The Voice of Cyber®

KBKAST
Episode 154: Shishir Singh
First Aired: January 04, 2023

Shishir Singh is the Executive Vice President and Chief Technology Officer for the BlackBerry Cybersecurity business. A seasoned senior executive, Shishir brings 15+ years of cybersecurity leadership. With his wealth of experience and expertise, Shishir works across the entire organization to set a clear vision and roadmap for our next-generation cybersecurity products and services. He engages with our customer base on strategic direction, and identifies key partnerships to implement a market-winning technical strategy and vision. Shishir is a passionate advocate for customer-centric design and the use of data and analytics to create compelling offerings that thrill customers.

Before BlackBerry, Shishir served as Senior Vice President and Chief Product Officer, Enterprise Business Group at McAfee. In this role, he was responsible for product strategy, execution, and delivering cutting-edge cybersecurity offerings that protect Enterprise customers from threats to their applications, networks, data, devices, and other critical assets. During his tenure, he transformed the company into a true cloud company and pioneered the teams that delivered McAfee’s XDR, CNAPP, and SASE (Unified Cloud Edge) solutions in the industry. These products are offered in both on-premises and cloud form factors. They have a footprint across the entire gamut of industry segments, ranging from fledgling start-ups to established banks, Fortune 500 Enterprises, and federal institutions across the globe.

Shishir has also held various engineering, development, and product leadership positions at Cyphort (acquired by Juniper), Cisco, IronPort Systems (acquired by Cisco), Bluecoat Systems (acquired by SYMC/Broadcom), and Silicon Graphics. At the onset of his career, Shishir worked for the Defense Research and Development Organization (DRDO), a public service undertaking that develops advanced avionics systems for India’s vast defense sector. He was nominated for the Young Scientist of the Year award for his contribution to the indigenous AWACS project for India.

Shishir holds master’s degrees in Computer Science from Allahabad University and Electrical Engineering from the Indian Institute of Science, Bangalore, India. Additionally, he has published and presented multiple academic papers for IEEE and holds several patents in the fields of Neural Networks, Artificial Intelligence, and behavior-based modeling for malware analysis. Apart from his boundless passion for his work, in his free time, Shishir enjoys keeping himself active. He loves hot yoga, playing squash, and hiking.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Introduction (00:27)
You are listening to KBKast, the cybersecurity podcast for all executives, cutting through the jargon and hype to understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen.

Karissa (00:42)
Joining me today is Shishir Singh, executive vice president and CTO from BlackBerry. And today we're discussing the need for accountability in cybersecurity. Shishir, thanks so much for joining. It's wonderful to have you here.

Shishir Singh (00:53)
Thank you for having me, truly appreciate it.

Karissa (00:56)
So Shishir, I really want to start now, as I mentioned before, with accountability in cyber security. I want to start with your definition of what accountability in cyber security means to you.

Shishir Singh (01:08)
Look, there are three pillars of accountability in cyber. The first one is people, process and product. And when I say product, all technologies out there, right? Some organisations build their cyber defences by acquiring best-in-class technology, but their security team lacks the staffing or knowledge to fully implement it. Other companies hire the brightest minds in the security industry, but without the strategic processes in place, they fail to fully leverage the team. In other cases, teams are laser focused on super policies and process and all of that, but are missing the advanced technology to carry them out. In each of these scenarios, cyber defences are like a two-legged stool, unable to bear the full weight of an organisation's security requirements. For this reason, many organisations look to managed service partners to provide a more stable and balanced cyber security platform to protect their operations. I want to dig into each of these areas. So first one, on people. I want to make sure most of the people are completely security aware and they are trained, for all the users. The second one, we have to have adequately skilled members of the security team. And the last one, we need to have sufficient staffing for 24 by 7, 365 cybersecurity cover.

Shishir Singh (02:32)
Now coming to the process. One, we need to have appropriate policies and management systems. The second one, the use of proven frameworks like the NIST Cyber Security Framework we need to follow. And the last one on processes, planning, performing audits and reporting on audit findings is extremely important. Now, maximising the technology, the last piece, the product part, right? That pillar within cybersecurity involves having the right people and process and integrating those two pillars with items such as systems in place that mirror your security policies and risk appetite. The second one, having mature AI-powered solutions that can stop attacks before they start. I think the time has come when people should start depending on these AI/ML techniques to solve some of these complex problems. And the last one, I would say, is having an appropriate mix of in-house security and outsourced managed services, because it's really important that your staff size is based on skill set and you get those skill sets where it's possible, so that you can have the maximum possible best outcome for your infrastructure, for your solution.

