Reactive vs. pro-active cybersecurity: Why traditional security no longer works?

While data and information security was always important, COVID and the work from home thereafter have unleashed a security nightmare at a scale that one never imagined.

Dataquest and Keysight Technologies recently hosted a webinar on Reactive vs. Proactive Cybersecurity. The webinar is part of the magazine’s capacity building and information sharing initiative where we bring to you experts from the industry to talk about technology trends, latest developments and CIO challenges, as well as “how to” training programmes and strategy sessions.

The session was addressed by Rohit Naik, Application Engineer, Keysight Technologies, and moderated by Shubhendu Parth, Editor, Dataquest. Rohit Naik has over a decade’s experience across leading Network and Cybersecurity technologies and will take us through the steps and processes of proactive security, particularly since we all understand and know that in this hyper-connected world traditional security no longer works.

In fact, in its recent statement before the Parliament of India, the Ministry of Electronics and Information Technology said that Indian citizens and commercial and legal entities faced almost 7 lakh cyber attacks in 2020 up to August.

We are all aware that during the peak of border skirmish with in June, hackers based in China attempted over 40,000 cyber attacks on India’s Information Technology infrastructure and the banking sector.

We are also aware of the use of artificial intelligence and big data analytics by rogue companies, including the monitoring and profiling of over 10,000 influential Indians as part of a hybrid warfare that aims to cripple the economy by hitting the businesses.

So what do we do? While data and information security was always important, COVID and the work from home thereafter have unleashed a security nightmare at a scale that one never imagined. Today, CIOs and security experts are on their toes, ready to throw in more money.

But does that help? Can all this increase in investment in cybersecurity controls make the modern enterprise safe? One common problem that many organizations face is their inability to effectively measure their security posture. And if you can’t measure something, how can you manage and improve it?

This also means that you can’t quantify the risks to your business and therefore cannot calculate the return on your security investment, or understand how to optimize it.

The proactive approach that our speaker will talk about today will help you up the ante and prevent a breach from happening, rather than reacting to manage the situation.

Opening his presentation, Rohit Naik, Application Engineer, Keysight Technologies talked about the importance of proactive cybersecurity. There have been over 7 lakh cyber attacks in India, so far in 2020. That says various things.

One, we are probably lacking something on the cybersecurity front. Or, we are probably improving, and adding new tools. We are also adapting to the newer technologies. We are also talking about the remote workforce, where the traditional way of handling data has completely changed. Complexity has also been added to the network.

When you are doing something new, there will be some challenges. We have to change, going forward. Niti Aayog had mentioned that India is the third-most attacked country behind the USA and China. We have to change the way we are looking at cyber security. We are in the right direction, and adopting some new technologies.

Keysight conducted global research among people in leadership positions. There has been a lack of insight, leading to breaches. About 57% are confident that the security solutions are reducing risk. Only 35% can prove that their security solutions are correctly configured. And 50% discovered that a solution wasn’t working as expected only after experiencing a breach. Half the companies have seen that their solutions are not working once a breach has happened. You need to test your existing network.

We always keep on adopting newer technologies. SecOps teams are always on the defensive. When there is an incident, you really can’t expect two teams to collaborate. SecOps never really took off, as more focus is on the defensive side. SecOps are bombarded with alerts. Many tools are being added on the network. It is about monitoring the tools, looking at reports.

Threat intelligence has many approaches and many users. You are trying to gather intelligence and improve your action. Threat intelligence is strategic, operational, and tactical. There is threat hunting and incident response, followed by block, detect and remediate. Finally, there is breach and attack simulation. You need to look at the history of the different kinds of attacks in the past. The teams have to consume it in different ways to respond to the incident.

Traditional use of threat intelligence has been reactive. We are talking about taking this to the next level. We need the right visibility to the events happening on their tools, etc. You have to get proactive to complete the threat intelligence lifecycle.

The SOC team has to understand how to think like an attacker or a hacker. We want our SOC guys to be the soldiers in the network. You need to have the internal process and different frameworks. We are talking of advanced attacks. We want our teams to refer to some kind of framework.

They also need to understand what is happening in the market from an attacker’s framework. What is the pattern?

Attackers may have certain locations, and particular techniques. They may change the machines. Changing the technique may be a little difficult for the attackers, as per the experts. We should have SOCs to understand the techniques of attackers. We may create some process today.

We can either build teams or partner with companies. You should maximize the existing tools and measure the impact of new ones. You should run breach and attack simulations on your live production network to understand this better.

Keysight offers complete SecOps testing and visibility. We have branch locations across the globe. It is not easy to do threat hunting. Which are the attackers that are relevant to you? We have the expertise. You need to rethink the way you are using threat intelligence. We help our customers stay ahead. We have a global team of security researchers and application protocol engineers.

We manage a continuously updated database, cataloguing millions of known and emerging threats. We are a trusted partner of top NEMs, service providers, governments, and enterprises. In the real world, the Keysight ATI Research Center released the WannaCry audit 17 days before the attack. We need to improve and validate our networks more frequently.

Keysight has a threat intelligence database. The Keysight ATI Research gathers threat intelligence from different sources. You need to set up global honeypots. We have our own products set up on live networks. We also develop the evasion techniques. If a malware changes its pattern, it may be difficult. You have to train devices on those evasion techniques. We have to refine and analyze the feeds. All Keysight products consume the threat intelligence. There is a lot of hard work that goes into the ATI team.

Security assessments today include vulnerability assessments, breach and attack simulations, pen-testing and red teams, and pre-deployed security tests. You need to find a balance between validation frequency of attacks and validation thoroughness. There is no one-size-fits-all solution for cyber security.

You can run vulnerability assessments frequently. You can segregate the risks that you expect. The gap between getting these is also dependent on how long you need to patch up your tool. Pen-testing can be really expensive. They may try to find out whether there are vulnerabilities in your end points. These are a snapshot in time. How do you validate there are no errors in your reports? You can fall behind on time due to pen-testing.

Gartner is talking about the breach and attack simulation. You need to adopt a technology that addresses the gaps.

Breach and attack simulation tools are getting popular. There are different types of attacks. Also, misconfigurations cause breaches. You need to have a tool to tell you whether you have configured it wrongly. There are best practices for vendors that you can follow.

You can reduce risks using the Keysight threat simulator, to get automated, safe and continuous assessment. You can improve the security before purchasing new tools. You can easily remediate gaps in your coverage, and safely simulate the entire kill chain. You can also assess your detection and blocking capabilities, and stay ahead of the curve, thanks to the continuous releases. You also get a score that acts as a good reference point to check how you are doing. You need to consume the threat intelligence proactively to remain ahead in the game.

Threat intelligence should be accessible to 98%. It is ready to be used proactively. We have 15+ years of threat intelligence and security testing for the world’s largest organizations. Threat intelligence-driven breach and attack simulation is the output. Finally, networks have security gaps. Find out yours, before the attackers. EDR tools will be in demand. Cloud and encryption are going to be important.
