Speaker:
Vishal Salvi, CISO, Infosys Ltd

Vishal Salvi, CISO at Infosys, kicks off our summit with a review of the cybersecurity landscape in India, highlighting the state of the cybersecurity solutions and services, and the effectiveness of contemporary technologies. Have those technologies helped practitioners adequately counter threats to their organizations? The session details recommendations on effective countermeasures and the optimal approach to dealing with emerging attack patterns.

Speaker:
Rajnish Gupta, Regional Director, RSA

Cybersecurity is entering an age of chaos, where small intrusions have secondary and tertiary effects never before anticipated. Most organizations are shifting their focus from dealing with cybersecurity as a technology problem to a business problem. Organizations must now plan for chaos; and chaos could manifest in various ways, from an increase in unexpected expenses and budgetary constraints to a mere rise in cyberattacks.

This session reviews:

• Fighting the battle at the right time, with the right approach;
• Assessing risk management;
• Prioritizing investments in line with business goals; and
• Developing a collaborative approach to tackling multifunctional challenges.

Speaker:
Krishna Sastry Pendyala, Exec. Dir., Cyber Security Incident Response & Digital Forensic Service, PwC

The dark web has become synonymous with cybercrime, with a burgeoning underground economy for data, attack tools and malware flourishing in the parts of the internet inaccessible to the World Wide Web. Sophisticated hierarchies and support mechanisms that mimic real-world organizations have transformed the launch of a cyberattack from an art - the preserve of highly skilled hackers - to a commodity service available to anyone with minimal technical skills, who can launch an attack for as low as $5.

Malware-as-a-service and its better known cousin, ransomware-as-a-service, have successfully evolved in this environment, driven by the potential of massive financial gain and low risk.

The session addresses:

• Building a better understanding of malware-as-a-service;
• Mapping the risks from the dark web and responding to the challenge; and
• Building proactive defenses.

Speaker:
Amit Sharma, Additional Director at Office of Scientific Advisor to Defence Minister, Ministry of Defence

Born from nation-state espionage, hundreds of tools and services are now available for assembly into custom-built attack suites fit for almost any purpose at scale. As these attacks gain momentum and sophistication, with India as a target, we need to adapt our defenses accordingly. We must understand how attackers function, drawing parallels from fighting terrorism and emulating the model to apply to the nation's information security charter.

This session features a discussion around:

• The current statistical scale and scope of targeted attacks;
• The threat actors executing these attacks and their motivations for doing so, including making money, obtaining personal identity information and waging terror;
• The types of valuable data and/or critical infrastructure attackers are targeting; and
• Where resources should be focused to defend against these evolving threats.

Speaker:
Apurva Jain, Regional Sales Manager, Darktrace

From insiders to sophisticated external attackers, the cybersecurity threat is already inside your network. A new approach to cyberdefense is needed. Based on unsupervised machine learning and probabilistic mathematics, new "immune system" technologies are capable of learning the "self" of an organization.

Rules and signatures are not keeping pace with today's rapidly evolving cyber-attacks, and the enterprise immune system represents a fundamental step-change in automated cyberdefense.

This session reviews:

• How new machine learning and mathematics are automating advanced cyber defense;
• Why 100 percent network visibility businesses to detect threats in real-time; and
• How smart prioritization and visualization of threats allows for better resource allocation and lower risk.

Speaker:
Ashish Sud, Head, Western Region, Sophos

Point products can stop individual elements of an attack, but they can't protect your data, devices and network from sophisticated, coordinated cyber-attacks. Additionally, overstretched IT departments struggle to respond to attacks fast enough. This is where so-called "synchronized security" can enable defenses to be as coordinated as the attacks they protect against, by automating threat discovery, analysis and response.

This session reviews:

• The need for eliminating silos;
• How threat discovery, analysis and response can synchronize security; and
• Where automation can help in the exchange of threat information.

Speakers:
Ankur Kushalka, InfoSec Practice Head, Atos India Ltd.
Ashutosh Jain, CISO, Axis Bank
Cdr. Mukesh Saini, Head-IT Security, Essel Group
Geetha Nandikotkur, Managing Editor, Asia & the Middle East, ISMG
Vishal Salvi, CISO, Infosys Ltd

In the wake of ransomware attacks such as WannaCry, what lessons must India learn? While WannaCry was not particularly sophisticated or stealthy, its impact was widespread. That's because of the techniques used to rapidly distribute the malware, as well as the failure of so many organizations to get security basics right.

Panelists discuss why CISOs must adopt a "wartime mindset" and lead the way to developing more effective security action plans. What are the best practices to adopt in the fight against ransomware? What kind of preventive measures are effective?

In this session, experts address:

• How easy it is to become a victim, and what steps can be taken to mitigate this risk;
• Engaging with law enforcement;
• Proactively protecting systems against such attacks; and
• Recovering from a ransomware strike.

