Oct 29 2021

Cyber Incident Response Requires a Mix of Tactics, IT Leaders Say

While disaster recovery is crucial, endpoint detection and response, network segmentation, and other tools are also key.

State government IT leaders see automation as a key to the future of their cybersecurity detection and response capabilities. In the meantime, state and local IT leaders say effective cyber responses require a combination of approaches.

StateTech recently conducted a poll on Twitter asking government IT professionals about the elements of cybersecurity incident response that are most important for their agencies.

The most popular response was disaster recovery tools (42.7 percent), followed by endpoint detection and response (EDR) tools (23.6 percent), network segmentation (21.3 percent), and security information and event management tools (12.4 percent).

StateTech asked several members of its 30 State and Local IT Influencers Worth a Follow list to weigh in with their thoughts on the poll responses. Washington, D.C., CTO and Assistant City Administrator for Internal Services Lindsey Parker says that government CIOs and CISOs need to take an “all of the above” approach to cyber incident response.

“I don’t think we have the luxury to choose anymore,” she says. “I think they’re all equally important to a robust cyber posture. In reality, I can’t in good conscience go to city management and prioritize one over the other.”


The Importance of Disaster Recovery to Cyber Response

The IT Influencers stressed the importance of disaster recovery solutions in cybersecurity incident response.

Texas CIO Amanda Crawford says it’s not surprising disaster recovery was the top choice in the poll, since “disaster recovery planning is certainly very important for agencies so that they can reduce the recovery time and the associated business impacts from a cybersecurity incident.”

However, she says, it’s important for agency IT leaders to “balance or at least have the conversations around balancing disaster recovery with forensic investigation activities,” since there is sometimes a conflict between resuming service and conducting investigations into how and why incidents occurred.

Georgia CTO Steve Nichols says the focus on DR reflects that some organizations may not be “comfortable that they’ve got the strongest possible security posture, and they’re really setting up for playing defense — let’s just make sure we can recover if we do get hit with ransomware, versus trying to fend it off.”

Parker says that over the past few years, government CIOs and CISOs have often been told to implement certain vendors’ solutions because they were seen as leading cybersecurity products. However, as ransomware attacks have continued to proliferate amid the pandemic, government IT leaders have needed a “kind of reckoning to recognize that we need a multifaceted security structure in place that’s not overly reliant on one vendor over the other.”

“We also have to be continuously looking at what’s coming out and what’s new to make sure that we’re not falling behind and getting into a position that some of us have seen over the past few years,” she adds.


EDR, Network Segmentation Aid in Cybersecurity Protection

All of the IT influencers on the StateTech list indicated they thought a multilayered approach is needed for effective cybersecurity response.

The federal government is mandating that federal agencies deploy EDR tools, and the Influencers spoke approvingly of them as a tool for state and local agencies to use. EDR tools give organizations visibility into threats on their endpoints and use machine learning to detect attacks.

“We all know there’s no silver bullet, but we’re trying to arm ourselves as best we can,” Crawford says. She adds that the Texas legislature has provided funding for state agencies to deploy EDR solutions. “It’s obviously something that our state leadership here in Texas thinks is important as a great way to help combat the threat.”

Nichols says the key for any EDR solution, which Georgia has been deploying for at least a decade now, is “having the ability to manage all your endpoints remotely so you can manage the EDR solution and get it pushed out.”

Network segmentation is crucial for incident response, Crawford says. She points to the widespread ransomware attack that spread across Texas in 2019. In that attack, she notes, when one particular government entity was hit, it was because its networks were not segmented.

Nichols notes that in Georgia, the state has a high degree of network segmentation, which sometimes makes changes more difficult to implement because of the more complicated network architecture. State agencies often complain about the complexity, he says.

However, if there is an incident, Nichols says, “it normally gets bottled up into a virtual LAN, and we can take the problematic assets or endpoints offline and reimage them and get back on the road pretty quickly.”

