The first step in ensuring cybersecurity: Understanding what's normal

The toll continues to rise in the aftermath of a ransomware attack on Atlanta’s computer systems. Since March, the city has asked for nearly $15 million to restore its corrupted systems. More than a third of the programs it uses were thrown offline or at least partially disabled. Years of police dashcam footage simply vanished, leaving experts to wonder if the data breach will jeopardize some criminal cases.

As cities become more digital, it’s absolutely critical that you address the security of your systems. Where do you start? SAS, a Council Global Lead Partner suggests something that may not make sense at first: Knowing what a normal state looks like. When a breach occurs, a rapid response is essential, but that requires early detection. The advice below can give you a significant edge. — Kevin Ebi


By Henrik Kiertzner, SAS

Cities around the world are increasing their digital initiatives. Some are using technology to upgrade existing services and reduce delivery costs. Others are launching new services to increase competitiveness, citizen convenience or public safety. As their digital footprints grow, so does the underlying IT infrastructure. Where once the municipal network was relatively static, it’s now ever-changing.

Driven by cloud computing, the Internet of Things (IoT) and more, this new age of connectivity and network openness makes securing municipal networks more challenging than ever. To swiftly detect network aberrations, security teams need to know what “normal” looks like, even as “normal” and the network itself remain in constant flux.

What is normal?
Knowing exactly what the network looks like is like trying to map a shadow as the sun moves across a sky dotted with clouds. It changes from one minute to the next. Such is the case for most municipalities – very complex, legacy network infrastructures, often with some network elements sourced from external providers and extended to suppliers or other governmental networks.  

Despite putting great effort into developing situational awareness, municipalities’ IT network administration counterparts fall short for several reasons:

  • Tools that automate network discovery generally do not flesh out all the needed detail.
  • Depending on the discovery refresh cycle, the network map is nearly always out of date.
  • Trying to synchronize “as mapped” with “as built” requires frequent runs of resource-intensive processes.
  • Network security gets lower priority than network availability, the Holy Grail for IT network administrators.
  • Security measures may introduce performance issues into an already stressed network.

Not knowing what the network should look like at any given time, most municipal security teams easily miss ill-behaving or improperly configured network devices. In their reluctance to implement security measures that could hamper network performance or citizen experience, the infrastructure becomes more vulnerable to attack and sensitive to the impact.

Where do we go from here?
Unfortunately for today’s cities, cyberattacks are a given. Expanding networks only increase the likelihood of attack, and there will always be an adversary who successfully enters the network. How, then, can security teams shorten the window of vulnerability and avoid becoming the next Atlanta?

Security analytics can help reduce the mean time to detect (MTTD) and mean time to respond (MTTR) to potential network threats through immediate visibility. While initiating or expanding security analytics capabilities pose challenges, these three key elements help ensure success:

  1. Data management. Data scale, formats, timing and quality issues are universal struggles in security analytics implementations. Context is also key. Complete and accurate data from multiple sources—network, endpoint, application, user, and threat data—provides more accurate detection.
  2. Multiple analytic methods. Using multiple analytic methods, municipalities can more accurately distinguish between legitimate network traffic and hackers. Machine learning can adapt to changing network behaviors through automated model building. However, beware of solutions that produce anomalies without the guidance to address the issues.
  3. Model governance. Strong model governance provides an activity audit trail and, importantly, supervision and consistency as analytic models evolve or as new models are developed.

As city infrastructures change to support population growth, changing demographics, regional competitiveness or new municipal initiatives, security analytics can play an ongoing role in maintaining service delivery and public safety in the face of cyberattacks.

SAS sponsored a Ponemon Institute study: “When Seconds Count: How Security Analytics Improves Cybersecurity Defenses.” Please visit to learn more about successes and roadblocks in the effort to improve cybersecurity defense. 

Henrik Kiertzner lends his cybersecurity expertise to SAS as a Principal Consultant. Since leaving the British Army in 2000 after a 25-year career in military intelligence, he has held various roles in IT management and consulting for international engineering firms, security and risk organizations and cybersecurity government and enterprise consultancies. He is a Fellow of the British Computer Society and the Royal Society for the Promotion of Arts, Manufacture and Commerce, and a Member of the Institution of Engineering and Technology.