How the Utah government got a handle on 60,000 devices

Two years ago, the state didn't know what was on its network. Now, state CISO Phil Bates says it's automating security processes on a well-managed inventory.

Two years after an internal security assessment showed the state didn’t have a clear idea what devices were connected to its network, Utah’s chief information security officer says his office now knows precisely what devices are connected.

Phil Bates told StateScoop that a visibility platform his office installed last year, giving him a glimpse at every device connected to the network he oversees, has made a “huge” difference in the state’s security management.

State records show the department has spent nearly $1.2 million on the technology, which was produced by the cybersecurity software firm Forescout. Bates said the product allows for faster incident response and saves time through the automation of security and compliance processes across the state’s approximately 60,000 devices, which range from building controls to smartphones.

“The main benefit is it makes the state more secure,” he said. “The secondary benefit is we’re saving a lot of man hours because we used to do a lot of this manually.”


The software’s interface provides security personnel a list of all devices connected to the state’s network, which can be sorted by device type, software version, malware signature and other filters, Bates said. If malware is detected on a device, the Forescout platform can boot it off the network within one minute and proceed to search for other devices with the same infection.

Before Forescout, he said, it could take four or five hours to take a device offline, because the only information his staff would initially have was an IP address. Bates’ staff would have to contact the state’s network operation center, which then might spend an hour locating the signal before work on disconnecting the device could begin.

“That is especially true if I have wireless devices moving from building to building,” Bates said.

For something like a ransomware infection, Bates said acting fast is essential because an organization might be able to remove the malware before it can talk to the control server and begin encrypting data.

Beyond incident response, Bates said the tool is saving the state countless hours in managing its security compliance. A complex and sometimes conflicting array of federal regulations can occupy agencies’ security teams for thousands of hours each year. Bates said much of that compliance work is now automated because every device registered in the state’s inventory is deemed compliant before it’s allowed online. The process of patching and updating device software can be largely automated, too.


“Now we have a really good inventory, because if you’re not in that system, you’re not in our network,” he said.

The state installed the new platform after conducting a security assessment based on a set of “basic controls” recommended by the Center for Internet Security, the first of which is the inventory and control of hardware assets. The other controls include software inventory, vulnerability management, controlled use of administrative privileges and secure hardware and software configurations.

“It’s been a great tool for us,” Bates said. “A lot of them fall short, but this one has actually worked for us.”
