
Intrusion Detection: Analyzing Data Proves Valuable

Michigan Chief Information Officer Kenneth Theis doesn't see the main benefit of secure cloud computing as saving the state money.

"Everybody talks about cloud computing and about saving a ton of money," Theis said in an interview with GovInfoSecurity.com (transcript below). "I don't think it saves the amount of money that most people think it does."

But cloud computing can address a major complaint an IT organization hears from its customers: speed to deploy new applications. "The greatest advantage of cloud computing is the agility, our ability to meet their needs, put solutions in place in a timelier fashion that meets their needs."

Though the cloud provides that agility, Theis said the state has created a cloud computing framework aimed, in part, at ensuring providers furnish the security necessary to safeguard data and systems. "What we have with our cloud computing framework is actually a formal document so when we go to cloud, we're going to the cloud consistently," Theis said. "We're asking those providers to meet our requirements, not the other way around."

In the interview, the second of two parts, Theis also addressed Michigan's deployment of Einstein 2. Michigan is the first state to implement the federal Department of Homeland Security's intrusion detection system. "What Einstein has taught us is that even if you think you're good, there are always opportunities to get a lot better, and I think Einstein has taken us up a couple of notches because it's really providing us with a vision into a whole other level of threats that current processes in our current systems aren't capable," Theis said.

In Part 1 of the interview, Theis addressed the creation of a new state data center that will host cloud computing applications for not only state agencies but other governments and businesses in Michigan.

ERIC CHABROW: We'll discuss Michigan's approach to cloud computing in a moment. But first, please speak about Michigan's deployment of Einstein, the federal government's intrusion detection system.

KEN THEIS: We feel very honored. We are the first state in the country to work with the Department of Homeland Security in not only piloting the Einstein product, but actually moving forward into production. So earlier this year, in the January time frame, we went into production with the Einstein program. Obviously, as you know, Einstein is used throughout the entire federal government to really monitor and analyze ... threats throughout the federal network. We feel honored because we are the first state in the country where they have expanded that network to include a state. So we've had the benefit of that program since January of this year.

CHABROW: This will be Einstein 2 intrusion detection?

THEIS: Einstein 2, that's correct.

CHABROW: Tell me what you've found so far.

THEIS: The analytics that the Department of Homeland Security has been able to provide to us have been tremendous. To give you an idea of what we see in Michigan on a daily basis, I'll throw some stats out there to give you an idea of what comes through our networks every single day.

On a daily basis, we block 195,000 e-mail and spam messages. We block over 25,000 web defacement attempts. We block about 12,000 scanning attempts, about 18,000 Internet browser compromise attempts, and we see about 17,000 IPS blocks.

What this has really done is highlighted a number of those e-mails or web attempts, defacement attempts or scanning attempts. We obviously have some great systems in Michigan, but this is really providing us state-of-the-art technology, and not only technology but analytics, to be able to find those things that maybe our current systems and current processes haven't been able to find.

CHABROW: You have these numbers; can you give me an example to what you do with these numbers to tighten up security?

THEIS: The bottom line is we look at these numbers on a monthly basis, obviously, to try to analyze the numbers and figure out what these numbers mean to us. We're looking for classifications of threats that maybe we haven't seen before, and we're trying to get in front of them. Obviously, when you take a look at these numbers, they are typically all after the fact. The big issue around security is predictive analysis, right? Predicting, based on these numbers, what type of threats we've seen and how we get in front of them. The big issue for us is looking at the trends in these numbers.

CHABROW: Anything about these numbers that surprised you?

THEIS: No. The overall thing that I think Einstein has taught us, to be very frank with you: I think we believe we are one of the best in the country as it relates to our intense security program. I think what Einstein has taught us is that even if you think you're good, there are always opportunities to get a lot better, and I think Einstein has just taken us up a couple of notches because it is really providing us vision into a whole other level of threats that our current processes and our current systems aren't capable of.

And with that, what we try to do is not only understand that, but we're trying to understand how we can continue to enhance the technology tools and the solutions and some of our predictive analytic toolsets to be able to close that gap, to get us to where we're operating at a higher level on a daily basis. Because, as you know, the threats don't go away, the bad guys just get smarter, and we have to continue to up our game like they are upping their game.

