Overwatch

Protecting valuable business information…

What is Overwatch?

Hereford InfoSec’s Overwatch service provides organisations with the monitoring and alerting services needed to address governance, risk management and compliance needs for organisations with on-premises IT systems which store and process the sort of highly sensitive information that could never be entrusted to someone else’s IT.

In modern warfare, Overwatch is a force protection tactic: one small unit or military vehicle supports another unit while it executes fire and movement tactics. The overwatching or supporting unit takes up a position from which it can observe the terrain ahead, especially enemy positions.

Protective Monitoring Service

What and Why?

Not many days go by without cyber security breaches being reported at some of the country’s biggest and most well-resourced organisations, but how are these breaches detected? Unfortunately, and all too often, the effects of the breach are noted by third parties, including law enforcement, the media and customers, long before the organisations themselves see any indication of anomalous system activity. In fact, many investigations into detection delays put the mean time to detect such breaches at months, whilst the mean time to exploit these systems, once new attack vectors are discovered, lies in the range of hours or days at most. This ‘arms race’ is being lost without proactive and effective system monitoring (aka ‘protective monitoring’) and, given the complexities of modern IT and its constituent components, delivering ‘effective’ is far from easy.

For those dealing with sensitive information, be that personal data subject to the Data Protection Act 2018 (including GDPR implications), with regulatory needs for assurance, such as those of the Financial Conduct Authority and Solicitors Regulation Authority, or contractual needs such as those in MoD’s DefStan 05-138 (and associated Defence Cyber Protection Partnership compliance) or ISO 27001, the means to detect breaches are a vital part of an organisation’s cyber defence posture if these organisations are not to wind up as the next headline in a daily newspaper or on the receiving end of sanctions from statutory or regulatory bodies.

The Complexities

Whilst the importance of proactive monitoring is self-evident to most, the complexities of effective and affordable implementation are more subtle, given the nature of heterogeneous IT systems employing numerous types of technology, the paucity of cyber security skills, the ever-evolving legislative and regulatory landscape pertaining to the protection of information borne on cyber systems, and the baseline costs to build out a protective monitoring function. As observed by HMG’s National Cyber Security Centre (NCSC) in its Effective Log Management paper, the right combination of people, process and tools is hard to achieve: staff involved in cyber security need technical, investigative and forensic knowledge; processes need to be agile, speedy and tailored; and tools need to keep pace with the ‘arms race’ between attackers and defenders. It may be tempting to dual-role existing IT support specialists to effect protective monitoring, but there are conflicting drivers for support staff when a balance must be struck between cyber security and service delivery needs, especially when such staff may be ‘marking their own homework’ in circumstances of insider threat.

Overwatch

Hereford InfoSec’s Overwatch service is designed to provide organisations with the monitoring and alerting services needed to address governance, risk management and compliance needs for organisations with on-premises IT systems which store and process the sort of highly sensitive information that would never be entrusted to someone else’s IT, especially so when such data may include personal data which, if entrusted to cloud services, might otherwise be hosted at unknown sites.

The range of available services covers network traffic crossing the Internet boundary point, internal network traffic, endpoint monitoring, user activity on endpoints and Cyber Situational Awareness, meeting the needs outlined in NCSC’s 10 Steps to Cyber Security in respect of Cyber Security Operations Centres and Monitoring.

In order to field an assured and fully trusted monitoring service, Hereford InfoSec maintains its Cyber Security Operations Centre in an HMG-approved and evaluated secure facility, with CSOC analysts holding HMG Personal Security Clearances. This ensures that your sensitive network security data is entrusted to the highest levels of HMG-accredited physical and personnel security measures, commensurate with HMG’s guidance on Protective Monitoring and NCSC web site advice.

Use of the Overwatch service obviates many of the complexities observed in NCSC’s Effective Log Management paper by drawing on our cyber expertise and experience, gleaned from involvement in HMG projects, whilst providing manageable, fixed costs through a subscription-based model of service delivery.

DCPP Requirements

Since 2017, UK MoD has included the Defence Cyber Protection Partnership (DCPP) cyber security requirements in its contractual terms for defence suppliers, under Defence Standard 05-138 (DEFSTAN 05-138). The DEFSTAN, stipulated in Defence Condition 658 (DEFCON 658), mandates the implementation of control measures throughout the supply chain according to the MoD-assessed risk profile for MoD Identifiable Information (MII). Control measures cover a diverse range of cyber security areas, building on the Cyber Essentials Scheme, including matters of cyber security governance, culture and awareness, asset security, systems security, personnel security and incident management, including mandatory incident reporting requirements akin to those recently introduced under GDPR. The DEFCON further requires compliance with cyber-relevant Industry Security Notices (ISNs), including ISN2017/01 (describing DART), which requires use of appropriately qualified ICT security expertise, and ISN2017/03 in respect of incident reporting. It is important to note that control measures are expected to be implemented irrespective of contract value or supplier organisation size, as DCPP views these measures as best practice and notes that small companies are as likely to be targeted as larger companies within the defence supply chain.

