Cyber attackers around the world are showing an increasing level of sophistication. This is a major concern for Australian CISOs and their teams, who often lack the resources to deal with more frequent and sophisticated attacks from well-resourced cybercriminals.
At the same time, legacy Security Operations Centers (SOCs) are dealing with an unmanageable volume of alerts. This leads to “alert fatigue” that slows down key processes and makes it easy to miss potentially significant issues that could be buried in the noise. Hiring an army of security engineers to deal with these challenges is also expensive and does not scale.
SOCs also use too many security products (the average company may have dozens of cybersecurity products deployed), and many rely on manual processes for day-to-day operations as well as incident response. Too many menial tasks require significant human interaction and labor, which can be stifling.
Senior technology executives recently gathered for a discussion on ways they can move from a reactive to a more proactive cybersecurity environment. The talk was sponsored by Palo Alto Networks.
Initially, attendees were asked how they ensure a consistent security posture, one that prevents both the loss of sensitive data and malware infection across all traffic streams, regardless of where the user is working or the applications they are accessing.
Leonard Kleinman, chief technology officer of Cortex at Palo Alto Networks, advised attendees that the starting point for achieving a sensible security posture is to have visibility into all aspects of the work environment.
“After all, you can’t protect what you can’t see or know about. But the approach would be to aim for visibility or telemetry from all sources. These include the network, endpoints and cloud, regardless of location, identity or device.
“Such a unified platform provides tremendous flexibility to meet various objectives related to, for example, regulatory compliance and governance, incident response and data loss prevention. The more sources, the richer the telemetry, the better the context. This enables faster and more informed detection and response decisions,” he says.
Ian Palmer, head of ITDS at UTS College, says the education provider’s cyber security stance is based on the risk to data through access and use.
Applications that store personal data are currently protected by the organization’s firewalls; any user needing access does so from a UTS College laptop with a VPN back to those firewalls.
“This gives us protection no matter where the user works, as access to our devices is via multi-factor authentication (MFA), depending on the risk factors presented. All traffic, including Internet traffic, goes through the firewalls, but we don’t see any degradation of service with excellent bandwidth,” he says.
Nabil Saleh, chief information officer at Woollahra City Council, says his organization maintains a consistent security stance by not allowing staff to bring their own devices to work and instead providing them with managed devices that have VPN access. Split tunneling is disabled on those devices so that all traffic is intercepted and encrypted, he says.
“VPN access provides a centralized standard operating environment that is the same regardless of location. Devices have XDR endpoint protection to ensure compliance with our security policies.
“With respect to the leakage of sensitive data, unlike loss, it can happen regardless of the controls in place and depends on the diligence of the user to protect the data from unauthorized access,” he says.
Ashwani Ram, general manager, cyber security infrastructure and operations at Chartered Accountants Australia and New Zealand, believes that malware, for example, is easier to deal with these days due to the unification of EDR and XDR tools with managed security operations center (SOC) services.
“Of course, you need to overlay this with EDR/XDR intelligence and DNS security so users have less chance of being redirected to suspicious sites in the first place.
“Access to zero-trust applications and web browsing platforms with DNS threat management and web security ensures secure VPN services. It means users can leave the house and work from their favorite coffee shop and be productive – that’s how we need to rebrand and sell endpoint security,” he says.
Losing sensitive data is a more difficult and complex problem, adds Ram.
“Before we can prevent data loss, we must first be able to monitor data at all stages from creation to destruction. Once we better understand this cycle and usage, we need to take a two-pronged approach – education and tools.
“Just as we say that people are the best firewalls, the same is true when it comes to preventing data loss,” he says.
Hybrid work brings new risks
Some attendees said they reviewed their risk models as workers move from the office to their homes and other remote locations that are outside their network perimeters.
UTS College’s Palmer says the organization has undertaken internal risk reviews and external audits of its cyber security posture to ensure risk can be managed where there is no network perimeter.
