The growing professionalization of cyber crime and what you can do

Webinar  |  On-demand  |  48min

 

Are you prepared for the Cyber Storm?

Join our security consultant, Jack Fowler from Harris Federation and Stephen Robinson from the WithSecure intelligence team, as they delve into the critical topic of avoiding the cyber attack wave.

In this webinar, we explore the evolution of cybercrime techniques and how these threats have adapted. We discuss how these changes impact organizations and the crucial ways we can protect ourselves against such attacks.

  • How Harris Federation changed its defensive posture in the face of Initial Access Broker-enabled attacks
  • Recent changes to criminal markets and the behavior of nation state actors
  • The latest developments in Crime as a Service
  • The long-term impact of the fall of Conti Withstand

Get first-hand insights from the experts as they share their experiences and strategies. Learn about the importance of a robust cybersecurity infrastructure and the role of incident response and threat intelligence in safeguarding your operations.

Don't miss this essential conversation on enhancing security resilience in the face of the ever-evolving cybercrime landscape. 

Hello, welcome, thank you very much for joining us. My name is katieans, I'm a security consultant within our attack surface management team, but more importantly I am joined by Jack Fowler from Harris Federation. Jack, for anyone that doesn't already know you on the call, please give us a little intro about yourself.

Hi, yeah, so Jack Fowler, Harris Federation. I've been there for a year now, previously at the Open University for eight years. At the Harris Federation I lead on cyber and information security. We're a brand new team, so we're growing quite quickly, first security team at the Federation, but we support over 40,000 students, almost one in every 52 students in London go to one of our schools, 6,000 staff, so we're a pretty big organization and growing at pace.

Amazing, thanks Jack. We've also got Stephen Robinson here from our threat intelligence team. Please can you give us a quick intro?

Uh, yeah, so I'm Stephen Robinson, I'm a senior threat intelligence analyst in our threat intelligence team, and so what my job is is to really keep my eyes on the horizon of the threats and trends that are coming along, as well as getting right in there when one of those big news stories or big cyber incidents kicks off, and just really trying to make sure that us and our customers are as informed as we can be and that we know what's going on.

Yeah, exactly, thanks very much Stephen. So it all started with selling various hacking tools online, but now as time has passed it's obviously included a lot more now and is selling a lot more online. Cyber criminals have now adapted their techniques and we're now seeing these types of service scales to include compromises, initial access and various types of attack. So in this discussion we're going to be looking at what this actually means for us, we're going to look at ways in which we can protect against these types of attack, and we're also going to be discussing ways in which one organization based in the education sector protected against these
types of attack. So jumping straight in with Stephen, how have adversaries and their behaviors changed over this time?

Well, what's really kicked this off, and kicked off this change that's occurred, is over the last few years there have been billions of dollars of profits from ransomware, and with such huge profits there for the taking these groups have been able to evolve and invest. And what they've done when they've got such a huge real-time profit is pursue efficiency, because those small percentage efficiency gains result in large real-time increases in profit. And so we have these groups who have a lot of money and they want to become more efficient and effective, and they've really emulated, whether intentionally or just, you know, naturally, they've emulated the, you know, tech ecosystem that we're aware of. So they seek to outsource and subcontract, they want services, they want to outsource those complex functions that they've got, they hire freelancers, they haven't always gig economy of freelance operators. And because they've got all this money to spend and services they want to buy, they have kind of created a demand, and service providers have sprung up. These service providers are then selling tools, access, infrastructure even, all of these things, and this then means we have a supply, and the more people they can sell to the better. So they then start advertising their services, selling these to anybody who wants them, so it then moves outside of that ransomware industry into the wider e-crime industry. And it works there because the first step for any cyber crime attacker is to gain access, to get a victim, and that's a certain set of methods and tools that they can use.

Yeah, absolutely. And Jack, how would you say this behavioral change is going to impact the education sector?

Yeah, so I think it's really interesting, I think not just the education sector but perhaps all sectors, and, you know, I'm the result where the Federation, to put
it bluntly, of quite a serious attack a couple of years ago. Um, and you know, still frequently sometimes the CEO comes down the office and says to me, right, Jack, what are you doing with your new team to stop this happening again, we're not going to get hacked again, are we? And I sort of say, well, maybe tactfully, you know, it's maybe not if but when. I think, you know, we still need to adopt that mentality. But with this changing landscape I think what it's made even more clear to me is that perhaps those more opportunistic attackers that are much easier to spot, detect and prevent from happening in the first place, and you know, the sort of things we're trying to do en masse, you know, the 95 plus percent of attacks, um, has a sort of blurred between that and the more sophisticated threat groups. Because let's be honest, right, Harris Federation, education, albeit large in size, if a dedicated threat actor with infinite resources or lots of resources wants to get in, they're going to get in. So as we see this line blur between highly sophisticated groups with lots of knowledge, lots of tooling, and your more opportunistic, amateurish attacker who now has access to this pool of resources, that threat landscape for me changes quite drastically, and that's something we've got to communicate and manage now. The tricky thing in my field, in education, is that, what does that mean for me? The whole thing becomes more complex, attack surface increases, um, but you know, how do I resource that when, you know, education is not full of money? Um, you know, we've got to make a balance between, do I invest in more security personnel or resourcing, tooling, whatever, for me and my team, or do we go buy more books or teachers for our schools? So this is something we're trying to balance up, but it's a, you know, it's a real interesting evolution, unless you're saying, you know, wherever the money is people will flock, whether that be good and security solutions or
underground in the sort of, you know, the not so, um, the not so, um, friendly areas of the web. So yeah, it's really interesting for us and we've got an interesting challenge to try and solve it.

