The COVID-19 impact on cyber security at a multinational law firm with Sunil Saale
Gar’s guest this week is Sunil Saale, Head of Cyber and Information Security at MinterEllison. Sunil comes from a heavily technical background having worked at Tata Consultancy Services as an engineer, before progressing into IT Management for PwC Australia and finally heading up cyber at MinterEllison.
Gar and Sunil discuss COVID and how it has changed the dynamics for the MinterEllison staff, the move to mobile workforces, what the 'new normal' looks like, the key challenges Sunil and his team faced during the various stages of the COVID transition (e.g. UEBA baselines falling apart in the early stages), the balance between security and external digital collaboration, cloud as a path to resilience, end user behaviour programs, and what Sunil has learned through the COVID transition.
The Get Cyber Resilient Show Episode #38 Transcript
Garrett O'Hara: [00:00:00] Welcome to the Get Cyber Resilient Podcast, I'm Gar O'Hara and this week I'm excited to be joined by Sunil Saale, Head of Cyber and Information Security over at MinterEllison. We've met over the years on panels and at events and I've always really appreciated Sunil's commentary. He comes from a heavily technical background, having worked at Tata Consultancy Services as an engineer and then progressing into IT security consulting. He headed to PwC Australia as an IT security manager, and now heads up cyber over at MinterEllison.
In the episode we talk about COVID and how that has changed the dynamics for them and trails and stuff. The move to mobile workforces, what the new normal looks like. The challenges Sunil and his team faced during the various stages of the COVID transition, the balance between security and external digital collaboration, cloud as a path to resilience, end user behavior programs, and what Sunil has learned through the COVID transition.
As always, he delivers with solid and practical insights. So over to the episode. Welcome to the Get Cyber Resilient podcast. Today I'm joined by Sunil Saale, head of cyber and information security at MinterEllison. How you doing today Sunil?
Sunil Saale: [00:01:14] Thank you. I'm doing well, thank you for inviting me onto the podcast. I've read so much about it and seen it on LinkedIn. Excited to be here.
Garrett O'Hara: [00:01:20] Great to have you. We've kind of met a few times over the years. We've been on panels together and various events. I've heard you speak and kind of dig what you've got to say. And I suppose the catalyst for this conversation was seeing your commentary in I think it was IT Wire fairly recently about the experience of MinterEllison. So I was like, really keen to get Sunil on to have a chat about that experience. How's COVID been treating you so far?
Sunil Saale: [00:01:48] Oh, yeah. The going's been very different like everyone else. It's completely started off as an... It wasn't something that we planned or anyone had planned for. But yeah, it has thrown a spanner in the works and into the service and everything else but rewrote the entire book. [laughing]
Garrett O'Hara: [00:02:04] Yeah, it is crazy. And Sunil, we always kind of like to start with the guests kind of introducing themselves, getting to know them, like how did they arrive to where they are today in their career. And so I'd love to hear from you like just how did you arrive to kind of be the head of cyber and Information Security over at MinterEllison?
Sunil Saale: [00:02:23] Probably the interesting part is I didn't plan, or it wasn't the goal, to be the head of cyber and information security at one of the most prestigious firms. It probably happened along the way, probably with some good opportunities and amazing bosses and great mentoring. But probably the normal version is I started out as an engineer, I started working for Tata Consulting, which is an IT services major. It's a giant in India and across the world now. And I started working for Nortel Networks, both in Mumbai in India and in the US. And there I started working on a couple of features... some of the telecom features called CALEA, which is wiretapping basically. So that sort of kicked off my interest in security, per se. And then after I did that for about five years, I quit my job, and I did my IT management, did my MBA from SPJ. That gave me a good perspective and an understanding of what is IT operations, what do we mean by value and ROI, and what is the meaning of IT management per se as a business.
And then, finding out about my own employer, they hired me back into the security consulting practice. And the consulting was pretty interesting, because it gave me a very good overview of the different domains. I went to a lot of clients and it helped me understand the different domains of security and got me started on the deep dive into the security journey. Then I joined PwC as the Internal IT Security Manager, and after five years I joined Minters, and it feels like yesterday, but it's been five years now. It's been really exciting, yeah, it still feels like there's a lot, lot, lot more to go [laughing].
Garrett O'Hara: [00:04:20] Yeah, it is amazing how quickly time goes. Yeah, five years. Yeah, it seems like it should feel like a long time. And yeah, it can happen in the blink of an eye. Especially, I think, in cybersecurity because things change so quickly. It is such a fast paced environment that, um, yeah, it feels like every time you blink, it's like a whole new landscape out there.
