets analysts take informed decisions based on high-level, actionable data, it is also important not to get carried away with the immense amount of information collected or made available through CTI.
The focus is to reduce cyber-attack "dwell times" via intelligence-driven hunting/detection and mitigation processes, which also consider threats in the context of the business.
From an outcome perspective, we have made it quite clear that we need a clear line of sight to the applicable threat-related information, linked to the latest TTPs, vulnerabilities, attack scenarios etc., for our threat-specific response strategy. The necessary actionables, including advisories for validation and remediation actions, are performed on a continuous basis and tracked by our SOC operations. We ensure our threat intelligence improves situational awareness in our cyber operations for detecting and handling threats and zero-day vulnerabilities effectively, with appropriate attribution.
Can you share an example of a successful threat-hunting operation?
As mentioned earlier, threat hunting, if not oriented to outcomes, can become more of a data analysis overload, so we have taken a cautious approach, looking at our threat models and attack vectors like identity, perimeter, authentication and access events, and endpoint telemetry for running specific proactive hunt use cases to detect anomalies and perform the necessary incident response processes. Our hunting process is oriented more to augmenting the detection use cases and helping uncover the anomaly patterns focused on specific attack vectors for targeted outcomes.
We also follow a very robust hunting operation for the applicable Indicators of Compromise (IOCs), which are tracked by our Cyber Threat Intelligence (CTI) team from the external sources we use for threat intelligence. The hunting and searching for the IOCs continues through our SOAR platform, with automation developed to detect any hits over a defined period running on our SIEM/EDR platforms.
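The scheduled IOC sweep described in this answer, as an added example by the editor rather than Genpact's code: a CTI-sourced indicator set is matched against normalised log events inside a fixed lookback window, and every host with a hit is surfaced for escalation. The indicators (documentation and TEST-NET addresses, a dummy hash), the event records, their field names, the 30-day window and the fixed clock are all constructed for the example; a real job would pull indicators from the CTI platform and query the SIEM/EDR rather than a Python list, but the matching rules (exact hash, exact IP or CIDR membership, exact domain or subdomain but never a lookalike) are the part worth getting right.

```python
"""Bounded-window IOC sweep of the kind a SOAR job would run on a schedule.

Added illustration, not Genpact's code: the indicator set, the event records,
the field names, the lookback window and the fixed clock are constructed.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed indicators: documentation/TEST-NET addresses and a dummy hash.
IOCS = {
    "domain": {"bad-updates.example", "cdn.evil-example.net"},
    "ip": {"203.0.113.45", "198.51.100.0/24"},      # single host and a CIDR block
    "sha256": {"a" * 64},
}
NETWORKS = [ipaddress.ip_network(n, strict=False) for n in IOCS["ip"]]

# Constructed events, as they might be normalised out of EDR, proxy and firewall logs.
EVENTS = [
    {"ts": "2024-05-01T10:15:00Z", "host": "wks-17", "source": "edr",
     "sha256": "a" * 64},
    {"ts": "2024-05-01T11:02:00Z", "host": "wks-22", "source": "proxy",
     "domain": "update.bad-updates.example", "dst_ip": "203.0.113.45"},
    {"ts": "2024-05-03T09:00:00Z", "host": "srv-db1", "source": "fw",
     "dst_ip": "198.51.100.77"},
    {"ts": "2024-04-01T08:00:00Z", "host": "wks-05", "source": "proxy",
     "domain": "cdn.evil-example.net"},          # older than the window: ignored
    {"ts": "2024-05-02T12:00:00Z", "host": "wks-09", "source": "proxy",
     "domain": "notbad-updates.example"},        # lookalike: must not match
]
NOW = datetime(2024, 5, 4, tzinfo=timezone.utc)   # fixed clock for reproducibility


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def domain_hit(domain: str):
    """Return the matching indicator for an exact match or a subdomain of it."""
    d = domain.lower().rstrip(".")
    for ioc in IOCS["domain"]:
        if d == ioc or d.endswith("." + ioc):
            return ioc
    return None


def ip_hit(ip: str):
    """Return the matching network (as a string) if the address is an IOC."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:        # malformed field in the log: no match, no crash
        return None
    for net in NETWORKS:
        if addr in net:
            return str(net)
    return None


def sweep(events=EVENTS, now=NOW, lookback_days=30):
    """Return one hit per (event, indicator) pair inside the lookback window."""
    since = now - timedelta(days=lookback_days)
    hits = []
    for ev in events:
        if parse_ts(ev["ts"]) < since:
            continue
        matches = []
        if ev.get("sha256") and ev["sha256"].lower() in IOCS["sha256"]:
            matches.append(("sha256", ev["sha256"]))
        if ev.get("domain") and (m := domain_hit(ev["domain"])):
            matches.append(("domain", m))
        if ev.get("dst_ip") and (m := ip_hit(ev["dst_ip"])):
            matches.append(("ip", m))
        for kind, indicator in matches:
            hits.append({"host": ev["host"], "source": ev["source"],
                         "ts": ev["ts"], "type": kind, "indicator": indicator})
    return hits


def hosts_for_escalation(hits):
    """Distinct hosts with at least one hit, for an incident to be opened."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    for hit in sweep():
        print(hit)
    print("escalate:", hosts_for_escalation(sweep()))
```

Two details matter in practice: the lookback window must be bounded so a freshly added indicator is not swept against years of retained logs on every run, and domain matching must anchor on a dot boundary, otherwise `notbad-updates.example` would be reported as a hit for `bad-updates.example` and feed the alert fatigue discussed later in the interview.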
How do you ensure consistent security across multiple cloud environments?
The adoption of multi-cloud environments has increased with digital transformation requirements and business benefits. Securing multiple cloud environments requires robust strategies that align with security, compliance, and data protection regulations. Different cloud service providers' security protocols and procedures may vary, which makes maintaining uniform standards across platforms difficult.
Therefore, we started by standardizing our security controls and common minimum baselines (CMBs) as a first step towards migrating to and adopting different cloud service providers (CSPs). To ensure effective monitoring and governance, we started leveraging advanced tools in the cloud for maintaining cloud security posture, infrastructure entitlement management, workload protection, compliance, integration of security and audit activity logs into a central SIEM with threat-driven correlation rules, and enhancing data security posture requirements.
For our AI adoption, we are also looking for capabilities that give continuous visibility and proactive risk mitigation across our AI models, training data and other services, through the new concept of AI security posture management.
What are the biggest challenges in building and retaining a world-class SOC team?
This is the most difficult part of the job for SOC leaders to handle while ensuring operational continuity with mature efficiency. Some of the key challenges in my experience include:
Combating alert fatigue - We reduce alert fatigue through a continuous process of filtering, correlating and prioritizing alerts based on severity, risk context and relevance. We focused on improving our detection capabilities to reduce alert fatigue and introduced automation for the playbook steps where possible.
Skill gap - To address the skill gap, we invest in continuous learning and development for our SOC team members, such as providing them with training, certifications, mentoring, and career progression opportunities. We also emphasize cross-domain skill development and selecting candidates from diverse backgrounds. We prioritize technical skills, managerial skills and soft skills for all team members, as they are all very important for building a stronger culture in our SOC function.
Exposure to a number of dashboards/console tools - To solve the tool integration problem, we adopted a centralized security orchestration, automation, and response (SOAR) platform, enabling us to automate workflows, streamline operations, and improve visibility and collaboration.
How do you foster a culture of security within the organization?
Genpact is committed to driving Information Security Training and Awareness programs across the company and believes that targeted training can effectively build a culture focused on information security and risk management.
We operate continuous assessment programs to influence the behaviour of our employees and build our security culture through:
- Periodic phishing and spear phishing assessments, a progressive outreach program following each phishing assessment, and interactive online games and quizzes for awareness;
- To ensure motivation, a Champions program to amplify security messaging at all levels; and
- Education through mandatory e-learning training, newsletters and awareness emails, awareness months (e.g. Cybersecurity Awareness Month in October, Data Privacy Day in January) and role-based, targeted bite-sized trainings for specific user populations such as privileged users and developers.