Cris Bailiff: 0:00
Nobody should really be selling you an antivirus product anymore. If that’s what you’ve got as your cyber defence, you’re in big trouble. The world has moved on, so endpoint detection and response is the buzzword. That’s a fairly broad field as well, but that’s a key security control, modern cyber defence.
Michael van Rooyen: 0:18
In a world where every device is communicating, we’re no longer concerned only with connection, but protection. Welcome to Securely Connected Everything, your gateway to understanding the intertwined worlds of connectivity and security. We have a great conversation today, so stick around and we’ll jump right in. Today we’re going to be talking around managed cyber security services from Orro, and we’re joined by Cris Bailiff, the CTO for the Cyber Division. Cris, welcome, thank you. Before we start, are you able to briefly introduce yourself and your current role within Orro, and maybe describe your journey to that role?
Cris Bailiff: 1:04
Absolutely. So yeah, Cris Bailiff, I’m the CTO for the Cyber Services Division in Orro. My job really is looking after the technology platforms, the security services and products and dependencies. However, as long time IT security industry technical lead, we basically end the escalation for every other branch of the division. So I’m occasionally helped with incident response, consulting, managed services, design. So yeah, I’m happy to be asked questions on anything as long as the answer is technical.
Michael van Rooyen: 1:43
Fair enough. Fair enough, just for context for people listening or watching, the show is around. E-secure was an acquisition by Orro became part of Orro’s cyber. Obviously there was the right acquisition which forms other component of the cyber business. But just for listeners, can you just help explain the difference between the two businesses? Your E-Secure was very focused on one vertical and market and maybe talk about the other, if you can.
Cris Bailiff: 2:10
Yeah. So E-Secure pure play cyber for that entire period, slightly before I joined, was a network company that made a decision to pivot to purely cyber in about 1998 and not really offering products, offering managed services, but mostly in regulated markets. So large financials, telecom, some government, and then on joining the Orro group, basically becoming the cyber specialists. Riot has joined the Orro family from a background of a spread of services, but again the cyber division, quite a broad range of customers, very Queensland based, so that’s a nice fit with Sydney, melbourne based and a complementary technology platforms. So we’re basically aligning and merging those operations as quickly and seamlessly as we can at the moment. So yeah, that’s been great to see some of the customers from the right side. You’ve got a few customers that have got a much larger footprint than we’ve experienced before, which has been good. I know that there’s some customers with more than 100,000 assets under management. That’s quite exciting.
Michael van Rooyen: 3:32
Yeah, yeah, I look absolutely. But what it means across the two is we have a holistic opportunity to help customers with their cyber journey and any from strategy consult to this full suite of services, and you touched on really focusing on managed services. So, from your perspective, what role does a managed security service provider fit? How does it fit, I should say, into today’s kind of cybersecurity landscape?
Cris Bailiff: 4:03
Yeah, I think a managed security services provider as opposed to a managed services provider and we’re trying to blur that distinction, I guess, within the Orro Group is very useful in terms of having access to specialist skills and knowledge. There just aren’t enough people in the cyber industry for every company to have a team of 20 cyber specialists and all those services and I think, as a managed service provider, especially in Orro’s market, those smaller and medium-sized enterprises really haven’t had the ability or the resourcing to use those specialist skills, specialist tools and services effectively without the help of a service provider.
Michael van Rooyen: 4:50
Right, right, yeah, and we struggle enough getting skills today right in the market. So really, what you’re saying is it brings a broad range of access to quite a vast set of people and skills that they can supplement. What you’re doing is some of our customers have some sort of cyber practice internally. We supplement them. In some instances, we’re covering for them as a holistic offering.
Cris Bailiff: 5:14
Yeah, absolutely. It doesn’t really matter how knowledgeable or experienced you are in the cyber industry these days, you cannot be a specialist in every area. Yes, I’ve given up trying. Have a go. But, I’ve got to accept that there are people who really know a lot more about the detail of every possible aspect. Yeah, and you want to make friends with those people or hire those people?
Michael van Rooyen: 5:38
Yes.
Cris Bailiff: 5:39
So yeah, in today’s landscape you can’t be insular and keep everything in-house, no matter how hard you try. Yeah, fair enough.
Michael van Rooyen: 5:47
And on that, what are you seeing from our point of view, MSP point of view, what are you seeing as the major cyber security trends and threats organizations should be most concerned of?