Probably, like, the biggest thing and obviously everybody's talking about it is the COVA, uh, sorry, COVID. And that's kind of impacted so many organizations around the world and dramatically impacted them. And as I was reading your commentary, your words were that COVID has completely changed the dynamics for how the two and a half thousand MinterEllison staff work. And I kind of wonder then, like, when did you realize how big the change ahead of you was going to be?
Sunil Saale: [00:05:08] Um, that's a good question. I'd say after we got the announcement that everyone has to work from home, that's when sort of the reality hit home, saying "We're not ready for this." Minter has always had a flexible work policy. So I used to work from home one day a week, even before COVID. And we had a lot of our staff working from home a couple of days a week, and the flexible policy was always there. And we were actively promoting that as well. But there wasn't as much uptake and the infrastructure wasn't ready for that. In fact, generally, it was only right sized at that point in time. But we didn't plan for two and a half thousand staff to work remotely at the same time. So when it was announced that the entire firm has to work remotely, that's when we had to upgrade our Citrix infrastructure, we had to buy new RSA tokens, particularly if you want to log in remotely, we had to buy additional hardware, laptops and everything else, and set up our staff to enable them to work remotely.
It kicked off a lot of activities, and looking back, it's quite amazing what we have achieved as a firm to enable everyone to work remotely within a week. But it's completely changed the way we think about what's required, what are the most valuable things for us to enable our staff to work?
Garrett O'Hara: [00:06:33] Yeah. And what were those things, like when you think about the productivity side of things? Because I think that's the challenge, you know, there's this, you know, security versus productivity, it's the age old conversation we have in this industry. Perfect security means no one can do anything. But you know, with that transition into working from home, what were your priorities? Or what were the things that you saw, I suppose, as kind of key security requirements without getting in the way of people actually being productive and being able to do their jobs?
Sunil Saale: [00:07:02] So when we had the announcement that we all had to work remotely, we had to reset our strategy and revisit our strategy to see what solutions we already had on our endpoints. And what additional solutions do we need to look at to enable our staff to work remotely and in a secure manner as well. Again, it comes back to the question on balancing productivity and security. And one of the key things we had was that, for example, we use Mimecast. And from an email security perspective, we were covered. From a continuity perspective, again we were covered, because for all archives again we use Mimecast. We have good confidence from an email perspective. COVID helped us understand what are the key things that we need to look at from a client servicing and enabling a user perspective, right. So that's where we started looking at VPN as one of the core infrastructure or core technologies that we have to enable. And we can't put any security policy in to sort of block someone from logging on. Or we have technologies to isolate a particular laptop, but we have to look at ways to bring it back onto the network, password resets and all those things came to the forefront.
COVID in some ways highlighted some of our weak spots. If someone's working remotely, how do we enable them to work remotely in a secure manner as well? So we had to rewrite some of our policies. But overall, it turned out well, because it gave us a more robust strategy and also more thinking towards resilience as well.
Garrett O'Hara: [00:08:36] Yeah, definitely get that. You raised an interesting point around things like password resets, but even worse would be machine rebuilds, you know, if something really dramatic goes wrong. And I've actually been through this, not because of a security issue, but just because of essentially a hardware failure on my laptop. And, you know, it was fine, I was able to get a turnaround very quickly and get a new one sent out. But when you think about the way we could just walk over to the IT desk and say, hey, you know, this problem is happening. And they could say, well, let me just go fix it for you, you know, physically, they were able to do what was required. Have you guys figured that out? Or are you shipping laptops and spending money on DHL to send equipment around?
Sunil Saale: [00:09:20] It's interesting you asked that. I mean, we had the exact same issue for a couple of laptops where it had a blue screen, and not during when we were transitioning to the COVID scenario but post that, in the July and August timeframe. So when we deployed a particular Windows patch, it just did the blue screen of death on a couple of laptops, and the users were in Melbourne as well, where there was complete lockdown.
So we had to rely on couriers to send them the actual laptops and collect their old laptops, and again, it triggered a whole set of requirements for us to see that this model doesn't work. If there is a blue screen of death we want to make sure that the user can continue working. So the remote working, the support model isn't designed for remote workers. So we have to redesign that and make sure that our users who are working remotely can still continue working. We have Citrix and everything else. But Citrix doesn't give the same level of experience.
