
25 Years in Cybersecurity & Building Security Teams

BSides Mumbai · 2024 · 40:01 · 322 views · Published 2025-03
About this talk
Ravi Burlagadda, Senior Vice President of Information Security at Jio Platforms, shares insights from 25 years in cybersecurity spanning consulting, product security at Microsoft, and large-scale platform security. He covers building and leading effective security teams, overcoming organizational challenges, emerging trends including IoT and supply chain security, and the critical importance of investing in security talent and compliance.
Original YouTube description

BSides Mumbai 2024 - Keynote Session

In this inspiring keynote, Mr. Ravi Burlagadda, Senior Vice President - Information Security at Jio Platforms Limited, takes us through his 25-year journey in cybersecurity. He shares invaluable insights on:
- Building and leading security teams
- Overcoming key challenges in cybersecurity
- Lessons from 25 years of InfoSec experience

Speaker: Ravi Burlagadda, Sr. VP - Information Security, Jio Platforms
LinkedIn: https://www.linkedin.com/in/raviburlagadda/
Event: BSides Mumbai 2024
Topic: Lessons from 25 Years in Cybersecurity & Building Security Teams

Official Website: https://www.bsidesmumbai.in/
LinkedIn: https://in.linkedin.com/company/bsidesmumbai
Instagram: https://www.instagram.com/bsidesmumbai/
Twitter/X: https://twitter.com/BSidesMumbai
WhatsApp: https://chat.whatsapp.com/FOLa4NT7zHQ7AoDx4CgwEa
Discord: https://discord.gg/2KRGQWBGR3

Transcript [en]

Let's call upon Ravi Burlagadda.

Hi, hi guys. Are you able to hear me? Yeah. First of all, thank you so much to BSides Mumbai for inviting me here; it's a privilege and an honor to be with all of you. They asked me to summarize, to share about my experience, my journey of the last 25 years, and then how to build the security team and what challenges we face. I don't have any PPT; I hope you are okay with that. Is it audible? Yeah. I'll leave time for more questions at the end, so that we'll have a more interactive conversation.

Briefly, I spent 8 years with the consulting world in TCS, 7 years with Microsoft and the product landscape, and the last 10 years with Jio Platforms. It's a mix of all, with disrupting, making sure that we disrupt and contribute to India. That's where my role is. I'm one of the security leaders in Jio, and I'm heading multiple platforms: the application security vertical, the architecture security vertical, DevOps, identity and access management, and PKI infrastructure. These are the different verticals for Jio Platforms, Reliance Retail, all; there are multiple subsidiaries within Reliance Industries. For some of the industries I'll be contributing, providing security services to all the departments. That's a little background about myself and what I'm doing.

When I started my journey, I started as a developer. As we always say when we interview, when we try to hire, when we give coaching and importance to the different youngsters, I always say that you need to have a little development experience. Without my knowledge, I myself started my career with development experience. As a college fresher I joined TCS, and as you know, TCS gives the training in Trivandrum and then deploys you in the project. How many people have experienced or heard this story? Yes. When I started

this one, they gave me the opportunity to work on Linux kernel programming. Indirectly, it's not by blessings, indirectly I got the opportunity to learn about kernel internals. And over time that part gave a little insight into how to change my portfolio from a developer to a differently skilled professional. I utilized the opportunity. Why am I giving this? Let's say there are many people in the development stack or security monitoring, different verticals, and they have different aspirations. Why I'm trying to give this as an example: utilize whatever opportunity you have, try to build on it, and you will get the opportunity to expand your skills.

Excuse me. With this Linux kernel internals, later on I spent most of my time in the entire Linux environment. My five-year journey was totally in Linux. I will give you an example: it took about 10 working days, or 10 to 15 working days, to explore the command of exart or Statics. I'm talking about the '99, 2000 time frame. There were no people who would guide us or help us with that, because it's self-learning. Why I'm giving importance to this: especially security enthusiasts, security researchers, bug hunters, ethical hackers, whoever wants to pursue their career, who wants to build their career in the security domain, you have to be consistent and persistent to fulfill your interest and move towards it.

