Solving a Years-Old Problem in Hours: State CISO Gains Security for Unmanaged Devices and ICSs

Twitter:@SecurityMonahan

Using network visibility and segmentation helps a government agency avoid potential security exposure

State governments are under constant attack from outside entities. These attacks come in the form of both direct and indirect assaults on operating systems, applications, authentication systems and users. Regardless of the attack method used, states must be ready to detect and effectively deal with incidents as early in their lifecycles as possible.

One state's team that supports 14 departments across 100+ locations estimated they had around 30,000 devices attached to their network at any given time. Recognizing the risk the state was exposed to with this volume of devices and a lack of visibility and control, the Chief Information Security Officer (CISO) conducted a compliance audit to identify how many devices were actually connected and their level of compliance with the state's documented device security policies. However, this initiative was thwarted before it got off the ground when the plan to leverage the platform with the state's current infrastructure vendor failed due to a lack of flexibility and solutions maturity. Thus, unable to use their existing infrastructure to gain an accurate inventory of connected devices and unable to determine the level of security policy compliance those devices attained, the CISO directed the security staff to find a solution to these problems.

The team was able to install ForeScout CounterACT^® within hours and collect a full report of connected devices and their level of policy compliance within days. Several surprises were brought to light during those first few days. First, they found that they were supporting over 30 percent more devices than originally expected, exceeding just over 40,000 devices with a hodgepodge of operating systems, configurations, patch levels and security policies. Second, they discovered numerous industrial control systems (ICSs) such as (Heating Ventilation and Air Conditioning), security and building automation systems to which they had previously been blind. These devices had embedded OSes (Operating Systems) with little embedded security and no vendor patches available. Third was the plethora of unmanaged personal devices that the department did not have control over, which were never intended to be managed and should not have been connected to start with.

The CISO did not want to end up in the news with a breach, so his initial thought was to implement a segmented security plan to deal with each of these categories of devices, and to deliver the level of services each needed. First, the authorized devices that could be patched had to be updated to meet security policy as they accessed the state's network. Second, the industrial devices had to be allowed to communicate with their vendor partners but had to be segregated so no other devices or networks could talk to them, thus avoiding becoming a news story similar to a major retailer that experienced a breach through its systems into its payment systems back in 2013. Third, the unmanaged and unauthorized devices had to have some controls placed around them. The CISO realized that while these devices had not been previously authorized, some of them belonged to influential people in the state government and were being used as business tools. In other words, the CISO could not flatly refuse to provide these devices with access to resources. So, he devised a plan in which certain devices did not have to be managed but did have to meet a level of security policy compliance to gain access to various resources within the state's network.

To learn more about the challenges the state faced and how its team enabled high levels of access while enforcing security policies using CounterACT, click here.