Modern Cyber with Jeremy Snyder - Episode

Toby Amodio of MF&A

FireTail CEO Jeremy Snyder is joined by Toby Amodio, Director and Government Cyber Delivery Lead at MF & Associates, for a lively discussion around cyber security topics such as risk, compliance, maturity and more. Today’s episode of the Modern Cyber podcast will examine the Essential 8 in the context of cyber security to see how relevant it is today. Listen as they compare and contrast the E8 to the ISM in terms of what they address and what they lack.

Podcast Transcript

Jeremy Snyder: Hello, welcome to the Modern Cyber podcast. We are thrilled to be back with another episode today. My name is Jeremy Snyder, founder and CEO of FireTail, and as always I will be hosting this episode. Today I am thrilled to be joined by a guest from the other side of the world, where I actually happen to find myself as well. Toby Amodio is joining us from Australia. Toby has a long history in cyber security; he's led large, diverse, geographically dispersed teams to protect, detect and respond to the cyber challenges facing government, so I know we're looking for some really interesting perspectives there. Toby has previously held the Chief Information Security Officer roles at Australian Parliament House, the Department of Parliamentary Services and the Australian Taxation Office, and he's currently consulting with MF and Associates, a Fujitsu company, into the Australian federal government. Toby is a father to two young kids and is constantly trying to balance work, life and compliance. I know a lot of us are trying to balance work and life, but adding compliance into the mix has got to make things a little bit more complex. Toby, thank you so much for taking the time to join us today.

Toby Amodio: Thank you for having me, Jeremy. It's a real pleasure.

Jeremy Snyder: And especially, you know, given that I am traveling on this side of the world and talking to a number of customers and partners here in Australia and across the broader Australasia region, one of the topics that comes up is regional compliance and regional standards, and one of the things that is in a lot of headlines recently is the Australian Essential Eight. There was an update to it last year that I was reading up on. I know there have been many updates to it over the years, but I wonder if you could, for the audience, just give us some context. What is the Essential Eight, how did it come about, is it a good thing, is it a bad thing? We'll talk about all those things, but maybe set the stage for the listeners.

Toby Amodio: Sure, sure, I'll jump in. Before we jump in I'll just mention that all my opinions are my own and not those of my employer or the government. But that aside, the Essential Eight is an amazing beast, and we'll start one layer higher. As a government agency within Australia you get money from the government to deliver services to the country, and an obligation of that is to comply with the Protective Security Policy Framework. It's an overarching framework that tells you how you do physical, personnel, cyber and security governance as a whole. Now, that's the overarching framework; underneath that it's got a number of different policies and objectives. One of the policies under the PSPF is to do the Essential Eight, and one of the policies is to implement the Information Security Manual. Now the Information Security Manual and the Essential Eight are two documents developed by the Australian Signals Directorate, and that's our intelligence agency. The interesting part about the intelligence agency developing the documents is obviously they've got some insight into how to compromise other agencies, and they also see a number of how agencies get compromised, and so they wrote the Information Security Manual effectively as the control bible on how to protect yourself, based on...

Jeremy Snyder: They're aware of the threats, they know what, let's say, the top risk vectors are, and so that informed a lot of their thinking and, let's say, their analysis that went into this, right?

Toby Amodio: Correct, correct. So the ISM is the bible. It's over 800 controls at the moment and it gets updated quarterly, so it is constantly evolving to the threat landscape. Now, they've been delivering it for over 15 years... okay, this dates me, it's over 20 years. And as that has evolved they've also realized that it's increasingly hard to implement 800 controls in a risk-based manner, and so about 10 years ago they thought, we'll come up with a more consolidated list, and that's where they came up with the Essential Eight. The Essential Eight was the eight top mitigation strategies. So not controls, unfortunately; it maps to 200 controls. But the mitigation strategies that they saw to mitigate over 80% of intrusions that they saw against Australian government entities. So they went, if you do these eight strategies it'll mitigate against the main intrusions that we see. Now that was when it was first created, and the interesting thing about this is it was created by the intelligence agency to help secure the rest of the country, but it's now moulded into a compliance piece that's mandated under the Protective Security Policy Framework, which is a very pass/fail implementation. So they were trying to do it originally as a guidance thing, to say hey, if you can't really focus on the whole ISM, 800 controls, then just focus on these things, because the most incidents that we see, they're affecting these things, so do the basics brilliantly and you'll protect against the majority of the incidents that we see. Now the eight is actually part of 37 mitigation strategies. It's a whole beast, so it's confusing as hell, and on top of that they did a maturity model against the Essential Eight and you've got four levels of maturity against each of the eight controls. The complexity on this is absurd and it makes it extremely hard to implement, but the concept is: eight strategies to do mitigates 80% of intrusions.

