Overview

UK GCSx, also known as Government Connect Secure Extranet, is a compliance requirement established by the UK government. It sets the standards for secure communication between public sector organizations and government bodies. Compliance with UK GCSx ensures the confidentiality, integrity, and availability of sensitive government data transmitted over public networks. 

Netsurion Managed XDR for UK GCSx Compliance 

Netsurion Managed XDR combines SIEM, log management, proactive threat hunting, and guided incident response to effectively meet the requirements outlined in GCSx requirements. With comprehensive monitoring, analysis, and reporting capabilities organizations can identify and manage their assets, establish access controls, protect resources, and respond promptly to incidents. 

By partnering with Netsurion, public sector organizations can strengthen their security posture, protect sensitive government data, and achieve compliance with UK GCSx. This helps ensure secure communication and maintain the confidentiality and integrity of data transmitted over public networks. 

Using Netsurion Managed XDR to meet GCSx CoCo Requirements

CESG Memo 22

CESG memo 22 states that logs should record the following for users on your network.

  • Successful login / logout
  • Unsuccessful login / logout
  • Unauthorized application access (where applicable)
  • File access attempts to protectively marked information (e.g. RESTRICTED /PROTECTED data)
  • Privileged system changes (e.g. account management, policy changes, device configuration)

Logs should be kept for a minimum of 6 months. They should form part of your incident response policy, as well as help with a wider CESG investigation.

Netsurion Open XDR alerting capability can detect and notify individuals of activity that may constitute an incident. Netsurion Open XDR notification capabilities can route alerts to the appropriate individual based on group membership or relationship to the impacted system. Netsurion Open XDR reports provide summary and detailed level reporting of incident based alerts. Netsurion Open XDR completely automates the process and requirement of collecting and retaining audit logs. Netsurion Open XDR retains logs in compressed archive files for cost effective, easy-to-manage, long term storage. Log archives can be restored quickly and easily, months or years later in support of after-the fact investigations. Using Netsurion Open XDR can identify authentication failures and successes across the infrastructure.


Reveal a unique identification (ID), e.g. the ID of the individual or process performing a function (this may be an anonymous or default account, or an automated ID, e.g. database process).

Netsurion Open XDR captures log-in details for individuals or processes accessing information or executing commands within a company’s asset base. This information can be searched, reported and alerted on.


Reveal the date and time of an event or function or series of related functions.

Netsurion Open XDR preserves original date and timestamps for received logs, and by using the system it is possible to correlate and aggregate activity across a wide range of servers/devices and databases within the estate.


Identify the physical or logical address (or both) where the function took place (this could be a terminal address, boundary device port address or similar).

Netsurion Open XDR receives log information across multiple platforms and it preserves the physical and logical information about activity on the network or servers, desktops, etc.


Reveal the type of service being executed, e.g. logon or logoff, boundary proxy service, address resolution, but particularly unsupported services or protocols, or services not approved within the terms of a security policy.

Reports can be established to mirror a client’s security policy and to alert when behavior is identified outside the norm. New services started for instance, is a predefined report present on.


Identify the execution of privileged commands, e.g. to extend access rights, assume additional privileges, password changes, adjust boundary device configuration, backup and restore or archive operations.

Netsurion Open XDR provides detailed reporting, analysis and real-time monitoring on privileged command execution across network device, servers, databases and applications including, but not limited to, extended access rights, access granted, and password changes, backup and restore operations, etc.

Subscription Process

4.5 Supply User Details

Each LA must provide details of GCSx Users in accordance with the GC Directory User Template for initial population of the GC Directory. The template will be accompanied by appropriate guidance notes.

Netsurion Open XDR can be a valuable tool in discovering and documenting the user base and provide this information in an easily exportable format. Simply providing the Active Directory list may not satisfy the GCSx requirement as it would not detail active users nor users who need the specific GCSx access.

5.3 Configure Server Equipment

The LA is responsible for the configuration of their internal equipment (including router(s), firewall(s) and mail server(s)). The GCSx Pre-Connection Take On Guide provides an overview of the required configuration information. The technical information specific to each LA will be provided directly to each LA under separate cover. This information will be classified RESTRICTED and must be handled accordingly.

Netsurion Open XDR can help to discover and document the asset base and identify all systems passing traffic through the network, and assist with transition to GCSx. Netsurion Open XDR can also track configuration changes on internal equipment and hence detect when changes may have occurred that may compromise the GCSx connection requirements.

6.2 Re-submit (annually) CoCo Statement of Compliance

GC will be responsible for auditing a percentage of LAs regarding CoCo compliance. CESG will be responsible for auditing the GC Process in this regard. CESG & OGC buying solutions will have access to any and all Documentation in this regard at any time.

