Cyber security managers in local authorities have their hands full trying to ensure their organisation doesn’t become yet another headline-grabbing example of a damaging cyber-attack. It’s an uphill battle and, judging from the rapidly growing number of victims, it’s a battle many are not winning. The London Borough of Bexley provides an insight into the cyber security gaps that led it to seek a major change of strategy, and into how the team overcame these challenges and significantly raised its level of cyber security.
Local authorities across the UK face millions of cyber attacks every year. Cyber security professionals perform impressive balancing acts on a daily basis, carefully spinning the plates of time, money and risk to protect vital data and keep organisations going.
Unfortunately, maintaining cyber security for a large London Borough has limited entertainment value when the risks are so high, and there comes a point when a major change of strategy becomes unavoidable. The London Borough of Bexley reached that point and had to adopt a new approach.
The tipping point between the old and the new security regimes was the result of coinciding Cyber Essentials and PCI DSS (Payment Card Industry Data Security Standard) audit reports. From both of these it became clear that there were gaps in areas such as intrusion detection and log management.
It was also recognised that what was being undertaken at the time wasn’t good enough and that a new system was required. However, budget restrictions, the availability of in-house skills and the time needed to set up and run a SOC tool all created challenges.
The London Borough of Bexley relied on a Security Information and Event Management (SIEM) tool to manage security; this was initially purchased for compliance and used for vulnerability scanning. The SIEM tool was particularly weak around log and event management, and difficulties with initial configuration and day-to-day use meant that it wasn’t producing the data that Bexley needed and was not being updated.
In fact the challenges faced were significant even for someone with considerable skills in cyber security. The Borough needed something that dealt with the logs in a better way, as the tool at the time was just forwarding raw data and it was difficult to understand what was going on.
There was no real visibility and the logs were not helping; a tool was needed to produce better logs and alert our team to anything that was high priority.
Our team was getting flooded with alerts and it got to the point where the old product wasn’t being used. Although our team would dip into it every now and again, they would be staring at a screen with lots of logs that were pretty much meaningless, and it was very difficult to drill down into those logs and find anything of any use. So the only benefit of having the SIEM tool was being able to put a tick in the ‘have you got a SIEM tool?’ box!
We always considered that responsibility for managing cyber security should be owned by the authority, and as such it was never outsourced. However, there comes a point when a major change of strategy becomes unavoidable. We therefore selected a comprehensive, best-in-breed managed cyber security service from Hytec. The service addresses the very particular set of issues faced by local authorities; it significantly enhances the protection of systems and data, helps achieve compliance requirements and ensures appropriate security mechanisms are in place.
Our partnership approach to cyber security has significantly raised levels of cyber security, and this has proved invaluable.
Bexley’s managed security service from Hytec is made up of five core areas: activity detection; threat intelligence; protective monitoring; asset identification and management; and vulnerability scanning.
Our service partner manages the entire council network and now has access to the same “single pane” one-window view of the security posture of the entire estate.
Both our service partner and our internal team also have the same view of the infrastructure and this has improved reporting and strengthened the working relationship.
The implementation process was very smooth and straightforward. We just fired up a couple of virtual servers and Hytec did the configuration work; it was pretty much dealt with, then it was working and we were receiving information and filtered alerts about events that we never knew were happening.
It did not take long before a high priority alert came through from the Hytec team. Essentially, we were aware of an external-facing service that was in place, had minimal use and would be phased out at some stage. But we had no visibility of how often it was getting attacked or how vulnerable it was. The alarms that started coming through quickly made it clear to us that the risk to the organisation was far higher than we realised. It gave me the knowledge I needed to take the business decision to shut the service down immediately, which potentially saved us from a compromise.
Today new security protocols are being introduced, facilitated by the Hytec service, with compliance giving more impetus to some areas than others. File integrity monitoring is the latest service to be implemented. Initially it looked like a bit of a minefield and the team thought it was going to be really difficult to implement. It turned out not to be too difficult, as our managed cyber security service sent the logs and the output needed and made it really easy for the team.
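To show what a file integrity monitoring cycle actually involves, here is an added example (not Hytec's or Bexley's code): take a baseline of content hashes and permissions, rescan after a change, and report what was added, removed or modified. The directory layout, file contents and the "post-compromise" edits are constructed inside a temporary directory so it runs offline; the ignore list for volatile files is an assumption, not a setting from the service.

```python
"""Minimal file integrity monitoring (FIM) cycle: baseline, rescan, diff.

Added example; not Hytec's or Bexley's code. Paths and file contents are
constructed inline in a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed ignore list: files a FIM agent would normally exclude because they
# change by design and would otherwise drown real changes in noise.
IGNORE_SUFFIXES = (".log", ".tmp")


def _fingerprint(path: Path) -> dict:
    """Hash the content and record size and permission bits; a loosened
    mode is a change worth seeing even when the bytes are untouched."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode & 0o777}


def baseline(root: Path) -> dict:
    """Walk root and fingerprint every regular file not in IGNORE_SUFFIXES."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.name.endswith(IGNORE_SUFFIXES):
            snap[p.relative_to(root).as_posix()] = _fingerprint(p)
    return snap


def compare(old: dict, new: dict) -> dict:
    """Diff two snapshots; 'modified' lists which attributes changed per file."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = {}
    for name in set(old) & set(new):
        changed = [k for k in old[name] if old[name][k] != new[name][k]]
        if changed:
            modified[name] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: tamper with a config, drop a web shell, delete a binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "app.conf").chmod(0o644)
        (root / "bin" / "helper").write_bytes(b"\x7fELF...")
        (root / "bin" / "helper").chmod(0o755)
        (root / "app.log").write_text("noise\n")  # ignored on purpose
        first = baseline(root)

        # Simulated post-compromise changes.
        (root / "etc" / "app.conf").write_text("debug=true\n")  # content changed
        (root / "etc" / "app.conf").chmod(0o666)  # permissions loosened
        (root / "webshell.php").write_text("<?php system($_GET['c']); ?>")
        (root / "bin" / "helper").unlink()
        (root / "app.log").write_text("more noise\n")  # still ignored
        second = baseline(root)
        return compare(first, second)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

In practice the baseline must be stored somewhere the monitored host cannot rewrite (the managed service's own collector, in Bexley's case), otherwise an attacker who can change the file can also "re-baseline" it; and the scan should run as a scheduled job rather than once, since a single snapshot proves nothing.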
The security landscape can be a confusing and frustrating area where hidden costs can quickly escalate and IT tools often do not deliver their promised gains. However through our partnership with Hytec, our experience has been very different.
The impact has been outstanding. Through access to a complete service (people, process, technology, intelligence and compliance), we have ensured that our council's security ambitions are realised.
The service addresses the very particular set of issues faced by local authorities, and without the managed service we could have had something on the network that we would never have known about.
It has been possible to reduce the likelihood of serious security incidents to a minimum. Taking a managed security service approach has supported our in-house ICT team’s incident response procedures and informs them of the necessary corrective actions should an incident occur. Bexley has strengthened its cyber defences considerably.
We are also able to see which accounts are in use in Bexley and, at the same time, which are being used from non-UK territories. There is often a rational explanation for this, but before deployment of the managed security service Bexley had no view of it.
In a recent typical month there were some 18 million possible security events, from which about 2,000 alarms were generated, of which around six were escalated via email and other means for further investigation, keeping Bexley cyber-safe.
From this we can see the challenge of sifting the wheat from the chaff: separating the noise of everyday digital work from what warrants an investigation or urgent remedial action. The managed security service has been key to delivering that.
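The two ideas above, a login from outside the UK that usually has an innocent explanation, and the funnel from millions of events through thousands of alarms to a handful of escalations, are easier to see in code. The following is an added example, not part of the Hytec service or Bexley's tooling: a three-stage triage over constructed authentication log lines. The IP-to-country table is a stand-in for a real GeoIP lookup, the per-account "known countries" baseline, the failure threshold and the time windows are all assumptions, and the rule names are invented for illustration.

```python
"""Three-stage triage funnel: raw events -> alarms -> escalations.

Added example, not part of the Hytec service or Bexley's tooling. The log
lines, the IP-to-country lookup, the per-user baseline and the thresholds
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP lookup (prefix -> ISO country code).
GEO = {"81.2.69.": "GB", "203.0.113.": "NG", "198.51.100.": "US", "10.": "GB"}

# Constructed auth log lines: timestamp user result source_ip
RAW_EVENTS = """\
2024-03-01T08:00:01 alice success 10.0.0.5
2024-03-01T08:05:10 bob success 81.2.69.142
2024-03-01T08:07:44 carol failure 203.0.113.9
2024-03-01T08:07:50 carol failure 203.0.113.9
2024-03-01T08:07:58 carol failure 203.0.113.9
2024-03-01T08:08:05 carol success 203.0.113.9
2024-03-01T09:15:00 bob success 198.51.100.20
2024-03-01T09:30:00 dave success 198.51.100.77
2024-03-01T12:00:00 alice success 10.0.0.5
"""

# Constructed baseline: countries each account has legitimately used before.
# dave travels to the US for work, so a US login for dave has a rational explanation.
KNOWN_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}, "dave": {"GB", "US"}}

HOME = "GB"                          # assumed home territory
FAIL_THRESHOLD = 3                   # assumed: failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=5)   # assumed
TRAVEL_WINDOW = timedelta(hours=2)   # assumed: two countries this close is "impossible travel"


def country_of(ip: str) -> str:
    for prefix, cc in GEO.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse(text: str) -> list:
    """Stage 1: every line is an event; nothing is judged yet."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "ip": ip, "cc": country_of(ip)})
    return events


def raise_alarms(events: list) -> list:
    """Stage 2: cheap single-event and short-window rules. Noisy by design;
    a known traveller's foreign login is still an alarm here."""
    alarms = []
    fails = defaultdict(list)
    last_success = {}
    for ev in events:
        if ev["result"] == "failure":
            fails[ev["user"]].append(ev["ts"])
            continue
        recent = [t for t in fails[ev["user"]] if ev["ts"] - t <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alarms.append({**ev, "rule": "success_after_failures", "detail": len(recent)})
        fails[ev["user"]].clear()
        if ev["cc"] != HOME:
            alarms.append({**ev, "rule": "non_uk_login"})
        prev = last_success.get(ev["user"])
        if prev and prev["cc"] != ev["cc"] and ev["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            alarms.append({**ev, "rule": "impossible_travel", "detail": (prev["cc"], ev["cc"])})
        last_success[ev["user"]] = ev
    return alarms


def escalate(alarms: list) -> dict:
    """Stage 3: keep only alarms that the per-user context cannot explain,
    collapsed to one record per account so an analyst gets one ticket, not five."""
    reasons = defaultdict(set)
    for a in alarms:
        if a["rule"] in ("impossible_travel", "success_after_failures"):
            reasons[a["user"]].add(a["rule"])
        elif a["cc"] not in KNOWN_COUNTRIES.get(a["user"], set()):
            reasons[a["user"]].add(f"new_country:{a['cc']}")
    return {u: sorted(r) for u, r in reasons.items() if r}


def triage(text: str) -> dict:
    events = parse(text)
    alarms = raise_alarms(events)
    return {"events": len(events), "alarms": len(alarms), "escalated": escalate(alarms)}


if __name__ == "__main__":
    print(triage(RAW_EVENTS))
```

On the constructed input, nine events produce five alarms and two escalations: carol (a burst of failures followed by a success from a country the account has never used) and bob (a UK login followed seventy minutes later by a US one). dave's US login raises an alarm but is not escalated because the baseline already explains it, which is the "rational explanation" case the text describes. The same shape, with far more rules and real enrichment, is what turns 18 million events into six emails.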
How is the new approach being sustained?
Through integration of workstation agent technologies, so that more and better real-time data can be obtained, and through further work on vulnerability management.
The service is a continually improving process with several modules that we are planning to bring on board. The next step is to start to integrate our firewalls to enable easier visibility from the logs produced. We’ve also started to look at the dark web monitoring capabilities which will help to identify if any Bexley credentials have started to appear on the dark web.