Within minutes of installing BDS technology, Winnebago County, Ill., CIO Gus Gentner and his IT team discovered malware.

Jan 16 2018

Breach Detection Software Keeps Cyberthreats at Bay for State and Local IT

Prevention-only has limits against modern cyberweaponry, so IT leaders turn to rapid discovery and remediation.

Data breaches in the U.S. are becoming more expensive: In 2017 the average cost of an incident increased for the fifth straight year, hitting $225 per stolen record, according to the Ponemon Institute. The good news? The more quickly an organization identifies and contains a breach, the lower the costs.

When an intrusion is found in less than 100 days, the average cost is $2.8 million. When detection takes longer than 100 days, the expense jumps to $3.83 million.

As more IT leaders recognize the need to discover threats quickly, they’re employing fresh security strategies with breach detection systems (BDSs). In fact, deploying threat detection and response tools was the top priority for CISOs in 2017, according to Gartner, and will be a leading investment area through 2020.

In 2015, when the IT team at Winnebago County, Ill., deployed two FireEye BDS appliances to work alongside the county’s threat prevention systems, it immediately saw results.

“Within four minutes of installation, FireEye detected Vawtrak banking malware on a financial officer’s workstation and blocked its callback attempt,” says county CIO Gus Gentner. His small IT staff supports systems across county agencies and 34 additional departments. In addition to FireEye, Winnebago’s layered security defense includes Cisco ASA IPS firewalls, Barracuda spam filtering and Symantec endpoint protection.

Breach Detection Keeps Watch Around the Clock

BDS solutions never sleep, continuously monitoring network traffic and building a baseline of normal patterns so that deviations stand out. They bolster endpoint and perimeter security by catching many threats that evade anti-virus, firewall and other signature- or policy-based systems. They can detect in-progress attacks; infections already inside the network that may be probing systems or exfiltrating data; and anomalous behavior in users and systems. BDSs alert security teams to known and unknown threats for response and remediation. For common threat types, they can be set to automatically remove infections.
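The callback blocking described above is the visible end of a behavioral check. The following is an added example, not code from the article or from any vendor it names: it reads outbound proxy log lines, groups connections by client and destination, and flags pairs whose connection timing is near-periodic, which is how beaconing malware phones home to a command-and-control server even when the destination is not yet on any blocklist. The log format, the hosts and every line in it are constructed for the example.

```python
"""Beacon (periodic callback) detection over constructed proxy logs.
Added example; the log layout below is an assumption, not a vendor format."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: timestamp client_ip method destination bytes_out.
# update-check.example is a made-up host that connects exactly once a minute.
SAMPLE_LOG = """\
2018-01-10T09:00:00 10.20.1.15 GET news.example.net 512
2018-01-10T09:00:03 10.20.1.15 GET cdn.example.org 9020
2018-01-10T09:00:10 10.20.1.15 GET mail.example.com 700
2018-01-10T09:00:25 10.20.1.15 GET mail.example.com 640
2018-01-10T09:01:00 10.20.1.15 POST update-check.example 301
2018-01-10T09:02:00 10.20.1.15 POST update-check.example 298
2018-01-10T09:02:41 10.20.1.15 GET news.example.net 4100
2018-01-10T09:03:00 10.20.1.15 POST update-check.example 305
2018-01-10T09:03:00 10.20.1.15 GET mail.example.com 810
2018-01-10T09:03:05 10.20.1.15 GET mail.example.com 790
2018-01-10T09:04:00 10.20.1.15 POST update-check.example 299
2018-01-10T09:05:00 10.20.1.15 POST update-check.example 302
2018-01-10T09:06:00 10.20.1.15 POST update-check.example 300
2018-01-10T09:07:12 10.20.1.15 GET news.example.net 2200
2018-01-10T09:09:30 10.20.1.15 GET mail.example.com 655
2018-01-10T09:15:47 10.20.1.15 GET cdn.example.org 12000
"""


def parse_log(text):
    """Turn the constructed log text into a list of connection records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, dest, size = line.split()
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "dest": dest,
            "bytes": int(size),
        })
    return entries


def find_beacons(entries, min_connections=5, max_jitter=0.15):
    """Flag (client, destination) pairs whose inter-connection intervals are
    nearly constant. `max_jitter` is the coefficient of variation
    (stdev / mean) we tolerate; real implants add random sleep jitter, so the
    threshold is relative to the mean rather than an absolute number of
    seconds. Busy but irregular destinations (the mail host above) pass."""
    by_pair = defaultdict(list)
    for e in entries:
        by_pair[(e["client"], e["dest"])].append(e["ts"])

    findings = []
    for (client, dest), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(intervals) / mean
        if jitter <= max_jitter:
            findings.append({
                "client": client,
                "destination": dest,
                "count": len(times),
                "mean_interval": mean,
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['destination']}: {f['count']} connections, "
              f"every {f['mean_interval']:.0f}s (jitter {f['jitter']})")
```

The mail host makes five connections too, but its intervals vary wildly, so only the minute-by-minute destination is reported. In production the same grouping runs over a sliding window and the hits feed the alert queue rather than being printed.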

Between December 2015 and April 2017, Winnebago’s FireEye appliances detected 138 malicious infections and blocked 88 callback attempts to associated command and control servers. “We estimated a minimum cost avoidance of $256,000 over that period,” Gentner says.

Watching FireEye in action since the 2017 review, Gentner now believes that estimate was low. “I know how much it costs to clean up infections,” he says. “FireEye has been worth its weight in gold.”

Like BDS solutions, the multivendor endpoint, email and network security tools on the market also send threat alerts. As attacks on government networks increase, so do the number of notifications, overwhelming IT teams, which typically don’t have clear insight into how to proceed.

Through unified dashboards, BDS solutions cut through this clutter, aggregating event information, applying in-context threat intelligence (TI) and prioritizing responses.
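What that aggregation and prioritization looks like in practice is worth spelling out. The block below is an added example, not code from the article or from a BDS vendor: it takes alerts from three separate tools, collapses those that hit the same host within a time window into one incident, and scores each incident by worst severity, by how many independent tools corroborate it, and by whether the alerts line up as delivery, execution and callback in time order. The alert records, hosts, tool names and weights are all constructed assumptions.

```python
"""Alert correlation and prioritization (added example; constructed data)."""
from datetime import datetime, timedelta

SEVERITY = {"low": 1, "medium": 3, "high": 5}
# Intrusion stage each alert type indicates. 0 means "no stage", so isolated
# noise such as port scans or adware can never form a chain on its own.
STAGE = {"scan": 0, "adware": 0, "phishing": 1, "dropper": 2, "callback": 3}

# Constructed alerts from a firewall, an email filter, an endpoint agent and
# a network sensor. Hosts and times are made up for the example.
SAMPLE_ALERTS = [
    {"time": "2018-01-10T08:00:00", "tool": "firewall", "host": "srv03", "type": "scan", "severity": "low"},
    {"time": "2018-01-10T08:00:05", "tool": "firewall", "host": "srv03", "type": "scan", "severity": "low"},
    {"time": "2018-01-10T08:00:10", "tool": "firewall", "host": "srv03", "type": "scan", "severity": "low"},
    {"time": "2018-01-10T09:00:00", "tool": "email", "host": "wks17", "type": "phishing", "severity": "low"},
    {"time": "2018-01-10T09:02:00", "tool": "endpoint", "host": "wks17", "type": "dropper", "severity": "medium"},
    {"time": "2018-01-10T09:03:00", "tool": "network", "host": "wks17", "type": "callback", "severity": "high"},
    {"time": "2018-01-10T11:30:00", "tool": "endpoint", "host": "wks42", "type": "adware", "severity": "low"},
]


def correlate(alerts, window=timedelta(minutes=30)):
    """Group alerts per host that arrive within `window` of the previous alert
    on that host, score each group, and return them highest score first."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        t = datetime.fromisoformat(alert["time"])
        incident = next((i for i in incidents
                         if i["host"] == alert["host"] and t - i["last"] <= window),
                        None)
        if incident is None:
            incident = {"host": alert["host"], "first": t, "last": t,
                        "alerts": [], "tools": set()}
            incidents.append(incident)
        incident["alerts"].append(alert)
        incident["last"] = t
        incident["tools"].add(alert["tool"])
    for incident in incidents:
        assess(incident)
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def assess(incident):
    """Score = worst single severity
             + 2 per additional independent tool that saw the host
             + 4 if the staged alerts appear in kill-chain order.
    The weights are arbitrary choices for the example; what matters is that
    corroboration and sequence outrank raw alert volume."""
    worst = max(SEVERITY[a["severity"]] for a in incident["alerts"])
    corroboration = 2 * (len(incident["tools"]) - 1)
    stages = [STAGE[a["type"]] for a in incident["alerts"] if STAGE[a["type"]]]
    chain = (len(stages) >= 2 and stages == sorted(stages)
             and len(set(stages)) >= 2)
    incident["chain"] = chain
    incident["score"] = worst + corroboration + (4 if chain else 0)
    return incident["score"]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc['host']}: score {inc['score']}, {len(inc['alerts'])} alerts "
              f"from {sorted(inc['tools'])}, chain={inc['chain']}")
```

Three hundred identical scan alerts against one server would still be a single low-scoring incident, while one phishing email followed by a dropper and a blocked callback on the same workstation goes to the top of the queue.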

BDS Lets CISOs Tune Out the Noise

When Deborah Blyth was named CISO for Colorado in 2014, deploying security technologies with these capabilities was among her priorities. The Governor’s Office of Information Technology, which supports 17 executive agencies, deals with an average of 8.4 million threat events daily.

Though OIT had a security information and event management platform and numerous security technologies in place, “we needed tools to help our security analysts prioritize investigations,” Blyth says.

In 2015, armed with a detailed cybersecurity roadmap, she went before state legislators to request additional funding for threat detection and response. “I got budget approval to buy tools that would provide us with two critical capabilities: advanced analytics and threat intelligence,” she says.

To that end, OIT is rolling out across its servers and workstations a new endpoint detection and response (EDR) product with advanced analytics and other functionality to significantly increase the team’s investigative abilities. The tool is a form of BDS focused on endpoints, and “provides much more information on anomalies in our environment, as well as forensics capabilities to investigate what happened if we’re breached,” Blyth says.

She also purchased a threat intelligence system, which aggregates TI feeds used by OIT, analyzes information and provides applicable insight. For instance, it alerts analysts to relevant indicators of compromise, so they can immediately check for instances within their network.
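The feed aggregation and the indicator sweep described in the paragraph above are mechanical enough to show end to end. The block below is an added example, not code from the article or from any threat intelligence product it mentions: it merges two feeds that describe the same indicators in different conventions (defanged `hxxp://` and `[.]` notation, mixed case, a URL that only matters for its host), drops malformed entries, and then sweeps constructed DNS and file-hash telemetry for matches. Both feeds, the hash values and the log lines are constructed and contain no real indicators.

```python
"""Threat-intelligence feed merge and IOC sweep (added example; constructed data)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Two hypothetical feeds as CSV: type,indicator,source. Feed A is defanged
# the way analysts share indicators; feed B is plain and includes one bad row.
FEED_A = """\
# type,indicator,source
domain,update-check[.]example,feedA
ip,192[.]0[.]2[.]44,feedA
url,hxxp://login-portal[.]example/verify,feedA
sha256,3A7BD3E2360A3D29EEA436FCFB7E44C735D117C42D1C1835420B6B9942DD4F1B,feedA
"""
FEED_B = """\
domain,UPDATE-CHECK.example,feedB
domain,files-share.example,feedB
ip,198.51.100.7,feedB
ip,not-an-ip,feedB
"""

SHA256_RE = re.compile(r"[0-9a-f]{64}")


def refang(value):
    """Undo common defanging so indicators from different feeds compare equal."""
    return (value.strip().lower()
            .replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":"))


def normalize(kind, value):
    """Return (type, canonical value), or None if the indicator is malformed."""
    value = refang(value)
    if kind == "url":
        # A DNS sweep only needs the host, so a URL IOC becomes a domain IOC.
        host = urlsplit(value).hostname
        return ("domain", host) if host else None
    if kind == "ip":
        try:
            return ("ip", str(ipaddress.ip_address(value)))
        except ValueError:
            return None
    if kind == "sha256":
        return ("sha256", value) if SHA256_RE.fullmatch(value) else None
    if kind == "domain":
        return ("domain", value.rstrip("."))
    return None


def load_feeds(feeds):
    """Merge feeds into one dict: canonical value -> {"type", "sources"}.
    The same indicator seen in several feeds keeps every source name."""
    iocs = {}
    for text in feeds:
        for line in text.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            kind, value, source = (f.strip() for f in line.split(","))
            norm = normalize(kind, value)
            if norm is None:
                continue
            ioc_type, canon = norm
            entry = iocs.setdefault(canon, {"type": ioc_type, "sources": set()})
            entry["sources"].add(source)
    return iocs


# Constructed local telemetry: DNS queries (ts client qname) and file hashes
# reported by endpoints (ts host sha256). Note the mixed-case, trailing-dot
# query name, which the sweep must still match.
DNS_LOG = """\
2018-01-10T09:01:00 10.20.1.15 update-check.example
2018-01-10T09:01:04 10.20.1.15 news.example.net
2018-01-10T09:30:12 10.20.1.22 LOGIN-PORTAL.example.
2018-01-10T10:02:00 10.20.1.30 cdn.example.org
"""
HASH_LOG = """\
2018-01-10T09:00:40 wks17 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
2018-01-10T09:05:00 wks42 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""


def sweep(iocs, dns_log, hash_log):
    """Return every local observation that matches a merged indicator."""
    hits = []
    for line in dns_log.splitlines():
        ts, client, qname = line.split()
        key = qname.lower().rstrip(".")
        if key in iocs and iocs[key]["type"] == "domain":
            hits.append({"indicator": key, "where": client, "time": ts,
                         "sources": sorted(iocs[key]["sources"])})
    for line in hash_log.splitlines():
        ts, host, digest = line.split()
        key = digest.lower()
        if key in iocs and iocs[key]["type"] == "sha256":
            hits.append({"indicator": key, "where": host, "time": ts,
                         "sources": sorted(iocs[key]["sources"])})
    return hits


if __name__ == "__main__":
    for h in sweep(load_feeds([FEED_A, FEED_B]), DNS_LOG, HASH_LOG):
        print(f"{h['time']} {h['where']} matched {h['indicator']} ({', '.join(h['sources'])})")
```

An indicator that two independent feeds report (here `update-check.example`) carries more weight than one from a single source, which is why the merge keeps the source set instead of just deduplicating.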

When OIT renewed its McAfee contract in 2015, it gained additional EDR capabilities, including the vendor’s TI engine and its Active Response product. Together, these tools give analysts the ability to detect malware within the environment and automate its cleanup, Blyth says.

Automating this process improves productivity and reduces remediation costs, which are significantly higher when technicians must go deskside to manually remove infections.

Endpoint Security Tools Simplify Cybersecurity

For its part, the city of Albany, Ore., has primarily focused detection efforts on endpoints. Two years ago, the IT department deployed Malwarebytes Endpoint Security — which detects and blocks malware, ransomware and browser-based exploits — to protect workstations and servers across the departments it supports.

The city chose Malwarebytes to replace an endpoint anti-virus tool. While that earlier product performed well when fully enabled, administrators had to disable functionality over time to ensure application compatibility, says David Goeke, a security and network solutions engineer for Albany.

“If you have to make a lot of exceptions with endpoint protection tools, they’re significantly less effective,” he says. “We were able to roll out Malwarebytes as is, getting good protection at a very reasonable price.”

Endpoint Security continuously scans for malicious activity and automatically cleans most infections. When it discovers threats it’s not able to clean, it quarantines them, sending an alert to its management console so technicians can respond.

For threat prevention, the city uses Barracuda email filtering and a stateful firewall. As the firewall approaches end of life, IT leaders are beginning to explore affordable network security options. While they will consider a range of cloud-based and on-premises products before making a decision, Goeke points to two critical requirements.

“We’re looking for a product that provides quality threat protection at the network level,” he says. “Ideally, we’ll find a solution combining on-premises firewalls with cloud-based sandboxing functionality.”


Callie Lipkin