As you know, the TCS world is a consulting empire. It's one of the pioneers and one of the greatest companies where consulting is the business, and it bagged many huge businesses. But I got the privilege to work in the development vertical of TCS. During that phase we built the PKI infrastructure, public key infrastructure, and it became one of the certifying authorities within the country. Then later on, after spending

some time, Microsoft was looking for security professionals. They were looking for someone who has hacking skills, where they were least bothered about the background, because I had never worked on Microsoft technologies; I'm totally an open source guy. The new founder, he visited in Hyderabad; I was totally motivated toward open source. I did hate Microsoft at one point of time. As this was one of the opportunities, or one of the professional commitments, my company wanted to bag the business from Microsoft, and they asked me to participate in the interview call, because Microsoft, even when there's a business relationship between Microsoft and TCS, always interviews and selects the candidates. There are a lot of rejections. TCS, you may have heard of the TCS seeps is there; I'm based out of Hyderabad. I got the opportunity because I took the challenge. It was a security profile, that's the only interest. I spent time and tried to understand it, I cracked the interview, and they selected me. Then I moved there to Microsoft, and from the 2002 4 time frame onwards, for another two or three years, I worked as a consultant there. Then later on they offered me a role as an employee, and I joined there.

Why I'm giving this story is because opportunity knocked for me. I got the opportunity to learn and to contribute in Microsoft technologies. There are about 2,000, 20,000-plus line-of-business applications in Microsoft. If I'm not part of the application security vertical, if I'm not part of security, I don't get the chance to cover and understand the different landscapes of different sets of applications. I'm not talking about the products; I'm talking about the internal line-of-business applications. So it gave me the opportunity to work on the product stack a little bit, and on line-of-business applications. And along with those applications I worked on Xbox, a little bit of Xbox security, and a little bit on Windows, and then spent some time on security for the Skype and Yammer acquisitions. These are the different gamut I got exposure to in providing security services. Why I'm giving this: you have to use every opportunity, convert it into an opportunity to learn and enhance your security skills. And the security controls, the security recommendations that you provide for line-of-business applications and what we provide for the products are totally different.

Now I'm just fast-tracking: in TCS, when I joined here, they asked me to set up the practice

here. When I'm here, I moved to Mumbai with a one-way ticket flight, sorry, with a plan to stay for only one day in Mumbai. I'm continuing in Mumbai and Jio Platforms for the last 10 years, because every day I'm getting the opportunity to innovate and excel and master new technology stacks and work on new things in Jio. Why I'm giving this example is because in the industry we have a lot of opportunities that you get a chance to work on. Here, the exposure with consulting and products, and here it is disrupting. This is a little background about myself.

What we're trying to say, let me give one: if I give WhatsApp for a review in any enterprise organization, will it clear infosec clearance? How many people raise their hand: will it clear infosec clearance or security clearance? It won't get cleared. But is that the only leading player in instant messaging or not? That is the only leading one. The reason is innovation and customer-friendly business drives. We have to be a business enabler. The more we understand the business, the more closely we understand how we can compete with the competitors, how we can innovate ourselves; then only will you get the answers. And behind the scenes, security will always be the intangible contributor and invisible contributor to the organization. Are you with me?

If we try to see how Jio has expanded in the last 5 years' journey, we have close to 400-plus million subscribers. Did you see any major headlines, especially from a security perspective? The reason is that behind the scenes the security team is contributing, building customer confidence, building the partner ecosystem, and indirectly helping the organization to gain strategic investor confidence as well. When different players are investing into the organization, they do look at the dark web, they do look at what data is lying outside. Why I'm giving this: these are very important for how you can build your careers, whichever stream you are in. You have to understand the business first and help them, and try to build security around the innovation idea.

Do you feel the security controls WhatsApp has are satisfactory or not? They're satisfactory as well. I will give another analogy so that you'll get it. Yes, there are some loopholes; I'm on the defensive, not the offensive side, I'm just pro solving the problems. Coming to the other aspect, when you start about

JioTV or JioCinema: initially, when we launched, there was no sign-up. Did you experience that? There was no sign-in mechanism. The reason is that it was a conscious decision, to ensure how I can give this particular solution to a grandma, or a rala, or a person who doesn't know anything about any technology. He has to click it and start watching his movies. Why I'm giving this example: along with the security vulnerability mindset, the hacking mindset, you need to have empathy towards a developer, empathy towards your customer, be customer-focused, so that we can jointly... it will give the opportunity to learn new things. This is a challenge: how to address that.