Cris Bailiff: 6:01
So a big problem is that there is a middle market who have not caught up with cyber security yet. They’re learning rapidly and there’s been a lot of recent incidents and publicity, but that demand is growing, both through incidents and risk management, but also through compliance and legislation. So obviously the regulatory environment has changed. SOCI Act has expanded into a lot more areas and people are now really at director level worrying about these things and asking the questions and preparing to spend the money. So that’s probably the biggest driver of the option of services. Yes, the issue there is you need to make sure that you’re getting value for money and getting quality services. If you go to your standard managed services provider who basically doesn’t have that security specialisation, you might be getting a product but you won’t be getting necessarily protection.
Michael van Rooyen: 7:04
Yeah, fair enough. And on that then, if you think from a customer’s point of view, so a great discussion point would be. I can do a quick search and I can find lots of people purporting to be managed security, managed services, and your point is that you really need to make sure or tease out that they have got the right level of depth of knowledge is because, if we think about the most recent large high profile breaches, are you seeing clients’ demands and concerns significantly shift over the last couple of years after some of these high profile breaches?
Cris Bailiff: 7:39
Absolutely. I think the compliance is possibly more of a stick than a carrot. We’re seeing a big increase in the demand all of a sudden for essential aid compliance. The essential aid model has been updated to now have a maturity management model, so it was just a list of eight things you do. Now there’s a maturity level for each of those eight things, basically one, two or three, and people are asking for better than level one, so that’s basically a measurable yardstick. Eight things is not too many to target. We have obviously the CSC 18 for larger organisations and we have the ASD top four, which is a nice start but it’s not very ambitious. But that, yes, the essential aid is now a buzzword. People are coming and asking specifically for compliance with those controls and more than the basic maturity level, which is interesting, it’s probably important to point out.
Cris Bailiff: 8:41
No matter the organisation, the size of the organisation, your security services provider can only operate with your cooperation. So we have the joint responsibility model. You can outsource the controls and the assessments and the operations, but the organisation still has to own the risk and understand what it is they want to achieve. We do see some organisations less mature who believe that they have purchased security and everything is going to be okay, and it’s very difficult sometimes for them to really understand where they have their own level of responsibility and it’s got to be a partnership with your security services provider. You cannot throw it over the fence. It needs to be a two-way, ongoing communication.
Michael van Rooyen: 9:30
So it’s a collaborative journey, right? People need to understand the right. It’s not just I’m now engaging you to deliver a service, which is obviously important, and we have SLAs and all that sort of, but it really is that collaborative journey together. So I guess you keep a key message there. So did you see there was no doubt a lot of customer requests around their posture, their health post. Some of these large incidents and no doubt we’ll still see a few more over time Is it the bell curve where people get really worried and they reach out and say can we double check? Everything’s good and now that’s trickled off again, anything but there’s been no more breaches or anything. It’s taken consistent because it’s always in the back of the mind.
Cris Bailiff: 10:11
I don’t think it’s a bell curve. There’s always something to kick it along a little bit I don’t think people have relaxed.
Cris Bailiff: 10:17
I think I would agree if you’re suggesting there’s a bit of fear, uncertainty and doubt used in marketing. Absolutely Anybody who’s selling you on a horror story probably treat with some care. But if you’re having a long-term two-way relationship with your service provider, you’re both adapting to the changing landscape. You’re hoping to be ahead of the curve. There are new attack types, new threats, basically daily. Only some of them make the headlines and I think that’s partly almost just fatigue. There are so many crypto locker data breach stories that they don’t make page one anymore, In the sock.
Cris Bailiff: 11:06
we hear about them almost daily. But we actually lead to then look into exactly what occurred. Are those controls that would have stopped it in place at existing customers? But you can’t rely just on the stories in the newspaper anymore.
Michael van Rooyen: 11:20
Yes.
Cris Bailiff: 11:21
Yes, you know so many that we fed up hearing about them. Yes, I think it’s interesting that the Medibank breach that was a lot of very sensitive, very personal information. Yes, and it was, you know, breached, and Medibank did, definitely, my opinion, the right thing to not not even consider paying the ransom, and that’s you know, led to legislative changes and there’ll be further ones, I’m sure. I think people realise the world didn’t end that. We dealt with that threat. Yes, that’s probably a worst-case scenario until in terms of data breach as opposed to IoT and systems, and I think that that’s probably a useful calibration point, as that was terrible. But the world carried on?
