Using technology to keep intruders out and data safe
How one CISO is helping rebuild a company that lost billions due to a malicious insider
Noble Group CISO Shane Read has spent the past five years helping his company recover from a cyber security incident that had an enormous impact on the business.
A rogue insider wiped billions off the company’s value in 2015 through unauthorised exfiltration of data from the company. The share price of what was once a 5,000-strong company collapsed and the company’s value dropped from $12 billion to around $300 million.
“Sadly, the reason I joined Noble was following this event,” he says. “We were taken out by a former employee who used internal documents to then short sell to market. He augmented the data, we collapsed and we've been trying to repair ourselves since then.”
Read has been central to this process. He’s drawn on his 20 years of public and private sector cyber security experience to help Asia-based commodities trading firm Noble create a fresh approach to its technology defences. In many ways, the repair work that Read has undertaken on behalf of the C-suite team at Noble means he’s very much a modern cyber security leader.
“A new-world CISO is a business executive that looks up and supports the management and the board,” he says. “They wanted me to come in and identify what was happening in this traditional bricks and mortar house and then establish a formal cyber security programme.”
What Read discovered on joining Noble was a company that required the establishment of a much tighter relationship between business users and their access privileges. He points in particular to use of the Active Directory, the Microsoft system that grants permissions to users to access files and data.
Read describes the Active Directory as a tree across the organisation – different branches cover different regions of the business. When he joined Noble, he took charge of a sprawling Active Directory that included 14,000 accounts and only 5,000 real users. People had left the organisation, yet their accounts on Active Directory had not been removed.
“So all of a sudden, you've got a very large tree. Inherited permissions are floating all over the tree – and some of these haven't been used in several years, but still have the original credentials that own the keys to the castle that you're actually running,” he says.
Read says an individual who holds privileged credentials on the Active Directory owns the network. The threat posed by an errant individual holding the keys to the network – as Noble discovered to its significant cost back in 2015 – is potentially huge.
“That's game over – if somebody gets into your Active Directory, you've lost. You hear about breaches where they couldn't find insiders for months or years. Sometimes that means they've taken control of very serious inherited accounts off the Active Directory,” he says.
“Whenever you work in a company, the one thing you want to control more than anything is the Active Directory – it’s the crown jewels of an organisation: if you own that, you own everything. So that's why it was a focus for me when I first started.”
Read was keen to help Noble move away from its manual approach to identity access on the Active Directory. Checking the attributes of workers meant manually sifting through thousands of records. He knew this laborious process wasn’t helping the board feel confident about its cyber security processes and decided to harden Noble’s Active Directory strategy.
That’s when Read started talking with technology specialist Alsid, which helps firms manage their Active Directory more effectively. The Alsid solution hooks into an organisation’s Active Directory and shows potential points of weakness.
“For us to go through a list of 5,000 people one by one might take weeks; it might take months,” says Read. “But now we have a tool that knows and understands the principles of these vulnerabilities. It sifts through everything and it says, ‘yes, here is a problem’.”
Rather than a traditional security tool – such as an antivirus product, which might respond to threats reactively – Read says Alsid is proactive and actively looks for potential threats. “It says, for example, ‘if someone was to compromise this environment, they would see this account and this would allow them to elevate their permissions’,” he says.
“It's a risk-reduction journey. There's a lot of unknown unknowns in cyber security. And when you install a tool like this, you have a bunch of known unknowns – you know it's there. Alsid exposes everything, so you know that there’s this potential cyber risk and that you need to reduce your exposure.”
Read says Alsid is best thought of as a tool that shows his team how an attacker would escalate and elevate any privileges they happen to gain. This exposure has let Noble’s board see how the technology is helping to reduce the risk of another incident similar to the one that hit the business five years ago.
“Alsid gives a qualitative risk assessment, not quantitative – it shows critical, high, medium, and low risks. From that, we can make the best decisions moving forward. Last year, we had a list of sleeper accounts that hadn't been touched in a long time that we could remove. And that was a quick win,” he says, before explaining how the technology boosts existing processes.
“My staff members and I are a tight-knit group, and we know who gets given privileges through our manual processes. Alsid happens automatically – our alarm goes off and tells us, for example, that somebody is trying to get themselves into a domain admin group and then we can deal with it.”
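A sketch of the sleeper-account review described above, as an added example (not code from Noble or Alsid). It assumes account records already exported from Active Directory with the standard `userAccountControl`, `lastLogonTimestamp` and `memberOf` attributes; the 180-day cutoff, the privileged-group list and the sample records are assumptions.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed privileged groups. Only direct membership is checked here;
# nested (inherited) membership needs a recursive group lookup.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}


def filetime_to_dt(ft):
    """AD timestamps are 100 ns ticks since 1601-01-01 UTC; 0 means never."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None


def group_cn(dn):
    """First RDN value of a group DN (simplified: no escaped commas)."""
    first = dn.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def find_sleepers(accounts, now, max_idle_days=180):
    """Return (severity, name, idle_days) for enabled accounts past the cutoff."""
    findings = []
    for acct in accounts:
        if acct["userAccountControl"] & ACCOUNTDISABLE:
            continue  # already disabled, so not a usable credential
        last = filetime_to_dt(acct.get("lastLogonTimestamp", 0))
        idle = None if last is None else (now - last).days
        if idle is not None and idle <= max_idle_days:
            continue  # recently used
        groups = {group_cn(dn) for dn in acct.get("memberOf", [])}
        severity = "critical" if groups & PRIVILEGED else "medium"
        findings.append((severity, acct["sAMAccountName"], idle))
    # Privileged sleepers first, then longest idle; never-used accounts last.
    return sorted(findings, key=lambda f: (f[0] != "critical", -(f[2] or 0)))

NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
DA = "CN=Domain Admins,CN=Users,DC=example,DC=test"

def sample(name, uac, idle_days, groups=()):
    """Build one constructed record (not real data) idle for idle_days."""
    ts = 0 if idle_days is None else int(
        (NOW - timedelta(days=idle_days) - FILETIME_EPOCH).total_seconds()) * 10**7
    return {"sAMAccountName": name, "userAccountControl": uac,
            "lastLogonTimestamp": ts, "memberOf": list(groups)}

SAMPLE = [sample("jdoe", 0x200, 3, [DA]), sample("svc_backup", 0x200, 900, [DA]),
          sample("old_contractor", 0x200, 400), sample("leaver01", 0x202, 1000, [DA]),
          sample("never_used", 0x200, None)]
```

By default `lastLogonTimestamp` can lag the true last logon by up to about 14 days, so the idle cutoff should sit well above that.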
Noble learnt its lessons about cyber security and data access in the hardest way possible. But through Read’s leadership, the company is now working to establish proactive governance around who can access data and when. It’s a lesson that other digital leaders could do well to heed.
Evidence from the recent annual CIO survey from recruiter Harvey Nash and consultant KPMG shows that more than four in ten (41%) IT leaders have experienced security incidents in the past 12 months. Read encourages other digital leaders to pay close attention to how their IT defences are set up.
“The reason why companies are compromised is because of configuration issues. Organisations get breached – and then, when you go back into the wrap up, it always comes down to these misconfigurations,” he says.