1st Line Cyber Defence Team

Executive Summary

C3IA Solutions was approached by an embedded Programme Manager who had worked alongside the C3IA Security Director whilst supporting a previous Government Cyber and Digital Security contract. The client was in the process of establishing a governance-focused approach to Risk Management, but it was apparent that they required additional capability to deliver the 1st Line Cyber Support needed to manage incidents and events as they occurred.

C3IA Solutions was initially tasked with establishing a team of three National Cyber Security Centre (NCSC) Certified Professionals (CCP) to develop, monitor and deliver security operations procedures, standards, testing plans and technical baselines aligned to the new security Target Operating Model (TOM). The team's role was to deliver continuous improvement to mitigate cyber risks in line with the IT Divisional strategy and industry best practice. Additionally, the team was required to develop management consoles, security incident and event management, correlation tools and other analysis mechanisms to assess trends and risks in collaboration with service providers. They were also required to assess and interpret threats, vulnerabilities and environmental changes affecting cyber risk within the company framework, to investigate cyber-attacks through to successful resolution, and to carry out incident impact analysis.

Security Management

Challenges and Goals

The client organisation had embarked on a governance improvement programme across all business areas to address departmental stovepipes and to ensure that all security-required Policy and Process was in place and fit for purpose; however, this was at an early stage when C3IA Solutions started to deliver consultancy support. Attempts had been made to initiate a Security Incident and Event Management (SIEM) capability, but this had stalled. The client had put the delivery of a Managed Security Service (MSS) out to tender, although its understanding of how the MSS would be integrated into the wider business requirements and support the client's enterprise needs was immature.

Our goal was therefore to establish an effective SIEM capability that would identify and manage incidents as they occurred and deliver a robust and effective reporting regime through the implementation of policies and procedures. Once established, this service was to run in parallel with the proposed MSS and feed into the client's enterprise requirements.

Our Approach

C3IA Solutions engaged directly with the Programme Lead and offered a Security Managed Service (SMS). This took ownership of the client's high-level support requirements whilst waiting for the MSS contract winner to establish the Security Operating Centre (SOC), monitoring procedures and incident management plans. The C3IA Team provided the client with defined procedures and formed the 1st Line Cyber Incident Response team. The team consisted of a Team Manager, providing advice and guidance to the client on security-related issues and high-level strategic direction; a SOC Analyst, reviewing security logs and incidents as they evolved and establishing their impact and resolution plans; and a Security Architect, whose role was to review the client's network architectural designs, establish hardware security configuration best practice, and action cyber incidents as they occurred.

Whilst the contract was initially for a 6-month period, the expertise provided by the C3IA team has warranted a contract extension for a further 6 months, with the team being increased to four through the addition of another Security Analyst.

Audit and compliance

Results and Benefits

The C3IA Solutions team was able to address the client's Cyber Security programme delivery concerns. The team quickly established a good working relationship with the client's Senior Leadership Team (SLT), demonstrating not only security and service delivery capability but also support for the wider programme and project management needs. Despite the delay in the delivery of the MSS services by the MSS competition winner, the client has retained a 1st line cyber incident response capability throughout the transition period.

“The challenges faced within the organisation were significant; the initial understanding of Information and Cyber Security risk was unclear. Furthermore, internally, how best to progress to the Cyber and Digital Security Target Operating Model was yet to be defined. It was great to be able to make such a significant difference to the client’s approach and understanding of the risks they were operating under. In addition, my team were able to deliver demonstrable evidence that we were capturing attacks and mitigating them as they occurred, assuring the client that their Information Assurance Maturity was improving and threats were being addressed.”

C3IA Solutions Ltd – 1st Line Cyber Defence team leader