Garrett O'Hara: [00:10:15] Yeah, so yeah, sort of differing. Yeah, I think, like so many of us, we're all kind of figuring it out. And it definitely does feel like COVID has really been a catalyst for things that were trending anyway. Right? I mean, remote working was on the uptick. Most organizations were looking at flexible work arrangements, it was a big requirement for, you know, hiring good talent and being attractive to, like, the top end of talent in any organization, they tended to want some version of flexible work arrangements. And so, like, was MinterEllison kind of moving towards that anyway, like mobile working, remote working? Was that a trend for you guys?
Sunil Saale: [00:10:53] That was it. So we have a flexible work policy, but there was no push to work from home, it was more a policy, an additional benefit for us to work from home. There was no push start energy, you have to have, or you can only walk into the office a couple of days a week sort of thing. So it was an additional benefit of, you know, you can work from home anytime you want. But with COVID now it's become a mandate. It's not a mandate. It's more saying that you only come into the office if you need to be in the office. And many of our staff, like in many other organizations, they love working from home, because, you know, their work life balance is much more, I think it's much more real now, rather than earlier, when you have to jump on the train, and sit on the train for an hour to reach the office, and then come back home, and then rush home to pick up the kids and things like that. Now you can use all that time to spend more time with your kids, and also spend less time on the train with strangers, right? [laughing]
Garrett O'Hara: [00:11:49] Yep.
Yeah, 100%. The Australian Bureau of Statistics, where they do these surveys around COVID and they kind of ask Australian citizens, you know, various questions around the COVID experience. And one of the questions is, post COVID, you know, what are the things that you want to continue? Like, what do you... Like the changes that have happened, what do you want to see stay in place? And wouldn't Australians all kind of say, like, actually working remote, you know, work from home, it just makes my life better? And I've certainly seen plenty of coverage in many of the kind of larger newspapers in Australia talking about this thing, where, for many people, exactly what you said, you know, they're spending 2, 3, 4 hours a day sitting on trains going places to often do what we're doing right now, which is sit on a Zoom session with somebody who's remote anyway.
Sunil Saale: [00:12:38] Exactly, yes. [laughing]
Garrett O'Hara: [00:12:39] Which is quite astonishing.
Sunil Saale: [00:12:41] Yeah. I think the other aspect, and this was heading, it will be very heavy towards the cloud first approach anyway. But with COVID, VPN was sort of a bottleneck for us in some ways, because all the data is still hosted on prem. So there it highlighted that need, that sort of shortfall from our strategy perspective, that if someone's working remotely, we have to enable them to get access to the data they need, at the time they need it. So, we can't really have this VPN as a bottleneck. So, the entire strategy is sort of realising when do we, how do we process data? Where do we process data and things like that? It's more about enabling our remote workers and giving them access to the data they need at the time they need it as well. And with the cloud first approach, that sort of supercharged us.
Garrett O'Hara: [00:13:36] Yeah.
Sunil Saale: [00:13:37] So every, every solution that we look at, the first question is, is it hosted on the cloud? And what IDM, identity access management solutions are supported by that platform? And can we give access to a remote worker without VPN? And using conditional access and things like that?
Garrett O'Hara: [00:13:56] It's completely changed. I've been I've been trying to think about how I quite a visual person, and you know that like, I think pre COVID, in a way, and it's nothing novel, kind of saw a perimeter. You know, even though everyone says the perimeters is kind of going away, blah, blah, blah. We've been saying that for years. But there was a kind of mental picture I had of some version of a castle, a moat. And it was a gate where things like VPN would let stuff in, let stuff out. And your company was in the walls, and it feels like it's almost like a membrane, where there's like your company and not your company, but there's a membrane that sort of letting things through and various different places at worker levels and data levels, across the membrane, but doing it securely. It's Yeah, it's such a different world. It feels like compared to Yeah, this time last year. Yeah.
Sunil Saale: [00:14:40] And it's also, when you think about it, say we have courts using BlueJeans and in some cases they want to use WhatsApp. So it's sort of, all the consumer apps, the collaboration apps, they are coming to the forefront now. So we had these teams from WebEx, and we are using Teams internally now. And BlueJeans, Zoom and everything else that wasn't heavily used. And even our staff, if we had to meet our client we'd go to their office, or I'd invite them to our office, so that was the norm before COVID. Now we sit in meetings pretty much all day, our WebEx meetings have gone through the roof, right? So pretty much every day everyone's sitting in meetings throughout the day, and at night or in the evenings or late night, they're working.
So similarly, when the courts push WhatsApp or BlueJeans and other collaboration apps, from a data perspective and security perspective, those are additional consumer apps we need to assess and understand. How do we keep a record of those calls? How do we keep a record of the instructions exchanged on WhatsApp? It all adds on to the archiving process as well. So, we're looking at different solutions, saying, how do we look at, you know, archiving WhatsApp messages?
