Summary
Craig from Cythera, an Australian MSP provider, discusses the Australian Essential Eight and the adoption of cybersecurity strategies in the Australian business community. He highlights the importance of multi-factor authentication, patching, application control, and email filtering as key components of the Essential Eight.
Craig also emphasizes the role of automation in improving cybersecurity and reducing operational risks. He shares how Cythera uses automation to streamline operations, enhance incident response, and save time. The conversation concludes with a discussion on the benefits of automation and the value of government directives like the Essential Eight.
Transcript
Ashley Smith: Welcome to the Heroes of IT podcast where we at Automox interview people who we consider to be our IT heroes. Today we are joined by Craig from an Australian MSP provider called Cythera. Welcome, Craig.
Craig Joyce: Hi Ashley.
Ashley Smith: Awesome to have you here today. Before we dive into all of our chatting points, why don't you give us a little bit of background on what Cythera does and what you do at Cythera.
Craig Joyce: Sure, so I'm one of the founders and also directors at Cythera. We're a managed security services provider with office locations in Melbourne, Sydney, Brisbane and Perth in Australia. We service about 250 customers across Australia, New Zealand and into Singapore and Hong Kong as well. As a business, our focus is around delivering turnkey solutions to customers in that small to medium enterprise space, typically the 200 to 2,000 seat range. And we cover everything from things like ISO journeys, as well as also rolling out a range of protection and also detection capabilities through our SOC. And outside of that, we also provide a range of assurance-based services to our customers. And everything we deliver is based on shore with Australian resources and we have a complete 24/7 operation located in this country.
Ashley Smith: Well, let's jump into it. Today we are going to start off talking about the Australian Essential Eight. And for those of us who aren't familiar with Australia, Craig, why don't you explain to us what the Essential Eight are?
Craig Joyce: Yeah, sure. So some time back, the Australian government through the Australian Cyber Security Centre worked with an internal Australian government entity known as the Australian Signals Directorate. So think of that as like your NSA over in the US. And they came up with a series of strategies that they thought were good for businesses to adopt to protect themselves from cyber incidents. They came up with a list of 37 strategies back then, and they then went through and they actually took out the top eight of those strategies and they created what's called the Essential Eight.
And the belief is from the government that if you deploy those eight strategies effectively, you remove a better part of 95% of your sort of risk profile from cyber incidents and threats in a traditional sort of enterprise environment. And that's been in place for some time. There's been a number of iterations over it. I think the latest one was just in October or November of last year. So it is sort of keeping pace with the changing threat landscape. But it creates a bit of a sort of a guardrail for businesses to look at how they can assess themselves against a framework where they might not actually have the capabilities to go down something like a you know a NIST or an ISO 27001 type framework to actually put some effective guard rails in for their business and to also protect their users from you know cyber threats.
Ashley Smith: Yeah, that's super interesting. How has the Australian business community reacted to that set of guardrails? I mean, is it something that many find easy to adopt? Is there, you know, some resistance met to the layout of those eight?
Craig Joyce: Yeah, I would probably consider it to be something that took off slowly, but it's actually gaining pace pretty rapidly now. For the longest time, the Australian government has been very much less inclined to actually prosecute, less inclined to fine organizations for not doing the right thing on a cyber dimension. And we've had some pretty significant breaches here over the last few years, which I think is pretty much half of the country's lost their personal data through some of these breaches at different points in time from the statistics I've seen.
That's actually put a lot more focus on what big businesses do around cyber, what they do to actually protect their businesses. But they've also made board member level executives also accountable for the investments in cyber and also the governance around those. So there's been a lot more focus placed around it. Now, the ASD Essential Eight being an Australian based framework is something we can all talk about at a domestic level when we all sort of understand the moving parts of it, which has been helpful for being able to create almost a mechanism.
Where you can actually assess how one business might compare against another in terms of their preparedness. But I think it's at the same time, there are a lot of things outside of that Essential Eight piece that we consider really important for businesses to adopt. So things like having a 24/7 monitoring operation or, you know, putting in place things like cyber awareness training for your staff, they're not inside the ASD Essential Eight. So you know, there's a little bit of conjecture amongst some of the people in the industry as to, you know, just how well shaped it is to actually deal with, you know, what are these days.
Ashley Smith: Yeah, I can imagine that would be a difficult middle ground to find of, you know, what is the bare minimum that everyone should aspire to and, okay, but what is really the gold standard in IT and IT operations and security.
