![\"A](\"https:\/\/cdn.defenseone.com\/media\/img\/upload\/2017\/12\/08\/AP_17046095751450\/defense-large.jpg\")
LOS<\/span>\u00a0ANGELES<\/span>\u00a0\u2014 Four years ago, cybersecurity operations for the city of Los Angeles were divided between four centers that didn\u2019t regularly share information with each other. When they did communicate, it was a managed through phone calls and emailed\u00a0spreadsheets.<\/p>\nCybersecurity awareness among the city\u2019s 48,000 employees was mixed. Protections at the city\u2019s 40 departments were hit or miss. Top department officials often didn\u2019t know all the computer systems they were running, making it impossible to defend\u00a0them.<\/p>\n
Despite these deficiencies,\u00a0L.A.<\/span>\u00a0was a high-tech city and believed it was reasonably well defended. \u201cWe thought we were secure, but we just didn\u2019t know,\u201d the city\u2019s Chief Information Security Officer Timothy Lee told\u00a0Nextgov<\/em>\u00a0this\u00a0week.<\/p>\n The truth, Lee said, was that city computer systems were far from secure. When the city flipped the switch on a cyber scanning tool from the company FireEye in February 2015, it turned up about 15,000 instances of malware sitting on city\u00a0systems.<\/p>\n Now, Los Angeles has become a case study for how a city can use models developed in the federal government and industry sectors to not only protect municipal networks but also improve cyber protections for local\u00a0businesses.<\/p>\n Las Vegas sent about 40 city officials to examine\u00a0L.A.<\/span>\u00a0cyber protections last week, Lee said, and Chicago officials visited this week. Officials from New York also plan to visit, he\u00a0said.<\/p>\n At the heart of\u00a0LA<\/span>\u2019s cybersecurity surge is its integrated strategic operations center, or\u00a0ISOC<\/span>, a bank of computers and human operators located in a small chunk of downtown\u00a0L.A.<\/span>\u00a0office space next to the Los Angeles Police Department\u2019s emergency response division and just a few blocks from City\u00a0Hall.<\/p>\n The\u00a0ISOC<\/span>\u00a0processes cyber threat information from the Homeland Security Department, the\u00a0FBI<\/span>\u00a0and various private sector and non-profit sources and feeds it out to its member operations centers and to city\u00a0departments.<\/p>\n Those four operations centers that formerly didn\u2019t speak to each other\u2014at the city\u2019s\u00a0IT<\/span>\u00a0office, the Water and Power Department, the Port of Los Angeles and Los Angeles International Airport\u2014now all have precisely the same\u00a0picture.<\/p>\n They\u2019re also far less burdened by redundant busy work. Instead of each of the centers poring through thousands of raw threat indicators separately, the\u00a0ISOC<\/span>\u00a0only forwards a handful of indicators that it has verified pose a danger to city systems, Lee\u00a0said.<\/p>\n \u201cOur overall security posture and situational awareness has improved dramatically,\u201d he\u00a0said.<\/p>\n Know Yourself; Know Your\u00a0Enemy<\/strong><\/p>\n Lee compares the\u00a0ISOC<\/span>\u2019s mission to a lesson from the 5th century\u00a0B.C.<\/span>\u00a0Chinese military strategist Sun Tzu in his treatise \u201cThe Art of\u00a0War.\u201d<\/p>\n \u201cIf you want to win the battle, you need to know your enemy and you need to know yourself,\u201d Lee said. \u201c\u2018Know yourself\u2019 applied to cybersecurity is situational awareness, and \u2018know your enemy\u2019 is threat intelligence\u00a0sharing.\u201d<\/p>\n A bank of display monitors at the front of the\u00a0ISOC<\/span>\u00a0demonstrated just how well the city now knows\u00a0itself.<\/p>\n One screen tallied digital security events. That could mean anything from a phishing email sent to a city email address to a curious request to a city system.<\/p>\n The figure typically hovers between 800 million and 1 billion events every 24 hours but was only around 300 million during the Monday morning when\u00a0Nextgov\u00a0spoke with Lee because hackers, like everyone else, prefer to take weekends\u00a0off.<\/p>\n Another screen listed the countries these security events originated from. The U.S., Russia and China led the list, as usual, Monday morning with the\u00a0U.S.<\/span>\u00a0on top. Attempts from Russia and China tend to rise during normal business hours in those countries and fall during their sleeping hours, he\u00a0said.<\/p>\n Another screen tracked activity on city websites for possible attempts to overwhelm them with distributed denial of service\u00a0attacks.<\/p>\n There had been 4.5 million failed attempts to log into city accounts that day, according to yet another screen. When that figure rises above 6 or 7 million, Lee begins to pay attention, he\u00a0said.<\/p>\n One of the most important screens at the\u00a0ISOC<\/span>\u00a0tracks activity on 104 particular city assets that are considered highly critical, such as its payroll\u00a0system.<\/p>\n \u201cAnything that targets those, we focus on that and we\u2019re in an elevated threat space,\u201d Lee said. Three of those systems were being targeted that Monday\u00a0morning.<\/p>\n The\u00a0ISOC<\/span>\u00a0monitors city networks using a system of sensors developed for state and local governments by the Homeland Security Department and based on the federal government\u2019s own threat detection system called Einstein. The\u00a0ISOC<\/span>\u2019s system, called Albert (get it?), detects malicious traffic coming in and out of city\u00a0networks.<\/p>\n The\u00a0ISOC<\/span>\u00a0also continuously monitors activity on employee computers and networks and receives alerts about anomalies that suggest someone other than a city employee is inside the system. Those alerts could come when someone accesses a system late at night, for example, or copies an excessively large number of\u00a0files.<\/p>\n Knowing itself is only half the battle, though. The\u00a0ISOC<\/span>\u00a0also struggles to know its\u00a0enemy.<\/p>\n Lee\u2019s office receives streams of threat data from the Homeland Security Department\u2019s automated indicator sharing program, which includes threat intelligence from the government\u2019s own sensors and intelligence services as well as information companies share with the government under a 2015 law that guarantees them legal indemnification for doing\u00a0so.<\/p>\n The center also receives threat information from a government-backed cybersecurity information sharing program for state and local governments, known as the Multi-State Information Sharing and Analysis Center, and subscribes to a feed of private sector threat\u00a0data.<\/p>\n The Homeland Security data is, by far, the most useful and voluminous data source, Lee said. He echoed a\u00a0criticism<\/a>\u00a0made by private companies, though, that the Homeland Security data often lacks context that would make it easier to determine which threat indicators are most important and how they apply to city\u00a0systems.<\/p>\n