Last year, the cyber team at AMP, a financial services company in Australia and New Zealand, took a “fairly audacious target” to the board: bring down the number of cyber security vulnerabilities across the company by ten to 15 per cent every month.
But, as is the case across industry, the ever rising number and scope of vulnerabilities the security team was facing could not be met with a proportionate increase in funding.
“There’s no way we could…go back to our executive board and ask for an exponential increase in the funding for cyber, it’s just not going to happen. Throwing bodies at it just isn’t the answer anymore,” explained CTO Chris Bell at AMP's Amplify technology event in Sydney last week.
“So we’ve taken a different perspective.”
Instead, AMP has got smarter in the way it deals with security threats: leveraging automation and advanced analytics, hiring a data scientist to its cyber function, introducing gamification concepts to tackling vulnerabilities and ramping up its employee education programme.
Last year, AMP rolled out a user behavior intelligence platform by DTEX, a company founded in Adelaide.
The platform combines lightweight visibility with analytics to detect insider threats, based on a user’s normal behavior. AMP integrated it with ServiceNow so that a ticket is automatically raised to the cyber security team when a policy breach occurs.
“It cuts down the time between when an issue occurs and actually being able to action it from days to hours, hours to minutes,” AMP’s head of cyber security Rahn Wakeley said.
“We’ve had a lot of success gaining insights into things that would otherwise go undetected by antivirus and firewalls and all that, just based on behaviour,” he added.
A Qualys-based system for scanning and vulnerability management has also been integrated into ServiceNow giving similar benefits, Wakeley said.
“Given the size and scope of attacks that are happening, [it’s about] how do you better leverage some of the tooling we’ve already got and start to use things like machine learning and advanced analytics to better predict some the issues we’re having and better respond to cyber attacks,” Bell added.
Earlier this year, AMP hired a data scientist to its cyber security team, the first among them not to come from a computer science discipline but rather a hard mathematics background.
“Her job is helping us understand why these vulnerabilities exist, using data science, using performance analytics, hardcore maths, algorithms and so. To work out what is the best possible strategy to reduce a vulnerability, per portfolio and at the aggregate level,” says Wakeley. “We don’t have necessarily the deep pockets that some of the big banks have. So for us it’s about an unrelenting focus on the basics.”
The data scientist – “the rate at which she’s picked up cyber has blown me away,” adds Wakeley – also produces regular dashboards for the IT teams.
“It says to them – what are their servers, what are their vulnerabilities, how are they going with their peers, who else has already fixed this vulnerability, what did they do,” Wakeley says.
The process – which adds an element of ‘gamification’ to the work – allows the IT function to reduce the amount of unnecessary repeat testing of fixes, Wakeley explained.
“If we’ve done it so many times before maybe we don’t need to put it through two weeks of post verification testing – that compresses the time and saves us money,” he said.
There has also been a significant investment in building cyber awareness among AMP’s employees and clients.
“With the increasing sophistication of attacks, and the humanistic element. You still need eyes on glass and people to be across those things,” Bell said.
The cyber security team runs regular ‘lunch and learns’, which are optional sessions for employees to learn about information security. A recent lunch on keeping children protected online was a full house.
There are also mock phishing campaigns, based on recent examples and a reach out programme for the ‘perpetual clickers’.
Despite the significant progress, Wakeley says that with cyber security, the work is never over.
“One of our big focus areas this year is to drive down vulnerabilities. That number [of vulnerabilities] is going up by 11 per cent month on month. So just to stay still you have to be patching at a rate of ten per cent," he said.
"Just to keep still, we actually have to work a lot harder."