Karissa (03:43)
Got you. Okay, so going back to the NIST framework now, I was speaking to someone yesterday and they were saying, like on the show, a lot of people, yes, of course, follow a NIST framework, but then perhaps maybe people are too reliant on that. Or the other thing is, maybe they don't need all of the specific controls that are outlined in the NIST framework. Would you say, with your experience, that perhaps people are very reliant on frameworks and aren't really looking at their organisation specifically, and so then as a default, they decide, okay, we'll just follow the framework, which, yes, helps, but it's not the silver bullet?

Shishir Singh (04:18)
No, I agree. The framework integrates the industry standards and best practices to help organisations manage their cyber security side. But it has to be a combination of both. Right. We need to have a common language that allows your staff, your users, at all levels within an organisation, so that you can have the right security posture. And this is where some of the framework is more of a guideline than having a way to depend on that one. You need to provide your security postures based on this framework as best as possible.

Karissa (04:48)
Yes, you're right in terms of, yes, absolutely, having the guideline. Would you say, though, that people are super dependent on it? Because, I don't know, maybe they don't have the correct partner or the right staff, and then they are in a regulated industry and they've got people breathing down their neck. So it's just maybe an easy sort of rule of thumb to follow. Would you say that there's a little bit of that in there?

Shishir Singh (05:08)
That's exactly right. That's a really good starting point. Right? That's a framework and you can start from there, but bring the right expertise into the mix so that they can provide the right solution, because it's all about customisation, it's all about your environment, it's all about your infrastructure. And that needs customisation, that needs the right expertise and mix of the product, process and the people I just talked about.

Karissa (05:32)
Okay, so you make a great point. Now, I want to then lead that into my next question. How can people start getting accountable? Because this whole theme of today is about having accountability in cyber, and you've outlined that quite well, but I guess there are probably other people in the space that are just saying, oh, people need accountability, but they're not, they don't, maybe there's not that level deeper around what that actually means. So, from your perspective, what can people start doing to drive that accountability?

Shishir Singh (06:02)
Yeah, no, that's a great question and I'm going to answer in two parts. The first one is SMBs and the other one I'll just talk about in the context of the large enterprise. Now, SMBs often don't have enough resources to respond to cyber security incidents, right? So it's hard to make them accountable. But what they can do is to run a health check of their infrastructure to make sure their patches, their software, are completely up to date. I would say that there are often some weak links where you put your old machines with the old software, which is not completely up to date, and that becomes a weak link for attackers to get into your environment, right? So that's the number one. That's the basic thing. I would say people should follow that. The second one is about multifactor authentication and authorised access to applications based on users' roles and responsibilities. And I want to stress this point because a lot of people can confuse, or interchangeably they use, authentication and authorisation. That's not true anymore. You have to authorise people based on their authentication, but you can limit their authorisation based on their roles and risk.

Shishir Singh (07:10)
So there are a few other common practices you can adopt in this context. For that, your authentication is often used interchangeably, like I said, but make sure that your authentication is proper and you have got the multifactor authentication in place. The second part is you can protect all your endpoints and devices and encrypt their data at rest and in transit for safety and compliance reasons. Most important, they can work with cyber security secret companies that will provide continuous monitoring and regular assessment to prevent attackers from exploiting any vulnerabilities. I think a lot of times what happens is that you design your security posture and you feel like you are good for the next twelve months, 18 months or not. But nowadays I think it's really important that you have that 24 by 7, 365 days being monitored. Now, coming to the next part of the answer here is the large enterprise. I would say all of the things which I said above need to be followed by enterprise. But there are a few more things we need to do from a large enterprise. There is also a responsibility to protect our people, our users, along with the assets and the applications, because our users and applications are everywhere.

Shishir Singh (08:23)
People are connecting from any place, any location, to get access to their application. And that's creating a lot of holes for hackers too. And the last thing I would say is that having some control points, whether it's in your endpoint device or in your network or in the cloud, there is a very common thing that happens, which I call configuration drift. Whenever you are developing new software and trying to host it in the cloud, you have to make sure the configuration drift is taken care of, because over a period of time that actually creates vulnerabilities in your systems. And you should continuously monitor those workloads, whatever you are developing in the cloud, so that no vulnerabilities are exploited by that act.

