somchaij - Fotolia

City of Las Vegas masters cyber incident response with Darktrace

The high-rolling city of Las Vegas experiences unique cyber security challenges rarely seen elsewhere. CIO Mike Sherwood reveals how he turned to Darktrace to help address incidents quicker and with confidence

At the start of September 2023, the US city of Las Vegas, Nevada hit the cyber security headlines, when two of its most prominent casino operators, MGM Resorts and Caesar’s Entertainment, were held up in a cyber heist reminiscent of the movie Ocean’s Eleven.

Full details of the twin attacks – likely the work of the same threat actor – are still emerging, but it’s easy to see why the victims were hit; casinos and tourism are big business, pumping millions of dollars and people through the city’s economy every year.

Casinos and Las Vegas are intrinsically linked. The mere mention of the city conjures up thoughts of neon lights stretching across the desert, tourists thronging the Strip with its towering and outlandish buildings, cabaret, concerts and magic shows, lavish dining courtesy of the world’s top chefs, bountiful shopping opportunities, and the noise and clamour of the gaming floors.

Then there’s its history, harking back to the glamour of Frank Sinatra and the Rat Pack, and the enduring mystery and romance of the Mafia.

Of course, the Italian-American organised crime syndicates are long gone, but organised cyber crime is never far away, and Las Vegas chief information officer (CIO) Mike Sherwood, who moved to Nevada in the 2010s having previously worked for the city of Irvine in California, is keenly aware of it, often working closely with the city’s biggest employers on such issues.

Nevada is a great state full of great industry leaders,” says Sherwood, who sat down with Computer Weekly a week or so prior to the MGM Resorts attack. “There is a lot of collaboration and a lot of discussion. Without giving away too many secret details, there are a lot of interactions between CISOs [chief information security officers] and CIOs, all with the vision of not only securing our individual organisations, but really securing our data and our economy.

“People come to Las Vegas for fun and entertainment, and our job is to make sure they don’t have to worry about anything except having fun and having a good time while they’re here.”

Risk exposure

Additionally, the city status as a global entertainment hotspot brings it global brand recognition, and that means its cyber risk levels are substantially elevated, as we have now seen.

“Cities are cities all around the world, but certain cities have more exposure to risk just based on the name,” says Sherwood. “Las Vegas is hosting the Super Bowl. We have Formula One just a few weeks away. Some of the largest conventions worldwide are held here – CES, to name one, brings hundreds of thousands of people.

“So we have a brand and a reputation that we want to uphold,” he says. “Additionally, we have lots of opportunities and name recognition that bad actors would love to be able to take a stab at.”

But when it comes to the more mundane business of protecting a functioning city from cyber attacks, the issues faced by the city government of Las Vegas are no different from those faced by any other local government body in the US or UK, from Akron to Ashby-de-la-Zouch, Des Moines to Dudley, or Shreveport to Sunderland. Schools, rubbish collection, parks and sports facilities and social services are all just a few of the vital ingredients of any modern city’s existence, and they all need protection from cyber threats. Sherwood has all of this to contend with, too.

“Like any other organisation, maybe more for us, one of our priorities internally is securing our assets, doing that effectively, and using the best tools we possibly can,” he says.

Some years ago, back in California, Sherwood got wise to a then little-known artificial intelligence (AI) startup called Darktrace, whose technology he acquired for Irvine. He was quickly impressed.

“I really found it to be quite outstanding, and when I transitioned to Vegas, Darktrace was one of the first products we implemented for the fact of its capabilities – the ability to analyse large amounts of data throughout networks, being able to look for challenges and providing a force multiplier with a first-strike methodology to be able to stop threats, or derail threats, allowing us to continue to operate,” he says.

Closing the loop

With a strong partner relationship already in place, when Darktrace launched its new Heal service earlier in 2023, Sherwood was keen to explore the possibilities.

He had already adopted several Darktrace services, including its Detect product, which gives instantaneous visibility of cyber attacks on the network; its Respond product, which provides targeted AI-powered containment of threats; and in 2022, its Prevent product, which proactively identifies weaknesses in the attack surfaces and hardens defences around critical assets and attack paths.

So AI was already doing a lot of heavy lifting for the city, but Sherwood knew he also needed a security stack that could not only save its human cyber security team hours in threat investigation and response, but spot the subtle signs of emerging cyber incidents before they became problems.

Heal, which combined with Detect, Respond and Prevent completes Darktrace’s so-called Cyber AI Loop, is designed to help to just that, adding the recovery, or healing, process to the mix. Darktrace says Heal enables cyber teams to address more emerging, potentially critical incidents earlier and with more confidence, and focus on critical tasks while letting the AI do the grunt work in a “continuous, reinforcing loop” of cyber improvement.

