How LA’s security center combats cyberthreats
- By Stephanie Kanowitz
- Oct 26, 2016
In the past year, the city of Los Angeles has seen the number of cyberattacks launched against it grow by 250 percent – and that’s a good thing. Spotting so many incidents means city officials are able to detect and mitigate them before they become major problems.
This capability is largely the result of the city’s Integrated Security Operations Center. Completed on Aug. 1, 2015, ISOC is the culmination of a two-year physical and virtual project to consolidate more than 200 million log records and other data every 24 hours.
“It’s a veritable needle in a haystack in which cyberattacks represent some of that information,” LA CIO Ted Ross said. “You’ve got information, you’ve got warnings and you’ve got real, significant threats hidden in all of that.”
Part of ISOC involves running a security information and event management (SIEM) solution on Amazon Web Services’ GovCloud, but at a massive scale: it spans 41 departments and covers almost 40,000 employees and 4 million city residents, Ross said.
“We’re really running big data to identify cyberthreats and cyberbreaches so that we can remediate and resolve them very quickly,” he said. With ISOC, the city now identifies and remediates on average more than 10,000 intrusions per month.
ISOC has two objectives. The first is situational awareness, or translating those millions of records into meaningful cybersecurity posture dashboards, which are shared among 300 users, Chief Information Security Officer Tim Lee said. The SIEM powers visual dashboards that show the types of threats and where they are coming from, and a cyber alert indicator shows malicious activity in real time.
When an incident comes in, it gets triaged and assigned to the proper cyber team member, who can, if necessary, escalate it and pull in help from the LA Police Department or FBI. Incidents enter as Level 1 and can move to Level 2, which is remediation and mitigation, or Level 3, which is the most critical.
Different dashboards show the various levels of situational awareness, Lee said. For instance, city executives and managers will only see the time and criticality of the top 10 incidents -- a high-level look. Another dashboard offers a more detailed operational picture for all the departments’ security teams, and each department has its own screens.
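As an added illustration (not code from the city’s ISOC or its SIEM), the following Python sketches the workflow the article describes: incidents enter at Level 1, move to Level 2 for remediation or Level 3 when most critical, are routed to a team member, can be escalated to an outside partner, and feed both a per-department operational view and an executive view of the top 10 incidents by criticality and time. The level thresholds, the routing table and the sample incidents are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Levels as the article describes them: every incident enters at Level 1, Level 2 means
# remediation and mitigation are underway, and Level 3 is the most critical tier.
LEVEL_TRIAGE, LEVEL_REMEDIATION, LEVEL_CRITICAL = 1, 2, 3
# Hypothetical routing table: which team member picks up which category.
ROUTING = {"ransomware": "ir-lead", "port_scan": "tier1-analyst"}

@dataclass
class Incident:
    id: str
    department: str
    category: str        # constructed labels such as "ransomware", "port_scan"
    seen_at: datetime
    hosts_affected: int
    level: int = LEVEL_TRIAGE
    assignee: str = "unassigned"
    escalated_to: list = field(default_factory=list)

def triage(inc):
    """Assign the incident and set its level from simple, illustrative rules."""
    inc.assignee = ROUTING.get(inc.category, "tier1-analyst")
    if inc.category == "ransomware":
        inc.level = LEVEL_REMEDIATION          # isolate the machine right away
        if inc.hosts_affected >= 5:
            inc.level = LEVEL_CRITICAL         # spreading between hosts: top tier
    return inc

def escalate(inc, partner):
    """Pull in an outside partner (LAPD, FBI) for Level 3 incidents only."""
    if inc.level != LEVEL_CRITICAL:
        raise ValueError("only Level 3 incidents are escalated externally")
    inc.escalated_to.append(partner)
    return inc

def executive_view(incidents, top=10):
    """Executive dashboard: time and criticality of the top N incidents only."""
    ranked = sorted(incidents, key=lambda i: (-i.level, i.seen_at))
    return [(i.seen_at.isoformat(timespec="minutes"), i.level) for i in ranked[:top]]

def department_view(incidents, department):
    """Operational dashboard: every incident for one department's security team."""
    return [i for i in incidents if i.department == department]

# Constructed sample incidents (not real city data).
SAMPLE = [triage(i) for i in (
    Incident("inc-1", "Water", "port_scan", datetime(2016, 10, 1, 9, 0), 1),
    Incident("inc-2", "Transit", "ransomware", datetime(2016, 10, 1, 9, 5), 2),
    Incident("inc-3", "Transit", "ransomware", datetime(2016, 10, 1, 9, 7), 6),
)]
```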
Before ISOC, this kind of consolidated information wasn’t possible because cybersecurity in LA was fragmented, with different teams running different infrastructure and security. “If somebody attacked one part of the network, the other part wouldn’t even know it happened,” Ross said. “It allowed someone to attack different parts and just kind of ooze their way along.”
ISOC’s second objective is sharing meaningful threat intelligence with stakeholders, including external groups such as the FBI and the Secret Service, through a threat intelligence portal. “It allows us to consolidate the threat intelligence, really quickly react with precise information in regards to that threat and simultaneously share with other partners, which allows them to either assist us in that matter or else protect others,” Ross said.
ISOC is working. In a 30-day span earlier this year, the city contained 16 zero-day ransomware attacks that affected five departments.
“We were able to very quickly identify [the viruses], isolate the machine,” Ross said. “We were able to isolate them very quickly and remediate them without any loss of data.”
“We found these viruses ahead of the anti-virus companies,” Lee added.
And that’s important not only for protecting data and infrastructure, but also for the bottom line. The cost of a data breach is $154 per record, according to the California Department of Justice.
“You can imagine a city as large as the city of LA with 40,000 employees and helping support services for 4 million Angelenos -- that gets to be extremely high,” Ross said. “While we may be a large city and people often look at us as [having] very deep pockets, we’re a government. We have 40 percent less staff than we did six years ago. We’ve taken a lot of reductions through the great recession,” he said. “We have to always be smarter. We can’t just throw money and people at the problem.”
Stephanie Kanowitz is a freelance writer based in northern Virginia.