What seemed inconceivable a few years ago – that a pandemic would test New York City’s cyber resilience as workers were forced home – has become a successful test of the strategic and operational plans that led to the creation of New York Cyber Command, NYC Secure and the Cyber Critical Services and Infrastructure program.
“One advantage we had was a green field and highest level support,” Colin Ahern, deputy chief information security officer at NYC Cyber Command, said at a webinar moderated by Global Cyber Alliance President and CEO Philip Reitinger.
Indeed, New York City's approach to security amid COVID-19 stands as a powerful case study for organizations across public and private sector, anchored in a posture that treated infrastructure as code and used a zero trust model that started with using FIDO keys to identify users.
“In the cloud we treated security as a software problem,” he said, pointing to a strategy that let computers and robots “do computer stuff and people do people stuff.”
The dual response is key when moving to the cloud, according to Quiessence Phillips, deputy CISO of the NYC Cyber Command. Organizations, she said, should “focus on building the right security structure” while incorporating automation and orchestration, which is “a huge part” of Cyber Command’s operation.
“Human resources are finite” but threats to the city and attacks continue to grow, she said. “We use automation and orchestration through threat management,” so that the security team can “move with speed.”
NYC Cyber Command, like the rest of New York and much of the country, got a notice from City Hall on March 12 to start transitioning employees to work from home . “That same day we moved 100-plus employees to remote work with no reconfiguration and no degradation in security,” said Ahern. “One hundred people picked up their laptops and left.”
Because it was prepared, Cyber Command was able to essentially “move from a centralized SOC to a managed, distributed environment, Phillips said. “We had to think about the attack surface growing, the sheer volume" of adversaries looking to take advantage of a new and lucrative opportunity, and “deal with new devices coming online” and the resultant uptick in activity from those devices.
Cyber Command had to expand visibility in excess of sevenfold to accommodate the whole of the city’s endpoint stack. “You can’t defend what you can’t see,” said Ahern, who explained the number of devices that needed securing increased by volume and type “by orders of magnitude.”
Having visibility and the data needed to safeguard assets was only a part of the equation, though. “Once you have everything you have, what do you do with it?” said Phillips. Cyber Command turned its focus to coordinating with every agency in the city so they’d know the tools at their disposal. The group also developed playbooks to support a quicker, more nimble response. “Not that we wouldn’t have a challenging time, but it would be very thought out,” she said.
The difference was like moving from a client-server environment to a publish and subscribe model, added Ahern.
Acknowledging that people are a difficult part of the security equation in the best of circumstances but particularly during the pandemic when they don’t have security support sitting right down the hall, Phillips said she thought a lot about resiliency as it related to the human element. “What do people need? How long can they operate at X level?” she said. “We were able to identify the gaps in our remote response.”
Instead of traveling to New York’s out boroughs to collect devices that may have been compromised, Cyber Command has in place the ability to collect data from them remotely to ensure a deeper, quicker response.
Phillips shied away from saying New York is completely resilient, but said in the quest to be the most resilient city in the world, “we’ve made a lot of progress.”
The next step for NYC Cyber Command? “Getting the whole city on board,” said Phillips. The challenge? “Changing culture,” said Ahern.
“We’d like New York to be the gold standard for a cyber resilient city,” said Geoff Brown, head of NYC Cyber Command.