In tech circles, government attempts to introduce legislation affecting the internet, cybersecurity, privacy and IT policy are usually seen as laughably overdue or hopelessly wrong. Over the past two years, Australian government policy has arguably been an exception. The reclassification of large swaths of the industry as “critical infrastructure,” for example, makes sense to anyone aware of the power and reach of internet bad actors.
Whatever your opinion of any government’s efforts to protect its people and economy, there is no denying that threats exist in a connected world, and protecting key systems from breaches should be top of mind. When successful attacks make headlines (Colonial Pipeline, SolarWinds et al.), they confirm that attacks can cause more than disruption to an organization’s operations: real and present dangers threaten the networks that deliver electricity, food, communications and basic amenities.
Supplying electricity to more than 1.7 million Australians in 900 homes and businesses in the south of the country, SA Power Networks is certainly part of that “critical infrastructure”. Fortunately, it takes that role seriously, investing in what Lindbergh Caldeira, the company’s head of cybersecurity operations, calls a “proactive, plan-informed capability” that will help the company protect itself and the essential services it provides to many customers.
Cybersecurity professionals will readily recognize many of the operational issues that Caldeira and his team encountered. “SOC focus areas such as log management, incident response, and vulnerability management have not received due attention. And there have been security incidents that have flown under the radar,” he told Spotlight21, a cybersecurity conference organized by Exabeam (available on demand here).
In addition to the increased frequency of cyber incidents, SA Power’s security team faced operational challenges in assembling the various elements of its response in order to trace the root cause of an issue. “If it was a high-severity incident, we usually put together a timeline showing the previous events. However, that was very time-consuming and required a lot of creative writing,” Caldeira said. The team also realized that it wore many hats: “In the past, we spent a lot of time managing system resources, fixing problems, […] and [on] app updates.”
The answer was to seek a fully managed SaaS platform that would recoup and realign analysts’ time so they could focus more on detection and response.
SA Power Networks tested Exabeam’s self-learning DR platform over an eight-week exercise to see its capabilities firsthand, executing a simulated attack during that time using penetration-testing tools. “Alerts triggered in a very concise sequential timeline view,” Caldeira reported.
During the proof-of-value period, “data sources have expanded far beyond just Windows and Linux logs, and have included network VPN detection and response logs to name a few. This use case mapping not only gave us this holistic visibility and coverage into our data sources, but also the mapping to mitigate attack tactics, techniques, and procedures.”
Exabeam’s intelligent system quickly builds a self-improving picture of normal user and system behavior patterns, even from relatively limited sources drawn from sample logs. From that baseline, anomalous activity can be flagged and a consistent, readable timeline of an incident established quickly. Armed with that timeline, even first-level response teams can identify problems and see how to address them.
SA Power Networks’ hiring policy changed after working with Exabeam, Caldeira said. “We are looking for recent graduates or people new to cyber to develop their cyber skills. […] The ease of use makes it much easier to hire new analysts. With basic training, they can be immediately operational.”
After investigating the possibility of using outside agencies to fill its initial gaps in cybersecurity personnel and capabilities, SA Power instead used Exabeam’s technology to alleviate some of the common problems caused by the current shortage of qualified security staff. The team is also able to report faster and more clearly to business stakeholders through the company’s current reporting platform of choice, Microsoft Power BI. “Integrating our reporting into a service [stakeholders] daily use definitely increases engagement, which we’ve seen in our initiatives,” Caldeira said.
“The decision to go with Exabeam was very easy,” Caldeira said at the start of the presentation, explaining the company’s adherence to Australia’s energy sector cybersecurity framework (based on the US Department of Energy’s cybersecurity capability maturity model). With infrastructure a clear target for malicious actors, Exabeam’s detection and response SaaS helps protect businesses and people in South Australia, allowing them to continue with their lives without fear that critical infrastructure will be brought to a halt by an attack.
Learn more about Exabeam, or get a demo to see how the platform can extend your cybersecurity detection and response stack. There is also an interview with two of the company’s SecOps pros in our own Tech Means Business podcast here.