CHABROW: Can you provide me an example or two of changes in processes or deployment of resources or employees that you've made since getting this data and analyzing the data from Einstein?

THEIS: Probably not a very specific one, but I can tell you that the things that we're finding with Einstein just are not things that we're finding with our current tool sets. Unfortunately, I'm not close enough to it to give you a specific example, but the bottom line is today we're finding things because of that Einstein toolset and, more importantly, because of the analytics that the Department of Homeland Security does. Things that we're not seeing here, but that, through their technology, we're starting to see as some of those trends come into our organization. So it's not only trying to see what is going on in our networks and getting a better glimpse of what is happening, but it is also understanding from DHS what's happening throughout the country, what they're seeing, and making sure our tools, our processes and our people are in front of those challenges before they get here.

CHABROW: Anything else you would like to add?

THEIS: A lot of people talk about cloud computing as a way to save money, and I would tell you that is true. But for Michigan, it really isn't our key driver. For Michigan, it's about agility. It's about meeting our customer demands quicker and faster.

A great example I'll talk to you about is, you know, we recently worked with our Civil Service Commission, looking at a human resource recruitment tool: how do we recruit new employees? Our teams looked at that and said, 'You know, yeah, we could do that project, and it would probably be $4 million to $5 million, and we could probably do it over a two- to three-year time frame.' And we looked at that. But then we also looked at the cloud and saw that there was a provider out there. Today that system is in place. We identified that system, we secured it, and we implemented it in a third less time and probably a third less money than we would have if we had built it in house.

Yes, we saved a little bit of money, but the real issue is, rather than taking three years to deliver our solution for our key customer, the Civil Service Commission, it literally took us six to eight months to implement that solution. Our big thing here in Michigan is about agility, using the cloud to get solutions to our clients faster, and our Michigan government cloud computing framework says we're going to do this in a way that is consistent throughout our entire state government. We're dealing with the cloud computing technology providers in a consistent and stable way.

We're doing cloud computing efficiently, but we're also doing it in a way that's going to allow it to be a stable and secure environment. And, Eric, the reason why I bring that up is everybody talks about cloud computing and about saving a ton of money. I'm going to say it does save some money. It doesn't, I don't think, save the amount of money that most people think it does. But the real issue, what most people don't want to talk about, is that information technology organizations, as seen by most of their customers, seem to be slow in meeting their needs. That is the greatest advantage of cloud computing: the agility, our ability to meet their needs, to put solutions in place much quicker, in a timelier fashion that meets their needs versus a two- to three-year time frame.

CHABROW: And how would you rate the security of these kinds of services that you've been building?

THEIS: Well, I think the bottom line is that that is the real issue. I mean, cloud computing providers all have a completely different set of requirements in those five key areas that we talked about. They all define those things that we talked about earlier differently. They all define ownership and security and some of the legal issues, and location issues and SLAs (service-level agreements). They all define those in their own very unique way. What we have with our cloud computing framework is actually a formal document so when we go to cloud, we're going to the cloud consistently. We're asking those providers to meet our requirements, not the other way around.

CHABROW: These criteria that you're establishing, these five areas, how are you working with other states so there is a certain conformity, whether it's through NASCIO, the National Association of State CIOs, or some other kind of organization?

THEIS: It's a great question, because at the end of the day, all the states operate the same way. The Michigan cloud computing framework could correlate throughout the country. It's a great question, and it's one that NASCIO is collaborating on in making sure that there is some level of standardization.

As it relates to our specific cloud computing framework, we just published that, and we have had a number of states that have asked us for it. But one of the key things that NASCIO is going to be doing as we move forward is working with a couple of other documents that other states have done, in coming up with a standard that is out there that states can decide whether or not they want to leverage. NASCIO typically provides advice, but it does not typically come out with an overall standard. So we're looking to leverage that. There are some other components to put a framework together so there is a baseline for when states do want to look at the cloud, for how they do it in a consistent and stable manner.