Jeremy Snyder: Okay, and along those lines, one of the parallels that comes to my mind as you described it is actually something called the OWASP Top 10. A lot of people look at the OWASP Top 10 as if it were, let's say, a compliance checklist or a framework that they can use, but I don't really see it that way. To me it's more a threat model that says, hey, these are your top 10 risks. There's the one for applications and then there's one for APIs, which is the one that I run into, of course, running an API security company, on a regular basis. But part of the challenge that lies therein, in the fact that it's not a controls framework, is that the controls are then variable to every organization, because, let's say for instance, the way that I use cloud is different from the way that you use cloud, and the way that I might need to look at, let's say, cloud identity security, if that were one of the eight (I know it's not, and we'll come to that in a second), may be quite different from yours. And then at the same time, for an external auditor or somebody who came in and wanted to, let's say, assess my maturity relative to the Essential Eight, they're looking at an apple over here and an orange over here, and so those two things are not the same. I guess this is kind of part of that complexity that you're getting into when you say it's like a nightmare to implement.

Toby Amodio: Yeah, 100%. And it's one of those pieces: increasingly my role in a CISO role became not just reporting against risk but then reporting against compliance and reporting against maturity, and they're three independent lenses. Ideally you should just be looking at risk, going what are the threats that we face, and then how do we align our controls to those threats. But then, as an entity that is assured by external entities, you have compliance obligations, so you have to meet those bars. And then inevitably also your compliance maturity is always in context of other agencies or other entities, so it's not just like, are you a four, it's are you a four but where are the other people. And so I find that those three concepts all boil around whenever I was doing reporting up, not just a pure compliance lens against, as you said, a fixed or semi-fixed framework or conceptual lens.

Jeremy Snyder: Yeah, and I mean, I know there's one of the common sayings that you'll hear in many security conversations, especially when a compliance person enters the room: security is not compliance and compliance is not security. They're two very different things, and ultimately compliance is very prescriptive, whereas security is always a risk management exercise. I guess one of my first questions is: (a) do you think that most people understand that here, and (b) when you think about everything that you've laid out, let's say from the ISM and the 100 checks, and then the subset of 37, and then the Essential Eight, and the maturity model, does it all get kind of very messy and muddled in people's minds, where they don't really know where the risk management piece leaves off and then the compliance piece picks up, and how they do and don't work together?

Toby Amodio: Yeah, 100%. And it becomes reduced to a really simplified conversation, especially in the media, of just do eight things, it's simple, just do eight things. And as you said, that doesn't take into account your risk posture. The example I always used to use is when I was at the tax office: if we implemented the Essential Eight perfectly but had a cross-site scripting vulnerability on one of our websites, we would technically be compliant with the Essential Eight but we could be pumping out all of our data. Or an Optus, where they had an open API: that's not one of the Essential Eight, so that breach, which leaked tens of millions of client records (they're an Australian telecommunications provider), again outside of scope. And so it's about going, well, realistically, what's the lens that we do on top of it. But it also becomes really hard, because you've got a compliance lens against these eight, which are very hard to do, and then that can consume a lot of your information security program, so that will actually detract from your other risk management activities. Because if you're spending millions and millions and millions trying to get Essential Eight compliant, then that may detract from your application security or your API security approach.

Jeremy Snyder: Yeah, as you said, in your overall risk management, if you kind of think of the broader threat model around your organization and where your risks lie, if they're not part of the Essential Eight... which really leads me to one of the other questions. And by the way, I would be remiss here if I didn't say, hey Optus, if you're listening, please give us a call, we're more than happy to help you out. But on the side of, let's say, what's not in the Essential Eight: I know one of the things that's been called out is that really there's almost nothing in the Essential Eight relative to cloud, whether infrastructure as a service or software as a service. But here we are, recording in 2024, and that's where the world is, or is moving towards. One, how do you think about that, and what was your reaction when you saw the latest update and that wasn't in there? And then two, what kind of reaction are you hearing from, let's say, no specifics, but some of the organizations that you talk to on a regular basis? How are they thinking about this, and does that in their mind diminish the value of the Essential Eight, that it's not really representative of the current state of it?

