FireTail CEO Jeremy Snyder is joined by Toby Amodio, Director and Government Cyber Delivery Lead at MF & Associates, for a lively discussion around cyber security topics such as risk, compliance, maturity and more. Today’s episode of the Modern Cyber podcast will examine the Essential 8 in the context of cyber security to see how relevant it is today. Listen as they compare and contrast the E8 to the ISM in terms of what they address and what they lack.
Stay tuned to hear about how breaches can actually help teams bolster their security postures and learn the best things you can do for your security posture, per Jeremy and Toby’s expertise. Whether you are a seasoned cybersecurity expert or a novice, this episode offers a fresh cybersecurity perspective.
About Toby Amodio
Toby has previously held the Chief Information Security Officer roles at Australian Parliament House (Department of Parliamentary Services) and Australian Taxation Office. He is currently consulting with MF and Associates, a Fujitsu company, into Federal Government. Toby is a father to two young kids and is constantly trying to balance work, life and compliance.
Toby’s LinkedIn: https://www.linkedin.com/in/toby-amodio-a58041b4/
MF & Associates: https://www.mfassociates.com.au/about-us
About Jeremy Snyder
Jeremy is founder and CEO at FireTail, an end-to-end API security platform that offers the inline, real-time, application-layer data needed to deliver true API security. Prevent breaches and protect your APIs from code to cloud with FireTail.
0:08
hello welcome to the modern cyber podcast we are thrilled to be back with another episode today my name is Jeremy
0:13
Snyder, Founder and CEO of FireTail, and as always I will be hosting this episode today I am thrilled to be joined with a
0:21
guest from the other side of the world where I actually happen to find myself as well but Toby Amodio um is joining us
0:27
from Australia Toby has a long history in cyber security he's led large diverse geographically dispersed teams to
0:33
protect detect and respond to the Cyber challenges facing government so I know we're looking for some really
0:39
interesting perspectives there Toby has previously held the Chief Information Security Officer roles at Australian
0:45
Parliament House the department of parliamentary services and the Australian taxation office and he's
0:50
currently consulting with MF and Associates, a Fujitsu company, into the Australian federal government Toby is a
0:57
father to two young kids and is constantly trying to balance work life and compliance I know a lot of us are
1:03
trying to balance work and life but adding compliance into the mix has got to make things a little bit more complex
1:08
Toby thank you so much for taking the time to join us today thank you for having me Jeremy uh it's a real pleasure
1:14
and especially you know given that I am traveling on this side of the world and uh talking to a number of customers and
1:20
partners here in Australia and across kind of the broader Australasia region you know one of the topics that comes up
1:27
is regional compliance and Regional standards and one of the things that is in a lot of headlines recently is the
1:32
Australian essential 8 and there was kind of an update to it last year that I was reading up on I know there's been
1:38
many updates to it over the years but I wonder if you could for the audience just give us some context of what is the
1:44
essential eight how did it come about is it a good thing is it a bad thing we we'll talk about all those things but
1:49
you know maybe set the stage for the listeners sure sure I'll jump in uh and before we jump in I'll just mention that
1:55
all my opinions are that of myself and not my employers or the government but that aside uh the Essential 8 is an amazing
2:04
beast but we'll start one layer higher as a government agency within Australia
2:09
you get money from the from the government to deliver services to the country and an obligation of that is to
2:15
comply with the protective security policy framework and it's an overarching framework that tells you how you do physical Personnel cyber and security
2:24
governance as a whole now that's the overarching framework underneath that it's got a number of different policies
2:30
and objectives one of the policies under the PSPF is to do the essential eight
2:35
and one of the policies is to implement the information security manual now the information security manual and the
2:40
essential eight are two documents developed by the Australian Signals Directorate and that's our intelligence
2:45
agency the the the interesting part about the intelligence agency developing the documents is obviously they've got
2:52
some insight into how to compromise other agencies and they also see a number of how agencies get compromised
2:58
and so they wrote the information security manual effectively as the control Bible on how to protect yourself
3:05
based on, they're aware of the threats they know what let's say the top risk vectors are and so that informed a lot of their
3:11
thinking and their and let's say their analysis that went into this right correct correct so that's the the ISM is
3:17
the Bible it's over 800 controls at the moment and it gets updated quarterly so it is constantly evolving to the threat
3:23
landscape now the thing that they've done they've they've been delivering it for over over 15 years I okay this this
3:30
dates myself it's over over 20 years um and as that has evolved they've also
3:36
realized that it's increasingly hard to implement 800 controls in a risk-based manner and so about 10 years ago they
3:43
had to come up with a more they thought we'll come up with a more Consolidated list and that's where they came up with
3:49
the essential eight and the essential eight was the eight top mitigation strategies so not controls unfortunately
3:55
it maps to 200 controls um but the mitigation strategies that they saw to
4:01
mitigate over 80% of intrusions that they saw against Australian government entities so they went if you do these
4:07
eight strategies it'll mitigate against the main intrusions that we see now that was when it was first created and the
4:13
interesting thing about about this is it was created by the intelligence agency to help secure the rest of the country
