A directive from Gov. Brian Sandoval allowed the state's IT department to gain control of an escalating problem with information security, which led to a reduction in security incidents -- from 155 to 30 per month.
When Nevada CIO David Gustafson joined the state's Enterprise IT Services as a deputy CIO in 2009, security was not seen as a priority, but he quickly set out to change that. "I learned early on that threats [were] increasing at an alarming rate -- so fast that we can barely keep up."
By 2012, Nevada's cyberproblem had grown to millions of daily attacks, with a peak of 155 monthly security incidents, including failures of standard security components to keep out threats of all kinds. By this time, the state began a more in-depth monitoring for intrusions into the state's network.
"What we found was that we were doing OK, nothing great, nothing groundbreaking and nothing newsworthy," Gustafson said. "But as we continued to monitor some key metrics, we learned that the security threats were evolving and our controls would no longer be as effective."
A particularly challenging security issue for the state was accessing information from disparate systems or endpoints. "From our experience, most security infractions are not server or network related, but endpoints," Gustafson said. "More specifically, users clicking on malicious or compromised email links."
With security problems continuing to grow, Gustafson proposed that Gov. Brian Sandoval shift Nevada’s information security focus to the enterprise level; the governor then issued a directive to the state's cabinet to consolidate and integrate security under Enterprise IT Services.
The governor’s mandate helped sell the idea of an enterprise solution to agencies that had dealt with the issue separately up until then. Still, there were hold-outs.
"We have had issues with agency architectures integrating into the enterprise solution, agency 'stone-walling,' which required additional effort on behalf of the CIO, and resource constraints, to name a few," Gustafson said.
After an inventory of state assets, Gustafson and CISO Christopher Ipsen narrowed their consolidation efforts by addressing four of the most pressing 20 Critical Security Controls from the SANS Institute, including application whitelisting, patching applications, patching operating system vulnerabilities and restricting administrative privileges. In addition, the state was able to secure inventory management and inventory of software in the new enterprise system, Ipsen said.
"If we could focus in on the most important controls, we realized we could reduce risk and at least get the situation to a point where we might be able to manage it," Ipsen explained.
The state used Symantec’s integrated security tools to manage endpoint security, according to Ipsen. Other reasons for selecting the tools included their scalability for evolving requirements and the ability of the system to automate workflows, consolidate reporting and layer the security approach across endpoints.
Today the state has deployed the centralized security system to more than 50 percent of state agencies in record time and at a lower cost. "We saved money, improved security and increased business efficiencies by taking an enterprise approach," said Ipsen.
Enterprise IT Services can now continuously monitor endpoint controls and attempted virus intrusions on its network, as well as understand and use this information with event correlation, trending and analysis.
Nevada has improved security and reduced risk by increasing visibility and management of its assets for patching and IT life cycle purposes, while reducing expenses and increasing functionality to users, Ipsen said. The state, which experiences 2 million attempted intrusions on its firewalls per hour, has reduced the number of monthly security incidents from 155 to 30 -- an 80 percent decrease.
"What it's giving us is a standardized configuration and visibility into what's happening in our environment," Ipsen said. "That, combined with managed security services, is giving us a toehold from which to evaluate what the posture of the state is and also what remedies and/or actions need to be taken in order to continue to reduce risk."
Agencies can use the upgraded security tools and enterprisewide anti-virus at less than the cost of what the state was paying before for anti-virus alone. In all, the state paid $1.1 million to deploy the security technology on 17,000 endpoints over three years. By purchasing an enterprise solution, the state was able to avoid about $3.5 million in costs if they had purchased it using the standard, agency-by-agency procurement method, Ipsen said. Helping with the cost of the bundle, he said, was the fact that the state purchased it near the company's yearend.
Keys to the project's success included the involvement of state leadership, an understanding of the solution's business value and doing a few things well, Ipsen said.
Now the state is developing consistent compliance reports with its standardized reporting tools, looking at enterprise-grade tools around configuration validation and expanding its managed security services to look at more endpoints in the enterprise.
Going forward, Nevada has also enacted a law to extend the enterprisewide security solution to its counties and cities so that they can also benefit from it.
"What we're hoping to do in the next level is to really bring in sort of the state template pilot solution ... to local communities -- the counties and the cities -- to really help them increase their security and bring some transparency to their network," Gustafson said.