SAI Global is a world-renowned risk management, standards, and assurance firm headquartered in Australia and employing roughly 2,600 staff around the world. Although a big part of the business is physical auditing of client businesses, it also boasts 300 developers and is one of the largest risk management software providers in the world.
Its flagship platform, SAI360, comprises environmental health and safety (EHS360), compliance (GRC) management (C360, Bwise), and digital and operational risk (DM360). The firm is currently migrating to multiple cloud platforms, including Microsoft Azure and Amazon Web Services (AWS), and runs other infrastructure on VMware in its data centres.
Given the nature of SAI Global’s business, it handles and stores highly sensitive and regulated data for clients. It’s the kind of data that could be at risk of compromise by financially motivated cyber-criminals, criminals seeking sensitive data about individuals, and potentially even nation-state actors hunting for strategically important information on specific organisations.
As CISO, Peter Macarthur-King and his team have the job of keeping such threats at bay and continually enhancing the global organisation’s IT resilience. Complicating matters for them is a perfect storm of complexity: ongoing cloud migration efforts, business-critical in-house applications to support, and employees spread across the globe.
“The globally dispersed sales and developer employees were a particular headache from a threat intelligence perspective, especially globe-trotting sales executives”, says Macarthur-King. “But so, too, was the vulnerability management solution SAI Global had been using for several years before Rapid7”.
On the recommendation of a colleague, Macarthur-King decided to look at Rapid7’s InsightIDR and InsightVM. As a leader in Gartner’s Magic Quadrant for SIEM, InsightIDR helps organisations make better and faster decisions across the incident detection and response lifecycle. Recognised as a leader in the Forrester Wave™ Vulnerability Risk Management, InsightVM automatically assesses and understands risk across an organisation’s entire infrastructure. Together, the two products proved to be the perfect combination for SAI Global.
A proof-of-concept project ran seamlessly, with the Rapid7 Insight Agent deployed rapidly across 300 servers. With that, Macarthur-King decided to scale up and deploy the Insight Agent to every PC and server in the organisation.
“In what felt like almost overnight, it was across our entire organisation. I think within a month, we'd gone from zero to the best part of 4,000 assets,” he explains. “The rapid deployment and scalability of the solutions was second to none, not to mention the capabilities it now provided us.”
The first thing Macarthur-King discovered with InsightVM was that he had broader visibility into his environment, and that the way the system identified risk and brought it into clear focus was more effective than simply counting common vulnerabilities and exposures.
“In general, the vulnerability status is significantly reduced when compared to where we were when we started this exercise, around 11 months ago. So, I'm really pleased about it,” says Macarthur-King.
Even better, the product is easily managed by a small team, and the visibility it has provided via the Top 25 Remediations Reports has enabled Macarthur-King to improve accountability, ensuring siloed teams take responsibility for patching and remediation.
“Allowing the product teams to take ownership of their own apps has created a security culture within the organisation,” he reveals. “And so, we're getting the product teams to now follow through to resolve the problems. They can now work with the systems guys to get patching or updates done. And that's been working really well.”
On the InsightIDR side, SAI Global has been able to generate “amazing amounts of information” every day to keep the organisation safer, says Macarthur-King. These range from ensuring passwords aren’t compromised by an unauthorised third party to picking up malicious Covid-19-themed emails, for example.
During the coronavirus pandemic, SAI Global, like many organisations, was forced to support home working for all staff, putting extra pressure on the security team. But InsightIDR has helped reduce risk by analysing the behaviours of users connecting with and without the VPN and providing transparency into Office 365 connections.
Beyond this, InsightIDR has helped Macarthur-King to “democratise” responsibility for security out to the wider organisation.
“This allows us now to make it not just my or my team's responsibility, but a global organisational responsibility,” he adds. “I'm now able to provide information and clear reports to distributed teams, which allows me to maintain the momentum of improving security awareness across diverse divisions, and the product has made this possible if not easy.”
“Rapid7 makes it extremely clear where you stand. So, if I'm telling a peer what they will get out of the product suite, it would be that it has sufficient information, presented in an extremely clear manner which shows them that there’s an issue and that action needs to be taken.”