4:19
but it's now molded into a compliance piece that's mandated under the the protective security policy framework
4:25
which is a very pass/fail implementation so they were trying to do it originally as a guidance thing to say hey if you
4:31
can't really focus on the whole ISM 800 controls then just focus on these things because the the most in incidents that
4:38
we see they're affecting these things so do the basics brilliantly and you'll protect against the majority of the
4:43
incidents that we see now the eight is actually part of 37 mitigation strategies it's a whole Beast so it's
4:50
it's confusing as hell and on top of that they they did a maturity model against the essential eight and you've
4:56
got four levels of maturity against each of the eight controls the complexity on this is absurd and it makes it extremely
5:03
hard to implement but the concept is is eight strategies to do mitigates 80% of
5:09
intrusions okay and along those lines I mean one of the things one of the parallels that comes to my mind as you
5:15
described it is actually something called the OWASP Top 10 and a lot of people look at the OWASP Top 10 as if it
5:21
were let's say a compliance checklist or a framework that they can use but I
5:27
don't really see it that way to me it's more a threat model that says like hey these are your top 10 risks and you know
5:34
there's the one for applications and then there's one for APIs which is the one that I run into of course running an
5:39
API security company on a regular basis but but part of the challenge that lies
5:44
therein in the fact that it's not a controls framework is that the controls are then variable to every organization
5:51
because let's say for instance the way that I use cloud is different from the way that we that you use cloud and the
5:57
way that I might need to look at let's say Cloud identity security if that were one of the eight um I know it's not and
6:03
we'll come to that in a second but the way I would look at Cloud identity security may be quite different from yours and then for the same time for an
6:10
external auditor or somebody who came in and wanted to let's say assess my maturity relative to the essential eight
6:17
they're looking at you know an apple over here and an orange over here and so you know those two things are not the
6:23
same I guess this is kind of part of that complexity that you're getting into when you say it's like a nightmare to
6:28
implement yeah 100% and it's it's one of those pieces increasingly my my role in a CISO role became not just reporting
6:35
against risk but then reporting against compliance and reporting against maturity and they're three independent
6:42
lenses and ideally you should just be looking at risk going what are the threats that we face and then how do we
6:48
align our controls to those threats but then as an entity that is assured by external entities you have compliance
6:54
obligations so you have to meet those bars and then inevitably also your compliance
7:00
maturity is always in context of other agencies or other entities so it's not just like are you a four it's are you a
7:06
four but where are the other people and so I I find that those three kind of Concepts all boil around whenever I was
7:12
doing reporting up not just a pure compliance lens against as you said um a fixed a fixed or semi-fixed framework or
7:19
conceptual lens yeah and and I mean I know there's one of the common sayings
7:25
that that you'll hear in many security conversations especially when a compliance person enters the room is
7:31
security is not compliance and compliance is not security that they're two very different things and like ultimately compliance is very
7:38
prescriptive whereas like security is always a risk management exercise and I
7:43
guess one of my first questions is like a do you think that most people understand that here and B when you
7:51
think about like the the everything that you've laid out
7:56
let's say from the um from the ISM and the 100 checks and then the the subset of 37 and then the Essential 8 and the
8:03
maturity model like does it all get kind of very messy and muddled in people's
8:09
minds where they don't really know where the risk management piece leaves off and then the compliance piece picks up and
8:16
how they do and don't work together yeah 100% and it becomes it becomes reduced
8:21
to a really simplified conversation especially in the media of just just do eight things it's simple just do eight
8:27
things and and as you said that doesn't take into account your risk posture the example I always used to use is when I
8:33
was at the tax office um if we implemented the essential 8 perfectly
8:38
but had a cross-site scripting vulnerability on one of our websites we would technically be compliant with the
8:43
essential 8 but we could be pumping out all of our data or if or an Optus
8:49
where they had an open API that's not one of the Essential 8 uh so that breach
8:54
which leaked tens of millions of client records they're an Australian telecommunications provider again
9:00
outside of scope and so it's about going well realistically what's the lens that we do on top of it and so but it also
9:06
becomes really hard because you've got a compliance lens against these eight which are very hard to do and then that can consume a lot of your information
9:13
security program so that that will actually detract from your other risk management activities because if if
9:19
you're spending millions and millions and millions trying to get Essential 8 compliant then that may detract from your application security or your API
9:26
security yeah approach yeah as you said in your overall risk management if you
9:32
you know kind of think of the broader threat model around your organization and where your risks lie if they're not
9:37
part of the Essential 8 which which really leads me to you know one of the other questions and by the way I would
9:43
be remiss here if I didn't say hey Optus if you're listening please give us a call we're more than happy to to help
9:48
you out but on on the on the side of like let's say what's not in the Essential 8 you know I know one of the
9:54
