The state of Indiana successfully consolidated the IT operations of more than 100 state agencies roughly 13 years ago — consolidating six or seven data centers into one while also combining more than 10 email systems and 13 domains, Indiana State CIO Dewand Neely said at the Cyber Threat Intelligence Forum, presented by FireEye and produced by FedScoop and CyberScoop, on May 31 in Washington, D.C.
But the state discovered challenges in establishing a cybersecurity operations center (CSOC) to defend the unified enterprise.
“We realized efficiencies for the government…, but we increased the complexity in a number of different profiles we have to protect,” Neely said. For example, individual agencies had previously segmented their networks behind their own cyberdefenses; after consolidation they all sat under one roof, and the single, larger enterprise became harder to secure than the separate pieces had been.
10 Strategies of a World-Class Cybersecurity Operations Center
After initially standing up an Indiana state CSOC, the CIO learned some lessons and revised the operation following “Ten Strategies of a World-Class Cybersecurity Operations Center,” published by Mitre in 2014.
Of the 10 Mitre strategies, Neely determined Indiana “failed” to adhere to three of them in the early years of its CSOC.
The strategies are:
- Consolidate functions of incident monitoring, detection, response, coordination, and computer network defense tool engineering, operation, and maintenance under one organization: the CSOC.
- Achieve balance between size and visibility/agility, so that the CSOC can execute its mission effectively.
- Give the CSOC the authority to do its job through effective organizational placement and appropriate policies and procedures.
- Focus on a few activities that the CSOC practices well and avoid the ones it cannot or should not do.
- Favor staff quality over quantity, employing professionals who are passionate about their jobs, provide a balance of soft and hard skills, and pursue opportunities for growth.
- Realize the full potential of each technology through careful investment and keen awareness of—and compensation for — each tool’s limitations.
- Exercise great care in the placement of sensors and collection of data, maximizing signal and minimizing noise.
- Carefully protect CSOC systems, infrastructure, and data while providing transparency and effective communication with constituents.
- Be a sophisticated consumer and producer of cyber threat intelligence, by creating and trading in cyber threat reporting, incident tips and signatures with other CSOCs.
- Respond to incidents in a calm, calculated, and professional manner.
Indiana Shores Up Its Cybersecurity Strategy
Indiana sought remediation in meeting the requirements of the fifth, sixth and seventh strategies. First off: staff quality. “We failed at this one pretty miserably,” Neely said.
Indiana IT leaders once thought to move people from operations to security and teach them things about security, thinking more people were better. “We had more hands, but we had no way to prioritize or even identify what work they should be doing,” Neely said. “We realized very quickly we were favoring quantity over quality.”
And then Neely heard something he hadn’t heard previously. A security operations employee complimented a cybersecurity tool, saying it was like adding another engineer to the team.
“When you hear something like that from your practitioners, you get a little bit excited,” Neely said, reflecting on a maxim from Mitre: “With the right tools, one good analyst can do the job of 100 mediocre ones.”
Second, Indiana learned to maximize the value of its technology purchases. The state’s initial approach was to buy a whole suite of tools and throw them against the challenge.
“We would have been better off buying one piece of that and putting efforts into tweaking that and getting that to where it needs to be,” Neely said. “Instead, we found we got caught up in trying to make all of these things work together.”
IT leaders took a more strategic approach to maximize value. They adopted the National Institute of Standards and Technology (NIST) Cybersecurity Framework and focused on implementing one piece of it properly before moving on to the next.
Finally, Indiana learned to exercise discrimination in the data it gathered, Neely said. Security information and event management (SIEM) “promised to be our savior,” he added, but Indiana spent too much time and effort trying to make the technology work.
Among the challenges confronting the state with SIEM:
- Analysts collected everything and fed it into the system.
- Analysts faced issues with ongoing maintenance and tuning.
- The state determined it could not use SIEM software for both compliance and tactical defense. “It cannot be both; don’t believe the hype,” Neely said.
- Storage limitations confounded the state. Massive storage was required for compliance; not nearly as much for defense or monitoring.
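The four SIEM problems above share one root cause: sending the entire raw feed into the detection tool. A common remedy is to split the pipeline so that every event is archived for compliance, while only rule matches reach the analysts' detection queue. The following is an added example written for this article, not Indiana's configuration or any vendor's code; the hostnames, IP addresses, log lines, rule set and retention periods are all constructed for illustration.

```python
"""Route a raw log feed into a small detection stream and a bulk compliance archive.

Added example (hypothetical policy, not a real deployment). The sample events
below are constructed syslog-style lines; hosts and addresses are made up.
"""
import re
from collections import Counter

SAMPLE_EVENTS = [
    "web01 sshd[1201]: Accepted publickey for deploy from 10.0.4.21 port 51234 ssh2",
    "web01 sshd[1204]: Failed password for root from 198.51.100.7 port 40022 ssh2",
    "web01 sshd[1205]: Failed password for root from 198.51.100.7 port 40023 ssh2",
    "web01 sshd[1206]: Failed password for admin from 198.51.100.7 port 40024 ssh2",
    "web01 CRON[1300]: (root) CMD (/usr/lib/sysstat/sa1 1 1)",
    "web01 CRON[1301]: (root) CMD (/usr/lib/sysstat/sa1 1 1)",
    "db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "db01 useradd[2201]: new user: name=svc_backup, UID=1007, GID=1007, home=/var/lib/backup",
    "db01 systemd[1]: Stopped auditd.service.",
    "db01 kernel: eth0: link is up",
    "fw01 ids: DENY TCP 203.0.113.9:53342 -> 10.0.4.21:3389",
    "fw01 ids: ALLOW TCP 10.0.4.21:43211 -> 10.0.9.10:443",
    "web01 nginx: 10.0.4.99 - - GET /healthz 200",
    "web01 nginx: 10.0.4.99 - - GET /healthz 200",
    "web01 CRON[1302]: (root) CMD (/usr/lib/sysstat/sa1 1 1)",
    "web01 nginx: 10.0.4.99 - - GET /healthz 200",
    "db01 systemd[1]: Started Daily apt download activities.",
    "fw01 ids: ALLOW TCP 10.0.4.21:43212 -> 10.0.9.10:443",
    "fw01 ids: ALLOW TCP 10.0.4.22:43213 -> 10.0.9.10:443",
    "web01 sshd[1210]: Accepted publickey for deploy from 10.0.4.21 port 51240 ssh2",
]

# Detection rules (hypothetical). Only events matching one of these are sent to
# the analysts' queue; everything else is noise from the defender's point of view.
DETECTION_RULES = [
    ("auth_failure", re.compile(r"sshd\[\d+\]: Failed password")),
    ("privilege_use", re.compile(r"sudo: .* USER=root")),
    ("account_created", re.compile(r"useradd\[\d+\]: new user")),
    ("audit_logging_stopped", re.compile(r"systemd\[1\]: Stopped auditd")),
    ("inbound_rdp_denied", re.compile(r"DENY TCP \S+ -> \S+:3389")),
    ("kernel_module_loaded", re.compile(r"kernel: .* module .* loaded")),
]

# Assumed retention periods: short for the detection tier, long for the archive.
RETENTION_DAYS = {"detection": 30, "archive": 365}


def classify(line):
    """Return the name of the first matching detection rule, or None."""
    for name, pattern in DETECTION_RULES:
        if pattern.search(line):
            return name
    return None


def route(events):
    """Archive every event for compliance; forward only rule hits to detection."""
    detection, archive = [], []
    for line in events:
        archive.append(line)
        rule = classify(line)
        if rule is not None:
            detection.append((rule, line))
    return {"detection": detection, "archive": archive}


def summarize(routed):
    """Volume going to each tier, plus a per-rule hit count for tuning."""
    total = len(routed["archive"])
    hits = len(routed["detection"])
    return {
        "archive_events": total,
        "detection_events": hits,
        "detection_fraction": round(hits / total, 3) if total else 0.0,
        "hits_by_rule": dict(Counter(rule for rule, _ in routed["detection"])),
    }


def unused_rules(routed):
    """Rules that fired on nothing: candidates for review during tuning."""
    fired = {rule for rule, _ in routed["detection"]}
    return [name for name, _ in DETECTION_RULES if name not in fired]


def retention_load(routed):
    """Event-days each tier must hold; shows why the archive dominates storage."""
    return {
        "detection": len(routed["detection"]) * RETENTION_DAYS["detection"],
        "archive": len(routed["archive"]) * RETENTION_DAYS["archive"],
    }


if __name__ == "__main__":
    routed = route(SAMPLE_EVENTS)
    print(summarize(routed))
    print("unused rules:", unused_rules(routed))
    print("event-days per tier:", retention_load(routed))
```

On the constructed feed, 20 events are archived but only 7 reach detection, and the archive tier carries roughly 35 times the event-days of the detection tier, which is the storage asymmetry the state ran into. The `unused_rules` check catches the other failure mode: a rule that never fires is either mis-written or irrelevant to the environment, and flagging it is the kind of ongoing tuning that otherwise gets skipped.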
Once Indiana addressed these issues, its CSOC became much more effective, Neely said.