Protecting Policing's IT estate with the National Management Centre
It is no secret that police forces have access to extensive data and information. Such access supports forces in understanding the community they protect, and helps them assess potential risks and threats to that community. But with great access comes great responsibility to protect this data, especially at a time when the cyber threat landscape is constantly and dramatically changing. To find out how the National Management Centre (NMC) will support Policing by protecting force IT estates, we sat down [virtually] with the new NMC director, Stephen Reid.
Providing a 24/7 specialist capability for Policing
"Within the National Management Centre, there are a number of services being provided. The first one and very much the baseline element is called Protective Monitoring. With Protective Monitoring, we are actively monitoring the networks from both an insider threat and also an external threat perspective for each police force. We're going to be using a Security Information and Event Management (SIEM) tool to create signatures and align those to the inherent risks around Policing. All of the rules and signatures that flag up alerts to the analysts are very much based on the risk to national Policing. This is the foundation of the NMC if you like - you have to understand what's going on in your network to be able to protect against it."
"There are numerous other services which are coming on board shortly, for example Threat Hunting. Threat Hunting is looking for those threats that the SIEM isn't necessarily picking up. It's going to be looking at any anomalous activity going on within force networks. Another service is Malware Analysis. We're able to look at any suspected malware that's been identified, whether it came in through email, or if it's been brought in via a device like a pen drive or a memory stick, and run a sample through our toolsets to see if it is actually malicious, and from there we can support the force in dealing with the output.
"Another one is Threat Intelligence. Now although Threat Intelligence is very much a service deliverable from the NMC, I want Threat Intelligence to be a culture and a behaviour across Policing. I very much want to link in with every individual force to see what's important to them, what’s worrying them, see what keeps them awake at night and to be able to start tailoring Threat Intelligence to that force. In terms of other services, there's a Vulnerability Assessment. We'd like to be able to do Vulnerability Assessments on each force to work with them and help them plug those gaps to ensure that any vulnerabilities aren't exploited. And I think that's the whole idea around the NMC, it’s that we can utilize all of these services as one and create that defence in depth. We have recruited people into one ‘state of the art’ facility; we’ll have a Malware Analyst who can work with a Threat Hunter, who can work with a Threat Intelligence analyst to be able to implement rules for the Protective Monitoring, and it will all very much work as one cohesive team."
Adopting a national approach to cyber security
"First of all, cyber security is certainly not local, it is very much a global operation. Over the last number of years our adversaries and our threats have become global in scale. It’s not just a kid down the road who's just finished school, and wants to mess around with some IP addresses. It's now become a global scale of nation state type adversaries who very much want to get something out of other governments."
"I think having a centre that's looking at UK Policing on a national scale, it allows us to see what's going on all over the country and to see what kind of threats are out there. It also helps us get ahead of the game, so if we were to start seeing some sort of reconnaissance going on in one force, the likelihood is that they're going to start doing it to numerous forces. If we can see one force getting some sort of attack or unwanted activity, we can pre-emptively support all the other forces to prevent any other attacks from happening."
Protecting against malicious behaviour
"Even during a global pandemic, there are people out there trying very hard to exploit those with an online presence, and unfortunately, they are very, very good at doing so. An example of this may be an email about COVID 19 using a link which looks totally legitimate. These people will always be there, which is why I think it goes back to creating this threat intelligence culture. There's a lot of examples we can share with forces to say ‘be careful because we are aware of new campaigns exploiting certain email addresses, and this is what the email looks like’. It is that proactive approach to say ‘here's what threat intelligence is telling us, we know it's bad for your force because you have these vulnerabilities/systems/tools, and we recommend you take this course of action’."
Sharing threat intelligence across forces
"What’s key is that it's the same people in the NMC looking after numerous forces across the UK, so what we're able to do is take information or intelligence from one force, and disseminate it across all the others. As the NMC develops, and with permission from a force, we want to have the analysts proactively implement changes or blocks in all relevant forces based on the intelligence they have received. I want to be able to use the information, act upon it and then tell forces 'don't worry, you’re protected'."
"The National Support Team (NST) is the main interface for forces within the NMC, made up incident responders, incident managers, threat intelligence specialists and force liaison officers. Part of their job is to have a ‘Policing’ conversation and add contextualisation to the incidents and intelligence; ‘here’s what it means to you as a police force, and this is how it might impact your business’."
The next steps for the NMC
"So as of now we've onboarded a lot of the cloud-based products like Office 365, and they’re great for getting information into an analyst, but you cannot beat getting some of the on premise logs. If I'm an analyst, I want to be able to see what's going on in that network. I want to be able to see what's going through that firewall or that IDS/IPS, and even some endpoints as well. The more data we can give an analyst, the better view we have of the threats that are out there.
"What I want to do is start building a relationship with police forces and I want to be able to introduce my team and start building that relationship to begin to understand what forces want from us. Because at the end of the day, the NMC is there to support forces. Security should be supportive, not a hindrance to the operation. The next steps for us are to start reaching out to individual police forces and find out for those people who have been onboarded how can we improve the service, and for those people who haven't been onboarded, what do they want from us and how can we get them on board?"
During COVID-19, work has continued with forces to support them in onboarding to the NMC. With over half of the forces in England and Wales now live with the cloud adoption, we are beginning to get a clearer picture of the threats being posed to Policing across the UK. If you have any questions around the NMC or your force's onboarding progress, please reach out to your technical representatives from the programme, and we will be happy to help.