Toby Amodio: Yeah, increasingly. It was originally created, as I mentioned, focused against those risks of the time and the threats of the time, and it is primarily aligned with threats of intrusion into your system, which is, as you said, focused more on that on-prem, thick client relationship piece. As we move into the cloud, identity and policy is increasingly the boundary, and so it would be interesting to me for the Australian Signals Directorate to almost release an update that then contextualizes: does this still address 80% of the cyber risks that they see? Is it still aligned? If that's the case, that would be a good refute of, well, the rest you can get in the ISM, you don't need this, this is what we still see. Or if they turn around and go, no, we've updated it and you're right that the threats are now focusing more in that information and access plane, like the most recent Microsoft vulnerability where they got compromised by misconfigured permissions in a dev tenancy and all that jazz. So, as you know, identity is the boundary, and so I think it's worth them almost coming to the table and going, hey, well, we still see these ones as the main pieces, or no, the risks, the vulnerabilities that we're seeing, the attacks that we're seeing, the incidents have shifted our eight and now we've got these nine, or you know what I mean.

Jeremy Snyder: Yeah, yeah. Look, I mean, it's so hard because Essential Eight is such a catchy thing, and a lot of the time I know that cyber security programs seem overwhelming, and especially they're overwhelming to people who are new to an organization. You step into an organization for the first time, either as, let's say, an entry-level employee, somebody working as the prototypical SOC analyst kind of entry-level cyber security role, or you're just joining an organization, maybe you're coming from a smaller one to one that's a much higher profile and a bigger target. It can be really overwhelming, and if you don't have good cyber security principles in place and then you're trying to tackle a program, it's great to think about: there's eight things, it's manageable, it's a small list.

Toby Amodio: Correct.

Jeremy Snyder: Not to spend too much time on it, but a tangent from my past is I worked on cloud security for a long time, and especially with customers that I worked with in the US, there's the NIST 800-53 guidelines, and it's roughly 400-ish controls, 450 or so if I remember correctly. That's super overwhelming, and so most customers would never want to start with that unless they had an absolute requirement to do that. What did they do instead? They loved the CIS Benchmark, the Center for Internet Security. Why? Because it's like 40 controls and it's super prescriptive, and I can literally go down a checklist and think about it and literally go one by one. So I guess my question is: when you think about approaching this with new organizations that you either step into or that you're talking to for the first time, how do you counsel them? Do you say, hey, let's start with the eight? Do you say, hey, let's start with your threat model? Do you say, no, it's got to be some hybrid of the eight plus a threat model, a risk model applied to the org? How do you start that conversation?

Toby Amodio: Yeah, it's a really good point. I used to have a saying that simplicity is the key so all can see, and the Essential Eight definitely hits that, it hits the simplicity thing. I usually start with the threat lens, predominantly, when I'm in an organization, but as I mentioned before, that risk piece needs to be passed through the lens of compliance for the organization and what they have to achieve. If they are a government entity, or they want to engage with government entities in Australia, then the Essential Eight is a great starting point and it's a great kickoff. As you can see from the nature of the controls, especially, it's effectively patching applications, restricting administration privileges, application control, and then doing a number of hardening pieces, and then ensuring you can recover. So it is a pretty broad swathe of protect, detect, respond, and that's usually the language I use as well. The ISM actually has govern, protect, detect, respond. I know that the NIST Cybersecurity Framework has six at the top layer. I try to embed that kind of language as well to simplify the conversation, so that the executive can understand, really, what we're trying to achieve with each function, and break it that way. Rather than starting with a control framework, start with a narrative piece, and my preferred narrative is exec simple, and I say that as a former exec. Simple things: protect, detect, respond usually gets you across the board to articulate what you're going to try and do, and then you just focus on what the key things are you want to do in those spaces.