Michael van Rooyen: 12:14
Yeah, sure, and for those people listening, you mentioned the SOC and it’s you know. Obviously you live in a completely different world to most people. Your whole life is around and the analysts that work with us are dealing with these instances all the time. It’s an interesting point. You touch on, You’re hearing about them every day and for people you know, the SOC is a security operations centre where all these analysts live and they share and collaborate on. You know the customers who are dealing with this pain. We know that that landscape has become more competitive. We know that more and more customers partners are talking to, more and more service providers who are trying to build this capability, and we’ve got a long heritage. But I’m curious from your perspective as CTO of the cyber practice theories. You know what are we doing as an organisation to ensure we’re remaining at the forefront? You know of cybersecurity solutions defences. It’s a never-ending game, right?
Cris Bailiff: 13:06
Absolutely. There’s a mixture of drivers for the technology that we use. The first one is it effective? Is that technology working? Nobody should really be selling you an antivirus product anymore. If that’s what you’ve got as your cyber defence, you’re in big trouble. The world has moved on. So end point detection and response is the buzzword. That’s a fairly broad field as well, but that’s a key security control, modern cyber defence you have to have a working EDR and it’s a technology and a services problem. People process technology.
Michael van Rooyen: 13:42
So, with that consideration and what you’ve just touched on there, what challenges are we facing when we have to protect, you know, multiple customers? We do have a varied range, you know, with different infrastructure needs. Is that in process? What’s it? How do you handle it?
Cris Bailiff: 13:56
Partly, yeah, having consistent process, no matter what the technology, fitting all the technologies into a streamlined workflow so that everything gets looked at and meets the SLA and is investigated properly. The big challenge is really scaling in a situation where you have we call them, used to call them false positives. It’s a certain term I really dislike, but if you know, 5% of your alerts are false positives, let’s be real, 50% of your alerts are false positives. That is a serious drain as you start to double, triple, raise your number of alerts by an order of magnitude. It’s wasted effort, it’s draining.
Cris Bailiff: 14:36
Alert fatigue is a biggest problem in SOC staff retention. It’s very hard to keep people motivated when what they see is basically noise and they’re just investigating the same thing. So that’s our number one priority in SOC technology development is streamlining the workflow and aggressively tuning. We call them inactionable alerts. We distinguish that from false positive. It may be perfectly accurate from the technology side, but it’s something that’s actually normal for this customer. You can tell an immature MSP in this space in that what they do is send you a never-ending stream of the same alert which you’ve already said is inaccurate or is normal or is acceptable in our scenario and they’re unable to tune that because the rule is applied globally.
Cris Bailiff: 15:29
That’s really a key focus of our engineering and technology is getting to root cause for those inactionable alerts and driving that volume down constantly. Maybe AI has got a place in that kind of thing. Looking at trends and patterns. We certainly use the machine learning and the automation to help classify those alerts as far as we can. By the nature of it, it’s those undecided cases that come to a human. If it was easy to decide, if this is a definitely a security attack, it would have been blocked in the first place. Yes, idr knows this is a definite attack. Yes, it will be blocked. Yes, we would investigate. But preventing is better than detecting.
Michael van Rooyen: 16:13
Yeah, yeah, if I have a look at the time you’ve been doing this ride, you’ve seen a lot of life-cycle, a lot of change from topologies and connectivity. What are you seeing in relation to threats or our customers? How are we helping them? In relation to the continuous growth of remote work, obviously off the back of COVID, IOT and cloud, is that really a different approach or really similar just to different ways where the data is stored?
Cris Bailiff: 16:44
I think it’s accelerated the understanding that the perimeter model of the network was dead and buried.
Cris Bailiff: 16:52
15, 20 years ago which has been waiting for everybody to agree.
Cris Bailiff: 16:57
So, yeah, covid, sending everyone home really accelerated that, and we did have a burst of people asking for VPNs and testing of remote access and what can we do about BYOD devices, because we couldn’t buy enough PCs for all our staff.
Cris Bailiff: 17:12
So that was sort of a good thing to push the state along. It’s got all its challenges, but I don’t think all the challenges of that in terms of people using BYO and the risks from having unpatched machines and not great networks could. I think they were there, certainly before that diaspora, and I think the approach is then more packaged and repeatable and we don’t have to argue about them as much. I think the benefits of modernising that infrastructure there so the zero trust, the attack surface reduction, getting rid of the corporate backbone is basically pretty well entrenched in anybody who has attempted to improve their security. We still have the traditional model in the traditional smaller and medium enterprises and I think it’s going to take an incident for many of them to move, unfortunately, so hopefully they’re not in our current customer base or the ones that are thinking about that migration. But yes, there will be a long tail of people with that traditional model who who aren’t going to really cope with the incident.