Yeah, absolutely, and you touched on it a little bit around the blurred line that we're now seeing, and I think, thinking from a security operations perspective, it's going to be much harder for us to sort of attribute those different types of TTPs back to an actual threat group. And obviously, like, the less sophisticated types of attackers are now using the same TTPs that are coming from the ransomware groups, so, like, in terms of what sort of motivations we've got there, it's going to be much harder for us to see what type of attack we're being targeted by as well.

Yeah, it's definitely something we've observed, with actors, multiple actors, using very similar techniques for completely different end goals. And that's, you know, in the past maybe you could look at what someone was doing in the first kind of few hours on a network and have some idea, but now we could be looking at a handover between actors, you could be looking at something that's going to evolve and change quite rapidly.

Yeah, absolutely, and what do you think this means for CISOs and organizations that are looking to prevent this kind of different approaches?

Well, it's definitely going to increase the challenge, because that kind of polymorphic nature to an incident, you no longer can really rest on your laurels almost. If you have, say, a compromised email account or a compromised edge server, you might have someone who's just going to use it to send spam emails to mailing lists, or you might have someone to store files on your file server or something like this, but these days those people could then sell on that access. You could suddenly have a different actor with a different goal, and you may start getting, you know, spear phishing emails sent internally, you could have someone start to suddenly move laterally from
that server, and things can all change, so you don't necessarily know what you're dealing with. And so that challenge is to be prepared for all of those different things that may come, and the fact that these actors can be using really effective high-end tools even if their goals are not particularly high-end.

Yeah, absolutely, and Jack, what sort of advice would you give to people in a similar sort of position to yourself?

Yeah, I mean, firstly I think I would echo that the whole IR piece has become increasingly more complex, and I think, you know, if we step through the incident cycle, you know, have you truly eradicated, do you truly understand the extent of the attack, does your containment, have you really contained, you know, are you going to recover before it's safe to do so? Because, you know, if you, like you say, rest on your laurels and you think you understand the attack vector and the motive, you know, you secure it, you move on, you return to business as usual, and then two days later something else happens, you know, different threat actor using the same initial access broker, so you didn't notice it, you didn't respond to it, you didn't contain it, whatever. So it makes it more complex. Um, and for me as an organization, you know, for me with a very small internal team, albeit growing, I have to say, do I have access to those resources, I touched on it, um, when I need them? Um, you know, we can't afford in education, um, speaking personally, to go out and hire, you know, the Fri, you know, forensics, malware, I haven't got time to spend doing this, so we need trusted partners in that realm to help us, and obviously that's why we've, you know, we've leaned on WithSecure to help us do that. Um, more broadly to your question, I think it's been really interesting coming into the Harris Federation. You know, when I come into the organization, the first thing I try and do to help me understand where we are right now is look at our maturity in those sort of key pillars,
you know, identify, detect, protect, respond, recover. You know, in an ideal world, you know, I would love to invest as much as possible in that prevent piece, you know, kind of obvious to say, let's just stop these things happening in the first place, how great does that sound? Um, but I also understand that that's not, albeit, sometimes the easiest journey. That takes time. These aren't just technical controls just thrown into an organization, there's business change, you can't change too much at once, you need to consider, you know, who your customers are. I can't just go and enforce 14 character password complexity when I've got five-year-olds in primary schools, for example. So however, so there's a journey to go on, we need to invest in all these different areas, but what do I do and how do I give assurance to the rest of the C-suite and the director and the board that if something like the attack we had a couple of years ago happens again, are we going to be ready, are we going to be prepared to respond? And for me what that's meant is, how do I buy myself time, speaking plainly, to build our maturity out in those other areas whilst also having confidence and assurance that I've got safety around me and I've got that resource, at an ad hoc nature, to draw on. So you know, I appreciate there's a bit of a meaning, you come into an organization, you over-invest in that detect and respond piece, but to be honest that's kind of what I see happening and that's what I've had to do in this place to give myself comfort, to buy myself time as we go on that security journey. So that's kind of how I see it shifting, you almost need that safety net now. The difficulty, and I think maybe we'll come on to this later, is can everybody afford that luxury, in particular within education? I think I've been really lucky to come into an organization who recognizes the importance of cyber, hence bringing me in and subsequenting the team, but we've got the economies of scale, right, 52 schools. What if you're a really
small MAT with three or four schools, what if you're one school, what if you're a local council or, you know, a small medical institute or any other public or SME business, do you afford that luxury, and if so, what else can you do in that sphere, um, which would make up until later. So yeah, that's what I've done personally, and some of that has been driven by this evolution in the sort of threat landscape that we're discussing today.

