TAFE Queensland is a large, diverse and geographically dispersed organisation with almost 4,000 staff and around 125,000 students each year working from more than 60 campus locations throughout Queensland, from Thursday Island in the North, to Coolangatta in the South East, and as far west as Mount Isa. It prides itself on delivering vocational education and training that changes people’s lives.
Director of Cyber Security, Neil Sullivan, is tasked with lifting TAFE’s cyber security posture.
It’s a massive challenge for any large organisation – particularly for tertiary education, where any prolonged downtime caused by a security breach could be devastating.
Sullivan says ransomware is one of the major concerns. It’s the same for most organisations; Microsoft’s most recent Digital Defense Report – the result of analysis of more than 8 trillion daily signals – reveals that in some cases, cybercriminals have been able to transition from gaining entry to ransoming an entire organisational network in 45 minutes.
Before Sullivan joined TAFE Queensland almost two years ago, the training provider relied on third-party cyber security providers to alert it to problems or incidents – in most cases after the event, and with minimal capability to investigate or respond appropriately. Sullivan immediately looked to implement a more proactive approach.
While user education is important, Sullivan notes that many attacks are now sophisticated enough that general user awareness about cyber risks won’t deliver sufficient protection. “Security has evolved into an accepted position where (you know) incidents are going to happen – but how prepared are you to defend against them when it happens, find out what went wrong and deal with it?” he says.
With that front of mind, Sullivan undertook a review of the existing security and technology landscape at TAFE Queensland and developed a risk-based security management strategy, with enhancements across technology, governance, policy and process, that won Executive- and Board-level support.
Microsoft caught up with Sullivan to learn more.
Microsoft (MS): Can you outline the challenge you faced?
Neil Sullivan (NS): I’ve been in the industry a fair while and have seen the development of SIEM (security information and event management) solutions. If you don’t get it right, it can be a costly exercise. I have witnessed heavy network-inspection-type security solutions, but I’m not convinced that’s the right way to go about things, as you are very much looking for that elusive needle in a haystack. It’s got a place, but the future of security is identity-based and using identities to gain context around interactions with applications and the wider environment, and leveraging automation where possible to provide that rapid response capability.
With such pervasive network encryption these days, we need to know who the person is and what they are doing inside these applications when they are accessing them – it’s no longer acceptable for these to be black holes.
I was looking for a different approach to ‘let’s sniff every packet on the network and store it forever’. I wanted to go down a more intelligent path than that.
MS: You have an A5 Licence for Microsoft 365 and have deployed Sentinel?
NS: I wanted a highly automatable solution so that tasks that have previously taken two weeks to execute are now done in seconds. In the past, if someone reported a phishing email – that would typically go to the service provider who would forward it onto their security team, who would then analyse it and make a recommendation back to the messaging team who would put a block in place for an event that happened two weeks ago.
These are fleeting things – the horse has already bolted, and we needed a timelier response to triage the incident. Now with the automation we have in place in Sentinel, we receive that same phishing email, it gets analysed, tagged, creates a service ticket, executes the change, closes the ticket and it’s done in under a minute. This lets us free up our analysts for higher value add activities, such as threat hunting.
One aspect we have developed that I really like is how we have integrated Teams into the solution, so that any member of our team can invoke routine changes such as a website block simply by asking Sentinel to do it via plain English in a Teams chat. This automation ensures technical controls are implemented consistently, no matter who does it, and removes that technical barrier.
MS: This security upgrade all happened while the pandemic was raging?
NS: Shifting TAFE Queensland’s workforce to home was a moving feast – but the pandemic played in our favour a bit. Many organisations are quite hesitant about change, but change was forced on people during the pandemic and it afforded us the opportunity to implement new technologies faster. We implemented Always On VPN (virtual private network) and rapidly deployed that, as well as rolling out MFA (Multi-Factor Authentication), which were both fantastic from a security point of view. As humans, we all have a tendency to be scared of change at times, but I think we sometimes underestimate people’s ability to embrace it, and in our case our staff were really great at that.
MS: You’ve also built an internal cyber security team?
NS: The key to a lot of this is the right people. I was very clear on the type of people I wanted in the team. I didn’t want old school analysts who have grown up managing firewalls – a modern analyst is a programmer and that’s what I’ve got. Sentinel operates on Kusto, the query language used throughout Azure – and I needed analysts who could natively jump in and be productive quickly.
In parallel with this, we rolled out Windows Defender with ATP – that’s where a lot of telemetry was coming from, and started really leveraging other technologies in the stack, such as Cloud App Security and Exchange Online Protection, as well as integrating third party products.
MS: What about organisational governance?
NS: TAFE Queensland has a cyber security steering committee at the executive level that meets quarterly and helps support the program delivery. We have been able to demonstrate to them a significant increase in our situational awareness of the environment, as well as a demonstrated reduction in the number of incidents occurring since we deployed Defender along with other controls and improvements, leveraging Sentinel to give us that high level visibility. This reduction allows us to clearly show return on investment.
MS: How do you feel you’ve improved your security posture overall?
NS: We can influence our own destiny now – in the past, either your vendor does it for you or doesn’t. Now with an EDR (endpoint detection and response) solution on the endpoints we have a lot more capability to tailor the defences and get the telemetry back so we can see the impact very quickly. Having Sentinel in place also allows us to bring in multiple threat feeds (both open source and private), allowing us to block a range of IOCs (Indicators of Compromise) automatically before malicious actors have the chance to attempt the attacks on our environment. Suppose we were the first target, or none of our intelligence partners detected the IOCs at the time of attack. In that case, Sentinel can alert us with its lookback functionality, giving us a promising starting point for investigation and all the information we will need to assess scope and reduce impact.
One aspect that I hadn’t really expected through the Defender and Sentinel pairing to be so useful is the transparency we now get across the fleet, such as operating system and security patch status, application inventory and vulnerabilities, misconfigurations, etc. This all allows us to have independent, data-driven conversations with our various vendors and suppliers.
When you are doing security right, it begins to be an enabler. We’re at the point now where we have to say ‘this is how we do things and this is where you can access data’, but as our wider security program progresses and the environment matures further, and we add Azure Information Protection and a data loss protection solution, we can start getting more relaxed.
We’re ring-fencing the data a little bit now – I’d like to say ‘sure, access your data from anywhere anytime anyhow because we know the data is securing itself.’ That’s the next big leap for us.
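The indicator matching with lookback that Sullivan describes above (feeding threat intelligence into Sentinel, blocking IOCs as they arrive, and still being alerted when an indicator turns out to match activity that happened before the feed knew about it), as an added example that is not TAFE Queensland's or Microsoft's own analytics rule: a Kusto query over the standard Sentinel ThreatIntelligenceIndicator table and the Defender for Endpoint DeviceNetworkEvents table. The two window lengths are illustrative choices, and how far the lookback can reach is bounded by the workspace's log retention.

```kql
// Added example (not TAFE Queensland's or Microsoft's own rule): match IP
// indicators from the threat feeds ingested into Sentinel against Defender for
// Endpoint network telemetry. Both tables and their columns are the standard
// Microsoft Sentinel schema; the two window lengths are illustrative choices.
let ioc_lookBack = 14d;   // accept indicators received in the last 14 days
let dt_lookBack  = 14d;   // search 14 days of endpoint telemetry (bounded by workspace retention)
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
// feeds re-send indicators; keep only the latest version of each one
| summarize arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
// normalise the three possible IP fields into one key for the join
| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP)
| join kind=innerunique (
    DeviceNetworkEvents
    | where TimeGenerated >= ago(dt_lookBack)
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
    | where isnotempty(RemoteIP)
    | extend Event_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.RemoteIP
// The lookback case: the connection happened before the indicator existed,
// so an automated block could not have stopped it and the device needs
// investigation rather than just a blocked attempt in the log.
| extend IndicatorArrivedAfterEvent = TimeGenerated > Event_TimeGenerated
| project Event_TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessAccountName,
          TI_ipEntity, ConfidenceScore, ThreatType, Description, IndicatorArrivedAfterEvent
| order by Event_TimeGenerated desc
```

Run it ad hoc in the Logs blade, or save it as a scheduled analytics rule that runs hourly with the same 14-day query window, so an indicator that lands after the fact is still checked against two weeks of connections. Rows where IndicatorArrivedAfterEvent is true are the situation Sullivan describes: the block could not have fired, so the device is an investigation lead. Matching on IP alone produces false positives on shared hosting and CDN ranges; filter on ConfidenceScore or ThreatType before wiring the result into an automated block.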