Anomali Threat Day: Building OK-ISAC - Cyber Threat Intelligence Sharing with the State of Oklahoma, Presented by the State of Oklahoma

After you have watched this Webinar, please feel free to contact us with any questions you may have at general@anomali.com.
Transcript
- All right, guys. It is my pleasure to introduce you to Chance Grubb, Senior Officer over at the State of Oklahoma Cyber Command team. He is going to talk to us today about the state of Oklahoma's OK-ISAC program, and I'm really excited here. So, Chance, if you would, go ahead and tell us a little bit about yourself, and where you are coming from, and maybe a little bit about the Cyber Command team.
- Yeah, so just a quick mic check and make sure my slides are displaying.
- You are good. You're good.
- Yeah. So thanks to Anomali for bringing me on today. Also, it's great hearing from other speakers, very informative session. And thanks to everybody in attendance. So-- yes, my name is Chance Grubb. I'm the Senior Staff Officer for Oklahoma Cyber Command. Oklahoma Cyber Command, we are the cybersecurity unit for the state of Oklahoma. I've been in this role for approximately two years. When it comes to working in state civil service, I have about 17 years' experience in that, in higher ed-- majority higher ed-- and now with Cyber Command. And so, with that said, I'll go ahead and get started.
So with all of our presentations, being a true cybersecurity person, we have a TLP, traffic light protocol. TLP WHITE, feel free to post it in any publicly available forums. TLP GREEN, just a little bit more restriction on where you share in the community. We will not get into any sensitive information. So TLP AMBER and RED do not apply to this.
And so I kind of give-- I'll start with the high-level overview of what Oklahoma Cyber Command is. And then we'll kind of dive into how that led to the genesis of the OK-ISAC. When our CISO Matt Singleton was approached about taking a position in July 2019, he was handed down four major objectives from our state leadership.
And so the first one is-- obviously being cybersecurity-- protect Oklahoma's information assets and maximize access to data. Looking at that bullet point, it might sound a little counterintuitive that you have to maximize the access but also secure it. And so that's one approach that we've really taken. And that's led to the development of that second bullet point, develop robust and collaborative risk reduction/management strategies.
So cybersecurity-- kind of boil it down-- it's risk management. It's looking at your risk, seeing how to mitigate it, and effectively approach it with, basically, enterprise approach in mind. And so that leads to the third, advance a statewide approach to cybersecurity, privacy, and compliance.
As part of Matt Singleton taking the position in July 2019, he was tasked with standing up a statewide approach to privacy, so protect the data of our citizens. That's one of our greatest assets. So the privacy of that data is very important to our citizens. And so we are looking at establishing a privacy approach across the state of Oklahoma, very similar to things we've seen like with GDPR and CCPA.
And then the second part is, being a state government, there are a lot of regulations that we have to adhere to, whether it's CJIS, IRS 1075, Social Security, HIPAA. And so it's looking at all those regulations, and seeing how we can apply an enterprise approach to all of those regulations, and making sure we have a standardized approach.
And so the last one-- last but not least-- is foster a cybersecurity/risk-minded culture throughout Oklahoma's workforce. As you might have guessed, that was the genesis for the OK-ISAC. We look at our state employees-- they're our greatest resource, not only when it comes to achieving the mission of the state of Oklahoma but also protecting the State. They're our front line. And by educating them, you equip them with the tools that will lead to us being successful in defending our system assets and data.
But also we wanted to expand it out more that being a state government, we had more to offer to the state of Oklahoma, not only its citizens but other organizations that are based in here. And so that's kind of where we'll get into further down in these slides of what the OK-ISAC is geared to do.
So, as everybody can see over my shoulder, Oklahoma-- we are very passionate about football around here. So the way we decided to break down the Oklahoma Cyber Command team is, we're going with the football mentality. We have special teams, defense, and offense. On special teams, we have compliance and privacy, which I just previously alluded to.