Karissa (09:07)
Thanks for sharing. So I want to look at accountability now from a different lens. Now, in Australia we've had these large breaches, so there's people online, social media, wherever you want to look, saying, oh, they need to be held accountable. So what is it that people want to see from an organisation around "they need to be held accountable"? So for example, organisations being breached, people's information is out there, that is what it is, it's the reality of what's happened. But then people are now saying, I want to see accountability. What does that look like? How does a company being breached show that accountability to their customers who've been impacted? Do you have any insight on this? I know it's a hard one to answer, but I'm just curious to know what is it specifically that people want to see?

Shishir Singh (09:50)
Yeah. What people are looking for is some kind of assurance that if they get breached, they should have all the knowledge and the context of the breach, how attackers are coming into their environment. They want to see the complete lifecycle of the attack, so that they can feel confident that the products which are being deployed in their environment are working. Now what is happening is that a lot of times the customers and the infrastructure they depend on the signature-based antivirus tools that are ineffective against today's threats, and it's really important they see that some of the AI-based cyber security solutions are ideally suited for SMEs. They leverage the same technology used by large global enterprises, and I think it's really important that some of these areas are actually covered so that that can give the confidence. The second part I would say is that some of the Zero Trust framework ideas are being actually talked about. I think they want to see this getting implemented in their infrastructure. When I say Zero Trust framework, it's about never trust, always verify. And when you are going with that concept, I think that definitely limits your exposure.

Shishir Singh (11:00)
Some of the threats we are talking about, right? So I think I would say that much better security posture, much better infrastructure, much better modern thinking of the network design, how endpoints are used, how they are protected. I think it's a combination of all that is what people want to see, so that they can feel much more confident and feel like, okay, if something happens, somebody is accountable, at least they can say that. I have done all of these things. Here is the security maturity level of my organisation on the scale of one to ten and I am at ten. I understand all the gaps here and I have filled all those gaps as best as possible, to the best of my knowledge here.

Karissa (11:39)
Okay, I understand what you're saying, but it's just more so, if they look at a telco here in Australia, like someone who's not in security, they're not going to understand, oh, we've implemented zero trust. So I don't think that maybe saying that and leading with that to a non-tech, non-security audience really matters, because I don't think they care. So if I look at it from that consumer lens, what is it that an organisation has to say? That, okay, we've been breached, we've made a mistake, this has happened. It's more from that angle. I get it from the tech and the security side of things. But looking at the consumer that has no idea what zero trust means, that's just going to go over their head and they don't really care about that. So I'm just curious to know from you as a leader, like, what is it? What's the sort of language that people can start adopting to say, hey, we've made a mistake, this is what's happened? And I understand that people want the context of a breach, but that could take up to 90 days to really get specific around what happened. And what's often happened in the past that I've seen is people have spoken too early and then all of a sudden the story then changes.

Karissa (12:45)
So I'm just curious to know, do you have any insight on that front?

Shishir Singh (12:48)
So I think it's really important that we understand what is happening outside our environment in a very common-man language, like to your point, or some of the stuff which I'm talking about, AI/ML techniques, it's a very inside view of how you protect. But if you don't have the information about how attackers are actually thinking about your systems, right, I think that is going to create much more problem, and the knowledge here needs to be shared here. Right. I think understanding the hackers' techniques and seeing how they are actually attacking, in a very common-man language, I think that's going to be a key here. I also want to say that an additional challenge the security teams face is understanding, the knowledge of, how the attackers are actually seeing your platform. Most of the time, what happens is that a lot of people are trying to protect their front door with all these security solutions out there, but the back door, like cloud and some of those things, that digital transformation is causing a lot of loopholes, and attackers are actually coming into that part of it. So to answer your question, I know it's a very complex question, but understanding both the inside view as well as the outside view and getting them connected is the first starting point for communicating and having that accountability, what you just talked about.

