Shifting the cybersecurity burden for state and local governments

The public sector is a magnet for cyber criminals, as state and local governments continue to battle a wave of malware attacks every year. Adversaries understand that state and local governments, through no fault of their own, have limited budgets and overextended security teams, many of which are stressed by alert fatigue and the complexity of remote and hybrid workforce protections. Couple the resource dilemma with being a valuable target for cyber criminals, state and local governments, municipalities and school districts are being asked to do too much on their own. Furthermore, new attacker tradecraft is actively evolving, increasing the immense burden of responsibility carried by government agencies to secure their critical infrastructure and public works while safeguarding the public’s trust.

A sense of urgency is mounting as state and local agencies assess their options to prevent the next ransomware breach. But how can a government agency protect its critical assets against heavily funded adversaries without employing the level of cybersecurity solutions that only the largest global organizations can afford to employ?

A recent White House-issued cybersecurity advisory begins to describe what is needed for government agencies. As important, the advisory calls on the cyber community to share the burden and responsibility of securing government assets. Taken together, I believe these two headlines can begin to even out what is currently an unfair fight in favor of the adversary. Afterall, the attacker only needs to be right once; cybersecurity professionals must be right every single time.

Here are two key take-aways from the recent White House advisories:

• The S. 2022 Joint Cybersecurity Advisory established guidelines that recommend Managed Detection & Response (MDR)-level capabilities as a minimum security baseline. MDR must prevent initial compromise, enable monitoring and logging, and develop and exercise “Incident Response.”
• The White House 2023 National Cybersecurity Strategy says “We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”

Considering these two federal advisories together when searching for a cybersecurity solution for state and local governments, the solution needs to be proactive technology that can prevent cyberattacks. But it also needs to be delivered at a price within the public sector’s budget, not the budget of a global financial institution. So, what does that mean?

MDR is a cybersecurity service and product that detects malware and suspicious attacker reconnaissance activity and responds to these threats with automated and/or human-led alerting, blocking, and attack mitigation. The “managed” element takes the task off the government agencies and puts it on a Security Operations Center (SOC) or team of expert security analysts that perform threat hunting, malware analysis and other services for full management of your security profile, for you. This is a happy marriage of 24/7 “we’ve got your back” human-led threat management, threat intel and incident response capabilities with (often automated) detection-first capabilities.

So, does MDR answer the cybersecurity question for state and local governments? Not entirely:

• First, MDR is often prohibitively expensive, especially for larger government organizations. Costs average $8 to $16 per agent per month.
• MDR’s “detection-first” strategies succeed only about 80 percent of the time on average, which can explain why so many breaches continue to occur across the globe. Approximately 20 percent of threats entering an environment are not successfully detected. Certainly, detection is not the same as protection, so it is important for you to ask for, and receive, an MDR product’s actual historical detection rate, or what’s known as its “detection track record.”
• MDR’s detection-dominant strategies cannot detect undetectable threats (aka “unknowns”). Most detection-first MDR solutions are finely tuned to detect known-good and known-bad threats, based on threat intel and established signatures and hashes. But malware and ransomware hide in the “unknown.” If these unknowns are undetected, then, by definition, you cannot protect against them. Detection is still important as a first line of defense, but detection-first MDR solutions simply lack the ability to protect against that growing unknown, no matter how big and prominent the vendor.
• Undetectable threats increase malware “dwell time.” Consider research by Forbes that revealed malware and security threats often dwell in targeted environments from “a couple of minutes to a worst case of hundreds of days.” Hundreds of days. Once malware is inside your environment, it can siphon and exfiltrate data, move laterally, and literally live deep inside your network until it is good and ready to detonate or ransom.
• Lastly, when detection-first MDR solutions fail (which they will in the face of undetectable threats), customers are then required to pay hefty incident response (IR) fees to remediate the vendor’s failed detections. Last year, government organizations averaged $213,000 in ransom pay. Oftentimes, the IR fees go to the same vendor providing the MDR service. While no vendor wants to be breached, there is some irony in additional monies going to some of the same vendors who are supposed to protect you.

Detection-first MDR solutions have significant benefits for state and local governments. But the above points demonstrate that it is not a silver bullet, and it is not inexpensive.

Alternatively, some state governments have leveraged cybersecurity solutions that prioritize protection over detection. We believe that there should be consideration of proactive, protect- first, access-prevention technologies as an integrated front-end for MDR. To elaborate, undetectable threats are deemed guilty until proven innocent, instantly, in real time, and contained right there on the endpoint. This is genuine zero trust. The contained attacks cannot access real assets, and can therefore do no damage, or interrupt users or disrupt applications, operations or productivity in any way.

As the White House 2023 National Cybersecurity Strategy suggests, it is time to shift the burden of security from small businesses and state and local governments to the security vendors. At the very least, do understand that expensive detection-first solutions are not the bedrock of effective cybersecurity. As long as this misunderstanding continues to persist, breaches and ransoms will continue.

Ken Levine is CEO at Xcitium and is a 15-year cybersecurity industry veteran. Prior to Xcitium, Levine was the CEO for microsegmentation company, ShieldX, which Fortinet newly acquired. Previous to Shield X, he was CEO of Digital Guardian which became a leader in the DLP and EDR markets. Levine was also CEO of then start-up NitroSecurity, a SIEM platform, which was acquired by McAfee in 2011. At McAfee, Levine was senior vice president and general manager of the security management business unit. He is a graduate of the University of Pennsylvania’s Wharton School of Business.