Yeah, absolutely, and I think coming from my personal experience as well, from more of the attack surface management side of things, obviously this is a bit more in-depth example, but we can also look at the various types of, like, initial access that we're seeing from these types of service, which actual initial access services are being targeted for ransomware groups and things like that, making sure those services are really, like, hardened and anything that could be targeted is absolutely as secure as it could be. And obviously patching comes into that as well. We've seen so many examples recently where, like, ransomware actors have gained access through, like, unpatched systems, and like, we say over and over again, but it is actually really important, especially from an external perspective, that things are patched and, you know, we're not providing an easy way for them to get in in the first place.

Yeah, and in a way it's kind of an easy win, it's an opportunity that you kind of have from this convergence of behavior, is that if you've got a lot of people copying the same methods, the effective methods, it does mean that you know, in a way, why of your wins are going to be. And I think what you've said about detection, like, it is really key, because you've got to be able to either do that or to know where your blind spots are, so if you have an incident happening you know where to look, you know maybe where you're going to be struggling.

Yeah, really easy quick wins I think will really help. So we did
mention it previously very, very quickly, but say for example we have a smaller company, smaller than Harris Federation, where would you advise that they focus their resources, I guess, in terms of preventing these types of attack?

I think so, I think it's twofold. There's what should they do as an organization, and I'm a big believer that you've got to look out for yourself. You know, we understand that unless you're CNI, are you really going to get the help externally, ad hoc, as you need in an incident? Probably not, to be honest. So like I say, what can you do for your own organization? There is resources out there, so NCSC publish information for small organizations, you know, top five or top 10 checklist that people should work through. But then again, they need to understand that resource exists. Um, do I, I own a, you know, small coffee shop, do I understand that this is even something I need to care about? Maybe not. So there's an awareness piece the other way, to make sure people know that resource exists in the first place, you know. And then there's those other, you know, those other frameworks and standards etc., Cyber Essentials, if not Cyber Essentials Plus, or Cyber Essentials is supposed to lean people into that journey. So the resources exist, absolutely, but like I say, it takes somebody to go through them, and, you know, even if they're supposed to be user friendly, someone needs to be able to digest and interpret that and then convince the leadership in their organization that they should go on this journey. Now in education that's tricky, because they might not have a cyber team or person, they might have an IT manager or technician who works for the school who's also the facilities manager, who looks after aircon, and now all of a sudden they're going and say, right, also in our cyber security, and here's all these checklists we need to work through. But organizations small, medium, large have to go on that journey, it's where it starts, but there's an
awareness piece to sort of make them aware that these things exist in the first place now. So that's what you can do for yourself, but I also think there's probably a responsibility on partners, um, to sort of understand that, you know, education, or more widely, don't have infinite resources. Um, you know, if we think back to CyberUK, Defenders won't prosperous prosperous one, you know, what can a supplier do for an organization to make their services more attainable, whether that be WithSecure or anybody in the space? Um, you know, not price them like they're a bank, understand that, you know, we might have 500 endpoints but 400 are off for 90 of the day because students aren't using them. So there's things to be done, and you know, like, you know, if you're not in a large MAT, are there other schools in your area you can partner with to approach potentially a vendor and have that economies of scale, approach a local council, because there's other people that'll be crying out for access to these services, to buy them that peace of mind while they go on that transformative journey that I talked about. Um, but it requires people getting together, but it also requires people on the other side, you know, people providing these services, to be mindful of the constraints. I think that's a really important, um, two-way conversation that needs to be had. I know we live in a sort of commercial world, but it's important that we work together if we truly want to get behind that sort of CyberUK theme of, um, you know, Defenders one prosperous one.

Yeah, really interesting point actually, and Stephen, how do you think organizations should adapt?