To continue the same story: initially there was a risk appetite, jointly as a security organization and a business organization. We took skip sign-in, SIM-based sign-in, for 100 to 200 million subscribers. The moment the risk is shooting up, the moment the user base is shooting up, then we introduced that it's mandatory OTP-based. Then after 300, 400, we tried to introduce single-device binding or multiple devices, so that the organization, as a solution, is doing that. You need to add more security controls along with the business.

Why I'm giving this: especially when you talk to the CXOs, the non-security CXOs, and we talk about security, they don't understand. The CXOs don't understand what we are trying to say about why this is a vulnerability. "If you have to exploit this vulnerability, he has to enter into the system, he has to know the tokens, he has to know..." There are many reasons the CXOs don't buy in. You have to find the mechanism for how to convince them and how to understand their side's perspective. When we showcase the value towards that, they will be more than happy to help you; the organization will support you. Each one is different. For example, there are some small startups, there are midsize entities, there are MNCs. They may have budgets for security for different departments, or they may not. Why I'm giving these tidbits are slores: every conversation, every business interaction is a challenge.

I will give another two or three examples. For example, when COVID, when the lockdown happened, do you know about

in Jio, or anything, to issue a SIM card, to have customer care, the call centers work in a fixed location. Do you agree or not? All call centers work from a fixed location. When there's a lockdown, and from the next day onwards they have to operate from home, they don't have laptops, they don't have iPads. We have to find a mechanism to avoid any business disruptions, and at the same time it is a duty of security to safeguard the customer data, because call center people are privileged to see all the call records. When you make a call, he has to open the record and it will be available to him. We have to ensure that security is taking care of protection from the customer perspective as well. So we have to innovate and think about how to do that, like masking, so none of the data will be visible. These are security controls where we can help. Without having a single day of disruption, we enabled them to do it the Citrix way or the VPN tunnel way, different mechanisms, and ensured that they don't see any data; before accessing any customer data he has to validate with the OTP. These are the different, innovatively, specific to that particular situation; we have to help them and try to do that. That's another scenario.

I will give another scenario. For example, IPL matches: two to three years before, when anyone bagged the license from the IPL, it was a paid one. Hotstar or other things were paid. When Jio entered this, IPL matches were free; they made it free. I'm not interested in the business perspective, I'm talking about a security perspective only. The moment the announcement was made saying that it's free to ever, with that the customer footprint, the throughput, the expected load traveled with 3x or 4x concurrency. When we have a concurrency of 3x and 4x, suddenly the infrastructure has to be increased. Whatever security controls we have, if we continue to maintain the same security controls, how will it impact the user experience? If the user has the experience of "goal, goal, goal", he'll be happy while watching the movie, while watching the IPL match. So we have to balance, excuse me, balance security controls versus innovation, and at the same time slightly tweak some of the controls and help the business to do that. Once it is done, then again we apply the security controls again. Why I'm giving this: it's not lowering; it's understanding the business context and giving the appropriate guidance. That's what I want to share, a little experience about my profile.

How to build, from your team's perspective; especially one topic, how to build the team. As you know, in the security domain, is it possible for any person to learn Java, C++, Python, all the technologies, all the programming languages, Android, iOS? It's not practicable. You may call it jack of all or master of this one; it's very difficult to do that. And the lifespan of any security engagement is hardly one week or two weeks or 3

weeks, depending on the project, but the developer spends about 6 months or one year. When you're trying to secure or enhance a security posture, or you try to hack it, or you try to provide some advisory, your window is very small and their exposure to it is very huge. When we are building that security team, you have to back your team. They are good at hacking, they are good at exploring and identifying the vulnerabilities, but they may not be good at bulldozing. The developer community, the PMO pool, the architecture pool, the business pool, they do bulldoze the security people, saying, "It's not an issue. I don't have to follow this compliance. You are blocking me." As a team we have to empathize, we have to stand, we have to give the right examples to safeguard and protect our own resources.

