State and local governments need a robust and holistic approach in order to effectively protect their digital assets and critical data. They need defense in depth, a layered and comprehensive set of tools and policies that work together in support of cybersecurity.
To get a better understanding of defense in depth – what it is, how it works and its implications for SLTT governments – GovLoop talked to Randy Rose, Senior Director of Operations and Intelligence with CIS.
Let’s start with a definition.
What is defense in depth for state and local government?
It’s a layered approach to security. It means building successive layers so that when one is bypassed or potentially bypassed, something else kicks in.
In defense in depth, there are opportunities to prevent attacks and detect attacks at multiple layers. If an attack is in progress, if somebody is successful in penetrating that base, there are other ways to intercept and prevent that.
You want to have a layer where you’re actually preventing attacks or potential attacks in progress. Detection is a must. You have to be able to detect – even if it’s after the fact. You have to have logs, and you have to have network telemetry. And it also includes communication, sharing information with the broader community – out to the incident responders, to law enforcement, to key stakeholders.
What challenges do SLTT agencies face in trying to take this approach?
The biggest challenge in the state and local community is resourcing. There’s a problem in terms of financial resourcing and also in terms of training and education. There are a lot of local government leaders who are just not aware of why cybersecurity is something that they need to prioritize.
There are also resourcing issues in terms of getting the people that you need into place. State and local governments are competing against for-profit organizations that can pay people massive salaries to work from home. In SLTTs, we can’t necessarily pay them a competitive salary, and we also can’t necessarily offer them the benefits that these other organizations can offer them.
You also have the government acquisition cycles, which are often slow and laborious. That can prevent organizations that are really trying to do the right thing from getting the tools, the resources and the capabilities in place in a timely fashion.
How does CIS’s community-focused model help SLTT address those challenges?
The biggest thing that state and local government can do is to leverage the resources that they can get through the Multi-State Information Sharing and Analysis Center, or MS-ISAC, and the Elections Infrastructure Information Sharing and Analysis Center, the EI-ISAC. There are a ton of resources that we provide at no cost to them, including 24-7-365 security monitoring of their network.
We have no-cost security solutions that can be inserted at every layer – at the community layer, at the network layer, at the device layer. We have tools and resources that they can implement starting today that will get them closer to a true defense-in-depth model.
SLTTs often ask: “What should I spend my money on?” That’s a determination they have to make at a local level. But what I can tell them is: If you can get something from us for free, then don’t spend a single dime on it externally. Use that money to fill the gaps and seams.
How can SLTTs address some of the organizational or cultural hurdles that get in the way of cybersecurity?
A lot of them are facing a cultural issue. I won’t call it defiance, but there is a pushback because cybersecurity and cyberspace in general is such a fuzzy concept. It’s so ephemeral, people can’t reach out and touch it.
It shouldn’t be up to the IT administrator alone to change the culture of the organization. When they join an organization like the MS-ISAC, we can help to carry that burden. We have data no other organization has related to cybersecurity in the SLTT community, and we can use that to help you elevate that whole discussion.
How does that work?
Being a member of an organization like an ISAC puts resources at your fingertips that you might not otherwise have. And we put it into a language that is beneficial for leadership. It’s not purely technical information. We speak in terms of risk and impact, and we can also work with the executives in local governments to understand the cost of doing nothing.
Managed-service solutions can help. For example, CIS Endpoint Security Services (ESS) monitors deployed endpoints 24-7-365, with a Cyber Incident Response Team (CIRT) available to assist in responding to and remediating cyberattacks. As a community-centric approach, this strategy leverages the talents of skilled experts to analyze network and endpoint security alerts, conduct cyber incident triage and deliver vulnerability analyses.
This article first appeared in our playbook, “How to Take a Community-Driven Approach to Cybersecurity.”