So it's a changing landscape, but I think there is still, you know, we talked about some of these easy wins. I think that detection is key, but also having a plan, um, having an idea of how to deal with an incident, and it's not necessarily going to be that you've got a clear cut, right, you know exactly what
you're going to do, but knowing the problems that you're going to face from your own unique situation. You know, so obviously in an educational institute you've got a large number of people who are not paying to follow your policy, and in any organization you've got people who need to be doing their jobs, and so you've got, as you said, balance those policies and balance security and usability. Um, and I think being aware of that, it's just possibly thinking about in advance, right, if this happens, what can we do? And maybe you're not going to end up with a policy or a plan out of that, but just if you can stop and think about it first, before you're put in that position, it will make things easier when you get there. I think that's really important. And I do think that, you know, the managed detection that is now kind of a real product or service in the marketplace is something really useful, because, yeah, you can't run a team of analysts for every organization. Not only do we not have that many analysts, but it costs, and hopefully those people are going to spend a lot of their time going, no, that's not a problem, um, but you need them for the time when they go, okay, that is a problem. So, yeah.

And I guess it's about understanding what the key things are that you should address first, understanding what the problems are and answering those questions before it's, like, effectively too late.

Yeah, absolutely, and what do you think, how do you think this affects your end users, do

Yeah, so just to echo your point as well, so access to the resource, right, in the sort of MDR/XDR space that's growing significantly, right, as we can see, is often we need that resource at a certain point in time, ad hoc, when maybe your internal function doesn't understand an alert or they want some more help, and they can go and lean on that additional resource, or, you know, God forbid, you do have a major incident,
you can bring in the cavalry, so to speak, but you don't necessarily want those people, if we put it plainly, on your books all year round, because you can't afford to do that. So it's a model that works. Um, but also, um, you know, speaking to my experience with WithSecure so far, you know, when there's not an incident you're getting that, um, you're getting that sort of peacetime value and understanding, like, well, what can we do to harden your environment, right? So let's learn about your environment whilst there's not an attack on, and let's work with you to harden it. So we're looking at more of those preventative controls, because, you know, again, if I speak plainly, if we're working together to make ourselves harder or more resilient as an organization, the likelihood of that attack, and therefore the deployment of lots of resource, becomes less for both of us, so we kind of win whilst we go on that journey. Um, you know, as an end user I would echo, I read through the report and I thought it was fascinating, um, but some of the key takeaways later on were very much like, most of these incidents started from credentials breached on the dark web, and we still know that these threat groups are exploiting known patchable vulnerabilities. Um, but again, you know, not all organizations have a mature vulnerability or patch management program in place, but having someone tell you, through peacetime value or whatever services you're looking at, tell you, look, here's something quite serious, we're seeing it being exploited by this threat group or these threat groups and we've got evidence to suggest it, go and patch it, whilst you build out that mature capability. Um, we focused a lot since joining at the Federation on those pieces in particular, right, patch and vulnerability management, and also looking at how we secure the identity, which is no small feat in an organization of 52 schools where, you know, every school has a
principal and different socioeconomic backgrounds and have different needs, and how do you standardize supply chain security and reduce how much things you bring into the environment? It's not an easy problem to solve, right, and these things take time, but having a partner there to support you has been really valuable for us. Um, so yeah, so you know, the obvious thing maybe that everybody always says is, you know, focus on the basics and the fundamentals, but the reason everybody says it, I guess, is because they work. And if you look at those, you know, those guidance and frameworks published for small enterprises, I think they also apply to large enterprises, right: get your identity sorted, good MFA coverage, hygiene, which I know that makes people's skin crawl, cyber hygiene, patch things properly, you know, if it's vulnerable, patch it. So you know, those are the things that I would do and things that we are doing, but I guess the comfort is in having someone by your side helping you on that journey, is quite comforting, not just for me as the security person and my team, knowing that they've got ad hoc, you know, access to that resource, but also, like I say, my peers, teachers in our schools, our students, right? We communicate that we've gone on to this partnership and look, all the things we're doing to keep you safe, keep your students safe. Parents want their students to feel, you know, secure in our schools. Um, so it's something that everybody benefits from whilst we go on this transformation, which we're very transparent about, and I think organizations should be. There's absolutely no shame in going on a journey to get better as an organization, and sort of when you've got, um, you know, when you're lacking maturity in a certain area, you know, you don't have to sing about it and make it public, obviously, but you highlight it, you make a risk for it, and then you work towards, you know, you work towards improving it, and
that takes time, and these things don't change overnight, and having people in your corner to help you on that journey has been really valuable for us with the limited resources that we have.

Yeah, that's really interesting, and do you think we should be doing more as a norm, as an industry I guess, to sort of share experiences and lessons learned? Because I feel like in the past, you know, incidents have happened and people are like, oh, this company, that's bad, like, again that shame aspect of it. Do you think we should be sharing more experiences and, like, how other organizations can learn from each other, I guess?

Absolutely, yes, I mean transparency is so important. Uh, ransomware statistics that we've got at the moment, you know, I said earlier billions of dollars of ransoms paid, and the statistics that we have are from the ransomware groups, and they are strangely not reliable reporters, but it's the best that we've got. And really, with more transparency about, you know, okay, incidents that have happened, you know, how they happened, what these threats are, what these actors are doing, it allows everybody to be more prepared and to learn from other people's experiences, um, and to learn from the information gathering that other people have managed to do. And I think that's a really important thing that I think the cyber security industry needs to focus on, but also just, if you are running networks and things, you're going to have these things happen, and making sure that information, you know, is shared with your peers, and having that support network, really.