And on the job, I follow the three mantras. Learn: continuous learning, whatever his experience, his profile, do continuous learning. Along with that one, contribute: learn and contribute. And excel: operational excellence, that's to improve and make existing processes better. I strongly believe that in any organization they'll be having policies, standards and procedures. I believe these standards, procedures and policies have to be living documents, so that they can make changes whenever any employee gives feedback. When business teams give feedback, it will go to the compliance team, and the compliance team will ask the security team and try to enhance the policy documents. That's why I'm saying it's continuous operational excellence. In operational excellence, the security teams need to have helping hands with automation, giving them AI tools. And the last one is innovate. When they have these three metrics, and you give a free power hand to the team members, they will stick to you, they'll be more than happy to be part of the team.

And allow them to grow, exposed to different verticals. Especially in my organization I have the privilege to spend time in retail, then media, then gaming and IoT; there are different ways that we can give the opportunity. I have a liberty there; some places it may not be there. But whenever you have that opportunity, allow them to explore other verticals also, because security geeks, every 6 months, every one year, two years, want to have a change. If you have to build the right people and you want to retain the talent, you have to keep it in mind, so that they grow in the organization. This is what I wanted to touch base on about how to build a team here.

And coming to the... how much time do we have? We have top trends, what I can think about. Excuse

me. Yeah, I just want to touch base on some of what I pursue personally, because you can Google and see what the top trends are, what's happening, what's going around. This is from my own perspective, based on industry, the hands-on perspective.

As you know, with 4G and then 5G and then 6G, the digital footprint will be huge, and there are so many IoT gadgets going to come, and automation will be happening, and local clusters will be there. The way we have cloud transformations will be happening: earlier, before COVID, it was hybrid; from COVID to now it's totally cloud only, it's a mix of all; and going forward, after having 5G and 6G, it is going to be localized. Let's say, for example, a Hiranandani cluster: if they're building these many blocks, they can afford one dedicated connection for their entire population. If a factory or an industry is having that, they can have their own private Wi-Fi. So the changes that we are going to see with 5G and 6G are huge, from the IoT space perspective, the automation space perspective. That is one of the trends we are going to see in the coming year, this year or next year.

And the footprint with the cloud is again changing to the edge: edge cloud, hybrid, then private, then edge cloud, because many entities, especially big MNCs as well, are feeling the pinch of the cost. When the cloud was getting popular, they said you are going to save about 10% cost, you have to spend only 10% instead of spending about 90%, 100% the data center way. But companies are realizing it's not that. Within two years, whatever they used to spend in the data center, in 2 to 3 years they have to spend that much amount. They are seeing that there is no cost benefit. Now again the trend is moving towards the localized one; it's a mix. This will continue.

When AI comes, we always see stories and hear that we will lose the jobs. During 2000, did anyone lose the jobs? It will change; we have to adapt to the new technologies only. Nobody is going to lose it; they have to adapt to the new technologies. Some jobs will become obsolete and some other new jobs will be coming. In 2000 it happened that way, 2007 it happened that way, 2013

it happened that way; in the future also it is going to happen in the same way. AI is a must. Adopting AI is important. Everyone has to be prompt engineers; whether we like it or not, everyone has to be good prompt engineers, knowing how to use AI and see what's happening. The reason for having AI, especially as an individual, is that it will help to increase efficiency, to help to know about before in of it's like your, like a Robo or the new KY um different one what is the name Bui. In the same manner, when you master the AI chatbot, you'll be having a helping hand for how to respond in fast-track mode.

How is it going to disrupt from the cyber security trends perspective? It is lowering the cost for the attacker. From the attacker perspective, earlier if it was taking about 100K or 200K, with AI and automation and affordable tools it is coming down from 100K to 20K, 30K. Whether they want to have a successful social engineering attack, or a ransomware simulation, or a targeted person, how to get hold of their identity, AI is helping the hacker community as well to enhance it and do that in fast-track mode, cost-effectively. That is going to change. In the same manner, we also have to enhance our security stance around that.