DCPP Implementation

Whilst the baseline requirements of the Cyber Essentials Scheme Plus (CES+), needed at the DCPP Low risk profile and above, are comparatively easy to achieve, being based on 5 high-level security controls, DCPP controls are more demanding, especially so at higher levels of assessed risk to MII. At the Low risk profile level there are 16 specific controls across the 6 main headings, with implementation likely to be within the in-house abilities of many organisations with minimal support from cyber security specialists. At the Moderate risk profile, the above 16 are supplemented by a further 15, whilst the High risk profile adds yet another 12 controls, with implementation costs and complexities increasing at each risk profile level. Implementation at Moderate and High risk profile levels will require some cyber-specific expertise, as fairly technical cyber capabilities are involved at these levels, such as vulnerability assessment, network behaviour monitoring and security log analysis. These matters are further complicated in that they must be undertaken in accordance with legal requirements relating to electronic evidence and privacy, in order to comply with relevant legislation, as well as addressing the insider threat when it may sometimes appear expedient to dual-role in-house or existing third-party IT support for security monitoring.

DCPP Support Services

As a specialist cyber security consultancy practice with a proven track record supporting defence industry supply chain security needs, Hereford InfoSec is well placed to support companies in attaining and maintaining DCPP compliance at all Risk Profiles. Our CCP-qualified security personnel are able to provide advice and guidance in developing a suitable security posture, compliant with ISN2017/01 needs for qualified ICT security expertise, whilst our Overwatch protective monitoring service provides a subscription-based service, protected to exacting MoD physical, personnel and cyber security standards, addressing the more technical DCPP requirements at Moderate and High risk profile for network, endpoint and user behaviour analytics, as well as providing routine vulnerability assessment to ensure patch-state maintenance. This subscription-based service provides for known, fixed costs whilst obviating the need to recruit and retain costly in-house cyber expertise, a scarcity under current market conditions, or to deploy hard-to-maintain cyber security tools. The outsourcing of such security services also helps meet HMG guidance relating to segregation of duties and independence in auditing functions. Specific DCPP requirements (indicated in brackets below for the Low, Moderate and High risk DCPP profiles) met by the service include:-

  • Provision of cyber expertise (L.03)
  • Scope of IT estate (L.11, H.12)
  • Vulnerability status of IT estate (M.07, H.01)
  • Monitor usage (M.01, M.09, H.05, H.07, H.09)
  • Incident Detection (L.16, M.08, H.03, H.10)

General Data Protection Regulations Compliance Support

GDPR Requirements

As many organisations processing or storing personal data will be aware, the Data Protection Act 2018 (DPA18) achieved Royal Assent in May 2018, enshrining the principles of the European General Data Protection Regulation (GDPR) in UK legislation. The Act places requirements on data controllers and processors to employ suitable security measures, physical, personnel and cyber as necessary, to protect the confidentiality, integrity and availability of data. Key areas for data controllers/processors to consider include:-

  • Implementation of “appropriate technical and organisational measures” (per Article 24)
  • Undertaking “regularly testing, assessing and evaluating the effectiveness of technical and organisational measures” (per Article 32)
  • Being in a position to “notify [a] personal data breach” (per Article 33)

The above considerations need to be taken within a risk management context, with due regard to industry best practice, the cost of controls, the data being processed and the rights and freedoms of data subjects. In short, the onus is put on data controllers and processors to determine how to secure data, with the oft-touted sanctions for failure to comply.

GDPR Implementation

Whilst the controls needed to satisfy both DPA18 and GDPR should be determined by data controllers/processors in response to risk analysis, there is some useful guidance from the Information Commissioner’s Office (ICO), which largely refers out to the National Cyber Security Centre (NCSC), its ‘10 Steps to Cyber Security’ and the Cyber Essentials Scheme. Specific bullet points from ICO guidance address tracking accesses to personal data, actively managing software vulnerabilities, hardening computer systems against attack, system monitoring, control of removable media and use of encryption. Whilst many of these controls can be put in place by in-house ICT support staff, where such staff don’t exist, or the option to roll out further security-specific technologies is beyond the organisation’s appetite, external assistance can and should be sought, particularly when risks associated with insider threat need to be considered.

GDPR Support Services

As a specialist cyber security consultancy practice with a proven track record, Hereford InfoSec is well placed to support companies in attaining and maintaining GDPR compliance. Our NCSC CCP-qualified cyber security personnel are able to provide advice and support in conducting risk assessments, as well as consultancy in the implementation of effective cyber security controls. In respect of monitoring system usage and proving the effectiveness of controls, our Overwatch protective monitoring service provides a subscription-based service, itself protected to exacting HMG physical, personnel and cyber security standards, addressing the more technical requirements for network, endpoint and user behaviour analytics, as well as providing routine vulnerability assessments to assure your security posture. This subscription-based service benefits subscribers by:-

  • supporting implementation of the Monitoring and Incident Response aspects of ‘10 Steps to Cyber Security’ and the Operations Security (A.12) and Incident Management (A.16) aspects of ISO 27001
  • fixing monthly costs at an affordable level for even micro businesses
  • obviating the need to recruit and retain costly in-house cyber expertise, a scarcity under current market conditions
  • obviating the cost, often running to 6 figures, to acquire, build, operate and maintain complex monitoring platforms consistent with evidential needs
  • obviating any conflict-of-interest risks introduced through the use of in-house or third-party IT support personnel in conducting security activities
  • obviating the risks associated with hosting sensitive security data in cloud services where server locations are often unknown