Kartik Shahani is the Country Manager for Tenable in India. Based in Mumbai, India, Kartik has over 30 years of experience in the IT industry, driving momentum for enterprises. He spearheads initiatives for Tenable in the enterprise security market, manages operations, and continues efforts towards channel activities in India. Kartik has extensive experience in telecommunications, finance, and government sectors. Along with his innovative sales strategies, he is instrumental in driving growth in India.
In an exclusive interaction with The Cyber Express, Kartik Shahani talks about the need for the right cybersecurity tools, the role of CISOs in choosing them, and the best methods to protect Active Directory.
Here is an excerpt from the interview.
TCE: What are the different factors that affect the choice of cybersecurity tools? Also, how can CISOs assess their existing security environment to choose the right tool?
Kartik Shahani: In today’s digital-everything world, organizations operate on distributed, hybrid networks across multiple geolocations, cloud-based infrastructures, applications, virtualized platforms, services, and more. That means that there is a plethora of technologies, assets, and services – some of which CISOs may not be aware of. While attacks continue to increase in sophistication, the vast majority are opportunistic, preying on the fact that most security teams are overwhelmed and unable to address even well-known vulnerabilities. Therefore, instead of disparate tools, it’s important for CISOs to focus on the best practices around cyber hygiene and core security principles as the strongest lines of defense. This includes making sure they have visibility across the attack surface, focusing efforts on preventing attacks and having clear communication of exposure risk to make better decisions.
TCE: What, according to you, are the top cybersecurity tools in 2022?
Kartik Shahani: We see the need for Exposure Management which draws on deep insights into all aspects of the modern attack surface – across assets as things change, and with the context of interdependencies to accurately gauge and prioritize risk exposure. By practicing exposure management, organizations can be equipped to have visibility across the modern attack surface, anticipate threats, prioritize efforts to prevent attacks, and communicate cyber exposure risk to make better decisions.
TCE: What are the key metrics CISOs need to consider while choosing the right cybersecurity tools?
Kartik Shahani: Just as financial investments are monitored to determine their performance, organizations need to monitor their investments in security solutions. But not all cybersecurity products have actionable metrics that quantify cyber exposure. There are five crucial aspects CISOs need to consider:
- Does the solution provide complete visibility — into AD, OT, cloud, business-critical vulnerabilities, and internet-facing assets?
- Is the attack surface monitored continuously?
- Threats change over time, so does the cybersecurity solution have a large data set of threat intelligence to keep up with these changes?
- Is the platform customizable and scalable for the organization’s needs?
- Can cyber exposure be communicated in business terms?
Once CISOs have answers to these questions it becomes easier to communicate metrics in business terms back to the board.
TCE: How does cybersecurity affect data privacy? What are the benefits of using a centralized cybersecurity solution?
Kartik Shahani: When discussing data privacy, we must also consider data security – you can’t have privacy without safeguarding it. The issue is that threat actors know they can monetize their crimes by targeting valuable data. Unfortunately, in the vast majority of cases, it’s not advanced threats that cause organizations to spill their secrets, it’s known unpatched vulnerabilities. If companies want to stay ahead of the curve and avoid becoming a target, they need to appear unattainable to bad actors and that means removing the low-hanging fruit – the known but unpatched flaws in systems and software. Rather than focusing on the tactics threat actors use, organizations must focus on identifying and blocking the attack paths they look to exploit.
TCE: How does a CISO know if they are getting value for money from their investment in cybersecurity tools?
Kartik Shahani: An effective cybersecurity program should be able to measure success by risk reduction. Remediation actions should be prioritized to reduce an organization’s cyber exposure. CISOs should view, validate, and prioritize vulnerabilities critical to the business, while also understanding the context of the vulnerability. Patching and remediation are critical, but equally important are follow-up testing and quality assurance reviews. In doing so, security leaders should be able to analyze the effectiveness of their program and by default, their investment.
TCE: What is your take on the recent slew of attacks on cryptocurrency exchanges? How do you feel about the plan of the Indian government to ban cryptocurrency?
Kartik Shahani: Cryptocurrency is one of the ways cybercriminals are monetizing their efforts – it isn’t the root cause. If we got rid of cryptocurrency tomorrow, cybercriminals would just come up with another way to monetize their efforts. Instead, organizations need to focus on stopping attacks first, starting with basic cyber hygiene.
TCE: Lastly, what is the best step toward protecting Active Directory?
Kartik Shahani: Cybercriminals look for unpatched software vulnerabilities and misconfigurations to gain a foothold in any organization. Once inside the system, attackers often go after the Active Directory (AD) infrastructure to gain lateral movement and compromise other systems. If threat actors gain privileged access to AD, they essentially have the “blueprints to the castle” and can create new admin-level users, add new machines to the network, deploy malware and steal data. The first step to protecting AD is to mitigate misconfigurations and reduce privileged AD group membership and privileged AD accounts. AD must be continuously monitored to evaluate user rights and to detect suspicious activity. Once visibility is achieved, vulnerabilities arising out of trust can be addressed.