HDFC Life is a joint venture between HDFC Ltd., one of India’s leading housing finance companies, and Abrdn Plc (formerly Standard Life Aberdeen Plc), a UK-based global investment company.
Established in 2000, HDFC Life offers a range of insurance solutions including Protection, Pension, Savings, Investment, Annuity, Health, etc., to both individuals and groups. As per the last update, it maintains 38 individual and 13 group products, along with 7 optional rider benefits, catering to the diverse needs of customers.
It has a pan-India network served by 372 branches and additional distribution touch-points through over 300 partnerships comprising traditional partners such as NBFCs, MFIs and SFBs, including new-ecosystem partners.
As a financial sector company, it holds a large amount of sensitive customer data. Trust and security are two key factors in customer retention for any financial sector company. With the rising sophistication of attack vectors and an ever-widening attack surface, safeguarding the valuable data and information assets of their organisations is nothing less than a nightmare for security practitioners. HDFC Ltd. is no exception.
Security teams have long been grappling with this elephant in the room. On one hand, it is imperative to test the strength of the organisational defence through organised red and blue teams; on the other hand, it is equally vital to have a clearer, practical picture of the organisation’s preparedness to sustain a real attack. To that effect, a Breach & Attack Simulation platform helps a great deal. It performs the critical functions of red and blue teams, but in an automated way.
Sharad Sadadekar, Sr. Vice President and Group CISO of HDFC Life, says, “To gauge the security posture on-demand and on the fly without engaging any partner/vendor, is the mission. Breach & Attack simulation provides the necessary performance metrics to know if security is in a solid state to withstand a real incident.”
Leading a team of 30 infosec professionals, Sharad was looking for a platform that is proactive, gives visibility, and helps the company transition from manual to automated so that it runs continuously and not as a one-time exercise.
“Manual advanced persistent threat (APT) testing is simply ineffective in most rapidly evolving contexts. The dynamism of most networks makes the manual approach fundamentally flawed,” says Sharad.
Breach & Attack Simulation makes it possible to simulate, validate and remediate every hacker’s path to the crown jewels. The platform deployed by us continuously exposes all attack vectors from the point of breach to any critical asset, acting as a fully automated purple team. It also provides complete visibility to put the defences to the test, protect proactively and gain knowledge on effective improvement.
“During the course of deploying the platform, many configuration changes and additional modules were implemented/upgraded to match the MITRE ATT&CK framework. Not only did we implement the solution, but we also integrated it with the Security Information & Event Management (SIEM) tool so that any simulation that is not detected can be prioritized to re-align with the correlation rules,” explains Sharad. “This helped us in revisiting the SIEM detection capability every month rather than quarterly or bi-annually,” he adds.
The choice of solution and its integration at the right place have helped HDFC Life get a great ROI not only from this implementation but also from its Security Operations Centre (SOC).
But what about investment? Most technology and security implementations hit this strong wall, and budget always plays the spoilsport. In this case, HDFC Life indeed had to commit a fresh investment to procure the platform and also to integrate it with an existing solution. “It involved many POCs with different vendors on stringent and defined criteria.” The key criteria included:
- Effectiveness of existing solution and its configuration
- Scorecard evaluation
- Coverage on the basis of MITRE ATT&CK
- Graphical representation of attack vectors alongside tactics and techniques used
- Attack coverage
- Integrated reconnaissance phase
- Support, technicalities, cost, and, of course, a strong justification for ROI
After the evaluation of about 75% of platforms, a score rating was developed that also included people, process, and technology criteria.
The cost of cyber defence is rising year over year. With the increasing costs, it is important to not only have an impact assessment but also ensure that the security controls are producing a good return on investment (ROI).
Sharad and his team were meticulous in this task and used the solution to the fullest. “The deployment gave us proactive detection of any misconfiguration using an ‘On-demand’ assessment without any dependency on the OEMs. The Mean-Time-To-Detect (MTTD) for any misconfigurations was significantly reduced as compared to the manual approach for critical services like email and endpoint security,” adds Sharad.
The deployment provides an overall effectiveness score and benchmarking. It has also automated threat intelligence-led testing, with the immediate threats module updated daily with new threat assessments. Using the MITRE ATT&CK framework as a reference, the security team at HDFC Life can now use automated assessments in addition to crafting assessments that validate specific use cases.
Summarising the entire journey, Sharad feels that the key security gaps can be immediately exposed and subsequently remediated by following the mitigation guidelines provided by the Breach & Attack Simulation tool. “The concept is sustainable by the frequency of simulation being scheduled when new emerging threats are released on the platform. The solution we deployed is adding more features to cover the changing threat landscape. In the future, end-to-end integration is expected with the kill chain, thus providing an overall organizational attack surface with blast radius analysis,” he concludes.
NOTE: This story is based on the nomination submitted by Sharad Sadadekar for the 8th Annual Dynamic CISO Excellence Awards 2022. Sharad and his team won the Dynamic CISO Visionary CISO Award 2022 for this