Shared SIEM helps 3 UK local governments avoid outsourcing security

Local governments can find cybersecurity challenging. Without the scale and resources of central government, they can often be left vulnerable to attackers. In recent years towns and cities across the U.S. and Europe have been hit by attacks such as ransomware that have brought services down.

While it can provide a level of scale and technical sophistication harder to achieve alone, outsourcing can be costly and introduce a new risk vector into your organization, as recently seen with the attack on Wipro and other providers that lead to some customers being targeted for gift card scams.

Via a partnership, three UK councils recently standardized on one security information and event management (SIEM) tool to lower costs, improve efficiency and compliance efforts, and foster collaboration among the three authorities.

Orbis swaps outsourcing for combined resources

Orbis is a partnership of three local councils in the southeast of England: Surrey County, East Sussex County and Brighton and Hove City Councils. Originally started as a procurement sharing arrangement between East Sussex and Surrey County Councils in 2012, today Orbis provides backend services including IT, finance, procurement and human resources to local schools, healthcare providers, town councils, blue light services and non-profits across the areas it serves and is the largest local government shared service partnership of its kind in the UK. The goal is to share resources and deliver efficiencies at scale around people and technology without the need to rely on outsourcing and therefore keep the spending of public money to a minimum.

As well as helping to secure its own 2,000 staff and the 20,000-plus service users across more than 550 sites, the Orbis security team is also tasked with securing data on the three council’s combined population of almost 2 million people. “We secure all of the councils’ data,” says Morgan Rees, technical delivery manager at Orbis. “Being local authorities, we deal with a broad range of business and hold sensitive personal data on a lot of the residents to be able to deliver those services.”

“Both the network and security team are a shared resource across the Orbis partnership,” says Rees, “so having a centralized and single tool that gives us visibility across our entire IT infrastructure allows for prompt action if any issues get flagged.”

Although Orbis doesn’t have a dedicated CISO, its CIO,  Matthew Scott, has been listed on IDG UK’s CIO 100 list for both 2017 and 2018. The partnership has an IT team of around 375 and around a dozen people working in security across the three councils who are regularly combatting phishing attacks, “bogus boss” scams and ransomware attempts. While Rees says Orbis is constantly concerned about the threat of nation-state attacks, they are rare against local governments. The team is also tasked with ensuring compliance with regulations around Public Services Network (PSN), the National Health Service (NHS) and GDPR.

“The same as most other organizations, we want to minimize security breaches and make sure that the data that we’re holding is secured from malicious attack or accidental user error,” says Rees. “Those tend to be the more common issues we see.”

One example where Orbis proved useful was during the WannaCry ransomware scare. “Working closely with the NHS, there were concerns that the WannaCry outbreak they suffered would spread into the councils’ infrastructure, too. We used Splunk to closely monitor for any signs of infection,” says Rees.

Measured consolidation rather than rip-and-replace

As it is a partnership among the three councils and not an official legal entity, Orbis faces its own challenges in that each council and its data must remain separate, even if backend operations are unified.  “As a partnership, Orbis can’t actually own anything,” says Rees. “Everything has to be owned by one of the local authorities.”

Having such diverged and disparate infrastructures mean it can be hard for the security and networking teams to obtain an overarching view of what’s going on. To help with this, Orbis recently underwent a standardization project to deploy Splunk Enterprise as its SIEM tool across the three authorities.

“We’ve never went in with the philosophy that we were just going to strip everything out and replace it and standardize all those things,” explains Rees. “That’s not efficient, that’s not cost effective, and that wouldn’t be good for public finances. But when items come up with for renewal, we look at which technology serves the best purpose in the partnership then standardize on that. Splunk was deemed to be a very good tool; it seemed to work very well and meet requirements.”

Surrey originally started as a Novell house, but after moving to a Microsoft environment the council decided to switch to Splunk to go with that environment. As SIEM contracts at the other two authorities came to an end, the decision was made to standardize on Splunk.

“Some suppliers get it, some don’t, and they’ll only deal directly with the specific legal entity,” says Rees. “Spunk have allowed us to share that license between the three organizations, and that ability to understand the partnership and understand how we work has really benefited.”

A shared SIEM allows Orbis to retain separate data ownership but present a single operational view across all its environments. “We can actually get that visibility across all three organizations without being a legal entity. They’ve allowed us to have a single search head that allows us to look across all three organizations; each organization has its data but then they have a common view across the top.”

Standardization has also helped drive deeper collaboration within the Orbis partnership, sharing machine data and associated insights with multiple departments to speed up escalations and address the root cause of any issues.

Benefits beyond an SIEM

As well as being used as an SIEM tool, the shared solution is used for operational and service elements for fault diagnosis across IT services, which has a multiplying effect as there are more eyes watching glass. “It’s got bigger benefits than just the SIEM piece. A lot of SIEM tools can sit there and just be the black box in the corner; unless it has some benefit nobody ever touches it,” says Rees.

“Whereas using it as an operational tool, people are in there looking at this and then they see alerts in there instead of just an alert arriving in their mailbox. They respond to them quickly and as it’s a tool that people use and are familiar with, they know it and can work with it quickly.”

Standardization has also helped Orbis’s compliance efforts, as collection, search, alerts and reporting of logs and machine data has all been automated, which makes it easier to build a full audit trail.

Though he says measurable outcomes are difficult to provide, Rees says Orbis is very pleased with the tool. “It works well. It does what it says on the tin.”