How a council consolidated security tools and saved 40%

Savings came from lower licensing costs and fewer training and service requirements


Before consolidating its security tools, Falkirk Council had difficulty knowing what software was on its systems, which had been patched successfully, and even how many of each type of laptop, PC and server were operational.

"I'd ask how many Google assets we have, and the answer would depend on what day it was and who I asked," said Murat Dilek, enterprise network & cybersecurity team leader at Falkirk Council in Scotland.

Now he knows the exact answer to that question: 5,555, on the day of his interview with Computing at least.

In all, his small team manages around 600 servers (Windows and Linux) and 9,000 end-user devices (5,000 desktops and 4,000 laptops, 5,555 of which run the Chrome browser) across 55 primary schools, nine secondary schools and 35 remote offices.

It was not that the information was unavailable, but it was siloed. There were different systems for vulnerability scanning and patching, the endpoint protection (EPP) tool lacked discovery and response capabilities, and the tools weren't deployed uniformly. Moreover, some tools required managed services, adding to the complexity and subtracting from transparency.

The crunch point came with the attack on the Scottish Environment Protection Agency (SEPA) in 2021, which saw criminals publish more than 4,000 stolen files and which burned through £800,000 in recovery costs. "That created a lot of noise within the chief exec community; we needed to do something different," said Dilek.

Dilek started to think about what would be required in order to respond rapidly to a similar attack, presuming a breach had already taken place. The first thing he needed, he decided, was accurate data on all the assets he was responsible for at his fingertips. "I need to know all those points so I can just react."

To be able to "just react", he would require additional tools too, including endpoint detection and response (EDR) that could protect local and cloud assets (the existing EPP was on premises) and integrated patch management.

As part of the procurement process, Dilek organised proofs of concept to see how individual services could be joined together. He tried Qualys' SaaS patch management and asset management tools, and was able to show his manager exactly which assets were where using a dashboard. Later, he was able to patch a Chrome zero-day flaw remotely from an iPad while watching his daughter at the Highland Games.

"So my boss says to me on Monday morning, what are you going to do now Google's got a patch available? I said I'm not going to do anything, because that's yesterday's news. I've done it."

After gaining confidence that the automated patching could be staged and rolled back in a controlled fashion, including on servers, Dilek's team started to look at all the other applications that could be automatically patched in this way, integrating this activity into the regime established for updating Microsoft software.

The need for faster patching

As of February, NCSC recommends that organisations patch all external-facing systems within five days of a patch becoming available, or seven days for internal systems, to minimise the window in which attackers can develop exploits. This is challenging, said Dilek, as it represents a halving of the council's current mean time to remediation (MTTR), but automating the regime for third-party as well as Microsoft software is a vital step towards achieving it.
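To make the NCSC windows concrete, here is an added example (not the council's tooling or any Qualys code) that computes MTTR and flags assets sitting outside the five-day external and seven-day internal windows from a set of constructed patch records; the asset names, dates and record layout are assumptions.

```python
from datetime import datetime

# NCSC-recommended remediation windows quoted in the article (days after patch release).
WINDOW_DAYS = {"external": 5, "internal": 7}

# Constructed sample records, one per asset/patch pair (not council data).
# "patched" is None while remediation is still outstanding.
SAMPLE_RECORDS = [
    {"asset": "web-01",  "exposure": "external", "released": "2024-03-01", "patched": "2024-03-04"},
    {"asset": "web-02",  "exposure": "external", "released": "2024-03-01", "patched": "2024-03-09"},
    {"asset": "file-01", "exposure": "internal", "released": "2024-03-01", "patched": "2024-03-06"},
    {"asset": "lap-117", "exposure": "internal", "released": "2024-03-01", "patched": None},
]


def _parse(day):
    return datetime.strptime(day, "%Y-%m-%d")


def assess(records, now):
    """Return (mttr_days, breaches) for the records as of the date string 'now'.

    mttr_days: mean days from patch release to remediation over patched records
               (None if nothing has been patched yet).
    breaches:  list of (asset, days_open, window) for records whose open time
               exceeds the NCSC window for their exposure; unpatched records are
               measured up to 'now', so an overdue open item is reported too.
    """
    now = _parse(now)
    durations, breaches = [], []
    for r in records:
        released = _parse(r["released"])
        closed = _parse(r["patched"]) if r["patched"] else now
        days_open = (closed - released).days
        if r["patched"]:
            durations.append(days_open)
        window = WINDOW_DAYS[r["exposure"]]
        if days_open > window:
            breaches.append((r["asset"], days_open, window))
    mttr = sum(durations) / len(durations) if durations else None
    return mttr, breaches


if __name__ == "__main__":
    mttr, breaches = assess(SAMPLE_RECORDS, "2024-03-12")
    print(f"MTTR: {mttr:.1f} days")
    for asset, days_open, window in breaches:
        print(f"{asset}: open {days_open} days, NCSC window {window} days")
```

Run over the sample data as of 2024-03-12, the external web-02 host (8 days) and the still-unpatched internal laptop (11 days) are reported as outside their windows.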

As well as streamlining the update regime, the team was also able to deploy patches to endpoints sitting on different VLANs (another source of silos) much more easily, developing a PowerShell script to wake up machines that had been suspended, and greatly increasing the patching rate.

Ultimately, Dilek's team adopted Qualys' platform for risk management, endpoint protection and remediation, and automated patch management, adding modules as they went. In doing so, it was able to retire several point solutions and cut costs by 40%. In part this was due to simpler licensing, but ditching the managed services and reduced training needs were factors too.

Consolidating tools also helped with staffing. The council had been seeking good support engineers for a while, "but we couldn't employ anybody because there's a skills shortage and we don't pay good enough wages, being in the public sector."

The council has now hired two infrastructure generalists and plans to "skill them up" with tools that, in combination, have less of a learning curve.

Of course, a platform approach comes with risks of its own, including vendor lock-in, but for Dilek this is more than outweighed by having all the tools in one place, and a single unified asset inventory that puts all the information on one dashboard. The council renews its contracts every three years and may make changes then. If so, having a set of tools from one vendor rather than separate solutions and services providers gives it a strong negotiating hand, he told Computing.