Karissa (14:12)
Yeah. And you're absolutely right. You need to have that inside view to be able to provide context. I think it's just the language needs to change. So what's coming up in my mind as you're speaking is, if I'm a doctor and I need to perform a surgery on someone, if I'm speaking to another surgeon, for example, the language that I use with the surgeon is going to be different to what I say to the patient, because they're not going to understand all of this medical technicality of words. So I think, yes, we need to understand at the root level, this is the problem. But then, of course, the discourse in which we talk to our patient or our customers needs to change. And I think that's probably a big gap that we face in this market, to be able to say, hey, this is what's happened, and here's the context. But it needs to be able to make sense for people that aren't in our space, rather than us. This is going to go over their heads, which lends itself to the assurance and to the accountability. It's not an easy one to answer, but I guess that's why I have this show, to bring people like yourself on to help people shape their answers and understand what is it that you're saying, to make up their own sort of mind around how they can go about managing these things.

Karissa (15:19)
There's not an easy answer to this question.

Shishir Singh (15:22)
I completely agree. Recently I talked to one insurance company, Carvis, right? And they are the ones who write the premium for some of these companies, and the companies always say, hey, I bought all the products in my environment, whatever is out there, and still you are charging a very high premium for me. What are the gaps, how do I take this, how do I understand this problem? What you're just talking about. The key findings of this study were very interesting, which I thought I'll share with you here: the importance of cyber insurance in business deals is growing, with 60% of respondents claiming they would be hesitant to enter a new agreement with any organisation lacking cyber insurance. That was the key study which we found. The second was that it doesn't get the necessary focus during the conversation with carriers. Right. Four in five respondents, they were talking about, okay, I have these existing policies and I'm doing everything my vendors are asking, and now you're telling me it is not good enough for me. Right? So what is the gap? What do I need to do here? So it's a very interesting problem, what they feel they have and what the gaps are there and how they are going to fill them, so that they can be completely secure and be accountable.

Shishir Singh (16:35)
To answer your question, yeah, and again.

Karissa (16:37)
It's a tough one, and because there's so many different... you need to speak to be able to disseminate that information correctly. Talking about accountability still, I want to understand from you, like, how can people maintain that accountability? The analogy I like to use is like going to the gym. Going the first time is easy, but then going for your 50th time is a lot harder. And going for your 50th time when it's raining and it's cold outside is a lot harder than, hey, I'm going to go for the first time and I feel motivated. So how can people gain this level of accountability?

Shishir Singh (17:11)
No, you're right. One of the things is the routine checks of the cyber posture is very important. Like the example you give about the gym. Right. Healthy cyber habits must be incorporated into the daily operations of an organisation. A lot of times what happens is that security is compromised for convenience, right? If it is convenient, I'm going to drop these things, I'm going to make it easy. So having optimal security requires a small, manageable set of complementary technologies to get the job done. So that's the number one thing I would say. It's just hygiene kind of stuff, which we need to take care of. The second is today's attacks are infinitely variable in their approach and tactics, so we need to mirror some of that variability in our defences. We need to take advantage of high-performing security models, not just one, and ideally sourced from multiple vendors with different code bases and technology approaches. I would say that technology should even have a little overlap, just enough to fill each other's gaps and perhaps even provide a bit of redundancy. And most importantly, we need to focus on technology approaches that deliver the right balance of business risk and fail-safe capabilities for each of these organisations.

Shishir Singh (18:29)
Your example of going to the gym is really nice. And this is where I see, these are some of the stuff, if you can do, I think we can maintain this for a very long time.

Karissa (18:39)
Going back to the routine checks, how often should people be doing this? And I guess the answer depends. But if you had to pick a vertical in an industry, can you give some high-level indicator? And yes, it depends on maturation and all these other things, and staff and budget. It's like a rule of thumb, because I think people just want to know a barometer on this stuff.

Shishir Singh (18:59)
Yeah, this is really one of the things I recommend people to do, like at least a month. Earlier, in the past, if you see, they would do it once in a year or once in 18 months, and all, I think that's really late in the game. If something happens, you won't be able to react. So having a monthly check-up of the security posture is good hygiene. And one of the things I always suggest is that with the increase of the unmanaged devices and some of the smartphones, and the way we are, corporate infrastructure and applications on our devices get intermingled with our personal data, and that has to be clearly kept separated, and we have to monitor those policies on a regular basis as well. The second thing, in the context of the current world where everybody is working from home and the only way you can access your data is through connecting into your corporate infrastructure, either through VPN or through any other sources, I think it's important for you to make sure that some of your postures are contextual and it's based on behaviour and also based on geolocations. So if you are travelling, if you are in a place where you can't access or you should not access your corporate data because you're using a public WiFi system, I think that can be prevented by some of the policy regulations.

