
May 13 2021

Montana Focuses on Ransomware Defense, Shifting to Zero Trust

Montana CISO Andy Hanks details the state’s key cybersecurity priorities for 2021 and beyond.

As the recent ransomware attack against a vital oil and gas pipeline operator, Colonial Pipeline, makes clear, such attacks are not going away and are becoming more persistent and targeting higher-profile entities. The FBI has attributed the attack to a criminal group, DarkSide.

And as the Wall Street Journal reports, it is “a ransomware-as-a-service variant, meaning that other criminal groups can purchase it to carry out attacks and then share the proceeds with the hackers who developed it,” attributing the assessment to Anne Neuberger, deputy national security adviser for cyber and emerging technology.

Even before the attack, Montana CISO Andy Hanks worried about precisely this kind of ransomware attack targeting the state’s data and systems. Continuing to combat ransomware remains one of Montana’s top cybersecurity objectives, since his team is squarely focused on protecting citizens’ data.

In addition to taking steps to guard against ransomware, Montana is also moving toward a zero-trust cybersecurity architecture and implementing an enterprise governance, risk and compliance approach.

Ransomware Remains a Top Issue for Montana

Despite its pervasiveness and the attention it has received over the past several years, ransomware remains a key cybersecurity risk for Montana, Hanks says. That is why the state has implemented behavior-based anti-virus software on government endpoints and enhanced its logging and digital forensic capabilities.

State and local governments remain top targets for ransomware attacks, Hanks says. In the past, conducting successful ransomware attacks took some level of technical skill, he notes, but now there are “products out there that don’t require a lot of technical skill to implement a ransomware attack.” Those are the kinds of ransomware-as-a-service payloads that DarkSide provides to attackers for a price.

“I think that’s one of the differences in the pervasiveness of it, of the actual ransomware and its ability to probe across your network — it’s getting better and better each year,” he says. “Putting in controls to help identify that is very important.”

In 2018, Montana started deploying behavior-based anti-virus tools from SentinelOne, which, as StateTech has reported, use artificial intelligence and machine learning “to not only examine traffic and identify threats” but also “to automatically perform remediation, allowing the state to reallocate its staff time to other IT projects.” Behavior-based anti-virus tools scout for abnormal behavior in the systems themselves instead of looking for suspicious file types and attack signatures.

“We think some ransomware attacks could have been prevented if the target was running behavior-based anti-virus instead of signature-based anti-virus,” Hanks argues.


Montana Starts Moving to a Zero-Trust Architecture

Although there have been indications recently that state and local governments are interested in adopting a zero-trust approach to cybersecurity, it is much more widely discussed (and deployed) at the federal level right now.

Zero-trust cybersecurity departs from traditional network-centric security, in which users are trusted once they have gained access to an agency’s network. In a zero-trust architecture, which is based on data security, no user or endpoint is trusted, access controls are granular and users and devices are continuously required to authenticate themselves — enabling a motto of “never trust, always verify.”

Montana has been “slowly putting the people, processes and technology in place that will help us achieve zero trust or get as close to zero trust as you can,” Hanks says, over the next three to four years.

The state is exploring the different pillars of zero trust, including users, devices, networks, applications, automation and analytics. Montana is considering adopting new governance and management practices to protect the data, including continuous authentication.

That boils down to authenticating every access request, Hanks says. “Just because somebody is authenticated to one data store doesn’t mean that they can automatically access another one,” he says.

With continuous authentication, organizations can look at consolidating their identity management and also at segmenting their access management, creating different trust zones. Users would need to reauthenticate to enter each zone each time they made requests, Hanks says. It also includes using multifactor authentication.

Hanks notes that zero-trust implementations will vary from state to state, since it is a concept and not a singular technology. “A lot of what organizations already have in place can be used for zero trust, but one of the things that most organizations are going to need to add to is logging,” he says. “There’s a substantial amount of more logging required for zero trust. Then, the continuous authentication mechanisms are something else that is really important.”


The Role of Enterprise Governance, Risk and Compliance

Another key priority for Hanks this year is finishing the deployment of an enterprise governance, risk and compliance program for the state. In 2019, the state legislature allocated $6.3 million to enhance Montana’s cybersecurity posture.

One of the initiatives in that project was to implement an enterprise GRC approach. In state government, Hanks notes, each agency has its mission and business objectives and processes. They also have technology in place to support those objectives, and they need to secure that technology.

GRC, Hanks explains, allows Montana to “view a real-time, holistic risk posture at the agency level and at the state level.” For example, the CIO of a particular state agency can log in to the GRC solution and view his or her agency to see which vulnerabilities exist, Hanks says, as well as any compliance issues and residual risk.

The state CIO can also log in to the GRC tool and get a statewide view of all agencies. “The real value of this investment comes from being able to prioritize risk and prioritize risk management applications to address risk,” Hanks says. “Seeing what your current risk is and knowing if you can accept any more risk is a key feature of it as well.”

Montana is about 95 percent complete on its enterprise GRC implementation, Hanks says. Most, but not all, of the state’s systems are in the solution, and most of the dashboards have been created. “What it’s about is giving the agencies more control and visibility of the risk,” he says.

