For many public sector organisations, cyber security tops the corporate risk register. Salford City Council is one of the ten metropolitan borough councils in Greater Manchester. It serves 220,000 residents. The diverse city region includes some of the most deprived wards in the country as well as being a high-tech hub that includes MediaCityUK, home to 250+ creative and digital businesses. As part of a wider programme to develop digital skills across the city region, Salford City Council has created a commercial security operations centre built on a public-sector-operated platform and Microsoft Sentinel. As well as protecting the council and its residents, the SOC services will be offered across the North West – and, eventually, beyond – to make public sector and enterprise more secure.
“The whole package has strengthened our security posture, reduced corporate risk and lets us sleep at night.”
Steven Fry, Chief Digital Officer, Salford City Council
“Cyber security is an integral part of local government’s wider work to digitalise services and support the most vulnerable in our society,” says Salford’s City Mayor, Paul Dennett. “It’s crucial to ensuring services are kept up and running and to keeping the public’s trust in councils with their information. It takes years to build a reputation and a few minutes of cyber incident to ruin it – the knock-on effect of a data breach can be devastating for a local authority and the residents it serves. Healthy cyber security is key to the efficient and productive running of every council.”
Putting cyber security front and centre
“This isn’t just about the financial risk for me – although that is substantial. It’s about protecting the communities we serve, because we’re public servants at the end of the day,” confirms Steven Fry, Chief Digital Officer at Salford City Council. “Cyber security is at the top of our corporate risk register which means everyone in the organisation has some sort of responsibility for cyber awareness and cyber security. The pivot to homeworking during the pandemic created a need for additional cyber security diligence.”
Prior to COVID-19, Salford’s IT estate had been predominantly desktop-based with users accessing network resources behind Salford firewalls and security. “We had to pivot our approach fast,” continues Steven Fry, “and that meant upgrading to the Microsoft 365 E5 licensing.”
Microsoft 365 E5 is Microsoft’s premium enterprise bundle: a cloud-based suite of productivity apps that includes advanced voice, analytics, security, and compliance services. Pre-pandemic, Salford City Council’s 'My Work' digital workforce programme had been focused on becoming a more agile and mobile-first organisation that could deliver services most appropriately and impactfully for residents. This initiative was fast-tracked almost overnight. As well as investing in the right kit, this meant having the right security standards in place.
Digitalisation heightens the need for a cyber security focus
“Now we’re seeing our workforce use the tools available in Microsoft 365 E5 – like Power Apps and Power Automate – to create their own workflows and their own applications,” Steven Fry explains. “We’re starting to see that upskilling naturally. Microsoft 365 E5 allowed us not to stifle that workforce development; it allows us to enable staff to be next-generation workers in local government.”
Salford City Council recognised that the next generation of digital workers would require next-generation approaches to cyber security.
“We knew that with a strategy of digital enablement would come more security risks,” continues Steven Fry. “Microsoft Defender for Endpoint security was at the top of our list in terms of making sure devices were secure from the moment they were unboxed. The E5 upgrade meant we got Microsoft Defender for Endpoint and access to all of Microsoft’s security and advanced threat protection packages. It allows us to really maximise our Microsoft licensing. We were able to work with Microsoft to develop a cyber strategy, including developing a security operations centre using Microsoft Sentinel.”
Choosing Microsoft Sentinel
Salford City Council assessed a number of security information and event management (SIEM) tools before choosing Microsoft Sentinel. Steven Fry explains, “We assessed them in terms of cost and integration but, in terms of interoperability, Microsoft Sentinel was better. Having moved to E5, the ingestion of data from Microsoft 365 is at no charge. And we were also impressed by the investment Microsoft are making in the solution and its road map.”
Furthermore, as a cloud-native SIEM, Microsoft Sentinel is 48 percent less expensive and 67 percent faster to deploy than legacy on-premises SIEMs.
“Microsoft Sentinel provides us with a single pane of glass across our estate. Its interoperability out of the box with Microsoft 365 is brilliant. The choice of Microsoft Sentinel really enabled my team to spin this up fast. Of course, the risks we face meant we knew this wasn’t enough, hence the need for a security operations centre.”
Building a security operations centre for the North West
The Security Operations Centre (SOC) was established in partnership with HOST at MediaCityUK. Steven Fry explains, “It’s a 24/7, 365 security operations centre that uses Microsoft Sentinel across the Salford landscape to monitor, detect and respond.”
Salford City Council has been partnering with In4.0, a local digital transformation services provider, to establish a new centre for innovation support in MediaCityUK. HOST, the Home of Skills & Technology, is an innovation hub in Salford that supports start-ups, SMEs and established businesses in the North West with labs, R&D and prototyping environments, affordable workspace, specialist advice and technology training.
