First, it co-launched a Joint Security Operations Center (JSOC), which is currently operated by New York City and state personnel. It also announced an endpoint detection and response (EDR) shared service that it would offer for free to most counties and five major cities. Since launch, the state said all five cities and more than 50 counties have adopted the offered EDR, while local partners spoke highly of support received from the JSOC.
The JSOC came in February 2022, with the state calling it a “first-of-its-kind” effort when co-launching it alongside city partners. Today, the JSOC sees state and New York City personnel co-locating in the same physical command center for easier collaboration and information sharing, state officials said. The JSOC also receives information from state, local, federal and critical private-sector partners.
The second local government cybersecurity support initiative launched soon after, in July — an EDR shared service, which is offered by state agencies and run out of the JSOC. As noted, the uptake has been strong so far. The five major non-NYC cities and more than 50 of the 57 eligible counties adopted it, with New York City and its counties already having their own EDR. The state-provided service now covers more than 40,000 computers, said New York Chief Cyber Officer Colin Ahern.
Rochester CTO Bill Boudreaux, meanwhile, said the JSOC and the offer of three years of free EDR services were promising signs of the state’s desire to take a greater role in protecting large municipalities.
“I can’t begin to tell you how quickly I wanted to jump on that [offer],” Boudreaux said.
The initiatives address a concern that often surfaces in conversations among the “Big Five” upstate municipalities.
“One of the topics that keeps coming up across all of us [in the five major upstate cities] is cybersecurity [and] the lack of standardization,” Boudreaux said. “Some of us have a chief information security officer or security team, some teams have no one dedicated, so those duties fall to the director or the CIO or the CTO.”
ENDPOINT DETECTION AND RESPONSE
The EDR service gives users 24/7 monitoring and threat alerts.
Dutchess County Office of Central and Information Services Commissioner Glenn Marchi said his county applied the EDR service to the desktop workstations for all of its nearly 2,000 employees and to the county’s infrastructure servers. The EDR service is offered for all government devices, excluding those in K-12 schools.
“Not only are we monitoring our network and our endpoints, but now the JSOC is monitoring, so we have more eyes on targets,” Marchi said.
Rochester turned to the EDR service to supplement the efforts of its three-person cyber team. Before joining the JSOC and adopting the EDR service, Rochester ran the risk that a cyber attack hitting outside the team members’ work hours might go undetected until the next business day, Boudreaux said.
“That is too late,” Boudreaux said. “If something has gotten into our system and is already branching off and going into other areas and other servers and things like that, and is just sitting and waiting and hiding, I can’t have that.”
EDR services and the JSOC, however, help cover the gap with around-the-clock monitoring. Rochester already had the same EDR solution installed on its servers, and the state’s offering allowed the city to also implement it on PCs, laptops and smaller endpoints.
Local governments that choose to adopt this shared service must also agree to let the state access their EDR logs. That information helps the state warn other potential victims about threats, better protect state networks and systems, and — if requested — assist that local government, Ahern said.
“Typically, it is time consuming to gain initial access to a system — which may be in a degraded state — to extract logs or other files and move them to a more secure area,” Ahern said. But the EDR system allows the state to continuously evaluate the systems so “when an entity elects to have the state assist in system response, the state can rapidly furnish data to appropriate personnel in order to expedite system triage, log analysis, and assist with forensic response. It makes an existing process move at machine speed, as opposed to people speed.”
The state offered the EDR solution at no price, and also sought to minimize the costs local government might accrue in adopting it, Ahern said. To this end, the state conducted check-in calls during the service’s rollout and provided resources to help with installation. Rochester’s Boudreaux said the solution vendor also connected his city with a go-to tech support contact to assist in the rollout.
New York City CISO and Cyber Command head Kelly Moan said the state picked an important service to offer.
“EDR continues to be a foundational cybersecurity value-add capability,” she said. “Really every organization should have it and benefit from it.”
The state looks to expand its EDR service both to cover any additional counties that wish to join and to cover more devices from its existing participants, as the counties and cities grow their fleets of computers, Ahern said.
JOINT SECURITY OPERATIONS CENTER
The JSOC brings together stakeholders both physically and virtually, to drive a more whole-of-state approach.
State analysts joined NYC Cyber Command on-site, sharing space in a Brooklyn-based command center, while other partners connect virtually, such as those in critical infrastructure, critical businesses and federal government. The JSOC helps stakeholders form relationships before an incident happens as well as formalize and deepen existing partnerships, NYC’s Moan said.
“The Joint Security Operations Center base in Brooklyn allows for that ability to commingle and, in times of need, also bring all our stakeholders together and an even larger format,” Moan said.
Collaborations can include, for example, running joint simulations and exercises as well as sharing playbooks and insights about threat actors’ tactics or relaying warnings about emerging threats, Moan said.
OTHER OFFERINGS, FUTURE PLANS
The state has provided other supports as well, with Marchi saying his county was the first to participate in a tabletop exercise with the state Division of Homeland Security and Emergency Services. County senior leadership and departments engaged in a four-hour exercise with the state agency.
As initiatives ramp up, Rochester’s Boudreaux hopes to see the JSOC ultimately expand to provide a more comprehensive suite of SOC services, including ones related to threat hunting and risk management. Until then, the city is looking to contract with a third-party managed SOC to supplement the JSOC’s current offerings.
“I would hope that, eventually, the Joint Security Operations Center will be able to offer most of the tools and benefits of a managed security operations center, which is what we just went out for bid on,” Boudreaux said. “… My hope is that a Joint Security Operations Center would get us 70 percent or even 80 percent closer, enabling us to just fill in a couple of gaps to get the level of security we need.”
Looking ahead, Ahern said the state is particularly interested in working with federal partners to provide local government with attack surface management. Such a service aims to advise counties and cities about vulnerabilities to prioritize.