Craig Joyce: Yeah.
Yeah, and there's a lot of nuance around it as well. So the Essential Eight is very Microsoft centric. So if you're running a Google shop, it's really difficult to sort of map those things across for some businesses as well.
Ashley Smith: Well, which components of the Essential Eight do you think are most important? Which are the best practices that no matter where you live, this is what you should adopt?
Craig Joyce: Yeah, sure. So I think there's some real no-brainers in there. Things like enabling multi-factor authentication for all your public facing services is, you know, an absolute no-brainer these days. Outside of that, things like patching of operating systems and patching of applications on hosts, that's something we use Automox extensively within our customer base to deliver an outcome around. And they're really, you know, becoming more and more important every day, you know, understanding where you have software deployed, understanding what kind of state that's in, what version you've got, you're exposed to and getting a full inventory of your software out there is really important. Outside of that, there are some additional controls around things like hardening of applications, standard applications, things like Java that might be on workstations, and streamlining that hardening. They're very prescriptive inside the Essential Eight around what the expectations are around that hardening.
Then another one that we're actually seeing quite a lot of customers struggling to understand how they deal with is controlling the in their environment. And that's something that is a pretty common sort of access vector or threat vector from the bad guys trying to get into customers' environments where they'll attach these things to emails. And they can actually be quite useful in terms of dropping malicious code on endpoints. So the last four I've just spoken about there, the macro controls the hardening and patching of operating systems and the patching of applications.
They're just no-brainers for us to actually deploy very quickly with Automox and we use a fairly extensive suite of Worklets to actually make sure that we're actually aligned with the various maturity levels of the ASD Essential Eight to actually make sure that we're ticking off the compliance requirements there for our customers. So when they come for an audit it's really simple for us to demonstrate they're actually doing the right thing.
Ashley Smith: I think that actually brings us to our next point really well. You've obviously been brought into so many different companies, IT units to help manage, IT, IT operations, security. Is there a piece of the Essential Eight or IT operations in general that you find that people really struggle with?
Craig Joyce: In the Essential Eight, one of the controls is around what used to be called application whitelisting, but these days it's called application control. And that's probably the most problematic one in the sense that a lot of customers don't really have a great level of control over the kinds of software they have out there and a lot of control around what applications they want to run. As well as that, there is also the potential for applications to run without actually being installed. So that could also create a threat inside their environment.
Customers are all looking at what the best tool is available to actually perform that function, whether you're using something at Windows Defender Application Control. But then once you actually start getting outside of the Microsoft ecosystem, expecting to have the same control on a Mac or a Linux device becomes more challenging as well. So that's really probably, I think, out of those eight controls, the one that we get the biggest sort of pushback and the most sticking points on. If I was a cyber insurer, I'd imagine if I had looked at the ASD Essential Eight surveys that I send out prior to actually someone insurance that would be the one with the biggest gaps.
Ashley Smith: Interesting. So would you say that that's a visibility and reporting issue?
Craig Joyce: I think it's a complex solution that hasn't been elegantly delivered by anyone in terms of a software manufacturer. We see a lot of our customers going towards more powerful EDR, next-gen AV with identity integrated solutions as opposed to down the application control path just because they head off most of those kinds of concerns, but it does so in a way that's less invasive to the end user experience.
Ashley Smith: So I'll talk to our guys and see what they can whip up on that.
Craig Joyce: Hahaha
Ashley Smith: Awesome. Well, this month at Automox, we've been talking a lot about safe and accessible automation. It's kind of our theme of the month around here. I'd like to get your take on that. In your opinion, can automation be safe?
Craig Joyce: Absolutely, and it has to be safe. But automation is in a lot of ways actually a way of actually making things safer. In the sense that if you actually take a capability, you build a playbook or build some sort of workflow and you've actually tested that, being able to deliver that each time with surety really actually drives down the risk of someone fat fingering something or miskeying something or doing something wrong when they're actually trying to perform operational works.
As an MSSP, we rely on automation very, very extensively, not just for the purposes of actually making things happen, but also for the purposes of actually helping us build triage benches for incidents, being able to actually take lots of telemetry out of different platforms all at the same time to get a single source of truth. And those kind of capabilities also allow us to actually make sure our analysts don't need to actually play swivel chair across eight different consoles at the same time. They get everything into a single source of truth. So automation is incredibly powerful and incredibly important to us.
