How State, Local Agencies Can Augment Their Cyber Operations

State, local, tribal and territorial (SLTT) governments face increasing pressure to raise the bar on their cybersecurity efforts. The rising pace and severity of attacks, coupled with an increased threat from Russia, have brought the issue to the fore.

In 2020, for example, U.S. city and county organizations reported 79 ransomware attacks, potentially impacting 71 million people and costing an estimated $18.88 billion in downtime and recovery. Agencies may have a range of partial cyber solutions in place, but they typically lack the funding and staffing levels needed to effectively support more comprehensive defenses.

Managed security services (MSS) offer a path forward. A managed security service (also called a monitored security service) is an arrangement in which a third party collects and reviews an organization's operational and security data in real time to identify threats and escalate alerts.

The immediate impact of this is to ease the burden on overtaxed IT professionals who might be wearing multiple hats — trying to address cyber threats, providing tech support to end users and managing the care and feeding of labor-intensive legacy systems.

“By acting as the front line in cyber defense, an MSS can free up IT to focus on those other tasks,” said Lee Myers, Director of the Security Operations Center at the Center for Internet Security (CIS).

The MSS centrally logs data coming in from the government's various systems and feeds it into a "correlation engine," software that links related events across sources and across time. The engine looks for activity that is out of place or shouldn't be there: patterns such as a burst of failed logins followed by a successful one, which can look benign in any single log but stand out once the records are viewed together.

The MSS catalogs those events, labeling each by its likely severity. Depending on the MSS model, that information is either handed back to the agency's IT team for further action or, with some providers, passed to the provider's own analyst team for further analysis.

In the latter case, “that team of analysts will apply human intelligence to that event and incident data, going beyond what the automated processes can achieve,” Myers said. “You get the automated correlation, and you also benefit from this manual analyst intervention.”

This MSS model goes even further toward alleviating the IT burden and raising the security bar, since it eliminates most of the false positives and gives security teams the information they need to take quick and decisive action on likely threats, Myers said.

The nonprofit Center for Internet Security offers this type of human-informed MSS to SLTT agencies. Its service monitors agency devices for signs of malicious or anomalous activity, suppresses false positives and escalates only the actionable alerts.

By having analysts review the correlated events, this approach cuts down on the noise, removing up to 75 percent of total identified incidents. Analysts can note, for example, that traffic which looks suspect is in fact authorized under rules the agency has documented (a scheduled scan from an approved vulnerability scanner, for instance) and close it out without escalation.
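To make the pipeline in the preceding paragraphs concrete (centralize logs, correlate across sources, label by severity, then let an agency's known-authorized rules suppress the noise), here is an added example. It is not CIS's code, and the log format, the thresholds, the rule names and the allowlisted scanner address are all constructed for illustration, not the provider's actual detection logic. Note that the allowlist suppresses only low- and medium-severity alerts: a successful login after a brute-force burst still escalates even when it comes from an "authorized" address, because an allowlisted host is exactly what an attacker would like to compromise.

```python
"""Minimal correlation engine with severity labelling and analyst-style
allowlist suppression.  Everything here (log lines, thresholds, rules,
the allowlisted address) is constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from two sources an MSS would centralize:
# an SSH auth log and an account-audit log, already time-ordered.
SAMPLE_LOGS = """\
2024-05-01T02:00:01 auth  host=gw1  action=login_failed user=admin src=203.0.113.7
2024-05-01T02:00:03 auth  host=gw1  action=login_failed user=admin src=203.0.113.7
2024-05-01T02:00:05 auth  host=gw1  action=login_failed user=admin src=203.0.113.7
2024-05-01T02:00:09 auth  host=gw1  action=login_failed user=admin src=203.0.113.7
2024-05-01T02:00:20 auth  host=gw1  action=login_ok     user=admin src=203.0.113.7
2024-05-01T02:04:30 audit host=gw1  action=user_added   user=svc_backup2 group=wheel by=admin
2024-05-01T03:00:00 auth  host=app1 action=login_failed user=jsmith src=192.0.2.10
2024-05-01T03:00:02 auth  host=app1 action=login_failed user=jsmith src=192.0.2.10
2024-05-01T03:00:04 auth  host=app1 action=login_failed user=jsmith src=192.0.2.10
2024-05-01T03:00:06 auth  host=app1 action=login_failed user=jsmith src=192.0.2.10
2024-05-01T09:15:00 auth  host=gw1  action=login_ok     user=jsmith src=198.51.100.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+(?P<kv>.*)$")

# Constructed thresholds: 4 failures inside 60 s is a brute-force burst; a
# success within 5 min of it, or a privileged account created within 10 min
# of that success, are the later stages of one multistage intrusion.
FAIL_THRESHOLD, FAIL_WINDOW = 4, timedelta(seconds=60)
SUCCESS_WINDOW, PRIVESC_WINDOW = timedelta(minutes=5), timedelta(minutes=10)

# Assumed agency rule: 192.0.2.10 is the authorized vulnerability scanner,
# whose credential checks legitimately produce login failures.
AUTHORIZED = {"192.0.2.10": "authorized vulnerability scanner (assumed agency rule)"}


def parse_line(line):
    """Turn one 'timestamp source key=value ...' line into an event dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"]}
    ev.update(re.findall(r"(\w+)=(\S+)", m["kv"]))
    return ev


def parse_logs(text):
    return sorted((e for e in map(parse_line, text.splitlines()) if e),
                  key=lambda e: e["ts"])


def correlate(events):
    """Link events across sources and time; emit severity-labelled alerts."""
    alerts = []
    failures = defaultdict(list)   # src -> timestamps of failures in window
    bruteforced = {}               # src -> time the burst was flagged
    compromised = {}               # user -> (src, time of suspicious login_ok)
    for ev in events:
        act, src, user, ts = ev.get("action"), ev.get("src"), ev.get("user"), ev["ts"]
        if act == "login_failed":
            failures[src] = [t for t in failures[src] if ts - t <= FAIL_WINDOW] + [ts]
            if len(failures[src]) >= FAIL_THRESHOLD and src not in bruteforced:
                bruteforced[src] = ts
                alerts.append(dict(severity="MEDIUM", rule="brute_force",
                                   src=src, user=user, ts=ts))
        elif act == "login_ok":
            if src in bruteforced and ts - bruteforced[src] <= SUCCESS_WINDOW:
                compromised[user] = (src, ts)
                alerts.append(dict(severity="HIGH", rule="brute_force_success",
                                   src=src, user=user, ts=ts))
        elif act == "user_added" and ev.get("group") == "wheel":
            actor = ev.get("by")
            if actor in compromised and ts - compromised[actor][1] <= PRIVESC_WINDOW:
                alerts.append(dict(severity="CRITICAL",
                                   rule="privileged_account_after_suspicious_login",
                                   src=compromised[actor][0], user=actor, ts=ts))
    return alerts


def triage(alerts, authorized=AUTHORIZED):
    """Apply the agency's known rules: suppress low/medium alerts from
    authorized sources, keep everything else as actionable."""
    actionable, suppressed = [], []
    for a in alerts:
        if a["src"] in authorized and a["severity"] in ("LOW", "MEDIUM"):
            suppressed.append({**a, "reason": authorized[a["src"]]})
        else:
            actionable.append(a)
    return actionable, suppressed


def run(log_text=SAMPLE_LOGS):
    alerts = correlate(parse_logs(log_text))
    actionable, suppressed = triage(alerts)
    return alerts, actionable, suppressed


if __name__ == "__main__":
    all_alerts, actionable, suppressed = run()
    for a in actionable:
        print(f"{a['ts']:%H:%M:%S} {a['severity']:8} {a['rule']} src={a['src']} user={a['user']}")
    print(f"{len(suppressed)} of {len(all_alerts)} alerts suppressed by agency rules")
```

Run against the constructed sample, the engine raises four alerts: the brute-force burst from 203.0.113.7, the success that follows it, the wheel-group account that the same user then creates, and a second burst from the scanner address. Triage drops only the last one, so the IT team sees three alerts that tell one story rather than a stream of individual failed-login events.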

“Now, IT teams don’t have to waste time chasing down those incidents, and can instead focus attention where it’s needed most,” Myers said.

All this is akin to triage in the medical world, where the success of the response often comes down to a matter of time. “A lot of the attacks that are happening these days are multistage attacks, where the method that an attacker uses to gain access to the environment is not necessarily the method that they’ll use to attack it — that comes later,” Myers said.

Thus, the faster an agency can respond to that initial access attempt, the more likely it is to prevent that next-stage attack.

With an MSS parsing events and incidents around the clock and putting human eyes on the outcomes, the security team has the ability to respond in real time and head off potential attacks before they launch. This saves staff time and effort, and also heightens cyber resilience, protecting agencies from potential data loss as well as from the catastrophic operational and economic impacts of a cyber incursion.

CIS is well positioned to deliver this service, having supported SLTT monitoring operations for over 15 years and drawing on the largest SLTT-specific threat database. A key player in the national cyber defense apparatus, CIS operates the Multi-State Information Sharing and Analysis Center (MS-ISAC), a voluntary and collaborative effort designated by the U.S. Department of Homeland Security as the key resource for cyber threat prevention, protection, response and recovery for SLTT governments.

CIS is offering a discount on MSS through June 30.
