The discussions and consultations around the recent directions from CERT-In revealed a gap in how businesses secure their infrastructure against cyber attacks. Part of this is a capacity problem: a gap in knowledge and skills. Part of it is cultural: organizations need to develop a mindset in which they evaluate public-facing infrastructure in terms of risk and then plan how to mitigate those risks.
Network security monitoring (NSM) is one of the processes a business can put in place to detect and respond to cybersecurity breaches. Mature open source tools exist today that can be configured and deployed for continuous monitoring, reducing the time taken to respond to a threat. Secure, reliable and safe network infrastructure benefits the wider ecosystem, and businesses also need to build a sense of collective ownership of the topic.
This panel discussion will be held at the India FOSS 2.0 conference. The panel will discuss the drivers for network security monitoring, cover a set of approaches that reflect the current state of the art, and use examples from across industry sectors to show that network security monitoring is not a niche issue. The discussion will help participants get started quickly with security hygiene, provide an overview of regulation and policy in the domain of cybersecurity, and discuss the risks that originate from poor security practices.
Summary of panel discussion at India FOSS 2.0
About the panel #
Following the CERT-In directions1, conversations with SMEs indicated that cybersecurity, and network security in particular, is not yet an area of focus. The panel hosted by Rootconf at India FOSS 2.0 is an attempt to highlight some of the key aspects of building an organizational culture around network security and security monitoring.
On the panel were:
- Avinash Jain - security engineer on Microsoft’s Identity Platform. Avinash has worked as a security engineer at prominent companies such as CRED, Blinkit and Expedia Group.
- Shyamal Kumar, founder and CEO at Lavelle Networks. Shyamal has extensive experience working with, and observing, enterprise-level network security practices.
- Swapneel Patnekar, Managing Director at Shreshta IT Technologies Pvt Ltd. Swapneel’s work with SMEs and active involvement in international network security communities sharpen the insights he brings to the table on cost-effective and optimal tools and approaches that SMEs can use to secure their networks.
Dinesh Bareja, COO at Open Security Alliance, facilitated the panel. Dinesh has over 15 years of experience advising companies on cybersecurity safeguards and practices.
Context for Network Security #
The somewhat freewheeling discussion drew on the panelists’ industry experience and on the work they contribute to expand the body of knowledge in this field. Almost all of them agreed that the first and necessary step is to identify and assign ownership. Without clear ownership of network resources, accountability for their secure functioning stays fuzzy, and that is always the point at which ad-hoc decisions and non-standard approaches become embedded in the decision-making process. So the first bit is about ownership. It is also necessary to appreciate that security threats are increasing, and that they often do not even have to be innovative. The example given was WannaCry, the 2017 ransomware worm that spread through an SMBv1 vulnerability Microsoft had already patched in MS17-010: five years on, attempts to exploit it continue to show up on the extensive array of network monitoring sensors deployed to gather data and track trends in the kinds of network exploits underway.
Practical considerations towards building Network Security practice in your organization #
Ownership necessitates examining risks and then creating policies that mitigate them. The organization can thus walk the path from having no clearly defined way to secure network assets and the perimeter to having an assigned owner who has put a governance framework in place for those assets. Building policies also requires the individual or team responsible for network security to have an accurate, up-to-date and verifiable inventory of assets on the network. The panel touched on two trends that make this harder: cloud-based services, where temporary assets are instantiated and spun down continuously, and corporate networks that now carry a significant number of devices brought in by staff. “Who is on the network” is therefore an important question, and information security teams should have the means to answer it and to identify any adversarial presence.
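As an added example (not code from the panel, from Rootconf or from any panelist’s product), the following Python script reconciles a constructed asset inventory against constructed passive sensor observations of the kind an ARP or DHCP logging sensor would produce. It answers the “who is on the network” question in three ways: hosts seen on the wire that nobody owns, inventoried hosts not seen for longer than a threshold (the forgotten-server case), and inventoried hosts never seen in the window (a spun-down cloud asset, or a sensor blind spot). All IPs, MACs, hostnames and timestamps are made-up sample data.

```python
"""Reconcile a network asset inventory against what a sensor actually sees.

Constructed example: the inventory and the observations below are sample
data invented for illustration, not output from any real network.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: what the organisation believes it owns.
INVENTORY = {
    "10.0.1.10": {"name": "web-01", "owner": "platform-team"},
    "10.0.1.11": {"name": "db-01", "owner": "platform-team"},
    "10.0.2.50": {"name": "legacy-ftp", "owner": "unassigned"},   # nobody remembers this one
    "10.0.3.5":  {"name": "build-runner-7", "owner": "ci-team"},  # ephemeral, spun down last week
}

# Constructed sensor observations: (source IP, observed MAC, UTC timestamp),
# as a passive ARP/DHCP logging sensor would report them.
OBSERVATIONS = [
    ("10.0.1.10", "52:54:00:aa:01:10", "2022-09-10T08:00:00Z"),
    ("10.0.1.11", "52:54:00:aa:01:11", "2022-09-10T08:00:05Z"),
    ("10.0.1.10", "52:54:00:aa:01:10", "2022-09-10T09:30:00Z"),
    ("10.0.4.77", "f0:18:98:ff:ee:dd", "2022-09-10T09:31:00Z"),  # not in inventory: BYOD or intruder?
    ("10.0.2.50", "00:0c:29:12:34:56", "2022-07-01T02:00:00Z"),  # legacy box, last seen months ago
]


def _parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample data as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(observations):
    """Map each observed IP to the latest (timestamp, MAC) seen for it."""
    seen = {}
    for ip, mac, ts in observations:
        when = _parse_ts(ts)
        if ip not in seen or when > seen[ip][0]:
            seen[ip] = (when, mac)
    return seen


def reconcile(inventory, observations, now, stale_after=timedelta(days=30)):
    """Classify hosts as 'unknown', 'stale', 'unseen' or 'active'.

    unknown: on the wire but not in the inventory ("who is on the network?")
    stale:   in the inventory, last observed longer than `stale_after` ago
    unseen:  in the inventory but never observed in this window (a spun-down
             cloud asset, or a sensor blind spot worth checking)
    active:  in the inventory and recently observed
    """
    seen = last_seen(observations)
    report = {"unknown": [], "stale": [], "unseen": [], "active": []}
    for ip, (when, mac) in seen.items():
        if ip not in inventory:
            report["unknown"].append({"ip": ip, "mac": mac, "last_seen": when.isoformat()})
    for ip, meta in inventory.items():
        if ip not in seen:
            report["unseen"].append({"ip": ip, **meta})
        elif now - seen[ip][0] > stale_after:
            report["stale"].append({"ip": ip, **meta, "last_seen": seen[ip][0].isoformat()})
        else:
            report["active"].append({"ip": ip, **meta})
    for bucket in report.values():
        bucket.sort(key=lambda h: h["ip"])
    return report


if __name__ == "__main__":
    now = _parse_ts("2022-09-10T10:00:00Z")
    for bucket, hosts in reconcile(INVENTORY, OBSERVATIONS, now).items():
        print(bucket)
        for host in hosts:
            print("   ", host)
```

Run as a script it prints the four buckets. In practice the observations would come from a sensor export and the inventory from whatever asset register the owner maintains; the `unknown` and `stale` buckets are the ones that warrant a ticket, and `unseen` is a prompt to confirm the asset really is gone rather than merely invisible to the sensor.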
Before investing a significant part of the IT budget in network security tooling, it is important to appreciate that feature-rich COTS toolsets and frameworks already exist for companies to start with. Start with small, planned steps, and only then design a strategy that could include bespoke approaches and a more complex mix of tools aimed at specific kinds of threats or particular deployment environments. The foundational requirement of any network security tooling is that it should provide insight into (i) access control, (ii) data and (iii) resources on the network2. Expanding from there is a reasonable way to start building a business-outcome-focused culture of network security.
Businesses, especially those where information technology is an enabler rather than the core business, tend to give lower priority to securing IT infrastructure and networks. This stems from a flawed understanding of security practices and an underestimation of how readily IT networks propagate malware. Advocating for and adopting a security practice, and building collective ownership of IT assets, takes a number of conversations as well as practical training before it becomes a habit. That is the last bit: in a field that is evolving, continuous upskilling and training are needed to keep networks secure.
Towards a pragmatic strategy for doing Network Security #
Network security needs to be reframed within business plans as a strategic initiative. To build a culture across the organization, focus on the following:
- Ownership of the processes
- Creating a map of risks and designing risk management approaches
- Clearly articulated policies
- Inventory of assets and presence on the network
- Starting small with COTS tools and standard guides from providers
- Regular audit cycles, with the gaps they reveal addressed through training and skilling
About Rootconf #
Rootconf is a platform for systems, SRE and DevOps engineers to discuss practical issues and approaches towards building and managing reliable infrastructure. Since 2020, Rootconf has expanded into the following specialized verticals:
- Data privacy - in collaboration with Privacy Mode, Rootconf works with organizations and practitioners on discovering and showcasing data privacy practices, including data governance and data security.
- Optimizing costs of cloud infrastructure and cloud security.
- Cybersecurity, including network security, and how organizations - global and domestic - are tackling existing and emerging challenges to build for a safe, accountable and trusted internet.
About Hasgeek #
Hasgeek is a platform for building communities. Hasgeek believes that effective and sustainable communities are built in a modular manner, and with an underlying layer of infrastructure and services that enable communities to focus on the core of their work. Hasgeek provides this infrastructure, and the capabilities for communities to amplify their work and presence.
This summary was composed by Sankarshan Mukhopadhyay (editor at Privacy Mode; editorial strategy at Hasgeek).
Rootconf thanks Samir Kelekar, a senior technical leader with over 15 years of experience, for his support in constituting the panel and for inputs on the summary.
CERT-In directives were issued on 28 April 2022 - https://www.cert-in.org.in/Directions70B.jsp - relating to information security practices, procedures, prevention, response and reporting of cyber incidents for a safe and trusted internet. SMEs raised concerns about the impact of the directives on the certainty of doing business and on the cost of compliance. These concerns are documented here: https://has.gy/-bxr The concerns were shared as a submission to CERT-In and policymakers.
Meanwhile, CERT-In released an FAQ document to clarify ambiguities in the directives - https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf However, this document does not have legal backing and hence cannot be used as a basis for justifying the implementation of compliance-related practices.
Experts shared concerns with the CERT-In directives from the point of view of industry compliance, which paved the way for Rootconf to engage with policymakers - https://has.gy/f7n5
Based on the concerns Rootconf raised, CERT-In - specifically MOS - asked Rootconf to make a submission on a feasible compliance timeline for SMEs - https://has.gy/f7n5
Thereafter, the compliance timeline for MSMEs was extended by three months, until 28 September. The challenges that remain with compliance are well documented in these articles - https://www.medianama.com/2022/06/223-sme-msme-india-cert-in-directive-deadline-extension/ and https://the-ken.com/story/rock-msmes-hard-place-indian-firms-uncert-in-cybersecurity-future/ ↩︎
Creating an asset inventory requires asset discovery first, which is itself a non-trivial problem. Assets also change dynamically. An old, unused server that no one is aware of, for example, can become an entry vector. ↩︎