New Approaches for the “New Normal” in State and Local Government Cyber Defense

Adjusting to the new normal, state and local governments need to be more vigilant and streamlined in protecting their environments against cyber predators. What tactics can help provide high levels of security while also meeting restrictive budget and resource requirements?

Even before the COVID-19 pandemic struck, state and local governments were struggling to secure a quickly expanding cyberattack surface with available resources. Now, ransomware purveyors and other cyber hackers are licking their chops to take advantage of any signs of weakness as governments react to this worldwide crisis. They will not let up once the storm has passed. In such a dangerous environment, business as usual is not an option. Implementing a new approach that enables governments to “do more with less” is imperative. 

We examine two approaches that have the potential – whether implemented together or separately – to deliver greater security across all levels of government while decreasing the cost and workload required to achieve that goal. 

Approach #1: A new focus on teamwork – taking a “whole of state” approach 

Every government organization has unique characteristics and requirements, but if they can come together on a common security approach to achieve a common objective, with the flexibility to tailor that approach to meet unique needs, they can all reap benefits in lower costs and improved cybersecurity posture.

Over the past seven years, the U.S. federal government has been moving in that direction through its Continuous Diagnostics and Mitigation (CDM) program, which brings the entire federal .gov domain together. There have been lessons learned along the way that have driven program improvements. As a result, significant benefits are starting to emerge. For example:

• Economies of scale have enabled enterprise licensing and other creative purchasing options to lower software and hardware costs to participating agencies.
• An “Approved Product List” process and standards have simplified the process of selecting cybersecurity tools, enabled new technology options to be added efficiently and provided assurance that tools selected will meet requirements.
• A flexible services contracting approach has allowed government agencies to select the tools, and design the cybersecurity solution, that best meet their unique needs – and implement those solutions expeditiously. 

CDM aside, the more a state can take a team approach, get buy-in at all levels to the concept of collective defense, and even go a step further to include academia and the private sector, the better all organizations within that state can defend against cyberattacks to any one of them. As ransomware and other cyber threats continue to attack state and local governments, a “circling the wagons” approach that brings state, local and private sector partners together to fight common enemies will become increasingly essential.

States that look to approach cyber defense from a team perspective will also find an increasing amount of federal resources and support dedicated to helping them on their cyber journey as part of a collective defense approach.

Approach #2: A new risk-based approach to vulnerability management 

Moving to a “whole of state” approach is a long-term undertaking. The benefits, though potentially significant, will not be fully realized for some years in the future. Taking a risk-based approach to vulnerability management, however, can deliver immediate and significant benefits in security, efficiency and communication of cyber risk to non-cyber leaders.

Focus first on what matters most

One of the key elements in basic cyber hygiene is doing timely updates – patching software vulnerabilities. The problem is that more connections – and connections are exploding since COVID-19 created an entirely new remote workforce, teleworking and remotely accessing sensitive systems – mean more vulnerabilities to patch.

Even in the best of times, patching every vulnerability in every network device is an impossible dream. In the current environment, with networks expanding and resources being strained to the breaking point, many vulnerabilities are likely to remain unpatched for prolonged periods of time. But, here’s the good news: You don’t have to patch every vulnerability to secure your network. You just need to patch the vulnerabilities that matter.

Predictive Prioritization can help you become more secure by guiding you to the small percentage of vulnerabilities that matter most. Predictive Prioritization is a data science–based process that goes beyond CVSS and reprioritizes each vulnerability based on the likelihood it will be leveraged in a cyberattack. Predictive Prioritization assigns a vulnerability priority rating (VPR) to every vulnerability, including vulnerabilities that have yet to be published in the U.S. National Vulnerability Database (NVD), and updates the ratings daily based on threat intelligence and other data inputs.

The Tenable data science team estimates that, on average, only 3% of vulnerabilities are actually exploited. Putting this into perspective, the NVD reported approximately 17,300 new vulnerabilities in 2019, of which 56%, or about 9,700 were rated “critical” or “high.” If you based your patching on CVSS scoring, you would have a major patching requirement with no assurance that you were actually lowering the risk of an exploit. If, however, you were guided by VPR to the 3% that truly posed a risk, you would only need to patch about 500 of those 17,300 to eliminate all vulnerabilities that posed a risk of exploit. 

Deliver actionable cyber risk data to enable informed decision-making

Through the CDM dashboard ecosystem, the federal government is seeking to deliver its version of what Tenable provides through Predictive Prioritization. The CDM program is also building on that capability to deliver actionable risk-scoring information through the dashboard’s AWARE (Agency-Wide Adaptive Risk Enumeration) algorithm. AWARE scores agencies’ risk postures numerically and provides guidance to agencies on steps to improve AWARE scores. Each federal agency sees its own AWARE score and a federal average score, providing a benchmark for measuring effectiveness. 

While something on the scale of a CDM dashboard ecosystem might seem out of reach for most state or local governments, implementing a solution that delivers actionable risk-scoring data does not require such a massive undertaking. Any government agency can do it today with the Tenable Risk-Based Vulnerability Management Solution, which builds on Predictive Prioritization to deliver measurable data to support effective risk-based decisions. 

In addition to VPR, which prioritizes vulnerabilities based on external criteria, the Tenable Risk-Based Vulnerability Management Solution adds an asset criticality rating (ACR), which provides organizational context by taking more of an internal look to derive the criticality of an asset. ACR is based on several factors/rules derived from scan output. The ACR is derived by an algorithm that pulls from scan data, but the result can also be customized based on particular organizational priorities. The ACR algorithm scores each asset based on:

• Where the asset is located and its exposure to the internet
• The type of device for a given asset
• Device functionality

Tenable’s Risk-Based Vulnerability Management Solution combines VPR and ACR scoring to calculate a Cyber Exposure Score, which provides an objective measure of an asset, business unit or whole organization’s cyber risk, depending on the desired view. This measure enables organizational decision-makers to make informed decisions on risk acceptance and reduction. Vulnerabilities are a part of the equation, to be sure, but the scoring the Tenable solution presents is a comprehensive picture of cyber risk that informs decisions about how to reduce risk and measures progress in reducing risk against meaningful internal and external benchmarks.

Get more info

• Visit our solution page to learn more about risk-based vulnerability management.
• Read about North Carolina’s state-level adoption of the DHS CDM model.