Steve Rivers, International Technical Director, ThreatQuotient, discusses how government organisations can strengthen their cyber defences with the right tools and threat intelligence.
2019 saw a significant rise in ransomware attacks on public sector targets, and specifically on local government departments. In response, the Home Office has published a series of recommendations for cybersecurity teams to apply to relevant threats. These guides cover threat intelligence, threat hunting, and digital risk and intelligence, and derive from a series of conversations with stakeholders in government and industry about their current capabilities. One of these guides recommends using a security operations centre to reduce risk, along with investing in the development of the people involved in the effort and ensuring that essential data is visible. But as the rate of attack increases and government cyber defences are, unfortunately, still struggling to keep pace, it is important to explore the key challenges more thoroughly.
One of the most significant risk areas identified across the public sector is internal resources: people, technology and funding. These resource limitations mean that government departments do not have the capability to combat the current threat environment. Unfortunately, the prospect of significant hiring to make up this shortfall is bleak, given a widening skills gap. Government IT and security teams are doing their best to establish situational awareness by combining raw threat feeds with existing security information and event management (SIEM) and log management tools. However, raw feeds carry little context about which indicators matter to a given organisation, so this approach fails to achieve that objective and ultimately drives up alert fatigue for already overwhelmed staff. Eliminating alert fatigue and accelerating situational awareness requires prioritised, contextually relevant, real-time threat intelligence that integrates seamlessly with existing tools and practices. A threat intelligence platform (TIP) facilitates this integration, and the result is the optimisation of limited resources.
Sensitivity to Breach
Local councils and government face the continual challenge of balancing access and transparency against protecting sensitive information. Doing this requires a level of openness that makes it impossible to prevent all intrusions. Complicating matters, most of the emphasis to date in government security has been on preventive tools, techniques and procedures. This is where government departments and local councils must shift their focus beyond prevention to include detection, response and recovery. Actionable threat intelligence, integrated with existing preventive tools via a TIP, is the best means to quickly detect, respond to and recover from a malicious intrusion.
The public sector is facing an ever-expanding threat landscape driven by two factors. First, the abundance of legacy IT provides a broad target for malicious actors due to the persistence of unpatched, unprotected and even unsupported operating systems and applications. Second, the public sector is moving to the cloud and adopting mobile and Internet of Things (IoT) devices at an accelerating rate. These technologies, whilst critical to delivering new levels of government service and constituent responsiveness, significantly increase the attack surface. Maintaining current visibility into the entire infrastructure and continually re-evaluating and reprioritising threat intelligence helps government agencies protect an expanding digital environment against a growing threat landscape.
Addressing the Sector Challenge
This is where situational awareness and response are key for the public sector in addressing the challenge. The first action necessary to address cybersecurity risk is to “increase cybersecurity threat awareness”. A robust threat intelligence platform gives government agencies the prioritisation, contextual awareness and real-time insight necessary to accelerate detection, collaborate on response and speed recovery. Fully integrating such a platform with the threat feeds and SIEM systems already in place ensures that the sector can make the most of existing resources such as staff and technology. As the threat environment continues to intensify, prioritising protection against ransomware and other disruptive cyber-attacks will be critical to keeping public sector services operational.
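The prioritisation step that the article credits to a TIP, shown as an added worked example (this is illustrative code written for this page, not ThreatQuotient's product or any real feed): two overlapping, constructed threat feeds are merged, each indicator is scored on feed confidence, recency, relevance to the organisation's priority threat types, and multi-source corroboration, and only high-scoring indicators are matched against a few constructed proxy log lines. The scoring weights, the threshold of 50 and the log format are assumptions chosen for the example; all IP addresses and domains are documentation/test ranges, not real indicators.

```python
"""Prioritising raw threat-feed indicators before they reach a SIEM.

Constructed example: two overlapping feeds, an organisational context table
and a handful of proxy log lines. Indicators are de-duplicated, scored and
filtered, so that only contextually relevant matches become alerts.
"""
from datetime import date

# Constructed feed data (hypothetical indicators in reserved test ranges, not real IoCs).
FEED_A = [
    {"ioc": "198.51.100.23", "type": "ip", "tags": ["ransomware", "c2"],
     "confidence": 90, "last_seen": date(2019, 11, 2)},
    {"ioc": "203.0.113.7", "type": "ip", "tags": ["scanner"],
     "confidence": 40, "last_seen": date(2018, 3, 9)},
    {"ioc": "bad.example.test", "type": "domain", "tags": ["phishing"],
     "confidence": 70, "last_seen": date(2019, 10, 30)},
]
FEED_B = [
    {"ioc": "198.51.100.23", "type": "ip", "tags": ["ransomware"],
     "confidence": 80, "last_seen": date(2019, 11, 5)},
    {"ioc": "192.0.2.44", "type": "ip", "tags": ["spam"],
     "confidence": 30, "last_seen": date(2017, 1, 1)},
]

# Constructed organisational context: threat types this organisation treats as priority,
# plus a fixed "today" so the example is reproducible offline.
ORG_CONTEXT = {"priority_tags": {"ransomware", "c2", "phishing"}, "today": date(2019, 11, 10)}

# Constructed proxy log lines (assumed key=value format).
LOG_LINES = [
    "2019-11-10T08:01:12Z proxy src=10.0.0.12 dst=198.51.100.23 host=- action=allow",
    "2019-11-10T08:02:40Z proxy src=10.0.0.15 dst=203.0.113.7 host=- action=allow",
    "2019-11-10T08:03:05Z proxy src=10.0.0.20 dst=192.0.2.10 host=bad.example.test action=allow",
    "2019-11-10T08:04:50Z proxy src=10.0.0.31 dst=192.0.2.44 host=- action=allow",
]


def merge_feeds(*feeds):
    """De-duplicate indicators across feeds: keep the highest confidence, the union
    of tags, the latest last_seen, and count how many feeds reported each one."""
    merged = {}
    for feed in feeds:
        for ind in feed:
            key = (ind["type"], ind["ioc"])
            cur = merged.get(key)
            if cur is None:
                merged[key] = {**ind, "tags": set(ind["tags"]), "sources": 1}
            else:
                cur["confidence"] = max(cur["confidence"], ind["confidence"])
                cur["tags"] |= set(ind["tags"])
                cur["last_seen"] = max(cur["last_seen"], ind["last_seen"])
                cur["sources"] += 1
    return list(merged.values())


def score(ind, ctx):
    """Score 0-100 (assumed weights): feed confidence, decayed linearly to zero over a
    year of age, halved if the indicator is not a priority threat type for this
    organisation, and reduced slightly when only one feed reported it."""
    age_days = (ctx["today"] - ind["last_seen"]).days
    recency = max(0.0, 1.0 - age_days / 365.0)
    relevance = 1.0 if ind["tags"] & ctx["priority_tags"] else 0.5
    corroboration = min(1.0, 0.8 + 0.1 * ind["sources"])
    return round(ind["confidence"] * recency * relevance * corroboration)


def prioritise(feeds, ctx, threshold=50):
    """Merge, score and keep only indicators at or above the threshold, best first."""
    merged = merge_feeds(*feeds)
    for ind in merged:
        ind["score"] = score(ind, ctx)
    return sorted((i for i in merged if i["score"] >= threshold), key=lambda i: -i["score"])


def parse_log(line):
    """Turn one constructed proxy line into a dict of its key=value fields plus timestamp."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[2:])
    fields["ts"] = tokens[0]
    return fields


def match_logs(indicators, lines):
    """Return (timestamp, indicator, score) for every log line that touches an indicator."""
    by_ip = {i["ioc"]: i for i in indicators if i["type"] == "ip"}
    by_domain = {i["ioc"]: i for i in indicators if i["type"] == "domain"}
    hits = []
    for line in lines:
        f = parse_log(line)
        ind = by_ip.get(f.get("dst")) or by_domain.get(f.get("host"))
        if ind:
            hits.append((f["ts"], ind["ioc"], ind["score"]))
    return hits


if __name__ == "__main__":
    # Raw matching (threshold 0) alerts on every feed entry seen in the logs;
    # prioritised matching alerts only on the current, relevant, corroborated ones.
    raw_hits = match_logs(prioritise([FEED_A, FEED_B], ORG_CONTEXT, threshold=0), LOG_LINES)
    prio_hits = match_logs(prioritise([FEED_A, FEED_B], ORG_CONTEXT), LOG_LINES)
    print(f"raw feed alerts: {len(raw_hits)}, prioritised alerts: {len(prio_hits)}")
    for hit in prio_hits:
        print(hit)
```

Against the four constructed log lines, matching every merged feed entry produces four alerts, while matching only the prioritised indicators produces two: the corroborated, recent ransomware address and the recent phishing domain. The stale scanner and spam entries score zero and never reach an analyst, which is the alert-fatigue reduction the article attributes to contextual prioritisation.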