things that's been called out is that really there's almost nothing in the Essential 8 relative to cloud and
10:00
that's that's you know whether infrastructure as a service software as a service but here we are you know
10:05
recording in 2024 and that's where the world is or is moving towards one how do you think about that
10:14
and what was your reaction when you saw the latest update and that wasn't in there and then two like what kind of
10:19
reaction are you hearing from let's say like you know no specifics but some of the organizations that you talk to on a
10:25
regular basis how are they thinking about this and like does that in their mind diminish the value of the essential
10:32
8 that it's not really representative of the current state of it yeah
10:37
increasingly it was originally created as I mentioned focused against those risks of the time and the threats of the
10:43
time and it is primarily uh aligned with threats of intrusion into your system
10:49
which is as you said focused on that more on Prem um thick client relationship piece and as we move into
10:55
the cloud identity and policy is more increasingly the boundary and so um it
11:01
would be interesting to me for the Australian Signals Directorate to almost release a an update that then
11:07
contextualizes does this still address 80% of the Cyber risks that they see like is it still aligned and and if
11:12
that's that would be a good that would be a good refute of well the rest you can get in the ism you don't need this is what we still see um or if they turn
11:20
around and go no we've updated it and you're right that the threats are now focusing more in that um information and
11:26
access plane like the most recent Microsoft um vulnerability where they got compromised by misconfigured
11:32
permissions in a dev tenancy and all that jazz so as you know identity is the
11:37
boundary and so I think it's worth them almost coming to the table and going hey well we still see these ones as the main
11:43
pieces or no the the risks that the vulnerabilities that we're seeing or the the attacks that we're seeing the incidents have shifted our eight and now
11:50
we've got these nine or you know what I mean so yeah yeah I look I mean it's so
11:55
hard because Essential 8 is such a catchy thing and and you know if it a lot of the times I know that
12:02
cyber Security Programs seem overwhelming and especially they're overwhelming to people who are new to an
12:08
organization and you step into an organization for the first time either as let's say an entry-level employee
12:13
somebody working as a um um the prototypical um SOC analyst kind of entry-level cyber security role or or
12:21
you're like just joining an organization maybe you're coming from a smaller one to one that's a much higher profile and
12:26
a bigger Target it can be really overwhelming in and if you don't have good cyber security principles in place
12:34
and then you're trying to tackle a program it's great to think about there's eight things you know it's
12:39
manageable it's a small list correct not to spend too much time on it but you know tangent from my past is I worked on
12:45
cloud security for a long time and there is especially with customers that I worked with in the US there's the NIST
12:52
800-53 guidelines and it's roughly 400ish controls 450 or so if I remember
12:57
correctly um and that's super overwhelming and so most customers would never want to start with that unless
13:03
they had an absolute requirement to do that what did they do instead they love the CIS Benchmark the center for
13:09
Internet Security why because it's like 40 controls and it's super prescriptive and I can literally go down a checklist
13:15
and think about it and you know literally go one by one so I I you know I guess my question is like you know
13:21
when you think about approaching this with new organizations that you either step into or that you're talking to for
13:26
the first time how do you counsel them do you say hey let's start with the 8 do you say hey let's start with your threat model do you say like no
13:33
it's got to be some hybrid of like the eight plus a threat a risk model applied to the org or how do you start that
13:39
conversation yeah it's a really good point and I used to have a saying that Simplicity is the key so all can see and
13:46
that's the essential eight definitely hits that it hits the Simplicity thing um I usually start with the the threat
13:53
lens uh predominantly when I'm in an organization but as I mentioned before it's that risk p
13:59
needs to be passed through the lens of compliance for the organization and what they have to achieve and if they are a
14:05
government entity or they want to engage with government entities in Australia then the Essential 8 is a great starting point and it's a great kickoff and as
14:11
you can see from the nature of the controls especially it's effectively patching applications restricting
14:17
Administration privileges application control and then doing a number of hardening pieces and then ensuring you
14:22
can recover so it is a pretty broad swathe of protect detect respond um and
14:29
that's usually the language I use as well the ISM actually has govern protect
14:34
detect respond um I know that the NIST cyber security framework has six at the top layer I try to embed that kind of
14:41
language as well to simplify the conversation so that the executive can understand um really key what we're
14:47
trying to achieve with each function and break it that way rather than starting with a control framework start with a
14:52
narrative piece and my preferred narrative exec simple and I say that as a former exec simple things protect
14:59
detect respond usually gets you across the board to articulate what you're going to try and do and then you just focus on what the key things are you
15:05
want to do in those spaces yeah yeah look that makes a ton of sense and I think I would certainly
15:11
like support your overall approach towards um keeping it simple especially when you're starting off because if you
15:16
try to bite off too much at the beginning it it becomes a very demoralizing exercise very very quickly
15:22
um a couple of other things I noticed from the you know from my very brief cursory reading of the Essential 8 mind
