Database Consultants Australia (DCA) provides a wide range of services: from parking management software to loyalty programmes to lead generation and more. The theme of these is the same: a significant amount of data flows through the organisation.
DCA handles millions of records every month, which means DCA needs to proactively protect that data against potential Threat Actors.
DCA takes security seriously. To offer their customers the best protection, DCA’s approach is proactive rather than reactive.
As their business expanded, it wasn’t enough to have the capacity to respond to issues. By then, it might be too late. Rather, DCA needed visibility over potential entry points into their system before Threat Actors found them. That way, they could fix potential problems before they turned into breaches, rather than wait for them to be exploited.
Triskele Labs implemented its ISO 27001-certified Security Operations Centre (SOC) for DCA. This is a 24x7, 365-days-a-year service that monitors the entire organisation and flags potential security breaches.
“It’s not like your anti-virus software,” said DCA Director Steve Toal. “It’s behaviour-based.”
The difference is that anti-virus software looks for known viruses. It’s reactive. The SOC is proactive. Rather than scan for breaches, the SOC scans for behaviours outside the baseline of normal behaviour that may indicate a breach or a potential breach. This is a critical difference because sophisticated attackers figure out ways around traditional endpoint security solutions. For an organisation the size of DCA, antivirus software alone isn’t sufficient, because DCA is such a significant target.
The SOC works by establishing a baseline of normal behaviour, such as which accounts typically log into which machines. From there, the SOC flags any behaviour that falls outside of the baseline - such as an admin account logging in to a machine it has never logged into before.
The SOC then triages behaviours and escalates things to the DCA team as needed. It’s similar to systems that banks use to monitor credit cards. If a banking customer goes on holiday and swipes their card in a foreign country, they are likely to get a confirmation phone call from their bank to make sure it’s a legitimate transaction. The SOC follows a similar protocol: identifying the baseline, then investigating behaviour outside of that baseline.
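As an added illustration (not DCA’s or Triskele Labs’ code), the following is a minimal version of the account-to-host baseline described above, run over constructed sample logon records; the log format, account names and the list of admin accounts are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample logon records (not real DCA data): "<timestamp> user=<account> host=<machine> src=<ip>".
BASELINE_LOGS = [
    "2024-05-01T08:02:11 user=alice host=ws-12 src=10.0.0.5",
    "2024-05-01T08:05:40 user=bob host=ws-07 src=10.0.0.9",
    "2024-05-01T09:15:02 user=svc-backup host=db-01 src=10.0.1.3",
    "2024-05-02T18:30:10 user=admin-jo host=dc-01 src=10.0.2.2",
]
NEW_LOGS = [
    "2024-05-03T08:00:14 user=alice host=ws-12 src=10.0.0.5",     # already in baseline
    "2024-05-03T02:11:45 user=admin-jo host=db-01 src=10.0.2.2",  # admin on a never-seen host
    "2024-05-03T10:20:33 user=bob host=ws-12 src=10.0.0.9",       # ordinary user on a new host
]
ADMIN_ACCOUNTS = {"admin-jo"}  # assumed set of privileged accounts

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) src=(?P<src>\S+)$")

def parse(line):
    """Parse one record; raise on malformed input rather than silently skipping it."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()

def build_baseline(lines):
    """Learn which hosts each account has been observed logging into."""
    baseline = defaultdict(set)
    for rec in map(parse, lines):
        baseline[rec["user"]].add(rec["host"])
    return baseline

def triage(lines, baseline, admin_accounts):
    """Flag logons outside the baseline: privileged accounts on new hosts escalate, others go to review."""
    alerts = []
    for rec in map(parse, lines):
        if rec["host"] in baseline.get(rec["user"], set()):
            continue  # matches established behaviour: no alert
        severity = "escalate" if rec["user"] in admin_accounts else "review"
        alerts.append({"user": rec["user"], "host": rec["host"], "ts": rec["ts"], "severity": severity})
    return alerts

def confirm_benign(baseline, user, host):
    """Fold an event the DCA team confirmed as legitimate into the baseline so it stops alerting."""
    baseline[user].add(host)
    return baseline

if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for alert in triage(NEW_LOGS, base, ADMIN_ACCOUNTS):
        print(alert)
```

Confirming a benign event with `confirm_benign` is how the false positives mentioned below fall away over time: the baseline grows to cover legitimate but previously unseen activity.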
“There were lots of false positives in the beginning,” Steve said, “but this showed how powerful the service was - it was reassuring.”
Over time, the number of false positives reduced as the SOC figured out the baseline behaviour.
The SOC provides a level of visibility that was not possible before. Now, DCA can see and respond to potential weaknesses in their system before Threat Actors find them.
“99.9% of it is benign - like a network administrator logging in from a different location because they’re on holiday. But these events deserve investigation.”
By triaging and informing the DCA team about events outside of the baseline level of activity, Triskele Labs has effectively created a “moat” for DCA. Now, they can stay on top of their network in a way that wasn’t previously possible - by knowing about, investigating, and potentially responding to every irregular behaviour.
The key benefit of this approach is that it depends on a baseline of behaviour that is specific to DCA. This specificity means it is very difficult - if not impossible - for Threat Actors to know and mimic. The constant monitoring relative to a baseline gives the high level of security that an organisation with a footprint like DCA’s needs.
Need incident response or Cyber Security advice? Reach out to understand why we are the only Cyber Security experts you'll ever need to talk to.