That's a wrap: AusCERT2021

Celebrating the 20th anniversary of Australia's oldest and premier cyber security conference "SOARing with Cyber"

As a not-for-profit information security group based at The University of Queensland, AusCERT delivers 24/7 service to its members alongside a range of comprehensive tools to strengthen their cyber security strategy.

AusCERT is also host to Australia’s oldest and premier annual cyber security conference.

This year, the conference was delivered in a hybrid format for the very first time and focussed on the theme of "SOARing with Cyber" - Security Orchestration, Automation, and Response.

The conference featured 3 outstanding keynotes, over 70 speakers and 30 plus sponsors. The event was delivered across 4 days (11th to 14th May, 2021) at The Star Gold Coast and virtually through the OnAIR by EventsAIR platform.

The conference was split into 2 parts: tutorials and presentations, with a Welcome Reception held on the evening of Wednesday 12th May, kindly sponsored by Tessian.

In total, the conference saw over 800 pax registrations (inclusive of all delegates, speakers, sponsors, staff, media etc.).

Onsite, AusCERT hosted over 460 pax (inclusive of all delegates, speakers, sponsors and staff) and in virtual-land, close to 300 delegates tuned in via the OnAIR platform.

A common theme throughout the week was just how much delegates enjoyed and celebrated the ability to re-connect with their network of industry peers after the circumstances faced by everyone last year.

Keynote 1:
What does a security transformation strategy look like and how can SOAR help

Left to right: Moderator Mike Holm from AusCERT, Casey Ellis from Bugcrowd, James Young from Splunk, Jess Dodson from Microsoft, Tony Kitzelmann from Airservices Australia and MC Adam Spencer


To celebrate the return of in-person events, AusCERT2021 opened on Thursday morning 13th May with a panel discussion.

Hosted by MC Adam Spencer and moderated by AusCERT Senior Manager Mike Holm, the panel included Casey Ellis (Bugcrowd), James Young (Splunk), Jess Dodson (Microsoft) and Anthony Kitzelmann (Airservices Australia).

SOAR is a broad term used to describe three software capabilities: threat and vulnerability management, security incident response and security operations automation.

Automation is currently viewed as the solution to cope with an ever-increasing number of alerts which will continue to rise as more IoT devices are deployed. Panellists warned that not adopting orchestration and automation could pose staff retention problems.

"You run the bigger risk of losing good people because they're having to deal with [rubbish] alerts day in and day out," Kitzelmann says.

Meanwhile, according to Young, "Organisations need to first understand the process behind automating a particular function."

This can involve creating a mind map of what the process may look like and then building that into an automation capability with SOAR tools.

Casey Ellis, CEO and founder of Bugcrowd, says the industry has realised it needs to shift to capability-based programs, including the use of automation for classification.

He notes, however: "There's this element of human creativity that you can never fully remove from what we're doing in our work."

Talented SOC operators and analysts are still very much needed, Dodson says. "They fill the gap by spotting things that the computers do not!"

"Your organisational knowledge, your knowledge of the infrastructure - AI and machine learning can help with that, but it can't replace you," added Dodson - "It can't replace knowledge you have about your users and your systems."

Overall, panellists agreed that to be effective, tools and the orchestration protocols need to be delivered in a consolidated system - what's left after automation are the difficult problems that require the specialised skills of analysts, making SOAR and humans the “perfect” security team.

Keynote 2:
Cyber threats: what is a normal organisation with a normal budget and other priorities to do?

Opening his afternoon keynote by referring to the recent Colonial Pipeline ransomware attack in the USA, Ciaran Martin, former NCSC UK chief and now a Professor at The University of Oxford, noted that what is currently being observed in our sector is something much more prosaic than the trope of the “winged ninja cyber monkeys”.

When he left the NCSC UK, Martin produced a simple taxonomy of cyber harms, based on observations during his tenure there.

It boiled down to 3 simple categories:

  1. Getting robbed for cash, intellectual property, or other data;
  2. Getting weakened by espionage, political interference, or pre-positioning for a later attack; and
  3. Getting hurt.

"This is the reality of cyber harms. It's not glamorous. It's not individual catastrophes. It's all sorts of nebulous, pernicious, nasty little incidents, exploiting basic weaknesses to add up to a big, big social problem."
Ciaran Martin, Founding CEO of NCSC UK

Martin’s closing message was simple: organisations must treat cyber threats as an ordinary business risk. “Hype, fear, uncertainty, doubt, that is our enemy.” His advice was to methodically build resiliency, work towards understanding the harms, and work with partners. “We can get on top of this!”

Troy Hunt, a former AusCERT keynote speaker and the AusCERT2018 Information Security Excellence winner, spoke directly after Martin's afternoon keynote and sat down for an AMA (Ask Me Anything) session with MC Adam Spencer.

In this session, Troy discussed everything from working with the FBI, to legal threats from sharing his findings on his HIBP blog, to the weirdest data breaches he’s had to deal with.