Shishir Singh (20:19)
And some of the monitoring I'm talking about, ideally for the large enterprise, for the sensitive enterprise where they're dealing with health or federal or a lot of those financial stuff, I would say 24 by seven monitoring is really important.

Karissa (20:33)
So when you say once a month, do you find in your experience that that often goes by the wayside? Because it's about, again, going back to the gym analogy, it's about having the intention, I'm going to go to the gym every second day, for example. But then it's like, oh, something comes up, I've got to work late, oh, it's raining, I don't feel well. Then all of a sudden you just stop doing it. Do you think there's a little bit of that in there? Because other things pop up, because it's security. Like, things happen all the time, right? Like, we're trying to keep our heads above the water at the best of times, otherwise, okay, we've got to do a routine monthly check, which makes sense, but then when it gets to the reality of it, it's hard to do. So do you find that this often just slips down the list?

Shishir Singh (21:11)
I completely agree. These are all the additional challenges you're talking about, right? Going back to your gym example, a lot of times people say, hey, I don't have enough budget, I don't have the right expertise here. I would say because of those reasons, many of them have incomplete or poorly defined cyber security strategies, and they might even lack a cohesive process of investigating, detecting and mitigating the threats. So I completely see your point here. And this is one of the reasons why I would say that having the visibility of your data is really important. So that even if you have a monthly check on your security posture, you have all the evidence, you have stored all the incidents in one place so that you can go back and check what has happened. I completely get your point. I do hear that the budget is the big constraint and they're not able to do what I'm asking them to do. But I think the time has come where the security team and the IT team need to work together. Security has to be a philosophical discussion and it has to be on the table for everybody to think about.

Shishir Singh (22:18)
It's not about an afterthought, or this is something nice to have, or this can be compromised just because of my convenience. I think if you start doing it that way, the drift will take you to a very different place.

Karissa (22:31)
So how do you have the philosophical conversation? Because I know many people out there and they're like, oh, I had to do security awareness training today. I didn't listen to it, but I have to be compliant within the organisation. And so oftentimes, especially if you're traditionally talking to an IT or a development team about security, like, people's eyes start rolling. Okay, here we go. How do you get people really on board with the idea? And I know it's hard, but I think this convergence still needs to happen with security and IT and even our broader business. Do you have any sort of advice to really take people on that journey, to get people more excited about cyber security?

Shishir Singh (23:11)
I do. I do believe that people have to think about cybersecurity as fundamental, and they need to incorporate it in their daily lives. It might be hard, but I think it's really important, because once you get into the situation of being attacked, whether it's ransomware, you see the ransomware attacks, or some of the complex attacks which are attacking the infrastructure, the water, the way we drink, if that gets polluted, what happens? The impact is pretty big. Right. So I think that thinking has to come. And the way I see this, and I'm going to explain this in much more layman words here, it's about your house. You are protecting your front door and you have got all the cameras in place, and it's very natural for you to go and see your camera, even if you're not at home, who is coming next to your door. They might not be knocking on the door, but at least they are coming next to your door and they are the suspicious character. You might not be able to convict them because they haven't done anything wrong, but having that information is really important for you, so that you can be much more secure.

Shishir Singh (24:18)
And the second part is that if you have a house which is old or which is not completely secure, you need to think about, how do I remodel my house so that I can put the right camera, right control points in my back door, my side door, so that I have the visibility of all the detection. If I need to do, I can go and make that happen. So I think it has to be seen in the context of the danger it is going to pose, the threats which are going to pose. Because most of the hackers, most of the attackers, they are 24 by seven active. They are looking at your infrastructure, they are looking at you. Right. Whether it's for defaming or it is for a country-based sponsored attack or it is about the infrastructure attack or anything, and the impacts are so severe, so people have to take this very seriously, because prevention first is the right approach. I think you need to think about how to prevent and then only think about how to take this forward from the advanced tool and from the advanced techniques point of view.

Karissa (25:22)
So why would you say people in the past haven't really been accountable?