Jeremy Snyder: Yeah, yeah, look, that makes a ton of sense, and I think I would certainly support your overall approach towards keeping it simple, especially when you're starting off, because if you try to bite off too much at the beginning it becomes a very demoralizing exercise very, very quickly. A couple of other things I noticed from my very brief, cursory reading of the Essential Eight, mind you, is that one of the things that I found was not in there: you mentioned that proper usage of admin rights was called out well, and multi-factor authentication is called out well as well, but then least privilege as an overall identity and access management principle seemed to be lacking. And so when you think about especially data access across distributed environments, if my account has too much data access and then I get compromised through a phishing email or what have you, there's a potential risk there. I didn't see that one in there. And the other one that really struck a chord with me was that I didn't see configuration management in there, and especially, we talked a second ago about the cloud-first world that we're in, everything is software-defined and almost everything is configuration based at this point. That seems like a real miss to me.

Toby Amodio: Yeah, I don't disagree, and I do think that the restricting administration privileges should evolve into least privilege, like universal least privilege. Increasingly within the greater ISM there is a focus on zero trust, and zero trust is really geared around that least privilege, universal least privilege, assurance. So I think that increasingly that's where it will go, but you're right, it is a miss, in my opinion. But they are focusing again on the greatest threat point, which is those admin roles and what they can do in the organization. But has that kept pace with the nature of what an admin is in the modern cloud environment, and how diverse that is? Because that's the other piece that people don't realize, which is the nature of what an admin used to be, with literally like a sudo or a domain admin account; now you can daisy chain a whole heap of privileges within apps, and then all of a sudden you've got a domain administrator or enterprise administrator by proxy. But to the other piece as well that you're talking about, I think that the configuration management and hardening have a catch-all called application hardening, and I think that one, to me, is focused on the core apps that have been popped in the past, like our web browsers, our office suite, those core pieces that they've seen nation state actors focus on. But I do think that that could be expanded out to, as you know, the S3 buckets, the standard configuration layers, looking at how, in cloud, you harden the perimeter and then create a defense in depth throughout the application stack as well, to ensure that you have least privilege and hardened controls and follow things like the CIS baseline or hardening configuration guides from the providers. So I completely agree, but I also think that there are a tweak or two that are in there already that you could use to achieve that, so it'd be interesting to see if they approach that in the future.

Jeremy Snyder: Yeah, that's fair that there's tweaks, but then a follow-up question that I would always have along those lines is, to what extent do the people actually doing the implementation understand that this is a tweak of one of these guidelines, that they need to incorporate that when they're looking at application hardening, they also need to be looking at, let's say, the infrastructure that an application is running on in AWS? Because, by the way, that application can be running on an EC2 instance that has an assigned user role or an assigned IAM role that might have admin rights, right? And so it's a question of how deep the understanding and sophistication is.

Toby Amodio: Oh, 100%, the devil's in the detail. And as you mentioned, it's hard, because once you simplify things up to just eight concepts or whatever, it obfuscates the detail so far that it's not practically aligned to what the actual outcome is. And it's an intractable problem. There's a saying I used to have, which is the only thing that's important as a CISO is knowing what's important, but then the more important thing than that is the only thing that's important as a CISO is being able to then communicate what's important. And as you said, tracing that traceability down from the concept down to the actual implementation is critical, and it's hard. It gets lost a lot of the time within organizations, in the translation from concept into implementation, and that's problematic, to say the least. And as you know, the defender's dilemma is that we have to succeed every time and the attacker only has to succeed once. The challenge that I would put to you is, I used to joke that I should have got into physical security, because the locks aren't updated every three months, there isn't a monthly patch cycle for the physical locks. I know my physical security brethren, they have a hard time, don't get me wrong. But for me, with the Essential Eight, because it's getting updated quarterly as well, I'm constantly trying to chase that new bar, and so it's not having one conversation, it's having multiple conversations. I know this is a bit of a tangent, but one of my biggest challenges in my career was I came into a CISO role and I said to the security board, if you give me X amount of money I'll get you to maturity level two on the Essential Eight by next year, and I'll do these things to achieve it. I did all the things on that list to achieve it, and the target moved. So when we got there, I got to the board next year and I said, I spent all your money, I did all the things, and we're now at maturity level zero. They were not very thrilled with that outcome, and I hadn't brought them along for that journey. But it is one of the challenges of the constantly evolving nature of cyber security and our threat environment, and how do we ensure that we move from a point-in-time governance, risk and compliance model to a real-time assurance model that validates the controls on a regular basis and automates the remediation of them. Because, as you said, configurations down into the nuances of how a specific implementation of EC2 is done, we should be automating them as much as possible, both for the detection and the remediation, because otherwise we're never going to be able to achieve this. Increasingly, for me, it's how does the security governance lens work hand in glove with the security operations to not just assure them on paper but ensure that they're embedded on an ongoing basis, and that we can automate those remediations as much as possible.

