The City of Montreal is in the process of setting up a security practice that will determine how it will respond to malicious attacks, software bugs or other problems detected by a third-party monitoring service.
Above Security, which is based just outside the city, has been awarded a three-year contract to set up a system that will include intrusion detection mechanisms, vulnerability management, component analyses and log centralization. The system includes detection sensors that automatically consolidate, analyze and correlate security data from heterogeneous security devices into a central repository that feeds into a Web-based management console. IT assets to be monitored under the contract include the city’s municipal enterprise resource planning system, its E-Portal and other back office administration systems.
In an e-mail interview, Claudia Thibault, a spokeswoman for the city’s IT department, said setting up a round-the-clock security operations centre would have meant scheduling staff in three different shifts with one backup person. Creating a mature security solution, she added, was estimated to take about 18 months. Above Security, in contrast, was ready to go almost immediately.
“(We looked at) the effort required to configure and maintain the hardware and software infrastructure vs. a firm that has the specialists capable of minimizing false positive alarms, which is the main issue with this kind of technology,” she said. “Over time, we should be able to notice a ‘time to respond’ reduction regarding cyber attacks, which will limit productivity losses on our side.”
Daniel Gaudreau, Above Security’s vice-president of technology and operations, said the city’s security practice will work with Above Security to develop what he called an “escalation matrix,” or an “intervention grid.” This would identify the specific actions Above Security should take depending upon the nature of the event. Minor incidents might simply be logged or compiled in a monthly report, while more serious issues would be reported to a specific city employee.
“They’ve always had people assigned to security concerns, but now it’s just a matter of putting together a proper incident handling process,” he said. “I think that people have been doing this naturally, without really thinking about it.”
System and application logs will be kept off-line and reviewed systematically by an independent third party to pinpoint security anomalies, Thibault said. This information will be protected and available, if needed, to support legal procedures, such as the repudiation of an electronic transaction.
“(It should) improve our system security position and reliability,” she said.
Gaudreau said managed security providers who do their job well are challenged to demonstrate a measurable return on investment, a situation he likened to the insurance industry.
“It’s hard to say, ‘We’ve been well protected,’” he said. “What are the different risks that just went by, what firewalls were well-configured and what were the different machines that were patched? It’s something you know you need to pay for as an expense.”
Above Security employs analysts who monitor the system console for suspicious traffic, such as software that might scan one of the city’s machines for open ports. The key to providing surveillance in a public sector environment is covering all the points of vulnerability inside city hall and beyond, Gaudreau said.
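To make the arrangement described in this article concrete, here is an added illustration (not the city’s or Above Security’s code) of the three pieces it mentions working together: lines from heterogeneous devices are normalized into one central repository, a correlation rule flags a source probing many ports on one machine, and each finding is routed through an escalation grid that decides whether it is merely logged, compiled into a monthly report, or escalated to a named contact. The two log formats, the sample lines, the thresholds and the grid itself are assumptions made for the example.

```python
"""Toy version of the pipeline the article describes: normalize events from
heterogeneous security devices into one repository, correlate them (here a
simple port-scan detector), and route findings through an escalation grid.
Added example; not the city's or Above Security's code. The log formats,
the thresholds and the grid itself are assumptions made for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in two made-up formats: firewall and IDS alert.
RAW_LOGS = [
    "2024-03-01T10:00:00 fw01 DENY src=203.0.113.5 dst=192.0.2.10 dport=21",
    "2024-03-01T10:00:01 fw01 DENY src=203.0.113.5 dst=192.0.2.10 dport=22",
    "2024-03-01T10:00:02 fw01 DENY src=203.0.113.5 dst=192.0.2.10 dport=23",
    "2024-03-01T10:00:03 fw01 DENY src=203.0.113.5 dst=192.0.2.10 dport=25",
    "2024-03-01T10:00:04 fw01 DENY src=203.0.113.5 dst=192.0.2.10 dport=80",
    "2024-03-01T10:00:05 fw01 ALLOW src=198.51.100.7 dst=192.0.2.20 dport=443",
    "2024-03-01T10:05:00 ids01 IDS prio=1 sig=EXAMPLE_EXPLOIT src=203.0.113.9 dst=192.0.2.30",
    "2024-03-01T10:06:00 ids01 IDS prio=3 sig=EXAMPLE_POLICY src=198.51.100.7 dst=192.0.2.20",
    "this line is not in any known format",
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) IDS prio=(?P<prio>[123]) "
                    r"sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")
IDS_SEVERITY = {"1": "high", "2": "medium", "3": "low"}

# Escalation grid (assumed): what the provider does for each severity level.
ESCALATION_GRID = {"low": "log_only", "medium": "monthly_report", "high": "notify_contact"}


def normalize(line):
    """Map one raw line from either device type into a common event schema."""
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "kind": "firewall", "src": m["src"],
                "dst": m["dst"], "dport": int(m["dport"]), "action": m["action"]}
    m = IDS_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "kind": "ids", "src": m["src"],
                "dst": m["dst"], "sig": m["sig"], "severity": IDS_SEVERITY[m["prio"]]}
    return None


def centralize(lines):
    """Consolidate parsed events into one repository; keep unparsed lines visible, not dropped."""
    repo, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            repo.append(ev)
    return repo, unparsed


def detect_port_scans(repo, window=timedelta(seconds=60), min_ports=5):
    """Correlation rule: one source touching >= min_ports distinct ports on one host within window."""
    hits = defaultdict(list)
    for ev in repo:
        if ev["kind"] == "firewall":
            hits[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))
    findings = []
    for (src, dst), seen in hits.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            ports = {p for t, p in seen[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                findings.append({"type": "port_scan", "severity": "medium",
                                 "src": src, "dst": dst, "ports": sorted(ports)})
                break  # one finding per (src, dst) pair is enough for the console
    return findings


def ids_findings(repo):
    """IDS alerts become findings directly, carrying the sensor's own severity."""
    return [{"type": "ids_alert", "severity": ev["severity"], "src": ev["src"],
             "dst": ev["dst"], "sig": ev["sig"]} for ev in repo if ev["kind"] == "ids"]


def triage(lines):
    """Full pass: centralize, correlate, then route every finding through the grid."""
    repo, unparsed = centralize(lines)
    findings = detect_port_scans(repo) + ids_findings(repo)
    routed = [dict(f, action=ESCALATION_GRID[f["severity"]]) for f in findings]
    return {"findings": routed, "unparsed": unparsed}


if __name__ == "__main__":
    for f in triage(RAW_LOGS)["findings"]:
        print(f["action"], f["type"], f["src"], "->", f["dst"])
```

Two design points matter more than the rule itself: lines the parsers do not recognize are kept in a separate list rather than silently discarded, because a gap in the centralized repository is exactly what undermines the log review and the legal-evidence use the article mentions; and the grid is data, not code, so the city and the provider can renegotiate who is notified for which severity without touching the detection logic.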
“It’s like your home. If you want to put in an alarm system at home, you’ll try to protect your entrance – the front door, the windows,” he said. “Within a network, it’s the same thing. In the case of a city, libraries need to be protected, because their door is open to the Internet too.”
Montreal’s network includes more than 25,000 computer users, 900 of whom access the network remotely. Besides its contract with Above Security, the municipality has also used security tools from Check Point Software.