elevenM’s submission to Australia’s 2020 Cyber Security Strategy

As a passionately Australian company, elevenM is emotionally invested in the safety and prosperity of this country. We recognise that national progress will increasingly depend on our collective ability to answer the significant challenges of the cyber domain.

That’s why we were excited to lend our voice to the development of Australia’s 2020 Cyber Security Strategy, by responding to the Australian Government’s call for views.

Our contribution, which we submitted earlier this month, highlights areas we feel we should be collectively taking a closer look at. These include:

  • Taking a national approach to managing supply chain risks
  • Engaging cyber security service providers in national cyber security initiatives
  • A sharper focus on attracting and developing strategic, executive-level cyber security talent, and
  • A stronger national voice on cyber security, privacy and data issues

Our submission, and these recommendations, draw on our direct experience as cyber security and privacy practitioners. In working with prominent Australian businesses and government agencies on their digital risk challenges, we’ve observed both emerging challenges for individual businesses as well as system-wide issues and patterns.

We hope our submission will be a constructive contribution to the development of Australia’s 2020 Cyber Security Strategy.

Click here to read our full submission.

Sustaining the value from your security tools

This is the second post in a two-part series by elevenM Senior Project Manager Mike Wood on how businesses can benefit most optimally from the deployment of security products.


In the first part of this blog series, we explored how to extract value from security products. In this post we discuss how to sustain and extend this value, especially as your tool evolves.

You’ve nearly finished your delivery project and you’ve got some great data on the value the tool is starting to deliver.  You’re also clear on how you’ll measure remaining value.  Stakeholders are pleased with what they’re seeing.   Time to focus on the next thing, right?

Not necessarily.  Success with security products is not just about getting them to work in today’s context.  It’s about how they will work and improve over time.  Attackers don’t stand still.  Threats evolve and tools and security processes and procedures must keep pace.  A benefit of SaaS security tools is much of the advancement is done by the vendor.  But these benefits will be lost if you haven’t got the capability and/or capacity to keep pace.

The SaaS vendor will keep the tool working and manage uptime.  Your tech support teams can look after the integration points and manage user access.  How you effectively support the tool’s outputs and outcomes, so that they deliver value and sustain benefits over time, is critical to success.

It is therefore essential to build a support model for not just the tool, but the tool’s value.

A value support model needs to take the benefits and associated context and align them to how business processes run and the metrics/incentives of the people who are responsible.  Who does the work?  Do they have the skills and capacity?  Have they been trained?  How are they rewarded and what KPIs are in place? How do escalations flow?

Surely, delivering a value support model is part of project success?!  You’re right.  It should be.  But often support is thought of in narrow terms – does the tool work, does it deliver the data we need. Value support is often missed.

An example of a value support model is with a Cloud Access Security Broker (CASB), a tool used to enforce security policies for your business’ use of cloud services.

A CASB can flag alerts, but it is how those alerts are handled where much of the value lies.  How are alerts prioritised?  What SLAs are in place within the SOC / Forensics / Security team who manage alerts and coordinate responses to them?  How do alerts and trends feed into cloud governance and architecture decisions and strategy?  A CASB value support model will have specified and tested this, meaning the organisation doesn’t just have a tool it can run, but outcomes it can actually use to the fullest possible extent to drive security uplift and deliver the target benefits.

Our advice is to get the project to design a value support model as early as practicable in the project.  This model should align to the vendor’s product roadmap and your organisation’s security goals and strategy.  Stakeholders should be consulted and agree on a governance approach for the tool’s threat area and the tool outputs that will drive decision-making.

If you are clear about all this early on, it will allow you to test the value support model and make iterative improvements in lockstep with tool deployment (typically, such improvements will also cost you less and be less disruptive if made during the project than afterwards).  It will also give you a clear view on the funding requirements for the tool.

Building the value support model is something we help businesses with. It requires a blend of key skills and experience: security knowledge, program delivery, systems integration and support.  Investing in getting this right is key to success and also contributes towards higher cyber security maturity, which examines process efficacy as well as the systems in use.

If you have also clearly defined how you’ll measure value (per the first post in this series), then tying this value and its associated support model to a funding request will allow you to make a powerful business case to take the steps needed to not just deliver powerful new security capabilities that deliver value now, but long into the future.

Then you can focus on the next thing (as much as your value delivery model allows!).

Getting value from your security tools

It is easy to spend significant time and effort deploying a security product, only to find that it is difficult to prove the value delivered. In this two-part blog post, elevenM Senior Project Manager Mike Wood explores how to extract and sustain value from security products.


The true uplift value from any security tool comes from the context in which it is used, rather than the capabilities of the tool itself.

Consider a Web Application Firewall (WAF), which filters and blocks web traffic. A WAF is only as effective as the rules it follows and how alerts are responded to. How WAF rules are set and maintained over time, and the level of automation you use in responding to alerts, will affect the protection effectiveness of your WAF.

You could pay the SaaS vendor to do this for you, but is that good value for money? Does the vendor know your business, its context and the threats you face as well as your own people do?  Would handing this over to the vendor also mean you miss out on building knowledge among your team?

Another example is code scanning; it is only as effective as the vulnerability management process that acts on the outcomes from the scans. If you find vulnerabilities using a sophisticated tool, but don’t act on them (or you report them, but they don’t get remediated by development teams) then it’s hard to gain true value from such tools.

When tools are evaluated not just in a risk context but also in terms of people and process, value can be shown.  A good way to start is by asking yourself questions such as:

As a result of this tool or its outputs …

  • What manual security work will be automated?
  • What actions does the tool require and what processes and people capabilities need to be built to support it?
  • Are we delivering more effective security risk mitigations for the same level of effort or funding?
  • What is the contribution to overall reduction in risk? [an easy one to measure is financial impact, such as value of fraud prevented or reduction in cost spent recovering from successful attacks]
  • Are security processes running faster / is there a positive impact to velocity?
  • What is the tool’s contribution to NIST maturity and regulatory or other such obligations? [this is best measured by independent reviews]
  • What data and insights do we have that we didn’t have before and what valuable activities and outcomes have these enabled? [for example, anti-automation/bot protection tools can show you the bad automated traffic that’s hitting your assets, informing your understanding of attack vectors you’re susceptible to and how to address them. Anti-automation tooling may be enough, but to meet the objective of layered security you may also identify code changes.  Data and insights are crucial to being able to analyse, prepare, risk-assess and make such decisions.]

Another important contextual consideration is the impact to teams outside of security.  To gauge how they value security, ask questions such as:

As a result of this tool or its outputs …

  • Is security awareness increasing as a result of this tool or its outputs (measured, for example, by increased proactive engagement with the security team)?
  • Is the security team perceived differently – for example, as less ‘disruptive’ by developers?
  • Have we freed up our security teams (typically scarce resources in the market) to focus on exceptions, forensics and strategic improvements, by empowering non-security teams to run repeatable security activities that we can then monitor and advise on?

To truly realise the value of security products, we need to have a clear view on their broader context.

In the next part of this series, we explore how to sustain and build on the value delivered by security tools over time.

Solving ransomware

We’re back in Baltimore. Unfortunately not to relive Arjun’s favourite pithy one-liners from The Wire, but to talk about something from the non-fiction genre: Ransomware.

In just a few years, ransomware has gone from nothing to a multi-billion dollar industry. And it continues to grow. It’s little wonder that law enforcement are quietly holding crisis summits to ask for help.

In May of this year, the City of Baltimore was hit with a ransomware attack. The ransomware used was called RobbinHood and it encrypted an estimated 10,000 networked computers. Email systems and payment platforms were taken offline. Baltimore’s property market also took a hit as people were unable to complete real estate sales.

One click away

Like most public sector technology environments, there appears to have been a mix of old and new systems on the City of Baltimore networks. Precisely because they are old, aging systems are typically unable to be “patched” or updated for known security threats, making them vulnerable.

But getting funding to replace or update computing systems is difficult, especially when you are competing with critical services like police, fire and hospitals.

Given the hard reality that many large networks will have a high volume of outdated, and therefore vulnerable, systems that are only one mouse click away from becoming infected, should we not focus more on preventing malware from propagating?

Trust

Most global corporate networks operate using a trust principle. If you are part of the same domain or group of companies you are trusted to connect to each other’s network. This has obvious benefits, but it also brings a number of risks when we consider threats like ransomware.

Strategies

There are many strategies to mitigate the risk of a ransomware outbreak. Back up your files, patch your computers and avoid opening suspicious links or attachments are commonly advised. At elevenM, we recommend these strategies, however we also work closely with our clients on an often overlooked piece of the puzzle, Active Directory. The theory being: if your network cannot be used to spread malware, your exposure to ransomware is significantly reduced.

Monitoring Active Directory for threats

To understand this in more detail, let’s go back to Baltimore. According to reports, the Baltimore attack came through a breach of the City’s Domain Controller, a key piece of the Active Directory infrastructure. This was then used to deliver ransomware to 10,000 machines. What if Baltimore’s Active Directory had been integrated with security tools that allowed it to monitor, detect, and contain ransomware instead of being used to propagate it?

Working with our clients and Active Directory-specific tools, we have been able to separate and monitor Active Directory-based threat indicators, including:

  • Lateral movement restriction
  • Obsolete systems
  • Brute force detection
  • Anonymous user behaviour

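To make two of these indicators concrete, here is an added example (not elevenM’s code or any client tooling) showing the kind of detection logic a SOC would run over Active Directory data: brute-force detection over constructed Windows Security logon events (4625 failed logon, 4624 successful logon), and an obsolete-systems check over constructed computer objects. The event lines, computer records, the simplified event format, the threshold of five failures in ten minutes, the 90-day staleness cut-off and the list of operating systems treated as out of support are all assumptions for the example and would be tuned per environment.

```python
"""Added example: Active Directory threat indicators as detection logic.
Not elevenM's code. All sample data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp,event_id,account,source_ip"
# form (a real feed would be Security event log exports or SIEM rows).
SAMPLE_EVENTS = """\
2019-05-06T08:00:01,4625,jsmith,10.1.1.50
2019-05-06T08:00:03,4625,jsmith,10.1.1.50
2019-05-06T08:00:05,4625,jsmith,10.1.1.50
2019-05-06T08:00:07,4625,jsmith,10.1.1.50
2019-05-06T08:00:09,4625,jsmith,10.1.1.50
2019-05-06T08:00:11,4624,jsmith,10.1.1.50
2019-05-06T09:15:00,4625,mjones,10.1.2.20
2019-05-06T11:15:00,4625,mjones,10.1.2.20
"""

# Constructed sample computer objects (name, operatingSystem, last logon date).
SAMPLE_COMPUTERS = [
    {"name": "FILESRV01", "os": "Windows Server 2003", "last_logon": "2019-05-01"},
    {"name": "WS-0042", "os": "Windows 7 Professional", "last_logon": "2018-11-20"},
    {"name": "WS-0100", "os": "Windows 10 Enterprise", "last_logon": "2019-05-05"},
]

# Assumption for the example: OS families treated as unpatchable / out of support.
UNSUPPORTED_OS_PREFIXES = ("Windows XP", "Windows Server 2003")


def parse_events(text):
    """Parse the simplified CSV lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, source_ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "account": account, "source_ip": source_ip})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (account, source_ip) pairs with >= threshold failed logons inside a
    sliding time window. Also record whether a successful logon followed the
    burst, since that is the case a SOC most wants escalated."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            failures[(ev["account"], ev["source_ip"])].append(ev["ts"])
    findings = []
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                success_after = any(ev["event_id"] == 4624 and ev["ts"] > times[end]
                                    and (ev["account"], ev["source_ip"]) == key
                                    for ev in events)
                findings.append({"account": key[0], "source_ip": key[1],
                                 "failures": end - start + 1,
                                 "success_after": success_after})
                break  # one finding per pair is enough for triage
    return findings


def find_obsolete_systems(computers, as_of="2019-05-06", stale_days=90):
    """Flag computer objects running an unsupported OS or not seen logging on
    for more than stale_days (stale objects are a sign of unmanaged hosts)."""
    reference = datetime.fromisoformat(as_of)
    findings = []
    for comp in computers:
        reasons = []
        if comp["os"].startswith(UNSUPPORTED_OS_PREFIXES):
            reasons.append("unsupported OS")
        age = (reference - datetime.fromisoformat(comp["last_logon"])).days
        if age > stale_days:
            reasons.append(f"no logon for {age} days")
        if reasons:
            findings.append({"name": comp["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_brute_force(parse_events(SAMPLE_EVENTS)):
        print("brute force:", finding)
    for finding in find_obsolete_systems(SAMPLE_COMPUTERS):
        print("obsolete system:", finding)
```

On the constructed data the brute-force rule fires once (jsmith from 10.1.1.50, five failures followed by a success) and ignores the two mjones failures two hours apart, while the obsolete-systems check flags FILESRV01 for its operating system and WS-0042 for having no logon in 167 days. The same structure, parse, aggregate per entity, compare against a threshold, is what an Active Directory-aware monitoring tool does at scale, and the value comes from who receives these findings and what they are empowered to do with them.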
All the pieces of the puzzle

In mitigating cyber threats, defence teams today have access to many tools and strategies. Often, there emerges a promised silver bullet to a particular threat. But the truth is that most threats will require a layered defence, involving multiple controls and core knowledge of common IT infrastructure (like Active Directory). Or to put it again in the language of the streets of Baltimore: “All the pieces matter”.

Want to hear more? Drop us a line at hello@elevenM.com