Vicky Briant of the Australian Defence Signals Directorate receiving the award with White House Cyber Coordinator Howard Schmidt and SANS Director of Research Alan Paller, at the National Cybersecurity Innovation Conference in Washington, DC.
Washington DC, October 24, 2011
The SANS Institute announced today that the Australian Defence Signals Directorate has won the 2011 U.S. National Cybersecurity Innovation Award for its ground-breaking innovation in finding and implementing the four key security controls that stop the spread of infection from targeted intrusions.
With limited budgets and shortages of skilled people, senior executives are asking, "What do we need to do to protect our systems, and how much is enough?" Most answers they get are unhelpful, consisting of thick books of ill-defined controls that require far more money and time to implement than organizations can spend. A team at the Australian Defence Signals Directorate (DSD), led by Steve Mcleod and Chris Brookes, took on the task of studying all known targeted intrusions against government systems - both civilian and military - and determining what would have stopped the infections from spreading. They found that 35 controls would be valuable, but that four specific controls, alone, are the only ones that must be implemented across all Cabinet-level organizations if they are to have any hope of defending their systems against targeted intrusions The Australian DSD recognized that once those four have been implemented, additional risk reduction may be gained using additional controls, but those four must be done first. The National Cybersecurity Innovation Award for effective security management goes to DSD for showing the way and to Dr Ian Watt, in particular, for his extraordinary leadership as Australian Secretary of Defence, in advocating that all Cabinet agencies in Australia should implement the four controls (nicknamed the "sweet spot") and making sure they are doing it. The Australian Defence Signals Directorate supported the program first by identifying the 35 key mitigations for targeted intrusions and defining four of those as the ones that had to be implemented first before even considering the other thirty-one. They also developed and posted detailed explanations of the mitigations and provided expert support for the agencies as they systematically implemented all four key mitigations. In the agencies that have completed the task, the spread of targeted attacks is no longer a significant problem. Although these controls will not stop the most sophisticated attackers, they do stop the targeted attackers with medium and low sophistication, the ones that cause the greatest amount of information loss.
The cost of implementing these four controls is a tiny fraction of the cost of implementing the average U.S. federal government agency cybersecurity program. Since the impact of this low-cost approach is much better security than what U.S. agencies are experiencing, the Australian innovation changes the game.
The four controls as well as the remaining 31 and valuable supporting guidance are all posted at http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
The National Cybersecurity Innovation Awards recognize developments undertaken by companies and government agencies that have developed and deployed innovative processes or technologies that (1) is innovative in that it has not been deployed effectively before, (2) can show a significant impact on reducing cyber risk, (3) can be scaled quickly to serve large numbers of people, and (4) should be adopted quickly by many other organizations. Nominators for the include most of the senior government officials involved with cybersecurity as well as those from the major Cybersecurity Information Sharing and Analysis Centers (ISACs). Corporations and individuals, including SANS instructors also nominated innovations. Each nomination was tested by SANS research department against the criteria; those that met *all* four were recognized. More than 50 nominations were received; 14 were selected.
Established in 1989 as a cooperative research and education organization, SANS' programs reach more than 400,000 security professionals, auditors, system administrators, and network administrators who share the lessons they are learning and jointly find solutions to the challenges they face. At the heart of SANS are the many security practitioners in government agencies, corporations and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community. (www.sans.org)