If a client messages us, you know, sends us an instruction on WhatsApp, how do we keep a copy of that? And how do we keep a copy of BlueJeans, or, you know, someone chats on Zoom? How do we keep a copy of that, when do we file that, because we've got to maintain a copy of pretty much every conversation that we have with a client.
Garrett O'Hara: [00:16:16] That generates a massive amount of data, doesn't it? When you think about it, yeah. And so, you've raised a really interesting point around that operational use of Shadow IT, because we talk about it from a security perspective quite a lot. But it's not a great thing to be dropping potentially confidential files in, like, Dropbox, for example. But you've raised a really interesting kind of point around the data governance side of things, if it's end-to-end encrypted, you know, a consumer grade communications application. What is the mechanism for doing that, other than policies where you have to say, hey, look, you just can't use WhatsApp to interact with clients? And would that even work? Have you, sorry, have you guys come up with a solution? My brain is firing here now, just trying to pull through what you've just said.
Sunil Saale: [00:17:06] No, that's spot on. I mean, that's a problem that we are working through right now. So we have a data governance issue, not an issue. It's a data governance group that we set up internally. And we're looking at all the different types of data we store, the data we... the instructions we get from our clients, how do we get them? Is it just through emails, or do we get them from WhatsApp? WhatsApp was one of the cases, one of the courts wanted to use WhatsApp. And how do we store it? And how long can we store it? And how do we, all the retention policies on those ones? So, one of the core concepts that we're thinking of is, if we can't see data, we can't protect it.
So from our user perspective, our lawyers are pretty good. So they understand this properly. As soon as a client says, can we exchange instructions on WhatsApp, they send a note to our risk team saying, is it okay to use? That's when we get involved. And say, yes, that's fine to use. But how do we keep a copy of it? And what terms do we have with our clients? So, it becomes an issue where we are entering into the consumer grade solutions, and also sort of consumer apps which could have their own privacy data. So, it becomes a bit difficult. We can write a policy, but again, a policy is only as good as how much you can enforce it. With the consumer apps, when we look at shadow IT, the policy is as good as, up to the point where we can see data and see the information. As soon as we go into the consumer or privacy space, it becomes really blurred and it becomes quite serious as well. It's privacy data.
Garrett O'Hara: [00:18:42] Yeah, 100%. Zoom is, like, a pretty good example of that. I think, excuse me, as COVID hit, you know, we were users of Zoom. And, you know, many organizations were, but I think it largely wasn't really ready for what happened, which was all of a sudden, very large organizations were using it for very confidential communications. And my personal take was, despite the, what's a nice way to put this, the interesting marketing language that was used around some of their encryption, like the interpretation of end to end encryption, for example, was, air quotes, interesting.
Sunil Saale: [00:19:21] Yeah.
Garrett O'Hara: [00:19:22] But I would say the panic over things like Zoom bombing, I mean, that was easily fixed. You know, it was really just, it wasn't set up the way it should have been. And I think, I mean, personally I think Zoom has come a long way, but I think there's probably better options, there's things like Dekko Secure, which is a local organization, I'm not sure if they're on your radar.
Sunil Saale: [00:19:41] Yes. I've heard of them. Yeah.
Garrett O'Hara: [00:19:43] They're doing some, like, really good stuff. And I've used their VC a couple of times and really liked it. Um, but I guess the point is, when it comes to Zoom, that's controllable by folks like your teams. But something like WhatsApp, there's, you know, there's no, you know, [crosstalk 00:19:58] for WhatsApp. There's no access to that, it's literally a black hole.
Sunil Saale: [00:20:03] Yes.
Yeah, and that's the issue right now. If we have any sort of communication with a client, or if the client talks to us on WhatsApp, as soon as the staff, if they leave the firm, we have no record of it.
Garrett O'Hara: [00:20:19] Yep.
Sunil Saale: [00:20:20] So unless, you know, we actually ask the staff to file it somewhere to keep a record of it, we just don't have a copy of it. It is a tricky area.
Garrett O'Hara: [00:20:28] Very, very, very interesting. So, here's probably a fairly big question. But, you know, given all these changes, all the stuff that you've worked through, and I'm sure you put in some very long hours to get to where MinterEllison is now. What do you see as the new normal? You know, if you kind of imagine a year from now or two years from now, what do you think it's going to look like for the staff that you look after?