Yeah, absolutely, so thinking ahead into the future, where do you see this going, what's the long-term view of these types of service?

Well, this is the thing, ransomware is not going to go anywhere. As long as it's profitable they're going to keep doing it, as long as it's high profit and low risk that's going to happen,
and there's been reporting that the volume of ransoms paid have gone down this year, there's been some reports suggesting that, but even if you take that, you know, as an accurate statistic, there's still a large amount of money, we can extrapolate, that's being paid in ransoms, and so that's going to keep happening. Then these service providers and the actors who are using them, they're going to keep going, because they've got this kind of virtuous cycle of malice going on, and so we're going to see them carrying on in this way. It's making sense, it's working for them, and you know, they're operating in this hostile environment that we've created, so they're going to take every advantage they can, and that environment they're in is going to push them towards kind of convergent evolutionary, it is pushing them towards it. And so that convergent evolution is that they're going to keep, you know, they're going to do what works, and if what they're doing stops working they will change just enough to get back to the efficiency, to the effectiveness that they need. And we do have from there some opportunities, because as they keep converging we're going to have really a kind of better idea of what we're going to have to face, if not necessarily, you know, in individual cases, what the end goal is going to be. So it comes back to that transparency and sharing, of telling each other what we're seeing. Um, you know, we're going to be facing this same threat, we need that transparency. And uh, there's kind of an overarching thing for somebody to hopefully try and address, is it's going to happen as long as it's profitable and low risk, so logically if you can reduce the profits and if you can increase the risk then we're going to have a change in that.

So yeah, definitely, and I think sometimes we're too focused on what this means for the cyber industry, but it's also a benefit to think about how this compares to, like, broader criminal, like, groups
and things like that. So I think, like, obviously the ransomware groups are quite similar to how organized criminal groups act, obviously both for financial gain in terms of the motivation, but both acting as, like, big businesses and very, like we've said, professional in terms of how they work and, um, like, the setups of the organization, if you like. So I wonder if eventually, in the long term, we'll see more of the more traditional types of organized crime groups move towards the more sort of cyber criminal, ransomware as a service, initial access broker type crimes, I guess.

I mean, the tools that the cyber criminals are using are of use to all of the others as well. If you've got anonymous payment systems, cryptocurrency and so on, and being able to move money around and hold it anonymously, and anonymous communication and movement of information, you know, those are both useful to anybody who needs to hide those things from other people.

Yeah, if we abstract the sort of cyber element from this, right, if you are a criminal enterprise, what are your motives? You know, largely going to be financial, if not, you know, disruptive or whatever, and if there is money to be made, and they know there is money to be made, why would they not leverage this new, you know, professionalized environment to, you know, introduce another revenue stream for them? So I think, you know, I think it's a given that even people that aren't sort of technically or cyber-minded will flock to this. I think, you know, money talks, right? When there is money to be made in an industry, whether you're a good guy or a bad one, people will flock. Um, if you know nothing about the industry, you know, if you're one of the good guys, you'll learn about it to get into it, they'll be a career invest, yeah, exactly that, and I think the same is true for the sort of criminal market. So I think there's absolute parallels between sort of cyber and
your traditional sort of, you know, organized crime group.

Yeah, and much harder to police as well. Like, obviously there's, like, different organizations that look to try and prevent traditional organized crime groups, but do you think we're going to be able to police ransomware as a service and initial access programs?

I mean, there have been some, you know, some successes on it recently, with the FBI's Hive ransomware operation, um, and so there have been successes in law enforcement, you know, directly going up against these groups. But one of the interesting things we've seen, which was really well illustrated by the fall of the Conti ransomware group, was that that group, you know, that group dissolved as a result of a lot of things, including the Russia-Ukraine war, and then instead of reducing the amount of malicious activity performed by, you know, the Conti TTPs, it sort of cross-pollinated across that industry, and you know, operators went to other places, or the shards set up new organizations or brands, and their tools and playbooks got spread around, and suddenly all of these cutting edge, or leading edge, uh, tools and methods were just being deployed by all these other groups who just suddenly got a leg up. And so it's difficult to shut down a group, because you can't, you know, you can't directly target them. There was successes, I think, in Ukraine as well, where they managed to actually arrest specific people, but as we say, the international nature of it, most of the time you're not going to know where an attacker is operating from. Uh, interestingly, on our education angle, I believe there was a cyber incident in Greece recently, the last few days, around the high school exams, and so they all got shut down, and I have to do it my team and I read that this morning, I meant, I think I can guess who might have been involved in that, and they wear a Greek school uniform. Um, because that's something that's been seen before, the Mirai
botnet, with someone who wanted to get out of doing their exams, and that's still with us.

