A SIEMless security answer for Surrey Council

Profile picture for user gflood By Gary Flood May 22, 2019
Summary:
Surrey County Council says a ‘SIEM’ - standardised security information and event management - approach is both saving it money and improving delivery of services

security-lock-in-cloud

Here’s a bit of a tricky one: you’re a local authority that wants to share services and back-end systems between yourselves and new neighbour partners - but you all have incompatible security infrastructure. How do you create the joint systems you need, but as safely as possible?

This isn’t just a thought experiment - it was precisely the situation faced by Morgan Rees, Technical Delivery Manager at Surrey County Council. That’s because Surrey is one of the original two members of The Orbis Partnership - a public sector partnership formally created between East Sussex County Council and Surrey County Council in April 2015, with Brighton & Hove City Council joining as the final founding partner, in May 2017. Its purpose: deliver greater value to the partner councils, residents and customers by generating efficiencies and exploiting the benefits of sharing people, resources and technology.

Spanning across 550 sites, Orbis delivers services such as finance, IT, procurement and HR to over 20,000 users, and has around 2,000 staff in its own right. Great - but the problem is that putting together all that IT is just not easy. As Rees put it to diginomica/government:

The three councils within the Orbis partnership deliver local government services to end-users at various locations, ranging from corporate management offices and fire stations to youth centres. Shrinking budgets had caused us all to look at blending back office systems as a way to improve efficiencies and reduce costs.

However, diverged and disparate infrastructures made it hard for the security and networking teams to obtain an overarching view of compliance and IT operational needs.

Combining such a vast infrastructure meant a standardised security information and event management (SIEM) solution was essential to improve efficiencies and security.

Rees says he was able to fix his problem by going down this SIEM route with technology from a company called Splunk, specifically  Splunk Enterprise and Splunk Enterprise Security (ES). Essentially, by automating the collection, search, alerts and reporting of logs and machine data via this technique, it’s become easier than ever to build a full audit trail, Rees told diginomica/government, while a SIEM provides his team with both confidence and flexibility when handling the general public’s personal data, or interacting with other government bodies such as the Public Services Network and NHS.

We asked how this journey started. Rees said: 

We’d already chosen this software as part of our own IT infrastructure modernisation effort. Following a recommendation, we saw it as a natural fit to offer a standardised SIEM solution across all three councils, replacing existing products as they reached end of life or were deemed no longer fit for purpose.

So this has been a key part to Surrey County Council’s infrastructure upgrade and modernisation, which kick-started the whole SIEM replacement process.

What, then does SIEM look like in practice? Rees says it’s all about unified security visibility across multiple locations, better information governance and compliance and much faster identification and resolution of faults and incidents. That, in turn, is being delivered via a centralised view of all the Orbis partners security, compliance and IT operational needs - but at the same time granting each council ownership and control over its own data.

That independence aspect is actually a key value for the three councils, as Rees explains:

In Orbis, we want to put everything on a converging basis, but always make sure that it’s fit for purpose for each individual council. For example, East Sussex was using a technology that was coming up to end of life, so it looked at what was on the market and what Surrey was doing and saw that Splunk was the best fit.

Protection from big security events - like WannaCry

We asked if Rees could offer some detail into how this new approach to security was helping in more specific terms. He told us,

By creating a single-pane-of-glass view across three councils, one of the biggest benefits is improved collaboration. So Orbis members can respond to faults and incidents a lot faster, which dramatically improves customer service. Moreover, we’re better able to meet compliance requirements and have secured information governance, which is critical to operating in the public sector.

Which is important - but what about actual residents of the three councils, who are after all the presumed eventual beneficiaries of all this back-room work? He had a great answer for us there, luckily:

Using SIEM has been instrumental in speeding up fault diagnosis throughout IT services including social care, waste and road management. Cost avoidance through tool consolidation was an unforeseen, but greatly valued, additional benefit to the original SIEM replacement work, and using the indexed data we can now gather, the network team has been able to reduce the time taken to identify and respond to incidents, ensuring improved customer service. 

There is a also cost avoidance benefit by identifying security issues and incidents early and quickly, that meant when events like WannaCry hit the NHS we could quickly identify where there were issues and remove the offending device from the network to prevent it spreading further.

We have gained greater efficiency of services at scale and improved operational visibility. With public sector finances coming under increasing pressure, the partnership will continue to look for ways to capitalise on collaboration and sharing of information and services. So regardless of whether it is a security alert or troubleshooting website issues, multiple teams can now identify and resolve faults - limiting downtime and disruption, as there is no need to go through multiple departments for escalations and root cause.

He is also adamant that SIEM is a core part of the on-going digital transformation work that Orbis is also a believer in:

As more and more services are delivered digitally, is it important to ensure that they are delivered securely. This is a key building block in ensuring that.

Editor’s note: we last covered Orbis in January, when we talked about what’s been happening at Brighton and Hove City Council, another one of the three Orbis partners.