2021 Trends – Continuous Security Validation – Practical Strategies & Tactics

Bank fireside chat

In our recent Fireside Chat episode, our speaker Bikash Barai, Co-Founder of FireCompass, discussed upcoming security trends in banking, such as Continuous Security Validation, with two industry veterans – Ananth MS, CISO, Jana Bank, and Akhil Verma, CISO, Airtel Payments Bank. The discussion ranged from recent breach trends to how one can build a strong security architecture for their organization, and on to the latest and upcoming trends in cybersecurity.

To listen to the discussion, click below. I have also summarised the discussion to help you get the gist of it.

The Key Reasons For Cyber Breaches In 2020

While a lot of threat vectors were mentioned, Akhil Verma, CISO, Airtel Payments Bank spoke about changing times and the new modalities that are coming into the picture.

A 2020 cyber breach of a certain microblogging platform was discussed, which was primarily a spear-phishing attack in which their user data was compromised. The modus operandi may have been different, but the point to note is that the attackers went after human vulnerability.

Akhil mentioned another breach of a popular online platform that people were using during the lockdown, which was primarily a credential stuffing attack. Breaches keep happening through some human element, mainly because people do not take security seriously and do not change their passwords often. Akhil adds, “We look for complications in breaches but it’s the most basic things that cause these attacks”.

We look for complications in breaches but it’s the most basic things that cause these attacks.

Akhil Verma, CISO, Airtel Payments Bank

A very interesting observation about leaked credentials was made by Bikash Barai, who mentioned that there are two kinds of attacks carried out using leaked credentials: one is very simple and the other slightly more complicated.

It is very common for attackers to use leaked credentials from eCommerce websites and spend the credits stored in those accounts. A more complicated attack would be a six- or seven-stage attack that starts from a leaked credential and ends in a high-level organizational breach.

Ananth MS mentioned that “As a banker, my main concern is the data is not stored within the 4 walls anymore, it is everywhere, with partners with service providers, etc”.

Historically, attacks often do not hit a particular organization directly; they may come through a service provider, whose systems are easier to breach. Also, attacks today are not just financial attacks; they have spread everywhere.

A pharmaceutical company was breached too, just when people were talking about the Covid-19 vaccine. Ananth felt, however, that the basics needed to be strong.

For example, if a leaked credential could lead to a seven-stage attack and the attack was allowed to reach the 7th stage, it suggests that their basics were not in place.

As a banker, my main concern is the data is not stored within the 4 walls anymore, it is everywhere, with partners with service providers, etc.

Ananth MS, CISO, Jana Bank

Last year we saw many attacks happening because of shadow IT. Bikash confirmed that “there is a term called the shadow vendor, where vendors have access to your assets and you are not aware of it”.

Key Security Trends In 2021

Some of the new security trends for 2021 were discussed, such as continuous security, red teaming, blue teaming, and purple teaming.

Akhil mentioned that people still do traditional VAPT, where one finds vulnerabilities once a quarter and the next test happens only in the following quarter. The time lost in that gap is not safe. One needs some form of security that is continuous. Basically, one should know about the things that are not normally visible, whether shadow IT assets, open ports, etc. These are an everyday problem, so there has to be a form of security in place that exposes these invisible problems every day.
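As an added illustration of the point above (example code, not from the fireside chat or from FireCompass), the following script diffs two daily external scan snapshots against a known asset inventory and reports what a quarterly VAPT would leave undiscovered for months: hosts nobody registered (shadow IT) and ports that were not open yesterday. The hostnames, ports and inventory are constructed sample data.

```python
# Added example: a minimal continuous-validation check. Each snapshot maps a
# host to the set of ports an external scan saw open on it. All data below is
# constructed for the example; the hosts are hypothetical.
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Set[int]]  # host -> open ports seen from the outside

# Constructed sample data: what IT knows about, versus two days of scanning.
KNOWN_INVENTORY: Set[str] = {"web01.example.com", "api01.example.com"}

YESTERDAY: Snapshot = {
    "web01.example.com": {443},
    "api01.example.com": {443},
}
TODAY: Snapshot = {
    "web01.example.com": {443, 22},      # SSH newly exposed on a known host
    "api01.example.com": {443},
    "staging-db.example.com": {5432},    # answers publicly, not in inventory
}


def diff_exposure(previous: Snapshot, current: Snapshot,
                  inventory: Set[str]) -> List[Tuple[str, str, int]]:
    """Return sorted (finding, host, port) tuples; port 0 = host-level finding."""
    findings: List[Tuple[str, str, int]] = []
    for host, ports in current.items():
        if host not in inventory:
            # Reachable from the internet but unknown to IT: shadow IT asset.
            findings.append(("shadow_asset", host, 0))
        # Ports open today that were not open in the previous snapshot.
        for port in sorted(ports - previous.get(host, set())):
            findings.append(("new_open_port", host, port))
    for host, ports in previous.items():
        # Ports that disappeared are recorded too: was the change approved?
        for port in sorted(ports - current.get(host, set())):
            findings.append(("port_closed", host, port))
    return sorted(findings)


if __name__ == "__main__":
    for kind, host, port in diff_exposure(YESTERDAY, TODAY, KNOWN_INVENTORY):
        print(f"{kind:14} {host:24} {port or '-'}")
```

Run daily against real scan output, the empty-diff case is the normal one and each non-empty line is a change somebody has to own.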

One roadblock was noted for red teaming: the blue and red teams need to work together. If the blue team sees itself as the defenders and the red team as the attackers, the organization is the one that loses.

While we talk about new trends, one of the things discussed was that people still confuse pentesting with red teaming. 


There is a term called the shadow vendor, where vendors have access to your assets and you are not aware of it.

Bikash Barai, Co-Founder, FireCompass

Bikash mentions that conventional pentesting basically says: here is my target system, here is the IP address, now find the security flaws. Red teaming is not just about a target system; it is based on an objective. You are not given a list of assets, systems or an inventory, but you need to figure out how to break in. In short, if pentesting is a surgical strike, then red teaming is a full-fledged war.

Bikash confirms that RBI’s move to make red teaming mandatory for banks was a good thing. Very few authorities worldwide have taken cybersecurity that seriously.

Bikash also mentioned that “security needs to be continuous and techniques like red teaming, VAPT, etc are not scalable and cannot be continuous. So that’s why continuous security validation is becoming a new trend in the industry.”

Basically, a new set of tools is coming up to scale the old techniques and take them to the next level.

Ananth adds that with everyone moving to work from home in the last year, digital transformation has become the new normal for every business. With businesses moving to the cloud, MFA will hold more ground. One needs to understand the asset inventory: today people in an organization do not need to go through the IT team to put an asset on the cloud, and that increases the organization’s attack surface. Most important of all is the awareness program for people, since so many fall victim to phishing attacks. That is why ASM (attack surface management) tools are gaining momentum.

Security needs to be continuous and techniques like red teaming, VAPT, etc are not scalable and cannot be continuous. So that’s why continuous security validation is becoming a new trend in the industry.

Bikash Barai, Co-Founder, FireCompass

Critical Capabilities That An Organization Should Have For The Future

Some of the things discussed here were having the right combination of people, process, and technology, and the question: once you know the vulnerabilities in your organization, how soon can you remediate them?

People still do traditional VAPT, where one finds vulnerabilities once a quarter and the next test happens only over the next quarter. The time that one loses in the gap is not safe. One needs some form of security that is continuous.

Akhil Verma, CISO, Airtel Payments Bank

The concept of security by design was discussed too, which means the security team should be aware of everything from the beginning and should be prepared.

Ananth, Akhil, and Bikash signed off by discussing more on building a security infrastructure for the organization and listing the success factors.