Sunil Saale: [00:20:59] I think the new normal would be [inaudible 00:21:02] computing. So, before COVID, not everyone had laptops, but now everyone has laptops, and also the acceptance of work from home. So, even the culture change, where work from home wasn't too... So, we had a flexible policy, a flexible work from home policy, but it wasn't, um, not everyone was working from home, there was a culture shift required as well. And I think COVID pushed that as well. When we have COVID and everyone works from home now, we could see that there is no product fit for if you're working from home. And in fact, I think in some cases you could see lawyers working on the weekends as well. After they got this laptop, they have access to the laptop anytime they want. And you can see VPN sessions, longer VPN sessions and longer hours. And, yeah, they're sort of empowered to work anytime they want as well.
And from a culture shift perspective, I think that definitely remote working is a massive change that will stay, even from an office perspective as well. I think from a thinking perspective we would only go to the office if needed. It's not because we have to go to the office and show our presence in the office. And it's more results-oriented work. Rather than, you know, you have to spend eight hours in the office or seven and a half hours per day sort of thing. It's more result oriented.
Garrett O'Hara: [00:22:24] Which, to me, has always just made sense. Some of the laziest people I've worked with over the decades I've been working have been the people who have potentially been in the office for the longest amount of hours, because for them it was social, you know, they were there long hours, but they were there because they liked to chat, which is, you know, not for a second saying that that's not important. You know, culture is hugely important. But, um, yeah, I think time in an office has very, very little to do with output, in my experience.
Sunil Saale: [00:22:51] Yes.
I think it also helps in terms of developing deeper social connections as well with everyone working remotely, you place more value when you meet someone now.
Garrett O'Hara: [00:23:01] Yes.
Sunil Saale: [00:23:02] So you develop deeper connections, whereas previously, it was more like, I'm going to catch up with this person when the person is in the office all the time. So I'll catch up when I can. Now we plan for it and we make sure that we develop a deeper connection as well.
Garrett O'Hara: [00:23:17] Yep.
Sunil Saale: [00:23:17] Yeah.
Garrett O'Hara: [00:23:19] But you're spot on, yeah. It is so true, you know, you kind of value scarcity, and that face to face time, I think, will be scarce. So, 100% agree with you that, yeah, it becomes more meaningful.
What, um, when I've thought about COVID I've sort of mentally broken it down into different stages. So, you know, the initial hit where, let's be honest, I think for most organizations, it was just panic stations, you know, how do we kind of get through this? And then there were sort of a couple of middle stages, where the changes were happening, and it feels like for many organizations now, they're probably not into their new normal, but they're kind of getting that direction. Did you see different challenges during the different stages? So, you know, that first week versus, you know, four months in? What were the kind of things that were going on for you and your team?
Sunil Saale: [00:24:07] Yeah, I mean, we went through similar phases as well. The first one was panic within the domain. I think probably a good deal was laser sharp focus on air for everyone, in terms of the safety of staff and to get them to work from home. So, there was rested this single brain working towards a common goal, safety of staff and enabling everyone to work from home. And that kicked off a lot of activities. From a self-service perspective, we had to put up a lot of articles online, to make sure that our staff could make use of self-service for some of the common questions. And also internally we have done a lot of solutions, e-signatures for example. When our lawyers sign on a medical report, say that is to be a physical signature and everyone's working remotely, we have to look at e-signatures as well.
And we had to look at a platform, or an internal platform to... we had a platform already, but it was only used by a couple of users. So that had to be scaled up to the entire firm. And there was a team working dedicatedly on that as well. And then we had to get the sign off from our general counsel to make sure that platform is acceptable, as well as a report as an output to our clients. Yes, for some courts it may not be acceptable. So, we had to get guidance from our general counsel, and it generated a lot of internal activities. Printing and scanning, for example, as a law firm, for some of our courts we have to give paper printouts, and for some of our records management we have to get paper printers, so.
Again, those activities as well, we had to rethink everything, how do we push those printing and scanning needs. [inaudible 00:25:42] In some cases we had to enable home printers onto our network. So, in some cases, we had to decide, do we allow split tunneling? So, we don't allow split tunneling, so we said no, we can't allow an untrusted device on the network. So there, we had to make some calls saying that, okay, if this particular make, if we know about it, if we have done our assessment, that's fine to use a local printer.
But probably after that, after the initial phase, in the mid phase, we started looking at different solutions from a longer term perspective, say it's not a short term, [inaudible 00:26:20] we'll finish this whole COVID pandemic stage and then revert back to normal. So, it was more that everyone had accepted this is going to stay, this work model is going to stay. And our thinking was more focused on the longer term, saying if remote working is here to stay, how do we look at a different way of enabling printouts, printers and scanning? Is it really required? Do we need to have these massive printers in the office, or when someone's working from home they probably won't be using the office printer?
