Research that identifies the unique needs, priorities, concerns, and trends affecting SLED leaders.



Key takeaways

Our most significant research finding – the characteristic that defines the most successful security programs – is the evolution and continuing efforts of a visionary security or IT leader. The challenges these women and men regularly navigate involve a volume of end users that outstrips any private corporation, no matter how large. They’re bound by law, not by profit, and are often handcuffed by time-constrained budgets and election cycles. Successful SLED leaders know that cybersecurity is first about human behavior and only distantly about technology. They are:

  • Both technically savvy and sensitive to the nontechnical concerns of their colleagues.
  • Able to find support from elected officials, the press, and the public.
  • In touch with the practical operation of their agencies.
  • Strong communicators and advocates for balanced security policies.
  • Fully committed to continuously delivering services to the public while protecting their privacy and safety.


Rising to a new level of trust

Digital transformation and the increasing use of cloud-based and SaaS services within the public sector predate the COVID-19 pandemic, but the pandemic forced a rapid adoption of those initiatives that only expanded in the years that followed. The public sector saw a paradigm shift in cybersecurity strategy and spending to match the prevalence of remote work among employees and the increasing demand for online services from constituents and stakeholders.

Combined, these two factors – the newly distributed workforce and a pivot to cloud-based infrastructure – have prompted new security priorities and considerations for SLED organizations.

The distributed SLED workforce and cloud adoption

Prior to the pandemic, less than 10% of the public sector workforce was considered fully remote or hybrid.

As the pandemic evolved and working environments changed, pressures mounted on the legacy model, and SLED organizations were forced to rethink their strategies for access, computing, information sharing, and cybersecurity. The number of fully remote workers more than quadrupled from 2018 to 2021, with 66% of U.S. employees now working remotely at least part of the time (Zippia, 2022).

[Infographic: remote workforce, 2020 to now]

Accelerated adoption of cloud services

Public sector organizations experienced an overnight shift in usage models that proved unsupportable in traditional on-premises configurations. With non-essential employees required to work from home and municipal facilities limiting access, IT teams struggled to acquire, configure, and sufficiently manage new systems to support existing commitments. Cloud technologies enabling communication and collaboration became the path of least resistance to restoring critical services with appropriate levels of security and responsiveness.


It really shows the power of the cloud – the ability to scale elastically to meet demand. You just never achieve those types of outcomes in an on-prem world.
Ian Milligan-Pate, Area Vice President for SLED at zero trust pioneer Zscaler

New emphasis on zero trust architecture

The increased volume of remote users had additional, unexpected consequences for access control and security management. In January 2022, the U.S. Office of Management and Budget released its federal zero trust strategy (memorandum M-22-09), describing zero trust architecture as a “key step forward” in implementing Executive Order 14028, Improving the Nation’s Cybersecurity.

Drivers of increased demand for zero trust

As a result, SLED organizations are revisiting their own security operations and management models. Zero trust approaches authorize each request on the identity and context of the individual user (and the device and application involved) rather than on network location, so every access record ties a named user to the specific application or action requested instead of to a network segment. From a security perspective, zero trust creates a clear map of who is authorized to reach each application and asset, something traditional VPNs and gateways, which grant broad network reachability once a user is connected, cannot provide. From a pragmatic cost perspective, the move to zero trust and cloud-based services has a nearly immediate impact.

For a complete list of zero trust benefits, download the 2022 SLED CPR.

Today, 97% of businesses say that they have a zero trust initiative in place or will have one in the next 12-18 months. That’s a 500% increase in the past four years, while only 7% of public sector organizations are taking the initial steps. (Help Net Security)

Zero trust and remote access in 2023

The combined pressures of the distributed workforce and cloud adoption created the initial impetus for zero trust expansion and early-stage adoption for SLED organizations in 2020-2022 – it was a leap born of necessity. Looking at 2023 and beyond, this evolution will continue but with intention.

  • 2023 will be the year of systemization and expansion of zero trust enablement across the SLED landscape as organizations accept the hybrid environment as the new normal.
  • Cloud and SaaS services will continue to expand and integrate zero trust into common business practices.
  • Pilot and departmental projects will move mainstream with collective whole-of-state (i.e., agencies, cities, counties, and local governments) initiatives to simplify communications and service collaboration.

Recommendations for zero trust and remote enablement

  1. Educate your SLED stakeholders. Translate security jargon into relatable stories. Concentrate on outcomes with a mission-focused mindset, and underscore improvements for employees and constituents.
  2. Develop and deliver a rationale for change. Inertia is a powerfully resistant force. Leverage external statistics on the benefits within the context of your organization to ensure support that will withstand the next budget cycle.
  3. Maintain focus on the associated changes required. Prior to creating a detailed plan and initiating the rollout, ensure all organizational elements that will be affected are informed and integrated into the planning process.

For a complete set of recommendations, download the 2022 CPR.

Takeaways for zero trust and remote enablement

  • The trend toward an increasingly remote workforce is here and will not change; citizens and stakeholders are looking for a consistent and available suite of services.
  • As you execute your own strategy for improved access and accountability, identify the broad value it can bring, from visibility to policy enforcement.
  • Develop and deliver on your remote access and authentication strategy right now to support future efforts, providing immediate secure access for your growing population of remote users.


Better security through SLED collaboration

The cybersecurity community isn’t a large one, particularly in SLED, and it’s uncommon to have more than a couple of dedicated cybersecurity staff within any one organization. As a result, leading a cybersecurity program can feel isolating, with few opportunities to share ideas, concerns, and challenges. Compounding the scarcity of contact is the impression that collaboration and information sharing are antithetical to cybersecurity: the SLED community is trustee of private information on thousands, even millions, of users and is relied upon as both steward and service provider.

These are the challenges driving SLED leaders to seek new forums and mechanisms for connection and collaboration. There are recent and ongoing efforts to do more than traditional breach and threat notification – efforts that involve consistent, timely sharing of information, and the joint development or adoption of best practices.

Cybersecurity collaboration is evolving

Security practitioners have always been willing to share what they know and their recommendations for improving the execution of cybersecurity. But organizationally, the sharing of information, updates, and security events has been more limited.

From the practical perspective of SLED security leaders, traditional industry membership organizations (e.g., the Information Sharing and Analysis Centers (ISACs)) don’t provide easily actionable information. They’re valued by security professionals looking to share experience and report on threats, but the outputs don’t neatly convert to strategies for improving coverage, funding, support, or custom response procedures. Professionals are reporting what is happening without necessarily sharing how they handled it.

Good news! New efforts are underway to support actionable collaboration amongst SLED security leaders.

New collaboration models in SLED

2022 saw changing drivers of increased interest in collaboration, and a new level of investment in delivering on its value. Part of the reason is an influx of available funding that’s leading to the development of broader initiatives and partnerships that demand tighter collaboration.

Operational consolidation

A trending form of collaboration across all sectors of the SLED marketplace is the consolidation of security operations, which offers:

  • Increased visibility and economies of scale.
  • Improved fidelity and completeness in analytics.
  • Expanded exposure and effectiveness.

At the state level

The expansion of federal funding and mandates under the 2022 State and Local Cybersecurity Grant Program (SLCGP) has provided an impetus for an unprecedented expansion in strategic, consolidated investment.

To learn how the SLCGP is driving new statewide initiatives, download the full report.

This new funding and the requirement for more collaborative work on both proposals and implementation is fueling the creation and evangelism of statewide security operations centers (SOCs). States and municipalities are collaborating on the type of available services and the mix of access and authorized actions. System inventories, traffic monitoring, and service requirements are gathered from client organizations, informing analysis and recommended responses delivered by a statewide SOC.

[Infographic: SLED CPR Americas cybersecurity investment]

In higher education

There are new and ongoing efforts to combine experienced technical personnel with cybersecurity education initiatives to establish university-led SOCs. These units are created through collaboration at the state system level and across multiple universities through new academic initiatives.

In most cases, these operations combine industry technologies and advice with student-led teams to create the shared benefit of improved security and pre-workforce learning and development.

Benefits of operational consolidation

  1. Optimization of investment in scarce, costly security personnel
  2. Increased visibility and responsiveness through broader data gathering
  3. Upskilling of municipal leaders in cybersecurity through shared learning and best practices
  4. Economies of scale for both operations technologies and teams

Managed service adoption

For SLED organizations that lack either the funding or the authority to establish consolidated collaboration models, a growing trend is the adoption of managed services.

By design, managed security service providers (MSSPs) federate information from multiple clients into a consolidated operation, increasing cost efficiencies for analysis and service delivery. Similarly, threat intelligence gathering, staff skills development, and infrastructure management costs drive consistent approaches and outputs across those clients.

85% of state and local governments will evaluate a managed security service alternative in 2022.

SLED organizations leveraging a suite of managed services are creating a new type of arm’s-length collaboration. Service providers are driven by SLED clients to deliver SLED-appropriate configurations, pricing, and outputs. The result is a form of consensus through multi-client collaboration.

For more insight into the value of working with an MSSP, download the full report.

Shared protection through shared intelligence

Since 2016 – and especially during the COVID-19 era – there’s been a marked increase in school districts and small governmental agencies falling victim to ransomware. The campaigns that triggered successful attacks were seen multiple times, but targets weren’t aware that others had been victimized.

In response, there are new efforts underway to support actionable threat intelligence collaboration among SLED security groups.

NuHarbor Security, for one, is working with multiple statewide agencies on a structured approach to information sharing called the Cyber Resilience Early Warning System (CREWS). CREWS delivers information on the identifiable characteristics of a threat in action along with specific recommendations for blocking the threat before it has a chance to succeed.

For more on CREWS and early threat detection, download the full report.

Defining collaboration: the four c’s

This new wave of collaboration goes beyond event reporting and includes sharing experiences with applications, vendors, and thoughts on best practices and response procedures. To make this sharing effective and motivate continued participation, some basic characteristics are required.

True collaboration is multifaceted. A community for collaboration is both a platform for reporting and a place for continued learning and professional development. Collaboration is evolving to map more clearly to these four criteria.

Effective, engaging, and justifiable collaboration must meet the four criteria shown in the collaboration infographic.

[Infographic: the four c’s of collaboration]


Collaboration is both an indicator and an enabler of transformative leaders in the SLED cybersecurity space, and organizations that undertake this type of shared effort are likely to lead the way as cybersecurity becomes more of a shared service. These leaders are willing to share their own experiences to help others while being comfortable exposing gaps or concerns for others to help them address.

You need a visionary who can spark a collaborative mood. Historically, for many organizations, there can be an atmosphere of skepticism due to previous cases of miscommunicated expectations. It takes someone with vision and leadership ability to get those teams aligned.
Frank Myers, Strategic Advisor for SLED at monitoring and observability leader Splunk

These leaders also benefit from visibility into efforts on a larger stage and will increase the depth and scope of their networking with other like-minded experts.

Starting can be difficult. Here are three steps toward regular and programmatic collaboration:

  1. Collaboration begins at home: Socialize the benefits of sharing information and insights with others. Develop the right policies and rules for sharing that you can later apply externally. Encourage your own teams to be more open with security needs, events, concerns, and objections.
  2. Test the waters: Talk with peers, analysts, and even vendors to identify the types of collaborative groups or partnerships that will bring the most value. In some cases, these will be established forums, but look beyond other SLED organizations to vendors with whom others are finding success and take advantage of the information and insights they’re already gathering.
  3. Plan for success: Now that you have a baseline set of skills, information, and partners, generate a rational estimate of the investment you’ll need to support the collaborations you create. Start with less, and only add when you become both a successful consumer and provider of information to the collaborating team. You’ll always have an audience that is grateful and clamoring for your help. Remember to balance your own goals with those of your peers.

The path to application security for SLED leaders

As SLED organizations advance their services and use of cloud infrastructure, they’re creating and exposing more critical applications. Remote access and increased adoption of work-from-home policies are expanding remote access to both internal and client-facing software, and with it the attack surface. There’s a growing interest in and emphasis on application security accordingly. From statewide efforts to create programs and policies for increasing visibility and control, to legislative action mandating proactive application security management, the cost and time savings associated with finding and fixing flaws early are clear.

Download the full report to learn how the public sector is leading the way in application security.

The state of application security in the public sector

Application security is understood by most security and IT professionals to be important, particularly when it comes to the assessment of risk in support of standards. Penetration testing, as a mechanism for assessing combined infrastructure and application security, is a common approach to satisfying standards as diverse as PCI DSS, SOC 2, GDPR, and HIPAA.

But testing results paint a challenging picture of application security. The flaws that are most difficult to discover and remediate – those found by software composition analysis (SCA) and static analysis (SAST) – persist longer within public sector organizations than in any other sector.

Download the full report for insight into vulnerabilities by industry vertical.

We reviewed our application security strategy from the ground up with an inventory of our applications. In the process, we identified over a thousand applications that were either created exclusively for the Commonwealth or were highly customized. I don’t think this is uncommon in state government.
Sean Hughes, Assistant Secretary for Technology, Security, and Operations for the Commonwealth of Massachusetts

Given this volume of unique software, a rigorous application security program is critical because the software will not be exposed to the same level of use and examination as more common third-party programs. The challenge extends to remediation, as most bespoke software contracts contain little to no language about security testing, recourse when vulnerabilities are found, or service level agreements on time to fix. Whereas a large group of users demanding patches will drive investment from packaged software providers, there’s no such groundswell when a single client has deployed a custom application.

Finally, a distinctive motivation for addressing application security in SLED is the cyclical nature of purchase and support for applications. Funding is defined by priorities and legislation in a fixed window, without consideration of the out-years funding required to keep applications updated and patched. According to a report from IT software company Ivanti, unpatched vulnerabilities are the favored attack vector for emerging ransomware schemes and have long been the primary target for exploit kits and automated attacks. In SLED, where budgets are specifically allocated and priorities shift with changes in administrations, ensuring security and response expectations from the start is key.

Improving application security

The catalyst for improving application security varies, but it’s commonly a reaction to an external event or some sudden rise in awareness, like facing a breach or failing an audit.

SLED CPR Hidden Targets Infographic

Regardless, the path forward consists of five key elements:

  1. Creating and socializing an application security plan: Improving application security requires new thought processes on the part of the organizational leaders who are accustomed to acquiring or developing applications to solve immediate problems. An application security champion must establish a collaborative process, balancing functionality, price, and availability for sufficient internal support and building a sense of urgency and focus on the benefits of prioritizing application security.
  2. Understanding the application landscape and inventory: Securing applications starts with being able to find them. SLED organizations require a repeatable process for identifying applications in use among agencies, secretariats, or schools. A proven methodology is to first survey leaders for their list of critical applications, noting characteristics like traffic type, authorized users, and integrated data, then review user activity and network traffic for anomalous connections and accesses to illuminate unauthorized or unknown applications.
  3. Improving and applying new contract language: Successful application security programs focus on more than simply identifying vulnerabilities in deployed software. Such programs place equal importance on decreasing or eliminating the acquisition and adoption of new applications that haven’t been assessed for security. The creation and integration of application security terms and conditions into software acquisition RFXs and contracts raises awareness among procurement and supply chain stakeholders.
  4. Classifying application types to drive prioritization: Hundreds, even thousands, of applications are in use among larger colleges, universities, and most state and local organizations. It’s impossible to meaningfully assess and remediate more than a fraction of that number, so the development of prioritization criteria is critical. Start with mission-critical, citizen-facing applications and work backward into your infrastructure.
  5. Communicating critical impacts of the policy: To effectively move through the steps described above requires a shift in expectations on the part of stakeholders requiring new applications and in the mindset of other security leaders. Improving application security involves the creation and execution of practices and policies outside the ordinary experience and purview of security teams, which will change the usual process for application acquisition. This drives the need for clear and consistent communication around the impact of any application security program, as security requirements must be demonstrably balanced with business needs.

SLED organizations know of only 80-85% of the apps in their environment. This leaves up to 15% that aren’t even known, much less secure. That 15% gap can turn out to be really scary.
Neal Byrd, Vice President of Public Sector at Veracode

[Infographic: application risk criteria]
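A minimal version of the inventory step in item 2 above, written as an added example (this is not code from the SLED CPR, NuHarbor, or Veracode): applications declared in the leadership survey are reconciled against web-proxy logs, and every destination that maps to no declared application is surfaced for review, ranked by how many users touch it and how much data they submit to it. The inventory records, host patterns, and proxy log lines are constructed sample data.

```python
"""Reconcile a declared application inventory against observed proxy traffic.

Added example, not code from the SLED CPR or any vendor named in it. Agency
leaders supply the applications they know about; proxy logs show where users
actually go. Destinations that match no declared application are the unknown
share of the inventory. All records and log lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed survey results: one record per application leaders reported.
DECLARED_APPS = [
    {"name": "Permit Portal", "owner": "Building Dept", "hosts": ["permits.example.gov"], "data": "PII"},
    {"name": "Payroll SaaS", "owner": "Finance", "hosts": ["*.payroll-vendor.example"], "data": "PII"},
    {"name": "GIS Viewer", "owner": "Public Works", "hosts": ["gis.example.gov"], "data": "public"},
]

# Constructed proxy log: "<timestamp> <user> <method> <url> <status> <bytes>"
PROXY_LOG = """\
2023-01-09T08:01:12Z jdoe GET https://permits.example.gov/apply 200 5120
2023-01-09T08:02:40Z jdoe POST https://us2.payroll-vendor.example/timesheet 200 880
2023-01-09T08:05:03Z asmith GET https://gis.example.gov/map 200 20480
2023-01-09T08:07:55Z asmith POST https://formbuilder-free.example/submit 200 3072
2023-01-09T08:08:13Z bkim POST https://formbuilder-free.example/submit 200 2990
2023-01-09T09:10:01Z bkim GET https://share-files.example/upload 200 1048576
2023-01-09T09:11:44Z cnguyen PUT https://share-files.example/upload 201 2097152
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def host_matches(pattern, host):
    """Match an inventory host pattern ('*.vendor.example' or an exact name) to a log host."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".vendor.example"
        return host.endswith(suffix) and host != suffix[1:]
    return host == pattern


def classify_host(host, inventory=DECLARED_APPS):
    """Return the declared application name for a host, or None if it is unknown."""
    for app in inventory:
        if any(host_matches(p, host) for p in app["hosts"]):
            return app["name"]
    return None


def parse_proxy_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["host"] = urlsplit(rec["url"]).hostname
        rec["bytes"] = int(rec["bytes"])
        yield rec


def find_unknown_apps(log_text, inventory=DECLARED_APPS):
    """Return {host: summary} for every destination not covered by the inventory.

    Ordered so the hosts with the most distinct users, then the most data
    submitted (POST/PUT/PATCH bytes), come first: those are reviewed first.
    """
    unknown = defaultdict(lambda: {"users": set(), "writes": 0, "bytes_out": 0})
    for rec in parse_proxy_log(log_text):
        if classify_host(rec["host"], inventory) is not None:
            continue
        entry = unknown[rec["host"]]
        entry["users"].add(rec["user"])
        if rec["method"] in ("POST", "PUT", "PATCH"):
            entry["writes"] += 1
            entry["bytes_out"] += rec["bytes"]
    ranked = sorted(unknown.items(), key=lambda kv: (-len(kv[1]["users"]), -kv[1]["bytes_out"]))
    return {h: {"users": sorted(e["users"]), "writes": e["writes"], "bytes_out": e["bytes_out"]}
            for h, e in ranked}


def coverage(log_text, inventory=DECLARED_APPS):
    """Fraction of observed destination hosts that map to a declared application."""
    hosts = {rec["host"] for rec in parse_proxy_log(log_text)}
    known = sum(1 for h in hosts if classify_host(h, inventory) is not None)
    return known / len(hosts) if hosts else 1.0


if __name__ == "__main__":
    for host, summary in find_unknown_apps(PROXY_LOG).items():
        print(f"{host}: users={summary['users']} writes={summary['writes']} bytes_out={summary['bytes_out']}")
    print(f"inventory coverage: {coverage(PROXY_LOG):.0%}")
```

On the constructed data, three of five observed destinations are declared, and the two unknown hosts are ranked with the file-sharing site first because users are uploading the most data to it. In practice the same reconciliation is run against DNS or NetFlow data as well, since not all application traffic passes through a proxy.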

Another prioritization factor for identifying and assessing existing applications is the presence of known, exploitable vulnerabilities. While an application security program should be constructed with contractual recourse in mind, prioritizing even a lightweight analysis of existing mission-critical applications, where the contract language is lacking, is paramount to understanding their relative risk to the organization.

Download the full report for recommendations on secondary mitigation options.

Conclusions: unexpected benefits

The SLED community is very different from both the private sector and the federal government. No state, county, city, college, or university is in direct competition with its peers when it comes to security. In fact, leaders in this corner of the public sector are lauded for their information sharing and collaboration. Improving SLED application security will deliver benefits that extend beyond a single organization.

Shared expectations

While specific terms and trade-offs will be individually negotiated, SLED market demand for increased transparency and visibility into vendor security will lift all boats. SLED consumers represent one of the largest buying blocs, and shared expectations and contract terms regarding security rigor will benefit all future contracts and customers.

Improved outcomes

As vendors and custom software providers normalize the need to improve their own processes and deliverables, each future SLED client benefits from improved security in the newest product or development practices. With this constructive market pressure, vendors are finally incentivized to take application security more seriously.

Expanded awareness

The security of applications has been a long-running issue because senior leaders assumed the condition was inevitable, and that addressing vulnerabilities was practically intractable. Through the development and socialization of application security programs, senior-level stakeholders and contract signatories will learn about balanced measures to address these risks and ideally factor them into decisions.


Early warnings

A CREWS Q&A with NuHarbor Security CEO Justin Fimlaid

A central finding of our work on this year’s SLED CPR is the widespread shift towards increased collaboration and information sharing among the SLED community.

NuHarbor Security founder and CEO Justin Fimlaid has been working with multiple SLED organizations on developing a structured approach to information sharing, particularly focused on threat intelligence and defensive recommendations. He’s calling it CREWS, short for Cyber Resilience Early Warning System, and its intent is to provide a consistent means of sharing visibility into new threats with the added benefit of a common language: protection. More than a reactive tool for threat hunters searching for indicators of compromise (IOCs), CREWS is built to deliver both the identifiable characteristics of a threat in action and specific recommendations for how to avoid becoming a victim of that new threat in the first place.

We sat down with Justin shortly before publication.


In your work over the last several years, you noticed the need for a style of early warning system that doesn’t exist in the security market today. Can you tell us what the discovery process was like for you and what led you to think something more was needed?

I see it as an evolution of need. Hearing clients talk about their different concerns, I realized that many of those pain points could be addressed with the tools that are already available to us but repurposing them to create a different outcome. The concept of CREWS evolved from the realization that simply reacting to threat intelligence isn’t enough. Clients told me they wanted to know about the risk from these threats before an incident occurred, before they could create the effects that would allow them to be detected. They didn’t want to be in the position of detecting threats after they had already gone to work.

Looking at the data, we had all the information we’d need to predict if or when a security event might occur.

So, your premise was that you could put another lens on existing data to draw conclusions that would prevent attacks that hadn’t yet occurred?

My theory was that we could use our data to perform a function more like an early warning system for tornados, and less like FEMA cleaning up after an event. We could use threat intelligence to be proactive instead of just reacting to the information. We need warnings that give us the heads up that something’s about to happen so we can preserve assets.

The way that you position threat intel in describing CREWS, it sounds as though it’s more than just a warning that something’s coming. It’s a warning that something’s coming and specific guidance based on what you’ve learned. Help me understand how you see that information getting developed so that it arrives as more than just a siren going off.

With the early warning comes recommendations for how subscribers can strengthen their position. Because they can’t run away from the threat – it’s out there, it’s going to happen. So, with those recommendations comes the signature of the attack and the list of indicators of compromise. Many possible proactive steps exist to disrupt a threat that may be coming. Knowing that these threats exist and what events can happen accordingly, we can be proactive in our use of the technology we already have in place to prevent damage from occurring.

Early warning evokes a sense that these threats are new, being seen for the first time. How do you envision being able to separate a breach or known attacker from something brand new that’s just happening?

It’s a function of threat intel and how it’s used. Sure, there’s information sharing that exists, but it hasn’t been used to identify brand-new attacks or make new recommendations. No one’s taken that direction, mainly because no individual organization has the motivation to care that much.

CREWS enumerates all the reasons you should care. Now there are emotional reasons to share and prevent events from happening. CREWS proposes a fundamental change in information sharing that drives these specific outcomes to actually help people.

Download the full report for more on leveraging CREWS to communicate urgency around threat protection.

Many sources of threat intelligence provide updates. But you suggest that with CREWS, threat analysts are far better off. Can you help me understand why CREWS is a better idea than trying to orchestrate these other sources independently?

Sure. We live in a security environment where threat intelligence is stale and outdated after 36 hours. Threat intel is circulated extensively; it’s shared, but that doesn’t make it good. In the new model, there’s a combination of understanding wide-scale security monitoring and attack simulation competency. Here’s an example:

Let’s say an organization is the first to see a new credential stuffing attack on a web or edge application. For anybody unversed in attack simulation, clearly translating the characteristics and path of that event to others is somewhere between challenging and impossible. Once the attack succeeds and there are obvious signs, it’s much easier; any trained observer will know how to detect it, but that isn’t what organizations need. They want a recommendation for how to block it from occurring in the first place. Someone with simulation experience can do that and suggest means of closing gaps going forward.

This is how CREWS improves detection, but more importantly, how to block the attack so you won’t have to worry about detecting it. That’s the shift that needs to occur. CREWS empowers subscribers to move from a reactive position to a proactive, preventative position that will preserve their assets and their integrity.


For organizations that are first hearing of CREWS through the CPR, what are the concrete benefits you’d expect a participant to receive that would justify joining?

They’ll get timely, expert intelligence on threats that have a proven likelihood of occurring. They’ll gain situational awareness so they can protect themselves. There will be fewer surprises and less blindsiding. They’ll also get a type of continuous, threat-based, contextualized risk assessment. With CREWS, you see risks that are meaningful to you; your assessment doesn’t change when new attacks evolve that can’t affect you. Subscribers get the recommendations we’ve been talking about. This won’t be something they can create themselves, even if they were staffed and trained for it.

The SLED CPR is the first place where CREWS is being discussed at this level and in a very public way. What’s next in the development and delivery of CREWS to fulfill your vision?  

The more participants that contribute to CREWS, the smarter it becomes. It’s an intelligent system, and the machine learning that exists within that system only gets smarter with more data that we feed it. In my vision, if we had the entire country participating – every state, city, county, and college – we’d have unprecedented visibility for malicious activity nationwide. That’s a pretty high bar, though. In the meantime, there’s an emerging version of CREWS for state and local municipalities that are short-staffed, organizations that aren’t equipped to understand and make changes even if they receive the recommendations. We’re also developing an appliance that will sit on the edge, or within an organization, and tell you exactly how an incoming CREWS message or recommendation applies to you. This device will run benign versions of CREWS campaigns so that organizations can see exactly what would happen, allowing them to find the support and resources that they need. For the first time, they will be informed of the newest threats, made aware of the potential impact, and empowered to go and tell that story to drive change.

For a look at the full interview, and more on how CREWS will empower advanced threat protection, download the full report.

SLED intelligence: threats & actors

While most automated or platform-based attack campaigns aren’t focused on specific verticals or targets, there’s an evolving recognition within the SLED community that some threat groups and attack types are more likely to affect their organizations. Sometimes the nature of the attack is one that exercises common SLED weaknesses, while other times, the requirements for openness and availability make SLED a more attractive space to target. State and local organizations became more aware of this changing attack profile in 2022 as they worked to ensure public confidence in election systems and technologies. Our research shows that specific actors and attack types are occurring with more frequency in the SLED community.

Top threat actors

Wicked Panda

  • Years active: 10+
  • Country of origin: China
  • Targets: Healthcare, telecom, and technology

Characterized by the MITRE organization as a Chinese state-sponsored espionage group, APT41 has been in existence for over a decade. They combine multiple attack types to infect organizations, deploying multiple information-gathering and financially motivated payloads. Over the past year, they’ve been increasingly active and successful in their efforts against U.S. state governments. Their most recent successes have been enabled by vulnerable public-facing applications with either common custom application vulnerabilities like injection attacks, or vulnerable components within applications, like the zero-day vulnerability disclosed in Log4j.

Download the full report to learn how these issues are driving increased attention to application security.

Cozy Bear

  • Years active: 10+
  • Country of origin: Russia
  • Targets: Government, consulting, and technology

APT29 is a known threat group characterized by the MITRE organization as sponsored by, or a party to, Russia’s Foreign Intelligence Service (SVR). APT29 rushed into the American consciousness as a result of their reported compromise of the U.S. Democratic National Committee in 2016. Research shows the APT29 group continues to target diplomats, with a combination of access techniques. Of the three groups listed, APT29 appears to be the most active and to perform the most targeted and outcome-driven attacks.

Download the full report for more on how APT29 impacts the SLED community.

LockBit 3.0

  • Years active: less than a year with the latest version
  • Country of origin: Unknown
  • Targets: Healthcare, telecom, and technology

LockBit is a long-standing ransomware threat, ranking second behind the more popular Conti family until that organization’s demise in May 2022 following increased public pressure and investigation. LockBit has continued to enhance both its attack vectors and malware payloads as some members of the former Conti group joined and supported the evolution of the LockBit Ransomware as a Service (RaaS) platform. The LockBit group is not specifically associated with any nation-state sponsor of attacks, but the attacks themselves avoid Eastern European systems and those configured to communicate in languages using Cyrillic characters. LockBit also leverages stolen credentials, using unauthorized access through legitimate accounts to establish a foothold, in addition to identifying and exploiting some classes of web-facing application vulnerabilities.

Download the full report to learn how LockBit’s exploits are particularly relevant to the SLED community.

Mitigating the root causes

A consistent theme among SLED security leaders is concern over both the attribution and results of these campaigns. Perceived state-sponsored attacks are considered more dangerous and more of a public opinion concern, driving behaviors focused on blocking traffic from untrusted geographies, or even advocacy for federal action against perpetrating nations.

Here’s a compilation of the root causes of threat campaigns in SLED:

  1. Vulnerable software is easily identified and exploited by these campaigns: Whether it’s a local criminal or state-sponsored threat team, vulnerable software deployed on publicly accessible networks presents a list of likely victims for attackers. What’s worse, vulnerabilities in well-known packages provide a path to target identification that is simple to automate and execute. With vulnerabilities found in over 80% of public sector applications and average patch times well over six months, it’s clear why this approach is working for attackers.
  2. Attacks are long-lived, once successful: Preventing attackers from gaining an initial foothold is critical to blunt the impact and frequency of these events. While there has been progress in decreasing dwell time, those improvements remain out of step with the speed of modern attack campaigns. Internal detection of successful attacks in the U.S. has been reduced from 64 days to 60 days, but the time needed to install eavesdropping tools or carry out a damaging ransomware incident is measured in hours.
  3. The source isn’t that important: Once successful, particularly an attack focused on disrupting services or destroying data, the source isn’t nearly as important as the impact. While it may be a politically viable strategy to highlight the sophistication of a state-sponsored organization as a mitigating factor, the current environment is rife with examples of individuals and petty criminal organizations leveraging those same platforms and approaches. Whatever vulnerability or stolen credential is facilitating the attack, the same weakness will work for any motivated party.

Key takeaways

Successful teams focus on the threat vectors exercised by these attackers to identify gaps and areas suited to practical risk mitigation, regardless of the source and motivation of the attack. Meaningful conclusions of these efforts include:

  • Improve frequency and response planning for vulnerability assessment and vulnerability management within the organization to minimize the window of exposure.
  • Increase consistency and coverage of monitoring for both systems and networks to quickly identify and quarantine security events before they can spread and increase damage.
  • Focus security investment on prevention, monitoring, and response, and drive support through demonstrable activity in blocking attempted attacks.
  • Maintain a close relationship with service and threat intelligence providers to stay abreast of emerging threats and campaigns.

Download the full report for more data-driven advice on advancing critical improvements tailored to secure and evolve SLED infrastructure.

Looking forward to 2023

The SLED CPR is the product of dozens of conversations with NuHarbor Security SLED clients, SLED IT leaders, and cybersecurity experts over the course of 2022. It was designed to represent the impressions and concerns of SLED decision makers, and for the first time deliver broad cybersecurity information tailored specifically to the SLED marketplace.

With the first annual SLED CPR complete, we also want to share our expectations for the future. We’ll revisit these in next year’s CPR and see how close we are.

Justin Fimlaid – Founder & CEO

Jack Danahy – VP, Strategy & Innovation

Prediction 1: Back to basics

Justin: We’re going to see SLED leaders move back to basics as they conclude that buying more and newer technology every year is not making them more secure. The availability of new funding will present a tempting opportunity to double down on technology acquisition, but I’ve spoken with successful leaders who’ve concluded that after adopting a cornucopia of cybersecurity technologies, they still have gaps and unaddressed risks leading to security events and setbacks. I predict they’ll reapply the fundamental blocking and tackling that’s been underserved in cybersecurity. The events of 2022 and earlier will cause the epiphany that they should have prioritized basic security hygiene all along.

Download the full report for a complete list of fundamentals to prioritize for maximum protection.

Prediction 2: Teaming up

Jack: I predict the growth of state-led cybersecurity collaboration that will improve protection for municipalities and local agencies. The SLGCP (State and Local Cybersecurity Grant Program) – federal funding that’s intended to provide a new level of cybersecurity support in SLED – stands to deliver 80% of its support to local and municipal organizations. With that support, and likely new services to carry the cybersecurity load, I expect to see collaboration in the creation of common requirements as those services are rolled out.

More importantly, I envision a cascading improvement in cybersecurity resulting from increased teamwork beyond the state borders.

Download the full report for a deeper look at state and local collaboration in 2023.

We should expect states to take on a central role in cybersecurity as more of a service infrastructure, in the way that states currently handle other common services required across local boundaries. They’ll be exposed to all the challenges and threats seen by their client municipalities, making them more informed and aware than even the largest private firms.
Jack Danahy – VP, Strategy & Innovation

Prediction 3: Staying on top

Justin: No matter the threat, SLED leaders are talking about the need to better understand the identity and characteristics of the assets they’re being called on to protect. I predict we’re going to see renewed interest and investment in asset identification and asset inventory programs within the SLED community.

Many organizations are rethinking their endpoint strategies as that market continues to evolve and commoditize. From newer vendors like CrowdStrike or SentinelOne to long-time players like Symantec or McAfee, to Microsoft, they’re questioning the marginal benefits of one versus the other. They’re most concerned with systems not currently on their radar, systems that are operating outside the scope of their management systems, and frustrated with the absence of a consistent representation of their environments.

We’re seeing new investment by technology vendors in an increasing number of centralization platforms, like Microsoft Sentinel, CrowdStrike Falcon LogScale (formerly Humio), or Palo Alto Cortex. This is responsive to market demand, including from the SLED community, for increased leverage of their security resources and funding. For these technologies to deliver their full measure of value, they need visibility into all relevant assets, and the current absence of authoritative asset inventory decreases the confidence organizations have in the decisions they make.
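As an added illustration of the inventory gap described above (not part of the report or any vendor's product), the following Python reconciles three constructed asset sources, a CMDB export, an EDR agent list and a network scan, and reports the systems operating outside one or more management systems; every hostname and address is made up.

```python
from dataclasses import dataclass, field

# Constructed sample exports (hypothetical hostnames and addresses).
CMDB = {"dmv-web-01", "dmv-db-01", "clerk-ws-12", "clerk-ws-13"}
EDR_AGENTS = {"dmv-web-01", "clerk-ws-12", "clerk-ws-13", "intern-laptop"}
NETWORK_SCAN = {  # hostname -> address observed on the wire
    "dmv-web-01": "10.1.0.10",
    "dmv-db-01": "10.1.0.11",
    "clerk-ws-12": "10.2.0.12",
    "intern-laptop": "10.2.0.57",
    "elect-tally-kiosk": "10.3.0.5",
}


@dataclass
class InventoryGaps:
    unmanaged: set = field(default_factory=set)  # seen live, no EDR agent
    unknown: set = field(default_factory=set)    # seen live, absent from CMDB
    shadow: set = field(default_factory=set)     # has an agent, absent from CMDB
    stale: set = field(default_factory=set)      # recorded somewhere, not seen live


def reconcile(cmdb, edr, scan):
    """Compare the three views; the network scan is the ground truth for 'live'."""
    live = set(scan)
    return InventoryGaps(
        unmanaged=live - edr,
        unknown=live - cmdb,
        shadow=edr - cmdb,
        stale=(cmdb | edr) - live,
    )


def coverage(cmdb, edr, scan):
    """Share of live systems each management system actually knows about."""
    live = set(scan)
    return {"cmdb": len(live & cmdb) / len(live), "edr": len(live & edr) / len(live)}


def triage(gaps):
    """Rank gaps: a live system that no tool has ever recorded is the worst case."""
    worst = gaps.unmanaged & gaps.unknown
    ranked = [(h, "no agent and no record") for h in sorted(worst)]
    ranked += [(h, "no agent") for h in sorted(gaps.unmanaged - worst)]
    ranked += [(h, "agent present but no CMDB record") for h in sorted(gaps.shadow)]
    ranked += [(h, "recorded but not seen live") for h in sorted(gaps.stale)]
    return ranked


if __name__ == "__main__":
    g = reconcile(CMDB, EDR_AGENTS, NETWORK_SCAN)
    for host, reason in triage(g):
        print(f"{host:20} {reason}")
    print(coverage(CMDB, EDR_AGENTS, NETWORK_SCAN))
```

Run against real exports, the same three set operations give a repeatable count of systems outside the scope of each tool, which is the figure a centralization platform needs before its decisions can be trusted.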

Download the full report to learn more about how the SLED community is ahead of the curve in recognizing the need for this single source of truth.

Prediction 4: Election-driven urgency

Jack: Almost all our state and local contacts were heavily focused on election security in 2022. I predict that election security in the two-year run-up between the midterms and the 2024 presidential election will create new support and requirements for improving the cybersecurity of public services and the demonstrable integrity of anything related to election operations or tallies. Where historically there has been trust that votes will be counted correctly and the associated technology will be well-vetted, there’s now increasing scrutiny and distrust. I see SLED leaders taking the initiative to improve visibility and clarity around the security of their operations prior to any controversy starting, thus eliminating the basis for as many questions and challenges as possible.

Download the full report for insight into the mindset required for comparing election security to most other types of security efforts.

As we move to 2024, I predict that the broad lack of public understanding and unabashed technical fearmongering will create an environment where the integrity of the individual vote needs to be demonstrated to be inviolate. In our current political climate, vote count integrity is considered corrupt unless proven otherwise. We only need to look at the past presidential elections of 2016 and 2020 to see callous campaigns from both parties that were meant to sow distrust and invalidation of the results. By relating this back to our cybersecurity predictions, we can expect that demonstrating integrity, in both operations and results, will be a new element in the SLED cybersecurity equation.

Prediction 5: States will lead private industry to new models of security

Justin: I see state government becoming a role model for their private sector counterparts. People have talked about public sector organizations as potential incubators and theoretical testbeds, and I think for the reasons above, we’ll see a new pattern emerge in cyber, in which states are pacesetters for the industry.

States are faced with challenges at a tempo and scale beyond any single organization, and the solutions they develop and deliver will prove that these things can be done with broad-based collaboration. They’ll be solving problems that their private sector counterparts can’t or haven’t thought about.
Justin Fimlaid – Founder & CEO

In the SLED market, funding justification and use are very different than in the private sector. When a state receives dollars for a technology investment, it needs to consider the role of central IT and the impact on all the other agencies that are supported. Sometimes they have legislative mandates to set the standard for agencies and municipalities. This allows them to deploy a uniform security strategy that private sector teams can’t because individual departments in the private sector commonly advocate for – and against – security practices based on their own priorities.

Download the full report to learn how SLED is finding success by leaning into collaboration over bureaucracy.

About our sponsors

Thank you to all of our sponsors. These sponsors didn’t approach us; their participation is a result of specific and frequent mention by the SLED leaders who are helping us to understand their challenges. You won’t find product recommendations or use cases. Instead, these vendors gave us access to their experts to better inform the CPR with data and trends we might not see otherwise.

Primary sponsor

NuHarbor Security is a leading national cybersecurity services firm, supporting the diverse needs of hundreds of clients with clear, comprehensive, and outcome-based solutions. We support only best-of-breed security technologies with thoroughly trained and vetted analysts. We make cybersecurity easier for our clients by integrating the most comprehensive set of security services in the market, from compliance and offensive testing to award-winning 24×7 managed security operations. What’s more, NuHarbor advisors analyze information from multiple sources to deliver the most well-informed strategies for building, improving, and maintaining your cybersecurity program.

NuHarbor makes it easy to secure what matters most to you. Learn more at nuharborsecurity.com.

Contributing sponsors

Splunk Inc. (NASDAQ: SPLK) turns data into doing with the Data-to-Everything Platform. Splunk technology is designed to investigate, monitor, analyze, and act on data at any scale. Learn more at splunk.com/publicsector.

Veracode delivers the application security solutions and services today’s software-driven world requires. Veracode’s unified platform assesses and improves application security from inception through production so agencies can confidently innovate with the web and mobile applications they build, buy, and assemble, including the components they integrate into their environments. Learn more at veracode.com.

Zscaler (NASDAQ: ZS) accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SSE-based Zero Trust Exchange is the world’s largest in-line cloud security platform. Learn more at zscaler.com or follow us on Twitter @zscaler.