For the Salford City Council team, it seemed like a logical progression to site the new SOC at HOST. From this base, the SOC could eventually offer its expertise to other regional public sector organisations and SMEs.
“Getting the people, processes and playbooks in place to understand what isn’t a false positive and what needs to be acted upon is very bespoke – and that isn’t covered in people’s day jobs; that is the job of a SOC,” explains Steven Fry. “I’m in a very lucky position that my teams have the skills to manage this, but other organisations might not. And that’s why we set up HOST cyber. To share those skills.”
Committing to a digital journey with Microsoft
One of the compelling reasons for choosing Microsoft Sentinel as its SIEM tool was the interoperability out of the box with Microsoft 365, so it ingests a large part of activity automatically. Steven Fry has found that standardised interoperability extends across a large part of the Salford IT estate.
“It’s not just the Microsoft estate that’s in there – it’s all the other applications and infrastructure we use,” confirms Steven Fry. “Interoperability out of the box with most of these big vendors is another attractive feature of Microsoft Sentinel for us. We have a single pane of glass so we can monitor, detect and respond.”
The Salford City Council team has now migrated over 90 percent of its mixed technology estate to Microsoft Sentinel for cyber risk detection and response. Microsoft Sentinel has replaced multiple bespoke network logging tools so that all cyber security monitoring can be undertaken using a single tool.
Early benefits achieved
Ease of use and comprehension of scope mean that the team can be much more proactive. Steven Fry says, “We’re now in a proactive state, rather than a reactive state. We’ve got analysts who are actively hunting across the estate, so we can detect and respond and prevent attacks before they even start.”
“We thought we were really on top with our cyber security monitoring but, since we’ve put Microsoft Sentinel in, some of the things we’ve discovered have been eye opening! The team are now actively hunting threats down and we are getting on top of them on day one,” adds Steven Fry.
“Microsoft Defender for Endpoint and the rest of the Microsoft Defender suite have shown us where staff are downloading applications that we wouldn’t have picked up before. The whole package has strengthened our security posture, reduced corporate risk and lets us sleep at night.”
Operating a SIEM tool: lessons learnt
Since its launch at the beginning of 2021, the SOC team at HOST has already doubled in size. “And it’s not just those six people,” emphasises Steven Fry, “They have the backup of the whole of Salford’s digital, data and technology team, which is 100 people deep.”
To develop the specialist skills in Microsoft Azure and Microsoft Sentinel within the team, Salford City Council leveraged the skills and learning resources of the Microsoft Enterprise Skills initiative.
“I’m lucky because Salford has a great digital, data and technology team. In our infrastructure team, our security team, there’s a vast array of knowledge. It was just about channelling all that knowledge into this new, modern SIEM tool,” says Steven Fry. “That’s something Microsoft has really helped us with. It’s appealing to the team to learn Microsoft. They have picked up new skills and some are pivoting into a different career path focusing solely on security – which are skills for the future. If that’s the way the technology is moving, then that’s the way the workforce has to move.”
A digital city
Investing in developing digital skills is something Salford City Council is keen to do beyond its own workforce, both to address the national skills shortage and to improve the quality of life and wealth of the region. Its partnership with HOST is part of this vision. It is backed up with a digital inclusion team working with communities across the city.
“This is an ecosystem we’re creating,” emphasises Steven Fry. “It’s not just plugging in a SIEM tool. It starts with basic skills in schools all the way up to growing our digital economy. If you think about the way the pandemic has forced businesses to shift to ecommerce, then there’s an onus on us, as a public sector, to make sure that businesses are equipped and understand the implications of moving into that digital world.”
A security operations centre for the whole region
“What we’ve created in Salford is a unique opportunity. We can use this model to allow other local authorities – and SMEs in the region, from a social value perspective – to use our expertise in cyber,” continues Steven Fry. “With our public-private partnership at HOST we have created a commercial SOC run on public sector platforms. Our USP is the skills we have in monitoring environments to detect and respond. Our vision is linking up across Greater Manchester to deliver more opportunity for the region.”
Salford’s City Mayor, Paul Dennett, concludes: “We’re proud to be part of Cyber Salford, an innovation blueprint that aims to make the city a national leader as one of the most enabled places in the UK. We recently launched this initiative in association with IN4 Group, the Cyber Resilience Centre and partners Raytheon Technologies. Cyber Salford will bring the best in class of public and private sector knowledge to help businesses, residents, sole traders and learners from across the city to become more aware and secure. This will mean more trust and confidence in an increasingly digital world.”