Officials at the North Dakota Information Technology Department this week announced they’ve published a cybersecurity automation tool they hope will help other states and local governments protect against attacks.
The agency published a “playbook” — a set of rules for automating cybersecurity workflows — that others can plug into their security orchestration, automation and response, or SOAR, platforms. When one of the state’s network monitors flags an IP address as a potential threat, the playbook automatically gathers additional context on that address and presents it to the state’s security analysts.
The state’s network monitors — Albert sensors provided by the Center for Internet Security — typically warn of threats by sending an email containing an IP address, leaving analysts to conduct further research, said Michael Gregg, North Dakota’s chief information security officer. But with the new playbook loaded into the state’s response platform, an Albert sensor ping now automatically displays for analysts additional details, such as the address’ country of origin and whether it’s associated with past phishing, spam or other cyberattacks, he said.
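The enrichment step described above, as an added illustration rather than North Dakota’s own playbook or any Palo Alto Networks code: pull the IP address out of the raw alert text, skip addresses in the organization’s own ranges, and attach country and reputation context before the analyst sees it. The alert text, the `INTERNAL_NETS` list and the `SAMPLE_FEED` reputation table are all constructed for the demo; in a real SOAR the country and reputation lookups would be calls to threat-intel integrations, and the actual Albert notification format is not reproduced here.

```python
"""Added example of an alert-enrichment playbook step (not ND's playbook).
Everything below (alert text, feed, internal ranges) is constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed stand-in for a sensor notification email. The only assumption
# about the real format is that it carries an IP address somewhere in the body.
SAMPLE_ALERT = """Subject: [Albert] Suspicious traffic detected (constructed)
Sensor: sensor-01
Source IP: 203.0.113.45
Destination: 10.0.0.12:443
Signature: outbound connection to flagged host (constructed)
"""

# Constructed reputation feed keyed by IP; a real playbook would query a
# threat-intel integration instead of a local dict.
SAMPLE_FEED = {
    "203.0.113.45": {"country": "XX", "tags": ["phishing", "spam"], "last_seen": "2022-01-10"},
    "198.51.100.7": {"country": "YY", "tags": [], "last_seen": "2021-11-02"},
}

# Constructed stand-in for the organization's own address space. Enrichment is
# skipped for these: the destination side of an alert is the protected host,
# not the threat, and looking it up in a reputation feed is just noise.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Tags that should push an alert to the top of the analyst's queue (assumed).
HIGH_TAGS = {"phishing", "malware", "c2", "botnet"}


@dataclass
class Enrichment:
    ip: str
    country: str = "unknown"
    tags: list = field(default_factory=list)
    last_seen: str = "never"
    severity: str = "info"   # info = no feed hit; low/medium/high derived from tags


def extract_external_ips(alert_text):
    """Return the syntactically valid, non-internal IPv4 addresses in the alert,
    in order of first appearance. The regex alone accepts junk like 999.1.1.1,
    so each candidate is parsed with ipaddress before it is kept."""
    found = []
    for candidate in IPV4_RE.findall(alert_text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # matched the regex shape but is not a real address
        if any(addr in net for net in INTERNAL_NETS):
            continue
        if str(addr) not in found:
            found.append(str(addr))
    return found


def enrich(ip, feed):
    """Attach country, tags, last-seen date and a derived severity to one IP."""
    hit = feed.get(ip)
    if hit is None:
        return Enrichment(ip=ip)  # unknown to the feed: leave it at "info"
    tags = list(hit.get("tags", []))
    if any(t in HIGH_TAGS for t in tags):
        severity = "high"
    elif tags:
        severity = "medium"
    else:
        severity = "low"       # seen by the feed but not associated with abuse
    return Enrichment(ip=ip, country=hit.get("country", "unknown"), tags=tags,
                      last_seen=hit.get("last_seen", "never"), severity=severity)


def run_playbook(alert_text, feed):
    """The whole step: alert text in, one Enrichment per external IP out."""
    return [enrich(ip, feed) for ip in extract_external_ips(alert_text)]


def format_for_analyst(enrichments):
    """Render the enrichment as the one-line-per-IP summary an analyst reads."""
    lines = []
    for e in enrichments:
        tags = ", ".join(e.tags) if e.tags else "none"
        lines.append(f"{e.ip}  country={e.country}  severity={e.severity}  "
                     f"known_for={tags}  last_seen={e.last_seen}")
    return "\n".join(lines) if lines else "no external IPs found in alert"


if __name__ == "__main__":
    print(format_for_analyst(run_playbook(SAMPLE_ALERT, SAMPLE_FEED)))
```

The internal-range filter is the part most worth keeping when porting this to another SOAR: without it, every alert also triggers a lookup on the victim host's private address, which wastes API quota and buries the useful result.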
“We developed this internally because one of the big pushes that we’ve really moved toward is to automate as much of our security operations as we can,” Gregg said. “It gives our analysts more information and helps them respond faster, but we wanted to share this out with any other state or local entity that also has Albert sensors or is potentially there getting these alerts to make this lift a little easier for them.”
North Dakota’s playbook was designed for the Cortex XSOAR platform, which is developed by Palo Alto Networks, and can be found on that company’s marketplace, but Gregg said agencies using other platforms can still use the playbook with a little modification.
Gregg said the state is pushing for greater automation to keep up with the volume of threats it must field. North Dakota has an especially large attack surface because its network, STAGEnet, serves roughly 250,000 users across state government, local government, public universities and law enforcement statewide. Gregg said his department wants to automate low-priority tasks and threats so its analysts can focus on serving customers and protecting against major threats.
“It’s not only ransomware,” Gregg said. “You think of cryptominers and just even the supply chain things we’ve seen with SolarWinds, Hafnium, Log4j, so there’s been a multitude of attacks over the past year that states and other entities have had to deal with.”