On defense, we have two sets of teams in there. We have engineers. So that is our group that is really designed with defense in depth and system hardening. So they are ingrained with a lot of projects with our agencies that are rolling out solutions that benefit the citizens of Oklahoma. So making sure that they're secure, that there's no vulnerability-- exploits-- that could be taken advantage of and, really, it's defense in depth.
On the second part of the defense is our defense operations. They are the technicians that support the engineers. So a lot of our tool sets, they are the service owners for those. They work to more of a customer service, or customer-centric, function in that, if somebody has issues with our secure mail gateway or our proxy, they dive in there. They get the state employee back up and running so we can provide services to the citizens of Oklahoma.
And then on the offensive side of the ball, we have OK-ISAC. That's my area-- Oklahoma information sharing. We'll dive into what that really looks like, and what that's all about here in a little bit. And then we have hunt and incident response. That's our IR team, and then also our threat hunters. The threat hunters, they're going out looking for the bad guys, looking for vulnerabilities in our system, and proactively finding ways to fix them before they become an issue for the state.
And then, last but not least, cyber operations. That's our SOC team. So SOC team, they handle provisioning to all the state systems across the enterprise. And they also do our incidents and investigation [INAUDIBLE] forensics. So a lot of what they do generates some of the CTI that we will talk about later in the slides. And to really put a visual on it, they are the cog that makes the OK-ISAC machine-- makes the wheels turn.
So as Meghan and Cody alluded to earlier, so here's some of the threats. I look at this as a David Letterman's top 10 list, except for you don't get any chuckles at this. This is-- for a lot of CISOs and a lot of state governments-- this is what keeps you up at night. It's what you think about. That's what puts the bags under your eyes. And so I'll just touch on a few of these. These are in no particular order or severity to us.
So the first one is phishing and smishing. As we all know, it's one of the cheapest and easiest ways to try to compromise an organization. It kind of relates back to our state employees, that they're the front line. They're often the targets of these. And it's a very cheap way for malicious actors to try to compromise you.
Number three is kind of like Meghan alluded to-- insider threats. So full disclosure, Anomali is one of our great partners, so is Flashpoint. So we do partake in those services of monitoring the dark web to see if we do have insider threats. And it's also a program that we are rapidly improving. Because insider threats-- it doesn't matter what industry you're in, they are a risk that we all have to deal with.
The fourth one is supply chain. Going all the way back to the Target breach, where the HVAC supplier led to that breach, and then some of the more recent ones like with SolarWinds. Supply chain security has become an increasing focal point for Oklahoma Cyber Command. We are continuously updating our efforts in third-party risk management. Because when we engage in a business relationship with these suppliers, we inherit the risk that comes with them. So we are working to identify that risk and properly mitigate it.
And then also another one that [? Meghan ?] graciously touched on is number nine, physical security. We're seeing a lot more where the cyber world and the physical world are starting to combine. Because if your operations or your facilities are compromised, that can lead to things that are detrimental to your organization.
So to address those risks that I just previously pointed out, that's where the OK-ISAC came in. And obviously, with the first bullet point-- let's find a way to reduce the risk of cyber threat to the state of Oklahoma. And so by doing that, we want to look at basically centralizing our resources, whether it's through contracts, or consortiums, or programs like the OK-ISAC, to see if we can take a cybersecurity mentality and instill it in all the organizations across Oklahoma.
And the motto I like to say, is high tide raises all boats. We really drive home the point that cybersecurity now is a team sport. The bad guys are working together. There's no reason that the good guys shouldn't work together, whether that's state to state cooperation, public to private, state to federal. That's something we're really stepping back and exploring all the levels and how we can develop those relationships, like Cody and I developed when we talked.
