Cyble effect: why the cybersecurity company India’s CISOs love to hate may trigger a big shift

 By Nirmal John

ET Prime, Nov 23, 2020, 08:08 AM IST

India’s CISO community is pissed. And rightly so. As if fighting an assortment of attack vectors malicious actors unleash from across the world and wrestling with their management and boards for more money to defend their company weren’t enough, chief information security officers (CISOs) have something new getting their goat. Cyble Inc, an Atlanta-based company, has been getting under their skin, slowly and steadily, over the last many months. It employs a number of Indians and is co-founded by Beenu Arora, an NRI. Arora, who has become something of a hated figure for many, has been in cybersecurity and consulting for the best part of a decade and a half. He joined an executive MBA offered jointly by the London Business School and Columbia Business School, which he claims gave him the impetus to start Cyble.

The reason CISOs are annoyed is that they feel Cyble operates in a manner reminiscent of old-school villains. According to conversations with multiple CISOs, the following is Cyble’s modus operandi:

1. Find a cache of leaked data on the dark Web.
2. Connect with the company in question and inform it of the breach.
3. Offer Cyble’s services.
4. Else, publish the news about the discovery on its blog.

There may also have been instances where step four comes even before informing the company in question, according to those ET Prime talked to. This leaves companies in a quandary as to how to tackle the fallout and pushback from the public as well as regulators. On top of this comes the peddling of Cyble’s services, not something that the industry has welcomed. A CISO who felt the heat from a Cyble announcement of a data breach at his company says, “The way they deal with sales is somewhere between blackmail and extortion.”
He alleges that making the breaches public even before the company has had a chance to verify the integrity of the cache of data in question, and then demanding that the company use the services of Cyble to address the issue, clearly amounts to extortion.

While Cyble’s modus operandi may border on the unsavoury and could even be flirting with the illegal, what is increasingly becoming clear is that there have been breaches of services that hundreds of thousands of Indians have been using, with the companies themselves not knowing they have been breached. Worse still, even once they knew, many companies have chosen to keep mum about it, without informing their users that their data was now being sold on the dark Web. User data — a mix of names, addresses, phone numbers, passwords, and more — has been floating out there, being bought and sold, with the individuals in question not knowing about it. Depending on when these databases were compromised, that data may have been used to compromise other services these users signed up for. Simply put — nobody knows.

That is the crux of a problem crying out to be solved in Indian cybersecurity — the transparent disclosure of breaches and informing both the authorities and affected users about it. The Personal Data Protection Bill, 2018, references the need to report any breach of personal data to the Data Protection Authority (DPA), with the onus being on the DPA to decide whether it needs to be communicated to the user. In a way, breach disclosures will become inevitable — certainly to the DPA and likely eventually to users — once the bill is passed into law, but that is still some way off. The parliamentary committee is still deliberating the bill as of this moment, and it will likely take time before it is introduced in Parliament for voting.
Cyble’s misadventures, whilst being difficult to swallow, may offer the industry an opportunity to be transparent before the law mandates it. Will it take it?

A discussion long overdue

Cybersecurity is a parade ground of clichés, and there is one that seems especially relevant in today’s context. It goes — “There are only two kinds of companies. Those who know they’ve been breached and those who don’t.” There is a distinct drone of inevitability to the news of breaches streaming out with alarming regularity. While companies and CISOs are no doubt trying hard to improve their cybersecurity posture, the question of how a breach itself is handled clearly needs more attention.

One of the things that companies rarely do is proper disclosure. According to Nimitt Jhaveri, managing partner, BitScore CyberTech, it is imperative to formulate a clear strategy to communicate any breach to users. He notes how Dunzo communicated after its breach and compares it with others who, as yet, haven’t been as forthcoming. Beyond the obvious breach of one’s right to privacy, there is an imperative to give users a chance to safeguard themselves, especially if, say, passwords are involved in the breach. Many use the same password for multiple services, and any compromise of one may necessitate a change everywhere else, lest nefarious actors try their luck elsewhere. There have been instances wherein passwords compromised in one breach led to another breach, notably in the case of Zomato in 2017. At that point, Zomato, too, had communicated to its affected users that they may need to change their passwords.
Zomato had even detailed how a compromise of a Web-hosting company led to its own database being leaked, because one of its developers used the same email address and password on the code repository GitHub as he was using at the Web-hosting company. This eventually led to the breach, something that Zomato had highlighted to the community as an experience to learn from. English Premier League club Manchester United, which late last week disclosed a cyberattack and a breach of its databases, is only the latest among several foreign entities that are mandated to disclose a breach, or in some cases do it anyway because that is the right thing to do.

The match is just getting started

Sadly, this sort of transparency has remained the exception rather than the norm. The opaqueness, coupled with the fear of damage to reputation, has led to most CISOs keeping quiet even when there were incidents that needed to be reported. That, in a nutshell, leads to the rise of what we have today — the brand of coercion that Cyble is being accused of. It is the other extreme — what one senior figure in financial-services cybersecurity calls, “white-collar extortion crime,” referring to Cyble. He adds, using words that are unprintable on ET Prime, “There is a ******* better way to do disclosures. Making a wow statement to get eyeballs is not it. ******* You don’t have to make a hungama over someone’s misfortune. People end up losing their jobs because of this unfortunately, even when they may not be at fault.”

