HOW OPERATIONAL EFFECTIVENESS IS KEY · Cyber security in Australia and New Zealand : How...

HOW OPERATIONAL EFFECTIVENESS IS KEY


2 | Cyber security in Australia and New Zealand : How Operational Effectiveness is Key

Cyber crime has been on the rise in Australia and New Zealand, and is likely to continue. Between July 2015 and June 2016, Australia’s Computer Emergency Response Team (CERT Australia) responded to 14,804 cyber security incidents affecting Australian businesses. Of these, 418 involved systems of national interest and critical infrastructure [1]. Preventing such attacks is vital to an organisation’s success and to the overall health of Australia and New Zealand’s information economy.

CYBER SECURITY IN AUSTRALIA AND NEW ZEALAND


Both countries are stepping up measures in an attempt to stem the tide of cyber crime, bolstering their preventative security approaches.

A 2015 report published by the Australian Cyber Security Centre (ACSC) found that 56 percent of respondents had increased their spending on cyber security during the preceding 12 months. This was a significant increase from 2013, when only 27 percent of respondents reported an increase [2]. Nevertheless, much remains to be done.

With cyber attacks in New Zealand more than doubling over the last five years [3], Prime Minister John Key has pledged his commitment to the cause by setting aside NZD $22.2 million for a new unit to fight cyber crime [4].

When it comes to organisations’ efforts, however, even the best cyber defence strategy will fail if it’s not executed effectively. Organisations require a robust and holistic operating model that focuses the company’s risk management strategy around key threats to achieving organisational vision and mission. A security team’s ‘ground game’ will determine how well it deters, detects and responds to cyberattacks.

This is especially true when one considers that some of the most damaging cyber threats come from within organisations, predominantly insider threats. Sixty percent of the ACSC survey respondents felt that ‘insiders’ were the most concerning potential cyber actors.

Externally, the expansion of the Internet of Things (IoT), the proliferation of connected devices and the growth of cloud computing all mean that an organisation’s ‘attack surfaces’ are growing. The more interconnected an organisation is within cyberspace, the greater its attack surface becomes to a cyber actor.

In this environment, businesses must protect themselves by developing comprehensive cyber defence strategies. Achieving best-practice operational effectiveness can deliver a wide array of security-related benefits, ranging from fewer successful incursions to faster response times and quicker recoveries when attackers do hit. A strong security ground game can also reduce costs and risks for the business.

However, there’s also the simple truth: without world-class cyber security, it will be impossible for organisations in Australia and New Zealand - and the nations overall - to keep up with global competitors. Against this background, this report describes some effective strategies that enterprises and government agencies can adopt to thwart cyber criminals and stay competitive. By following specific steps to improve their security operations and establish an effective operational model, Australian and New Zealand organisations can protect their data, their customers and their future.


ORGANISATIONS LACK CRITICAL TECHNOLOGIES AND SKILLS

Too often, security operations lack sufficient rigour and consistency, and key people are unaware of their organisation’s vulnerabilities. Organisations might employ a range of ad hoc processes and capabilities that offer varying levels of effectiveness. In addition, many fail to practise good enterprise-wide ‘security hygiene’ – including basics such as access control, two-factor authentication, rigorous vulnerability management and password policy compliance. For many businesses, security is also seen as an afterthought rather than something front and centre.

For most, the number one operational problem comes down to people and skills – both in the business at large and among security professionals. In the current high-turnover environment, firms often expose themselves by having only one person responsible for a security area, such as malware reverse engineering or incident response. If that person leaves, all the knowledge goes with them.

Too often, organisational structures are not suited to dealing with today’s cyber threats. Businesses can be reluctant to change for a range of reasons; however, change is necessary to compete and win against an evolving threat landscape.

Another issue is that cyber defence capabilities at many organisations generate increasing amounts of ‘noise’ that masks valid threats coming from both outside and within the organisation.

The constantly changing IT environment that characterises most large enterprises can make it difficult for the security team to keep track of critical information and protect it. For example, most leaders intuitively know what the organisation’s digital ‘crown jewels’ are – they may be customer data, a secret recipe or operational algorithms.

Ensuring that security teams know where to find these resources requires robust information asset management, which can prove challenging when IT infrastructure needs to flex and change to meet new demands. Keeping track of such issues requires security staff to improve their ‘soft skills’ in order to become more effective in engaging and partnering with the business.

There are instances, however, where what an organisation perceives to be its ‘crown jewels’ differs from what an adversary values. Attack simulation is particularly critical in these instances because, when done successfully, it can produce some surprising findings about what those actors consider to be of value.


New approaches such as software-defined infrastructure (SDI), which deploy network, compute and storage resources as services, can make assets more dynamic in terms of where they reside and what they can do within the enterprise topology. SDI is the future: the advantages it offers, such as automation and orchestration, are a powerful weapon in the response to cyber adversaries. SDI that leverages Software Defined Security (SDSec) can reconfigure the security controls of an entire SDI environment at the click of a button. Coupled with security analytics across the SDI, this enables security teams to proactively respond to real threats, rather than sifting through the ‘noise’ of false alerts. Deploying new technologies and approaches to enterprise environments means cyber adversaries need to ‘re-learn’ the technology environment to ensure that their exploits work as effectively as they would in a traditional environment.

