The State of Arizona Enterprise Security team undertook a proof of concept to increase the automation and reporting capabilities of its risk assessment and threat intelligence process. The goal is to analyze large amounts of data using Elastic to produce more accurate risk assessments across prevention, detection and response capabilities, and to accurately model the cybersecurity threats the state faces. This enables the State of Arizona to validate its security posture, stay agile to continuously improve and respond to evolving cyber threats, and improve the cost effectiveness of its security tools.
4. THE STATE OF ARIZONA AT A GLANCE
10+ regulatory frameworks
45,000+ State Employees
90+ State Agencies
Here we have the State of Arizona at a glance. Because Arizona is a federated environment, we have numerous tools, machines, and domains that we need to be able to secure, while pulling data from many different environments and normalizing it at scale. Various State agencies have to comply with most regulatory compliance bodies that exist, such as HIPAA, PCI, PUB 1075, CJIS, etc.
5. Understanding our risks
At the State of Arizona we needed to be able to evaluate our security posture and validate we were making good security choices while staying true to our mission, objectives, and obligations, which include:
● Improve Statewide Security
● Improve Cost Effectiveness of Security Tools
● Consolidate Vendors
● Increase Statewide Accountability
● Enhance Public Safety
● Foster Innovation
● Leverage Partnerships
https://espac.az.gov/
6. The Budget Cycle
Which Tools Provide a Good Value?
Because our budget is set 1-2 years in advance, we need to understand how to plan for future threats and which tools are providing a good value.
● Budgets must be made over a year in advance
● Any changes need to be done a full fiscal year ahead
● We need to have a toolset which allows us to be able to mitigate the known and unknown threats
7. TOOL EFFECTIVENESS
How do you plan for threats years in advance?
Being able to effectively plan for security threats years in advance means you must be able to effectively adapt to your new threat landscape:
● Covid-19
● Supply Chain Compromise
● Ransomware
● Zero Day Exploits
8. RISK ANALYSIS
Typical Problem with Risk Analysis
One of the biggest issues with risk assessments is typically how subjective the assessment is:
● How likely is a threat?
● How effective are safeguards?
● How many machines are actually at risk?
9. RISK ANALYSIS
What is the rigor put in to evaluate our risks?
To combat this we are using larger data sets. More data points should leave less room for subjective interpretation and provide more objective results:
● Attack Path Modeling
● System Configurations
● Tools installed
● Policies applied within the tools
10. Elastic Overview
Flow Overview
1. Data sources: data is brought into Elastic and shipped to the cloud, being normalized through the ingest pipelines with ECS.
2. All of the different data sources are brought into a single place where the data is mapped accordingly.
3. Alerts and machine learning jobs are run to help reduce “noise” and prioritize security issues and risk.
4. Data is visualized and aggregated into dashboards and reports.
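The normalization step above is where data from many different environments becomes queryable as one data set. The following is an added example, not code from the State of Arizona or from Elastic: two constructed event records with vendor-specific field names (the field names are hypothetical) are mapped onto ECS field names so that a single rule, such as "everything a safeguard blocked", works across both sources.

```python
"""Added example (not the State of Arizona's or Elastic's code): normalize two
constructed, differently shaped event records into a common ECS-style
document so that one query or alert rule works across both sources.
The vendor field names below are hypothetical."""
from collections import Counter
from datetime import datetime, timezone
from typing import Any

# Constructed sample records: the same kind of event as two vendors might emit it.
FIREWALL_RECORD = {  # hypothetical firewall export
    "ts": "2024-03-01T12:00:00Z",
    "src_ip": "10.1.2.3",
    "dst_ip": "203.0.113.10",
    "dst_port": 445,
    "action": "deny",
    "fw_host": "fw-edge-01",
}
EDR_RECORD = {  # hypothetical endpoint agent export
    "EventTime": 1709294400,  # epoch seconds
    "ComputerName": "WS-ACCT-042",
    "UserName": "jdoe",
    "ProcessName": "powershell.exe",
    "Verdict": "blocked",
}

# Per-source field maps: vendor field -> ECS field name.
FIELD_MAPS = {
    "firewall": {
        "src_ip": "source.ip",
        "dst_ip": "destination.ip",
        "dst_port": "destination.port",
        "action": "event.action",
        "fw_host": "observer.hostname",
    },
    "edr": {
        "ComputerName": "host.name",
        "UserName": "user.name",
        "ProcessName": "process.name",
        "Verdict": "event.action",
    },
}
TIMESTAMP_FIELDS = {"firewall": "ts", "edr": "EventTime"}
CATEGORY = {"firewall": "network", "edr": "process"}  # ECS event.category
# Vendors spell the outcome differently; ECS event.type gives one vocabulary.
EVENT_TYPE = {"deny": "denied", "blocked": "denied", "allow": "allowed"}


def _to_iso_utc(value: Any) -> str:
    """Render either epoch seconds or an ISO 8601 string as ISO 8601 UTC."""
    if isinstance(value, (int, float)):
        dt = datetime.fromtimestamp(value, tz=timezone.utc)
    else:
        dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize(source: str, record: dict[str, Any]) -> dict[str, Any]:
    """Map one vendor record to a flat ECS-style document (dotted field names).
    Unmapped vendor fields are kept under a source-specific prefix rather than
    dropped, so normalization never loses information."""
    fmap = FIELD_MAPS[source]
    ts_field = TIMESTAMP_FIELDS[source]
    doc: dict[str, Any] = {
        "@timestamp": _to_iso_utc(record[ts_field]),
        "event.category": CATEGORY[source],
        "event.dataset": f"{source}.events",
    }
    for vendor_field, value in record.items():
        if vendor_field == ts_field:
            continue
        ecs_field = fmap.get(vendor_field)
        if ecs_field is None:
            doc[f"{source}.raw.{vendor_field}"] = value
        else:
            doc[ecs_field] = value
    action = doc.get("event.action")
    if action in EVENT_TYPE:
        doc["event.type"] = EVENT_TYPE[action]
    return doc


def denied_events(docs: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """One query that works across every source once data is normalized:
    everything a safeguard actually blocked."""
    return [d for d in docs if d.get("event.type") == "denied"]


def denied_by_category(docs: list[dict[str, Any]]) -> dict[str, int]:
    """Aggregate blocked events per ECS category, as a dashboard panel would."""
    return dict(Counter(d["event.category"] for d in denied_events(docs)))


if __name__ == "__main__":
    events = [normalize("firewall", FIREWALL_RECORD), normalize("edr", EDR_RECORD)]
    for e in events:
        print(e)
    print(denied_by_category(events))
```

Keeping unmapped fields under a `<source>.raw.` prefix is the design choice worth noting: a field map that silently drops what it does not recognise hides exactly the data you need when a new tool or log version shows up.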
11. TOOL EFFECTIVENESS
Mapping the Data
Large volumes of data are used, from hundreds of thousands of data points, to generate accurate mapping indexes:
1. Threats are mapped to the MITRE ATT&CK model
2. Tactics and Techniques are mapped to the Controls
3. Controls are mapped to the Tools/Safeguards
4. Safeguards are mapped to devices
5. Devices are mapped with configuration information
12. THREAT INTELLIGENCE
Operationalizing threat intelligence
After mapping the Safeguards to the ATT&CK Model, we can now look at the data to determine the security value of the Controls. We started by looking at different data sources to find the top attacks, or most frequently occurring, that the state should defend against. Then, we leveraged the ATT&CK Model by creating attack patterns which allowed us to determine the effectiveness of the Safeguards to defend against top attack types.
● Understanding what systems can be impacted
● Can the systems actually be exploited?
● What threats can we detect, prevent, or respond to?
13. Operationalizing Risk
Operationalizing Risk Results
Now that we understand where our risk lies we can operationalize this data:
● Which risks can be further mitigated automatically
○ This is where Security Orchestration and Automation can be used to automatically reduce these risks
● We can identify new and emerging threats and understand what risks they will pose at the device level automatically
● We are able to accurately gauge the effectiveness of our security tools to stop threats
14. Reducing Costs
Understanding the Value
We now have a full view of the effectiveness of the tools we have deployed. We can now calculate the utility to cost ratio of our tools:
● We can now see which tools reduce what risks and how effectively they do it
● We can identify tools that are costing more but are not actually effectively mitigating threats and reducing risk
● We now have valid evidence for justifying the budget of some tools while looking for other solutions to more effectively reduce risk
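The following added example ties together the mapping chain from slide 11 (threat, ATT&CK technique, control, tool/safeguard, device, configuration), the attack-pattern evaluation from slide 12, and the utility-to-cost ratio from slide 14. It is not the State of Arizona's own code or data: the control identifiers, tool names, annual costs, device inventory, device configurations and observed technique frequencies are all constructed for illustration; only the ATT&CK technique IDs are real. It shows how a safeguard that is installed but left in monitor mode, or disabled, contributes nothing to coverage or to the tool's utility score.

```python
"""Added example (not the State of Arizona's own code): the slide-11 mapping
chain built as a small in-memory model, then used to evaluate attack patterns
per device (slide 12) and to compute a utility-to-cost ratio per tool (slide 14).
All identifiers, costs, devices and frequencies are constructed; only the
ATT&CK technique IDs are real."""
from collections import Counter

# 1. Threats -> ATT&CK techniques, with how often each was seen in the threat feeds (constructed).
TECHNIQUE_FREQUENCY = Counter({"T1566": 120, "T1059.001": 80, "T1486": 40, "T1190": 25})

# 2. Techniques -> controls (hypothetical control identifiers).
TECHNIQUE_TO_CONTROLS = {
    "T1566": {"CTRL-MAIL-FILTER", "CTRL-AWARENESS"},
    "T1059.001": {"CTRL-SCRIPT-BLOCK"},
    "T1486": {"CTRL-EDR-RANSOM", "CTRL-BACKUP"},
    "T1190": {"CTRL-PATCH", "CTRL-WAF"},
}

# 3. Controls -> tools/safeguards (hypothetical tool names) and annual cost (constructed).
# CTRL-AWARENESS and CTRL-BACKUP have no tool in this model, so they add no coverage.
CONTROL_TO_TOOLS = {
    "CTRL-MAIL-FILTER": {"MailGateway"},
    "CTRL-SCRIPT-BLOCK": {"EndpointAgent"},
    "CTRL-EDR-RANSOM": {"EndpointAgent"},
    "CTRL-PATCH": {"PatchManager"},
    "CTRL-WAF": {"WebAppFirewall"},
}
TOOL_COST = {"MailGateway": 50_000, "EndpointAgent": 120_000,
             "PatchManager": 30_000, "WebAppFirewall": 90_000}

# 4/5. Tools -> devices, with the configuration actually applied on each device (constructed).
# A safeguard only counts if it is installed, enabled AND its policy is set to block.
DEVICE_CONFIG = {
    "ws-001": {"EndpointAgent": {"enabled": True, "policy": "block"},
               "MailGateway": {"enabled": True, "policy": "block"}},
    "ws-002": {"EndpointAgent": {"enabled": True, "policy": "block"},
               "MailGateway": {"enabled": True, "policy": "monitor"}},
    "web-01": {"WebAppFirewall": {"enabled": False, "policy": "block"},
               "PatchManager": {"enabled": True, "policy": "block"}},
    "legacy-01": {},
}
DEVICE_ROLE = {"ws-001": "workstation", "ws-002": "workstation",
               "web-01": "web_server", "legacy-01": "workstation"}

# Attack patterns for the top attack types: ordered technique chains and the
# device roles they can impact (constructed).
ATTACK_PATTERNS = {
    "ransomware_via_phishing": {"steps": ["T1566", "T1059.001", "T1486"], "targets": {"workstation"}},
    "web_exploit": {"steps": ["T1190"], "targets": {"web_server"}},
}


def effective_tools(device: str) -> set[str]:
    """Safeguards on a device that are actually in a blocking configuration."""
    return {t for t, c in DEVICE_CONFIG[device].items() if c["enabled"] and c["policy"] == "block"}


def tools_covering(technique: str) -> set[str]:
    """Walk technique -> controls -> tools."""
    controls = TECHNIQUE_TO_CONTROLS.get(technique, set())
    return set().union(*(CONTROL_TO_TOOLS.get(c, set()) for c in controls))


def device_covers(device: str, technique: str) -> bool:
    return bool(effective_tools(device) & tools_covering(technique))


def pattern_blocked(device: str, pattern: str):
    """A chain is stopped at the first covered step; return that step, or None if
    the device is exposed to the whole chain."""
    for tech in ATTACK_PATTERNS[pattern]["steps"]:
        if device_covers(device, tech):
            return tech
    return None


def exposed_devices(pattern: str) -> list[str]:
    """Devices of a role the pattern can impact that no safeguard stops."""
    targets = ATTACK_PATTERNS[pattern]["targets"]
    return sorted(d for d in DEVICE_CONFIG
                  if DEVICE_ROLE[d] in targets and pattern_blocked(d, pattern) is None)


def tool_utility_to_cost() -> dict[str, float]:
    """Utility = observed-frequency-weighted (device, technique) pairs a tool
    effectively covers; the ratio is utility per $1,000 of annual cost."""
    utility: Counter = Counter()
    for device in DEVICE_CONFIG:
        for tool in effective_tools(device):
            for tech, freq in TECHNIQUE_FREQUENCY.items():
                if tool in tools_covering(tech):
                    utility[tool] += freq
    return {tool: round(utility[tool] / (cost / 1000), 2) for tool, cost in TOOL_COST.items()}


if __name__ == "__main__":
    for name in ATTACK_PATTERNS:
        print(name, "exposed:", exposed_devices(name))
    print("utility per $1k:", tool_utility_to_cost())
```

In the constructed data the web application firewall has the second highest cost and a utility of zero because it is disabled on the only web server, which is the kind of finding slide 14 describes: the tool is being paid for but not mitigating anything until its configuration is fixed.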
15. Going Forward
Constantly adapting
We continue to change which data we give value to and identify trends
● Identifying which threat data sources are providing threats we actually see
● How long does it take us to identify threats and risks and how long to action on them?
● Adjusting our implementations to reduce costs and provide better accountability to the citizens of Arizona
Expanding information sharing network
The State of Arizona continues to expand the Arizona Cybersecurity Information Program (ACIP):
● Sharing our threat intelligence in real time at machine speeds
● Enriching and validating our threat information
● If you are interested in becoming a sharing partner, please feel free to reach out: ACIP@AZDPS.GOV
16. Thank You
Please feel free to email us with questions or for more information
Adam.Pena@azdoa.gov
Blaine.Stubstad@azdoa.gov