Cybersecurity Lessons Learned From Snowmageddon
Social media reminded us that seven years ago, a mere two inches of snow in the middle of the day shut down Atlanta, our beloved city. It’s now affectionately referred to as Snowmageddon or Snowpocalypse. We both worked at competing security vendors then — Brian in the office at the Secureworks HQ in Sandy Springs (just outside Atlanta) and JB remotely from his home outside Atlanta (OTP for the locals) for Solutionary.
Brian barely made it home by leaving at the first sight of snowflakes, while JB stayed warm and dry all day. One of Brian’s teammates slept at his desk. Many of our neighbors took stranded drivers into their homes overnight. Millions of Atlantans were stranded on highways and in corporate parking lots. Crazy stories from that day abound — kids slept in school buses, and home improvement stores stayed open all night so stranded motorists could sleep on their floors. At least one baby was born on the side of I-285! Atlanta suffered further (but deserved) humiliation at the hands of Saturday Night Live!
Folks living in colder climates asked us how this happened. How could Atlanta be so ill-prepared? Largely, this was a failure of preparation, a dearth of people and tools (no meteorologist on staff at GEMA or Road Weather Information System sensors, too few brine trucks and snowplows), a lack of communication, poor execution during the event, and an overtaxed infrastructure. To be fair, threats (like the weather) get a vote, and no one could control the timing of the snowfall.
Is it just us, or does this sound a lot like how immature organizations respond to cybersecurity incidents? There was a lack of investment, a failure to prepare, missed intelligence, poor communication between stakeholders and incident responders, weak execution of processes during the incident, and an overtaxed, complex infrastructure to defend.
And, just like the weather, cyberthreats don’t care whether you are prepared for them or not.
So what’s changed since 2014 in the Atlanta region’s winter-weather preparedness, and what are the cybersecurity metaphors? The governor earmarked $15 million to make sure “it would never happen again.” Sound familiar? The state spent that money in several areas that proved their worth when a section of Interstate 85 caught on fire and collapsed in 2017. The table below compares several post-Snowmageddon initiatives to cybersecurity.
| Georgia Response | Cybersecurity Equivalent | Why? |
| --- | --- | --- |
| Hired a state meteorologist | Threat intelligence | To forecast future threats |
| Improved relationship with NWS | ISACs | To share information |
| Road Weather Information Systems | EDR | To have visibility on affected assets |
| Communications tools | Security analytics platforms | To correlate and prioritize events |
| Tow company and contractor retainers | Incident response retainers | To call in reinforcements without going through procurement in a crisis |
| New GDOT position: manager of emergency operations | Hiring an incident response manager | To manage the IR process and manage stakeholders |
| Addition of bulk salt storage | Acquiring digital forensics gear | To collect and analyze forensic artifacts |
| Increased number of snowplows and brine trucks | Implementing prevention technologies | To provide availability and protect users |
| Real-time dry runs with all stakeholders | Incident response tabletop exercises | To identify communication and process gaps before an incident |
Moreover, these events teach us that we can’t wait for the incident to happen to plan and prepare. They also teach us to build an early-warning system and rehearse our response so that we’re prepared when the first flakes start to fall. Speaking of snow falling, Atlantans still freak out at the mere mention of snow in the forecast, buying up all the milk and bread in the store.