That's another. As you know, with the cloud footprint, earlier we knew how many ports are open, how many services are open. Now it is going to be so many services: PaaS services, IaaS services, SaaS services, and each one has its own public IP, its own different ports. Going forward, it is going to be the zero trust model only. Zero trust model in the sense: is it multifactor? Are you recommending multifactor? I'm not recommending multifactor as such, whichever way it is, single factor, double factor, multifactor. What about the zero trust model? Don't trust by default. Have a suspicion model. Design the solutions with a verify model: verify the user, authenticate the user, verify whether they're using the authorized assets or not, from which location he is trying to log in, and what pattern he is following. Define the thresholds. That's what I believe in zero trust. I don't believe in purchasing a tool and then doing zero trust. Our solution should have the right authentication, device management, geolocation, and what is the pattern.

Regularly Ravi used to log in at 11:00 and then at 8:00, and suddenly, one fine day, especially at 2:00 a.m., 3:00 a.m., there are huge hits. That should be the anomaly to throw an alert. It may be a genuine request, but that should be the anomaly for our SOC, our security monitoring, to throw an alert: there is abnormal behavior, why are more requests coming from Ravi's account at 2:00 a.m., 3:00 a.m.? That's what I believe in zero trust adoption, and how it will give the feed to the new generation SOC

systems.

Yes, as I said previously, social engineering attacks and ransomware are another one; IoT I spoke about. And quantum computing: as you know, you would hear about quantum. I've been hearing about it for the last 10 years, I'm hearing about it now also, and it is going to be there in the future also, but quantum computing is going to take some time. At the same time, earlier we didn't have libraries for quantum-protected crypto using the C; nowadays we do have libraries available. Wherever you feel about encryption and cryptography, accessive cryptography, people are using it, like a chat BS or interactive one, for example Signal or WhatsApp or our own JioChat; it uses underlying cryptography which is having RSA and AES. And at the same time, be ready for quantum computing: choose the algorithms, choose the random entropy specific to quantum-safe. That's one way to prepare ourselves to do about that.

And the last one, last two but not least: supply chain. When we talk about supply chain, I don't mean about the... in an organization, do we have Cisco? Many people will have Cisco. Do you have Microsoft, Adobe? There are so many products which are very popular. We take it for granted that they're secure. I believe that the way we treat our line-of-business applications, our products, the way we integrate any OEM product, any volume product, I don't buy us anyone, any entity, any volume product; we have to be a little conscious, a little suspicious: what is the security control you are going to bring to me? You would have seen so many headlines about Microsoft Exchange Server, OA; there were so many breaches in the last one. The reason is that we assume they are secure, they are coming from well-established entities. No. I believe that for supply chain we have to include their applications within our boundary, to cover them within the scope.

And last but not least, privacy and regulatory compliance. In the coming, as the new government, they're going to introduce the policies, and privacy and regulatory compliance is a must, because if a small entity, a startup entity

or midsize entity or MNC case, if you want to compete with world leaders or world-competitive entities, you have to be compliant with their different regulations. If you go for Europe, you have to be compliant with GDPR; if you are in the banking and financial industry, you have to be PCI DSS; if it is in the healthcare industry, you have to be HIPAA compliant; ISO 27000; there are so many compliances going to come, and data localization is going to come. These are very important. You have the foundation controls when you are giving the recommendation, when you are identifying the vulnerability, so that, okay, try to give... somebody we come across, an Aadhaar card is visible, or some PAN cards are visible, or PII data is publicly available. We have to educate the people about why those are available in clear text formats. Why I'm giving you these thrs is because these are very important.

And the next, last one: investing in the people. You need to have cyber warriors, a good set of people who will help you. It's continuous, because you know there's scarcity in the market; you don't find the right people. When we interview people as well, it's very difficult: the right mindset, right skilled people. The organization has to invest; they have to continuously invest in the people. That's what I wanted to touch base on. These are the few trends that I can think about. That's it.

I will open for questions, depending on the time. How much time do you have, actually? Okay, five minutes. Two, three questions. Any questions from anyone? Yeah,

please.

So I wanted to ask, what are your thoughts on insider threats, how do you approach the insider threat, and what are the steps you take to mitigate that?

