Agencies Make Sense of Threat Alerts With Security Systems

Agencies employ security information and event management systems to make sense of security alerts.


September 2010 E-newsletter


As cyberthreats proliferate and become more dangerous, IT professionals need all the help they can get to protect their organizations. Enter security information and event management (SIEM), an essential tool for analyzing and prioritizing the plethora of event information and security logs that networks generate.

Available from makers such as Check Point, Cisco, Juniper, Novell, RSA and Symantec, SIEM systems help IT react to security incidents quickly, says Jerry Shenk, senior analyst with the SANS Institute. A SIEM collects and correlates events that occur across the network -- a user logging on, a database being queried, a router being unplugged -- and then prioritizes them according to rules the organization defines in advance. That is how it sifts through millions of log records and surfaces only the critical incidents that require immediate attention. Its reporting capabilities also aid investigations and support regulatory compliance by preserving a record of events.

The state of Michigan operates a network with 55,000 users and hundreds of locations, making it impossible for IT staffers to track all of the events that happen throughout the environment. The state has been using Symantec Security Information Manager for three years to correlate security information, relieving staffers from having to read endless logs in search of significant events.

"With so many endpoints, it was critical to identify events in a way that wasn't completely dependent on individuals," says Trent Carpenter, Michigan's chief information security officer. "[SIEM] gives us an automated way of identifying and prioritizing issues for response."


Percentage of respondents at midsize organizations who said detecting and preventing unauthorized access and insider abuse was the top reason to use log management, which is a subset of SIEM.

Source: SANS Institute, June 2010

Keeping Pace with Threats

Indeed, the need for SIEM in state and local government is evident, says Shenk. "Even very small organizations can generate millions of events a day, and you simply can't read all of those logs," he says. "People need something to help them process all of that information."

Once an agency tunes its SIEM product to its environment and security priorities, IT staff can spend less time scanning logs and chasing down alerts, because the product consolidates that information in the order of importance that IT has defined. Shenk says this makes IT staff more productive: they can rely on the SIEM to tell them which events are routine and can be reviewed later -- if at all -- and which are security incidents that require immediate attention.

In Michigan, although SIEM hasn't allowed the security department to reduce staff, the technology helps it keep pace with the growing number of cyberthreats.

"We haven't eliminated staff because of it, but we have been able to keep up with the increase in threats without adding staff," Carpenter says. "We do have areas where we need staff, but from the event management standpoint, the Symantec product has made it that we need less."

An Extra Pair of Eyes

Fairfax County, Va., chose Juniper Security Threat Response Manager (STRM) to be the IT department's eyes on network events, freeing up security analysts to perform more strategic tasks, says Michael Dent, chief information security officer for the county. "With millions of system log entries, IDS events and traffic flows recorded each day, manual attempts to monitor and correlate information into actionable information can be a futile exercise," Dent says. "STRM has the horsepower to automate the identification of security events, so our analysts can focus on their most critical mission, stopping cyber attacks in their tracks."

SIEM Strategies

Here are some tips for getting the most from security information and event management technology:

  • Conduct pre-deployment planning to understand the type and number of sources from which the product will pull information, as well as the anticipated event rate. This will help align expectations.
  • Let your agency's needs -- not the capabilities of the product -- drive deployment.
  • Once installed, allow for time to train the SIEM tool so that it can learn what events and information you deem critical versus routine. A 12- to 18-month ramp-up period is typical.
  • Teach the product to prioritize events in a way that echoes IT's priorities.
  • Conduct occasional fine-tuning to keep up with ever-changing IT environments.
  • Update the SIEM system whenever new hardware or software is added to the network.
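The correlation-then-prioritization step described earlier, and the tuning advice in the list above (priorities that echo IT's own, thresholds revisited as the environment changes), can be made concrete with a small engine. The following is an added example written for this page; it is not code from Symantec Security Information Manager, Juniper STRM or any other product named here. The log formats, hostnames, addresses, rule names, thresholds and the "payroll" table are all constructed for the illustration.

```python
"""Minimal SIEM-style correlation engine.

Added example for this article, not code from Symantec, Juniper or any
product the article mentions. It normalizes raw log lines from several
sources, applies correlation rules in time order, and ranks the hits by an
operator-defined priority. Every log format, host, address and threshold
below is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: a VPN gateway's sshd, a database server and a
# core router. The admin login at 02:14:20 follows four failures from the
# same address; the payroll query a minute later uses that same account.
RAW_LOGS = """\
2010-08-10T02:14:01 vpn01 sshd: Failed password for admin from 203.0.113.7
2010-08-10T02:14:05 vpn01 sshd: Failed password for admin from 203.0.113.7
2010-08-10T02:14:09 vpn01 sshd: Failed password for admin from 203.0.113.7
2010-08-10T02:14:12 vpn01 sshd: Failed password for admin from 203.0.113.7
2010-08-10T02:14:20 vpn01 sshd: Accepted password for admin from 203.0.113.7
2010-08-10T02:15:30 db01 postgres: user=admin query="SELECT * FROM payroll"
2010-08-10T03:00:00 rtr-core ifd: interface ge-0/0/1 link down
2010-08-10T09:05:00 vpn01 sshd: Failed password for jsmith from 198.51.100.4
2010-08-10T09:05:40 vpn01 sshd: Accepted password for jsmith from 198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
AUTH_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")
QUERY_RE = re.compile(r'user=(\S+) query="(.*)"')

# Tuning knobs: these encode the agency's priorities, not a vendor default.
# Lower number = more urgent. Revisit them as the environment changes.
PRIORITY = {"brute_force_then_success": 1,
            "sensitive_query_after_suspect_login": 1,
            "router_link_down": 3}
FAIL_THRESHOLD = 3            # failures inside WINDOW before a success is suspect
WINDOW = timedelta(minutes=5)
SENSITIVE_TABLES = {"payroll"}  # hypothetical list of tables IT cares about


def parse(raw):
    """Normalize every parseable line into one common event schema."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # unparsed lines would be counted and reviewed later
        ts, host, prog, msg = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "host": host, "prog": prog,
              "msg": msg, "type": "other", "user": None, "src": None}
        if prog == "sshd" and (a := AUTH_RE.match(msg)):
            ev["type"] = "auth_fail" if a.group(1) == "Failed" else "auth_ok"
            ev["user"], ev["src"] = a.group(2), a.group(3)
        elif prog == "postgres" and (q := QUERY_RE.match(msg)):
            ev["type"], ev["user"], ev["query"] = "db_query", q.group(1), q.group(2)
        elif "link down" in msg:
            ev["type"] = "link_down"
        events.append(ev)
    return events


def correlate(events):
    """Apply the rules in time order; return alerts sorted by priority, then time."""
    alerts = []
    fails = defaultdict(list)   # (user, src) -> failure timestamps inside WINDOW
    suspect = {}                # user -> time of the suspicious successful login

    def alert(rule, ev, detail):
        alerts.append({"rule": rule, "priority": PRIORITY[rule],
                       "ts": ev["ts"], "host": ev["host"], "detail": detail})

    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["type"] == "auth_fail":
            # keep only failures still inside the sliding window
            fails[key] = [t for t in fails[key] if ev["ts"] - t <= WINDOW] + [ev["ts"]]
        elif ev["type"] == "auth_ok":
            recent = [t for t in fails.pop(key, []) if ev["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                suspect[ev["user"]] = ev["ts"]
                alert("brute_force_then_success", ev,
                      f"{ev['user']} from {ev['src']} after {len(recent)} failures")
        elif ev["type"] == "db_query":
            tables = {t.lower() for t in re.findall(r"\bFROM\s+(\w+)", ev["query"], re.I)}
            since = suspect.get(ev["user"])
            hit = tables & SENSITIVE_TABLES
            if hit and since is not None and ev["ts"] - since <= WINDOW:
                alert("sensitive_query_after_suspect_login", ev,
                      f"{ev['user']} read {', '.join(sorted(hit))}")
        elif ev["type"] == "link_down":
            alert("router_link_down", ev, ev["msg"])
    return sorted(alerts, key=lambda a: (a["priority"], a["ts"]))


def run(raw=RAW_LOGS):
    """Parse and correlate one batch of raw log text."""
    return correlate(parse(raw))


if __name__ == "__main__":
    for a in run():
        print(f"P{a['priority']} {a['ts']:%H:%M:%S} {a['host']:8} {a['rule']}: {a['detail']}")
```

Run on the constructed input, the nine lines collapse to three alerts: the admin login after four failures and the payroll query that follows it both come out at priority 1, the router link-down at priority 3, and jsmith's single failed attempt before a success never surfaces at all. The point of the example is that the ranking comes from `PRIORITY`, `FAIL_THRESHOLD` and `SENSITIVE_TABLES`, which are the operator's choices; changing them is the "fine-tuning" the list above calls for.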
Aug 10 2010