We use a lot of the inbuilt policy-based engines and things to actually make sure that across our customers we have commonality in terms of the way patching is being deployed, it's meeting the ASD targets and those sorts of things. But outside of that, we also do have a number of small platforms we use under the hood to actually deliver our services. And we use them for a range of purposes, not only just automating complex tasks, but also at the same time streamlining operations, really looking for how we can actually reduce the cost to serve each user in each customer. And what that really gives us is the ability to actually scale our analyst team across more customers with the same level of service. It's been really interesting. We've actually put a number of controls in our SOAR platform to actually measure that optimization and the benefits we actually get out of each workflow. And we're tracking over a couple hundred thousand dollars of saved time each month, just in terms of those automation workflows. So it's very significant and it's definitely worth investing in.
Ashley Smith: Yeah, that's incredible, especially around putting it into numbers. I feel like a lot of people have a really hard time doing that and quantifying hours saved, hours spent working on something. I think automation is something that can be very overwhelming to start on and seems very time consuming at first, but definitely has power when it comes to iterations and that repetitive nature that ends up saving time.
Craig Joyce: Yeah, and we've got a sort of an ethos inside the business. If you do something three times, you gotta figure out how you can automate it. And it's really that simple, because if you think about bringing new people into the business, training them up on the way we do things, it's so much better if we can just point them into workflow and they just know what they need to execute against that. And at the same time, the level of surety we get, the ability for us to actually test it, execute it properly, the ability to roll back if need be, all that stuff's built into it. So in the event that we actually have an incident, we can move really, really rapidly within our customers' environments to contain a threat actor and to actually get them back on their feet.
Ashley Smith: That three times. That's a new rule that everyone listening to this is going to have to institute on their own environments.
Craig Joyce: It's definitely an important place. Automation for us is really key. And one of the reasons we love the Automox platform is just the ability we actually have not only inside the platform, but also via the API access we get to the platform to actually do intelligent things with it. And we've abstracted away some of your reporting console into our reporting console. There's a range of different things we've done with the platform that if you're not deep in the weeds playing with automation, looking at DevSecOps coding and those sorts of things, it might seem a little bit bewildering in the first instance, but it's actually really powerful and enabling.
Ashley Smith: Yeah, definitely. I've actually heard that a lot from different MSPs companies that act as MSPs for, you know, their children companies that have that parent child relationship. And I think that's so interesting, the amount of creativity that goes into taking a piece of the reporting dashboard and making it work for your own environment and pulling out like those salient pieces that you need to know at all times across different parts of the business.
I think that's really interesting.
Craig Joyce: Yeah, it's quite important for us. Some of the consoles we deal with might have 300 windows that you can actually pull useful information from, but it's not all consolidated in one place. The other thing is customers have their own important views. What matters to them? So we create those dashboards to actually replicate what their exec expect to be able to report upon.
Ashley Smith: Anything to reduce the amount of clicks.
Craig Joyce: Yeah, absolutely.
Ashley Smith: Awesome.
Well, for those of you who have been listening along, we are going to have our community manager, Sophia, post a discussion question in our Automox community. And for this month's podcast, it is going to be, "Do you wish that your federal government, wherever you're located, had a similar directive to the Australian Essential Eight? Why or why not?" I know we have customers all over the world, so super interesting to hear everyone chime in on that. If your country does have something similar, we'd love to hear about that. Sharing the wealth of knowledge there. And if you aren't a member of the Automox community, you can go ahead and join. It is open to all. You do not have to be an Automox customer. And you can find that at comm
I think that brings us to the end of our time together, Craig. This has been a really great conversation. I've loved hearing about Cythera, about automation, about the Essential Eight. This has been awesome, and I think a lot of listeners are going to get a lot about you from this.
Craig Joyce: Great, thanks Ashley, really appreciate being a part of this.
Takeaways
The Australian Essential Eight is a set of cybersecurity strategies developed by the Australian government to protect businesses from cyber incidents.
Key components of the Essential Eight include multi-factor authentication, patching of operating systems and applications, application control, and email filtering.
Automation plays a crucial role in improving cybersecurity by reducing operational risks and ensuring consistent and efficient execution of tasks.
Automation can save time, enhance incident response, and enable scalability in managed security services.
Government directives like the Essential Eight provide a framework for businesses to assess their cybersecurity readiness and protect against cyber threats.