Protective monitoring is an essential part of cyber security as traditional approaches are no longer enough, says Pankaj Mistry, head of IT security at the Department for Work and Pensions (DWP).
“Protective monitoring provides the means of overlying and augmenting traditional defences with critical sources of information,” he told Whitehall Media’s Govsec 2014 conference in London.
Although he admitted that protective monitoring is “complicated”, Mistry said it enabled the DWP to collect information on threats, vulnerabilities, incidents, alerts and threat intelligence in one place.
This is useful in helping the DWP defend its 700 critical systems, which contain millions of data records that have to be managed securely through their lifecycle.
But Mistry warned that introducing protective monitoring typically requires changes to business models and processes because it forces greater accountability for information assurance.
However, the GCHQ’s information assurance arm CESG is in the process of finalising framework documents and guidance to help understand what is involved, he said.
“We are now able to tell when authorised users are accessing systems at unusual times from unusual places, which has increased our ability to detect credential theft or insider threats,” said Mistry.
DWP security teams have also for the first time realised that authorised users sometimes log in from outside the UK in emergencies while they are on leave.
More on security monitoring
- Continuous monitoring key to retail cyber security, says Ponemon
- Qualys security metrics project focuses on continuous monitoring
- The case for NAC-based continuous monitoring for attack detection
- Continuous monitoring, maintenance needed to maintain cybersecurity
- Continuous security monitoring: What enterprises can learn from CDM
- Continuous monitoring has great promise, says IA specialist
- Adapt continuous monitoring of data to benefit compliance controls
- Developing a continuous security monitoring program for 24/7 security
- Strict monitoring keeps mission-critical apps out of trouble
Previously, these logins from outside the UK would have been interpreted as attackers using stolen credentials. DWP has been able to modify its processes to allow for emergency logins.
“One of the biggest benefits is that we are now able to see exactly how the department's IT systems are used and assure accountability for their use,” said Mistry.
“Protective monitoring also makes it easier to conduct policy-based risk assessments, but if it is well designed it can help in other areas too,” he said.
These areas include managing home working, security incidents – which can be used to fine-tune monitoring, managing user privileges and ensuring anti-malware protection is up to date.
“Finally, we have a fact base for our risk-management processes, which is helping move people away from a focus on security events to focus instead on risk,” said Mistry.
The DWP has opted for a hybrid model, which means the in-house team can respond to alerts and mitigate threats without having to worry about the analysis of data, which is handled by the service provider.
“Protecting monitoring is important, but the value is in your ability to respond to the output rather than carrying out the monitoring and analysis of the data,” said Mistry.
“Greater situational awareness, combined with threat intelligence, enables us to make more informed decisions regarding the security posture of big IT estates,” he said.
The DWP plans to work towards transactional-level monitoring for even greater visibility of what is going on in its networks in real time.
Mistry said the DWP was adding security capabilities “layer by layer” and was concentrating on ensuring all the basics are being covered correctly before moving on to the next layer.
Looking ahead, the DWP is adding big data analytics capability as one of its strategic goals.
“We need to embrace big data analytics because we cannot afford not to understand what is going on in the infrastructure we rely on,” said Mistry.