District cities, as well as small towns and municipalities across the country, are using digital technologies to improve their services, increase efficiency and reduce costs. At the same time, they do not have enough capital to counter the growing threat from cyber criminals.
However, municipalities can also apply for various financial contributions and subsidies within the framework of the calls of the Ministry of Investment, Regional Development and Informatisation aimed at support in the field of cyber and information security. In most cases, it is this opportunity to obtain additional funding that is the impetus for cities to decide to deal with cybersecurity more intensively.

This is confirmed by our project manager, Michal Šimkovič:
“Over the years, we have already implemented several successful projects that clients have financed with such grants. They have also had good results because customers are not only aware of cyber threats and want to address them, but with a reasonable budget and commitment, a project of this complexity can improve their security levels by leaps and bounds.”
This case study describes one of them.
Customer: small district town
Due to the sensitive nature of the project, the customer remains anonymous. However, it is a district town, which we will call Svitany in this case study.
Svitany: baseline situation
There are cities where we find at least basic cybersecurity policies, classification or risk analysis. Svitany was similarly situated, but lacked most of the measures that would have helped them eliminate or reduce the identified risks.
They assessed their situation as follows:
“We are aware that the solutions and tools we use are outdated and no longer meet today’s needs or capabilities. But we simply did not have the human or financial capacity to upgrade them or deploy new ones.”
Svitany used at least basic antivirus software on workstations and servers, and a simple static firewall took care of network security. As is usual in such cases, one person was in charge of the entire operation of the IT systems of the municipal office and its established organisations.
The IT administrator managed the entire infrastructure – two dozen virtual Linux and Windows servers running on two different platforms, 150 workstations and users, wired and wireless network elements, databases, applications…

Implementation: how we set up the collection and evaluation of security events
In terms of cyber incident preparedness, we started from scratch in Svitany. We mapped and analyzed the current situation and conducted workshops with the cybersecurity manager, the IT administrator and representatives of the city management. The result was a concept document that clearly described how the collection and evaluation of security events, and the detection of incidents from them, would work.
“The agreed concept paper helped us to set up from which systems and how relevant data will be collected, where it will be stored, and how it will be evaluated and processed further,” says Peter, cybersecurity manager of Svitany.
Based on our recommendations, the configuration of the source systems was amended so that they correctly generate exactly the events we need to know about.
“Svitany thus had in their hands a detailed technical solution for collecting events from already existing systems and tools,” says our technical director, Marek Madžo, describing the situation.
Technology: endpoint, network and data protection
However, Svitany had no threat detection on client workstations at all, which we addressed in the project by deploying EDR and DLP technologies. We replaced the outdated antivirus with modern solutions that protect against ransomware and advanced threats, while also protecting sensitive data (such as citizen, tax or fee records) from leakage or theft.
We also addressed another weakness in network security. “We understood that our old firewall did not provide protection against new threats, so void SOC deployed a new generation firewall,” says Milan, IT administrator at Svitany, describing the situation.
In addition to filtering network traffic between segments, the new firewall also provides IPS services and secure remote access to the internal network via VPN with multi-factor authentication (MFA). Controlled web access is provided by web filtering.
The next step was to deploy a log management solution. This ensured that events collected from both existing systems and newly deployed solutions were securely stored centrally, and accessible for potential investigation and forensic analysis as needed.
The stored events also feed the detection of security incidents, which is handled by the SIEM, likewise implemented as part of this project.
With SIEM, the customer always has a choice – they can decide whether to use our own flexible SOCulus_SIEM solution or one of the commercial solutions (e.g. IBM QRadar, Rapid7 or others). For Svitany, the most effective solution was to deploy a SIEM based on open-source technologies as part of our own next-generation detection platform – SOCulus.

Services and processes: real-time incident resolution
In their initial configuration, the newly deployed systems, as well as the SIEM in its basic setup, generate a large number of alerts. Our SOC team, composed of experienced analysts, thoroughly reviews these events and consults with the customer. If an event is confirmed to be a real incident, we prepare and propose a recommended response. If it turns out to be a normal feature of the monitored environment, we modify the detection rules so that “normal traffic” is filtered out and only suspicious or malicious activity remains.
This entire process is done within guaranteed SLA times, ensuring fast and reliable protection. In addition, Svitany also has the option to report any suspicions directly – by phone, email or via the ticketing system.
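The two paragraphs above describe a cycle that is easy to state but worth seeing in code: events land in central storage, detection rules run over them, and analysts maintain a tuning list that suppresses sources confirmed to be a feature of the environment rather than an attack. The following example is added to this case study and is not void SOC's SOCulus code; it uses constructed sample events, and the hostnames, IP addresses, user names and thresholds are all assumptions. It shows a sliding-window rule for repeated authentication failures, a higher-severity rule for a success that follows such a burst, and a suppression list whose hits are kept for audit rather than silently dropped.

```python
"""Minimal SIEM-style correlation over centrally collected events, with an
analyst-maintained tuning list that suppresses known-benign sources.

Example code added to this case study; it is not SOCulus or any vendor's code.
All hosts, IPs, users and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                  # failures within WINDOW that count as a burst
WINDOW = timedelta(minutes=5)  # sliding window per source address


def _ev(ts, kind, src_ip, user, host="dc01"):
    """Build one normalised event as a log collector might forward it."""
    return {"ts": ts, "type": kind, "src_ip": src_ip, "user": user, "host": host}


# Constructed sample events (ISO 8601 timestamps, UTC), not real log data.
SAMPLE_EVENTS = (
    # authorised internal scanner probing the domain controller: 6 failures
    [_ev(f"2024-03-01T08:00:{10 + i:02d}", "auth_failure", "10.0.5.20", "svc-scan")
     for i in range(6)]
    # an employee mistyping a password twice, then logging in normally
    + [_ev("2024-03-01T08:05:01", "auth_failure", "10.0.1.15", "mnovak"),
       _ev("2024-03-01T08:05:20", "auth_failure", "10.0.1.15", "mnovak"),
       _ev("2024-03-01T08:05:40", "auth_success", "10.0.1.15", "mnovak")]
    # external address guessing one account's password and then succeeding
    + [_ev(f"2024-03-01T09:10:{5 * i:02d}", "auth_failure", "203.0.113.7", "jkovac")
       for i in range(6)]
    + [_ev("2024-03-01T09:11:00", "auth_success", "203.0.113.7", "jkovac")]
    # an unrelated event type that these two rules ignore
    + [_ev("2024-03-01T09:12:00", "process_start", "10.0.1.15", "mnovak", host="ws042")]
)

# Tuning list agreed with the customer after reviewing the first alerts.
# Hypothetical entry: the scanner's failures are a feature of the environment.
SUPPRESSED_SOURCES = {
    "10.0.5.20": "authorised vulnerability scanner (change ticket: placeholder)",
}


def correlate(events, suppressed=None):
    """Run both detection rules over the events in timestamp order.

    Returns {"alerts": [...], "suppressed": [...]}. Hits from suppressed
    sources are returned separately so the tuning list can be audited.
    """
    suppressed = suppressed or {}
    failures = defaultdict(list)  # src_ip -> timestamps of failures in window
    alerted = set()               # sources already alerted for the current burst
    alerts, muted = [], []

    def emit(rule, severity, ev, count):
        record = {"rule": rule, "severity": severity, "src_ip": ev["src_ip"],
                  "user": ev["user"], "host": ev["host"], "failures": count,
                  "ts": ev["ts"]}
        if ev["src_ip"] in suppressed:
            record["reason"] = suppressed[ev["src_ip"]]
            muted.append(record)
        else:
            alerts.append(record)

    for ev in sorted(events, key=lambda e: e["ts"]):
        now = datetime.fromisoformat(ev["ts"])
        src = ev["src_ip"]
        # forget failures that have slid out of the window for this source
        failures[src] = [t for t in failures[src] if now - t <= WINDOW]
        if ev["type"] == "auth_failure":
            failures[src].append(now)
            if len(failures[src]) >= THRESHOLD and src not in alerted:
                alerted.add(src)
                emit("repeated_auth_failures", "medium", ev, len(failures[src]))
        elif ev["type"] == "auth_success":
            # a success right after a burst is the more urgent signal
            if len(failures[src]) >= THRESHOLD:
                emit("success_after_failures", "high", ev, len(failures[src]))
            failures[src].clear()
            alerted.discard(src)
    return {"alerts": alerts, "suppressed": muted}


if __name__ == "__main__":
    result = correlate(SAMPLE_EVENTS, SUPPRESSED_SOURCES)
    for a in result["alerts"]:
        print(f"ALERT  [{a['severity']}] {a['rule']} src={a['src_ip']} user={a['user']}")
    for m in result["suppressed"]:
        print(f"MUTED  {m['rule']} src={m['src_ip']} reason={m['reason']}")
```

Run as-is, the constructed data produces one medium alert and one high alert for the external address, and one muted hit for the scanner; without the tuning list the same data produces three alerts, which is the noise the analysts work through with the customer before the rule set settles. Keeping muted hits in the output is the design choice worth copying: a suppression that nobody can see is a blind spot, and the reason recorded beside each entry is what makes the tuning list reviewable later.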
How Svitany handled the cyber incident
Svitany was the target of a cyber-attack that affected the workstations of the municipal office and led to the encryption of the servers. As a result, city services were significantly disrupted. After a thorough analysis, it turned out that the cause was a visit to a malicious website by one of the city officials. This human error triggered the spread of malware that crippled the city’s systems and made data inaccessible.
In response to the incident, we immediately began working with the city – together we designed the steps to restore systems and data and to secure operations. As part of the solution, we contained the set of compromised devices and user accounts and put preventive measures in place to reduce the risk of similar attacks in the future.
“Our goal is to minimize material and non-material damage, and protect sensitive data from further attack,” explains Michal Šimkovič.
Open communication as the basis for an effective response
One of the key success factors was a transparent approach to incident analysis.
“We very much appreciate that when a security incident was confirmed, the analysis of its scope, causes and also the impact on our environment did not happen behind closed doors, but everything was addressed with void SOC team members together. So we had detailed information and understood what was happening,” says the mayor of Svitany.
After the analysis was done, we provided the city with a detailed report with recommended steps. Svitany decided to continue working together to further implement security measures to reduce the risk of future incidents.
Crisis communication in practice
With a cyber attack disrupting city services, it was necessary to coordinate communications quickly and efficiently toward the public. Svitany utilized our crisis support services: “void SOC became part of our crisis team,” describes the city’s mayor.
Our specialists coordinated contractors and city representatives to ensure smooth and efficient communication. “We leveraged our systems and communication channels to do this. The goal was to ensure that all relevant parties were well and timely informed,” adds Michal Šimkovič.
Such assistance contributed to the rapid management of the aftermath and the restoration of city services.
The result? A stronger and more resilient city
As a provider of basic services, the City of Svitany has a legal obligation to ensure the availability of its services to its citizens. Failure to do so could result in a fine. However, as our technical director Marek Madžo points out, “cities should be concerned with cyber security not only to meet legislative requirements, but above all because it is important and right.”
Thanks to the cooperation with void SOC, Svitany has a high degree of security. However, the greatest benefit will be felt by citizens who can now rely on the functionality and availability of city services.
Additionally, by leveraging our state-of-the-art detection platform, SOCulus, the city will have access to advanced tools to detect anomalies and unknown threats, strengthening the protection of the personal data of its residents and employees.