When It Comes to Cyber Defense, Colorado Spends to Secure Its Information Resources

Believing that investing in cyber defense is cheaper than sustaining a major attack, officials in Colorado began funding the protection of state information resources through an enhanced security strategy.

Devised in 2012, Secure Colorado is the state’s first-ever cyber defense strategic improvement plan and prioritizes protecting information commensurate to its criticality to agencies, researching security solutions to outpace emerging threats, forming partnerships with the public sector and academia to share intelligence, and continually assessing legal compliance.

Based heavily around the SANS Institute’s “ Critical Security Controls for Effective Cyber Defense ,” officials hope to implement all of that cybersecurity standard’s “quick wins” in their plan’s first three years.

“We’ll mature our controls strategically based on how well they do protecting against the current threat environment, costs, the budget available and the way the business is evolving,” Deborah Blyth, the state’s chief information security officer, told Route Fifty in an interview. “Secure Colorado enabled us to get a budget approved for fiscal year 2014 that added $5 million every single year going forward to the security program.”

The goal is to have 5 percent of agencies’ IT branch budgets allocated to the program, with Blyth estimating Colorado at slightly less than 3 percent.

Establishing a statewide security program can appear overwhelming, which is why Dell Software recommends a funded approach like Colorado’s, which involved trusted vendors, suppliers and advisers and drew on a set of standards similar to the National Institute of Standards and Technology’s Cybersecurity Framework .

In response to this year’s massive U.S. Office of Personnel Management hack, federal Chief Information Officer Tony Scott issued a 30-day Cyber Sprint in July, where agencies reviewed and tightened their information security measures.

Dell suggests the Cyber Sprint highlighted four cybersecurity areas that state and local governments can strengthen: security information and event management; patch management; two-factor authentication; and tracking privileged access.

“Believe it or not, it really is not as expensive as not doing it. You can operate a car without insurance, but is the risk worth the cost of insurance?” Paul Christman, Dell’s federal sales executive director, said in an interview. “The integration of security information at these various levels described provides state governments with an advantage, especially if they’re struggling to find cybersecurity talent.”

Talent acquisition hasn’t been a problem in Colorado, which has human resources specialists actively recruiting Security Operations Center analysts using social media, partnered communications and blogs to explain why jobs in state government are making a difference.

The trick is adopting the right set of security tools so new hires have an easy time fitting in with seasoned SOC analysts.

“Our security environment grew up over time like everyone else’s, so it takes a lot of special knowledge to interact with various components of the network,” Blyth said. “We’re trying to create a simplified environment, which is much more conducive to bringing in new talent and making them productive immediately.”

Google’s suite of business productivity apps, used by 17 different executive branch agencies in Colorado, provides a singular platform around which to build security controls, but that’s just the tip of the iceberg.

In preparing for the fiscal 2017 budget cycle, the Governor’s Office of Information Technology identified two areas in need of additional funding: threat detection and response; and identity and access management.

In the past few years, Dell helped remediate cyberattacks on state government agencies like South Carolina’s Department of Social Services and Louisiana’s Department of Finance.

“The thing to keep in mind with these breaches is, usually, they were indirect, multistep attempts to access information,” Christman said. “They weren’t malware denial-of-service attacks; they were about collecting bits and pieces of data together and then being able to breach.”

Colorado sees 8.4 million security events per day, whittled down by its security incident and event manager from 600 million events across all network and security devices, work stations and servers statewide.

A security event could be something as benign as someone mistyping a password or a potential attack in progress, where someone is trying to hack in, something’s been scanned or someone mistyped a password 600 times.

“Most CIOs recognize breaches are occurring regardless of the amount of money you have invested,” Blyth said. “We need to get good at detecting incidents and being able to respond quickly.”

The only tool she’s looked at to help on that front is Click Security , advanced security event analytics filtered through defense intelligence information that identifies “weird stuff” in the environment and can map it graphically. Blyth can always issue a request for proposal (RFP) in the next month or so, describing exactly what tool she’s looking for, in order to get a better sense for what is the altogether brand new space.

As for identity and access management, OIT has already settled on an as-yet-unannounced tool for provisioning identities and detecting inactive accounts more efficiently that it hopes to implement across all agencies by 2017-18.

One key Cyber Sprint finding was that implementing two-factor identification is one of the easier things for states to do—Dell seeing a substantial increase in states investing in the embedded infrastructure for personal identity verification (PIV) cards and the common access card (CAC) since July.

Oftentimes, government accounts require only a username and password, which can be guessed, to control, so a token card adds an additional level of security prior to accessing the ID.

Encryption is “immensely valuable” but it doesn’t provide “security Nirvana,” Christman said, because it respects a valid ID, so privileged account management tracks the activity of superusers once they’re in the system—making forensics easier in the event of a breach.

A hacker becomes a superuser, a fancy word for a network or system administrator, once they’ve bypassed the identification process, so monitoring the systems accessed, commands run and time spent in systems is of critical importance.

“Security must be layered, connected and aware,” Christman said. “Most security breaches happen when layers aren’t connected, with log files for instance, and security isn’t context-aware: Should the person be doing this?”

OIT has only deployed two-factor authentication in pockets where there’s high-risk access but is looking to create an enterprise standard it can push out globally, starting with superusers then remote users then everyone.

Patch management has been around for quite awhile, but the context-aware security Dell advocates for aims to deny access to users without the proper patches—understanding context to react with the right level of security.

The Cyber Sprint target area also happens to be one of the 20 security controls Colorado seeks to implement, and OIT has tools in place to track the progress of patching across the security environment—currently 92 percent effective.

When Blyth arrived about a year ago, OIT was doing a “reasonable job patching,” but goals have been set to raise effectiveness even higher in the coming months.

"The government is supportive of this program, and more specifically executive branch leadership has supported and committed to funding this program,” Blyth said. “Executive buy-in—that has been why this program has been so successful.”