Michael van Rooyen: 18:29
Yes, yes. And then you know, if you think about, you know a lot of. What do you think are the emerging technology from a cyber point of your tools? You know, knowing that you look at so many tools at a time that you’re most excited about in cyber.
Cris Bailiff: 18:48
Currently I’m super keen and telling anyone who listened that you’ve got to be moving to Fido2, webalthen. It really it’s what we call fish proof. I mean nothing’s proof, of course of course.
Cris Bailiff: 19:04
But basically the basic problem of users giving away their passwords is completely solved by switching to WebAlthen. It’s very buzzword, heavy, unfortunately, but you might know it as Windows Hello Passkeys. I think Apple is using that branding. Yes, yes, ub key, google Titan key. The form factors are very variable. The technology is basically a modern refresh of the old smart card idea. You have a physical thing, be it your phone, an actual key on your key ring, the TPM chip in your laptop, and that is holding your private key, never to be revealed, and that with some strong privacy controls and some new ways of deploying and enrolling those users. That credential is really going to replace passwords. It’s called passwordless. In some implementations, Microsoft is using it as passwordless. You still have a pin it’s still multi-factor or a fingerprint or a face unlock, but there are two multi-factors, yes, but once the user doesn’t have a password, no matter how many chocolate bars you give them, they just cannot give it away, no matter what they do, so you’re really excited about that.
Michael van Rooyen: 20:12
That’s an evolution, you think yeah absolutely.
Cris Bailiff: 20:15
Yeah, great, it just solves so many well, it should be easy problems. Yes, we all do all that phishing training. Yes, and we’re relying on people to not get that wrong, and we really ought to be fixing that much more with the technology, and that’s the key. If you look again in the Accentulate maturity level three, that’s really your only option for authentication is a smart card, or a security key, as we call them now, fido.
Michael van Rooyen: 20:46
Right right.
Cris Bailiff: 20:48
So that’s where the market will have to go if they want to reach.
Michael van Rooyen: 20:50
Richard, yeah.
Cris Bailiff: 20:51
Maturity level three. So yeah, it’s great, great foundational platform, excellent.
Michael van Rooyen: 20:56
Well, I’m looking forward to seeing how that plays out and certainly I’ve been hearing about it a long time. So thanks for solidifying for those who are listening. So, wrapping up some of our conversation, I guess I’m curious to understand from your perspective, you know, where do you feel? Managed service providers and managed cyber service providers. You know heading in the kind of the next five to 10 years. It’s a long way out, but is it crystal ball from your history and where we’re going?
Cris Bailiff: 21:25
Yeah, I think the successful ones will be those who can establish that relationship and survive a purchase cycle. It’s not all about the lowest cost, it’s about getting an effective service that is flexible and aligns to your changing business. So hopefully we’ve got a fairly good history of doing that and we’ll continue in the future. I think the job of the MSP is to really get ahead on the technology platforms, the threats, and be informed and ahead of the curve for you on your behalf.
Cris Bailiff: 22:03
You do not want the same service in three or five years time as you did when you signed the contract. Yes, yes. If you’re getting exactly what you’ve got in your contract SLA in five years time, you probably won’t be happy with that.
Michael van Rooyen: 22:16
Right, right, right.
Cris Bailiff: 22:17
Fair enough. So definitely look to go above and beyond the minimum service level. Should I say, yes, fair enough, fair enough.
Michael van Rooyen: 22:28
And then, as a last one, if you had to leave the listeners or viewers with one key takeaway, a piece of advice regarding cyber, what would it be? I?
Cris Bailiff: 22:37
think you have to depends on where you are in an organisation and what your decision-making capability is, but I think you have to realise that it’s always a giant responsibility and that you need to put some of your own focus and effort and understanding in to getting a good result out of whatever service or product or implementation or project you’re about to take on board. Yes, so internalise some of that security decision-making and have some opinions before you embark on that journey.
Michael van Rooyen: 23:17
Yes.
Cris Bailiff: 23:18
You can’t just give it all away to someone else. It’s shared responsibility.
Michael van Rooyen: 23:23
Yeah, good point, Chris. Thanks very much for your time today. For customers or listeners who want to have a further discussion, obviously Orro dot Group is the website to go to for our services that we provide and certainly feel to reach out at any time. Again, I appreciate your time Absolutely. Thanks.
Cris Bailiff: 23:46
No worries, have a great weekend.