FPJ Cyber Secure: Banks Have Had Crores Siphoned Off, Portals Have Had Customer Data Exposed

Cymulate, founded in Israel by an elite team of former Israel Defense Forces intelligence officers and leading cyber researchers, is now a multinational provider of cybersecurity solutions to hundreds of companies worldwide, including leading healthcare and financial services. An interview with Shailendra Shyam Sahasrabudhe, country manager (India, UAE, Southeast Asia) Cymulate Ltd.

FPJ Web Desk | Updated: Monday, August 21, 2023, 11:45 AM IST

What is the difference between defensive and offensive solutions for cybersecurity?
For the last 20 years, customers have deployed defensive cybersecurity, that means primarily, the objective is to protect themselves—when something happens, we will block, or investigate, or be alert. That is actually a reactive approach, where you only start blocking after the attack has happened.

Offensive security is much more from an offensive perspective, using all the tactics, techniques that hackers around the world have used to challenge every security control and fine-tune it. All defensive security controls are already there, but they need to be configured properly, they need to be updated. It needs to be ensured that all the configurations or definitions are updated on a regular basis. Only then you can actually make the cost of an attack exorbitant for the hacker.
For every cyber attack, there is a cost. When you make the cost of that attack exorbitant for the hacker, the hacker would move to a different target. So the objective of using offensive security is actually to use all the means and methods that hackers around the world use. The idea is to challenge your security, defensive security controls that you have deployed for the last 20 years.

It’s like when a hacker is using state of the art weapons and you're using a sword to defend, you're never going to win. So it's all about continuously validating your posture, and ensuring that whatever you have, you use it in the best possible way.

As technology keeps improving, is there a likelihood of cybersecurity and threat levels eventually reducing, you think? Or will Indian companies only face more attacks and more threats going forward?

If you read all the reports, in the last year, some organisations quantified that data theft cost in India is about Rs 18 crore for every threat. And India witnessed close to a million plus cyber attacks in the last one year, which is almost 150% growth over year.
The cybersecurity products market has grown too, and so have your threats, and the cost of data breaches has also increased. All that points to the fact that just by investing in technology and adding new layers of technology your cyber exposure may not come down. Exposure to cyber threats can only come down by fine tuning what you have invested in.
Today, the biggest challenge for the industry is whatever validation methods the industry has, they are never available on demand. People are validating their security once a quarter or once in six months, when they are facing hundreds or thousands of threats on a daily basis.
Unless industry changes the approach of validating what they are investing in, we will keep getting the same contradictory figures, which show that we keep investing but at the same time the number of attacks is also increasing and the cost of data breaches is also increasing.

Are there any tools that industry can adopt to be constantly validating their security systems? Is there a way for companies to be constantly quantifying their threat levels?
Yes, there are tools available. One is called an attack simulation where you launch attacks on your internal security controls and try to find out how they are misconfigured, and a second one is the data of the organisation that is already out in the public domain that may be used to launch a targeted attack, so what is your external threat?
There are tools and technologies available. Smart organisations are deploying it effectively to contain the risk financially. Every organisation has to live with cyber risks.
The most important thing is that risks should be manageable and that risks should be already known in advance to the customer, to their management, so that they can afford to live with it. They know what costs are associated with that risk. There is a breach-and-attack simulation technology or attack surface management, or Continuous Automated Red Teaming, these are the technologies that are available.

Are these expensive solutions that small companies may find prohibitively expensive to implement?
What I'm trying to say is you can adopt the solution based on the industry they are in and the solutions are also quite affordable. The cost associated with data breaches is already pinpointed by different researchers, and I think managements will have to make necessary adjustments in their budgets. 


Because there is now a realisation that the cyber attacks are going to pose a real threat. Breaches could disrupt your supplies, it could disrupt your production cycles. Not only large companies are at risk, all the smaller companies and small organisations also have to worry. Frankly, from a cyber security point of view, everybody has to worry.


Also, as the general saying goes, whatever you purchase, you need to use it effectively. And this applies for tools that small organisations may have but need to optimise and fine-tune.

Are there any interesting examples you can share about what are the kinds of attacks that companies in India are facing and how their operations are getting disrupted during a cyber attack?
Already, there are a lot of high profile attacks that have happened in India that are in the public domain.


Cymulate’s job is to tell customers that the same kind of high-profile attack can happen in many more ways in your organisation. As a company we have already told many customers that these are different methods, every security control that they have deployed may be breached, and these are the ways how they're getting breached and what they need to do so that they improve the mitigation.


There are case studies on our website in which organisations using our technology have said that they previously thought they had many things configured but realised now there were misconfigured security systems. And these could have actually exposed the organisation to different potential attacks, and we took preventive and preemptive action.

I think every organisation in India would have been attacked by some or the other cyber attack. They need to look at it as not one attack, but that there may be more attacks that may have already happened and the organisation had not noticed it.

We have some banks in India where crores of rupees were siphoned off, we have some online portals where the customer data, their transaction details, everything has been exposed.

Our latest data privacy laws published by Parliament are very stringent now. So if you look at the losses for organisation, there are intellectual property losses, they lose credibility in the market, they may face supply chain disruptions, logistics disruptions, order book mismatches, accounts fudging—there are multiple ways the organisations can be targeted to create a disruption in their operations.  

There are many more disruptive methods where there may not be an explicit demand for money through ransomware but potential losses in terms of disturbances in manufacturing. For example, a pharma company may find the parameters of its mixers changed, and they may have a totally different composition of tablets that could get manufactured. That is just a hypothetical example, but people are already preparing for it.

What would be your advice for any companies that are seeking to improve their security or pinpoint whatever their security gaps are in their networks? What is your advice to them?

See, one needs to be vigilant. And the only way one can be vigilant is by continuously monitoring the exposures.

My advice to customers is don't just blindly invest in cybersecurity products. Assess yourself, do an assessment and validation exercise, then create a roadmap for upgrades in new technologies. In the army, they say that it's important to know where the enemy is, but it's also equally important where we are.