I mean, I have no concept of time now. But several months back, we're seeing what they were doing, the same thing we've done with Texas, Arkansas, Colorado, and Oklahoma. It's a program that we're really trying to shape up. We plan on calling Operation Taco, and it'll be kind of a multi-state, regional sharing. And so heard has started this probably several times, but we want to hold it on Tuesdays, call it Taco Tuesday. Each state comes on. We kind of provide a briefing on different types of attacks we're seeing, [? even though ?] all with the goal of education enrichment in mind.
And so, last but not least, it's kind of just an expansion on that. Let's just keep-- let's develop the ecosystem. There's conversations to be had. It's all about that two-way conversation and removing the silos that have historically been present in cybersecurity. And I understand it. Because cybersecurity people, you're usually hesitant, a little bit-- you're risk-averse. But having those conversations can lead to something great.
So with OK-ISAC-- so that's our capability. We have an online repository that shares threat intelligence with our members. So we've deployed Anomali ThreatStream. That is our TIP, or threat intel platform, that we use, and we onboard our OK-ISAC members into it to give them a secure way to share cyber threat intelligence with us, but also to share what we're seeing in our environment out to those members.
And the other part is that COVID's kind of put a damper on these. But we're really starting to ramp these up-- participation in conference workshops and tabletop exercises. Just last week, we had the first ever OK-ISAC symposium. We brought in some of our suppliers that are helping us secure the state of Oklahoma. And we educated the audience on what they're doing alongside us all in the efforts to secure the state of Oklahoma. It was a great conference. It was very beneficial, not only for us to keep developing those relationships but also for the attendees. And we look to have the second annual one as part of National Cybersecurity Awareness Month in late October.
And then the other one is-- higher education is near and dear to my heart. As we all know, there is a workforce shortage for cybersecurity professionals. So we have started partnering with some of the schools in the state of Oklahoma to see how we can have those conversations to develop curriculum for those students to get them ready to join the workforce and get that experience they need to become a cybersecurity professional.
And then we also-- the public-private, that's another focus of [INAUDIBLE]. And that's kind of the example-- going back to OK-ISAC symposium-- is that we are working with industry partners, see who's leading edge in cybersecurity, finding the ways that we can partner with them and mature our cybersecurity program, and also help the state of Oklahoma.
And then the last bullet point, it's about education. Let's get that awareness out. A lot of organizations do SEAT. Let's go beyond SEAT, or security employee awareness training. Let's go beyond what SEAT provides. Let's really make cybersecurity the forefront when we're starting talking about enterprise and not just a checkbox that you have to do for your organization.
So a shout-out to Austin. I've taken his little fancy graph here and used it for my own purposes. So to kind of look at what we do with OK-ISAC and the sharing of [? our ?] CTI. These are identifying the four sources that we have when it comes to the CTI. So you have your OSINT, or open-source intelligence. We have premium feeds. So, as I previously mentioned, Flashpoint is one of the premium feeds that we put into our TIP.
We have investigations that are conducted by our Cyber Command Operations. So all of that is curated and disseminated down. And then we also have our connections at the federal level, whether it be with the Department of Homeland Security, MS-ISAC, or CISA.
And so, as stated, all that feeds down into our Anomali ThreatStream instance with Oklahoma Cyber Command. And as we onboard members, they're given access to the ISAC portal, where then their analysts, their threat hunters, their incident response team, or any of their SOC, they can actually take some of the CTI or the IOCs that they're getting and put them into the portal to initiate true two-way sharing.
Because that's-- like I said, main part of it is collaboration. Yes, we can disseminate down all day. But there are some attacks that might be unique to some of the industries that we have in OK-ISAC that would therefore provide more of a 360 benefit to our members.
And so that's kind of where we go into as-- that's one thing we offer is a STIX/TAXII feed to our members. And as members are onboarded, we work with Anomali. We conduct workshops to show these organizations how they can integrate this into their environment, whether it be their SIEM, their firewalls, or their security tools, just so we get that more proactive approach for defense of their organization.