Garrett O'Hara: [00:26:50] Hm. Yeah.
And I like that you sort of had that longer-term view, kind of using COVID as a catalyst for change. It was probably going to happen anyway, and looking at ways to, I suppose, rationalize and do things better. So that feels like a kind of smart approach. One of the things that's probably a little bit different, I would say, for many organizations versus you guys, is things like the federal and state courts. And, you know, when we were chatting before the interview, you mentioned that some of the time they were pushing Zoom, BlueJeans, Teams and different kind of collaboration platforms, and I was kind of wondering what kind of complexity does balancing the needs of outside organizations for communication with your internal requirements for security bring? It seems like a little bit of a different situation that you would be in, versus many organizations.
Sunil Saale: [00:27:39] Yeah, it always comes down to risk as well, right? So, from Minter's perspective, we don't initiate any Zoom or WhatsApp or so. Our instructions are pretty clear. So, we tell our staff, we can't initiate any calls in Zoom, free Zoom, and those, WhatsApp, are just not acceptable. So, if a client is using those, if courts are using Zoom, or Teams or anything else, we ask the question on the due diligence done by the courts or by our clients. And in some cases, you know, if they would have done the due diligence already, and they invite us as a participant, in those cases we are fine to use it. But again, we have some reservations on what files we share using Zoom or BlueJeans or Teams. If it's extremely confidential, our staff won't share the files on Zoom, they'll just want to use email. And if it's us initiating a particular telecon or collaboration platform, it's our corporate WebEx platform. And that's used for all the time comms and everything else. But in terms of using it as personal, or any of the free collaboration platforms, that's a strict no, no, we don't use any of those.
If a client is using that we might, [inaudible 00:28:52] the risk assessment would have happened on the client's side already. And we're just joining them as a participant.
Garrett O'Hara: [00:29:01] Yeah, understood. And we sort of talked about this a little bit earlier, I suppose. But one of the things we've seen a fair bit is, with the COVID kind of epidemic and sort of pandemic, a lot of organizations have looked at, you know, being less kind of location dependent. And, you know, you've mentioned that that's something that you guys are working towards, and the ability to scale as well. And you mentioned you've got more of a cloud first approach now. And I'm just wondering, like, how is that playing out? Like, is there a lot of workflows? [crosstalk 00:29:32]
Sunil Saale: [00:29:35] Yeah, the COVID did, like you said, it highlighted some of our weak spots as well and it also validated some of our approaches. For example, Mimecast archiving. That was, that was a really good example for us because all of our cards are online, so we didn't have to worry about getting this new access to our staff or working remotely. It was just that they could just go to their Mimecast portal and access that.
And in terms of, say, our security monitoring, most of the solutions are also online. Which means we didn't have to worry about, even though we have a lot of network-based controls, we just had to change a few things to start monitoring our endpoints as well. Of course, our IDS and the active directory-based controls and UEBA didn't, it did, they gave us a lot of false and that's during the shift. But now they're been practice. But now it's slowly scaling up. Because everyone's working remotely, that model has been changed slightly. So, we are cutting out all the false positives and looking at the real this one for longer term view as well. We're getting the DLLs for a longer-term view and everyone's working remotely.
Garrett O'Hara: [00:30:46] Yeah, that's phenomenal. I actually loved that you're, I think that was part of your commentary in the article that I read about the end user behavior analysis. And I hadn't actually thought about, like, how many patterns would break, and you know with all the infection with COVID. I'm guessing there was a lot of dashboards around the world just lining up with, you know, impossible travelers and weird work hours and all sorts of all sorts of stuff.
Sunil Saale: [00:31:10] And even the IP based alerting as well, for example, all the IP from our lab shifted to VPN IP, VPN IPs, because that there again, our alerting was completely off. Because we get all these alerts from VPN IPs, and we're thinking of, we've got so many users for VPN. And that's, that's normally in COVID. Right? Whereas pre-COVID it is only a few users we expect.
Garrett O'Hara: [00:31:35] Yeah, I get you. And you know, we've talked a lot about the technology side of things, but like end users security awareness stuff, behavior change pieces, you know, something that for most organizations now has just become critical, because it's your point, no people are sitting at home. Yes, they've got endpoints and a variety of kind of protections in place. But also, there's just there's massive uptake in terms of volume and sophistication of phishing emails, and, you know, website lures and all of that stuff. What, like, has stuff changed for you in terms of how you've approached that? Or like, What's COVID meant for you in terms of the end user security awareness training?
