Evolving cybersecurity threats are putting constant pressure on state, local, tribal, and territorial (SLTT) organizations, which must shore up their defenses despite limited resources. In a recent interview, Kateri Gill, Director of CIS Services at the Center for Internet Security (CIS), provides critical insight into navigating today’s cyber landscape, drawing on CIS’s experience in helping thousands of SLTT entities across the United States enhance their security postures. From leveraging community-based threat intelligence to implementing a defense-in-depth strategy, Gill highlights practical solutions that empower SLTTs to stay ahead of emerging cyber threats.
MeriTalk: What are the top cybersecurity concerns for state and local organizations, and how do their concerns differ from other organizations?
Gill: Quite frankly, the core concerns around cybersecurity are similar for everyone – state and local governments included. Phishing and social engineering were the number one attack vector last year, and the vast majority of incidents stem from them. Even ransomware often infiltrates networks from an attack originating through these methods. In addition, generative AI (GenAI) can lead to more sophisticated phishing and social engineering attacks, and it’s being used to write malicious code. Using technical controls to address the ever-expanding threat landscape is a significant challenge for organizations everywhere.
What really sets state and local organizations apart is how they address cybersecurity concerns. While large corporations can purchase what they need and hire who they want, state and local governments struggle to compete for talent and often have constricted budgets and different procurement requirements.
MeriTalk: Security requirements are constantly changing in response to evolving threats. How can state and local organizations ensure their network systems are protected against the latest threats, given their limited staffing and resources?
Gill: Basically, there are two main approaches to threat detection and response: signature-based and heuristic-based. While signature-based – comparing network traffic against a database of known attack patterns, or signatures – is the classic method, we’ve moved more into heuristic-based detection in recent years. This involves looking at user and equipment behavior to spot malicious activity. You won’t always know what IP addresses are malicious or what to look for in subject lines, but you can detect unusual behavior, such as a user exfiltrating large amounts of data. I encourage anybody who is developing, enhancing, or evaluating a cybersecurity program to ensure they include heuristics analysis.
Also, state and local organizations should take a community-based approach. This means joining an Information Sharing and Analysis Center (ISAC) to share information and get early indicators of compromise. Interfacing with others in your community who are facing similar challenges is crucial. Our Security Operations Center (SOC) is part of this community-based approach, providing 24/7, 365-day monitoring and analysis to 18,000 SLTT organizations across the nation – at a fraction of the cost of hiring dedicated staff. It’s a very effective approach to managing budgets and providing expertise.
MeriTalk: What are the core components of a defense-in-depth approach for state and local entities?
Gill: Defense-in-depth is a strategic approach to cybersecurity that protects against single points of failure, creates barriers to cyber intrusions, and provides multiple opportunities for cyber response. A defense-in-depth program includes six facets, reflecting the philosophy that no single silver bullet can stop an attack. First, there’s community, which involves sharing threat data with organizations that have similar risk profiles. Second is best practices – like implementing good cyber hygiene. Next is risk management, a continuous process of understanding the risk environment around your network. The next three are more technical: ensuring network, device, and data security. It’s vital to guard your attack surface from all of those perspectives. Even if we’re looking for the same types of behavior, having the capacity to identify threats at various levels of your environment is crucial for early detection and response.
MeriTalk: How does CIS help state and local organizations develop their defense-in-depth strategies?
Gill: We have our Multi-State Information Sharing and Analysis Center (MS-ISAC), which aims to improve the overall SLTT cybersecurity posture through coordination and collaboration. Joining the MS-ISAC is free, and members get access to a community and intelligence sharing. We also offer Albert Network Monitoring and Management – an intrusion detection system designed for SLTTs that helps them monitor for malicious traffic and augment their limited staff – and Endpoint Security Services (ESS). That’s a cyber solution, in partnership with CrowdStrike, that is deployed on endpoint devices to detect and respond to security incidents and alerts. Both services are very low cost and provide security benefits to all entities we support – even if they aren’t using these services.
For example, the more Alberts that we have out there, the more networks we’re monitoring, and the better we understand the overall SLTT threat landscape. When we communicate with our membership about an attack or a trend we’re seeing, it goes to all 18,000 members, so everybody benefits from every Albert sensor. There are a lot of vendors that do network monitoring, but there really isn’t anybody else who can bring that holistic view of the SLTT threat landscape.
MeriTalk: How does the CIS SOC prioritize and triage alerts from ESS and Albert to ensure timely response to state and local-specific threats?
Gill: Our SOC operates around the clock, with an analyst reviewing every alert and taking a first-in, first-out approach. The result is that our average time from notification to escalation is well under 10 minutes – a fraction of the industry average response times. A senior security analyst who has focused on SOC operations for nearly 20 years described the CIS SOC as the only SOC he has encountered that measures response time in minutes, as opposed to hours. He remarked that the next lowest time to notification he has seen is four hours and that most SOCs average between 12 and 24 hours.
If there’s a large spike in events for a single entity, we dedicate a SOC analyst and supervisor to it. If we see a large spike across the nation, we will also handle that as a single large incident. In that case, a lot of folks may need assistance from our cyber incident response team, CIRT, which is free for anyone whether they have Albert or ESS or not. We also send out critical guidance to our entire community and do regular internal tabletop exercises to test our readiness for major incidents.
MeriTalk: What are some best practices for state and local organizations as they develop their SOC approach?
Gill: First, make sure you understand your capabilities and limitations. Take an inventory of your assets – software, hardware, and capabilities – and be realistic about what you can achieve and what you need to outsource. Too often, organizations try to take on too much, too fast, and things wind up slipping through the cracks. Another best practice is to find someone in a similar environment who is going through a similar journey but may be a few steps ahead of you – a kind of buddy system. Learn from each other rather than everyone learning the same difficult lessons on their own. Joining an ISAC, like the MS-ISAC, allows you to be part of a community that shares not just threat information, but also information around cybersecurity maturation journeys. This enables all SLTTs to develop more mature approaches to cybersecurity.
MeriTalk: Can you share a couple of success stories about how CIS has helped state and local organizations address cyber threats?
Gill: One recent example is our custom signature creation. We had an analyst write a signature to identify corrupted PNG files at the network level. It was something no one else had, and the early detection immediately benefited one of our local government customers by uncovering pre-ransomware activity that would have otherwise gone undetected. Another example involves ESS, where we contained an endpoint for a school district over a weekend, preventing an infection from spreading when nobody from the district was available for response. We’ve also had cases where our cyber incident response helped organizations get to the root cause of infections after other response efforts failed. These are just some of the ways that we help with early detection, containment, and remediation for state and local organizations.