15:28
you is that you know one of the things that I found was not in there um you mentioned that um proper usage of admin
15:35
rights was was called out well and multi-factor authentication is called out well as well but then like least
15:41
privilege as a as an overall identity and access management principle seem to be lacking and so when you think about
15:48
especially data access across distributed environments if you know my account has too much data access and
15:55
then I get compromised through a phishing email or what have you you know there's there's a a potential risk there I
16:01
didn't see that one in there and the other one that really struck a chord with me was that I didn't see configuration
16:06
Management in there and especially in you know we talked a second ago about kind of the cloud first world that we're
16:12
in everything is software-defined and almost everything is configuration based at this point you know that that seems
16:19
like a real Miss to me yeah I I I don't disagree and I do think that the um
16:25
restricting Administration privileges should evolve into least privilege like Universal least privilege and
16:32
increasingly within the greater ISM there is a focus on zero trust and zero trust is is is really geared around that
16:38
um that that least privilege Universal least privilege um Assurance uh so I
16:46
think that increasingly that's where it will go but you're right it is it is a Miss in in my opinion but they are
16:52
focusing again on the greatest threat point which is those admin roles and and what they can do in the organization but
16:58
has that kept pace with the nature of what an admin is in the modern Cloud environment and how diverse that is
17:04
because that's the other piece that people don't realize which is the nature of what an admin used to be with literally like a sudo or or a domain
17:10
admin account now you can Jerry chain a whole heap of um or privileges within apps and
17:17
then all of a sudden you've got you know um a domain administrator or Enterprise administrator by proxy um but to the
17:24
other piece as well that you're talking about I think that the configuration management and hardening have a a catch
17:30
all called application hardening and I think it as well that one to me it's it's focused on the core apps that have
17:37
been popped in the past like our web browsers our um office suite those core pieces that they've seen nation state
17:43
actors focus on but I do think that that could be expanded out to as you know um
17:48
the S3 buckets the standard um yeah configuration layers um looking at how Cloud you harden the perimeter and then
17:55
create a defense in depth throughout the application stack as well to ensure that you have a least privilege and and
18:01
hardened controls and follow things like this the CIS baseline or or hardening configuration guides from the providers
18:07
so so I I completely agree but I also think that there are tweaks of two
18:12
of two that are in there already that you could use to achieve that so it'd be interesting to see if they approach that in the future yeah that's fair that
18:18
there's tweaks but then you know a followup question that I would always have on those along those lines is um
18:25
you know to what extent do the do the people actually doing the implementation understand that this is a tweak of one
18:31
of these guidelines that they need to kind of incorporate that when they're looking at application hardening they
18:36
also need to be looking at let's say the the infrastructure that an application is running on in AWS Because by the way
18:43
that application can be running on an EC2 instance that has an assigned user role or an assigned IAM role that might
18:50
have admin rights right and and so you know it's a question of like how deep the understanding and sophistication is
18:57
oh 100% the devil's in the detail and as you as you mentioned it's hard
19:02
because once you simplify things up to just eight Concepts or whatever it obfuscates the detail so far that it's
19:09
not practically aligned to what the actual outcome is um yeah and and it's
19:14
it's it's an INT it's an intractable problem there's there's a saying I used to have which is the only thing that's important as a CISO is knowing what's
19:20
important but then the more important thing than that is the only thing that's important as a CISO is being able to then
19:25
communicate what's important and as you said tracing that traceability down to from the concept down to the actual
19:32
implementation is is is critical and and it's hard it gets lost a lot of the time
19:38
within organizations from the translation from um concept into implementation uh and and that's that's
19:46
that's problematic to say the say the least um and as you know the defender's dilemma is that we we have to
19:52
succeed every time and the attacker only has to succeed once and the the challenge that I would have in I put to
19:59
you is I used to joke that I should have got into physical security because the locks aren't updated every three months there isn't a monthly patch cycle for
20:05
the physical locks I know I don't I know my physical security Brethren they have a hard time don't get me wrong um yeah
20:12
but but for me with the Essential 8 because it's getting updated quarterly as well I'm constantly trying to chase
20:18
that new bar and so it's not having one conversation it's having multiple conversations and I know this is a bit
20:24
of a tangent but one of my biggest challenges in my career was I came into a CISO role and I said to the
20:31
security board if you give me x amount of money I'll get you to maturity level two on the Essential 8 by next year and
20:38
I'll do these things to achieve it I did all the things on that list to achieve it and the target moved so
20:44
when we got there I got to the board next year I said I spent all your money I did all the things and we're now at maturity level zero and um they were not
20:51
very thrilled with that outcome yeah and I hadn't brought them along for that Journey but it is one of the challenges
20:57
of um the constantly evolving nature of of cyber security and and our threat environment and how do we ensure that we