Yeah, that's, I mean, that's fascinating, because, you know, working in education, and, you know, we've got some very, very smart students that we're not going into, they're well motivated and they're enterprising and always on the network doing things they shouldn't be doing, and, you know, sure, we can spot and, uh, you know, we go and speak to them and say, what on earth you're doing, for these are the sort of people that we can refocus their efforts into good. And, you know, we've got, you know, boot camps planned for the summer for those students, etc. But whenever I go in to speak to our students in schools, regardless of the time of the year, and we talk through some of the things we're seeing and we do demos or whatever, and then my last slide, before I go on to, you know, trying to convince them that cyber is the best career in the world, is I plead to them: please do not do any of this on our network, because we don't need more trouble inside, we've got enough coming from outside to deal with. Um, but yeah, I mean, really topical, and it hits home for me in education perhaps too much, perhaps more than I'd like it to.

It's that initial panic, isn't it? It's like, oh yeah, where's this coming from? Who is this? Is it malicious? No? Okay, is that a computer science student? Are they supposed to be running that script on that endpoint at this time? And that's that thing we talked about, that you're not now able to know from the get-go what you are dealing with. Are you dealing with a student who's downloaded something off GitHub and decided to try it out on school, or are you dealing with, you know, an organized criminal, you know, enterprise who have just found an easy in, or who have found your credentials for sale on the dark web and have decided they can make a profit from it?

Yeah, and there's work for us to do, right? You know, bring it back to me selfishly and how it is
what we can do to sort of tune our environment and blah blah blah blah to tune out that noise, but, um, but again that takes time and investment and it's a journey you need to go on, so, yeah.

And it is difficult. I mean, people have to use the network, we have to have the students on the network. Yeah, the most secure computer might be one that's turned off, but you've got to turn it on eventually.

Yeah, I think you reference it in the report as well. I mean, often, you know, a tool used as part of these attacks is legitimate tooling within the organization. Yeah, yeah. Right, so, you know, if we're running, you know, certain development tools, or, you know, we're allowing students to execute scripts on certain endpoints, you know, these are things that can potentially also be abused by a threat actor, so we have to be mindful of that. Um, again, you know, I often have the conversation, you know, with my team and my peers in infrastructure and service delivery. It's like, "Well, Jack, let me just block this." It's like, yeah, we could block that, but remember, we're not in the business of just securing Harris Federation, we are in the business of education, and that's what needs to come first. So if we're looking at any control, then first of all we must consider the organization, what we work from, what is the impact of that. So no, we can't just stop the execution of Python scripts, because guess what, that's part of the curriculum. So it's a real balance to be had, and, you know, that's what's fun about the job, you know. But also, if you do it wrong, we understand that you can quite quickly get a bad rap as a security team as being this disruptive force, and that is absolutely not what, you know, what we're not here to do is to disrupt what we're trying to achieve as an organization, in our case teaching and learning, but that extends to every organization. You know, I think people say that security is, often, you know, we're an enabler, we're a business enabler. We
actually, no, we're just part of the business, so their objectives are our objectives. Um, and I think that's something we need to remember as we go on that sort of security journey or transformation, um, no matter how mature you are, um, to not be too abrasive or not understand the business context when you're putting in controls, technical or otherwise.

Yeah, absolutely, and we don't want to be a burden at the same time. Yeah, we always have the same impact, right? Yeah, we're creating barriers to success by being a barrier. Yeah, by being a barrier. So, you know, we have to be conscious. Yeah, yeah.

Okay, great, thanks guys. So we're going to move on to some questions from the audience now. So we've got one question from Kelvin K: for security teams that are under-resourced, where do you think they should focus their efforts as far as enhancing, maintaining security resilience? So we did touch on this briefly, but Jack, do you want to?

Yeah, yeah, and I guess, you know, speaking kind of firsthand to this, so, you know, what I and the team have done is we have probably over-invested by intention on that detect and respond piece for that safety net. Whether that might be, you know, if you've got the luxury of reaching out to a partner, great, you know, I would kind of do that. Maybe you've got your own in-house security stack, maybe you don't want to buy into a proprietary service or sensor that requires a custom endpoint, but maybe you already invested in, I don't know, the Defender suite, and you want, you know, an MSP or provider to sit on top of that stack and help you respond to those alerts and fine-tune that environment whilst you go on that journey. So there's all different types of things you can be doing. That's what we've done. But again, then I would reflect on, right, where are we in terms of maturity in our other pillars, those core pillars that I referred to earlier, and start ticking off those big ticket items that we always see when we look at attacks,
right? How is your identity being controlled? How are you managing your known vulnerabilities? Are you patching in good time? What does that look like? So, you know, that would be my advice: get your detection and response sorted, whether that be through a partner, that also means having a plan that you've tested and rehearsed, and then look at those big ticket items, you know, password management, identity management, MFA coverage, things we always talk about, yeah, that always come up in every single big incident, um, training, awareness, social engineering, phishing, that sort of thing. So, you know, that would be my advice, um, and that's the approach that we're taking at the Federation as we go on this journey.