Jeremy Snyder: Yeah, it's really interesting. I mean, there's a couple of points in what you said that I want to dive into. The first of which is, talking about that journey that you went on, where you had an X budget to achieve Y outcome that was on the maturity scale. That's a really interesting way to look at it, because one of the challenges that I get from a lot of people around cyber security in general, and this is across almost anything, is it's very hard to measure cyber security results. There's one measurement that really matters, which is, hey, did we get breached, right? But then it's that question that you often get, honestly, with general practitioners on the medical side: how much do you pay or reward or value your GP when you don't get sick, right? And so this model in cyber security is, it's a very thankless job 99% of the time until you have the one bad day. Hopefully it's just the one bad day a year, or whatever, year, decade, whatever the time frame that you want to measure is, where, as you said, you have to be right kind of continuously, all of the time. That is a measurable result, but it doesn't necessarily support a positive ROI on a year-by-year basis, and so it's very easy for people who make funding decisions to look at that and say, oh well, you didn't get popped, clearly you don't need any additional budget. And so there's almost an argument to be made that you need a little bit of breach in the organization to kind of justify continued investment into cyber security. I mean, I see you nodding and laughing because you must have gone through this conversation.

Toby Amodio: Nothing pads a cyber security program like a breach. But, funnily enough, this has 100% been a focus of my career, which is how do you report your improvement into the organization and then how do you show ROI on your outputs. Now, there are some tangible, specific examples I can show where we've removed costs to the organization, like removed fraud from a business lifecycle flow chain, and those are really good positive one-offs, but they're not an ongoing piece. One of the ways that we did it, and this is a big shout out to our US counterparts, is that at one of the organizations I was at we used the National Institute of Standards and Technology Cybersecurity Framework and did a CMMI assessment against it, and that gave us a score out of five for our maturity against not just the overarching cyber, but then each of the six domains under the new model. We found that was really helpful to have a conversation with our board about, if you give us 10 million it puts us up 0.1. It also gave us a mean, about the average: we worked with a Big Four partner who had done a lot of these, and it meant that we could get a, hey, government across the world is at a 3.8, so then we could go, well, we're actually at a 3.9, so our investment's probably right-sized at the moment, but if you want to go to best in breed, the best in breed is 4.1, and each increment costs X. And so we used that as a justification to go for more, and that's that maturity piece, where how do you compare with your brethren. Because I haven't found a really good, like, I know that there's some people that play in the market around a breach costs this much money, so the amount of days that we haven't caused a breach is saving you this much money, but I feel like those are just esoteric. And, unfortunately and depressingly for cyber security professionals, a lot of the stock market results have bounced back quite well after breaches, so I don't think it's actually an enduring cost to a number of the publicly listed companies. And so it's about how do you quantify the dollar value of trust, and how you report that within the context of your organization.

Jeremy Snyder: This brings up a really good point, because one of my observations, and this is me completely speaking as an outsider, so correct me on this, is in a lot of the conversations that I've been having with customers and partners here locally, one of the things that I'm hearing pretty consistently is, oh, we just had our worst year for breaches ever. There were these really big ones; we mentioned Optus, but there was Medibank and Latitude Financial and one or two others that are not coming to mind. And I haven't deeply researched the Australia/New Zealand market, or Australia in particular on a country basis, to know what the rate of data breaches looks like. Look, I'll tell you from a US perspective, they're a dime a dozen, they're happening every day, and to your point, there's very little financial penalty, either from the regulators or from the financial markets. And I'd say most organizations assume, most larger US publicly traded organizations assume, that they either are or will be breached, and any kind of fines or credit monitoring, identity theft prevention to the consumer is just built into the overall model. They maybe get cyber insurance around it, etc. But one of the things I've heard is that the regulatory fines here are pretty brutal and they've been very serious, and I've heard from people that it feels very much like an overcorrection, which may or may not be viewed as a positive thing depending where you're sitting and how you feel about it and your own role in the organization. I mean, what's your reaction to all of that?