21:04
move from a a point in time governance risk and compliance model to uh a real-time assurance model that that
21:10
validates the controls on a regular basis and automates the remediation of them because as you said um
21:17
configurations down into the nuances of how a specific um implementation of EC2
21:23
is done we should be automating them as much as possible both for the detection and the remediation because otherwise
21:29
we're never going to be able to achieve this increasing for me it's it's how does the security governance lens work hand in
21:36
glove with the security operations to not just assure them on paper but ensure that they're embedded in an ongoing
21:41
basis and that that we can automate those remediations as much as possible
21:46
yeah it's really interesting I mean there's a couple points in what you said that I want to dive into the first of which is that you know talking about
21:53
that journey that you went on where you you know you you had an X budget to achieve Y outcome that was on the
21:59
maturity scale that's a really interesting way to look at it because one of the challenges that I get from a
22:04
lot of people around cyber security in general this is across like almost anything is it's very hard to measure
22:11
cyber security results you know there's there's one measurement that really matters which is hey did we get breached
22:18
right but then yeah and and and it's that question that you often get honestly with like General Practitioners
22:24
in on the medical side it's like how much do you pay or reward or value your
22:29
GP when you don't get sick right and so this model in cyber security is like
22:35
it's a it's a very thankless job 99% of the time until you have the one bad day hopefully it's just the one bad day a
22:41
year or whatever year decade whatever that the time frame that you want to measure is um where as you said you have
22:48
to be right kind of continuously all of the time but when you bring that you know that is a measurable result but it
22:55
doesn't necessarily ort a positive ROI on a year-by-year basis and so it's very
23:01
easy for people who make funding decisions to look at that and say oh well you didn't get popped clearly you
23:07
don't need any additional budget and so there's almost an argument to be made
23:12
that you need a little bit of breach in the organization to kind of justify continued investment into cyber security
23:18
I mean I see you nodding and laughing because you must have gone through this conversation not not nothing nothing
23:24
pads a cyber security program like a breach but and funnily enough this is is 100% being a focus of my career which is
23:32
how do how do you how do you report your improvement into the organization and then how do you show ROI on your outputs
23:40
now there are there are some like tangible specific examples I can show where we we've removed costs to the
23:46
organization like removed fraud from a business life cycle flow chain um and those are really good positive one-offs
23:52
but they're not an ongoing piece one of the ways that we did it is and this is a big shout out to our US counterparts
23:58
but we at one of the organizations I was at used the National Institute of Standards and Technology cyber security
24:04
framework and did a CMMI assessment against it and that gave us a score out
24:09
of five for our maturity against not just not the overarching cyers and then
24:16
each of the the six domains under the new model yeah and we found that was really helpful to have a conversation
24:22
with our board about if you give us 10 million it puts us up 0.1 and it also
24:28
gives us a mean about the average, for we worked with a Big Four partner who had done a lot of these but it meant
24:35
that we could get a hey government across the world is at a 3.8 so then we could go well we're
24:42
actually at a 3.9 so our investment's probably right sized at the moment um but if you want to go to Best in breed
24:48
the best in breed is 4.1 and each increment costs X and so we use that as
24:54
a justification to go more of and that's that maturity piece where how do you compare with your your brethren because
25:00
I haven't found a really good like I know that there's some people that play in the market around a breach costs this much money so the amount of days that we
25:07
haven't caused a breach of saving you this much money but I feel like those are just esoteric and unfortunately and
25:13
depressingly for cyber Security Professionals a lot of the stock market results have bounced back quite well after breaches so I don't think it's
25:20
actually an enduring cost to a number of the publicly listed companies and so it's about how do you quantify the dollar
25:25
value of trust um and how you report that within your context of your
25:30
organization th this brings up a really good point because one of my observations and this is me completely
25:35
speaking as an outsider so correct me on this is you know in a lot of the conversations that I've been having with
25:41
customers and partners here locally one of the things that I'm hearing pretty consistently is oh we just had our worst
25:47
year for breaches ever there were these really big ones we mentioned Optus but there was Medibank and Latitude
25:53
financial and one or two others that are not coming to mind and I you know I haven't deeply researched the Australian
26:00
New Zealand Market or or Australia in particular on a country basis to know you know what is the rate of data
26:06
breaches look I'll tell you from a US perspective they're a dime a dozen they're happening every day and to your
26:11
point there's a there's very little Financial penalty either from The Regulators or from the financial markets
26:19
and you know I'd say most organizations assume that they either most like larger US publicly traded organizations assume
26:26
that they either are or will be breached and any kind of fines or credit
26:33
monitoring identity theft prevention to the consumer is just built into the overall model they maybe get Cyber
26:38
Insurance around it Etc but one of the things I've heard is that the the regulatory fines here are pretty brutal
26:45