Providing responses to external audit is extremely challenging, particularly when the system to gather the information is home-grown and does not have a preconfigured reporting engine. Intelligent reporting system that can rapidly (if not automatically) report on audit requirements as specified by GCSx, it can classify your events and incidents to align to Section 2.3 of the CoCo so that the reports generates are ready for submission to the auditors.

General Technical Requirements

Use of Group Logins Should be Restricted

The key requirement here is for individual accountability, which of course can be weakened by the use of group logins. If a secondary login is required as part of established business process, you would be advised to investigate whether sufficient accountability is still offered. If this is in doubt, you should look at alternative means of enabling access to the required service that offers sufficient accountability.

Netsurion Open XDR provides detailed analysis, reporting and monitoring of log-in activity. If the individual is not identifiable through the use of a group ID on a server, Event Tracker may be able to identify the individual through information captured via the application log.


Information classified as “PROTECT and RESTRICTED” must have access to it logged. (Source- GC- Operational Support Guide).

Netsurion Open XDR can align to a client’s Information Classification policy and can monitor access to those documents in real-time. Specific alerts can be created to inform administrators or auditors of access to these files and the access must be logged and reported upon.


Identify the physical or logical address (or both) where the function took place (this could be a terminal address, boundary device port address or similar)

Netsurion Open XDR receives log information across multiple platforms and it is possible to capture physical and logical information about activity on the network or servers, desktops, etc. In addition to the information contained in the original log message, Netsurion Open XDR adds meta-data such as site, priority, direction, overall message description, etc

NISCC Recommends a Default Deny Policy

Any network service that is not a business requirement should be blocked. This applies to all of the IP and TCP header fields that are subject to filtering, but to IP addresses and port numbers in particular. Logging all denied traffic is also recommended.

Netsurion Open XDR can take logging messages from all forms of network and security devices and can report on all denied traffic. EventTracker can also be configured to monitor for traffic that should be denied, thereby ensuring effective firewall policies are in place.


Auditing and logging (including CDRs) must be enabled on the server. These logs should be reviewed regularly for security and access violations. Should the need arise to investigate an intrusion or abuse; logs should be stored for a period of time in accordance with an Organization security policy. Logs should be saved on a hardened logging server and backed up regularly, because the integrity of the logs stored on the source server cannot be guaranteed if there is an intrusion. The log server should only accept log entries from authorized machines. Enable system logging and logging of call detail records (CDRs). Regularly review logs for discrepancies. (Source- 15. NIST Security Guidance for VoIP Systems).

Netsurion Open XDR can act as the centralized logging solution for VoIP logs. Netsurion Open XDR can automate the review process and proactively monitor for access violations. Netsurion Open XDR also provides an automated investigation (forensics) feature to detect and analyses intrusion or abuse; logs can be stored for a period of time in accordance with an organization’s security policy. Logs are saved in a tamper-proof hardened logging which can be backed up regularly.

CoCo Section 2.3

Both the term ‘event’ and ‘incident’ are used in section 2.3 of the CoCo, but the term ‘incident’ is what is important in this section. An event is an observable change to the normal expected behavior of a system, whereas an incident is an event attributable to a human course and signifies malicious intent. To better understand the area of security incident management, refer to BS ISO /IEC 27002 (formerly 17799).

Netsurion Open XDR can classify your events and incidents to align to Section 2.3 of the CoCo so that real-time alerts may be generated based on the risk to identify incident response occurrences. Reports automatically generated by Netsurion Open XDR are ready for submission to the auditors.

IT Health Check Requirement

Scope of a typical ITHC includes:

  • Network summary that will identify all IP addressable devices
  • Network Analysis, exploitable switches, gateways
  • Vulnerability analysis, patch levels, poor passwords, services used
  • Exploitation (Optional), next step after a, b & c but LA should be aware of the danger of potentially crashing / making the system Unstable
  • Summary Report with recommendations

Netsurion Open XDR can capture log information from all devices within a network, identify the devices within that network, and provide this in an easily exportable format.

GCSx Operational Support Guide

Electronic files (including databases) must be protected against illicit internal use or intrusion by external parties through a judicious selection of two or more of the following mechanisms:

  • User challenge and authentication
  • (username/password or digital ID/Certificate)
  • Logging use at level of individual
  • Firewalls and intrusion-detection systems and procedures; server authentication
  • OS-specific/application-specific security measures.

Netsurion Open XDR can split up tasks and keep log information organized through restricted analysts and alarm viewers. Netsurion Open XDR can track an alarm status, delegate it to someone, change its current state (working, escalated), and add comments.