Toby Amodio: I think it's really timely. I think that your assessment, especially across the US implementation, is right on the money, and I don't think it is necessarily having a positive trend on the control posture, because I do think that there are a number of bean counters who think that they can just bean-count it away, or balance it out in the greater run. But it has been reflected in... so the Australian government recently put in securing critical infrastructure. All of the Five Eyes countries, so Australia, New Zealand, UK, Canada and USA, have very similar approaches to securing critical infrastructure; a lot of the key policies mirror, and so we're constantly changing ours in line with the US, but we've actually gone a bit more hardline. The lens on that is similar to the tax office here, which is: support the people that are trying to do the right thing and punish the ones that aren't, if that makes sense. And so if you are engaging and trying to do the right thing, then they will give you all the support to the end of the world to fix it, but if you're wilfully not engaging with it, then they've given themselves the tools and the freedom to be able to undertake actions to encourage compliance and alignment. And I think that that approach of the hug, where people are trying to get support, but then punish where people are being wilfully non-compliant, is a really good balance and is a bit more pragmatic. It's not just attacking people. Like the old saying, you wouldn't blame someone for getting punched in the pub, so I don't know why we blame people for getting breached. So this is similar: if someone's getting punched in the pub, it's only if they keep going to the same pub all the time and they wear a shirt that says "punch me" that we start going, hey, maybe you should stop doing this. But otherwise we're going to put the wraparounds in to protect them. And I know I'm stretching that analogy very wide.

Jeremy Snyder: Yeah, yeah, but look, I think the point is taken. And I don't want to get too deep into this in today's conversation, because we've got other episodes where we've been talking about the US regulatory environment recently and some of the personal liability that's coming along with it, that, to your point, is kind of putting blame towards the people who got punched in the pub, and in some instances, to stretch this analogy even further, got blindsided by a person who was sent in there by a Mafia boss to go punch somebody. Not random: punch one particular targeted person in a pub, and then that might have the knock-on effect of punching thousands of people across thousands of pubs. So I think that point is well taken, and I'm glad to see that this kind of a response is what seems to be happening. I'm curious, how much of that has been kind of correlated with consumer data protection? I'm half American, half European, I've lived on both sides of the pond for a lot of my life, in addition to some time spent in Singapore, and GDPR, as a European citizen, feels very good to me in terms of protecting my own consumer data. How much has consumer data protection factored into this conversation around either supporting organizations or assessing the scale of a fine towards an organization that does get breached?

