Shining A Flashlight On The Insider Threat

Network Visibility for State and Local Governments

Ashley Harper

The average citizen rarely appreciates how much state and local governments touch their daily lives. In addition to holding sensitive information about residents, these agencies offer important services online, operate critical infrastructure such as public utilities, and exchange confidential information with federal networks. It is crucial that they are properly prepared to defend against advanced threats.

But significant cybersecurity gaps remain in every state. According to The Pell Center, no state is cyber ready, although several states are making great strides. State governments play a fundamental role in addressing cybersecurity for their communities, and they are well positioned to lead where responsibility for security must be shared with other stakeholders such as infrastructure operators, law enforcement, and educational institutions.

Given the trove of vital information and services that state and local governments are responsible for, they are an alluring target for cybercriminals. For example, last year a ransomware variant dubbed MarsJoke was found targeting state and local governments and K-12 education institutions. Although security researchers eventually broke MarsJoke's encryption, it illustrates the kind of threat state and local governments face.

One way agencies can help shore up their security preparedness and incident response capabilities is by gaining visibility into internal network traffic. Real-time situational awareness of what is happening on the network can help security operators identify signs of threat activity early enough to respond before damage is done.

NetFlow gives you eyes and ears on the network

Collecting NetFlow, a context-rich and widely supported form of network traffic metadata, gives security and network operators an understanding of what is happening on the network. NetFlow is exported directly by the network infrastructure devices already in place, such as routers, switches, and firewalls. This effectively turns the network itself into a security sensor, capable of surfacing threat activity as it takes place.

You can think of NetFlow as similar to a phone bill. It does not record the content of a conversation, only the details surrounding it, such as:

  • Sender and receiver IP addresses
  • Sender and receiver port numbers
  • IP protocol (TCP, UDP, ICMP, and so on)
  • Start time
  • Duration
  • Bytes and packets transferred

This allows agencies to track every network conversation while avoiding the cost of storing entire packets. Because each flow record is tiny compared with the traffic it describes, NetFlow can be retained for months or even years, making it a vital resource for forensic investigations, and it can be queried quickly, which speeds up incident response. One caveat: the exporters must be configured for full, unsampled flow export. Sampled NetFlow, which some high-throughput devices default to, records only a fraction of packets and can miss short conversations entirely.

Stealthwatch provides analysis, threat detection

Cisco Stealthwatch transforms the raw network telemetry provided by NetFlow into actionable intelligence and situational awareness. Stealthwatch relies on behavioral analysis to quickly identify anomalous activity and behavior associated with known threats.

As NetFlow is collected, Stealthwatch builds a baseline of normal network activity for each host and host group. When a host, a group of hosts, or the network as a whole exceeds the thresholds derived from that baseline, an alarm is triggered. For instance, if a workstation in human resources usually transfers only a few megabytes a day, but suddenly pulls gigabytes of data from a critical engineering data center, that could be a sign of a threat actor staging data for exfiltration. Detecting the staging phase gives responders a chance to act before the data leaves the network.
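The baseline-and-threshold logic described above, together with the kind of per-host lookup that stored flow records make possible, is illustrated by the following example code. It was written for this page and is not Cisco or Lancope code: the flow records are constructed sample telemetry, and the engineering data-center subnet, the three-sigma rule, the 100 MB floor, and the minimum history length are assumptions chosen for illustration.

```python
"""Behavioral baselining over NetFlow-style records.

Added example, not Cisco/Lancope code. The flow records below are constructed,
and the host group, thresholds and history requirements are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record: the 'phone bill' fields, no payload."""
    start: datetime
    src: str
    dst: str
    sport: int
    dport: int
    proto: int          # IP protocol number: 6 = TCP, 17 = UDP
    duration_s: float
    nbytes: int


MB = 10 ** 6
# Assumed host group; a collector would take this from its configuration.
ENGINEERING_DC = ip_network("10.50.0.0/24")
BASE_DAY = datetime(2017, 3, 1, 9, 0)


def sample_day(n: int) -> date:
    """Calendar date of day index n in the constructed data set."""
    return (BASE_DAY + timedelta(days=n)).date()


def build_sample_flows() -> list[Flow]:
    """Constructed sample telemetry covering eight days (not captured data)."""
    # Server -> client is the download direction, so the server is the flow source.
    hr_daily = [2, 3, 2, 4, 3, 2, 3, 3200]                  # MB pulled by an HR workstation
    eng_daily = [900, 1000, 1100, 950, 1050, 1000, 900, 1100]  # MB pulled by an engineering analyst
    flows = []
    for d in range(8):
        t = BASE_DAY + timedelta(days=d)
        flows.append(Flow(t, "10.50.0.7", "10.20.1.15", 445, 51000 + d, 6, 40.0, hr_daily[d] * MB))
        flows.append(Flow(t, "10.50.0.9", "10.20.3.40", 445, 52000 + d, 6, 600.0, eng_daily[d] * MB))
        # Unrelated background traffic: a DNS lookup from the HR host.
        flows.append(Flow(t, "10.20.1.15", "10.1.1.53", 53211, 53, 17, 0.01, 120))
    return flows


def bytes_per_day_from_group(flows, group):
    """Bytes each outside client downloaded from hosts in `group`, per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if ip_address(f.src) in group and ip_address(f.dst) not in group:
            totals[f.dst][f.start.date()] += f.nbytes
    return totals


def detect_anomalies(flows, group, eval_day, sigmas=3.0, floor=100 * MB, min_history=3):
    """Alarm on clients whose download volume on eval_day exceeds their own baseline.

    Threshold = max(mean + sigmas * stdev of prior days, floor). The absolute floor
    keeps a host that goes from 1 MB to 3 MB from alarming; the per-host baseline
    keeps a host that always moves a gigabyte a day from alarming on its usual volume.
    """
    alarms = []
    for host, per_day in bytes_per_day_from_group(flows, group).items():
        history = [b for day, b in per_day.items() if day < eval_day]
        if len(history) < min_history:
            continue  # too little history to baseline; a brand-new host is not an anomaly
        mu, sigma = mean(history), pstdev(history)
        threshold = max(mu + sigmas * sigma, floor)
        today = per_day.get(eval_day, 0)
        if today > threshold:
            alarms.append({"host": host, "bytes": today, "baseline_mean": mu, "threshold": threshold})
    return alarms


def peers_of(flows, host: str) -> list[str]:
    """Forensic lookup: every address that exchanged traffic with `host`."""
    peers = {f.dst for f in flows if f.src == host} | {f.src for f in flows if f.dst == host}
    return sorted(peers)


if __name__ == "__main__":
    sample = build_sample_flows()
    for alarm in detect_anomalies(sample, ENGINEERING_DC, sample_day(7)):
        print(f"ALARM {alarm['host']}: {alarm['bytes'] / MB:.0f} MB from engineering DC, "
              f"baseline {alarm['baseline_mean'] / MB:.1f} MB/day")
    print("peers of 10.20.1.15:", peers_of(sample, "10.20.1.15"))
```

On the constructed data the HR workstation alarms on day eight (3.2 GB against a baseline of about 2.7 MB a day) while the engineering analyst, whose baseline already sits near 1 GB a day, does not. The same per-host history is what lets a responder answer "who has this host been talking to" from the stored records rather than from packet captures.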

Likewise, Stealthwatch can identify behavior associated with known threats such as command-and-control activity, malware propagation, and data exfiltration. The ability to quickly detect this behavior gives security personnel a crucial window of opportunity to take action before significant damage is done.

Network visibility is crucial to state and local agencies

To properly serve their citizens, state and local governments must protect their data and services from a myriad of threats. Meanwhile, networks are becoming more complex as organizations offer more services over the Internet and embrace trends such as cloud computing. As technology and the threat landscape continue to evolve, agencies need a way to understand what is happening on their networks.

The visibility and security analytics provided by Cisco Stealthwatch can help agencies detect threats in real-time, regardless of how they gained entry to the network in the first place. By using the network as a security sensor, Stealthwatch leaves no place for threat actors to hide.


