Trent: Thanks for joining us Dave
David: Thankyou Trent
Trent: Good to see you
David: Glad to be here mate
Trent: I’ve got a question for you it’s from the news recently and it’s about a data breach in the health industry in Victoria. So what happened is pretty much there was a data breach in Victorian hospitals, well some Victorian hospitals and computers were down, they had to go back to pen and paper systems and some surgeries were cancelled and things like that. So it’s really impacted people’s lives from that perspective.
Now two years ago, the same thing happened on a much larger scale in the UK my question is really how is this still happening why hasn’t something been introduced to stop this
David: Actually it’s not just in hospitals we’re also hearing stories from major retailers experiencing this situation. It’s almost like week after week we’re hearing stories of cyber breach. Particularly in the case of the hospitals I think the problem is not in their security perimeter controls, I’m pretty confident they would invest in the best firewalls, the best web security, email security in the industry.
I’m pretty confident of that. So where I think the breach is occurring is not having enough systems in place to detect a breach that bypasses the perimeter control. I think that is where they have fallen short.
So what we’ve seen in that system is there are solutions in place that actually are detecting breaches that bypass perimeter control and these systems are SIEM based products or an appliance based product where they’re just getting a lot of alerts and where we find the problem with those current systems is that a lot of these are coming through and it takes a lot of time to actually go through them and sometimes an alert is difficult to decipher there’s lack of skillset so you’ve got this volume of noise cutting through and finding the real alert is like finding a needle in a haystack. So the system in place right now is actually creating a whole new problem, this noise and finding that needle is the new threat.
Trent: So what’s the answer if there’s so many alerts coming through, how do you automate that or have something in place so you’re receiving validated.
David: So there’s actually a few components to that, there’s probably four. The first one is the disproportionate spending around security there is a lot invested around that prevention, perimeter protection. But when it comes to spending on detecting a breach that bypasses all that perimeter protection it’s actually quite small and we think that the spending needs to be equal amounts. You spend as much on Prevention as well as detecting and response that needs to be invested.
Number two is the solution that you have in place not about a logging system. We disagree with that. The system needs to be able to detect and stop threats that it can act on. So it needs to be able to stop threats, so that’s number two.
Number three is where we feel is the most important in a way. We believe that a system needs to give you a validated breach, so what that means is that when you get a validated breach it means that something is happening now. You don’t need to research on it, it’s real and you need to do some meaningful action. As opposed to giving an alert and you trying to figure out is that real or not. We believe that the system needs to be a validated breach approach.
Number four is having a strong reporting system so the reporting system needs to have very good forensics that can actually detect how the attacker got in, how long they are there for, how they got around, what they stole and what backdoors that were established. So that forensics will be able to give the IT security team meaningful information to do something about it.
So those are the four things that the system needs to be in place as a post breach detection response solution.
Trent: With number three that you were talking about, which is receiving validated responses, how does a system do that. SIEM is just sending you alerts, but what’s different and how is it differentiating between a validated alert and just an alert.
David: So the solution that has in place right now is all about that border protection. So the solution in place is actually a sensor that’s sitting inside your network, taking a very offensive approach baiting and capturing an attack that’s taking place. So the solution is more about insider network, looking at traffic inside your network rather than trying to filter traffic outside.
So that’s the breach detection component, if we’re detecting something that’s managed to bypass perimeter protection and the sensor is looking at all the traffic that’s managed to come inside and that’s where I think the gap is. I think the problem with the breach that has happened recently with the hospitals I think is not having something strong enough to detect something inside the network and that’s what I think the problem is.
Trent: I think that’s my answer, so it’s really that traditionally perimeter protection has been where everyone is focusing their effort , but that’s outdated. We now realise that there’s nothing that’s foolproof. There’s something that’s going to get past your perimeter no matter what’s in place. So now we need to focus our effort on detection and response.
David: I think that if we are focussing on not just perimeter protection, which is very important, we need to focus on making sure that what’s in place when detecting a breach is effective, it’s not giving false positives and is giving something meaningful to act upon. I think if we got that right that would prevent what happened recently at the hospitals.
Trent: Well you’ve answered my question, thanks for answering that Dave.
David: Thankyou Trent.