Shishir Singh (25:26)
I think the reason I say is that in the past we haven't seen those kinds of attacks, the complex attacks I've been talking about. If you look at the last three, four years, most of the attacks were actually done by a work-from-anywhere situation. Like, they found the weak link in the houses to get into your environment. In the past we never saw the OT and IoT attack, or OT getting weaponised to attack the IT environment, right? We are seeing a very different generation of attacks here than what we used to see five to ten years back. If you go back ten years, it was all about the perimeter security. If you come into the corporate infrastructure, you are a trusted person, you can do anything you want, you can access any applications, any services in the environment. Now those days are done, right? You can work from anywhere. You are accessing all the applications which are in the cloud. Most of the modern work is happening in the cloud. You think about Office 365, Salesforce, Workday, right? They have got a bunch of configuration out there, and any wrong configuration can get the hackers into your environment, right?

Shishir Singh (26:35)
We have seen a lot of lateral movement happening in the customers' environment. So the world has changed very dramatically in the last, I would say, two, three years. Especially with the digital transformation, with the cloud adoption, work-from-anywhere situation, and especially with all the multiple products which are coming in the environment speaking different languages. It's like having the 20 smartest guys in the room and they speak 20 different languages. So all of these things combined together have made it a very complex situation, and that's the reason why cyber security has to be taken very seriously.

Karissa (27:10)
Fair to say, Shishir, that moving forward people will adopt more accountability? Based on what you've just said, the last two, three years, the complexity is there, more of these attacks. Do you think people will start to take this more seriously, or do you think there's still going to be a process?

Shishir Singh (27:27)
I think rather than relying on the incumbent, I would say a lot of the older technologies, like signature-based, a lot of those firewall-based rules and heuristics, are not going to be effective, right, in today's threat, the complex threat which I just talked about. The time has come where we use the AI-based cyber security solutions to solve some of these problems I'm talking about. Now they have to leverage the same technology used by some of these organisations to make sure that their cloud adoption and some of the digital transformation is not getting blocked because of these attacks I'm talking about. I think people will have to adapt to this one, because we are beginning to see a lot of these bad things happening in the customers' environment and some of this infrastructure getting attacked, and I think people will start taking it very seriously.

Karissa (28:21)
Now, I know that there was a recent lawsuit in Australia by Chubb that highlights the risk for businesses that don't have adequate protections. Can you talk through this, like, what was highlighted?

Shishir Singh (28:32)
Yeah, I mean, if you look at that particular attack, basically the recovery of the ransomware attack, such as cost of forensics, incident response and replacement hardware as inclusions were not specified, outlined in the insurance policy in that particular attack. So there was a big dispute out there as well. The security professionals, both on-prem and externally managed teams, they should be able to explain the financial and the operational risks to the business decision maker. So I saw there was a big gap between what the insurance procurement process was saying and what the risks were actually talked about, or what the policy was actually talking about. So there was a gap between that. But as the threat landscape continues to evolve, the security professionals must be aware of third and fourth party CISOs across the supply chain. Because a lot of times what happens is that you think you're responsible for your own software, but the third party software which comes and gets integrated with your environment, you are also responsible for that. It doesn't matter what it is, including SaaS technology I'm talking about. So I think one of the learnings, at least I put it in my notes, was be aware of your supply chain attacks, be aware of the third party software which is getting integrated, and getting the visibility of that is really, really important.

Karissa (29:58)
And so you said there was a gap. Can you explain what was the gap specifically, that you can share?

Shishir Singh (30:06)
It was about what they found, that the victim, they cannot claim the cost incurred in the cleanup and recovery from its ransomware attack. So the gap was basically the cost which was supposed to be covered by cleanup. I think that was not covered, as the forensics, the incident response and replacement hardware as inclusions were not specifically outlined in the insurance policy. I think that was the gap, is what I'm talking about. And this is, again, whatever I have read about that particular attack there.

Karissa (30:34)
So what do you think, like, moving forward then? Do you have any sort of hypothesis? We've touched on a number of things today, whether it's accountability, it's having the visibility, it's ensuring that we're looking at fourth party risk, third party risk. Is there anything that you'd like to share that you sort of think about as we now transition into 2023?