Sunil Saale: [00:32:10] Yeah, at Minters we have a heavy focus on end user training. For example, they've got monthly newsletters, and we have annual security week, we also do monthly phishing emails. With COVID we, we use the same platform Mimecast, but also, we started changing the flavors of topics. So, we started focusing more on COVID-based scams. The recent one we are running is donations, right? For recovering from COVID, or families impacted by COVID. Then all these scam donations happening online. So, we modified our awareness just to make, make our staff, our staff aware of those things, and phishing emails as well, we ran a few COVID-based themes, COVID theme-based phishing. And there were some interesting results in there. But it adds on to the user education. Then we also in our newsletters, we spoke about, you know, public Wi-Fi, issues with shared Wi-Fi, and keeping their laptops and mobile devices up to date. So, all those things when if they are in office, we send our teams emails, and we tell them keep laptops on, we're pushing out a particular update, or now update your mobile phones. And people are working remotely at different times of the day, it's, it becomes very difficult to get their attention and to tell them or keep your laptop on during this time. And you have to be connected to VPN.
So, we have to change the change, using awareness up the topic slightly. But yeah, but overall, I think we, I don't think we could have carried on the old topics even during COVID. We had to modify. And we could see the trends in our Mimecast portal. The number of spam emails, they just shot up during COVID and post COVID. We saw almost I think four to five percent increase in the blocked emails.
Garrett O'Hara: [00:34:06] Yeah, it was, it was, it was quite incredible and looked at was their sales, Recorded Future, there was a few organizations where they were looking at the just the data in terms of volume and things like Corona, or COVID related domains that were spun up that were definitely and obviously malicious, and then a number of spam messages, phishing messages, COVID related lures was just, it was amazing.
One of the things I really liked your commentary on was the use of real examples. And I think that's something that is so insightful. And I know we talked about this prerecording, but you know that that is good to get cut through. Like has that been your experience?
Sunil Saale: [00:34:48] Yeah, absolutely. And so, what we do is be referred to watch this spot online, and also run a search on the internet for real phishing emails, then put that into test in our phishing simulations every month. And that sort of gives us an understanding of if it was not a phishing simulation, we could have had this many people actually click on that. It could be a ransomware. It could be anything. So, it gives us a real feel of, you know, how resilient are we? And what's the user, you know, user awareness levels.
Garrett O'Hara: [00:35:22] Yeah. Which is just so critical. And the phrase human firewall gets, you know, kind of thrown around a lot. But you know, it really is that right? I mean, if they, if you if you don't have users that are bought into it, you know, the importance of security?
Sunil Saale: [00:35:34] Yes.
Garrett O'Hara: [00:35:35] Like, it's Yeah, it's all for naught.
Sunil Saale: [00:35:38] And working remotely also adds on to the pressure that everyone's dealing with. So, they get this email, and they just want to get through it there. So, it's just that one microsecond, dip their attention to that one microsecond and don't click on it.
Garrett O'Hara: [00:35:52] Yup. Yeah, and that sort of distraction that happens when you're working from home? You know, everyone's been talking about that, you know, pets and partners, and school runs and all that sort of stuff. Yeah, it is definitely huge. I'm very conscious of time here. And I really wanted to finish with one question, which is probably another kind of big one. And it's really what's the what's been your biggest learning? Like, what's your biggest takeaway from kind of working through this kind of COVID transition?
Sunil Saale: [00:36:21] Probably the first one, our biggest learning is that is embracing uncertainty. So the strategy week, we no longer plan for three or four year strategy as such, it's more, it can be a certain weekend, doesn't matter what strategy or, you know, what the what sort of a longer term plan we have, we have to be... that has to take into factor all the uncertainty or any scenario that could happen. And the focus would be on continuity of services. If we have, I don't know, COVID-like situation, remote working, or flood, or anything else, we have to have the focus on continuity of services. So that is the biggest learning for us. Probably the other learning was, was getting... when you look at solutions or technology platforms, ensuring that that platform coexists with other platforms and plays nice with other platforms. So, some of the solutions that we had were just very, very bespoke. And it only, it only was in its own bubble. And when we, when we have COVID-like situation, when it is working remotely, we get all these 20,000 alerts. We want to make sure that, you know, we spend less time in sort of removing the false alerts.