And they also can benefit from the-- [INAUDIBLE] being the state government, we have a very large presence in the state. So due to that, we experience a different variety of attacks and complexity and frequency of attacks that we can help those organizations that may not experience that-- we can proactively protect them.
And so that's one thing how the genesis of the Cyber Command came around. Just like Cody said, COVID was kind of one of those things that really hampered our ability to get out, knock on doors, have that conversation. So one thing that we did is we leveraged our existing relationships. And so it wouldn't be an IT presentation without a Venn diagram. So we've got this displayed here.
So as you see, we've kind of tried to break up our existing relationships into five different groups. So we work closely with law enforcement. We've had situations where we've provided information that helps them in their capabilities. Obviously, we're working with federal agencies, as they are one of the major sources that we get those IOCs and that technical information when it comes to protecting an organization.
Homeland Security-- we work with a lot of state agencies. There's approximately 130 agencies in the state of Oklahoma. We work with a lot of them, not only to secure their assets but to provide them with the information that they may need. And then affiliates-- the basic way to break that down-- it's anybody that receives tax revenue.
So this is where we're really focusing a lot of OK-ISAC efforts, particularly K-12. Because, in some situations, the football coach or the library, they might be the sysadmin. And they will not have a dedicated cybersecurity team. And so K-12 is also another one of those passions for me, along with higher ed-- getting them the resources, bringing them on, showing how we can help them.
Because, as we've seen in the news, K-12 is a very popular ransomware target, and it's unfortunate. So that's where we want to shift our focus, bring them in, have the conversations. And then also working with cities, and counties, and the tribes. Because they're an important part of this. They provide services to the citizens and their constituents.
And so this is a current look at the OK-ISAC. We currently have 133 members in this organization. We launched the OK-ISAC September 2020. So we just passed our one-year anniversary. A lot of this was possible due to the previous-- those partnerships I showed you.
So when we first rolled it out, we had 20 flagship members. We had a nice representation of health care, K-12, law enforcement. And we had the conversation with them, seeing what they wanted, what would help them, and had that conversation really centered around driving value and what OK-ISAC could be.
And the resounding thing that we saw is there was a gap when it came-- in Oklahoma-- there was a gap when it came to collaboration and, basically, the sharing of cyber threat intelligence. So we created the OK-ISAC to fill that void.
And so, as you see, that's kind of a conversation we've had a few times. ISAC-- it's not a novel-- it's a novel idea. They are MS-ISAC, [? collection ?] ISAC. So what we're doing is-- with an ISAC, a lot of people define that as specific to an industry. We've kind of taken a step back and didn't use ISAO in that we're making Oklahoma an industry here. Because we have several different industries present in the state, whether it be oil and gas, aviation.
And so that's where, as you can see, we've taken a cross-section of our membership to show that we've really focused in on city, and county, and K-12. And just recently, we've had an uptick in private-- Oklahoma-based organizations are coming to us, seeing what it can be and how they can be a part of this, not only to ingest the CTI, but to find ways to give back to the state of Oklahoma.
And that's one thing we have planned for 2022-- workshops, and bringing those resources, and those questions and expertise that they have, and being able to disseminate it across the state of Oklahoma. So that's the very high-level overview. So if anybody has-- if you would like to have a more extended conversation outside of this medium, there is some contact information for you.
And then, also, I'd be remiss to not mention one thing that we just rolled out last week, which is the Oklahoma Civilian Cyber Corps. Basically, the way to look at that is we are wanting to develop a group of volunteers that would be able to assist in the event of a cyber incident.
And as part of that, we will take this group of volunteers-- with permission from their employer, since it's probably about a 10-hour commitment a year-- to do training like NIMS-- so National Incident Management System-- give them that training. And then also put them into more rigorous training to give them the tool sets that they need to effectively respond to cyber incidents, all with the mentality that-- let's help the organizations that are the unfortunate victims of cyber attacks and see if we can get them back up and running.