and they've been very serious and I've heard from people that it feels very much like an overcorrection which may or
26:51
may not be viewed as a positive thing depending where you're sitting and how you feel about it and your own role in organization I mean what's your reaction
26:58
action to all of that I I think it's really timely uh I think that your
27:03
assessment especially across the US implementation is right on the money and I don't think it is having necessarily A
27:10
positive trend on the control posture because I do think that there are a number of bean counters who think that
27:15
they can just Bean counted away or balance it out in the greater run but it has been reflected in so the Australian
27:21
government recently put in securing critical infrastructure uh all of the five eyes uh countries so Australian New
27:28
Zealand UK Canada and USA have very Sim similar um approaches to screwing
27:34
critical infrastructure a lot of the key policies mirror and so we're constantly changing ours in line with the us but
27:40
we've actually gone a bit more Hardline and the lens on that is similar to the
27:46
tax office here which is support the people that are trying to do the right thing and punish the ones that aren't if that makes sense and so if if you are
27:53
engaging and trying to do the right thing then they will give you all the support to the end of the world to fix it but if you're willfully not engaging
28:00
with it then they' they've given themselves the tools and the freedom to be able to um undertake actions to
28:05
encourage um compliance and Alignment um and I think that that approach of the
28:11
the hug um where people are trying to get support but then punish where people
28:16
are being willfully non-compliant is a really good balance and and is a bit more PR pragmatic it's not just doing
28:23
attacking people for like the old you wouldn't blame someone for getting punched in the pub so I don't know why
28:28
we blame people to get breached so this is similar if someone's getting punched in the pub it's only if they keep going
28:34
to the same Pub all the time and they wear a shirt that says punch me that we start going hey maybe you should stop doing this um but otherwise we're going
28:41
to put the wraparounds in to protect them and I know I'm stretching that ex that analogy very wide yeah yeah but but
28:47
look I think the point is taken the the look and I don't want to get too deep onto this in today's conversation
28:54
because we've got other episodes um where we've been talking about the US regulatory environment recently and and
28:59
some of the personal liability that's coming along with it that to your point is kind of putting blame towards the
29:05
people who got punched in the pub and you know in some instances to to kind of
29:11
stretch this analogy even further got blindsided by a person who was sent in
29:16
there by a Mafia Boss to go punch somebody Rand not random punch one particular targeted person in a pub and
29:23
then that might have the knock on effect of punching thousands of people across thousands of pubs so so you know I think
29:30
that point is well taken and I I'm glad to see that this kind of a response is
29:35
what's seeming to happen I'm curious from a um how much of that has been kind
29:41
of correlated with consumer data protection you know in in I'm you know
29:46
half American half European I've lived in both sides of the pond for a lot of my life in addition to some time spent
29:52
in Singapore and gdpr as a European citizen feels very good to me in terms
29:59
of protecting my own consumer data how much has consumer data protection factored into this conversation around
30:06
either supporting organizations or um assessing the the scale of a fine
30:11
towards an organization that does get breached very strongly and they as you may know they've got the office of the
30:17
Australian information commissioner here which whose only role is to assist with data breaches and guideline entities to
30:24
respond and manage the data appropriately and that has been baked into the new critical infrastructure as well and they've actually expanded gone
30:30
look we recognize that um pii is critical but they've also gone it's bigger than just the pii it's also the
30:37
systems that manage that Pi or the systems that manage the delivery of services to the publish public and we
30:42
have to make sure that we've got the appropriate wraparounds for all of them I think that there are a number of I
30:49
think I think that the balance in Australia is is quite good I don't I think some of the balance speaking out
30:54
of turn on the gdpr side is almost security theater I think the fact that we have to all click show me my cookies
31:00
everyone it is theater it's not actually cheaping anything but I get I get the intent and I also appreciate the fact
31:07
that they're thinking about it and so I think that it's it's it's that fine regulatory balance between overburden
31:14
the market um but also making sure you've got the controls to support the entities and I think that there is an
31:20
okay balance here but there're still proving it out like the legislation in Australia is under 10 years old for like
31:27
the um CRI so for breach of information and all that jazz so it's still being proofed out in court cases and instances
31:34
and that testing of what is willful negligence I think is is still being
31:39
right leveled if that makes sense and I think in a few years when we see more of those cases come through and as the
31:46
infrastruct the legislation changes um I think that we'll have a better feel for
31:51
is it providing the right level of assurance um but the problem is as you
31:56
know the cost of entry for attackers at the moment is so low that that I
32:04
mentioned before the Defenders dilemma but it's it's not if you get breached it's when you get breached and that
32:10
comes back to the how do you detect and respond to breaches to minimize the the consequences of it yeah I mean this
32:17
point is is one of the points that I you know I bring up in almost every conversation where somebody says oh yeah
32:22
but we're not a Target and I said well you first of all everybody's a Target
32:28
and you know the the example that I like to give to people is like and I I I always mention this two things that