Toby Amodio: Very strongly. And, as you may know, they've got the Office of the Australian Information Commissioner here, whose only role is to assist with data breaches and guide entities to respond and manage the data appropriately, and that has been baked into the new critical infrastructure as well. They've actually expanded, gone, look, we recognize that PII is critical, but they've also gone, it's bigger than just the PII, it's also the systems that manage that PII, or the systems that manage the delivery of services to the public, and we have to make sure that we've got the appropriate wraparounds for all of them. I think that the balance in Australia is quite good. I think some of the balance, speaking out of turn on the GDPR side, is almost security theater. I think the fact that we have to all click "show me my cookies", everyone, it is theater, it's not actually achieving anything. But I get the intent, and I also appreciate the fact that they're thinking about it. And so I think that it's that fine regulatory balance between overburdening the market but also making sure you've got the controls to support the entities, and I think that there is an okay balance here, but they're still proving it out, like the legislation in Australia is under 10 years old for like
the um CRI so for breach of information and all that jazz so it's still being proofed out in court cases and instances
and that testing of what is willful negligence I think is is still being
right leveled if that makes sense and I think in a few years when we see more of those cases come through and as the
infrastruct the legislation changes um I think that we'll have a better feel for
is it providing the right level of assurance um but the problem is as you
know the cost of entry for attackers at the moment is so low that that I
mentioned before the Defenders dilemma but it's it's not if you get breached it's when you get breached and that
comes back to the how do you detect and respond to breaches to minimize the the consequences of it yeah I mean this
point is is one of the points that I you know I bring up in almost every conversation where somebody says oh yeah
but we're not a Target and I said well you first of all everybody's a Target
and you know the the example that I like to give to people is like and I I I always mention this two things that
people you got to aware be aware of number one hackers have credit cards they may or may not be accurate credit
cards but what it does give them is it gives them access to cloud and it gives them access to you know in number two
hackers have internet connections and they they can go scan GitHub they can get every open source automation tool
you know uh Cobalt strike Metasploit all of these tools that have good legitimate
use cases for pen testing and for hardening your own applications can also be used by the other side right and so
like you couple Cloud Automation and you know in open source
and I'll tell you that everybody's a Target our own lab environment we stand up apis on a regular basis to test our
own product with them to test exploits attacks Etc every single API we put
online with just a randomly assigned IP address gets traffic within about three
to five minutes yeah every the whole internet is being scanned perpetually
constantly constantly and not just scanned by the way scan with some
intelligence yeah actively T 100% exactly because we see this Behavior
where it's like oh I got a response from random IP address 1234 let me see if
it's running WordPress let me see if it's running Drupal let me see if it's running move it file transfer software
again and again let me see if I can find secrets ials environment variables any of these things that I might use to
breach the organization or map it out or understand what's running there that's all valuable well and I've actually seen
sorry I didn't interrupt but I've seen instances instances of that where the people are running that software and
they're not even using it to compromise it themselves they're automating that basically they'll compromise your
machine every time you type in a password they're not even going to use it to breach you they're just putting it straight onto the dark web to sell
because that's how they make money they do that at scale so that they're not even one that attacks you they sell it on to someone else who attacks you
they're the initial access broker effectively yeah exactly and we had an instance in government where a member of
the Public's credentials were compromised through this method they were part of a botn net and they were
available for sale on the dark web and there we got access to this is the
credential that was broken um that was that was compromised and with that one credential which cost you about $2 us
you could have rolled over their entire life savings their super which was about $700,000 instantly cuz they're over 65
in Australia so it's like 100% And and one one funny thing about you know how people say it's what they would never
Target me working uh in my role at Parliament House I heard that same thing from everyone up the chain it wasn't no
one thinks that they're going to be targeted it's it's a one universal opinion no everyone says oh I wouldn't be targeted I'm like everyone everyone
is targeted you you are targeted by existing yeah I mentioned our lab environments one of the other things
that's happened to us at we're look we're a tiny company we're a 12 person organization spread across a few uh
different geographies yes we work with customers around the world Etc uh just
the other day I was checking my spam folder and I saw impersonation emails
with the names of my employees telling me that they needed to update their bank account information on our payroll
system you know and everybody's targeted everybody is automated it is very it's
trivial to discover who works in an organization and then to catch their names and so on and put that in there so
um and just just on that before we divide the other thing that's a driver for that
is the level of poverty in some countries means that if they get one person to accidentally send them $50
once a month they've made their quota and so then sending a th emails cost them only their time and so again that's
scale sorry to interrupt but that's the perfect example of if they can get one pace to them not sent to you then
they're set for the month they can eat for the month yeah you bring up a really interesting point there that you kind of
said as in passing which is hit their quota You' got to remember that these individuals are generally part of larger
organizations that are criminal Enterprises fundamentally and that's correct you know yes there maybe nation
states aren't targeting you maybe right maybe if you work in critical infrastructure they are but maybe for me
as a small um C security company working on API security software maybe nation
states are not targeting me but criminal Enterprises absolutely are you know we've only got a couple
more minutes but I know there were a couple of other things I really wanted to get your take on as somebody who's been doing this for a little while and
