By Jack Porter
Earlier this year the Indian government issued new directives requiring organizations to report cybersecurity incidents; the types of events and incidents covered are listed below. The requirement was introduced by India’s Computer Emergency Response Team (CERT-In), which states that it has identified specific gaps that make security incident analysis and response difficult and that closing them requires more aggressive measures.
The strict reporting requirement entered Indian law in June 2022, under section 70B of the Information Technology (IT) Act, 2000. For Micro, Small, and Medium Enterprises (MSMEs), however, an extension was granted, and the requirement came into effect for them in September 2022.
Instant Notice About Incidents
The most notable new requirement is that any internet service provider (ISP), intermediary, data center, or government organization must report these incidents to CERT-In within six hours of noticing them.
The same applies to incidents reported to these entities by third parties, so service providers must ensure that incoming tips are not lost or ignored but are processed and evaluated in accordance with the new directive.
The types of cybersecurity incidents that have to be reported include:
- Targeted scanning/probing of critical networks/systems
- Compromise of critical systems/information
- Unauthorized access to IT systems/data
- Defacement of a website or intrusion into a website and unauthorized changes such as inserting malicious code or links to external websites, etc.
- Malicious code attacks such as the spreading of viruses/worms/trojans/bots/spyware/ransomware/crypto miners
- Attacks on servers such as database, mail, and DNS servers and on network devices such as routers
- Identity Theft, spoofing, and phishing attacks
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Attacks on critical infrastructure, SCADA and operational technology systems, and wireless networks
- Attacks on applications such as E-Governance, E-Commerce, etc.
- Data Breach
- Data Leak
- Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
- Attacks or incidents affecting Digital Payment systems
- Attacks through malicious mobile apps
- Unauthorized access to social media accounts
- Attacks or malicious/suspicious activities affecting cloud computing systems/servers/software/applications
To support coordinated incident response under this directive, the entities mentioned above are required to connect to the NTP server of the National Informatics Centre (NIC) or that of the National Physical Laboratory (NPL) and synchronize their system clocks with it, so that timestamps in reports and logs are consistent across organizations.
Finally, all system logs of service providers must be maintained securely within Indian jurisdiction for a rolling period of 180 days and must be provided to CERT-In along with any security incident report or whenever the agency requests them.
What are the challenges?
While the Indian government’s intent is noteworthy, complying with this directive will require organizations to increase their workforce and devote significant management time to meeting the reporting requirements.
There is an industry-wide shortage of skilled cyber security professionals, and considering that a typical organization experiences several cyber-attacks daily, reporting each of these attacks to CERT-In in the prescribed format could pose an operational challenge.
It is widely suggested that automated incident reporting platforms, which let organizations submit their incident reports to CERT-In seamlessly, could help ensure more effective implementation.
The implementation and impact of these requirements, it seems, could prove a challenge. But there are ways to navigate these.
Solving the challenges that lie ahead
Six months on from the new legislation, Logpoint has seen an increase in engagement from end-users and MSSPs looking to implement a Converged SIEM platform to help them meet the strict requirements.
A Converged solution empowers an MSSP: it can harness and enrich SOC data using automated playbooks, freeing tier 1 analysts to carry out value-add tasks such as threat hunting. By striking the right balance between people and technology, MSSPs can reduce burnout, diminish alert fatigue, and relieve analysts of laborious tasks, increasing productivity.
Of course, as with any collection and storage of data, there are compliance requirements, such as GDPR in the EU. In India, the Information Technology Act, 2000 currently governs data protection, and the Reasonable Security Practices and Procedures and Sensitive Data or Information Rules, 2011 (the Data Protection Rules) also fall under the IT Act.
Moving forward, India is taking a leaf out of the EU’s book with a Personal Data Protection Bill (PDPB) or Act (PDPA), which would control the collection, processing, storage, usage, transfer, protection, and disclosure of personal data on Indian residents.
How to ensure that threats detected are sent on time – Playbooks
To put it simply, with Logpoint all you need is to run an automated playbook. The analyst builds a playbook, either alone or with the help and guidance of Logpoint, that automatically formats all the data in an incident and then, upon the analyst’s confirmation, creates a report and sends it to the authorities (CERT-In). This playbook can be triggered every time a threat is detected.
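As an added example (not Logpoint’s or CERT-In’s code), here is the playbook step described above sketched in Python: it formats a detection into a report record, computes the six-hour reporting deadline from a timezone-aware "noticed" timestamp, tracks the 180-day log retention date, and gates sending on analyst confirmation. The report field names, the category tags and the sample incident are assumptions, since the page does not give CERT-In’s prescribed format.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Category tags are our own short labels for entries in the directive's list above.
REPORTABLE = {"ddos", "data_breach", "ransomware", "website_defacement",
              "unauthorized_access", "phishing"}
REPORT_WINDOW = timedelta(hours=6)    # report to CERT-In within six hours of noticing
LOG_RETENTION = timedelta(days=180)   # logs kept for a rolling 180 days
IST = timezone(timedelta(hours=5, minutes=30))  # Indian Standard Time


@dataclass
class Incident:
    category: str
    noticed_at: datetime      # must be timezone-aware; host clock synced to NIC/NPL NTP
    summary: str
    log_ids: list = field(default_factory=list)
    analyst_confirmed: bool = False   # the playbook sends nothing until this is True


def build_report(inc: Incident, now: datetime) -> dict:
    """Playbook step: format the incident record into a report.
    Field names are assumed placeholders, not CERT-In's prescribed format."""
    if inc.noticed_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    if inc.category not in REPORTABLE:
        raise ValueError(f"category {inc.category!r} is not on the reportable list")
    deadline = inc.noticed_at + REPORT_WINDOW
    return {
        "category": inc.category,
        "summary": inc.summary,
        "noticed_at": inc.noticed_at.astimezone(IST).isoformat(),
        "deadline": deadline.astimezone(IST).isoformat(),
        "hours_remaining": round((deadline - now).total_seconds() / 3600, 2),
        "overdue": now > deadline,                  # escalate: six-hour window missed
        "log_ids": list(inc.log_ids),               # logs attached to the report
        "logs_retain_until": (inc.noticed_at + LOG_RETENTION).astimezone(IST).isoformat(),
        "ready_to_send": inc.analyst_confirmed,     # gate on analyst confirmation
    }


def demo(confirmed: bool = False, hours_later: float = 4.5) -> dict:
    """Constructed sample: a DDoS noticed at 09:00 IST, evaluated hours_later later."""
    inc = Incident("ddos", datetime(2022, 11, 14, 9, 0, tzinfo=IST),
                   "Volumetric DDoS against the public web front end",
                   ["fw-2022-11-14-0001"], analyst_confirmed=confirmed)
    return build_report(inc, inc.noticed_at + timedelta(hours=hours_later))


if __name__ == "__main__":
    print(demo(confirmed=True))
```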
With Logpoint Converged SIEM, analysts can rest assured that they have all the tools they need under one roof. SIEM+SOAR, UEBA, and BCS for SAP are all included and ensure that analysts have the capability to detect, mitigate, and respond quickly using automation and dashboards.
If you require assistance with playbook creation and implementation – Contact us here.