Shishir Singh (30:58)
So here's what I think: you need to simplify your IT operation. I think that's the important piece of it. I would say that you also need to think about it in four categories. Let me summarise this way. If you think about your ransomware and IoT and OT, you need to have a very powerful MDM solution out there. The second part is having the prevention-first approach is important, and having an AI/ML based technique for protecting your endpoint and network is the first principle. So get your ransomware, IoT and OT in control. The second one is about data leakage and insider threat. And this is where I was trying to explain the Zero Trust framework and having EDR and XDR type of capabilities to give you insider threat and prevent you from any data exfiltration with insider threat. All of that needs to be controlled. And when I say Zero Trust Framework, for your listener, I want to make sure that part is clear. Zero Trust basically can be defined in three parts.
The one is the secure connectivity from your managed unmanaged devices, from your remote offices, branch offices, into the cloud framework, right? Shishir Singh (32:12) If you're trying to access any applications which are hosted in the cloud or if that application is hosted in your data centre, this provides a secure it basically provides a policy framework where you can access these applications based on what you're authorised and what you can make use of that. So that's the number one. The second part of Zero Trust is all about providing a very rich threat detection or the pipeline of the threat detection. The first one is the file based detection, IP based detection, the static based detection or sandboxing based detection. All of that needs to be very well defined. So when your traffic gets into this threat detection pipeline and when it comes out, it's all the second part of Zero Trust Framework is all about the data awareness, who is using your data, where your data is right, so that you have the complete visibility and you can provide the analytics. So that's how the Zero Trust framework is what I mean. And that is really important in the context of the modern technology. The third one is about supply chain and zero. This is where I think the solution like managed XDR, where you can have 24 by 7365 days, somebody monitoring it has to be a holistic approach. Shishir Singh (33:30) It has to be based on AIML technique as well as based on the human intelligence, the expert SoC analyst who can actually give you all the visibility of all the supply chain and any kind of a zero day which is happening in your environment. You need to detect early because most of these attacks move laterally in that. 
And the last piece is about the regulatory and the compliance thing, understanding your attack surface, understanding some of the risk and resiliency is important from the compliance point of view where your data is, is your data leaving the airspace, how your data is being used. So that is my recommendation. This is how people should actually put in the four buckets to protect themselves much better. Karissa (34:11) And just a quick question on the Zero trust. There's a lot of vendors out there talking about zero trust now some say some vendors aren't doing zero trust correctly. Depends on who you ask. So would you say that people's definition of how they do zero Trust and how they implement zero trust is fundamentally different depending on each vendor, each service. Shishir Singh (34:33) Provider, I would say the fundamentally they're looking at those three things is what I just talked about. There could be a different form and shape of that one. But the zero trust use case is basically the VPN replacement is one. The second one, as I mentioned about the Granular policy management, you need to have a Zero trust policy and based on any behaviour anomalies you see, you should be able to enforce the Zero trust policy in those kind of traffic for those kind of users and applications, right? You need to make sure some of these users, applications and services are mapped in one bucket in category so that they can have a different policy set. Having an end point posture assessment, I think that's another part of the Zero Trust. Having this kind of stuff will give you much more powerful policy enforcement based on the context, based on the geolocations, having a real time visibility and investigation is also important part of the Zero trust framework and the last two, three things is about the productivity and the collaboration. We depend on collaboration heavily nowadays. 
So having a collaborative tools and having to go through some of the Zero trust framework is also important because if I am presenting a data, if I'm having a sharing some slides and somebody basically double clicks my information or the slide, I think that's a loss of data for me, that's loss of my IP here. Shishir Singh (36:00) And the last one is the most supply chain, which is a common use case. I talked about it. So if you look at Zero trust, those are all the important use cases is what zero trust framework supports. Zero Trust is not just buying one product and that product can help you get the zero Trust. It's a much more of a design philosophy. This is the security posture philosophy. You need to think about your network segmentation, app segmentation network, how things are designed, how things can be protected. Karissa (36:29) I think that was a great definition of it because again, people say that they still feel a bit overwhelmed by so many different people talking about Zero Trust. So anytime people bring it up, I always like to ask. So thank you so much for your time, Shishir. I think it was really valuable and insightful conversation because again, it's very easy to default to generic answers, so I really wanted to get one, two levels deep to really explore that and what that means for people who are listening. So thank you so much for coming on the show today. It was an absolute pleasure and I can't wait to get you back. Shishir Singh (37:01) Thank you so much. Thank you for having me. Appreciate it. Karissa (37:04) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by Mercksec, the specialists in security, search and recruitment solutions. Visit Mercksec.com to connect today. If you'd like to find out how KBI can help grow your cyber business, then please head over to KB Dot digital. 
This podcast was brought to you by KBI Dot Media, the voice of Cyber.