All Roads Lead to SOCI: Understanding the cyber threat landscape
The following is a transcription of Episode 1 of our All Roads Lead to SOCI podcast series.
Cyber security risks are at an all-time high, and the protection of Australia’s critical infrastructure and data is an issue which impacts us all. So, whether you are a responsible entity for critical infrastructure regulated under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), part of the supply chain to critical infrastructure or just an ordinary business or consumer, well... All Roads Lead to SOCI.
To help organisations and stakeholders better understand the changes to the cyber security landscape and SOCI Act and prepare for the upcoming inaugural mandatory reporting measures for those caught by the regime, we have partnered with our long-standing client, Macquarie Technology Group, to unpack the topic.
Here, Maddocks Partner, Sonia Sharma, interviews security engineer, Hayden Mills, in Macquarie Technology Group’s Secure Operation Centre (SOC). Together they provide tangible insights into the very real cyber threats that Australian critical infrastructure comes up against every day.
Sonia Sharma: To help us provide more tangible insights into the threat that Australian infrastructure comes up against every day, we're recording this episode from inside Macquarie Technology’s Secure Operations Centre, or SOC in security speak. Now this is housed within Macquarie Technology’s Intelli Centre 3 and the data centre campus right here in Macquarie Park, Sydney. This facility is rated ASIO ‘Zone Four’, which means it's cleared to store and process data that is classified by the Federal Government. But Hayden, before we get into the nitty gritty of security, I just want to ask you one question. What was it that drove you to be a security specialist in the first place?
Hayden Mills: That is a funny story. When I was younger, I was using one of my parents' laptops at the time and accidentally downloaded a piece of malware. I had to give it back in about 30 minutes, and I had to figure out how do I not get in trouble and get rid of the malware. After that initial panic set in and I actually got rid of it, I started to think, wow, this is pretty cool. How did this all work? And then that started me down my journey in cyber security.
Sonia Sharma: Now that's such a great story, and I love how you got into cyber security in the first place through mucking around with your parents' computer. And when we look around, it's not often that we actually get to see the people and get a sense of what cyber security actually looks and feels like. Can you describe, Hayden, what are we actually looking at here in the SOC? I had to go through a lot of security, even just to get into the building. There are human traps everywhere. There are multiple security checks to get through. There's tri-factor authentication. Can you give us a picture of what's actually going on to monitor and respond to cyber security threats when it comes to critical infrastructure assets?
Hayden Mills: Here at Macquarie, we run what's called a secure internet gateway, and this protects everything related to the internet that our agencies are using. All of these devices will start generating logs, and these logs will feed into our central correlation system, which then generates notable events, or items that are deemed to need further analyst attention. To give you a sense of the scale of that, on any particular day we'll process around 10 billion events. That's a lot of stuff to look at, and then from them, we generate about 300 notable events. Now a notable event is something an analyst needs to look at quicker, and the system has deemed it needs human intervention to verify if it's non-malicious. From here that analyst will then pick it up, investigate further and triage accordingly.
Sonia Sharma: Now, you just mentioned human power. Give me a sense of the size and scale of the human power that we're dealing with here in the SOC. How many staff do you have working at the SOC at any one time? As you walk through, I saw a number of people, you know, monitoring screens – give me a sense of how many staff that you've got here, working at any one time.
Hayden Mills: To give you a sense of the size and scale of our engineers here at Macquarie, throughout the business, we have over 200 security fleet engineers. These are vetted to negative vetting ‘Level One’, which is a secret classification. So to even get access to these rooms, you need to have the security clearance and to touch the systems you need that security clearance.
Sonia Sharma: Now, you mentioned earlier that you got into cyber security through downloading that mobile malware on your parents' computer when you were younger. What type of people are attracted to security? You went through the graduate program here at Macquarie Technology; give me a sense of the people who are sitting behind those screens and monitoring those cyber security threats that are happening right now.
