States Might Want to Consider Advanced Analytics for Cybersecurity. Here’s Why.

As state governments confront increasingly sophisticated cyber-attacks and manage rapidly growing amounts of data, attention is shifting toward how they can use advanced analytics to detect hacking and other malicious activity on their computer networks.

“There’s just too much data to look at,” said Eric Sweden, program director for enterprise architecture and governance with the National Association of State Chief Information Officers. “So where do we bring in the analyst? Where do we bring in the human intervention?”

Advanced analytics, he said, provide a way for cybersecurity teams to vet and prioritize what they spend time on, shedding light on emerging or recurring threats. This can help state governments better decide where to direct limited staff and scarce budget dollars.

By collecting and processing a wide range of data from both inside and outside state IT networks, and feeding it into specialized software, it becomes possible to identify suspicious patterns of activity that it could take analysts much longer to find using less automated means—like reviewing log files that show the events taking place on computer systems.

In addition to data showing what’s happening on state computers, information that gets analyzed might include intelligence from law enforcement. For example, IP addresses—the strings of numbers that identify computers on the internet—that are affiliated with threats.

Providing a foundation for cyber analytics are statistical and predictive models, and ways of visualizing data, that are akin to those used to drive decision-making in some business sectors.

A key reason for using advanced analytics for cybersecurity is that it can help to detect cyberattacks and other risks to computer networks quickly, so that they can be contained and quashed before they blow up into major problems.

The consequences of overlooking a threat can be high. For instance, social security numbers and other personal information for upwards of one million people were compromised in a 2014 breach of state health records in Montana. And, in 2012, hackers stole millions of South Carolina taxpayer records, including thousands of credit and debit card numbers.

More recently, ransomware attacks, those that involve locking computer systems until a ransom is paid, have hit hospitals and other healthcare facilities, as noted in a March 31 U.S. Computer Emergency Readiness Team alert. In a January letter to the Senate Homeland Security and Governmental Affairs Committee, the Department of Homeland Security recognized 40 incidents associated with ransomware that had affected state, local, tribal and territorial governments.

On top of data breaches and ransomware, cybersecurity risks for states are legion: “hacktivists” seeking to crash websites, scammers trying to trick employees into divulging information, current or former workers looking to access or take data that should be off limits to them.

“We can't possibly hire enough people,” Sweden said.

Implementing a cyber analytics program can help states deal with the multitude of threats. But building one out takes more than throwing money at new software. It requires a re-thinking of the state’s overall approach to cybersecurity. Agencies might need to manage or share data in new ways. A state might need to forge fresh partnerships with other government entities, or private firms. “It’s bigger than just tools,” Sweden said. “It’s a whole strategy.”

Advanced analytics programs can also require hiring new staff members, such as data scientists, a tough proposition in places with tight budgets. Sweden said one future possibility could be to share these specialized employees across jurisdictions. “Data scientists are quite expensive and hard to acquire,” he noted. “Industry wants that talent as well.”

Pennsylvania began the transition toward using more advanced cybersecurity analytics in 2014.

The state’s Office for Information Technology now relies on platform called Splunk, which “ingests” and sifts through large amounts of information to help illuminate possible threats.

“You’ve got analysts now that don’t have to scour through days and days of logs,” the state’s chief information security officer, Erik Avakian, said last week. “They can actually let the technology do most of that work for them. So from a cost-savings perspective it’s really helped.”

Data streaming into the state’s analytics system comes from places like the firewalls protecting networks, antivirus tools, and computer programs used by agencies. The Keystone State’s analytics platform also incorporates intelligence data and feeds from sources such as the Federal Bureau of Investigation and private vendors like McAfee, FireEye and Fidelis.

Splunk features dashboards that display analyzed information in real-time.

“At the end of the day, the goal is to correlate, identify information from all those sources, to have one actionable alert that goes to the right person, to say: ‘here's what’s going on, investigate,” Avakian said. He added: “With analytics, it’s not so much about prevention, but detecting quick, detecting early enough, so that if something is going on on the network, or there’s an intrusion or whatever, it can be investigated quickly, eradicated quickly.”

NASCIO published a report on April 21 that makes a case that states should develop advanced cyber analytics capabilities. Among other calls to action, it recommends that state governments take steps to craft a strategic plan in this area, create a cyber analytics team, aggregate data in one place, and establish ways to share threat intelligence in real time.

Asked what tips he had for states looking to start or beef up their analytics programs, Avakian emphasized the importance of locking down a sound strategy. “What are you trying to do?” he said. “What are we trying to either prevent, detect, deter?”

It can also help, Avakian believes, to do a cost-benefit analysis to show policymakers the value of investing in analytics.

“After implementing a tool like this and a process like this,” he said, “you can then see immediate cost savings, because you’re then making really good effective use of your human resources because you’ve automated a lot of stuff that was not automated before.”