Every organisation has vulnerabilities in its digital infrastructure, including in its Domain Name System (DNS). In the Protecting Public Sector Domains team in the Central Digital and Data Office (CDDO) we work to identify and fix those vulnerabilities before our adversaries find them. We’d also like to do that for other kinds of vulnerabilities, related to email and web services. This isn’t easy, but it’s a goal we’re working towards.
Our monitoring tools find misconfiguration and vulnerability data from a variety of services, and we’re gradually expanding our scope and capability. Once we have the data, we have found the hardest part is getting the information into the hands of the person who can fix it.
To that end we are running a Domain Data Sharing programme to send the vulnerability data we collect directly to public sector organisations via their SIEM (Security Information and Event Management) or other systems.
SIEM on the rise, tracking is hard: what we learnt during discovery
Last year, we ran a discovery programme to look for a way to share all our vulnerability data, not just the biggest and most urgent problems. We talked to people in public sector organisations who manage and fix domain issues, or operate vulnerability management or other teams that work every day to fix these kinds of problems. We found that:
- knowing what domains an organisation has and who controls them is surprisingly hard
- it can take longer to find the person who can fix the vulnerability, than it does to fix the vulnerability itself
- lots of organisations lack a consistent approach to handling vulnerabilities - they come in different formats and from different sources, and different parts of the organisation need to fix them depending on what they are
- some processes for managing vulnerabilities are new, or more informal, and the process can be hard to track
- lots of people like the National Cyber Security Centre’s Active Cyber Defence (ACD) services, and that is where they expect to go to find out about misconfigurations and vulnerabilities
- lots of people also like someone to get in touch and tell them directly when something is wrong
We also found that SIEM adoption is growing. These are systems that collect and analyse data from different sources like network devices or servers, and external feeds like ours, and use them to spot security issues. These are toolsets that can handle the volume of data we offer in a way that’s useful to our users.
Launching our Domain Data Sharing beta programme
In light of our learnings during the discovery phase, we've got a Domain Data Sharing beta programme running right now that will:
- set up SIEM integrations, so we can get data to where it can be acted on most quickly
- set up DNS hosting integrations, so we know what domains you have, and make sure we're monitoring everything
- work with your organisation to map out the business processes used to handle vulnerabilities, and help you improve them if needed
We’re also working with NCSC to include our data in ACD services in the future.
Join our beta and explore your organisation’s domain vulnerabilities
So if you have struggled with the kind of problems we found in our discovery, or you'd just like to get a free feed of domain, web, and email vulnerabilities for your public sector organisation, we’d like you to join our Domain Data Sharing beta programme. Get in touch with us at support@domains.gov.uk to sign up.
Leave a comment