Unveiling Exploitability in Attack Surface Management: Key Pointers from CyberMindr Panel Discussion

Panelists

Ambarish Kumar Singh, CISO, Godrej & Boyce

Rajiv Nandwani, Global Information Security Director, BCG

Sachin Kawalkar, CISO, Neeyamo

Sudheer Kanumalli, Chief Technical Officer, CyberMindr

This discussion explored key themes, including the challenges of multi-cloud environments, the impact of shadow IT, leveraging AI and Gen AI, and best practices in patch management, zero trust, and risk scoring.

Multi-Cloud and Expanding Attack Surfaces

Ambarish Kumar Singh opened the discussion by addressing the exponential growth of attack surfaces driven by multi-cloud adoption and digital transformation. He highlighted how organizations, particularly in manufacturing, must carry legacy systems while transitioning to cloud platforms, and how the increasing integration of IT with OT environments has complicated matters further. Digital transformation has accelerated over the past few years, making visibility across cloud, on-premise, and IoT systems essential. Ambarish emphasized that cybersecurity and digital transformation are two sides of the same coin, stating:

"If you take ten steps forward in digital transformation without securing your attack surface, you may end up twenty steps back."

~ Ambarish Kumar Singh, CISO, Godrej & Boyce

Comprehensive visibility, holistic assessment of vulnerabilities, and proactive management are vital to ensuring organizations remain secure amidst rapid technological change.

Tackling Shadow IT and Third-Party Software Risks

The discussion shifted to Sudheer Kanumalli, who delved into the growing risks posed by shadow IT and third-party software components. He explained how reliance on open-source libraries and APIs, while accelerating development, also imports whatever vulnerabilities those components carry. An example cited was the Polyfill library, where attackers injected malicious payloads into SaaS applications through open-source components. Sudheer stressed that shadow IT now extends beyond traditional asset mismanagement to overlooked software elements within an organization's environment. To combat these risks, organizations must enforce strict policies, train employees, and require proactive declaration of third-party tools.

"Employees are the key to mitigating shadow IT risks. Without their participation, security teams face an uphill battle," Sudheer remarked.

~ Sudheer Kanumalli, CTO, CyberMindr

Tools like SIEM (Security Information and Event Management) and ASM (Attack Surface Management) can aid in identifying and securing hidden vulnerabilities.

AI and Generative AI: A Double-Edged Sword

As AI and Gen AI gain prominence, they introduce both opportunities and challenges. Sachin Kawalkar discussed how these technologies are transforming attack surface management. While AI aids in discovering, prioritizing, and remediating risks, it also adds new vulnerabilities. Attackers are leveraging AI for model exploitation and poisoning. Sachin highlighted the importance of Software Composition Analysis (SCA) as an additional layer to traditional vulnerability assessments. SCA enables organizations to analyze dependencies, third-party libraries, and free utilities to detect vulnerabilities early in the development lifecycle. Visibility and threat modeling remain key to securely adopting AI and Gen AI, as Sachin put it:

"AI is a powerful ally, but without robust visibility, it can also become a gateway for attackers."

~ Sachin Kawalkar, CISO, Neeyamo
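The dependency analysis Sachin describes, and the third-party component risk Sudheer raised with the Polyfill example, come down to one routine question: does any pinned component fall inside a known-affected version range? The Python below is an added illustration written for this summary, not tooling from CyberMindr or any panelist. It parses a requirements.txt-style manifest, matches each pinned package against a small advisory feed, ranks findings by severity, and separately flags unpinned specs that cannot be assessed. The package names, version ranges and EXAMPLE-ADV-* identifiers are constructed for the example and are not real advisories; a production SCA tool would draw its feed from a continuously updated source.

```python
"""Minimal Software Composition Analysis (SCA) check.

Added illustration for this panel summary; not CyberMindr's or any panelist's
tooling. Package names, version ranges and EXAMPLE-ADV-* identifiers are
constructed for the example, not real advisories.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first patched version (exclusive); None = no fix yet
    advisory_id: str
    severity: str


# Constructed advisory feed (not real advisories).
ADVISORIES: List[Advisory] = [
    Advisory("examplelib", "1.0.0", "1.4.2", "EXAMPLE-ADV-0001", "high"),
    Advisory("samplejson", "0.0.0", "2.0.0", "EXAMPLE-ADV-0002", "critical"),
    Advisory("toyauth", "3.1.0", None, "EXAMPLE-ADV-0003", "medium"),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed dependency manifest for the example.
SAMPLE_MANIFEST = """\
# constructed manifest
examplelib==1.3.0     # inside the affected range 1.0.0 <= v < 1.4.2
samplejson==2.0.0     # exactly the fixed version, so not affected
toyauth==3.2.1        # affected, and no fix has been published
somehttp>=2.0         # unpinned: installed version unknown from the manifest
"""


def parse_version(text: str, width: int = 3) -> Tuple[int, ...]:
    """Turn '1.4' or '1.4.2' into a fixed-width tuple so that '1.4' == '1.4.0'.

    Trailing non-numeric parts ('1.4.2rc1') are ignored; this is deliberately
    simpler than PEP 440 but sufficient for the range comparison shown here.
    """
    nums: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    nums = nums[:width] + [0] * (width - len(nums))
    return tuple(nums)


def parse_manifest(manifest: str) -> Tuple[Dict[str, str], List[str]]:
    """Return {package: pinned_version} plus the specs that are not exactly pinned."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;]*)", line)
        if m:
            # normalise the name the way package indexes do (case, '_' vs '-')
            pinned[m.group(1).lower().replace("_", "-")] = m.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or when no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def scan(manifest: str, advisories: List[Advisory] = ADVISORIES) -> Tuple[List[dict], List[str]]:
    """Match pinned packages against the advisory feed; most severe findings first."""
    pinned, unpinned = parse_manifest(manifest)
    findings = []
    for adv in advisories:
        version = pinned.get(adv.package)
        if version is not None and is_affected(version, adv):
            findings.append({"package": adv.package, "version": version,
                             "advisory_id": adv.advisory_id,
                             "severity": adv.severity, "fixed_in": adv.fixed})
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 99))
    return findings, unpinned


if __name__ == "__main__":
    found, unresolved = scan(SAMPLE_MANIFEST)
    for f in found:
        fix = f"upgrade to >= {f['fixed_in']}" if f["fixed_in"] else "no fix published; mitigate or replace"
        print(f"[{f['severity'].upper()}] {f['package']}=={f['version']} {f['advisory_id']}: {fix}")
    for spec in unresolved:
        print(f"[UNPINNED] {spec}: pin the version so it can be assessed")
```

Two details matter in practice and are handled above: versions of unequal length are padded before comparison so that "1.4" and "1.4.0" are treated as the same release, and an advisory with no published fix still produces a finding, because the absence of a patch is exactly the case that needs a mitigation decision rather than silence.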

Zero Trust Architecture and Endpoint Challenges

Ambarish Kumar Singh shared his perspective on Zero Trust Architecture (ZTA) and the journey many organizations are on toward its full implementation. He stressed that the focus should be on reducing the external attack surface and defending against both known and unknown threats. Zero trust relies on adaptive security measures, with AI playing a crucial role. Ambarish explained:

"True zero trust isn't a one-step implementation. It's a journey where every security measure today must contribute to the overall strategy."

~ Ambarish Kumar Singh, CISO, Godrej & Boyce

The discussion also covered the growing complexity of endpoint management as employees increasingly use multiple devices. Sudheer highlighted the risks posed by personal devices syncing with corporate environments, emphasizing the need for robust monitoring and security policies.

Patch Management and Risk Scoring

Patch management remains a cornerstone of a strong security posture. Sachin Kawalkar shared insights on the importance of testing patches in controlled environments, particularly for critical systems. A holistic patch management process should encompass asset inventory, testing, and continuous monitoring.

On risk scoring tools, Ambarish Kumar Singh suggested that the choice between free and paid tools depends on the organization's maturity and specific needs. Sachin added that advanced tools with continuous threat feeds provide valuable insights for organizations handling sensitive data.

The Role of Simulations and Red Team Exercises

The panel emphasized the importance of simulations in testing response and remediation strategies. Sudheer Kanumalli advocated for continuous self-attacks in simulated environments, allowing organizations to identify vulnerabilities before global scanners do. Additionally, Sachin Kawalkar discussed the value of Red Team exercises, which simulate real-world attacks to test an organization’s defenses. Combining offensive and defensive techniques through Purple Teaming ensures a comprehensive approach to improving security postures.

Phishing and Employee Training

Phishing campaigns remain a vital training tool for organizations. The panel stressed that campaigns must simulate real-world scenarios to be effective. Sudheer Kanumalli shared a compelling example in which employees fell for a fake internal email offering a gift coupon, demonstrating the need for more realistic training.

"It's not just about identifying phishing emails; employees must be trained to report them actively."

~ Sudheer Kanumalli, CTO, CyberMindr

Looking Ahead: Continuous Improvement in Cybersecurity

The discussion concluded with a focus on the importance of visibility, proactive measures, and continuous improvement in managing attack surfaces. As organizations embrace new technologies, the need for robust tools, employee training, and adaptive strategies has never been more critical.