How South Dakota Bureau of Information and Telecommunications deploys Elastic to secure endpoints

The South Dakota Bureau of Information and Telecommunications (BIT) provides quality customer services and partnerships to ensure South Dakota’s IT organization is responsive, reliable, and well-aligned to support the state government’s business needs.

The BIT believes that “People should be online, not waiting in line.”

The bureau’s goals for the state's 885,000 residents include: 

  • Delivering valuable services at economical costs
  • Building and retaining a highly skilled workforce
  • Providing reliable, secure, and modern infrastrastructure

When it comes to meeting the goal of a secure government infrastructure, the BIT discovered that its legacy SIEM solution couldn’t adequately monitor and alert on all of the endpoints associated with more than 9,000 systems. The BIT chose Elastic because they required a better tool to mitigate threats — a cost-effective solution with enhanced visibility to promptly pinpoint endpoint security issues and vulnerabilities.

In addition, the new solution needed to provide visibility for endpoints within the state’s environment as well as for remote systems used by employees working outside the office. 

“We needed faster incident response times because our SIEM at the time wasn't able to handle the load. And also coming back to the fiscal costs for bringing in all the endpoint logs was quite a bit of a challenge. So we needed to look for an alternative solution to get quicker response times when we're dealing with security incidents,” says Nicholas Penning, Security Technology Engineer for the BIT’s Security Operations Center.

Endpoint logging use cases 

With a mutate filter plugin on Logstash, engineers can deploy a tagging system so analysts can understand whether events are coming from within the environment or remotely. 

In one example, the critical logs the BIT captures in Elasticsearch and monitors in Kibana are failed Windows logins. This practice could uncover somebody without the proper credentials trying to access the system through brute force. 

For the second example, logs from links and attachments in Microsoft Outlook are also scrutinized to prevent malware seeping into the environment.

“That's a very huge use case today because we're always looking for those users that may be clicking on malicious links,” Penning says.

Harnessing Elastic Security for SIEM

Still, there’s more to it than just discovering a malicious URL, Penning says. What happens after the discovery of a malicious link?

“It looks like nobody clicked on that link, or went to that malicious site when I searched it. But what about four hours from now? Or 10 minutes from now? Are you still continuing to search and look for those things?” Penning asks. 

By harnessing the detection capabilities of Elastic, Penning answers his own questions in the affirmative. That’s because the BIT automatically creates detection rules for indicators of compromise, such as malicious URLs. 

Anytime that detection rule for that malicious URL gets targeted, Kibana will send an alert: “Hey, you know that detection rule we just created 20 minutes ago,” Penning quips, “we actually just got a hit on it.”

Watch the full presentation to learn more about how South Dakota BIT deploys Elastic Security for SIEM to monitor and alert on more than 9,000 endpoints and ensure a secure infrastructure for the South Dakota state government.