And I would say, if you're talking about, you know, you don't have or you feel you don't have the resources for security, um, a lot of it is IT good practice. You know, we know we should be applying security updates, we know that knowing what your configuration is, staying on top of these things. Um, the worst thing is seeing a malicious actor getting an easy win, you know, when a large percentage of these opportunistic attacks that are going around can be, you know, defeated by, you know, patching, 2FA, you know, and maybe just a bit of user awareness.

Yeah, absolutely, and again, drawing on the attack surface management side of things, um, I think this all really helps if you've got good visibility of what you've got as well, both internally and externally. So obviously you can't patch if you don't know what's there in the first place. Yes, I think that's, yeah, you can't defend it if you don't know you've got it, and you can't fight what you can't see. Exactly, yeah. So just increase visibility. Obviously asset management is really hard for a lot of organizations, the bigger the harder it is, I guess, but, like, increased visibility is definitely going to help in the long run for any organization. I guess it's having that continuous process to add to that inventory as
and when you've got new things being spun up as well.

Listen, okay, so we've got a question for Jack: how can single schools have the same level of visibility as the Harris Federation, like having one of you and the staff and tools at each school?

So this is what I drew on earlier, and this is where I think the education sector's got a lot of work to do, and I don't think that the education sector should take that entire burden on themselves. I think that's, maybe unfair is not the right word. Um, so I've not really got a good answer for you other than it's going to be quite tricky. Um, to your point, I think if you are that IT person or that single point of contact who manages all things IT, security, maybe facilities, I think you need to first have that conversation with the leadership within the school and put forward the evidence. You know, put forward some tangible, you know, you can pull up the amount of attacks on education, and they'll be aware of them going on, and say, look, we need to invest in this area. Now the trouble bit is, what if there's no money to invest? Where do you start? And again, I refer back to what we said, you know, tick off those big ticket items. Now the next part of my question is, well, how do we address the fact that schools should be doing more but they don't potentially have the access to funding to do so? Well, this is where I think we need to be doing partnerships at a local level, geographically, with, you know, other schools in your area. You know, sure, you might be competing for student numbers, but if you all get attacked, then it's going to be no good for any of you, you know. So get together with other schools, get together with your local council, and then speak to vendors quite transparently and openly about the, you know, there's no shame in saying, right, we need this service, we want this service, but we can't afford it, we don't think we can afford it. Nine times out of ten they'll try and work with you to
find a solution that works. So I think you just need to be, you know, a really cliche saying is sort of be the change, and sort of go and have those tricky conversations: speak to school, speak to the leadership, and then speak to some partners and see what you can go on together. But there is no real, I think, this thing that really is a good answer to that. I think I would really struggle if I got brought into the Harris Federation, say we were one school or two schools and we didn't have access to the economies of scale that we do. I think it would be extremely hard to go on that security journey. Um, so yeah, I'm sort of sympathetic to the situation, but I think it's a two-prong thing: we need to do more ourselves, we need to come up with solutions, but we also need to sort of lobby a bit and get the help externally, whether it be through government, council or suppliers, to see what they can do for us.

Yeah, so, um, we've got the next question: as a supplier of IT management services to clients massively invested in MSFT through Microsoft 365, there are specific areas, um, to concentrate; MFA is covered; ought to use dark web monitoring tools to check compromised usernames. Do you have any other ideas?

Yeah, so MFA is important. Um, obviously make sure that your users are aware of the whole MFA fatigue, because that's been a big way recently that people have gotten past it, just repeatedly hammering the MFA until someone clicks yes to make those notifications go away. Um, so dark web monitoring tools, possibly. Uh, I don't know you necessarily have to go as far as that, but there are obviously various leak sites, database sites, in the nature of, you know, Have I Been Pwned, etc., where you can check, you know, just for that kind of thing. I think a bit of that dark web brand monitoring stuff can be useful, um, just to have that awareness, but what are you going to do about it? Knowing it's out there, it's a risk, um, but it doesn't mean, you know,
you've got an attack going on necessarily.