Fantastic, fantastic. For the benefit of all: insider threat in small, medium and then large entities. As the company grows, the employee pool, the IT pool, the people who have privileged access will be more, so the risk is growing exponentially that way. The best one is, we do have multiple security controls for that. Insider threat is: he will misuse the internal assets, or he will extract the data and steal the data, from the IPR data perspective. For each one we have to address it. First of all we have to list all the risks associated with that, and then whether he has privileged access. DLP will be helpful. Having the least R access is helpful, just in token perspective. When any insider is having access, they have to separate the production data and the development environment. For production and operations, it doesn't matter which role, which title they are in; it has to be justified. Every role, every user has to be justified.

And if anyone is doing privileged operations, for example troubleshooting, or he has to download a report, I'll give an example: TRAI. There's a compliance requirement: we have to share the data to the TRAI devote. This is a compliance requirement, but the data is pretty huge. Even though the same person is doing it, after the activity is completed, it has to be revoked. And when they're communicating the data, we have to use the authorized channel, preferably B2B, and perimeter-level controls and cloud broker controls. There are different things, and continuously monitoring those assets. These are the different controls that we can think about to avoid it.

And security awareness, social engineering awareness, continuously, and making them accountable also, by having the pledge, by having the responsibilities. I'll give you the example of tailgating: if anyone walks in using my card, if you're able to walk in, I can always say that I'm not the one. But when I give my card to you, I'm equally accountable. So a fear factor has to be created in the organization as well, so that he feels that yes, he's accountable. That's a few

recommendation that how we can avoid that any other yeah please sir good morning uh so my question was that uh being a cyber security consultant as you mentioned other than using the facts such as uh as you mentioned about HIPAA and uh n frameworks what are the other roles that cyber security consultant might work and might use in the industry can you repeat again like basically what are the other roles that cyber security consultant uses in the particular industry other than uh the N framework and the HIPAA as you mentioned yeah yeah yeah it's a primarily risk framework okay the uh risk framework will include about that different each one has a each business organization has

a different one like a gaming gaming industry will be having different media industry is having a different banking will be different uh uh from risk perspective all are same from security controls perspective it varies differently okay uh uh our we have to step we we should not have an attachment to the any business organization we have to step back the fundamentals doesn't change the security fundamentals will always remain irrespective of the technology irrespective of the domains authentication has to be there okay their underlying data has to be protected the infrastructure has to be secured how the operations will be there how the data they taking care about that these fundamentals doesn't change we have to keep our

fundamentals whatever we have the security uh uh principles that we follow to access these things we have to keep in mind and accordingly apply to the respective domain especially IA when you touch P about Thea perspective it's a let's say I'll give an example you will understand about that when a patient walk into the uh I had a little experience recently when I went to the uh 40s for health whole body checkup they give him one consent form okay all your reports you are giving the consent to me to give it to my third party for further analysis okay as a patient I walk into the doal he was taking my own consent saying about that I'm ready to give all your

reports to the third party one there is no option to decline about by being the security professional I said I not opting for it I don't want you to give my data to the third party these are why I'm giving this example is saying that HIPAA this healthcare products perspective without your knowledge if you go to the airport B yra how many know that it's an optional many people doesn't know D is an optional only as I said about this awareness is important and when we try to do about the when we try to do about you always saying that is nurse should be required to see all the reports no general physician should see the all

the reports no like a chest specialist can he see the all the reports if you try to see about that really HIPAA way uh Western way look about that only select two sections of the report report can be visible to the authorized doctors they have to earmark of the data sets this data set will be accessible these people this data set will be accessed by these people data set will access out of your own reports that's a real way to implement about that and following the security fundamental principles is the way to handle that and risk framework you pick anything SANS risk framework or any other risk framework and customize it which is you are comfortable there is no

single is a quality only thisis framework what you implement about it it's up to you because you are as a security consultant you are the one who has to justify all the questions all the answers all the recommendation that you're going to give to the client so feel free to customize the risk framework what you come across about that without losing the essence of the broader context one last question done yeah done thank you so much uh offline we can uh have a further discussion if anyone has any questions thank you so much