AISA National Conference focused on helping members navigate the security landscape
emt Distribution exhibited at the AISA National Conference in Sydney in 2017 with Stand 20 dedicated to Thycotic and Privileged Account Management, and Stand 21 showcasing Acunetix, Flexera and local security firm Airlock Digital. The diversity of attendees and their breadth of knowledge was impressive. Most impressive was the overwhelming openness attendees had to discussing varying security topics and challenges and their eagerness to hear the experiences of their peers in the industry.
This year emt Distribution focused on the Top 4 with application whitelisting, patching (and vulnerability management) and restricting and managing privileges being core to our theme.
Cyber Security Maturity in Australia
History has shown many security initiatives have been reactionary and re-prioritisation has often been post incident. This year, the general consensus seems to be that the Australian information security culture is maturing rapidly with many organisations taking a more concerted proactive approach and broadening their measures beyond traditional gateway and endpoint defences.
The NDB scheme
The Notifiable Data Breaches scheme, coming into play in February 2018 has been received with mixed feelings among the security community. Some members believe it will have a positive impact on C and board level awareness of, and involvement in, the overall security posture of their organisations. Others are taking a more cautious attitude, believing it will take some time for Australian businesses to adjust.
Threat Mitigation and the ASD’s 37
Beyond federal government and critical infrastructure, more organisations are starting to pay attention. The vast majority of people we spoke with were aware of the ASD’s top 4, Essential 8 and the 37. As always, prioritisation, business impact and mitigation effectiveness play a major factor on the decision making process of what people choose as part of their cyber security mix. The ASD, government and commercial security community should be applauded for the work they have done in promoting the efforts the ASD have gone to bring a balanced, well researched and thought out set of mitigation strategies to the Australian public and private sectors.
Cyber Security Talent
There is no question about it. Australia has some incredible talent in this space. Speaking with the many security professionals at AISA demonstrates this. There is also no question that we don’t have enough of them. Many organisations are actively looking for people suited to security roles and coming up short. The talent is there, there’s just not enough to go around. Education institutions should be paying attention to this, whilst enterprises need to invest in the talent pool available to them.
#4 in the Top 4 – Minimise Administrative Privileges
Thycotic does this in spades. The 2017 AISA National Conference saw Thycotic back for a second year running and the wrap was unanimously positive. The main theme of the conference was collaboration, and Thycotic managed this with dozens of in depth, security oriented conversations around the landscape and threats posed by poorly managed privileged accounts.
A number of the breakout sessions and keynotes during the three day conference directly or indirectly alluded to the core security requirement of locking down privileged access, removing local and domain levels of privilege where possible, and adopting best practice around password management and rotation. In fact, one of the most talked about speeches on the anatomy of a breach ended up being in part tied back to poorly managed Active Directory credentials. The sheer interest in this case study indicates how front-of-mind Privileged Account Management (PAM) is right now.
For Thycotic, attending AISA is an equal matter of meeting new prospective customers and also raising awareness and industry recognition. A number of large government and private organisations showed very real interest as they either did not have a full PAM solution or were struggling with their current providers implementation. For Thycotic, the enterprise level feature set matched with the industry gold standard in ease-of-use and adopt-ability made for several outstanding conversations and a chance for Thycotic to demonstrate just how successful a PAM implementation can be.
#3 & #2 – Patch Operating Systems and Patch Applications
Patching shouldn’t ever be ignored. Many people visiting us on the emt/Flexera stand explained the challenges of balancing the calls from security teams to patch with operations teams day to day need to keep business running while implementing business impact projects. In many cases, application patching is done manually while server patching requires significant testing and change control process prior to roll out. Patching falls under both Security and Operations. This is where true collaboration is needed within organisations – SecOps. Besides making sure critical patches and fixes are applied within 48 hours, we need to understand what the vulnerabilities are, where they lie and just how critical they really are. What’s the real risk? Flexera Security Vulnerability Manager fits this scenario perfectly. Backed by the Secunia Research Labs, SVM allows users to reduce exposure to hacks, stay informed and most importantly, cut through the noise. It also gives operations teams set and forget ability, takes care of 3rd party patching through their existing SCCM infrastructure and gives them broad patch assessment ability. The resulting reduction in test times and verification means organisations can achieve faster patch deployment with real positive impact to business. A shout out here to all those that stopped by with an open mind to find out what is possible!
On the topic of understanding Vulnerabilities – Kudos goes to Acunetix. The sheer volume of people who visited the emt/Acunetix stand who had used, were using or want to use Acunetix Web Application Scanner with Integrated Vulnerability Management was staggering. We all know the threats posed web applications written in haste or not maintained and so the capabilities of Acunetix was high on people’s minds. Acunetix customers told us how they loved the automation, ease of use and the Acunetix APIs to automate the scanning of their most recent work. Perfect for people utilising Agile software development methodologies. A key point of interest for people was Acunetix’s ability to test vulnerabilities in the underlying technology as well. With the Equifax breach fresh on minds, Acunetix ability to test for things like Apache Struts Vulnerability was of keen interest. Acunetix had a real work out on the stand with over a dozen demonstrations given over the two days. Anyone who has worked a stand understands how hard that is to achieve.
#1 – Application Whitelisting
Why is it number 1? We’ll answer a question with a question. If it can’t execute, it can’t run, if it can’t run, what harm is it going to do?
Airlock was built ground up around the controls the ASD specify. That in and of itself, as far as this writer knows, is unique in the app whitelisting space. The fact that the creators have extensive experience in implementing controls from the ISM, writing SANS course on whitelisting and experiencing the pain it can cause, made them take stock and create an Application Whitelisting solution that wasn’t an imposing, daunting task. Being the new kid on the block, Australian, and gathering a real following in the sec space made Airlock a real attraction for attendees. Questions focused heavily on understanding how to deploy the solution and around gaining understanding into the Airlock product workflows that make application whitelisting actually work. There were also many follow up questions on how the solution handles developers and administrator groups, a traditional pain point in whitelisting solutions. Daniel Schell, co-founder of Airlock Digital didn’t have much time to relax with demos, barrages of questions and follow up appointments coming thick and fast. If there is a company and product to watch with keen interest through the remainder of 2017 and 2018, Airlock Digital is it.
Now to be clear, All the companies and product mentioned here may be trademarked by their respective owners, and in no way are we suggesting that the Australian Federal Government or ASD has any endorsement or affiliation with them. It just makes it a lot easier to pigeonhole solutions into mitigation strategies where it makes sense to do it to help out the end user community.
AISA National Conference 2017 was incredible for both members, sponsors and exhibitors. If you are not an AISA member and you work in security, you should seriously consider it.