Uh, yeah, I mean, to add to that, I think, um, you know, we're a Microsoft house at the Federation, and I see a lot of value in that security stack that Microsoft brings. I think actually, out of the box, I don't know if this person who asks the question is using MS365 or they're supporting clients that are, but actually, as part of that suite, you know, if you logged in as an administrator, they've got the secure score for endpoint, secure score for identity, secure score for cloud, and these are really, really thought, you know, well put together resources that sort of demonstrate how making a change within the environment from a configuration perspective can have a tangible improvement on your score, but sure, that score translates to something. So you can look at that. Um, so there's all sorts of things you could be doing in this arena. Um, you know, we've invested in Defender for Endpoint and we've configured all the attack surface reduction, I think is the right acronym, stuff, you know, albeit you need to do that carefully: put things in audit mode before you put them in enforce. Um, don't be too brave. But there's so much to do. But I think, yeah, actually I do think the secure score sort of metrics within these environments are a good place to start if you've got nowhere else to look, because I do also appreciate there's a lot in there. If you invested in that, you know, depending on licensing, there's a huge amount you could be doing. The question is, where do we start? So have a look at them, because they do give you some insights, um, into where you can best increase your sort of security posture and how that would impact your score. It's also really nice to see that little line going up over the weeks and months, and it's quite nice, um, dashboard candy for your leadership team to prove that you are going on that journey.

So I think as well you could dig
into this one for ages, couldn't you? But, um, for any cloud service, uh, the key thing at the moment, it seems to me, with cloud security is configuration. Like, so much of it is, okay, something was misconfigured and somebody got in. And, like, cloud configuration can be complex. All the different cloud providers, you know, have different ways and acronyms and architectures and structures of doing things, uh, so it's difficult, having monitored them before. Uh, yeah, it's a hard one, but make sure you've got your configuration set down, and if there's something in there that you, as the owner of the cloud environment, don't understand, you should, you know, if it's weird, look at it funny.

Yeah, okay, and there are obviously a lot of frameworks out there that can help organizations prevent against different types of attack, and particularly the ones we've been speaking about today, but do you think they give a false sense of security to some organizations?

So I can speak to this in two different ways. I think frameworks are a helpful resource. You know, standards, frameworks, you know, they're there to help you put together a security program which is deemed, you know, best in class, through experts, through, you know, lots of communication and collaboration, blah blah blah blah. You know, let's not kid ourselves. Now, if we're talking, let's say we're, you know, a certified 27001 organization, doesn't mean anything. You can still be breached. You can get certified and say, you know, oh, this is not relevant to us, this is why, and therefore I'm ignoring all these controls for this reason. You can still get certified. So, you know, accreditation or whatever does not equal good security, and I think that's something we absolutely need to hammer home, and I think often a misconception when you look at sort of supply chain security and you go, right, oh, this vendor's 27001, we don't have to worry about anything with them, just onboard and off we go. It's not the case. So to answer
the question succinctly, no. Uh, I think no, it does not equal good security. However, they are absolutely useful tools and resources, but you need to put them in the context of your organization. You know, like I said, to my example, you know, one framework might say go put in this password complexity requirement, and we could go off and do it and then have a huge impact on the organization's running business. So they're tools, they're resources, like anything, that need to be considered and thought through and how they fit in with your organization.

Absolutely, it's, I know, an answer for the ages when it comes to frameworks. Like, whatever the framework is about, is it good, is it good to have it? Well, if it works for you, it's good, and if it fits what you need to do, you know, what you need to achieve and what you're doing, great. But if you've got to contort yourself to fit a framework that someone else has come up with, it may not be the right one for you.

Yeah, absolutely. Okay, thanks very much guys, we're going to wrap up there. A quick thanks to Jack and Stephen for giving some really useful insights to us as well today. Um, in terms of what's next for us, so you'll receive a replay link so you can watch this webinar back at any time, and also if you want to read more about the types of things we've discussed today, we've also linked to the report and our monthly threat highlights report as well, um, to the links in this. So yeah, thank you very much. Thank you.

About Speakers

Jack Fowler

Head of Information & Cyber Security, Harris Federation

Jack is currently building out a brand-new team in one of the largest and most successful educational trusts in London & Essex, serving around 5,000 staff and more than 40,000 students between five and 18 years of age.

Jack has a track record in education and cyber security, joining from the Open University, where he worked on operations, incident and response and business continuity projects for eight years. During that time, he also focused on the use of training and awareness programs with the University’s academic cyber function to effect behavioural change in users. Outside of work, Jack is a foodie, and enjoys weightlifting and exploring new - preferably hot - countries. 

Stephen Robinson

Senior Threat Intelligence Analyst, WithSecure

Stephen has a degree in Cybernetics and Virtual Systems and 20 years of experience working in IT, 10 of which have focused specifically on computer security and threat intelligence. 

As such he has a depth of experience on both how to do security, as well as how not to do it. After spending a long time being directly responsible for securing systems, it is a very different, but equally interesting challenge to ensure that other people have the information they need to act and react effectively in the current information security landscape. 

Katie Inns

Host & Security Consultant, WithSecure

Katie's focus is on helping organizations reduce their external attack surface and improve the security across it.

After completing a degree in Criminology, Katie worked as part of an in-house security team focusing on vulnerability management and application security before joining WithSecure to focus on Attack Surface Management. Outside of work, Katie enjoys dancing and travelling.
