Blumira Resources & Blog

Customer Story: City of Murrieta

Written by Thu Pham | Jun 26, 2024 4:46:38 PM

The Challenge

The City of Murrieta needed a solution to help them get visibility into ransomware actors after an incident.

The Solution

Blumira's free SIEM allowed them to determine the scope of their ransomware incident within 10 minutes of deployment.

"I turned on the free version of Blumira and put it into our Microsoft 365 environment, and immediately we started getting information within 10 minutes that revealed we had malicious logins from other IPs outside the United States; credentials being changed."

Mike Amado
IT Program Administrator
 
Industry Driver Company Size
City Government Ransomware prevention, CJIS 430

City of Murrieta

Murrieta is a city with a large share of newcomers, a strong sense of history and a promising future. Between 2000 and 2010, this community grew more than 133%, making it one of the fastest growing cities in the state. Many were young professionals just starting families. Murrieta now claims some of the top-rated high schools in the state, and a #6 spot on America’s Safest Cities list. 

Over the years, it developed and preserved more than 20 miles of hiking trails, 52 parks and countless recreational opportunities. Murrieta became known as an ideal place to settle down and call home--and many people did. Murrieta’s robust economic growth includes revitalization of Historic Downtown; the emergence of a regional medical hub with five major healthcare facilities; a cutting-edge biotechnology center; and expanded shopping and entertainment for all ages. And through it all, Murrieta remains connected by community.

The Challenge: Ransomware Attacks, Limited Budgets & Complex CJIS Compliance Requirements

Like other state and local government entities, the City of Murrieta faced challenges of high attack volume, limited budgets, and complex compliance requirements.

“Being a public entity, we definitely catch the attention of threat actors worldwide, constantly attempting anything they can get from the city. As a smaller city, we do have a limited budget,” IT Program Administrator Mike Amado said. “I came from a much larger city where they had dedicated resources and budgets for these types of things, and we have to pick and choose – do we upgrade infrastructure or put money towards security? In a perfect world, we'd like to get as much as we can, but realistically we can only get so much. It's definitely a big challenge.”

On the compliance side, the Criminal Justice Information Services (CJIS) policy from the FBI drives their need to support their police department and follow strict guidelines to keep criminal justice information secure. This is a compliance framework that many state and local governments must adhere to, with security requirements for generating audit records, logging system events, automating the audit monitoring and analysis process, retaining audit logs for one year, and more.

Meeting compliance requirements while maintaining defenses against attackers can be challenging with limited resources.

“Some of these threat actors can be backwater groups or state-level sponsored groups that have a much larger budget than the city does,” Amado said.

The City of Murrieta was the target of a ransomware attack launched over a holiday weekend.

“We got an email from our dispatch center, which runs 24/7 for our police department, and they said, ‘Hey, I got a weird message on my screen. It says something about my files being locked and my computer's not really working right. I'm not really sure what's going on,’” Amado said.

According to Amado, by the time they figured out which networks the attack was affecting, roughly 50% of their infrastructure was crippled. They discovered the source, but the damage had already been done. Their team attempted to remediate and determine if the threat was still persistent and the threat actor’s access was still available. 

“How do we get on top of this to prevent this from occurring again? The house was already on fire. We were trying to put it back together as fast as possible. Our major problem was getting back to business, understanding the damages that have already occurred and how we can resolve that quickly and effectively,” Amado said.  

The Solution: Fast, Easy Blumira Deployment to Detect & Prevent Further Ransomware Activity

Since it was an active event, Amado’s first priority was to mitigate the threat, as well as get ahead of the threat actors to see if they were still in the network.

“We needed something fast and quick so that we could start getting as much information compiled as possible. I turned on the free version of Blumira and put it into our Microsoft 365 environment, and immediately we started getting information within 10 minutes that revealed we had malicious logins from other IP's outside the United States; credentials being changed,” Amado said. “We discovered that it was no longer just on prem. They were moving to our cloud environments as well.”

Once the ransomware incident was contained, the City of Murrieta looked into doing full evaluation of different products to understand how they could assist them. They looked at Splunk, LogRhythm and Blumira, since they already partially implemented Blumira’s Free SIEM version. 

“It really came down to ease of use; being able to implement it within a couple hours, which we had already done prior – because like anybody in IT knows, you can have as many tools in the world as you can, but if you don't actively use them or actively look at them, they're useless,” Amado said. “When an alert does come out, it really simplifies it down to, ‘This is your problem, walk through these steps and here's how you remediate it.’”

Without a dedicated security team to help internally, Amado leans on Blumira’s 24/7 Security Operations team to help support them throughout incidents or answer questions that may come up. 

“It’s like having that extra person working for the city to help us with security. It makes it a pretty easy choice,” Amado said. “Automation is huge, especially with Blumira, that’s where a lot of the automation comes in place. It’s ingesting billions of logs over the past six months. We don't have a dedicated person to actually look through and make determinations on that. It'll save time. And in my opinion, I believe it focuses the resources your staff needs to implement to address these issues.”