Eric Brumm, Chief IT Architect for Glendale, Calif., shares threat information reports generated by his security software.

Feb 05 2020

Apps Collect Threat Intelligence for Government IT Managers to Share

Security software often gathers information that empowers a manager to disseminate tips to stakeholders.

Eric Brumm recently deployed next-generation endpoint security software to better protect the city of Glendale, Calif., from malware, ransomware and other exploits. It also gives him a bonus: visibility into trends and other potential threats.

Brumm, the city’s chief IT architect, implemented Palo Alto Networks Traps endpoint security on the city’s servers and computers last year. Through a Traps weekly report this summer, he discovered that an employee with administrative rights had disabled Traps enforcement on the employee’s own computer.

Traps reported an exploit, prompting Brumm and his staff to investigate further. They discovered the employee had deactivated Traps to run an extension that makes newer versions of Microsoft Office look like an older version. Brumm alerted the employee’s supervisor and resolved the situation by restoring Traps enforcement.

“We told the supervisor that no one should be exempt from enforcement in our environment, and that if the exploit was really something bad, it could cause major issues,” says Brumm.

Local and state government agencies are deploying security tools that increasingly use behavioral analytics and machine learning to automatically stop cyberthreats. But the tools also provide visibility and actionable insight into their overall security posture, which helps them further protect their IT infrastructure.

These tools can uncover security vulnerabilities and other problems inside an agency’s own networks. In addition, some security vendors offer threat intelligence services, which provide information on global threats in near real time and share details on how organizations can protect their internal systems.

Government IT leaders in charge of security say they review the security information from their tools and threat intelligence reports, and if something warrants attention, they share it with others on the IT team. If necessary, they collaborate and coordinate across departments to fix security issues.

Analysts say that’s a sound strategy. Too many alerts from tools can cause information overload. So, to be effective, organizations should only share relevant, high-quality alerts.

“It’s about sharing smartly,” says IDC analyst Frank Dickson. “The critical resource is people, so when we share intelligence, we need to make it relevant and actionable.”

Glendale, Calif., Gains Insights on Potential Threats

In Glendale, Brumm uses Palo Alto Networks next-generation firewalls to protect the city’s network perimeter, and recently standardized on Traps cloud-based endpoint security software.

For added protection, the city subscribes to Palo Alto Networks’ WildFire service, which discovers global threats in real time and then automatically sets new defenses.

“With Palo Alto Networks firewalls and Traps coupled together, we’ve got a pretty solid framework in place for security,” Brumm says.

Brumm checks a weekly Traps report to get an overview on the malware and exploits that were discovered and blocked. It also provides information on the top targeted users, the most prevalent malware and most exploited processes.
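As an added illustration (not code from the article, Glendale or Palo Alto Networks), the Python below works through constructed endpoint telemetry to produce the weekly-report figures named here and to flag the kind of enforcement gap the report surfaced above: a host whose protection was switched off, the account that did it, and any detection that fired while enforcement was off. The record layout and event names are assumptions.

```python
from collections import Counter

# Constructed telemetry (not real Traps output; layout assumed): (timestamp, host, user, event_type, detail)
EVENTS = [
    ("2019-07-01T08:02", "ws-101", "alice", "exploit_blocked",     "winword.exe"),
    ("2019-07-01T09:15", "ws-217", "bob",   "malware_blocked",     "trojan.generic"),
    ("2019-07-02T10:40", "ws-217", "bob",   "malware_blocked",     "trojan.generic"),
    ("2019-07-02T11:03", "ws-333", "carol", "protection_disabled", "local_admin"),
    ("2019-07-02T11:05", "ws-333", "carol", "exploit_blocked",     "winword.exe"),
    ("2019-07-03T14:20", "ws-101", "alice", "exploit_blocked",     "acrord32.exe"),
    ("2019-07-03T16:00", "ws-333", "carol", "protection_enabled",  "policy_push"),
    ("2019-07-04T09:30", "ws-408", "dave",  "protection_disabled", "local_admin"),
]

def enforcement_gaps(events):
    """Pair each protection_disabled with the next protection_enabled on that host; re_enabled_at None = still open."""
    gaps, open_by_host = [], {}
    for ts, host, user, kind, _ in sorted(events):          # ISO timestamps sort correctly as text
        if kind == "protection_disabled":
            gap = {"host": host, "user": user, "disabled_at": ts, "re_enabled_at": None}
            open_by_host[host] = gap
            gaps.append(gap)
        elif kind == "protection_enabled" and host in open_by_host:
            open_by_host.pop(host)["re_enabled_at"] = ts
    return gaps

def in_gap(ts, host, gaps):
    """True if host was running without enforcement at time ts."""
    return any(g["host"] == host and g["disabled_at"] <= ts
               and (g["re_enabled_at"] is None or ts < g["re_enabled_at"]) for g in gaps)

def weekly_summary(events, top_n=3):
    """Top targeted users, most prevalent malware, most exploited processes, gaps and detections inside a gap."""
    gaps = enforcement_gaps(events)
    users, malware, procs, unenforced = Counter(), Counter(), Counter(), []
    for ts, host, user, kind, detail in events:
        if kind == "malware_blocked":
            malware[detail] += 1
        elif kind == "exploit_blocked":
            procs[detail] += 1
        else:
            continue                                        # state changes are not detections
        users[user] += 1
        if in_gap(ts, host, gaps):                          # detected, but nothing was enforcing
            unenforced.append((ts, host, user, detail))
    return {"top_targeted_users": users.most_common(top_n),
            "most_prevalent_malware": malware.most_common(top_n),
            "most_exploited_processes": procs.most_common(top_n),
            "enforcement_gaps": gaps, "detections_during_gap": unenforced}
```

An open gap (ws-408 in the constructed data) is the item to chase first, since the host is still unprotected when the report is read.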

When necessary, he shares information with his team to investigate threats.

“I will send notes to key administrators who are running an environment and ask, ‘Is this indicative of a problem?’” he says. “What we do is analyze it more deeply and ask, ‘What is the user doing that is causing it to go off?’”

Brumm recently subscribed to a new Palo Alto Networks cloud service that retains all the logging information from the city’s Traps implementation and its firewalls. Before, the city could save only a few weeks of data. Now that it can retain data for a year or more, he can analyze the logs comprehensively.

In the future, Brumm plans to install intrusion prevention systems and a security information and event management tool to provide a central dashboard for security data, which will improve threat detection and response.

New Orleans Gets Security Visibility via Threat Intelligence 

Central to New Orleans’ security strategy are FireEye’s cybersecurity appliances and threat intelligence feed, says Freud Alexandre, the city’s enterprise architect and security manager.

For the past nine years, New Orleans has deployed a FireEye email security appliance and FireEye network security appliance to protect the city’s network and computers. Alexandre uses a FireEye central management appliance to manage both systems and view a dashboard that provides real-time data on the threat landscape.

“It does a great job detecting and preventing malware from entering our environment, and provides me visibility and insight to do my job better and more effectively,” he says.

FireEye’s technology analyzes files and suspicious network traffic in a virtual sandbox and blocks malicious code. While doing so, it prioritizes critical threats. It also allows Alexandre to drill down for more information and to identify potential mitigation strategies.

2,204: number of endpoints protected after Glendale, Calif., implemented Palo Alto Networks’ Traps next-generation endpoint security software in 2019 (Source: Glendale, Calif.)

If FireEye email security blocks a new type of malware, Alexandre shares the information with every operating manager in his group. That way, they can use the intelligence gleaned from FireEye to update the city’s other security devices.

The city also subscribes to a FireEye threat intelligence feed that provides it with actionable information on how to stop the latest global threats. “Through that feed, we can gain valuable information to prevent the next attack,” Alexandre says. “It provides enough information for us to take actionable steps.”

Rancho California Water District Deploys Multilayered Defenses

Back on the West Coast, the Rancho California Water District manages water for 45,000 residential and commercial customers. It also runs multilayered defenses, which include Palo Alto Networks firewalls and Traps endpoint security, plus Extreme Networks’ Extreme Management Center.

Together, they secure two redundant data centers, key enterprise applications that include billing software, and a wireless network that collects customer water usage information from automated meters, says Dale Badore, data center operations supervisor for the special district in Temecula, Calif.

The Extreme Networks software monitors network traffic and application performance and seeks out behavioral anomalies; if it spots them, it sends alerts, Badore says. Meanwhile, he can log in to a dashboard to check real-time threat activity, including top threats and top high-risk applications.

“We look at the top applications and decide whether we need to focus on certain issues to lower that risk factor,” he says.

The Traps dashboard alerts him to security events, which are color coded for severity. Yellow is a medium threat; red is critical. If Traps spots something significant, it will email him.

Badore also subscribes to threat intelligence reports from the Department of Homeland Security, the Multi-State Information Sharing and Analysis Center, the San Diego Law Enforcement Coordination Center, FireEye and others.

He gets daily emails on the latest threats, and if a threat affects a product the district uses, he forwards the information to his team.

Overall, Badore says, the security tools and the threat intelligence reports allow him to be proactive. “It’s building the foundation, having the tools in place and reacting to the threat reports, then applying fixes or some type of mechanism to make sure we are protected and mitigating threats,” he says.

Photography by John Davis