As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Bindu Sundaresan.
A Director at AT&T Cybersecurity, Bindu Sundaresan is responsible for growing the security consulting competencies and integration with the AT&T Services and Product Offerings. Bindu is a security subject matter expert (SME) with the judgment and experience to right-size and customize information security solutions that both accommodate and enable business growth. She has worked to establish enterprise vision, strategies, and programs for Fortune 50 companies to ensure the confidentiality, integrity, and availability of information assets — thus protecting and enhancing multimillion/billion-dollar revenue streams.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Southern India and was offered STEM opportunities living in a household where my parents encouraged dabbling in technology and exploring different fields of study. I started off with a background in Electrical Engineering and explored data networking through internships that I pursued during my undergraduate study.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Cybersecurity became a new focus for me during one summer in high school, when I read the novel “The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage.” Released in 1989, the book is the author Clifford Stoll’s first-person account of the hunt for a hacker who broke into a computer at the Lawrence Berkeley National Laboratory (LBNL).
Can you share the most interesting story that happened to you since you began this fascinating career?
When I initially started working on a Criminal Justice Information Sharing Project, I learned the important concept that securing information should start at the beginning of the software development lifecycle (SDLC), instead of becoming an afterthought once an application has been built. This project helped me to understand why security cannot just be about technology, but must truly enable a business and therefore have executive buy-in.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I have had some amazing mentors over the years, but I have to call out Maggie Cunningham, with whom I worked closely during my time at KPMG. She was an amazing leader who helped me specialize in cybersecurity. I also have to recognize the guidance of some amazing supervisors who helped me to innovate, be bold, and expand my cybersecurity skill set.
Are you working on any exciting new projects now? How do you think that will help people?
We are working on some exciting projects focusing on helping organizations benefit from their overnight digital transformation to the cloud, while making sure security and privacy are not compromised.
We are also looking at solutions that will manage the IoT threat landscape and provide guidance on securing organizations to protect new attack surfaces, while building Zero Trust Architecture and Design services for organizations across varying security maturities.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I advise all colleagues to chase effectively versus chasing every task. This means following a routine to avoid remaining in a firefighting mode, but it’s also important to rely on team members. Cybersecurity is a team sport, and you must trust those you work with to get a job done. It’s also important to give back to team members as well. While one day they may cover for you, it’s important to cover for them the next. Taking the time to give back, nurture, and mentor team members will always be rewarding and help build a stronger force when combating burnout.
Most importantly, seek to start each day to be more productive than the last. By staying focused, you will be amazed at what can be optimized.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The cybersecurity industry is constantly evolving. Each day we encounter different challenges, new innovations, and evolving security risks. With this in mind, I’m excited for the overall growth of businesses that will involve the following:
- Cybersecurity moving towards ‘Cyber Immunity’
- Passwordless security and the emphasis on Zero Trust becoming the norm
- Cybersecurity becoming equivalent to any safety regulation
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Ransomware attack patterns have evolved significantly. Traditionally, ransomware was deployed to encrypt the victim’s data and lock them out of their own files. If the victim refused to pay the ransom, their files would be destroyed. Today, ransomware attacks have evolved to double extortion.
Typically, the attacker would exfiltrate a copy of the data before encrypting them. This way, the attacker not only prevents the victim from accessing their data, but also keeps a copy of the data for themselves. In order to claim responsibility and pressure the victim during the negotiation process, the attacker would often release small portions of the data online. If the negotiation turns out badly, the attacker would then either publish all of the exfiltrated data or sell them to third parties. These attacks are essentially a combination of a ransomware attack and a data breach.
