Protecting HMG from damaging cyberattacks
The Department is the UK's biggest public service department, administering services to around 20 million citizens. With 24/7 reliance on its IT infrastructure, the largest network of systems in Europe, protection from cyberattack is a top priority.
In May 2017, the global WannaCry ransomware[1] attack caused billions of pounds of damage to over 200,000 computers, including those of the UK National Health Service. The disruption rightly triggered the UK Government to task every department minister with making their systems safe.
[1] Ransomware is software that encrypts a computer, rendering it useless unless the user pays a cryptocurrency ransom for the decryption key. Ransomware is triggered by a user inadvertently installing it via an email link or USB stick.
Impressed by the experience and specialism of the team.
WannaCry exploited a weakness in out-of-date Microsoft Windows-based hosts, highlighting the importance of regular operating system patch updates. The Department's boundary defence prevented WannaCry getting in, but alarm bells were ringing. What if future ransomware successfully breached the Department's strong boundary defences, reached its target 'endpoint' and was triggered by a user?
With over 50,000 servers and 100,000 laptops running crucial citizen services, the Department could not afford to take the risk. They turned to Pionen, experts in endpoint security, to find a solution.
First, Pionen needed to understand the Department's business requirements – both the functional elements (what the solution would do) and the non-functional elements (how the solution would work with other capabilities). Working collaboratively with the Department's Security Monitoring Teams, they documented a series of use cases – an effective way to capture the functional requirements by describing the step-by-step process each user would go through to achieve a goal.
Pionen then worked through their checklist of standard non-functional requirements to determine the technical constraints, and based on this work, Pionen was confident a commercial off-the-shelf endpoint security solution would be suitable for the Department.
After assessing available products against the requirements, Pionen compiled a comprehensive compliance matrix of strengths and weaknesses, from which the Department's buying team ran a competitive procurement to select among the top three identified vendor platform products. Pionen sat on the evaluation panel, which chose Tanium, a complete endpoint security and management platform.
Pionen then completed the complex design to allow security monitoring across hundreds of segmented networks including different classification levels. The design successfully met all the Department's strict governance standards (based on the Government Security Policy Framework) and was approved by the Design Authority.
In parallel with design, Pionen ran a Business Change Programme. They developed a Future Operating Model, creating and updating all operating processes and initiating training for each identified platform priority user group:
- The Security Monitoring Team, responsible for providing assurance overwatch of the Department's infrastructure estate and for administering its security tooling platforms.
- Digital engineers, responsible for providing IT infrastructure access and support for the platform deployment.
- Digital managers, who approve operational decisions; their stakeholder support is vital to the success of any deployment at scale across critical national infrastructure systems.
The first phase of implementation (Version 1) ran to January 2021, covering over 10,000 servers and critical systems hosted on premises, plus other large business applications running on Amazon Web Services (AWS). Pionen supported the Digital engineers in resolving technical challenges that required supplier liaison and design amendments, including negotiation with the Design Authority.
Version 2 is underway until December 2022, covering all the Department's endpoint systems hosted on AWS and Microsoft Azure services.
We are very happy with the team's delivery of our projects.
The endpoint security project has been a great success within the Department. Tanium now monitors and manages 100% of the on-premises servers and the highest-profile cloud-hosted business applications, spotting unusual activity through behavioural heuristics, such as unusually high system resource usage or suspicious network connectivity from applications and executables, and matching it against indicator-of-compromise rulesets. Response measures are invoked when defined conditions are met, such as "quarantine every laptop with file x installed."
The implementation roll-out is on schedule and the Department has not experienced any successful at-scale ransomware or zero-day attacks, including the December 2021 vulnerability in the widely used Java logging library Apache Log4j.
The Department is now considering Version 3, which will provide full coverage of every Departmental laptop and tablet.