When the Federal Government introduced the Secure Internet Gateway (SIG) program in 2010, it was a great leap forward in cyber security. The program allowed agencies to easily assess and procure a range of ASD accredited SIG packages, with the ASD’s ‘stamp of approval’ providing assurance that the solution was robust and up to all applicable standards.
But the situation since has greatly changed. The DTA noted in 2019 that the program had “fallen into decline” and that “The current lead agency policy does not align well with agency needs, and inhibits market contestability”.
Worse still, SIGs have been unable to prevent major cyber attacks, including two in Parliament House (with the most recent in March 2021). It’s hardly surprising, as much SIG service provision has ceased to be about preventing cyber attacks and has become a “tick-box” exercise, lacking innovation. This is a fatal trait when considering the Advanced Persistent Threats (APTs) increasingly posed by highly-innovative state-based actors.
In addition, SIGs are generally far too costly, absorbing significant portions of agency cyber budgets that could be spent on more innovative security solutions.
Only a small part of a SIG is mandatory, which is centered on the Firewall components and DDOS Measures. Beyond this, some discerning judgement on cyber security choices is needed for best practice in the context of any individual agency.
The dangers of ‘big SIG’ packages
Big SIGs generate enormous logs that can become resource-intensive and difficult to manage. Many of these big logs add little value, as smaller, more targeted logs allow Cyber Ops teams to be more agile and responsive.
The sharp increase of sophisticated cyber attacks has rendered Big SIG business models inadequate and most CISOs know a new framework is needed.
The Big SIGs could be compared to the Space Shuttle; a solution so complex that it is both unreliable and prohibitively expensive. While the Space Shuttle was an impressive solution, it was destined to be bested by Russian rockets that were simpler and more effective, accomplishing what they were designed to do, but no more.
Vault has an innovative new approach to SIG that takes its cues from the DTAs observations and learns from the errors of Big SIGs. We have thought deeply about these problems and have built what we think is a better way.
The Vault SIG is fully ASD compliant but is deliberately minimalist. Rather than attempt to package dozens of cyber solutions into a single SIG package, we have just included the ‘must-haves’ to achieve compliance, which is exactly the DTA Blueprint.
This allows CISOs and CIOs to actively design real and effective packages of cyber solutions to meet specific threat profile and context. It takes “tickboxing” out of the equation and paves the way for a deeper level of thinking about what threats an agency is likely to face. This is, we think, the only effective way to succeed against Advanced persistent Threats.
Constant revision, agility and tactical adjustment are needed to repel cyber adversaries and a fixed Big SIG is like a ‘medieval castle’ which has the walls to defend but lacks that agility to adapt as it’s fixed with little flexibility. The useful life of any cyber tool decreases with time as state actors find ways to defeat them.
Only by constantly removing underperforming tools – and replacing them with better ones – can we build an armory of cyber weaponry that can also meet budget requirements. A Big SIG takes that process of creative destruction out of the hands of the agency, which suits Big SIG providers, as a rapid turnover of tools isn’t in a vendor’s commercial interests.
Here at Vault we support our SIG clients to build their unique cyber framework “a-la-carte”, as this delivers the tactical agility needed in the fast-paced cyber environment of 2021. We don’t lock up your budgets with tools or make you buy into a Big SIG package that adds little value. Rather, we are focussed on maintaining maximum cyber choice and agility for our clients.
