Lancashire & South Cumbria NHS Foundation Trust
zED with zED to the MAx
Briefly describe the initiative/ project/service; please include your aims and objectives
Building on zED, the email scanner by Bruce Thompson from CTAG (and of course the work by Matt Smith to visualise that data for WARP consumption), we have developed extra, automated functionality. In the vein of zED, this is freely available to the public and third sector.
Our aim was to find a better way to help staff determine who is safe to send OFFICIAL-SENSITIVE email to, as our previous allow lists based on Enforced Encryption had become unusable due to various email migrations in our region, and of course NCSC had published new guidelines based around opportunistic encryption, anti-spoofing technology and MTA-STS.
Out of this came a simple idea: zED already has all of this information, and we could use it to help our staff determine who is safe to send to, and to improve our supply chain security as well.
Essentially we have a scheduled script which:
- collects the zED report each week
- creates a file for the Outlook button to reference; this has two fields, domain name and whether the domain is Trustworthy or Unsafe
- gets a 7 day report of delivered email from Exchange Online
- determines new domains to add to zED, validates them and sends them to zED
- creates a domain breakdown report which adds the zED Trust Rating and score to each email sent.
With this script output we can create:
- a button in Outlook that can inform whether recipient domains are Trustworthy or Unsafe, just before sending.
- a website that can do the same in bulk, but will also inform if the domain is Unknown
- another website (a set of tooling) to help with creating content for supply chain investigations
- analysis of all email sent in terms of number of emails sent by domain, safety and recipient type.
- We currently have two websites for this: one with the rolling 7 day analysis and one that holds all (all time) breakdown reports.
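As an added illustration of the scheduled job described above (this is example code, not the trust's own script or any part of zED), the following Python joins a zED-style rating export with a 7-day delivered-mail export to produce the two-field Outlook lookup file, the per-domain breakdown with Unknown domains flagged, the syntax-checked candidates to submit to zED, and the volume leaderboard. The column names, file layouts and sample rows are constructed assumptions, not zED's or Exchange Online's real formats.

```python
import csv
import io
import re
from collections import Counter

# Constructed zED-style rating export; column names are an assumption, not zED's format.
ZED_REPORT = """domain,rating
supplier-a.example,Trustworthy
supplier-b.example,Unsafe
"""

# Constructed 7-day delivered-mail sample; columns are an assumption, not Exchange Online's format.
DELIVERED = """sender,recipient,status
alice@trust.example,bob@supplier-a.example,Delivered
alice@trust.example,carol@supplier-b.example,Delivered
dave@trust.example,erin@supplier-b.example,Delivered
dave@trust.example,frank@new-partner.example,Delivered
dave@trust.example,greg@localhost,Delivered
alice@trust.example,hal@failed-host.example,Failed
"""

# Basic syntax check before a domain is proposed to zED for scanning.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$")

def load_ratings(text):
    """Map domain -> 'Trustworthy' or 'Unsafe' from the zED export."""
    return {r["domain"].lower(): r["rating"] for r in csv.DictReader(io.StringIO(text))}

def recipient_domain(address):
    return address.rsplit("@", 1)[-1].lower()

def breakdown(delivered_text, ratings):
    """Per-domain count of delivered mail, tagged with its zED rating or 'Unknown'."""
    rows = csv.DictReader(io.StringIO(delivered_text))
    counts = Counter(recipient_domain(r["recipient"]) for r in rows if r["status"] == "Delivered")
    return {d: {"sent": n, "rating": ratings.get(d, "Unknown")} for d, n in counts.items()}

def new_domains(report):
    """Unknown domains that pass the syntax check: candidates to send to zED."""
    return sorted(d for d, v in report.items() if v["rating"] == "Unknown" and DOMAIN_RE.match(d))

def leaderboard(report, rating):
    """Domains with the given rating, most-emailed first (the 'Unsafe chart')."""
    ranked = ((d, v["sent"]) for d, v in report.items() if v["rating"] == rating)
    return sorted(ranked, key=lambda item: (-item[1], item[0]))

def outlook_lookup_file(ratings):
    """The two-field file the Outlook button reads: domain,rating per line."""
    return "".join(f"{d},{r}\n" for d, r in sorted(ratings.items()))
```

Note that "localhost" stays Unknown in the breakdown but is never proposed to zED because it fails the syntax check, and the Failed row is excluded from the counts.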
What are the key achievements?
Our staff now have, via an easy button, a much wider dynamic range of domains they can send to under the NCSC guidance based around opportunistic encryption with the attached anti-spoofing technology and MTA-STS. This cuts down our reliance on further encryption products and minimises the pushback which always comes with these clunky solutions. It is a major boost to performance for staff to have something right inside Outlook that instantly shows whether their recipients are Trustworthy or Unsafe.
Our teams are already utilising the domain checker website to look at the posture of groups of domains for possible new services, which is being well received. We also use this to help with our withdrawal from NHS.net. It is also used for assurance that new domains added to zED, as mentioned above, have actually landed in the latest report.
We have a new way to engage our supply chain which is meaningful and grabs their attention amid all of the other information security questions asked during DPIA etc. This is not usually a part of things like Cyber Essentials Plus (working on that) and other requirements like the DSP Toolkit.
In this respect we are making a difference: we have the evidence to show good engagement, and several domains have moved from Unsafe to Trustworthy because of this work. Of course this helps everyone everywhere; once a domain becomes Trustworthy for everyone, the UK is a little safer to live and work online.
To tell a short story: we have a leaderboard (from the analysis domain breakdown system) for Trusted and Unsafe domains based on the number of emails sent to them. At the top of our Unsafe chart was an organisation that, when confronted on a Teams call, clearly was not happy to see itself at number one that week, and did admire all that we had put together for them . . . because . . . they had tried to get to Trustworthy but it broke an internal system, so leadership told them to leave it alone. But we were their first partner to confront them, and we did need the partnership, so I had given them leverage to go back to leadership and ask for the resource to get to a Trustworthy state, and they thanked us for this. There are other similar stories.
The analysis websites have been hugely popular with many groups, particularly those in leadership roles, as a quick way to see where we are across the many metrics put in there.
How Innovative is your initiative?
No one else, from what I can see, does any of this; I have shown Egress and they will certainly be taking lessons from it. No one is looking at supply chain posture based on the NCSC secure email guidance; based on feedback from suppliers, this is the first time they have been asked to look at email security, particularly in the anti-spoofing technology area.
Most organisations have safe lists of domains to send to; I don’t know of anyone else using dynamic systems like this, certainly not made free of charge without extra appliances.
NCSC have seen this and are looking at the Outlook button as something they could build and offer to all, in the same vein as the phishing button already offered.
The fact that we have built this in house, between three of us, for no licensing cost, and that it is so simple, useful and innovative to so many, exceeding the original objectives, is very satisfying to us all.
What are the key learning points?
We now have a wider range of domains we can send OFFICIAL-SENSITIVE email to. This can actually prevent harm: previously we might have used “encryption of the body” email, which often gets pushback from staff at both ends of the system. It is simple to use, and could be used differently depending on each organisation's encryption licensing, which could be automated.
There is a gap in supply chain assurance that this can effectively fill; our hope would be that many organisations take on this challenge. Used across the sectors, we can really get our supply chain in line with regard to the public sector.
We have already rolled this out at another hospital, and we are currently engaged with rolling it out to a housing association and councils. We have other interested organisations that want this but have not started the full engagement process.
There is a ‘lite’ version available for those organisations that do not use Exchange Online.
Additional Comments
One of the private sector companies we have shown this to described it as “very powerful”; another wanted to know how they could buy it for themselves.