The Department of Social Welfare and Development (DSWD), as the lead agency for social welfare in the Philippines, is dedicated to enhance its social protection services across the country.
The Department’s mission is “to lead in the formulation, implementation, and coordination of social welfare and development policies and programs for and with the poor, vulnerable and disadvantaged.”
Under the visionary leadership of Secretary Rex Gatchalian, the DSWD has embarked on a significant digital transformation (DX) initiative. This initiative is a response to President Ferdinand R. Marcos Jr’s directive to digitize government services, aiming to provide more accessible, efficient, and reliable services to both the beneficiaries and social workers involved in these programs.
Secretary Gatchalian shared, “As part of the national agenda, cybersecurity is a cornerstone within our DX efforts. We realized it was critical that as we expand our services digitally, we also safeguard the integrity and privacy of the data entrusted to us.”
The Department turned to Palo Alto Networks to help the agency better manage and protect its network, staff, people, and communities it serves, and to carry out the transformational work for Filipinos.
Frequent cyber incidents trigger cybersecurity consolidation
In 2023, the need for a dedicated and capable cybersecurity team became a priority, with an escalation in the number and severity of cyberattacks on government agencies such as the Philippine Health Insurance Corporation (PhilHealth), Department of Education (DepEd), House of Representatives, the Philippine National Police (PNP), among others.
The DSWD was contending with fragmented cybersecurity policies and a lack of comprehensive response playbooks. Compounding that challenge, the Department was faced with inadequate visibility and legacy security tools, which made the Department vulnerable to attacks that disrupted service delivery and compromised beneficiary data.
The agency’s existing IT infrastructure included firewalls that were not centrally managed, leading to inconsistencies in security protocols across different offices, making it difficult to enforce uniform security measures and respond promptly to threats.
The Department’s reliance on off-the-shelf enterprise antivirus solutions proved inadequate against more sophisticated cyberthreats. To modernize operations and improve service delivery, the DSWD embarked on a DX initiative.
Assistant Secretary Julius Gorospe, who serves as the Department’s Chief Information Officer (CIO), reflected on the challenges faced: “We lacked visibility within DSWD’s network as there were no adequate monitoring tools or dashboards in place to detect anomalies or malicious activities promptly.”
This hindered DSWD’s ability to respond effectively to potential threats and manage their network security.
The chief information officer added, “Rapid DX and cloud adoption meant that IT infrastructure, assets, data and users were exposed to attacks more than ever.”
The Department recognised that cybersecurity was the bedrock to a successful digital transformation journey and to safeguard the underprivileged communities it serves.
In 2023, the DSWD faced multiple server outages, severely hampering their ability to deliver continuous social protection services, leading to minor data losses. The risk of data privacy breaches posed a substantial challenge, since the beneficiaries trust the department with their information, but also because the beneficiaries could become the target of phishing attacks and identity theft.
Establishing a new frontier of robust cybersecurity
The DSWD faced repeated server outages that were restored only temporarily, until the next attack. When there was another security incident, the Department ensured that the report was filed with the National Privacy Commission (NPC) and law enforcement agencies, and that all other required protocol was followed.
“Given the frequency of attacks, the DSWD needed to take steps to conduct a proper investigation and identify if threat actors were still within our infrastructure,” Asst. Secretary Gorospe said.
In addressing the cybersecurity challenges for the DSWD, the agency needed to consider the physical offices, field workers, smaller offices, cloud assets, and high-value targets such as key executives and ICT personnel, each with its unique set of challenges.
The Department took steps to define key goals and metrics for DSWD’s security, centered around data loss prevention, which enabled new social protection services and established a new frontier for innovative online services. They aimed to:
- Focus on data loss prevention (DLP) due to business interruptions.
- Use automation to reduce alert fatigue and false positives, allowing their SOC team time to focus on critical issues.
- Achieve single-pane-of-glass visibility of their IT infrastructure, from end users to the network and cloud, all in one platform.
- Have comprehensive reporting tools to capture security incidents and ensure regulatory compliance.
"Given the frequency and severity of cyberattacks presently, the DSWD needed to take steps to conduct a proper investigation and discover if threat actors were still within our infrastructure.”"
–Julius Gorospe
Assistant Secretary and Chief Information Officer, DSWD
Integrated security platform and Unit 42 IR to secure against future threats
The DSWD had been using Next-Generation Firewalls (NGFWs) from Palo Alto Networks and relied on Palo Alto Networks as a trusted vendor. Prior to engaging Unit 42, the agency faced an ongoing cyber incident. Based on his past experiences working with Palo Alto Networks, CIO Gorospe knew he could rely on their trusted team to investigate the incident, secure the infrastructure, and prevent any escalation of the threat at hand.
At this stage, the Department selected Unit 42 Incident Response Services to investigate further. This partnership would enable the Department to leverage trusted threat intelligence, incident response expertise, and best-in-class tools to respond to the threat and limit further exposure.
On the advice of Unit 42, Cortex XDR was deployed to provide the necessary visibility and extract more information about the incident.
“Unit 42 showcased their capabilities by pinpointing the cyber-attack chain, and provided us with comprehensive visibility and insights that we did not have previously,” the DSWD official said.
Palo Alto Networks has stood by the DSWD as a trusted partner, helping them every step of the way, from the time of the incident and even after the incident, to draw up the best-suited cybersecurity strategy.