“We’re trying to move to a zero-trust model, and we’ve implemented great capabilities to ensure we’re protected by layers of security,” says Palmer.
Woollahra City Council’s Saleh says the organization has carried out a telecommuting risk assessment and trained staff through cyber awareness training on the dos and don’ts of telecommuting. Remote access in the council also meets the ACSC Essential Eight Maturity Model, he says.
Palo Alto’s Kleinman adds that risk management is a dynamic paradigm and constantly evolving.
“The reality is that risk in business can never be truly eliminated, but identifying and minimizing risk can be significantly beneficial,” he says.
The move to “work from anywhere” is a good example of the dynamic, constantly shifting risks enterprises face as their businesses grow, evolve and react to stay competitive, he says.
When it comes to reassessing risk, Kleinman suggests that organizations should start by asking “what are the goals and what are the risks that will affect the organization’s ability to achieve those goals?”
“Regular review of the risk model and risk management plan is essential to identify new risks, develop new treatment plans and then monitor their effectiveness,” he says.
A voice at the boardroom table
There is no doubt that in recent years, company boards have become more aware of the risks to their organizations from cyberattacks, as well as their potential liabilities following a breach.
Kleinman agrees that the main change in recent times is clearly the level of accountability and responsibility boards have for cyber-related risks, much of which stems from the increase in new regulations and legislation.
“There is a preponderance of data that supports the position and most board members are aware of that. However, many board members still see cyber as a black box with a lack of cyber literacy and expertise,” he says.
Kleinman says a recent survey of the cyber security skills of directors of ASX 100 companies found that only one per cent of non-executive directors responsible for overall governance and strategic direction had any cyber experience.
“I believe the conversation needs to shift from a conversation focused on ‘how to become compliant’ to one about understanding business goals and the risks that will impact the organization’s ability to achieve those goals.”
“History shows us that mere compliance does not mean security. Assuming a quality CISO has access to or participates in the board, he should focus on having the right conversation about cyber risk to ensure it is integrated into the broader enterprise risk management program and other activities in corporate governance,” he says.
He adds that boards should ensure they have frequent conversations with CISOs, constantly reviewing the state of cybersecurity across the business.
“For example, lessons learned from security incidents are invaluable in addressing gaps and updating response plans. However, I also believe that addressing cyber knowledge/experience at the board level would be a better board augmentation than simply relying on the CISO.”
Chartered Accountants Australia and New Zealand’s Ram adds that, unfortunately, the CISO often only has a voice at the boardroom table through the CIO.
That’s slowly changing, he says.
“I think boards have realized they need to understand cybersecurity, but they’re struggling to understand it. However, in their defense, I think CISOs also need to get better at translating risks into business terms and presenting them in the language that the board knows and understands.
“I also think there is an opportunity for the enterprise risk management team to better interact with the cybersecurity team to help translate cyber risks into business risks at a strategic and operational level. I believe that once this interface gets better, we will be in a better position to help the board understand cyber risks,” he says.
UTS College’s Palmer says that over the past two years the organization’s board has become aware of the personal liability it now bears in the event of a breach.
“The big firms were talking to the board to make them understand the impact of cyber, so that provided more visibility,” he says.
Palmer reports to UTS’s Audit and Risk Committee (ARC) on cyber security on a quarterly basis and is questioned about perceived risks or threats.
“External audits are also carried out regularly by independent organizations to ensure we are covering the risks that are brought directly to ARC. Having a former CIO for UTS on our board and ARC has created more awareness and a deeper understanding [of cyber issues],” he says.
Woollahra City Council’s Saleh says that having successfully enabled remote working since day one of the pandemic, the board recognizes the value IT offers to businesses during a crisis and, to some extent, the risks associated with it.
“Through awareness training for the board and management team, all members are more aware of cyber security risks than before. Also, a few months ago there was a cyber security incident that affected a similar organization and made it to the media. As a result, our board is very aware of the reputational damage a cyber incident can cause, so it pays sufficient attention to security requirements when presenting at meetings,” he says.