The Enterprise Threat Landscape
The threat landscape facing Indian enterprises has changed significantly. Ransomware has evolved from opportunistic spray-and-pray campaigns to targeted Ransomware-as-a-Service (RaaS) operations where attackers spend weeks in a network before deploying the payload. Nation-state-sponsored intrusions have expanded beyond government targets to supply chains and critical infrastructure.
For most organisations, the threat vector is not a zero-day exploit; it is an unpatched vulnerability in a perimeter device, a phishing email that bypasses a weak email filter, or a misconfigured cloud storage bucket. Defence must be layered, visibility must be comprehensive, and response must be rehearsed.
Defence in Depth: A Layered Security Architecture
No single control stops all threats. Defence in depth applies multiple overlapping controls so that the compromise of one layer does not lead to a full breach:
Perimeter Security
- Next-Generation Firewall (NGFW): Application-aware inspection, TLS/SSL decryption, and integrated threat intelligence. Vendors like Palo Alto Networks, Fortinet, and Cisco Firepower provide unified NGFW + IPS + URL filtering in a single platform.
- Intrusion Prevention System (IPS): Signature and behaviour-based detection of known attack patterns at line-rate.
- DDoS Mitigation: Cloud-scrubbing services (Cloudflare Magic Transit, Akamai Prolexic) for volumetric attacks; on-premise mitigation for protocol and application-layer attacks.
Internal Network Segmentation
Once an attacker is inside the perimeter, a flat network is catastrophic. Segmentation controls lateral movement:
- VLAN-based segmentation separating IT, OT, guest Wi-Fi, IoT, and management traffic.
- Micro-segmentation in the data centre: every workload has an explicit allowlist of permitted communication paths.
- Internal firewalling at the distribution layer to inspect east-west traffic, not just north-south.
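To make the "explicit allowlist" idea concrete, here is an added example (not from the original article or any vendor product) that evaluates east-west flow records against a default-deny zone policy. The zones, subnets, rules and flow records are all constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed zone-to-zone allowlist. Each entry is a permitted path; any flow
# not listed is denied, which is what "explicit allowlist" (default deny) means.
Rule = namedtuple("Rule", "src dst port")

ALLOWLIST = {
    Rule("it", "payroll", 443),        # HR front end to the payroll API only
    Rule("management", "it", 22),      # jump host to IT servers
    Rule("management", "ot", 22),      # jump host to OT engineering stations
    Rule("management", "iot", 443),    # IoT controller admin console
    Rule("it", "internet", 443),       # outbound web for IT users
    Rule("guest", "internet", 443),    # guest Wi-Fi gets internet and nothing else
}

# Constructed subnet-to-zone map (hypothetical addresses).
ZONES = {
    "10.10.0.0/16": "it", "10.20.0.0/16": "ot", "10.30.0.0/16": "guest",
    "10.40.0.0/16": "iot", "10.50.0.0/16": "management", "10.60.0.0/16": "payroll",
}

def zone_of(ip):
    """Map an address to its zone; anything outside enterprise ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return "internet"

def evaluate(flow):
    """Return 'allow' or 'deny' for a (src_ip, dst_ip, dst_port) flow record."""
    src, dst, port = flow
    return "allow" if Rule(zone_of(src), zone_of(dst), port) in ALLOWLIST else "deny"

def denied_flows(flows):
    """Flows a segmentation firewall should drop and a SOC should see logged."""
    return [f for f in flows if evaluate(f) == "deny"]

# Constructed NetFlow-style records; the comments state the expected verdict.
SAMPLE_FLOWS = [
    ("10.10.5.21", "10.60.1.10", 443),   # IT workstation -> payroll API: allow
    ("10.30.8.4", "10.60.1.10", 445),    # guest Wi-Fi -> payroll SMB: deny
    ("10.40.2.9", "10.10.5.21", 3389),   # IoT camera -> IT workstation RDP: deny
    ("10.50.0.2", "10.20.3.7", 22),      # jump host -> OT station SSH: allow
    ("10.10.5.21", "10.60.1.10", 1433),  # IT workstation -> payroll DB direct: deny
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(evaluate(flow), flow)
```

The third denied flow illustrates the takeaway later in the article: even a legitimate IT workstation must not reach the payroll database directly, only the published API path.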
Endpoint Security
- Endpoint Detection and Response (EDR): Real-time behavioural monitoring and automated threat containment. CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne are the leading platforms.
- Patch management: Unpatched endpoints are the single largest attack surface. Automated patching pipelines should close critical vulnerabilities within 48 hours of patch release.
Threat Detection and SOC Operations
Detection is where most organisations fail. Logs are collected, but nobody is analysing them with the right context and speed. A Security Operations Centre (SOC) architecture requires:
- SIEM (Security Information and Event Management): Centralised log collection, correlation rules, and dashboard visibility. Microsoft Sentinel and Splunk are the enterprise standards. A SIEM without a tuned ruleset generates more noise than signal; rules must be refined quarterly.
- SOAR (Security Orchestration, Automation and Response): Automated playbooks that triage, enrich, and respond to alerts without manual intervention. Mean Time to Respond (MTTR) drops from hours to minutes.
- Threat Intelligence Integration: Feeds of known malicious IPs, domains, and file hashes enriched with context about attribution and tactics. MITRE ATT&CK framework mapping enables teams to understand which adversary techniques are being used.
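The "noise versus signal" point above is easiest to see with a rule side by side with its tuned form. This is an added example, not taken from the article or from any SIEM product: the authentication log lines are constructed, and the rule compares alerting on every failed login with alerting only on a burst of failures from one source that ends in a successful login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SSH authentication events in a syslog-like format (not real data).
LOG_LINES = """\
2024-05-01T09:00:01 sshd auth_fail user=admin src=203.0.113.7
2024-05-01T09:00:03 sshd auth_fail user=admin src=203.0.113.7
2024-05-01T09:00:05 sshd auth_fail user=root src=203.0.113.7
2024-05-01T09:00:08 sshd auth_fail user=admin src=203.0.113.7
2024-05-01T09:00:10 sshd auth_fail user=backup src=203.0.113.7
2024-05-01T09:00:14 sshd auth_ok user=backup src=203.0.113.7
2024-05-01T09:05:00 sshd auth_fail user=priya src=10.10.5.21
2024-05-01T09:05:09 sshd auth_ok user=priya src=10.10.5.21
2024-05-01T09:30:00 sshd auth_fail user=arun src=10.10.7.3
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd (?P<event>auth_\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield {**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])}

def naive_rule(lines):
    """Untuned rule: one alert per failed login. A typo by a user pages the SOC."""
    return [e for e in parse(lines) if e["event"] == "auth_fail"]

def tuned_rule(lines, threshold=5, window=timedelta(seconds=120)):
    """Alert only when one source accumulates `threshold` failures inside `window`
    and then authenticates successfully: a password-guessing burst that worked."""
    fails = defaultdict(list)   # src -> timestamps of recent failures
    alerts = []
    for e in parse(lines):
        recent = [t for t in fails[e["src"]] if e["ts"] - t <= window]
        fails[e["src"]] = recent
        if e["event"] == "auth_fail":
            recent.append(e["ts"])
        elif e["event"] == "auth_ok" and len(recent) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"], "failures": len(recent), "ts": e["ts"]})
            fails[e["src"]] = []   # one attack produces one alert, not one per later login
    return alerts

if __name__ == "__main__":
    print(len(naive_rule(LOG_LINES)), "naive alerts vs", len(tuned_rule(LOG_LINES)), "tuned alert(s)")
```

On the sample the untuned rule raises seven alerts and the tuned rule one, and that one carries the context (source, account, failure count) an analyst needs to triage it inside the 15-minute target set out below.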
Incident Response: Speed and Decisiveness
When an incident occurs, every minute of dwell time is damage. A well-prepared incident response programme consists of:
- Preparation: Documented playbooks for the most likely incident types (ransomware, data exfiltration, business email compromise). Named incident response team with defined roles.
- Detection & Analysis: Triage alerts within 15 minutes. Determine whether the alert is a true positive. Escalate to the IR team if confirmed.
- Containment: Isolate affected systems at the network level immediately. Block lateral movement while preserving forensic evidence.
- Eradication: Root-cause analysis, complete removal of attacker tooling, and patching of the exploited vulnerability.
- Recovery: Controlled restoration of services with enhanced monitoring. Validate integrity before declaring clean.
- Post-Incident Review: Lessons-learned session within 5 business days. Update playbooks and controls based on findings.
Compliance & Regulatory Requirements
Indian enterprises must align their security programmes with applicable compliance requirements:
- RBI Cybersecurity Framework: Mandates risk assessment, incident reporting within 6 hours, and business continuity testing for banks and NBFCs.
- SEBI CSCRF (2024): Cybersecurity and Cyber Resilience Framework mandating qualified SOC, vulnerability assessment, and cyber drills for all SEBI-regulated entities.
- CERT-In Directions (2022): All organisations must report cyber incidents within 6 hours, maintain system logs for 180 days, and respond to CERT-In information requests within 6 hours.
- ISO 27001:2022: The global standard for Information Security Management Systems, increasingly required by enterprise procurement processes.
Conclusion
Network security is not a firewall purchase; it is a programme. The organisations that avoid major breaches invest in people (trained SOC analysts), process (documented and practised playbooks), and technology (integrated, not siloed tools). The cost of proactive security is a fraction of the cost of a breach.
Key Takeaways
- Defence in depth: no single control is sufficient. Layer perimeter, network, endpoint, and identity controls.
- Internal segmentation is critical: a compromised endpoint should not be able to reach payroll servers.
- A SIEM without tuned rules creates noise, not visibility. Rule quality matters more than log volume.
- Incident response is a rehearsed discipline: quarterly tabletop exercises reduce breach dwell time by 6×.
- CERT-In mandates 6-hour incident reporting: organisations without a SOC cannot meet this SLA.