Being a public agency, every decision taken by the Department is subject to scrutiny and debate. Through the partnership with Palo Alto Networks, CIO Gorospe feels that they have been able to contain incidents, meet regulatory requirements, and stay ahead of threats faced, and in his words, “no value can be put to that!”
In-progress ransomware attacks stopped, adding significant improvements to cybersecurity posture
During the ongoing Unit 42 investigations, there was a secondary attack attempt via Trigona ransomware, which was promptly thwarted. This would not have been possible without the Cortex XDR agents with prevention policy set to block.
“We were fortunate that we had engaged Unit 42 from the initial incident, as there could have been dire consequences had the second attack unfolded,” Asst. Secretary Gorospe elaborated.
Additional endpoints were secured with Cortex XDR as the DSWD wanted to be more aggressive in their proactive security approach and relied on Palo Alto Networks to implement a more robust infrastructure since the attack revealed endpoint and network security gaps.
The cyber incidents highlighted the gaps in the DSWD’s cybersecurity posture as there were numerous threats that evaded detection by previous security tools. Under Unit 42’s guidance, the DSWD has not only strengthened the agency’s endpoint protection but has made changes to its cybersecurity strategy and policies to better address threats.
The integrated solution from Palo Alto Networks has given the Department single-pane-of-glass visibility across different platforms, without having to deal with multiple vendors and different overlapping technologies.
Unit 42 brings in threat researchers who help consolidate threat intelligence and information in a comprehensive manner. The threat intel reports helped the DSWD team understand adversary intent and attribution. As a government agency, the DSWD needs to comply with stringent cybersecurity and regulatory requirements. In the event of any incidents, the Unit 42 Incident Response reports not only provides actionable intelligence but also ensures that the reporting requirements are met.
Additionally, post incident, the Unit 42 team provided the DSWD with a list of recommendations, sorted by importance level, to help the DSWD further enhance their cybersecurity posture. This allows the Department to prioritise and make an action plan to tackle incidents based on the order of severity and deal with them in a timely manner. It simplifies the management of security protocols and ensures that all components, from perimeter defences to endpoint security and incident response, are working in harmony.
Minutes to block threats and incident response experts on call 24/7
Unit 42 created custom BIOC rules using Cortex XDR to spot genuine remote application tools leveraged by threat actors. Within minutes of activating these rules across the entire network, these threats were immediately blocked. Further, threat actors were detected trying to move laterally in the network, which was resolved in a timely manner as a result of NGFWs, Unit 42 Incident Response, and the support of the local team.
With the escalation in cyberattacks on Philippine government agencies, the DSWD wanted to take a proactive approach to cybersecurity, as they were cognizant that an improper response to an attack can exacerbate the damage, potentially leading to prolonged service disruptions and loss of trust in the digital services being provided.
For that reason, the DSWD has a Unit 42 Retainer in place, which enables them to have incident response experts on call any hour of the day in case of an incident.
As CIO Gorospe has said, “With Unit 42’s involvement, any security incidents are dealt with swiftly and effectively, minimising the impact on the DSWD’s operations, staff, and the people and communities that we serve.”
With a huge talent shortage in cybersecurity, the DSWD was on the lookout for individuals with the required skill sets and competence. Under Gatchalian’s and Gorospe’s guidance, the DSWD has been able to build a team of 30 for their SOC. Partnering with a company like Palo Alto Networks has meant that these individuals interact with the best in the industry, giving them unparallelled insights into industry trends and better practice recommendations.
To continue to strengthen their security posture, the DSWD is applying their Unit 42 Retainer credits toward a SOC Assessment and Incident Response Plan Development and Review. These proactive assessments will provide guidance to the team for security capability uplift and help ensure they are prepared should another attack occur.
Identified and eliminated a threat actor undetected by prior security tools for 1-2 years
Cortex XDR was deployed to provide visibility and enable the Unit 42 investigators to glean additional insights from the various incidents.
Tracing the attack path was crucial as it helped the DSWD understand how the attack unfolded and the Unit 42 investigators were able to provide actionable intelligence to the Department.
With the support and assistance of Palo Alto Networks, the DSWD is confident that their current security tools will be able to support their mission and future plans.
"Unit 42’s involvement ensured that any security incidents were dealt with swiftly and effectively, minimising their impact on DSWD’s operations and the people they serve.”"
–Julius Gorospe
Assistant Secretary and Chief Information Officer, DSWD
An evolving partnership that wards off emerging threats
The series of incidents indicated that undetected threat actors are persistent and will lay dormant to cause greater damage, should they not be detected and weeded out in a timely manner. The incidents also ignited a deeper discussion with the DSWD’s leadership about their ability to deal with cyberthreats with the existing infrastructure. This led the Department to have a rethink about the additional technologies such as Cortex XSIAM® to further uplift the DSWD’s security operations center (SOC) and overcome the cybersecurity talent shortage.
Through the ongoing digital transformation, the DSWD is committed to becoming a model of innovation and efficiency in service delivery, especially for the public sector. By integrating advanced digital solutions and strengthening their cybersecurity framework, they are setting new standards for how social welfare services can be delivered in the digital age, as they continue to meet the needs of the Filipino people. The partnership with Palo Alto Networks is instrumental in ensuring that cybersecurity measures are not static but evolve in line with both technological advancements and emerging threats. The goal is to create a robust cybersecurity infrastructure that not only defends against current threats but is also proactive in its approach to future risks.
Find out more about how Palo Alto Networks Network Security Platform and Unit 42 Incident Response can protect your entire network and stay ahead of threats.