As part of this goal of visibility, the company rolled out a “bring out your debt” where different parts of the business reveal exactly what systems, software and processes they had in place, even if they weren’t part of standard company operating policy. “The attack enabled Maersk to uncover how things actually operated, as opposed to how things were supposed to operate, and see the processes and the data supporting those processes that run beneath the radar,” said Powell.
“Suddenly, we understand how the whole company actually operates, where the data actually flows, and [we can] actually map and architect that. We realize what we've now got to do in terms of mitigations. We've not shot anyone, I would have liked to, but you smile and go, ‘fantastic! Let's work together on not doing that again.’ Adopt that open mentality, find out how things actually work, map those processes, and then you know where to protect.”
Identity, vulnerabilities and hybrid SOCs
Identity and access was an area Maersk decided it need to address. After working out who had access to what systems, the company reduced that number and introduced controls to manage and monitor the usage of those privileged accounts. “It is amazing how many people have got privileged access to everything in your company,” said Powell. "It's like giving them the all the keys to every single book. We immediately went after that and reduced that massively.”
As with many companies, Maersk has to tackle vulnerability management across a large and complex estate on an ongoing basis. “You can't fix all your applications. On average, a Microsoft-based application has about 120 vulnerabilities that are killers,” Powell continued. “You need to be constantly having a vulnerability system to assess that and fix that on a rolling basis. Otherwise, you're exposed.”
Thanks to the mapping of business flows, the company was able to focus its priorities, and from those 1,200 applications Banks said were critical, Maersk identified the 50 that it classes as business killers and fixed those first.
On the security operations side, Powell affirms a good hybrid SOC capability that combines on-premises with cloud-based is important. “Trust me, you need people who understand the business on prem.”
Powell is keen on validation of these changes. The company’s security posture has been audited 13 times in the last 17 months, with eight of those audits being external.
Post-cyberattack openness is important
Powell was at Capgemini at the time of the NotPetya attack and saw other organizations suffer damage. “Anybody who thinks that Maersk is the singular biggest example of what was going on is wrong. There are a lot of companies that were bigger than Maersk that were suffering, probably even worse but were not as transparent.”
Not only did being more transparent about its response and recovery progress allow Maersk to lean on partners and customers to provide the company with help it might not have otherwise received, but the company’s share price actually went up in the aftermath of the attack. Powell said that open attitude around its cybersecurity continues to pay dividends.
“Transparency is everything. Our clients at Maersk loved the fact that we told them on day one what was going on, and we included them throughout in what we were doing,” said Powell. “I'll tell you now that we've retained contracts with our customers by proving that we can look after their data better than others. It's a business winner.”