Likewise, security managers often have insufficient visibility into their organisation’s ‘asset landscape’ due to the limitations of the tools and processes it uses. For instance, a security analyst might receive an alert that a potential attack is happening on the network, but because of limited access to the necessary information and people, they may spend hours or days attempting to figure out the problem. Yet another hurdle is time itself. While most breaches happen within a few days, the industry takes seven to eight months on average to detect them. It is critical that industry closes this gap.


ACHIEVING OPERATIONAL EXCELLENCE IN CYBER DEFENCE

Australian and New Zealand organisations can take a number of steps to improve their security operations. These range from fundamental actions to advanced measures such as the use of ‘sparring partners’, as outlined below.

Assess security capabilities

Evaluate the security processes the organisation currently uses in terms of their effectiveness when responding to a threat. The arrival of major new sources of data such as the Internet of Things and cloud computing is complicating this challenge. While many organisations understand the issue from a theoretical perspective, introducing real-world elements such as the use of ‘sparring partners’ can help security teams test the practical effectiveness of their defences.

Invest in talent where it makes sense

Given the almost daily reports of high-profile cyberattacks, demand for top security talent has skyrocketed. This makes it increasingly difficult to attract and retain good security talent. Organisations need to create new value propositions that go beyond compensation, such as providing access to cutting-edge tools, training, and peer and industry knowledge-sharing. Other incentives include the chance to participate in conferences and opportunities to innovate by adapting tools and technologies to new applications. Given budget realities, organisations also need to understand which capabilities really matter and outsource those that do not.

Automate intelligently

Understand the time-consuming and frequent tasks within security operations that occupy staff, and investigate the prospects for automating them so that talent can focus on tougher challenges. Hackers hold the high ground today as attack surfaces proliferate. Consequently, good security organisations are relying less on ‘eyes on glass’ by automating monitoring tasks and introducing security analytics. This can help them deal with basic threats like ‘spear phishing’, where the attacker personalises emails sent to recipients. Currently, most organisations do this work manually. However, with the rapidly increasing volumes of security data, organisations must scale their responses appropriately, using automation to eliminate the ‘noise’ in security.

Contextualise the collected threat data

Security teams often lack situational awareness when an incident occurs. They need to know what it means for the business, who the players are, what the priorities are and whether they can act based on the information at hand. Organisations must determine whether the security team understands enough about specific assets to contextualise threat data effectively. For example, as the business expands, security needs to know what to look for in the threat feeds and how it relates to the growing attack surface. They also have to keep things up to date: one organisation created a security monitoring system but failed to update it on a timely basis, with the result that within a year the system covered only 70 percent of the expanding service.


Know what you don’t know

Identify the types of questions that the security team can’t answer with its current capabilities, and then pinpoint the data needed to operate effective analytics and provide clarity. The organisation may not be asking the right questions, or may not have the visibility to see the required data. It’s particularly important to address this issue given that the digital attack surfaces the team needs to cover are expanding rapidly with the growth of cloud and other network elements. The ideal complement to strong situational threat awareness is a comprehensive understanding of the company’s defence capabilities and the ability to control them effectively.

Invest in a highly efficient operating model

Several models align IT services with the needs of an organisation’s business side, providing a touchpoint for developing effective security operating strategies. Given the near-constant rate of change of IT, as organisations integrate massive new cloud and IoT assets into their networks, they need to manage the evolving role of the security team. Factors to consider include risk management, business liaisons, the use of ‘hunting teams’ and staff job rotations.

Experience also confirms the importance of balancing the time spent running the security operations, implementing new technologies and testing the organisation’s security posture. Organisations also need to establish a strong feedback loop that updates their defences when incidents do occur.

Find a sparring partner

It can be difficult to develop cyber security capabilities without the equivalent of a boxer’s sparring partner. For example, after mastering static ‘punching bags’, firms need a life-size opponent to drive additional improvements. The sparring partner needs to apply all of the attacker’s creativity and intent to ensure that the company’s security innovations keep pace with the latest hacker advances. That means engaging all of the business stakeholders: insurance, risk management, marketing and communications, legal staff, the fraud team, and so on.

Done right, the sparring partner approach replicates real-world attacks to a far greater degree than is possible by running tabletop exercises, working through compliance checklists or conducting an annual penetration test. The approach reflects a statement by past heavyweight boxing champion Joe Louis, who declared, “Everybody has a plan, until they’ve been hit.”


A successful cyber defence plan hinges on a 360-degree approach and a relentless focus on business impact. Enterprises need well-trained employees who can act on clear-cut incident response plans and procedures for handling everything from a zero-day vulnerability (an undisclosed computer application vulnerability) to a large-scale, public breach. But they also must have the appropriate tools, and commitment from the business, for this to be successful.

