Agencies Make Sense of Threat Alerts With Security Systems

As cyberthreats proliferate and become more dangerous, IT professionals need all the help they can get to protect their organizations. Enter security information and event management (SIEM), an essential tool for analyzing and prioritizing the plethora of event information and security logs that networks generate.

Available from makers such as  Check Point, Cisco, Juniper, Novell, RSA and Symantec, SIEM systems help IT react to security incidents quickly, says Jerry Shenk, senior analyst with the SANS Institute. By analyzing and correlating events that occur on a network -- from a user logging on to a database being queried to a router being unplugged -- then prioritizing these events according to preset definitions, SIEM sifts through millions of log records to efficiently report on the critical incidents that require immediate attention. Reporting capabilities also aid investigations and further regulatory compliance by providing a record of events.

The state of Michigan operates a network with 55,000 users and hundreds of locations, making it impossible for IT staffers to track all of the events that happen throughout the environment. The state has been using Symantec Security Information Manager for three years to correlate security information, relieving staffers from having to read endless logs in search of significant events.

"With so many endpoints, it was critical to identify events in a way that wasn't completely dependent on individuals," says Trent Carpenter, Michigan's chief information security officer. "[SIEM] gives us an automated way of identifying and prioritizing issues for response."

Keeping Pace with Threats

Indeed, the need for SIEM in state and local government is evident, says Shenk. "Even very small organizations can generate millions of events a day, and you simply can't read all of those logs," he says. "People need something to help them process all of that information."

Once an agency trains its SIEM product to understand its environment and security priorities, IT staff can spend less time scanning logs and chasing down alerts because SIEM products consolidate that information in order of importance as defined by IT.  Shenk says this makes IT staff more productive because they can rely on SIEM to tell them when an event is routine and can be reviewed later -- if at all -- versus a security incident that requires immediate attention.

In Michigan, although SIEM hasn't allowed the security department to reduce staff, the technology helps it keep pace with the growing number of cyberthreats.

"We haven't eliminated staff because of it, but we have been able to keep up with the increase in threats without adding staff," Carpenter says. "We do have areas where we need staff, but from the event management standpoint, the Symantec product has made it that we need less."

An Extra Pair of Eyes

Fairfax County, Va., chose Juniper Security Threat Response Manager (STRM) to be the IT department's eyes on network events, freeing up security analysts to perform more strategic tasks, says Michael Dent, chief information security officer for the county. "With millions of system log entries, IDS events and traffic flows recorded each day, manual attempts to monitor and correlate information into actionable information can be a futile exercise," Dent says. "STRM has the horsepower to automate the identification of security events, so our analysts can focus on their most critical mission, stopping cyber attacks in their tracks."