Augmented government network security supports mass remote work

When Shannon Lawson arrived in Phoenix as CISO in 2019, the city was using endpoint protection products he had never even heard of.

On the recommendation of other cybersecurity professionals, Lawson decided to test CrowdStrike products and services in the city environment. These included the CrowdStrike Falcon platform, CrowdStrike Falcon Complete, and an incident response mandate from the company. “While deploying these products, we witnessed a keyboard attack on one of our external HR systems,” Lawson said. “Our other tools didn’t alert us to the attack at all. That’s what sealed the deal for us.

Already a top concern for government IT stores, network security became even more important when many cities, states, and counties sent employees home in March 2020 in response to the COVID-19 pandemic. In addition to robust endpoint security and remote authentication tools, many organizations have adopted continuous monitoring solutions and practices that allow IT security managers to keep a constant eye on remote machines, says Eric Hanselman, chief analyst at 451 Research.

“In the rush to simply make remote work possible, many normal security reviews were initially postponed,” Hanselman says.

“What’s happened over time is that agencies have started to understand their exposure again, and they’re trying to reimplement security controls to work in a hybrid environment,” he adds. “The continuous monitoring element means monitoring the state of the user’s identity, the device they are logging in from, and their actions throughout the lifecycle of their connection in real time.”

“I brought in salespeople, and the first thing they said to me was that they could give me a lot on the product,” he says. “They didn’t even talk about abilities. You need to talk to other CISOs and ask deep questions about what worked and what didn’t. Even then, you need to test it, because what works in your environment might not work in someone else’s, and vice versa.

The introduction of MFA was particularly important to prevent the Microsoft Office 365 credentials of remote employees from being compromised.

Ongoing monitoring practices are important, Lawson adds, to ensure systems are ready for ever-changing attacks. “I put us on a 30-day scan/patch/scan cycle,” he says. “Each month, the whole company receives a scan. We can show that we are meeting regulatory requirements and addressing threats in our environment. »

How Utah is Rethinking Cybersecurity Infrastructure

When Zachary Posner became CIO of Salt Lake County in Utah, he spent the next two years tweaking its already robust remote working and cybersecurity infrastructure. Then, when the pandemic hit, county officials asked if it was possible to support working from home on a large scale.

“We said, ‘Not only can we do it, but all we have to do is pay for the license,'” Posner recalls. “We were ready to go. We already had Fortinet devices that could handle the capacity of VPN connections. It’s great when all you have to do is write a check.

Looking ahead to 2020, Salt Lake County has deployed Fortinet’s FortiGate next-generation firewalls, FortiClient to manage VPN security, and FortiAuthenticator for MFA.

DISCOVER: Why state and local agencies lack incident response plans.

“Identity is the greatest vulnerability of any business, and especially government,” Posner says. “I need to know that the person logging in is who they say they are, and the best way to do that is through MFA.”

Salt Lake County also uses an MDR solution from another vendor. The tool, Posner says, offers threat detection, incident response and continuous monitoring that are essential with some employees still working remotely.

“There’s really no defensible physical perimeter anymore,” Posner says. “Defense takes place wherever your machine is in the world.”


The percentage of states where more than one in five employees worked remotely during the COVID-19 pandemic

Source: Deloitte and National Association of State Chief Information Officers, “2020 Deloitte–NASCIO Cybersecurity Study”, October 2020

How Illinois is transforming its approach to cybersecurity

Before the Illinois State Treasurer’s Office adopted CrowdStrike tools, the agency was receiving up to 30,000 false positives a day for alerts. At this point, the alarms essentially lose their meaning, says CIO Joseph Daniels.

“Financial code requires a very specific kind of oversight,” says Daniels. “Otherwise it lights up like a Christmas tree all day. Our previous vendor wanted 18 months to find a fix, at an additional cost. I told them we couldn’t stay safe for 18 months.

The agency has implemented the CrowdStrike Falcon platform, as well as the Falcon Complete MDR tool. “We have 24/7 support from the security operations center,” Daniels says. “Instead of hiring 30 SOC analysts, we are using their team at a fraction of the cost. They have the immediate authority to take action on our behalf for certain threat levels. This has been invaluable.

EXPLORE: How US airports defend against cyber threats.

Daniels says CrowdStrike proved crucial during a middle of the night incident at one of the agency’s disaster recovery sites. “They were able to quarantine a backup server, with no business impact,” he says. “If we didn’t have these tools in place, we would have lost all of our backups. Our agency would have been decimated. Without CrowdStrike, the question would have been, “How are we going to recover?” With CrowdStrike, that turned into “How do we investigate?”

The agency also uses a cloud management gateway, providing continuous monitoring of remote devices. “If we have a zero-day patch that we need to deploy, I don’t have to wait for someone to connect to the VPN,” Daniels says. “I can see 100% of our endpoints when connected to the internet, from anywhere.”

Kevin M. Risinger