Read more about Darktrace

  • The chief product officer of AI security firm Darktrace explains how large language AI models are making it harder for people to spot email attacks.
  • We speak to Jack Stockdale, CTO of Darktrace, about Cambridge’s strong data analytics and artificial intelligence links and the role of AI in cyber security.

At its core, Heal is an AI-enabled product that helps users prepare for, remediate and recover from cyber attacks, using its abilities to create and simulate realistic attacks with bespoke, AI-generated playbooks that replace static, unadaptable tabletop exercises and incident plans.

This enables Sherwood and his team to benefit from bespoke incident response plans when real-world cyber attacks unfold, and automate actions needed to respond to and recover from them.

AI wargames

“The entire Darktrace ecosystem was a great implementation for us,” says Sherwood. “Specifically Heal, to not only continue with the loop, but it was a way to address certain key areas within our operation that we felt needed strengthening.

“We do a lot of third-party audits and other types of exercises, and Heal gives us the capability to allow our teams more in-depth practice ... Security professionals don’t get enough practice,” he says. “They implement tools, they acquire tools, but the real skill of having a tool – anybody can get a shovel and dig a hole – is the more you know the tool, the more you know your craft and your capabilities and limitations, the better you can become.

“[So] a big part of the Heal component is being able to run scenarios and in fact practice what those impacts would be, and how we are going to mitigate those impacts,” he says.

“[This is about] not only understanding our network and some of the vulnerabilities, but what kind of playbook will we have when something occurs, what does that look like from an exposure perspective, and what does that look like from a staffing perspective, and how we can train and help our staff heal our network and get us back on track,” says Sherwood.

“Heal allows us to look at how the incident comes in, who sees it first, how it is responded to, what kind of communications are they providing to other units within the organisation, and how are those being addressed?” he explains. “It give us a 360-degree view of what’s happening internally with our operations.

“As an executive, I’m very concerned about things like when did we notice it? How long did it sit there before someone acted on it? Did they put in the right tickets? How did this flow go? Was it as discussed and how our policies and procedures outlined, or did someone panic during the process? And now we need to go back through and retrain.

“It’s all about training, education and communication, and the more you can practice that in a safe scenario, the better off you will be when something occurs in the real world,” says Sherwood.

Read more about the Las Vegas cyber heist

Sherwood is making good use of these wargame scenarios, and has already tested Heal’s mettle on multiple occasions – although he can’t share in-depth details of his planning regime lest he start giving threat actors something new to chew on.

“We [often] put scenarios out there for staff to react to even though they know these are test scenarios that we clearly mark and define. But it doesn’t matter. If you’re at practice, you know the coach is watching you, and that puts a little pressure on you.”

Nor – obviously – can he outline any real-world cyber attacks on which his team has brought Heal to bear. “I will tell you,” he says, “that we use the tools on an ongoing, regular basis, and those tools are actively defending and protecting the city of Las Vegas. That’s as close as I can get!”

Lines of communication

Since enabling Heal across Las Vegas’s IT infrastructure, Sherwood has also seen various parts of the city’s IT teams communicating and working better together as well, from security operations, to audit and compliance, to infrastructure, and applications.

“All of them now are more openly communicating,” he says. “The integrations that we’re able to use with other products that we have in our portfolio [such as] ServiceNow and Microsoft Teams, provides a lot of flexibility and capability that we didn’t have during incidents.”

Previously, the city had relied on older communications methods – such as email – which in a severe cyber incident may not necessarily be available. For Sherwood, having communications capabilities that are both secure and self-contained enable the various teams to collaborate more effectively when dealing with the threat at hand.

“Again, it’s all about keeping the city operational,” he says. “What I love most of all is how great a team we have, that it is able to pick up a new tool, and with the right encouragement has really risen to the challenge. I think also the ability that some of the new capabilities within Heal bring, to communicate effectively, to be able to practice, [shows] just how valuable communication and practice are in lowering our response time, and really improving overall service delivery to all the customers we serve.

“As a long-term Darktrace customer it’s really … the whole AI loop or ecosystem that sets out our partnership with them; we look at them as a partner and part of our team,” says Sherwood. “It’s all the components working together that gives us what we believe is a competitive advantage not only in efficiency, but in securing the digital assets within our organisation, and Heal just takes it to that next level of capability.”

What’s next?

Looking to the future, Sherwood plans to continue to expand the city’s playbook to encompass more external intelligence.

As the 25th most populous city in the US and an important cog in its economy, there are clearly open lines of communication with law enforcement and state and federal agencies to surface potential threats that may be coming Las Vegas’s way, whatever they may be.

With Heal, Sherwood is now focusing on some of the specific threat intelligence that comes across his desk, and is able to start proactively working to get his team ready and confident to deal with whatever may come next.

And as recent weeks have demonstrated, what comes next can be a global news story.

Read more on Data breach incident management and recovery