Minnesota CISO Aaron Call sees more cyberattacks detected and deleted before they hit state networks with advanced endpoint security.

Jan 21 2019

States Thwart Cyberthreats Farther from Their Targets

With advanced endpoint protection, states deploy AI to gain greater visibility into cyberattacks.

Until recently, employees at Minnesota’s executive agencies were using dozens of different devices. Departments were choosing what to deploy on their own, buying laptops on clearance at big-box stores. When Minnesota CISO Aaron Call started with Minnesota IT Services more than four years ago, one of his first big initiatives was to simplify and modernize the device environment, an effort that included a fresh look at endpoint security tools.

“When we started, we used to joke that if an anti-virus company existed, then we probably had its software installed somewhere in the state,” Call says. “We wanted something that could catch more zero-day attacks.” 

The state is in the process of ridding itself of most traditional anti-virus solutions, although it continues to rely on Windows Defender to catch signature-based threats. In their place, MNIT rolled out CylancePROTECT, a next-generation anti-virus tool that uses artificial intelligence to identify and block known and unknown malware from running on endpoints. 

State and local governments continue to shift away from traditional anti-virus tools and toward more proactive endpoint security solutions to protect against ransomware, malware, malicious documents and other threats.

“A lot of organizations are searching for answers that don’t just look at particular file types, but look at processes that are running and abnormal behavior of the system itself,” says Robert Westervelt, a research director within IDC’s security products group. “We’re starting to see those types of tools deployed more often.” 


Minnesota, Montana Get More Proactive with Cybersecurity 

With the new tool, Call says, his agency sees multiple attacks each month detected and deleted before they hit the system. The new solution also provides increased visibility when attacks occur. 

“There are a lot more capabilities in there than there ever were in traditional anti-virus,” Call says. “We’re now able to see who the last logged-in user was on a workstation. Should that workstation become compromised, we can see which accounts were logged in during that period, so we can see the potential breadth of compromised accounts.”

Montana deployed behavior-based next-generation endpoint protection from SentinelOne last year. “As the bad actors started evolving their tools and technologies, we realized we needed to step up our game to protect the state’s network,” says Andy Hanks, the state’s CISO. The tool uses machine learning and AI to not only examine traffic and identify threats, Hanks says, but also to automatically perform remediation, allowing the state to reallocate its staff time to other IT projects.

“Before, you would manually pull logs from systems and go through them and develop a timeline of events,” says James Zito, incident response and technical security supervisor for the Montana Department of Administration. “SentinelOne does that for you. It cuts investigation time by 50 to 70 percent.” 

Wyoming Gets a Dramatic Improvement in IT Security Capabilities

In 2016, the state of Wyoming replaced its traditional anti-virus tools with CrowdStrike Falcon and quickly saw an “exponential jump” in its ability to identify and contain threats, says Wyoming CIO Tony Young. 

In one instance, the tool helped identify a live attacker that was using legitimate tools to run suspicious commands on a machine. “The machine was being prepared to be kind of a beachhead to attack our network, but none of the attacker’s actions could have been caught by any signature-based anti-virus,” Young says. In another instance, when the state’s governor made a trip to China with a sterile laptop, CrowdStrike actually called state officials to make sure they knew one of their machines was being used abroad. 

In perhaps the most dramatic illustration of the new tool’s value, Young watched as neighboring Colorado struggled to contain a massive ransomware attack. Colorado was in the process of deploying next-generation anti-virus tools at the time, but the rollout was still underway when the attack hit. More than 2,000 machines were affected, and the state’s governor called in the National Guard for remediation help. 

Within a day, Wyoming was hit with a similar attack.

“It was automatically quarantined,” Young says. “We had to reimage one machine, and we were done.”

“It was a matter of a couple of hours. We felt like we dodged a bullet. I knock on wood every day about this stuff. That’s the kind of thing that keeps me up at night,” Young adds.

Fine-Tuning the Tools

Advanced endpoint protection tools may require some tinkering to ensure that they protect agencies without clamping down on legitimate user behavior, Westervelt notes. 

“It’s best practice not to turn all the features on,” he says. “They are very specific capabilities. If you look at the data sheets and look at the advanced features, 9 times out of 10, they’re not turned on by default, and whoever’s implementing the tool has to turn them on over time to see whether they will have some sort of disruptive behavior.” 

Montana officials introduced SentinelOne in phases to help prevent problems.

“A lot of people will balk at false positives,” says Hanks. “I would disagree with that. You’re introducing this tool into a new environment. You need to teach it. With the intelligence it adds and resources it saves you, it becomes worth it.” 

The state initially deployed an on-premises version of the tool, but later switched to the cloud version to gain access to the deep-visibility forensic module, new features as they are released and the multitenancy capability, which eased adoption by agencies. 

During deployment, MNIT initially faced some struggles figuring out what sort of baseline traffic to expect at various agencies, but has since improved its sampling processes, Call says. 

“We’ve gotten a lot better at knowing what’s out there, making sure we’re not causing impact to any users,” he says. “Tuning was a significant investment, and it continues to be an ongoing effort.”

Photography by Chris Bohnhoff
