JACKSON, Wyo. — Defense in depth takes many forms, but for Nic Penning, a security engineer working for the state of South Dakota, that’s meant taking a deeper look at the threats hidden within emails moving across the state’s network.
For the past five months, Penning has been building a set of metrics off the data surrounding the state’s email traffic. Penning, whose interest in cybersecurity forensics led to a stint in the U.S. government-sponsored CyberCorps program and eventually his current job, has been studying the nature and frequency of phishing attacks, widespread spamming activity and the presence of malware riding along with email.
Using an IBM security intelligence platform called QRadar, the state “can grab a lot of data off our email, and see how long [a variety of] threats have been there,” Penning said during the National Association of State Technology Directors Western Region conference Thursday. “So we have really good, real-world data just looking at email as a threat vector.”
The data is part of a broader process, using log files and other data-capturing tools, to identify and mitigate a growing number of threats, many of which begin with state employees unwittingly acting on email.
Employees are helping to fight back, Penning said. “We have an email address where people can report suspicious or malicious emails.” Those reports are then assessed using a prescribed process designed to quickly gauge the severity of the threat and, if necessary, remove the malicious email statewide.
Penning acknowledged that using security information and event management systems and log files is one thing, but “it’s another thing to have people who can look at those logs and know what they’re looking at.”
That is a challenge that he and state technology leaders from Wyoming, North Dakota and Colorado agreed remains an ongoing issue for state IT shops.
For Curt Wahl, a network architect for North Dakota, that challenge is compounded by the diversity of network activity his team must support. It includes not only state agency traffic, but also network services to schools throughout the state, all the way to the jacks in the walls of school classrooms.
Because the state can’t control all the users or devices connecting to its network, it has instead applied advanced packet inspection and network protection systems from Palo Alto Networks to monitor and deter malicious traffic moving across the network.
“We’re working toward a zero-trust model,” he said. “You have inside users and outside users,” and with the volume of activity, it has become more important than ever to have automated systems, and the personnel to make sure those systems are operating correctly.
“You have to have a way to conduct your triage and analysis efficiently,” agreed Rick Imbrogno, Wyoming’s chief information security officer.
Wyoming, which has made significant strides moving the state’s IT operations to the cloud, has been able to adopt a variety of security controls, including moving to two-factor authentication for all the state’s email users, as well as conducting vulnerability audits across state agencies.
He added, however, “We recognize there still has to be a balance between cybersecurity and making [data and services] available to make the user more productive.”
Colorado, meanwhile, has taken a multi-pronged approach to improving the state’s IT security measures, dubbed Secure Colorado, according to Deborah Blyth, the state’s chief information security officer.
As recently as 2013, barely $6,000 a year was set aside for security within line-item budgets. That has grown to $5 million a year, or about 2.5 percent of the state’s total IT budget, and will likely climb to $6 million next fiscal year.
Indeed, with the state experiencing 8.4 million security incidents a day, Blyth said “it’s not a number any one of us can deal with. So we need tools that can highlight anomalies.”
Her office is currently soliciting recommendations from vendors and hopes to issue a formal request for proposals later this year. Additionally, Colorado’s Office of Information Technology is rolling out an identity and access management initiative, which will automate provisioning and account auditing aimed at supporting the state’s 17 major agencies in 1,300 locations.
Blyth, however, outlined a number of accomplishments the state’s IT office has made over the past couple of years, including gains in risk management measures, increased implementation of 20 commonly used critical security controls, and a reduction of malware attacks.
“We haven’t had a major malware incident since moving toward a layered approach,” she said.