Rich Meraz, Deputy CISO at Los Angeles Unified School District, describes how the district is hardening its cybersecurity posture.

Apr 10 2024

CoSN2024: Los Angeles Tech Leaders Reveal How They Turned the Table on Hackers

The nation’s second-largest K–12 district mounts a counteroffensive security strategy.

After making headline news for falling victim to a ransomware attack on Labor Day in 2022, Los Angeles Unified School District technology leaders are speaking out. Because LAUSD is the second-largest school district in the country, with more than 600,000 students, the attack was a wake-up call for all of K–12. The incident made it very clear that when it comes to cyber targets, size isn’t the issue.

“The bottom line is that, at the end of the day, it doesn't matter if you're a big school district or a small school district, that parent of that student whose information was leaked cares as much as any other parent,” said Rich Meraz, LAUSD deputy CISO.

Meraz and Deputy CIO Eddard Romero joined representatives from Palo Alto Networks at the CoSN2024 annual conference in Miami to share lessons from the attack and describe their path forward.

How LAUSD IT Quickly Recovered After the Ransomware Attack

Once IT discovered that the breach — which allowed bad actors to move laterally across the network — came from the district’s facilities IT department, the main IT services team moved quickly to notify a response team, shut down the network to prevent further data exfiltration, engage executive leaders and federal law enforcement, and activate their continuity plans.

They also had to ensure that students were identified, fed and transported.

The team had less than three days to get the system back up so students could return to school after the holiday.

LAUSD's IT team went on to reset 700,000 passwords and roll out multifactor authentication. Team members also analyzed and patched critical applications before rolling them back into production, added an endpoint detection and response (EDR) solution and implemented a 24/7 security operations center to identify and respond to threats.

Then the district did something that was rather startling.

“We refused to pay the ransom,” Romero said. In addition to not wanting to negotiate with criminals, he explained that the threat actors had not encrypted their data and “we had a good path forward. We knew that we could recover, and we knew that we had good backups.”

He also believes that not paying the ransom, along with transparent communication from Superintendent Alberto Carvalho and CIO Soheil Katal, was an important part of helping to build back trust with the school community.


Accelerate Cybersecurity with Zero Trust and Other Efforts

For LAUSD, boosting cybersecurity across the district is an ongoing process. Knowing that their district did not have a well-defined risk management framework, they adopted the National Institute of Standards and Technology Cybersecurity Framework. As a result, they are in the process of adopting a zero-trust framework that includes continuous network monitoring, least-privilege access and microsegmentation.

The district also adopted Palo Alto Networks’ security information and event management and security orchestration, automation and response (SIEM and SOAR) platform to help monitor logs. However, with the platform ingesting billions of logs over a short period of time, it’s impossible for the IT team to analyze and take action on all of the data. This is where the district is looking to leverage automation instead of human personnel, Meraz said.
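As an added illustration (not LAUSD's or Palo Alto Networks' code), the Python below shows the kind of automated first pass a SOAR playbook performs on a log stream: it parses constructed authentication events, applies a sliding-window rule for repeated failures from one source, suppresses an assumed scanner allowlist, and escalates severity when a failure burst is followed by a success. The log format, thresholds, allowlist and recommended actions are all assumptions made for this example.

```python
"""Added example (not LAUSD's or Palo Alto Networks' code): a minimal
SOAR-style triage pass that reduces raw log events to a short list of
actionable alerts. Log format, thresholds and allowlist are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: syslog-like authentication events (not real data).
SAMPLE_LOGS = """\
2024-04-10T08:00:01 auth src=10.0.5.23 user=jdoe result=FAIL
2024-04-10T08:00:02 auth src=10.0.5.23 user=jdoe result=FAIL
2024-04-10T08:00:03 auth src=10.0.5.23 user=jdoe result=FAIL
2024-04-10T08:00:04 auth src=10.0.5.23 user=jdoe result=FAIL
2024-04-10T08:00:05 auth src=10.0.5.23 user=jdoe result=FAIL
2024-04-10T08:00:06 auth src=10.0.5.23 user=jdoe result=SUCCESS
2024-04-10T08:01:00 auth src=10.0.7.9 user=msmith result=FAIL
2024-04-10T08:01:30 auth src=10.0.7.9 user=msmith result=SUCCESS
2024-04-10T08:02:00 auth src=192.0.2.44 user=admin result=FAIL
2024-04-10T08:02:01 auth src=192.0.2.44 user=admin result=FAIL
2024-04-10T08:02:02 auth src=192.0.2.44 user=admin result=FAIL
2024-04-10T08:02:03 auth src=192.0.2.44 user=admin result=FAIL
2024-04-10T08:02:04 auth src=192.0.2.44 user=admin result=FAIL
2024-04-10T08:02:05 auth src=192.0.2.44 user=admin result=FAIL
"""

# Assumed tuning knobs for the playbook.
FAIL_THRESHOLD = 5                 # failures within WINDOW raise an alert
WINDOW = timedelta(minutes=1)
KNOWN_SCANNER_IPS = {"10.0.9.1"}   # assumed allowlist of internal scanners


def parse_event(line):
    """Parse one 'key=value' auth line into a dict; return None if malformed."""
    try:
        ts, kind, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts), "kind": kind}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        return event
    except ValueError:
        return None


def triage(log_text):
    """Sliding-window rule: FAIL_THRESHOLD failures from one source inside
    WINDOW. Severity is 'high' when a success follows the burst (possible
    credential compromise rather than mere noise), else 'medium'."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev.get("kind") == "auth":
            per_src[ev["src"]].append(ev)

    alerts = []
    for src, events in per_src.items():
        if src in KNOWN_SCANNER_IPS:
            continue  # enrichment step: suppress allowlisted sources
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAIL"]
        for i in range(len(fails) - FAIL_THRESHOLD + 1):
            burst = fails[i:i + FAIL_THRESHOLD]
            if burst[-1]["ts"] - burst[0]["ts"] <= WINDOW:
                later_success = any(
                    e["result"] == "SUCCESS" and e["ts"] > burst[-1]["ts"]
                    for e in events
                )
                alerts.append({
                    "src": src,
                    "users": sorted({e["user"] for e in burst}),
                    "severity": "high" if later_success else "medium",
                    "action": ("disable account and page SOC" if later_success
                               else "block source and open ticket"),
                })
                break  # one alert per source is enough for an analyst queue
    # High-severity alerts first so the analyst sees them before the noise.
    return sorted(alerts, key=lambda a: a["severity"] != "high")


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample, fourteen events collapse to two alerts, and the one where a success followed the failure burst is ranked first. The same shape (parse, correlate, enrich, prioritize) is what lets a small team act on a volume of logs it could never read by hand.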

Finally, the district had a maturity assessment using the NIST framework, which revealed that it had no security baselines. The assessment reiterated the importance of having an out-of-band communication tool in the event of another incident.


Incident Response Plans Need Practice, Practice, Practice

While LAUSD had a skilled staff that quickly executed its incident response plan, Meraz and Romero noted that the team came to some key realizations after the attack.

Among them: Incident response plans can get dusty from lack of practice or use, Meraz said.

“Sometimes if you look at them, people who are playing key roles may have left the [district],” he said. “So now, to get that muscle memory and team building, every other Friday we do incident response and bring in other groups to help people get into the mindset of the role they play.”

For those looking to improve their incident response plans, Romero recommended identifying “incident commanders” who know the environment very well and can cut down on response time, close off access and slowly recover the environment.

Because time is of the essence, Romero said, having an incident response partner on retainer would have also been great, as they can do more than just provide support during incidents — they can also work proactively to take action before an incident escalates, he said.
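The two ways Meraz describes a plan going dusty, role holders who have left and drills that have lapsed, are both checkable. The Python below is an added example (not LAUSD's code) that audits a constructed incident response roster against a constructed list of active staff, flags roles with no backup or with a departed holder, notes anyone covering more than one role, and reports how far overdue the next exercise is against an assumed two-week cadence. The plan structure, usernames and cadence are assumptions.

```python
"""Added example (not LAUSD's code): a health check for an incident
response plan's roster and drill cadence. Plan layout, staff directory
and cadence are constructed assumptions for this illustration."""
from collections import Counter
from datetime import date, timedelta

# Constructed IR plan excerpt: role -> (primary, backup). Not real data.
IR_PLAN = {
    "incident_commander": ("j.rivera", "m.chen"),
    "network_isolation": ("p.okafor", None),
    "law_enforcement_liaison": ("s.ali", "m.chen"),
    "executive_briefing": ("d.novak", "s.ali"),
}

# Constructed directory of currently active accounts (s.ali has left).
ACTIVE_STAFF = {"j.rivera", "m.chen", "p.okafor", "d.novak"}

EXERCISE_CADENCE = timedelta(days=14)  # assumed "every other Friday" drill


def check_plan(plan, active_staff, last_exercise_iso, today_iso):
    """Return a list of (area, finding) tuples; empty means the plan is current."""
    findings = []
    load = Counter()  # how many roles each active person holds
    for role, (primary, backup) in plan.items():
        for slot, person in (("primary", primary), ("backup", backup)):
            if person is None:
                findings.append((role, f"no {slot} assigned"))
            elif person not in active_staff:
                findings.append((role, f"{slot} {person} is no longer active"))
            else:
                load[person] += 1
    # One person holding several roles is a single point of failure on the day.
    for person, n in sorted(load.items()):
        if n > 1:
            findings.append(("staffing", f"{person} covers {n} roles"))
    overdue = (date.fromisoformat(today_iso) - date.fromisoformat(last_exercise_iso)) - EXERCISE_CADENCE
    if overdue > timedelta(0):
        findings.append(("exercise", f"last drill {overdue.days} days overdue"))
    return findings


if __name__ == "__main__":
    for area, finding in check_plan(IR_PLAN, ACTIVE_STAFF, "2024-03-01", "2024-04-10"):
        print(f"{area}: {finding}")
```

Run against an HR export on the same schedule as the drills and the roster never silently decays; an empty result is the goal, and anything else is a concrete item for the next Friday session.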


Schools Must Eliminate Shadow IT by Tracking All Technical Assets

“If you have shadow IT, you have technical assets that you are not aware of, and if you can’t identify a technical asset, you can’t protect it,” Meraz said.

District leaders are now working to eliminate shadow IT and bring those assets under the district’s main IT division. Romero further explained that not having awareness of what tech other departments had running, or a baseline for their cybersecurity efforts, gave threat actors a way in.
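Meraz's point that an asset you cannot identify is one you cannot protect turns, in practice, into reconciling what the network actually sees against what central IT has on record. The Python below is an added example (not LAUSD's code) that compares a constructed inventory export with constructed DHCP lease log lines and sorts the result into unknown hosts (shadow IT candidates), hosts that are on record but not centrally managed, and inventory entries never observed. The CSV columns, log line shape and management flag are assumptions.

```python
"""Added example (not LAUSD's code): reconcile an authoritative asset
inventory against hosts observed in DHCP lease logs to surface devices the
central IT division does not know about. Formats are assumptions."""
import csv
import io
import re

# Constructed inventory export (CMDB-style CSV), not real district data.
INVENTORY_CSV = """\
hostname,mac,owner_dept,managed
lib-ws-001,aa:bb:cc:00:00:01,Libraries,yes
fac-hvac-ctl1,aa:bb:cc:00:00:02,Facilities,no
hq-srv-sis01,aa:bb:cc:00:00:03,Central IT,yes
"""

# Constructed DHCP lease lines (simplified dhcpd style), not real logs.
DHCP_LOG = """\
DHCPACK on 10.20.1.14 to aa:bb:cc:00:00:01 (lib-ws-001) via eth0
DHCPACK on 10.20.3.77 to aa:bb:cc:00:00:02 (fac-hvac-ctl1) via eth0
DHCPACK on 10.20.3.78 to de:ad:be:ef:00:01 (fac-camera-nvr) via eth0
DHCPACK on 10.20.9.5 to de:ad:be:ef:00:02 via eth0
DHCPACK on 10.20.1.14 to aa:bb:cc:00:00:01 (lib-ws-001) via eth0
"""

# Hostname in parentheses is optional: some devices never send one.
LEASE_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})(?: \((\S+)\))?")


def load_inventory(csv_text):
    """Map MAC address -> inventory row, normalizing case for matching."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(csv_text))}


def observed_hosts(log_text):
    """Map MAC -> last seen IP/hostname from lease acknowledgements."""
    seen = {}
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            ip, mac, name = m.groups()
            seen[mac.lower()] = {"ip": ip, "hostname": name or "(no hostname)"}
    return seen


def reconcile(csv_text, log_text):
    """Split observed and recorded hosts into the three buckets that matter:
    unknown (shadow IT candidates), unmanaged (known but outside central IT's
    baseline) and missing (on record but not seen; stale or powered off)."""
    inv = load_inventory(csv_text)
    seen = observed_hosts(log_text)
    report = {"unknown": [], "unmanaged": [], "missing": []}
    for mac, host in seen.items():
        if mac not in inv:
            report["unknown"].append({**host, "mac": mac})
        elif inv[mac]["managed"].strip().lower() != "yes":
            report["unmanaged"].append({**host, "mac": mac, "owner_dept": inv[mac]["owner_dept"]})
    for mac, row in inv.items():
        if mac not in seen:
            report["missing"].append({"hostname": row["hostname"], "mac": mac})
    return report


if __name__ == "__main__":
    for bucket, hosts in reconcile(INVENTORY_CSV, DHCP_LOG).items():
        print(bucket, hosts)
```

The unknown bucket is the shadow IT list; the unmanaged bucket is the facilities-style case the district describes, a device that someone owns but that sits outside central IT's security baseline. Feeding the same reconciliation with EDR agent check-ins or switch MAC tables instead of DHCP leases gives the same three buckets from a different vantage point.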

Schools Must Leverage AI for a Mature Cybersecurity Program

“At the end of the day, we are never going to have enough people,” Meraz admitted. “And if you think of the threat actors, AI is in their hands as well.”

He noted that artificial intelligence and automation could become a critical force multiplier. From his perspective, AI could be a particularly valuable part of the SOAR playbook.


Photography by Taashi Rowe
