CPA Australia is one of the world’s largest professional accounting bodies, serving over 164,000 members. As part of the International Federation of Accounting Companies, the organisation offers Certified Practicing Accountant (CPA) qualifications to global practitioners in 20 countries. It not only provides training, technical support, and advocacy to members, but also represents the profession to governments, regulators, academia and the general public. Founded in Australia in 1886, CPA Australia boasts 19 offices across APAC and the UK.
The firm uses modern email and collaboration platforms hosted in the cloud, and has also invested in a multi-cloud strategy for back-end cloud infrastructure in a hybrid cloud setup. Given the volume of lucrative and highly regulated personal, financial, and business data the organization holds on members, Head of Information Security, Nigel Hedges, faces a series of challenges.
From the start, Nigel wanted the cybersecurity function to work as an enabler, supporting governance, risk, and compliance requirements without being a block on user productivity. This is especially important given the growing trend toward remote and flexible working practices, which has rendered traditional network perimeters and firewalls far less effective. It’s a trend that has accelerated in recent months due to the COVID-19 pandemic, reminding businesses of the importance of building “collaborative security ecosystems,” says Hedges.
“Good security is like brakes on a car. It's designed not to necessarily slow you down, but to give you the confidence to go faster,” he adds. “So that was the whole point of my strategy is putting things in there that allow the business to make good, calculated steps and move forward.”
With 15 IT staff members working on some part of the security program across projects and security operations, Hedges also wanted to automate as much as possible in order to improve security outcomes, enhance IT productivity, and build the team’s skills in threat and vulnerability analysis. With a requirement for multiple capabilities—application security testing, SIEM, vulnerability management and security orchestration—the priority was also on consolidating onto a single vendor.
“What's really, really important is that we're using, as much as possible, centralized tools, because if you have 12 tools, it's 12 skill sets, 12 different ways of using a UI, and 12 different people to deal with support,” explains Hedges.
Hedges first came across Rapid7 after proposing the idea of bringing application security testing in-house.
“We were doing an annual penetration test on our organization and getting a list of remediation activities, and then going away and fixing that. For me, that felt like a really long time to wait for finding problems,” he says. “So what I proposed was using a technology ourselves in-house where whenever we want, we can target any web application or API and scan it and I can also give the [security and development] teams access to the product.”
He chose InsightAppSec, Rapid7’s dynamic, scalable application security testing product designed to automate the process of scanning for vulnerabilities, fast-tracking fixes, and supporting compliance. InsightAppSec is designed to help integrate security earlier in the software development lifecycle (SDLC), and play nicely with CI/CD and ticketing tools developers are already used to. It worked well in supporting Hedges’ desire to drive security as an enabler for developer teams, who have now integrated it into their way of working.
“Now, I don't have to go to them and ask them to kick this off. They do it as part of their process and I get the results,” he explains. “So I see on InsightAppSec stuff that's in there and I'll get visibility of it all. I'm out of their way, they can move fast, and we don't have to spend money on third parties. It's really good.”
Incident detection and response was another major requirement for CPA Australia. Hedges wanted a tool capable of collecting and interpreting “rich security information” to provide greater visibility into threats across the IT environment, and support better decision-making. He describes effective security monitoring as “like a nervous system for finding problems… then providing automation and workflow.”
Hedges was also keen to avoid the operational problems associated with incumbent vendor McAfee, and previous experience with other solutions that required heavy hygiene and negatively impacted user productivity.
“I'd probably say 50% of the time was spent on just making sure that it was running. Which meant 50% less time for us actually sifting through the gold and finding problems,” he says.
He chose InsightIDR, Rapid7’s flagship cloud SIEM solution, which uses rich user and attacker behavior analytics, automation, and threat intelligence to detect attacks early and accelerate incident response.
The tool has already enabled CPA Australia to “significantly improve” mean time to detect and respond, reducing risk and supporting compliance requirements more effectively.
“One of the biggest values is that immediately I could see the alerts coming into Rapid7, and I was able to action them a lot quicker than the organization used to,” says Hedges. “The power of automation is that, as soon as an event happens, you have something like InsightIDR to provide that immediate action rather than waiting for four days for it to happen.”
InsightIDR has also empowered Hedges in board-level meetings, such as the bimonthly audit and risk committee, via its intuitive dashboard functionality. Dashboards have been set up at CPA Australia to provide insight into Active Directory accounts, endpoint security, gateway security, networks, privileged accounts, and VPN usage.
“A picture tells a thousand words. The note I got afterwards from the CEO is that he felt confident we had security under control,” says Hedges.
The value of InsightIDR and InsightAppSec was enhanced by CPA Australia’s investment in InsightConnect, Rapid7’s security orchestration and automation response (SOAR) solution. InsightConnect is designed to accelerate, streamline, and integrate manual security processes with little or no coding required. Hedges has used the tool to build out automated workflows leveraging InsightConnect’s prebuilt integrations with third-party platforms, including CrowdStrike (endpoint protection), Okta (identity and access management), firewalls, and ServiceNow.
Going forward, Hedges plans to leverage the Insight Agent for both InsightIDR and InsightVM, Rapid7’s leading vulnerability risk management solution, for prioritized remediation and risk management. Deployed to 95% of the IT estate in just a few months, the shared agent will enable CPA Australia to hit the ground running.
Hedges sees this as the next piece in the puzzle for the security function, in helping to complete the circle with other teams.
“We were doing vulnerability management but no one was really looking at the results. One of the big drivers was to have a process where there’s more of a connection between IT and development teams to improve remediation,” he explains. “So that’s why InsightVM was critical. And to provide the context behind threats on our assets versus the vulnerabilities that we’re seeing on those assets.”
Once InsightVM is in place, CPA Australia will see the full benefits of consolidating multiple security capabilities onto a single Rapid7 platform. It’s not only making for more effective security, but is also helping Hedges upskill his small team quicker, so they can add value sooner.