When Shannon Lawson came to Phoenix as CISO in 2019, the city was using endpoint protection products he’d never even heard of.
At the recommendation of other cybersecurity professionals, Lawson decided to test CrowdStrike products and services in the city’s environment. These included the CrowdStrike Falcon platform, CrowdStrike Falcon Complete and an incident response retainer from the company. “While we had these products deployed, we saw a hands-on keyboard attack on one of our external-facing human resources systems,” Lawson says. “Our other tools didn’t alert us to the attack at all. That’s what sealed the deal for us.”
Already a top-of-mind concern for government IT shops, network security became even more important when many cities, states and counties sent their employees home in March 2020 in response to the COVID-19 pandemic. Along with robust endpoint security and remote authentication tools, many organizations have embraced continuous monitoring solutions and practices that allow IT security leaders to keep a constant eye on remote machines, says Eric Hanselman, a chief analyst at 451 Research.
“In the rush to simply make remote work possible, a lot of the normal security reviews initially got put off,” Hanselman says.
“What’s happened over time is that agencies have gotten back to understanding their exposure, and they are trying to re-implement security controls in ways that will work in a hybrid environment,” he adds. “The continuous monitoring piece means monitoring the state of the user’s identity, the device from which they’re connecting and their actions throughout the lifecycle of their connection in real time.”
How Arizona Cities Are Enhancing Their Endpoint Protection
Phoenix is using the Falcon platform for endpoint detection and response, Falcon Complete for managed detection and response (MDR), Falcon OverWatch for managed threat hunting, CrowdStrike Incident Response to handle critical security incidents and a solution from RSA for multifactor authentication (MFA). Most of the tools were either already in place or in the process of being deployed when the pandemic hit, helping to smooth the city’s transition to remote work.
Lawson says it’s important for IT departments to seek unbiased advice and test products themselves before implementing them.
“I had vendors come in, and the first thing they were telling me is what a great deal they could give me on the product,” he says. “They didn’t even talk about the capabilities. You have to talk to fellow CISOs and ask probing questions about what worked and what didn’t work. Even then, you have to test it, because what works in your environment might not work in someone else’s, and vice versa.”
The introduction of MFA was particularly important for protecting remote employees’ Microsoft Office 365 accounts: a phished or otherwise stolen password on its own no longer grants access.
Continuous monitoring practices are important, Lawson adds, for ensuring that systems are ready to handle ever-evolving attacks. “I have us on a scan/patch/scan cycle of 30 days,” he says. “Every month, the entire enterprise gets a scan. We can show that we are keeping up with regulatory requirements and addressing threats in our environment.”
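The monthly scan/patch/scan cycle Lawson describes is easiest to reason about as a diff between consecutive scans plus a first-seen date for every finding. The block below is an added example written for this page, not code from Phoenix, CrowdStrike or any scanner product: it replays three constructed scan results (hypothetical hostnames and placeholder finding IDs, not real vulnerabilities), carries forward findings on hosts a scan could not reach so that an offline remote laptop is not silently counted as remediated, and flags anything that has stayed open longer than the 30-day window.

```python
"""Replay a scan/patch/scan cycle and flag findings that outlive the remediation window.

Added example, not the page's or any vendor's code. All scan data below is constructed.
"""
from datetime import date, timedelta

SLA_DAYS = 30  # the 30-day cycle quoted in the text

# Constructed sample scans. Hostnames and finding IDs are placeholders, not real
# vulnerabilities. Each scan records which hosts it actually reached.
SCANS = [
    {"date": date(2021, 1, 4),
     "hosts": ["hr-web-01", "fin-db-02", "remote-lt-07"],
     "findings": [("hr-web-01", "F-1001", "critical"),
                  ("hr-web-01", "F-1002", "high"),
                  ("fin-db-02", "F-2001", "critical"),
                  ("remote-lt-07", "F-3001", "critical")]},
    {"date": date(2021, 2, 1),
     "hosts": ["hr-web-01", "fin-db-02"],            # remote-lt-07 was offline
     "findings": [("hr-web-01", "F-1002", "high"),   # F-1001 was patched
                  ("fin-db-02", "F-2001", "critical"),
                  ("fin-db-02", "F-2002", "medium")]},
    {"date": date(2021, 3, 1),
     "hosts": ["hr-web-01", "fin-db-02", "remote-lt-07"],
     "findings": [("fin-db-02", "F-2001", "critical"),
                  ("fin-db-02", "F-2002", "medium"),
                  ("remote-lt-07", "F-3001", "critical")]},
]


def diff_scans(previous, current):
    """Classify (host, finding_id) pairs between two consecutive scans.

    A finding that vanished because its host was not scanned is 'unobserved',
    not 'remediated'; only a clean result from a reached host closes it.
    """
    scanned = set(current["hosts"])
    prev = {(h, f) for h, f, _ in previous["findings"]}
    cur = {(h, f) for h, f, _ in current["findings"]}
    gone = prev - cur
    return {
        "remediated": {k for k in gone if k[0] in scanned},
        "unobserved": {k for k in gone if k[0] not in scanned},
        "new": cur - prev,
        "persisting": prev & cur,
    }


def update_tracker(tracker, scan):
    """Return a new tracker: (host, finding_id) -> (first_seen, severity).

    Findings on unreached hosts are carried forward unchanged; findings on
    reached hosts that no longer appear are dropped as remediated.
    """
    scanned = set(scan["hosts"])
    updated = {k: v for k, v in tracker.items() if k[0] not in scanned}
    for host, fid, sev in scan["findings"]:
        key = (host, fid)
        first_seen = tracker[key][0] if key in tracker else scan["date"]
        updated[key] = (first_seen, sev)
    return updated


def overdue(tracker, as_of, sla_days=SLA_DAYS):
    """Findings open for more than sla_days as of the given date, oldest first."""
    cutoff = as_of - timedelta(days=sla_days)
    return sorted(
        ((host, fid, sev, (as_of - first).days)
         for (host, fid), (first, sev) in tracker.items()
         if first < cutoff),
        key=lambda r: (-r[3], r[0], r[1]),
    )


def run_cycle(scans):
    """Replay scans in order; return the final tracker and the overdue findings."""
    tracker = {}
    for scan in scans:
        tracker = update_tracker(tracker, scan)
    return tracker, overdue(tracker, scans[-1]["date"])


if __name__ == "__main__":
    for prev, cur in zip(SCANS, SCANS[1:]):
        print(cur["date"], diff_scans(prev, cur))
    _, late = run_cycle(SCANS)
    for host, fid, sev, age in late:
        print(f"OVERDUE {host} {fid} {sev} open {age} days")
```

The point of keeping a tracker separate from the pairwise diff is the offline host: in the constructed data `remote-lt-07` misses the February scan, so a naive diff reports its finding as closed and then as brand new in March, while the tracker preserves the January first-seen date and correctly reports it as 56 days old and overdue. Severity-specific windows (shorter for critical findings) are a natural extension via the `sla_days` parameter.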
How Utah Is Rethinking Cybersecurity Infrastructure
When Zachary Posner became CIO of Salt Lake County in Utah, he spent the next two years tweaking its already robust remote work and cybersecurity infrastructure. Then, when the pandemic hit, county officials asked him whether it was possible to support work from home at scale.
“We said, ‘Not only can we do it, but all we need to do is pay for licensing,’” Posner recalls. “We were ready to go. We already had Fortinet devices that could handle the capacity of the virtual private network connections. It’s great when all you have to do is write a check.”
“Identity is the single biggest vulnerability in any business, and particularly in government,” Posner says. “I need to know that the person logging in is who they say they are, and the best way to do that is MFA.”
Salt Lake County is also using an MDR solution from another vendor. The tool, Posner says, offers the threat detection, incident response and continuous monitoring that is essential with some employees still working remotely.
“There really is no longer a defensible physical perimeter,” Posner says. “Defense takes place wherever your machine is in the world.”
How Illinois Is Transforming Its Cybersecurity Approach
Before the Illinois State Treasurer’s Office adopted CrowdStrike tools, the agency’s security tooling was generating up to 30,000 false-positive alerts a day. At that point, the alarms essentially become meaningless, says CIO Joseph Daniels.
“Financial code needs a very specific type of monitoring,” says Daniels. “Otherwise, it lights up like a Christmas tree all day long. Our previous vendor wanted 18 months to come up with a fix, at an additional cost. I told them that we can’t go without security for 18 months.”
The agency implemented the CrowdStrike Falcon platform, as well as the Falcon Complete MDR tool. “We get 24/7 security operations center support,” Daniels says. “Instead of me hiring 30 SOC analysts, we use their team at a fraction of the cost. They have immediate authority to take action on our behalf for certain threat levels. It has been invaluable.”
Daniels says that CrowdStrike proved crucial during a middle-of-the-night incident at one of the agency’s disaster recovery sites. “They were able to quarantine a backup server, with no impact to the business,” he says. “If we didn’t have these tools in place, we would have lost all of our backups. Our agency would have been decimated. Without CrowdStrike, the question would have been, ‘How are we going to recover?’ With CrowdStrike, it turned into, ‘How can we investigate?’”
The agency also uses a cloud management gateway, providing continuous monitoring of remote devices. “If we have a zero-day patch we need to push out, I don’t need to wait for someone to connect to the VPN,” Daniels says. “I can see 100 percent of our endpoints when they’re connected to the internet, from anywhere.”