Hayden Mills: I think work in cyber security generally attracts people that are curious by nature. They want to unpack things and understand the inner workings of how things work, and they also have a restorative nature about themselves. So they like fixing things as well. That kind of plays into other computer science students as well. We see a lot of graduates throughout different degrees choosing a career in cyber. That could be from a degree in Information Technology, a degree in Computer Science, or even now these days, universities are offering a Bachelor in Cyber Security as well, and that’s seeing a lot of these new graduates come through.
Sonia Sharma: And it's such an important issue, isn't it, because we've got this massive skills shortage in Australia when it comes to cyber security. Seeing these people come through that graduate program is actually so important; we need to be fostering that next generation. And of course, security doesn't sleep. It's not a nine-to-five job. It's not a nine-to-five operation. How do you go about managing 24/7 security operations? What goes into running the SOC 24/7?
Hayden Mills: Our analysts work on three different shifts, so the morning shift, an evening shift and an overnight shift. Of course, our senior engineers don't work 24/7, because humans do have to sleep. However, there's proper escalation paths in place. So if someone on the overnight shift cannot solve a security incident, they have channels to go through to raise the incident and get someone on a call very quickly.
Sonia Sharma: Yeah, it's really interesting, isn't it? Cyber security is not 24/7. You always seem to get that call on a Friday. We call it Forensic Friday for a reason. It's always a Friday before a public holiday.
With cyber security, we often focus so much on the tech, so much on the technology. But what I want to focus on for a moment is the people, and the Federal Government has emphasised this. As a country, we have this massive skills shortage of people, and people are so key to cyber security.
I know that Macquarie Technology has built its reputation on delivering an industry leading customer service. Tell me more about the people in the SOC. I want to know more about them. They've come through your graduate program, and these people are working to protect your critical infrastructure assets. What is it that Macquarie Technology look for when it's hiring a cyber security professional, such as yourself?
Hayden Mills: What I think Macquarie Technology Group has done really well, in terms of their branding, is its people are actually part of the brand as well. So the reason we get a really good industry rate on NPS score and customer satisfaction is because they heavily invest in their employees as well. So I came through on the Macquarie Graduate Program, and in some cases, that can run up to 10 years. So what we do is we address the skill shortage – we can't find cyber professionals out there, so we train up Australia's local workforce and then bolster our defences. What this looks like is you'll come in fresh out of Uni as a graduate, and every six months, you'll receive funding to acquire an industry certification. And then this is how we train our staff over a number of years to be at the forefront of Australia's cyber defence.
Sonia Sharma: Looking into the red lines and all the monitoring that's going on here, it's super interesting. But before we get into specific details around critical infrastructure, and critical infrastructure being those sectors like defence, energy, transport, communication. Speaking with cyber security professionals as part of my work, it's a widely held belief that cyber criminals sort of view Australia as a soft target for cyber security threats. And the Australian Government has noted that too, in its 2023 report, that it receives a report of a serious cyber incident every six minutes, and that number’s gone down. I think the year before, it was every seven minutes, and before that, every eight minutes. So they're happening much more frequently, and that's just what's reported. Does Macquarie Technology hold that view that the cyber criminals have? Is Australia a soft target?
Hayden Mills: Yeah, I think good wording for that is Australia is quite an attractive target. A cyber criminal can leverage $20,000 from a local Australian business, and if you’re part of a developing country, you can live off that money for a long time. And traditionally, in Australia, smaller and medium enterprise businesses haven’t really been focusing on their cyber security. They didn't have to. They'd rather focus on serving their customers, provide customer service or sell their products, whereas now they're getting targeted by these malicious actors to extort them for their money.
Sonia Sharma: I think that's very much our observation, too. Australia's a rich country. We've got a lot of data, but historically, some sectors or industries and businesses haven't really been focused on cyber security. So we're looking at a lot of screens, and there's so much information coming through. Can you give us a sense of the numbers and potential issues that you are getting through the SOC on a daily basis? Give me a sense of the scale of potential cyber attacks that you're dealing with any given day.
Hayden Mills: We have two main sources of intelligence coming into our system. So we've got our traditional customers that are part of our internet gateway, and we've also got our SOC-as-a-service customers, where we extend our security services into their own network as well. On any one day, the SOC could be looking through about 10 billion events. These events could be anything from someone accessing a website, to one server connecting to another server within an environment. It could be me uploading a file to the internet somewhere.