Victimized organizations can feel extremely helpless when hit by double extortion attacks because their compromised databases likely contain proprietary or sensitive information that they would rather have destroyed than published or sold. So, it’s a double threat: the attacker will release the embarrassing data and also encrypt the company’s data. It is easy for the attacker to say they have an organization’s data, and easy for them to imply they do by releasing a small sample. This is very difficult to prove forensically because most places don’t have that layer of visibility. This adds another pressure point, and the victim can easily validate that the hackers indeed downloaded the entire database if the organization has implemented a data loss prevention solution. Since the tactic is relatively new, there are no real data points for either the attacker or the defender that say it increases the payout potential of the victim.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Most of my own experiences around breach investigations and response have centered around phishing, ransomware, and third parties. Most notably, even 20 years after my first breach response project, we are still witnessing strikingly similar attack patterns. Looking at these projects as a whole, there are certain takeaways that remain consistent throughout the years:
- Applications are an entryway to data, meaning organizations must not limit protections to those that are just web facing
- All business-to-business and business-to-consumer applications should be in scope
- Every breach gives attackers more data to crack passwords with greater ease during the next breach
- People reuse online credentials, making the attacker reward one-to-many
- Don’t underestimate the value of backup technology
- Everything and everyone that connects to a network must be protected
- Ensure organizations are aware of all assets, including third-party connections and hosted environments
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
In response to today’s evolving threat landscape, many businesses can’t keep up with fighting against cybercrime and are realizing this isn’t their core competency. As a cybersecurity consultant, my tools include incident response services that help organizations to defend against ransomware attacks, and cyber risk assessment and vulnerability management services for attaining a sustainable compliance and privacy program. Our other strategic advisory services also help to plan and implement security-driven initiatives for digital transformation across the network, cloud, 5G, mobility, and IoT.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Limited budgets, limited staff, limited time. These are issues organizations of all sizes are facing, especially during the ongoing global pandemic. IT systems, processes and teams are stressed with supporting business continuity at scale in the new normal remote work business model, while also updating network and security controls as needed in an adaptable business environment.
Today’s organizations are advised to build a degree of trust with customers and show that data privacy and data security are taken seriously. Failure to highly secure data is a catastrophic event for any organization and may result in hefty fines.
So how can organizations cope with these limitations?
While the pandemic caused organizations, in many cases, to shift priorities and focus, cybersecurity is something that needs to stay top of mind in helping the business adapt to changes quickly. As priorities shift, organizations will need a trusted advisor to help them on their journey to cybersecurity and network resiliency. Through a Managed Security Services approach and strategic consulting engagements, organizations benefit from having skilled professionals advise on the right processes and technology to use for security programs, while also monitoring and managing security operations 24/7.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Attacks often go undetected for weeks, months, and in some cases, years — by which time the damage is done. The critical first step is determining that an organization has been breached. Given the advanced nature of the attacks and their discreet techniques, an effective way to detect a historical, ongoing or imminent attack is by proactively hunting for evidence of attackers on an organization’s systems and network.
Unusual behavior of assets within an organization may be a hint that the organization is undergoing a cyberattack, while unusual outbound network traffic, anomalies in privileged user account activity, and increased database read volume are all significant signs that should be flagged as suspicious and potentially dangerous.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
A data breach should be viewed as a “when” not “if” occurrence, so be prepared for it. Under the pressure of a critical-level incident is no time to be figuring out a game plan.
Incident response can be stressful and is stressful when a critical asset is involved, and you realize there’s an actual threat. Incident response steps help in these high-pressure situations to more quickly guide you to successful containment and recovery. Response time is critical to minimizing damages. With every second counting, having a plan to follow already in place is the key to success.
Achieving compliance is not the ultimate goal; it is about sustaining compliance. Security and compliance are not equal. With data governance measures such as the CCPA, CPRA, and GDPR, compliance management has become an ongoing program that needs to be continuously maintained. To make the journey easier, organizations will need to follow an integrated compliance and risk management framework that addresses security, privacy, risk, and compliance. This provides a more manageable program and allows you to report compliance posture more efficiently.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Business is not static, and neither are the solutions that enable and protect it. To grow, compete, and innovate in the market, a business must adopt the right models and technologies to stay relevant and competitive. As the business evolves, so too must the operations and security solutions that protect it. Today, a cybersecurity strategy needs to be nimble to match the pace and dynamic modeling of the business it is protecting.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
The impact of COVID-19 is creating more opportunity for malicious actors to target organizations in many industries, especially healthcare. Cybersecurity threats to these organizations are real, especially in the wake of a global pandemic. Healthcare organizations expanded their remote system access and management but are challenged in keeping up with protecting sensitive information from malicious actors.