that's you know when we think about kind of this transitioning environment as we
move further and further into the cloud I tend to think of cloud as actually being better from a cyber security
perspective why because everything can be kind of programmed right everything software defined it can be interacted with over apis it's
primarily data and configurations that I'm worried about I'm kind of curious to get your lens because you know let's say
like globally there's a perception that government organizations are typically a little bit behind that curve when it comes to Cloud adoption and and you know
they may have more Legacy it than uh it infrastructure than a born in the cloud
organization like us how do you view that and then what are some of your top recommendations for organization that
they're going through a transition or struggling to manage kind of Legacy it infrastructure I I think the biggest
challenge for me is not just the Legacy it infrastructure but also the Legacy it
infrastructure Personnel because often they'll bring the same approach that they take to managing on Prem to into
the cloud if that makes sense so you have to do the people process and Technology uplift as you migrate and I
see a lot of the ways where it fails is because they're just trying to basically do what they were doing on Prem in the
cloud and as you probably know from a cloud Journey that also doesn't that doesn't cost less if you just move your
machines into IAS yeah you're you're just spending more money so you're not actually achieving the benefits of the
cloud it doesn't give you the scalability it gives you the um redundancy and and that piece but you're
not baking into your apps the scale up scales down you're not baking in the automated security controls so for me
it's about going when we move to the cloud do it with purpose and move each application um with intention one of the
approaches and an agency I used that they did like a gold silver bronze rust approach where they took a catalog of
their apps and they went gold is we move it to SAS and then then we just managed the policy um Silvers we move it to Pas
bronze we move it to aaz rust we can't move it and we're got to kill it because it's stuck so structure it and work out
your approach um there's been a number of instances recently where people have just lifted and shifted directly into
the cloud and unfortunately that shifted their problems into the cloud and your problems can go at scale in the cloud
and exposed to the internet very quickly so it's about for me the biggest the biggest fundamental piece is making sure
you have the right knowledge in the right people to do that transition and don't use the same tools you used for on
Prem to achieve your outcomes in the cloud and work really clearly to layer your controls up from the base so that
you bake in if you're doing an i or PAs implementation you understand what the the controls are for the shell and then
everyone that works within it works within their piece um and if you can build natively in a zero trust way as
you migrate to the cloud because that's the other benefit you can do which is stop the east west traffic get everyone
coming through a front door um automatically whether that's a je front door or an 8s app Gateway or whatever
partner client but if you can natively do that as part of the migration you just remove those East West Trend like
um vectors so someone can't jump into a desktop and then pivot into your environment so the two main things I
would say is don't treat it like you treat on Prem so get the get the right skills and then bake in zero trust and
identity as a as a front when you're doing it because otherwise it's you can't retrofit it this is a perfect
chance to do it properly once yeah yeah to to that point along those lines of
the second thing that you said is retrofitting is really tough I've seen organizations that made that transition exactly as you said they kind of went
the classic lift and shift they didn't change their operations model at all they got into the cloud and then they
realized really we're just using someone else's data center at this point at best we got out of Hardware management and
yes it is quite costly right at that point and you can do a little bit of like Financial optimization with
contract mechanisms and reservations and capacity commitments all fine but when
you're really trying to get let's say the benefits of the cloud and let's say the the flexibility and the eeral nature and the scale up and the scale down and
the scale out and all that good stuff you really have to change your operations model and to that point what
I've seen with organizations that kind of make the lift and shift mistake or
frankly I've I've seen they wait until the very end and it's like data center end of life or end of Colo contract and
they're like oh crap we got to get out of here let's just lift and shift what they inevitably end up doing is then
creating a new Cloud organization and they do a cloud to Cloud migration to go
from the lift and shift operations into the actual cloudy way of getting it done and look that can work but it is not
cost effective um yeah anyway correct correct and and it's always easier said
than done I understand have people have apps that are older than me running that uh that are that are that are critical
to the delivery of services so I I to I totally get it yeah and by the way those
app are probably power powering your bank account and mine and every flight reservation that we're making around the
world on a regular basis so you know some of them are pretty important so I do get that as well awesome well Toby
it's been a real pleasure I don't know if you have any closing comments you want to share with the audience but I know from my standpoint I've really
enjoyed learning about some of the uh challenges relative to the Australian Market some of the the you know come of
the guidance coming out there for anybody who for any closing thoughts or anybody who wants to get in touch where
can they find you what would you share with them uh if anyone anyone wants any help feel free to um reach me out on
LinkedIn um but for me the biggest driver is how we as a community engage
with the business and the the benefit of the essential eight and those conversations as you said is having a simplified engagement model
and that's really telling for me the biggest benefit of the essential a is the consumption from the business and the engagement on that side so think
about your narrative as a mentioned before the only thing that's important is how you articulate what's important and if you're not ahead of that
narrative as a cyber professional within your organization then you're you're not you're not going to succeed at all so
make sure you think about the people and how you sell your piece and then tie your deliverables to that that's a great
point and I think that's a great note to end today's conversation on Toby thank you so much for joining us on the modern
cyber podcast thank you for your time [Music]