And then what we have to do is write some really clever detections then from those 10 billion events and then synthesise that down to about 300 for analysts to look at, investigate further and then determine if we need to raise an incident with a customer.
Sonia Sharma: Wow. It really is such a large number. It is mind boggling. And I expect those numbers are only going to increase. Is that what you're forecasting as well?
Hayden Mills: Absolutely. So three years ago, we were dealing with 4 to 5 billion; it's doubled since then. Lots of new systems coming in, agencies growing bigger, online presences becoming bigger. It's just generating more information. And we're seeing everywhere there's information overload. You need to be clever with how you deal with it.
Sonia Sharma: We can confidently say the issue is not going away. It's basically only going to get harder to deal with, right? And it's such a complicated space because cyber security, it evolves so much faster than the law, it's hard for the law to keep up. And the Australian Government has pointed out there's another general trend that we're seeing. In its annual reporting, things such as third party risks, we're identifying that as a major threat. The decreased time that vulnerabilities are exploited, that window is now incredibly short. What are the trends that Macquarie Technology is seeing in the threat landscape, which owners and operators of critical infrastructure assets should really be aware of?
Hayden Mills: Yeah, well, the trend we're seeing is there is a huge uptick in what we like to call scanning activity. When the Australian Cyber Security Centre published that there's a decreased time between a remedy being released and that being exploited, we're seeing data to back that up. So that could be anything from a firewall patch being released that's fixing an exploit. And a lot of these attacks now don't have someone sitting on the other end of them. These are automated scans, and if they find something vulnerable, they'll exploit it automatically, and then from there, it will trigger a workflow that will then ransomware your environment. Something the key operators need to be very mindful of is what you have exposed to the internet that you don't think might be, and just knowing what you have in your environment and keeping your assets up to date, because we’re seeing huge evidence that there’s a whole lot of exploits going on.
Sonia Sharma: And those cyber criminals, they’re leveraging technology, they're automating. They're operating at a high level in the way in which they're exploiting critical infrastructure data. It's very interesting. It's no wonder that critical infrastructure assets and networks are attractive targets for malicious cyber activity, as these assets need to hold sensitive information, they maintain essential services, and often have, you know, this high level of connectivity with other organisations and other assets. A cyber incident could result in a range of impacts to critical services. If we sort of toy this out, an example might be the distribution of an electricity grid could cause an entire region to lose power. Are you able to share with me and our listeners any near misses, you know, something that you saw which you helped to mitigate? What would be the consequences if that issue wasn't caught?
Hayden Mills: So to give you a sense of our urgency, as well.
At Macquarie, we serve around 42 per cent of Federal Government requirements, so we have to get it right.
And one attack that we saw, that we were one of the first in the world to pick up, is a new type of malware called 'Angry Song'. This came in through our email gateway, and it passed the traditional security controls, and we have what's called an email sandbox. This will detonate any attachments in an email – so if I send you a PDF, it would run that PDF in a controlled environment and look at what it does and then determine if it’s malicious or not. We picked up this Excel document that had some hidden macros embedded in it. So if anyone from our customers opened it, it would actually download some malware into their environment, and who knows what could have happened after that? And so what happened was this was targeting all of our customers, so we were one of the first in the world to pick it up. We gave these indicators of compromise, so the file name and a copy of the actual malicious document, to the Australian Cyber Security Centre, and they also then found other instances of this online.
Sonia Sharma: Thank you so much, Hayden. Sitting in the SOC has been so fascinating, walking through those secure environments, those human traps, just even to get in the building in the first place. It really highlights how important security is to the data that's here, and hearing your story about how you became a security engineer, your commitment to customer service and security and the evolving threat landscape, which is just so complicated. This has all really highlighted to me the importance of what the government is trying to address with SOCI, as well as the challenges that organisations who are regulated by SOCI, and other entities as well, such as in the supply chain, are going to be facing.