Speaker:
Prashant Mali, President & Founder, Cyber Law Consulting (Attorneys & Advocates)

Too many organizations continue to address breach response from a reactive mode - having a crude disaster-recovery plan in place in case something "does" happen, rather than accepting that something "will" happen and proactively preparing for it. Once a security incident has occurred, the security incident response team is focused on identification, containment, eradication and recovery. In other words, they are trying to get operations back to normal. The preparation phase is the time to thoughtfully consider and research the legal decisions required during a security event. Legal considerations to include in the incidence response plan include the pertinent laws and regulations, what to do if prosecution is a possibility and maintaining advocate-client privilege.

It's critical to understand what well-prepared organizations are doing right when it comes to proactive interaction with law enforcement, information sharing and breach investigation and response.

The session will discuss:

• Lessons learned from case law involving breached entities that have run afoul of the law;
• Recommendations for a contextualized breach disclosure regime in India and the impact of GDPR;
• Data breach prevention, readiness and response.

Speaker:
Harshil Doshi, Security Strategist, Forcepoint

Human behavior is complex, and it's the weakest link in the cybersecurity chain. This session explores how using an amalgamation of technology based on behavioral analytics and risk modeling can help organizations change the ways they view, perceive and remediate insider risk before it becomes a threat or an attack. By using technology that understands the rhythm of the people and the flow of data, organizations can build baselines of behavior, detect outliers and sniff out indicators of risk based on artificial intelligence, machine learning and a host of other behavioral models.

This session reviews:

• Understanding and adopting human behavior as a parameter for security controls;
• Building a behavioral baseline using AI and machine learning; and
• Applying risk-adaptive protections to insiders.

Speaker:
Dr. N. Rajendran, CTO, National Payments Council of India

As many as 44 banks in India have migrated to the Unified Payments Interface to enable their customers to instantaneously transfer funds.

With the ease of funds transfers also comes increased security risk from the digital infrastructure and the associated integration challenges across core banking technologies of different banks.

This session looks at how proactive security and fraud management is built into UPI's architecture and the preventive controls it uses. It addresses:

• The real story of how UPI is secured and how it can ensure seamless, secure transactions in the digital economy;
• The use of multifactor authentication for a secure transaction at the back end; and
• The concept of the virtual payment address as a unified identifying factor.

Speaker:
Brijesh Singh, Inspector General of Police (Cyber) and CISO, Maharashtra

The Union Home Ministry acknowledges that India is increasingly susceptible to international cyberattacks, and the increasing move toward digitization means that security experts in law enforcement need to become adept at investigation, detecting and thwarting cybercriminal activities. While most countries have been successful in protecting the physical space by establishing credible deterrence to thwart crime, it's been a challenge to ensure cybercriminals are identified and prosecuted.

It's getting much more difficult to identify or locate criminal use of the internet because of its inherent anonymity and the use of sophisticated encryption techniques. Additionally, many crimes today have a digital evidence component, which means the integrity of the digital evidence must be protected. Against this backdrop, how do we ensure that all stakeholders collaborate and respond collectively to enable law enforcement to tackle cybercrime effectively?

This session addresses:

• How law enforcement is empowered to tackle new-age crimes and cybercrimes;
• The training and capacity-building of law enforcement; and
• Learning the art of responding to cybercrime through innovation.

Speaker:
Y.V. Ramana Murthy, GM & Group CISO, State Bank of India

The e-commerce and digital payments industry in India is evolving. The next generation focuses on futuristic solutions like hyper-local commerce, innovative mobile platforms and an omnichannel experience. Banks have been witnessing increasing customer interaction through the mobile channel, and the inclusion of UPI this year in Indian banking platforms has boosted this trend. Beyond the demonetization move by the government of India, there has been an increased impetus to move to digital transaction models and a cashless economy.

There is an imminent need, therefore, to look at the security robustness of the cashless payments infrastructure and the potential for fraud, even as adoption increases. New authentication strategies and robust frameworks for securing new digital payments innovation are proving necessary. From a CISO's point of view, it is critical to identify the weaknesses in the system and the potential risk for adopters.

This session outlines:

• A practitioner's view on the security of the changing digital/cashless payments landscape
• Understanding the emerging risks from new platforms and their liabilities
• Future authentication and risk strategies

Speakers:
K. K. Mookhey, Founder & CEO, NII Consulting
Krishna Sastry Pendyala, Exec. Dir., Cyber Security Incident Response & Digital Forensic Service, PwC
Ravikiran Avvaru, CISO, Toyota Kirloskar
Shivkumar Pandey, CISO, Bombay Stock Exchange LTD

Equifax, the credit reporting bureau, recently revealed that hackers had stolen the data of 145.5 million Americans, as well as millions in the U.K. and some in Canada.

Like many high-profile breaches, the Equifax breach was caused by a failure to update software components that were known to be vulnerable.

Protecting systems is one thing, but how can data be truly protected so we won't see another massive breach? What are the lessons Indian organizations need to learn from this breach?

The panel features discussions around such questions as:

• What are the long-term implications of the Equifax breach in India?
• Is complacency the enemy?
• What are the key steps to complying with breach reporting?
• Does one size fit all when it comes to breach prevention and response?