32:34
people you got to aware be aware of number one hackers have credit cards they may or may not be accurate credit
32:40
cards but what it does give them is it gives them access to cloud and it gives them access to you know in number two
32:46
hackers have internet connections and they they can go scan GitHub they can get every open source automation tool
32:53
you know uh Cobalt strike Metasploit all of these tools that have good legitimate
32:59
use cases for pen testing and for hardening your own applications can also be used by the other side right and so
33:06
like you couple Cloud Automation and you know in open source
33:11
and I'll tell you that everybody's a Target our own lab environment we stand up apis on a regular basis to test our
33:16
own product with them to test exploits attacks Etc every single API we put
33:22
online with just a randomly assigned IP address gets traffic within about three
33:27
to five minutes yeah every the whole internet is being scanned perpetually
33:32
constantly constantly and not just scanned by the way scan with some
33:38
intelligence yeah actively T 100% exactly because we see this Behavior
33:43
where it's like oh I got a response from random IP address 1234 let me see if
33:48
it's running WordPress let me see if it's running Drupal let me see if it's running move it file transfer software
33:55
again and again let me see if I can find secrets ials environment variables any of these things that I might use to
34:01
breach the organization or map it out or understand what's running there that's all valuable well and I've actually seen
34:08
sorry I didn't interrupt but I've seen instances instances of that where the people are running that software and
34:13
they're not even using it to compromise it themselves they're automating that basically they'll compromise your
34:18
machine every time you type in a password they're not even going to use it to breach you they're just putting it straight onto the dark web to sell
34:24
because that's how they make money they do that at scale so that they're not even one that attacks you they sell it on to someone else who attacks you
34:30
they're the initial access broker effectively yeah exactly and we had an instance in government where a member of
34:36
the Public's credentials were compromised through this method they were part of a botn net and they were
34:42
available for sale on the dark web and there we got access to this is the
34:47
credential that was broken um that was that was compromised and with that one credential which cost you about $2 us
34:54
you could have rolled over their entire life savings their super which was about $700,000 instantly cuz they're over 65
35:01
in Australia so it's like 100% And and one one funny thing about you know how people say it's what they would never
35:08
Target me working uh in my role at Parliament House I heard that same thing from everyone up the chain it wasn't no
35:15
one thinks that they're going to be targeted it's it's a one universal opinion no everyone says oh I wouldn't be targeted I'm like everyone everyone
35:21
is targeted you you are targeted by existing yeah I mentioned our lab environments one of the other things
35:28
that's happened to us at we're look we're a tiny company we're a 12 person organization spread across a few uh
35:34
different geographies yes we work with customers around the world Etc uh just
35:39
the other day I was checking my spam folder and I saw impersonation emails
35:45
with the names of my employees telling me that they needed to update their bank account information on our payroll
35:51
system you know and everybody's targeted everybody is automated it is very it's
35:57
trivial to discover who works in an organization and then to catch their names and so on and put that in there so
36:04
um and just just on that before we divide the other thing that's a driver for that
36:10
is the level of poverty in some countries means that if they get one person to accidentally send them $50
36:16
once a month they've made their quota and so then sending a th emails cost them only their time and so again that's
36:24
scale sorry to interrupt but that's the perfect example of if they can get one pace to them not sent to you then
36:30
they're set for the month they can eat for the month yeah you bring up a really interesting point there that you kind of
36:36
said as in passing which is hit their quota You' got to remember that these individuals are generally part of larger
36:43
organizations that are criminal Enterprises fundamentally and that's correct you know yes there maybe nation
36:49
states aren't targeting you maybe right maybe if you work in critical infrastructure they are but maybe for me
36:55
as a small um C security company working on API security software maybe nation
37:01
states are not targeting me but criminal Enterprises absolutely are you know we've only got a couple
37:08
more minutes but I know there were a couple of other things I really wanted to get your take on as somebody who's been doing this for a little while and
37:14
that's you know when we think about kind of this transitioning environment as we
37:19
move further and further into the cloud I tend to think of cloud as actually being better from a cyber security
37:25
perspective why because everything can be kind of programmed right everything software defined it can be interacted with over apis it's
37:31
primarily data and configurations that I'm worried about I'm kind of curious to get your lens because you know let's say
37:38
like globally there's a perception that government organizations are typically a little bit behind that curve when it comes to Cloud adoption and and you know
37:45
they may have more Legacy it than uh it infrastructure than a born in the cloud
37:51
organization like us how do you view that and then what are some of your top recommendations for organization that
37:57
they're going through a transition or struggling to manage kind of Legacy it infrastructure I I think the biggest
38:03
challenge for me is not just the Legacy it infrastructure but also the Legacy it
38:08
infrastructure Personnel because often they'll bring the same approach that they take to managing on Prem to into