We are seeing more highly publicized ransomware attacks on hospitals, for example, with patients being diverted to other hospitals and an inability to access patient records to continue care delivery. From small, independent practitioners to large, university hospital environments, cyber-attacks on healthcare records, IT systems, and medical devices have previously infected many systems. Now as healthcare organizations and consumers lean on telemedicine during a pandemic, the risks of these attacks will increase, and it’s important to educate people broadly about how and why.
This also means helping patients to understand the power they have to protect their own data and how to make smart decisions when using virtual health services. Communicating that principle is one responsibility of a provider organization that offers virtual services. So is the parallel responsibility to make sure physicians who use the system approach it with the same understanding. Although telehealth is a sought-after platform given the current situation, practitioners will have to take certain precautions to prevent cyber-attacks. To address this challenge, an organization needs a robust authentication process before giving access to data externally and needs to offer educational training programs internally. Specific to telemedicine, we expect threat actors will focus on device security, patient and provider identification as well as access system-level security vulnerabilities.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
1. Create an offensive strategy with a security-first mindset: Assume you are already hacked. At all times. If a company builds its operations and defense with this premise in mind, the chances of helping to detect these types of attacks and preventing the breaches are much greater than for most organizations today.
2. Formal vulnerability management doesn’t simply involve the act of patching and reconfiguring insecure settings. Vulnerability management is a disciplined practice that requires an organizational mindset within IT that new vulnerabilities are found daily, requiring the need for continual discovery and remediation.
3. Data governance is necessary in order to provide and protect high-quality data throughout the lifecycle of that data. This includes data integrity, data security, availability, and consistency. Data governance program policies must include:
   - Delineating accountability for those responsible for data and data assets
   - Assigning responsibility to appropriate levels in the organization for managing and protecting the data
   - Determining who can take what actions, with what data, under what circumstances, using what methods
   - Identifying safeguards to protect data
   - Providing integrity controls to provide for the quality and accuracy of data
4. An organization’s brand is a valuable asset, but it’s also a great attack surface. Threat actors exploit the public’s trust of that brand when they phish under the organization name or when they counterfeit its products. The problem gets harder when an organization engages with the world across so many digital platforms — the web, social media, mobile apps. These engagements are obviously crucial to a business. So, something else should be obvious as well: Guarding an organization’s “digital trust” — public confidence in the company’s digital security — is make-or-break for a business, not just part of a compliance checklist.
5. Building a security culture takes time and effort. What’s more, cybersecurity awareness training ought to be a regular occurrence — once a quarter at a minimum — where it’s an ongoing conversation with employees. One-and-done won’t suffice. People have short memories, so repetition is altogether appropriate when it comes to a topic that’s so strategic to the organization. This also needs to be part of a broader top-down effort starting with senior management. Awareness training should be incorporated across all organizations, not just limited to governance, threat detection, and incident response plans. The campaign should involve more than serving up rules, separate from the broader business reality. It means instilling a security-first mindset to help protect a business and deliver better business outcomes. Security belongs to every employee in the company, from the C-suite down to the seasonal intern — every employee owns a sliver of the exposed attack surface, but security programs work best when everyone understands that security makes the business stronger and their jobs easier.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I would greatly encourage the idea of a cybergym, where teams of security professionals can work to grow their own cyber skills. Security experts are responsible for the cyber health of their organizations, and therefore must constantly grow and expand their expertise to face tomorrow’s newest cyberattack.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!