Keeping the Lights On: SA Power Networks and Exabeam
In technology circles, the attempts by governments to introduce legislation to affect the internet, cybersecurity, privacy, and IT policy are laughably behind the times or hopelessly misguided. In the last couple of years, policies from the Australian government are arguably something of an exception. The re-classification of broad swathes of industry as comprising “critical infrastructure”, for instance, makes good sense to anyone aware of the power and reach of the internet’s bad actors.
Whatever your opinion of any government’s efforts to protect its people and economy, it’s undeniable that the threats are out there in a connected world. Protecting key systems from breach needs to be the focus. When successful attacks make mainstream headlines (Colonial Pipeline, SolarWinds et al.), it’s confirmation that attacks can lead to more than a mere disruption to an organisation’s operations. Real and present dangers threaten to disrupt networks of power, food, communications, and basic amenities.
Supplying electricity to over 1.7 million Australians in 900 homes and businesses in the country’s south, SA Power Networks is surely one to be categorised as “critical infrastructure.” Thankfully, it’s taking that role seriously, investing in what Lindbergh Caldeira, the company’s cybersecurity operations manager, terms a “proactive and threat-informed capability” that will help the company protect itself and the essential services it provides many customers.
Cybersecurity professionals will easily recognise many of the problems that Caldeira and his team were experiencing from an operational point of view. “SOC focus areas like log management, incident response, vulnerability management did not get the required attention. And there were security incidents that flew under the radar,” he told an audience at Spotlight21, a cybersecurity conference organised by Exabeam (available to view on demand).
In addition to the increased frequency of cyber incidents, the SA Power security team had operational difficulties knitting together the different elements of the team’s responses to track a problem’s root causes. “If it was a high severity incident, we usually put a timeline together which showed preceding events. However, that was very time consuming and required a lot of creative writing,” Lindbergh said. Additionally, every team member found they were wearing multiple hats: “In the past, we’d spend heaps of time being system resource management, troubleshooting issues, […] and [on] app updates.”
The answer was to look for a fully managed SaaS platform to reclaim and realign analysts’ time and focus better on detection and response.
SA Power Networks road-tested Exabeam’s self-learning detection and response (DR) platform in an eight-week exercise to see its capabilities firsthand, running a simulated attack during that period using pen-test tools. “Alerts triggered in one really concise, sequential timeline view,” Lindbergh reported.
During the proof-of-value period, “the data sources expanded much beyond just the Windows and Linux logs, and included network VPN detection and response logs just to name a few. This use case mapping not only gave us this holistic visibility and coverage across our data sources, but also the mapping to mitigate attack tactics, techniques and procedures.”
Exabeam’s smart system quickly builds a self-improving picture of normal user and system behaviour patterns, even using relatively limited sources taken from a cross-section of logs. From there, abnormal activity can be flagged, and a coherent, human-readable timeline of an incident can be built quickly. Armed with that timeline, even tier-one response teams can pinpoint issues and see how to ameliorate them.
SA Power Networks’ hiring policy has altered after running with Exabeam, Lindbergh said. “We are looking for recent graduates or people new to cyber as a way to build cyber skills. […] The ease of use makes the job of bringing in new analysts much easier. With some basic training they can hit the ground running.”
Having investigated the possibility of using outside agencies to fill their initial cybersecurity gaps in staffing and capability, SA Power has instead used Exabeam’s technology to alleviate some of the common problems caused by the current shortage of skilled security personnel. It’s also able to report more quickly and clearly to stakeholders in the company using the current platform of choice, Microsoft Power BI. “Incorporating our reporting into a service [stakeholders] would daily use definitely increases engagement, which we have seen evidenced from our initiatives,” Lindbergh said.
“It was a really easy decision to go with Exabeam,” Caldeira said early in the presentation that explained the company’s adherence to the Australian energy sector’s cybersecurity framework (based on the US Department of Energy’s Capability Maturity Model). With infrastructure a clear target for malicious actors, Exabeam’s detection and response SaaS helps protect businesses and people in South Australia, allowing them to continue their lives without fear of critical infrastructure shutting down due to attack.
To learn more about Exabeam, get a demo to see how the platform can extend your cybersecurity detection and response stack. There’s also an interview with two SecOps pros from the company in our very own Tech Means Business podcast right here.