Shielding Enterprises from Evolving Cyber Attacks with a Digital Security Framework

Abstract

As the IT landscape evolves, cyber threat actors also mature in response, developing new techniques to compromise the security posture of enterprises. Some companies take a proactive stance against these breaches, while most adopt reactionary one-off measures. This begs the question: would a predictive approach be more effective? Armed with a well-defined strategy, companies can build a digital security fortress while ensuring their IT infrastructure continues to mature and strengthen in the face of potential threats. Unlike most one-stop solutions, such a process-oriented journey starts with due diligence, moves into thorough security testing, creates an auditing framework, and finally transforms into a robust governance model.
From Reactive to Proactive and Predictive Cyber Security

In recent times, a number of enterprises have fallen prey to cyber-attacks, and the damages caused are reportedly expected to reach USD 6 million annually by 2021 [i]. For hackers, the focus has shifted from targeting network and system level vulnerabilities to running application level exploits across industries, particularly in the financial sector [ii]. Rather than investing in intrusion detection systems (IDS) alone, enterprises should implement a holistic vulnerability management program that ensures fewer security breaches. Traditional security tools, such as IDS and firewalls, have so far been ineffective in preventing DoS attacks despite regular scans of applications and the overall IT infrastructure. These systems continue to exhibit security defects like cross-site scripting (XSS) flaws. These issues are further exacerbated as organizations diversify their IT portfolio and lines of business, wherein cyber security takes precedence only during the final stages of 'go live', when applications move from the testing to the production environment.

To define, build, and implement an efficient and effective enterprise security strategy, organizations will need to formulate strong delivery and operational models. These models must have a suitable auditing and governance framework that ensures effective implementation, identifies gaps, and recommends steps for improving the security posture. Such an enterprise security management program should largely have four stages:

Stage 1: Security Consulting (Due Diligence)

Also known as the 'as-is study' and 'process defining' phase, the first step is to correctly assess the enterprise security posture and study existing processes and controls in line with various industry standards such as those of the National Institute of Standards and Technology (NIST). The next step involves developing a detailed threat profile that best suits the enterprise's IT landscape, lines of business, and the overall industry. This will act as the baseline to assess, analyze, and categorize IT assets with respect to potential attack risks and damages.
Organizations can then prioritize those assets that require more time and investment. This will help in formulating a prioritized security assessment plan that covers the entire IT portfolio, and also defines specific delivery models for unique test cases (Figure 1).

[Figure 1: Steps for Due Diligence (an as-is study following a risk-based approach). Scope Finalization: define in-scope and out-of-scope items for the due diligence activity; identify key stakeholders; define assessment plan, schedule and deliverables; scope validation and sign-off. Information Gathering: gather information on all in-scope asset inventory; gain understanding of the technical, functional and business requirements; formulate assumptions, prerequisites and dependencies; formulate threat profile. Assessment & Analysis: assess asset inventory/landscape; analyze processes from a security perspective; identify gaps and formulate a plan for security assessment/testing.]

Stage 2: Security Assessment and Testing

This stage involves code reviews and tests to identify performance, security, or reliability flaws in applications before they go live. Enterprises will need to perform periodic automated vulnerability scans and manual tests to discover security defects and define remediation measures. Security testing needs to be a methodical approach considering the business, functional, and technical priorities of the in-scope IT elements, which include web-facing applications, thick clients, desktop applications, workstations, and so on. With the help of a detailed assessment report, enterprises will gain a better understanding of the current security posture and gain insights into specific issues and their respective severity levels, issue reproduction steps, and remediation measures to be implemented.

Stage 3: Auditing, Monitoring, and Training

While periodic assessment and testing is conducted, it is imperative to evaluate the effectiveness of these activities and identify gaps, if any. The auditing process must be in line with industry standards such as the Federal Information Security Management Act (FISMA), and the guidelines and scope will depend on the line of business or industry. Each identified gap must have a corresponding corrective measure along with a specific implementation timeline.
This will ensure holistic closure of the issue, not just for the identified instance but also at the application's code or framework level. The closure would then be revalidated and confirmed by the internal security testing and audit team. The primary aim is to refine and enhance the current testing or assessment activity and improve on it.
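The following is an added example, not code from the original white paper or from TCS, showing how the Stage 1 to Stage 3 rules described above can be tracked in a findings register: assets carry a criticality from the due-diligence threat profile, findings are ranked by severity weighted with that criticality, each finding gets an SLA deadline from its severity, and a finding only counts as closed once it has been revalidated, with instance-only fixes flagged for the auditor. The severity ranks, SLA windows, asset-criticality scale, and the sample findings are constructed assumptions.

```python
"""Risk-based prioritisation and audit tracking for assessment findings.

Added example, not code from the original white paper or from TCS. The
severity ranks, SLA windows, asset-criticality scale and sample findings
are constructed assumptions chosen to illustrate Stages 1 to 3.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed remediation windows in days per severity (constructed; a real
# program takes these from its FISMA/NIST-aligned security standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: str            # one of the SLA_DAYS keys
    asset_criticality: int   # 1..5 from the Stage 1 threat profile (assumed scale)
    found_on: date
    title: str
    closure: str = "instance"          # "instance" fix or "framework" (root-cause) fix
    remediated_on: Optional[date] = None
    revalidated: bool = False          # confirmed by the internal audit/testing team

    @property
    def due_on(self) -> date:
        return self.found_on + timedelta(days=SLA_DAYS[self.severity])

    def risk_score(self) -> int:
        # Severity alone ranks defects; weighting by asset criticality ranks risk.
        return SEVERITY_RANK[self.severity] * self.asset_criticality

    def is_closed(self) -> bool:
        # A gap counts as closed only once the fix has been revalidated.
        return self.remediated_on is not None and self.revalidated

    def is_overdue(self, today: date) -> bool:
        return not self.is_closed() and today > self.due_on


def prioritise(findings: List[Finding]) -> List[str]:
    """Open findings ordered by risk score, earliest SLA deadline first on ties."""
    open_items = [f for f in findings if not f.is_closed()]
    open_items.sort(key=lambda f: (-f.risk_score(), f.due_on))
    return [f.finding_id for f in open_items]


def audit_gaps(findings: List[Finding], today: date) -> List[Tuple[str, str]]:
    """Gaps an auditor would raise against the remediation process."""
    gaps = []
    for f in findings:
        if f.is_overdue(today):
            gaps.append((f.finding_id, "overdue"))
        elif f.remediated_on is not None and not f.revalidated:
            gaps.append((f.finding_id, "awaiting revalidation"))
        elif f.is_closed() and f.closure == "instance":
            # Fixed where it was found, but not at code/framework level.
            gaps.append((f.finding_id, "instance-only closure"))
    return gaps


# Constructed sample register; asset names and findings are illustrative only.
SAMPLE_FINDINGS = [
    Finding("F-001", "payments-web", "high", 5, date(2018, 1, 2),
            "reflected XSS in search form"),
    Finding("F-002", "intranet-wiki", "critical", 2, date(2018, 1, 10),
            "outdated TLS configuration"),
    Finding("F-003", "hr-portal", "medium", 4, date(2017, 10, 1),
            "missing rate limit on login", closure="instance",
            remediated_on=date(2017, 11, 1), revalidated=True),
    Finding("F-004", "payments-web", "high", 5, date(2018, 1, 5),
            "SQL injection in report filter", closure="framework",
            remediated_on=date(2018, 1, 15), revalidated=False),
    Finding("F-005", "kiosk-desktop", "low", 1, date(2018, 1, 15),
            "verbose server banner"),
]
TODAY = date(2018, 1, 20)  # constructed reference date for the report


if __name__ == "__main__":
    by_id = {f.finding_id: f for f in SAMPLE_FINDINGS}
    for fid in prioritise(SAMPLE_FINDINGS):
        f = by_id[fid]
        print(f"{fid} {f.asset:14} {f.severity:8} risk={f.risk_score():2} due={f.due_on}")
    for fid, reason in audit_gaps(SAMPLE_FINDINGS, TODAY):
        print(f"audit gap: {fid} {reason}")
```

Note how the ordering differs from a severity-only list: the critical finding on the low-criticality intranet asset ranks below the two high findings on the business-critical payments application, which is the effect of feeding the Stage 1 threat profile into Stage 2 prioritisation. The audit view separates three distinct process gaps (missed SLA, fix not yet revalidated, fix applied only at the instance rather than the framework level), each of which would need its own corrective measure and timeline.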
Based on the findings from these audits, enterprises can plan and conduct security awareness sessions, classroom or web training, and certification programs. These should cover:

Ethical hacking
Secure SDLC
Secure coding
OWASP Top 10
OSSTMM
BSIMM
Agile security
DevOps
Cloud security

Stage 4: Security Governance

The next step is to establish a robust governance program using the Open Software Assurance Maturity Model (OpenSAMM) as the baseline (Figure 2). This model will help define the broad business functions and the associated security policies and frameworks, which can be customized as per requirements. This will be followed by formulating detailed security standards and guidelines for every process or work stream according to industry standards.

[Figure 2: SAMM Overview [iii]. Software development business functions and their security practices: Governance (Strategy & Metrics; Education & Guidance; Policy & Compliance); Construction (Security Requirements; Threat Assessment; Secure Architecture); Verification (Design Review); Deployment (Environment Hardening; Operational Enablement; Vulnerability Management).]
In order to achieve application security maturity, organizations will require policies and guidelines catering to secure SDLC consulting and implementation, as well as agile and DevOps security management as per NIST, ISO, BSIMM, OSSTMM, and similar standards. Similarly, the infrastructure elements will need to establish security principles based on NIST, ISACA and ISO. The next step would be to strategize and establish an enterprise-wide vulnerability management program which includes IT security risk assessment and management, and vulnerability management addressing the application landscape and infrastructure elements. This enterprise security governance and compliance strategy must be approved and subsequently supported by senior management for effective implementation. The governing body overseeing the audit and monitoring activities should ideally be accountable to the CISO and the board of directors.

Implementing the Right Delivery Models

The success of such a strategy depends on the effective implementation of a layered delivery model (Figure 3), supported by either a dedicated team or through SLA-driven shared services.

[Figure 3: A Layered Delivery Model. Shared model: a Management Layer, an Analysis Layer and a Scan Layer, using customer-owned or self-owned tools, serving Customer 1, Customer 2 and Customer 3. Dedicated model: each customer has its own Dedicated Team, Dedicated Tools and Delivery SPOC.]
Each layer (core operational, functional, and strategic) should be staffed per the skills required to execute the required activities. For handling one-off tasks, individuals with the necessary capabilities can be deployed, while for larger programs, an entire team can be assigned. While formulating the delivery model, enterprises must factor in cost, quality, and turnaround time.

Journeying through the Stages of Security Maturity

For any organization, the main objective will be to transition from reactive to predictive management of information security. The reactive approach tends to be more event-driven, where one establishes a defense mechanism after a breach or attack has occurred. Instead, enterprises need to be more proactive, implement layered security solutions, conduct periodic assessments, and close the gaps before the systems are breached. This will eventually help them move to a predictive model, analyzing threat vectors and metrics, and focusing on building and implementing a more cohesive security solution. These stages are highlighted in Figure 4.

[Figure 4: Stages of security maturity. Reactive (Event Driven): defensive strategy; log analysis; perimeter monitoring solutions; event-driven and retrospective metrics. Proactive (Defense in Depth): layered and integrated solution; automated scans and analysis, secure code reviews; risk, audit, and compliance management. Predictive (Predictive & Prospective): offensive and contextual approach; predictive analysis and modeling; threat intelligence; pattern-driven and prospective metrics.]

Securing the Road Ahead

The security unit within any organization must be empowered with the ability to either remediate or root out cases of noncompliance. This unit must be monitored and complemented by an equally strong audit and governance team, which directly works with and reports to senior management. Enterprises with a global footprint operating multiple lines of business should adopt a top-down approach to successfully implement such strategies. While there is no silver bullet when it comes to ensuring security, the battle against cyber threats can be won through meticulous strategic planning.

References

[i] https://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics-for-2017.html
[ii] http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
[iii] http://resources.infosecinstitute.com/implementing-secure-software-development-program/#gref
About the Author

Dinesh Sawriraja is an Information Security Consultant and Delivery Lead with the Cyber Security Practice at Tata Consultancy Services (TCS). He has more than nine years of experience in application security, risk management, and data security. He has worked with many leading enterprises including one of the Big Four audit and consulting firms, a major Australian retailer, and the British government. Dinesh is a mechanical engineer and has a double master's in Management Operations, and Marketing and Finance.

Contact

Visit the TCS Cyber Security page on www.tcs.com
Email: cyber.security@tcs.com

Copyright 2018 Tata Consultancy Services Limited