DEFINING AN EFFECTIVE OPERATIONAL MODEL

Best practices demonstrate what truly sets a good cyber security operating model apart. Such a model will assist the security team to prepare for and protect against a breach by providing usable threat intelligence and actively managing vulnerabilities. It then enables security to defend against and detect intrusions using advanced analytics and by monitoring critical assets. Finally, it makes it possible for the organisation to respond and recover effectively by employing active defence strategies and actively managing security incidents.

Leading organisations drive their security operations based on actionable threat intelligence. Consequently, they need a model that’s capable of informing security about current threats. Specifically, cyber defenders need to understand what tools, tactics and procedures attackers are using against the organisation on a daily basis. In other words, once something trips a trigger, what does security do about it? Block it using automation, contain the system, and study the intrusion – or all three? The only proven way to determine the correct response is to regularly practise and train for different types of incidents. That’s because organisations typically can’t accumulate enough generalised knowledge to deal quickly with new attacks from an enterprise-wide perspective.


KEY ELEMENTS OF THE MODEL INCLUDE:

Forward-thinking capabilities that help to scale security activities in order to deal with anticipated threats and prepare teams for the challenges driven by new IoT, cloud and product development realities.

An IT strategy that not only specifies what an asset is, but more broadly defines how IT will meet business objectives by pursuing capabilities that enable the business to respond to, detect and mitigate cyber activity. This means using advanced operational monitoring techniques to move beyond the hardware and where it’s ‘plugged in’. Security teams also need a greater understanding of the identities, data sets, and technical and business functions that reside in their environment. They need strong vulnerability management capabilities to know which security threats can greatly affect the business as a whole, and how the different elements of these threats relate to each other.

High-powered analytics capable of pre-empting and detecting incidents. Companies need the ability to identify changing behaviours that indicate security risks in systems, networks, users and business processes. In fact, recent fraud cases show that changes in the execution of processes within a business can be threat-related.

An emphasis on visualisation to identify anomalies quickly as the volume of security data increases. From an operational monitoring perspective, reading through logs and text to understand what’s happening is too slow today given the flood of digital information coming from the IoT and the cloud.

Platforms that guide security operators in hunting for unknown threats within security data, helping companies to detect incursions more quickly.

A focus on training that replicates the way an organisation fights attackers. This is the best way to prepare the security team for real-world adversaries. Activities should test both the security operations and any linked strategic channels in the business.

The models used by organisations with effective cyber defence operations share a number of attributes. They:

• Start with a big-picture strategy of how security efforts support business performance and include detailed, proven processes and roadmaps customised to the organisation

• Establish effective communication channels and relationships with IT, the business and outside service providers

• Clearly define the roles and responsibilities of the teams that manage the cyber defence capabilities and how they need to work together

• Conduct security operations monitoring with a consistent focus on what matters to the business

• Concentrate on incident response, threat intelligence, technical intelligence and vulnerability management. Proactive organisations also include security analytics and active defence measures

• Address governance and decision-making issues, staffing requirements and ways to measure success on a comprehensive basis.


CONCLUSION

An organisation’s cyber security game plan needs the right mix of talent, skill, capabilities and technology.

It also requires something more: a robust operating model that focuses the organisation’s risk management strategy to accomplish three goals:

Prepare and protect

Prepare and protect for the challenges ahead by delivering useful threat intelligence and providing a vulnerability management program that supports the organisation’s business strategy.

Deter, defend and detect

Deter, defend and detect threats using a combination of advanced security analytics and advanced operational monitoring capabilities.

Respond and recover

Respond to and recover from attacks quickly and with the least exposure possible by employing state-of-the-art security incident management and an active defence strategy.

There are few signs that the brutal assault on the digital assets of companies and institutions worldwide will diminish any time soon; in fact, the opposite is probably true. Given this risk-filled environment, firms need the best operational security capabilities possible if they hope to attain the cohesion and clarity required to defend their organisation’s most valuable digital assets.


16-3697

Copyright © 2016 Accenture All rights reserved.

Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

This document makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademarks.

CONTRIBUTORS

Joshua Kennedy-White, Managing Director, APAC Security Lead, [email protected]

Kelly Bissell, Managing Director, Global Security Services

Ryan LaSalle, Managing Director, Security Growth & Strategy Lead

Kevin Oswald, Managing Director, Security Lead - Products

Harpreet Sidhu, Managing Director, Managed Security Services Lead

Patrick Joyce, Senior Principal, Information Security, Global

Matt Carver, Senior Manager, Security Research & Development

FOR MORE INFORMATION accenture.com/operationaleffectiveness

REFERENCES

1. “ACSC Threat Report 2016”, Australian Cyber Security Centre. https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf

2. “2015 Cyber Security Survey: Major Australian Businesses”, CERT Australia and Australian Cyber Security Centre, 2015.

3. “Cyber-attacks on NZ Double in 5 Years”, NZ Herald. http://m.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11736097

4. “John Key’s $22m Budget Reveal: New Cybercrime Unit to Tackle Online Espionage”, NZ Herald. http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=11633915

ABOUT ACCENTURE

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With approximately 384,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.