So, we are looking at solutions where it can integrate with other existing solutions and reduce the amount of time it takes for our team in terms of incident response. Because incidents, it's not a question of if it will happen, it is when it when is it going to happen and what's the damage? Right. So, all the solutions that we've covered, the biggest learning for us is to focus on continuity. And, again, the technology that we have been putting in it has to coexist and work nice with other solutions.
Garrett O'Hara: [00:38:06] Yeah, I get you. I've sort of done a little bit of research into the, I don't know what you call it, the problem of the false positive in, you know, security teams where I think, and forgive me because I'm pulling stuff from about a year ago, but it was something like two thirds of the alerts in the average SOC were false positives. And the average time spent, depending was somewhere around, totally gets me here, but I think was around eight or nine minutes. But it's a huge, huge amount of time for an average security analyst to spend chasing stuff that actually isn't really anything that needs investigation.
Sunil Saale: [00:38:42] And that's sort of the times we live in, we can't really discount any false positives, as soon as we get alert, for example we got an alert probably about a month ago where a partner was working on his laptop and they saw the mouse move on its own. When they saw the cursor move on its own, they shut down the laptop and they said that the cursor is moving on its own. And we shared the IR straight up and within about an hour, the laptop was off the network and we initiated an IR and we couldn't see anything malicious with the laptop. And we did some more investigations and everything and there's no malicious activities at all. Then we found out because it was not a Bluetooth dongle, it was paired to another.
But it's the times we live in right. We can't take anything lightly. It's just that we are all hyper vigilant. And if you can't take anything lightly, it's just not the time. So, we ended up reimaging the laptop and you know the partner didn't have a laptop for three days. We gave him a spare laptop and said sorry we just can't take chances [laughing].
Garrett O'Hara: [00:39:48] Yeah, but there's so much good in that story apart from it's you know, it's obviously sort of funny but the fact that they were diligent enough to notice it and report it immediately and like shut down their laptop that that to me, as a security practitioner that must make you feel a little bit less stressed because you've got people out there who are that switched on and that reactive to something that could be, I mean when you think about it, that could be a pretty big deal if it was compromised machine.
Sunil Saale: [00:40:12] Yeah. Absolutely, yep, yep.
And that's part of the false positives. In many cases it's a, it is a nuisance, but we can't really block it out completely. And it's, every time we close a false positive, we have to stop in the back of mind saying, is it really a false positive?
Garrett O'Hara: [00:40:30] Yeah, and I think you've kind of said it already, like the fidelity of the signal for security analysts, has just become, I suppose so, yeah, so important, you know, where that those feeds, the telemetry is coming from. And the quality of that signal, you know, if you've got platforms that are generating false positives, like that's not a really great thing to be experiencing.
Sunil Saale: [00:40:53] And one of the things we are working on [inaudible 00:40:55] to the fidelity of alerts as well is that we are looking at, at the coverage, security solutions coverage and their effectiveness. For example, we've got so many security platforms. And we want to make sure that we cover every platform, because every SPC right, when we roll out new laptops and new servers, we don't want to have any blind spots. So that's where as soon as we have a blind spot, we might miss an alert. We might miss, we might miss that particular mark in that particular server or workstation.
So, as we had, so we are looking at this platform to add more coverage in terms of security blind spots. So that also adds us another source to enrich all the alerts we get. So if we get a lot from an endpoint, we run a direct look up into this this platform and see, is it covered from other security solutions? And if it is coming from other securities, what are the signals from those solutions. And if it's not covered, then we have a bigger problem there. That's a blind spot.
Garrett O'Hara: [00:41:54] Yeah.
Yeah, so much to do there. So much to do. So, we have well and truly run over, Sunil. But I've really enjoyed the conversation. So, it was an absolute pleasure to talk to you. And to be on panels with you. I don't know when we'll get to do that again, hopefully sometime soon. But I'm, yeah, just really wanted to thank you for your insights. And thank you for your time. It's been an absolute pleasure.
Sunil Saale: [00:42:17] No, no. Thank you. Thank you for the opportunity. It's pretty exciting to be doing a podcast the first time doing it as well. So, um.
Garrett O'Hara: [00:42:23] I think you're a natural so yeah, it's definitely, it's been awesome. So, thank you so much Sunil.
Sunil Saale: [00:42:29] No, no. Thank you.
Garrett O'Hara: [00:42:38] Big thanks again to Sunil for the conversation. I really do always enjoy chatting to him. As always, thank you for listening to the Get Cyber Resilient Podcast. We have a back catalogue of episodes, so please do have a listen to those. For now. I look forward to catching you on the next episode.