True Crime: Network Security Saves San Francisco Millions

San Francisco is the 13th most populous city in the country, home to more than 850,000 residents. The city’s District Attorney’s office has a staff of more than 300 and oversees many aspects of the legal process, from charging to victim’s services and special operations.

From an information technology standpoint, the amount of data that flows through the DA’s office on a daily basis is simply jaw-dropping. And every single piece of it requires protection, lest entire cases against accused criminals be dismissed based on reasonable doubt.

“If I was a criminal, my first thought would be, ‘how do I compromise the DA’s evidence?’” said Herman Brown, Chief Information Officer for the District Attorney’s Office. “The justice system is based on reasonable doubt. If an attorney makes the case that the DA’s office had a data breach, and evidence could be leaked or a client’s discovery was tampered with, everything is then in question, and the case potentially lost.”

The scope of data in Brown’s charge is deep and wide, from medical records subject to HIPAA compliance, to juvenile information and inmate records, not to mention ongoing cases and a cache of documented evidence supporting each case.

The IT team is a fairly young piece of the puzzle in the DA’s office, about 10 years in the making, and Brown is its third CIO. He signed on back in August of 2016, but has been with the county of San Francisco in some capacity since 2012, and sees a lot of potential for the future of the office’s technology posture.

So how can Brown and his team assure the city that the DA’s information is safe?

“Our first priority is to protect that data,” he said. “Our internal staff has appropriate access to data, and we have a certain number of blacklisted sites and applications for security purposes.”

But what happens when an employee decides to move internal information outward?

Luckily for Brown, about five months ago, the office deployed a solution that monitors network activity and produces reports on it. The appliance, as Brown called it, sits on the network and monitors any device, including WiFi access points and anything that connects to them. It offers visibility into traffic patterns and what normally takes place on the network.

From there, if an abnormality is spotted, Brown and his team are alerted from the appliance’s dashboard. For instance, if an employee accesses one of the aforementioned blacklisted sites, a notification is sent to the dashboard and the IT department is alerted via email.

“We’re not trying to be the police,” Brown said. “But we need to abide by legislative and regulatory compliance, too.”

The deployed solution was worth its weight in gold when Brown learned of an incident that could have led to citywide ramifications and a truly immeasurable cost.

The dashboard notified the IT department of a spike in activity, and an investigation by Brown and his team uncovered anomalies on the network. Over the course of one weekend, they discovered an unusual traffic pattern: dozens of emails being sent with attached documents.

The data ranged in level of sensitivity, from internal information to open and closed cases. When asked what kind of financial impact release of those records could have had on the city, Brown said just one individual document could lead to a loss of millions. Without the network monitoring system, Brown and his team would not have known about the information exchange until it was too late.

The DA’s office will become increasingly mobile in the next year, Brown said, and security will remain its number one priority as the department continues to expand and its workforce evolves. Employees are being issued laptops and smartphones - which will be containerized - to further the office’s mobile transformation. As Brown learned firsthand, the cost of implementing a security or monitoring solution pales in comparison to what a breach, leak, or hack could cost.