HDFC Bank, India’s largest private sector bank, has been the front-runner when it comes to digital transformation. Since its incorporation in August 1994, the bank has made significant investments in technology to be on par with global banks when it comes to creating customer experience. The digital roadmap of the bank has been no less aggressive. With its digital strategy centered around increasing efficiency, accelerating geographic expansion, and improving customer convenience and ease, the bank has been second to none. Behind the success of the bank’s digital push is a robust information security strategy that ensures data safety, customer privacy and business continuity. Moreover, cyber security needs to be prioritized along with the business. Mitigating the risk quotient requires new approaches. Muqbil Ahmar (MA), Executive Editor, dynamicCISO caught up with Sameer Ratolikar (SR), Executive Vice President and CISO, HDFC Bank in a free-wheeling chat about the bank’s cybersecurity initiatives and how the changing threat landscape warrants new approaches to mitigate the emerging risks.
MA: What are the challenges facing cyber security professionals in 2019?
SR: Skill set and talent is a major challenge. There is an acute shortage. If you look at the skill development report, there is a shortage of almost 1.2 million information security professionals as new areas shape up in cyber security such as threat hunting, artificial intelligence, crisis management, business continuity, and advanced level of vulnerability management. This is the most important challenge. Moreover, attackers and hackers are also getting innovative. Attackers are also trying to deploy AI and ML to launch new attacks.
Similarly, there is a technological revolution which is happening in the form of the Internet of Things. There will be a plethora of new IP addresses which will become part of your network. The risk is huge. One has to be vigilant and carefully plan the infosec strategy in order to handle the emerging technological landscape as well as the threat landscape. Moreover, emerging regulations like those for data privacy are also challenges facing cyber security in 2019.
MA: What work flow changes and planning do organizations need to ensure foolproof cyber security?
SR: There is nothing like 100% cyber security. It is a myth. We all know that. We just need to focus on four basic elements: protect your organization; detect attacks quickly; respond quickly; and recovery or resiliency. These are the four pillars on which cyber security should rest. In order to make all these four pillars effective we need to make a strategic choice of people, processes and technology. We need to have strong skill sets and the right people to make sure that people related efforts are productive and there is the right organization structure as well as the right budget. We also need to ensure a good amount of visibility and sensitization.
MA: HDFC Bank has been experimenting with modern technologies like Artificial Intelligence (AI) to take the cyber security preparedness to the next level. You have also concluded a pilot in the cyber security arena. How has your experience been in terms of improvement in performance and efficiency?
SR: As far as AI and ML are concerned, we already have many uses for it. We have been using a number of components for quite some time now. We have used machine learning algorithms for our credit card transactions and debit card transactions. As the threat landscape has become more evolved, regulations have progressed and customer demands have taken a different shape. In fact, the digital ecosystem has evolved. I therefore think that there is a need to shift from a typical signature-based approach to a more heuristic and behavior-based approach to resist cyber-attacks. The focus has to shift from reducing the window from days and hours to minutes and seconds. This is our thought process as we embark on this journey of AI and ML.
We have carried out a POC with a well-known company in our environment, covering information assets such as proxies or other core technological components. We got immense value out of that, which points to the difference between a signature-based approach and a behavior-based approach. AI and ML use neural networks and heuristic behavior patterns. I think that by using this, resistance to attacks will become more refined, accurate, and granular. This is what we have observed as part of the picture. We will take forward this journey, not only to cover information security use cases, but also cover cyber fraud and various other use cases such as capacity management and data centers. In my view, there is no limit to using AI and ML. From the point of view of cyber security, we have good visibility now. But it is too early to put any numbers to it but we have got value out of every model. Moreover, the implementation involves a number of things such as a Big Data platform, a data lake, where all the data has to reside and then its deployment. It is an expensive and resource intensive proposition but one has to do it as the benefits are huge. Also, as new technologies such as IoT and Blockchain emerge, the current technology will mature and provide huge benefits.
MA: What characteristics are needed in the cyber security framework in this age of API banking?
SR: Today people are talking about API banking or the open banking system. This is much prevalent in Europe and the United Kingdom. There is a lot of focus on open banking. Traditional perimeters are getting blurred and today one bank is in a position to talk to another bank and become part of the overall payment ecosystem. You need to protect your own infrastructure to combat malware related threats or internal employee based threats and other vectors such as API Injection or rogue APIs or non-authenticated APIs. Such a cyber-security framework will have to revolve around something like the model that we have. Our model stands on the four pillars of cyber, which are protect, detect, respond, and recover. I am sure that as part of protect, there are technologies available to protect your APIs. There are solutions available which keep a track of the APIs being published or consumed. All aspects need to be taken care of.
Apart from that there has to be a system through which an attack through an API or open banking gets detected. Such a protection mechanism has to be in place. The SIEM also needs to be in place as well as a crisis management plan. Response and resiliency mechanisms also need to be factored in. Last but not the least, since the API is an ecosystem element, it is equally important for your ecosystem partners to be sensitized about various security controls and precautions which are needed to be set up. They also need to put in a lot of effort and resources to ensure that their API banking is secure. Such banking has to be a collective approach in my view.
MA: Do you think banks should come together in the form of a consortium and leverage machine learning for cyber security?
SR: As far as AI and ML are concerned, most organizations are in a stage of discovery. They are trying to develop the use cases and create the surrounding infrastructure in the form of a data lake and then probably the journey will start. But there is a substantial difference in the maturity level of organizations. In my view, some organizations or banks have deployed the SOC or the Security Operations Centre. Once everyone is brought to a common level of technological adoption, the question of using an ecosystem or a collective team developed to implement the AI platforms would be more meaningful. But today I don’t think so. I think it will be better to leave it to the individual organizations to take forward the strategy. Ultimately, it boils down to eliminating and removing the attacks. I am sure we can identify common use cases because in banking most of the use cases would be the same. Once we identify use cases and partners, it should be left to the organizations. We also need to keep in mind that it entails a cost. So, the priorities of organizations have to be kept in mind. Implementation should be left to the banks but information sharing can be good.