There is still far too little that is known about Cyble. But the Indian CISO community isn’t waiting to know more. ET Prime connected with several top CISOs in India and others in the country’s cybersecurity community. What is clear is that an unofficial alliance of sorts is brewing as a way to counter the alleged extortion by Cyble. The CISO of a major bank characterises it as necessary because it “is a question of ethics.
They (Cyble) are giving extortionists a corporate look,” he says, adding that CISOs have the right to push back, as it is their job that is on the line every time Cyble makes a pitch.

A defiant Cyble

With news breaking last week in Founding Fuel and questions swirling around Cyble’s methods, the company has been on the defensive. The company cancelled a call it had confirmed with ET Prime on Friday, November 13, just a few hours before the story broke. Since then it has published a poorly articulated defence of its methods through a public relations distribution service called Business Wire. Late last week, Cyble reconnected with ET Prime and indicated its willingness to talk and set its point of view on record.

Where Cyble agrees with at least some of those in India’s cybersecurity business who aren’t happy about it is in the need for mandatory breach disclosures. “This level of transparency is necessary to solve this menace for the marketplace as whole. Otherwise, affected companies naturally take decisions best suited for short-term gains, which are not necessarily healthy for the ecosystem.”

One would think that the cops would have reached out to Cyble after registering FIRs in various cases. But oddly enough, Cyble says to date it “has not received any letter or notification from any Indian agency. We believe in being fully compliant with regulations and laws, and will gladly engage with any such requests.” At the same time, strangely, it was invited by a parliamentary joint committee on the data-protection bill to give “oral evidence” on the bill on November 19 at 11:30 am, right in the middle of the drama unfolding around the company.

On being asked if all the pushback will make it re-evaluate its model, the company says, “Absolutely not. We always make responsible disclosures — where we share all possible information with a victim at no obligations whatsoever. Often, it’s the first time they become aware of a specific breach.
In some cases, certain organisations (sic) have asked for support such as incident response and negotiate data retrieval post our disclosures.”

An allegation levelled against Cyble has been that it is in cahoots with nefarious hackers, something that it again denies. But there are more than a few inconsistencies in how the company presents itself. It continues to claim to have Singtel Innov8 as an investor, even though the Innov8 website doesn’t list Cyble as a portfolio company. Where it is listed is ICE71, an accelerator programme run jointly by Singtel Innov8 and the National University of Singapore, as part of the third cohort. The seed money raised from this, according to Crunchbase, is a mere USD22,000.

The bottom line

Cyble, in its own words, “is a technology company providing dark Web and cybercrime-monitoring solutions [SaaS] to enterprises”. While Arora characterises it slightly differently in his testimonial on the eMBA page, saying Cyble is “a cybersecurity enterprise solution focused on providing visibility to cyber threat and risks in supply chain using automation, integration, and intelligence”, it is clear that over 2019 the company pivoted to concentrate more on dark-Web monitoring. Cyble also seemingly had another leader, Sandeep Taileng, who, according to his LinkedIn page, was with the company in an advisory role between September 2019 and February 2020, but has been listed elsewhere as a co-founder. Cyble claims that Taileng “is a family friend of Beenu Arora, who left Cyble in 2019 due to his personal commitments.”

All said and done, while Cyble’s approach may have ruffled many feathers, it is a much-needed jolt for the business-as-usual mentality seen in the Indian cybersecurity space. It also offers an opportunity for other stakeholders to evaluate how cybersecurity is looked at. For Cyble itself, it may be important to become even more transparent in how it does business, and to hold itself to the same rules it demands of companies.
The CISO of a company that Cyble has put in a spot says what gives Cyble fuel is the media’s propensity for sensationalism, which translates into publishing Cyble’s accusations without verifying their veracity. “Media needs to verify what is shared by Cyble before writing about it. The data that it claims to have unearthed is often stale data. It is not as if financial information is being compromised.” Stale data refers to information that may no longer be relevant and holds little value. While the stale-data argument may not hold water, given the responsibility of companies to make sure that all user data is secure, it nonetheless highlights the need for better reporting of breaches in Indian media, given there will be plenty more to report on in the coming days.

Reader comment (Piyush, 1 day ago): If Cyble brings some harm to this business as usual mentality of Indian Corporates that the Law has failed to because of inability to execute, then I say that's good.

Source: https://economictimes.indiatimes.com/prime/technology-and-startups/cyble-effect-why-the-cybersecurity-company-indias-cisos-love-to-hate-may-trigger-a-big-shift/primearticleshow/79351659.cms?utm_source=newsletter&utm_medium=email&utm_campaign=prime_dailynewsletter_paid&utm_content=heading_14&ncode=ae88c8a4f8742a8682bf7d9294253f7f
