Western Australian Government continues to improve its cybersecurity posture after building first-of-its-kind Security Operations Centre
Microsoft News Center
As cyberattacks become more frequent and sophisticated, it’s crucial that governments are well-equipped to not only respond to threats, but prevent them from happening in the first place.
Everyone needs to be on the same page in taking reactive and proactive cybersecurity measures, and when you’re the size of the WA Government – which has a total of 131 government organisations – a significant investment in technology and training is required to achieve this outcome.
It’s a journey that WA’s Office of Digital Government (DGov) embarked on in September 2020, when it signed a Memorandum of Understanding (MoU) with Microsoft to enhance the public sector’s ability to identify and eliminate cybercrime. This security focus was aligned with State Government Procurement who negotiated a significant uplift in the security products in the State Government Microsoft agreements.
According to the WA Government’s Chief Information Security Officer, Peter Bouhlas, phishing is the most common type of cyberattack threatening its networks and information.
“Those phishing attacks come from a variety of sources, either homegrown or overseas-based,” he says. “Why those attacks occur can vary as well – they could be politically charged, or just a cash grab.
“But whatever the reason, phishing preys on people. With the diversity and amount of technology each individual uses, the pathways to compromise someone’s information or steal their identity are significantly more than they used to be. And because we’ve been working remotely more often during the COVID-19 pandemic, that exposure has increased.
So, we’ve had to pivot and ensure that we don’t allow cybersecurity to become an obstacle in working in the way that’s needed.
A world first for cybersecurity
Bouhlas joined DGov in July 2018, when it replaced the Office of the Government Chief Information Officer and became a discrete business unit within the WA Department of the Premier and Cabinet.
“When I first came into the job, one of the first things we had to do is establish a capability to have visibility over networks across the sector,” he says.
“I went to market to see what SIEM [security information and event management] products were out there and to gather quotes from vendors, but nothing really fitted us in terms of what we wanted to do and how we wanted to do it. The general feedback from vendors was that it would take me 10 years and cost tens of millions of dollars to build a government security operations centre (SOC).”
However, with the support of Microsoft, DGov arrived at a design that was achievable in just six months with a state budget allocation of $1.8 million. It created the whole-of-government security design using Microsoft 365 E3 and E5 security capabilities, Microsoft Defender for Cloud to secure infrastructure regardless of its location, and Microsoft Sentinel.
“Aligned with State Government Procurement, we partnered with Microsoft to find a licensing approach that would allow every government agency access to the more advanced security solutions including Sentinel, as well as Defender and other Microsoft Azure security services, in the most cost-effective way,” Bouhlas explains.
“That meant that we were all afforded a SIEM at a good price, rather than having to go and find out what one might cost, and then the services to run it and so forth.
In a period of six months, we stood up a security operations centre that was capable of ingesting information and monitoring a network, which was quite phenomenal.
The whole-of-government Cyber SOC launched in September 2020 and is the first of its kind globally. By leveraging Azure Lighthouse, the SOC enables each WA Government agency to run its own SIEM solution in Sentinel.
“That’s a game changer across government because all of a sudden, we were able to train people in the WA public sector in Sentinel. And if everyone’s using the same SIEM solution, it could scale up very quickly,” Bouhlas says.
“That meant that people coming out of tertiary education and TAFEs who were trained in Sentinel could jump in and be level one analysts. So, there were quite a lot of benefits from using this model. And your data ingestion costs from the cloud were kept to a minimum.”
DGov has plugged Microsoft Dynamics 365 into the SOC to automatically generate cybersecurity incident tickets for agencies. It also uses Microsoft Teams to create virtual rooms for active incidents.
There are now 20 agencies connected to the WA Government’s SOC, and DGov plans to hit 30 agencies by the end of June 2022.
It’s part of an expansion that will also include the relocation of the SOC to a new purpose-built facility and the recruitment of 25 cybersecurity professionals.
“We have a range of entry-level to senior-level roles available across technical and non-technical specialties, including penetration testing, threat hunting, incident response, security operations and intelligence, governance, risk and compliance,” Bouhlas says.
“This is a great opportunity to be at the forefront of WA’s cybersecurity landscape and help protect the WA Government from cybercriminals.”
Mastering the basics
DGov has invested heavily in cybersecurity training and awareness programs at various levels across WA’s public sector over the last two years, with Microsoft delivering the bulk of it.
“We’ve had more than 8,000 people attend training sessions that have been facilitated from this office,” Bouhlas says.
“What was really obvious was the sector wasn’t fully utilising the services and solutions that we had procured, so that’s where the training and awareness discussion started with Microsoft. We’d bought all these goods and services, but weren’t trained on how to use them, so we need some support in that way.
“I also think there was a lack of trained cybersecurity professionals who understood the cybersecurity language and the business context, as opposed to a technology person or an IT person whose experience is to deploy and support the business in its endeavours and objectives, and not really think about risks to the business.
“Our approach is focused on doing the basics and doing them well.”
Microsoft has created a skills plan to support all agencies as part of WA’s whole-of-government cybersecurity movement. The skills plan includes ‘snackable’ events where agencies can learn about Microsoft’s security fundamentals, with an emphasis on the Essential Eight guidelines and Zero Trust principles; free on-demand digital skills training; instructor-led training via the Microsoft Security Academy; and free Microsoft certifications to validate their knowledge.
Microsoft has also written a whitepaper explaining how agencies can use solutions within their security stack to meet the Essential Eight cybersecurity requirements as part of a new WA government policy.
Bouhlas says the WA Government’s MoU with Microsoft has not only had a significant effect on cyber resiliency in the public sector – it has also affected the private sector.
Whether you look at it from a perspective of training, upskilling people, just raising awareness, or the technical implementation of controls, deployment of applications and solutions, we have certainly ticked off some huge milestones in cybersecurity as a result of the working relationship.
“If we didn’t sign the MoU, I’m not sure whether we’d be any different, as there is a strong cybersecurity collaboration in the WA Government that DGov are leading. The MoU just made it tangible that we’re able to put our hands up and say, ‘This is how we’re going to work together’, and we’ve honoured the MoU to the full extent.
“In the very near future, we need to look at it and ask ourselves, ‘Is there anything more that we could do as we move on from this point today?'”
