Keeping the UK safe from attack in an era of heightened international threats requires Ministry of Defence (MOD) ICT infrastructures to continuously adapt to emerging threat sources and attack vectors. These include disaffected staff, foreign intelligence services, terrorist organisations, investigative journalists, computer hackers, and criminals (including organised criminal groups). Each may attempt to breach MOD security using a range of mechanisms and methods, potentially compromising UK defence capabilities.
Such attempts are becoming more complex, co-ordinated, and difficult to detect. Defence against them needs to focus on, and be capable of countering, several attack vectors at once.
With different ICT systems, the MOD lacked a cohesive response to actual or attempted network intrusion or disruption. An additional layer of protection was required to bring together an already formidable armoury of security mechanisms. The need was to integrate existing system security information sources to create a centralised security capacity and expand its situational awareness. Detection and protection, as well as monitoring and analysis, were all equally crucial.
BT designed and deployed a COTS (commercial off-the-shelf) based cyber defence solution called eCND (enhanced computer network defence). A fully accredited solution, it delivers round-the-clock support to users.
The use of COTS technology improves interoperability and can enable government departments to improve efficiency and provide increased functionality. Yet its open nature means COTS technology can be vulnerable to the unique risks faced by defence systems. A close relationship with the MOD means that BT is ideally positioned to maximise the advantages of a COTS-based approach, while ensuring that all components meet exacting national and MOD security and safety criteria.
BT worked closely with all stakeholders, including the MOD user community, service providers, and delivery partners, to assure integration with existing MOD systems. Spanning multiple security domains, eCND maintains separation between them, which allows it to be security accredited up to IL5.
Delivering a holistic view of the configuration and security postures of multiple ICT infrastructures, eCND enables management of threats and threat sources, including a combined multi-domain view where appropriate. This is realised through centralised monitoring and correlation of security event feeds from many different systems, including known vulnerabilities, to identify anomalous behaviour.
All the information is collated and presented to the user to enable a real-time view of the MOD ICT estate. Risk analysis and modelling are used to evaluate identified vulnerabilities within ICT systems, and the likely ability of threats to exploit them.
By providing an incident archive, eCND helps the MOD to learn from previous cases. Events can be replayed to better understand risk management decisions and actions taken during the mitigation process, enabling decision-making to evolve. In addition, such data can be searched and linked to new cases exhibiting similar characteristics.
BT has integrated a range of approved COTS products and combined security information feeds into a coherent overarching environment. Information from all MOD security systems is now integrated, correlated, and accessible from a centralised control centre. The centre provides users with the functionality to exploit live and historic data via a common user interface. It also enables risk management-based and fully informed decision-making, ensuring responses are based on comprehensive situational awareness.
This proactive problem management approach is one of the most powerful features of eCND. It means we no longer have to waste time fire-fighting because we’re always continuously learning.
Proactive planning and scenario modelling are now widely used to reduce MOD operational risk. The MOD is able to identify vulnerabilities within its ICT estate far more effectively. It can react more accurately and quickly to reduce the window of exploitation open to threat sources. Meanwhile, decisions are based on a comprehensive, up-to-date view. Mitigation strategies can be planned and rehearsed in advance, reducing or eliminating the need for reactive responses.