38:14
the cloud if that makes sense so you have to do the people process and Technology uplift as you migrate and I
38:19
see a lot of the ways where it fails is because they're just trying to basically do what they were doing on Prem in the
38:26
cloud and as you probably know from a cloud Journey that also doesn't that doesn't cost less if you just move your
38:32
machines into IAS yeah you're you're just spending more money so you're not actually achieving the benefits of the
38:37
cloud it doesn't give you the scalability it gives you the um redundancy and and that piece but you're
38:42
not baking into your apps the scale up scales down you're not baking in the automated security controls so for me
38:48
it's about going when we move to the cloud do it with purpose and move each application um with intention one of the
38:55
approaches and an agency I used that they did like a gold silver bronze rust approach where they took a catalog of
39:02
their apps and they went gold is we move it to SAS and then then we just managed the policy um Silvers we move it to Pas
39:08
bronze we move it to aaz rust we can't move it and we're got to kill it because it's stuck so structure it and work out
39:15
your approach um there's been a number of instances recently where people have just lifted and shifted directly into
39:21
the cloud and unfortunately that shifted their problems into the cloud and your problems can go at scale in the cloud
39:28
and exposed to the internet very quickly so it's about for me the biggest the biggest fundamental piece is making sure
39:33
you have the right knowledge in the right people to do that transition and don't use the same tools you used for on
39:39
Prem to achieve your outcomes in the cloud and work really clearly to layer your controls up from the base so that
39:45
you bake in if you're doing an i or PAs implementation you understand what the the controls are for the shell and then
39:52
everyone that works within it works within their piece um and if you can build natively in a zero trust way as
39:58
you migrate to the cloud because that's the other benefit you can do which is stop the east west traffic get everyone
40:03
coming through a front door um automatically whether that's a je front door or an 8s app Gateway or whatever
40:10
partner client but if you can natively do that as part of the migration you just remove those East West Trend like
40:16
um vectors so someone can't jump into a desktop and then pivot into your environment so the two main things I
40:22
would say is don't treat it like you treat on Prem so get the get the right skills and then bake in zero trust and
40:28
identity as a as a front when you're doing it because otherwise it's you can't retrofit it this is a perfect
40:34
chance to do it properly once yeah yeah to to that point along those lines of
40:40
the second thing that you said is retrofitting is really tough I've seen organizations that made that transition exactly as you said they kind of went
40:46
the classic lift and shift they didn't change their operations model at all they got into the cloud and then they
40:51
realized really we're just using someone else's data center at this point at best we got out of Hardware management and
40:57
yes it is quite costly right at that point and you can do a little bit of like Financial optimization with
41:03
contract mechanisms and reservations and capacity commitments all fine but when
41:08
you're really trying to get let's say the benefits of the cloud and let's say the the flexibility and the eeral nature and the scale up and the scale down and
41:15
the scale out and all that good stuff you really have to change your operations model and to that point what
41:21
I've seen with organizations that kind of make the lift and shift mistake or
41:26
frankly I've I've seen they wait until the very end and it's like data center end of life or end of Colo contract and
41:33
they're like oh crap we got to get out of here let's just lift and shift what they inevitably end up doing is then
41:39
creating a new Cloud organization and they do a cloud to Cloud migration to go
41:44
from the lift and shift operations into the actual cloudy way of getting it done and look that can work but it is not
41:51
cost effective um yeah anyway correct correct and and it's always easier said
41:57
than done I understand have people have apps that are older than me running that uh that are that are that are critical
42:04
to the delivery of services so I I to I totally get it yeah and by the way those
42:10
app are probably power powering your bank account and mine and every flight reservation that we're making around the
42:16
world on a regular basis so you know some of them are pretty important so I do get that as well awesome well Toby
42:23
it's been a real pleasure I don't know if you have any closing comments you want to share with the audience but I know from my standpoint I've really
42:28
enjoyed learning about some of the uh challenges relative to the Australian Market some of the the you know come of
42:34
the guidance coming out there for anybody who for any closing thoughts or anybody who wants to get in touch where
42:39
can they find you what would you share with them uh if anyone anyone wants any help feel free to um reach me out on
42:45
LinkedIn um but for me the biggest driver is how we as a community engage
42:50
with the business and the the benefit of the essential eight and those conversations as you said is having a simplified engagement model
42:57
and that's really telling for me the biggest benefit of the essential a is the consumption from the business and the engagement on that side so think
43:03
about your narrative as a mentioned before the only thing that's important is how you articulate what's important and if you're not ahead of that
43:09
narrative as a cyber professional within your organization then you're you're not you're not going to succeed at all so
43:15
make sure you think about the people and how you sell your piece and then tie your deliverables to that that's a great
43:21
point and I think that's a great note to end today's conversation on Toby thank you so much for joining us on the modern
43:26
cyber podcast thank you for your time [Music]