As the founder of the iconic data breach blog Have I Been Pwned (HIBP), Troy has seen it grow from a simple idea to a website that now hosts billions of pieces of data and can inform you in an instant if your personal data has been swept up in any recent malfeasance on the Internet.

Troy testified before the US Congress in 2017 about the prevalence and impact of data breaches in the USA and worldwide.

Read about Troy's congressional testimony here. The AMA session was a hit with the delegate audience.

Following the various keynotes and presentations delivered on Thursday 13th May, AusCERT hosted its annual conference Gala Dinner and Awards ceremony that evening.

Sponsored by CyberCX, it was a wonderful opportunity for delegates to come together and network in a more relaxed environment.

The entertainment component of the evening was delivered by local Brisbane band, Lagerstein - who paid a lovely homage to Rachel Tobac's infosec sea shanty.

The highlight of the Gala Dinner, however, was the annual AusCERT Awards. To mark the special 20th anniversary occasion, the team introduced a NEW award category this year - the "Diversity & Inclusion Champion."

Congratulations again to the list of winners below!

Member Organisation of the Year: Australian Taxation Office, for their tremendous work in sharing threat intelligence and phishing analysis with the AusCERT team, benefitting the entire AusCERT membership community.

Member Individual of the Year: Simon Coggins from Central Queensland University. An active member in the AusCERT membership Slack instance, Simon can be found regularly helping others with their questions about technological challenges and contributes regularly to documentation processes - all without asking for anything in return.

Individual Excellence in Information Security: Jacqui Loustau, Founder and Exec. Manager of the Australian Women in Security Network (AWSN), an open network of people aiming to grow the number of women and female-identifying professionals in the cyber security community. Kudos to Jacqui for her tireless work in building the AWSN to where it is today, a national group of close to 1000 members across Australia with linkages to a number of prominent sponsors.

(Inaugural Award) Diversity & Inclusion Champion: Phillip "Pip" Jenkinson, pictured with Jack Reis from Baidam Solutions. At AusCERT, we believe that Diversity & Inclusion champions are leaders who take responsibility for instilling a diverse and inclusive workplace culture. Pip's work at Baidam emphasises the importance of partnerships with some of Australia’s largest employers to create job opportunities and funding for cybersecurity certification training. Baidam gives a significant percentage of the company’s profits to providing pathways to employment in the IT sector for Indigenous and First Nations people. A deserving win for Pip and team Baidam!

Keynote 3: A World where 0day is Hard

On Friday morning 14th May, Maddie Stone, a lead security researcher with Google's Project Zero bug hunting team, closed the conference with her insights into 0day vulnerabilities. The term describes a software security flaw that is unknown to those who should be interested in its mitigation (including the vendor of the target software) and that doesn't have a patch in place to fix it.

The key in battling against 0day exploits, Stone says, is to raise defensive barriers and use new techniques that require exploit writers to work harder.

"0-days are a challenging problem, but I believe they're also an exciting & tractable problem!"
Maddie Stone, Google’s bug-hunting "badass"

Her advice: use memory-safe languages, write better patches and create mitigations within seven days. “This is a giant opportunity. We don't have to come up with new ways to solve this!” Certainly a thought-provoking one for software vendors.

In keeping with tradition, the conference week ended with a Speed Debate session, a crowd favourite of the program line-up!

9 panellists, 6 motions. This year's session also featured a last-minute guest visit by Kevin Mitnick, a well-known security consultant, public speaker & author. The motions discussed were as follows:

  1. “The supply chain is out of scope for my risk management process – it’s someone else’s problem!”
  2. “There is no cyber security skills gap.”  
  3. “It’s the government’s responsibility to remove webshells, kudos to the FBI.”
  4. “It’s not a ‘breach’, it’s a ‘scrape’.”
  5. “Inserting malicious code, it’s not a hack – it’s a prank, bro!”
  6. “I don’t need a SOC, I’ve got a SIEM!”

In keeping with this unique AusCERT conference tradition, Kevin was joined by a number of prominent and witty fellow infosec and cyber security professionals: Eric Pinkerton from Trustwave, Anthony Caruana from Media-Wize, Jess Dodson, Mike Holm, Casey Ellis, Troy Hunt, Colby Prior from Suncorp and Daisy Wong from Victorian Government, DPC.

We can't wait to share the recording of this session via our YouTube channel.

As we wrap up another year of the AusCERT conference, we would like to take this opportunity to thank all our colleagues, delivery partners (Orange Digital, Con-Sol, GEMS Events and Pyramid Displays), delegates, speakers and sponsors who came along to support our very first hybrid endeavour - THANK YOU from the bottom of our hearts.

The AusCERT team may be small, but our spirit is almighty and we couldn't have pulled this off without your support!

In writing this article, we would also like to thank journalists Jeremy Kirk from ISMG Corp and Stilgherrian from The Full Tilt via ZDNet for covering the AusCERT2021 conference.