Oct 01 2020

State and Local Agencies Gain Visibility from Centralizing Logs

Government agencies boost security and compliance with log aggregation.

The Ohio Attorney General’s Office centralizes its log files for two important functions: meeting security compliance requirements, and detecting and mitigating cybersecurity threats in real time.

In 2019, the agency’s IT security team deployed Splunk’s security information and event management (SIEM) software to aggregate the log data from its servers, firewalls and other security and networking equipment into a central repository.

The software allows the Attorney General’s Office to satisfy regulatory mandates by retaining logs for compliance reporting and audits. It also correlates and analyzes the data. When the tool discovers suspicious behavior and potential security threats, it sends out real-time alerts to the security staff.

“Having that visibility makes a huge difference and allows us to stay on top of what’s going on in our environment,” says CISO Joe Cossin.

Integrate Logs with Data Analytics to Gain Visibility 

Local and state governments are increasingly adopting tools that not only centralize log management, but also analyze the data to provide real-time visibility into their IT infrastructure. Through a dashboard, agencies can monitor applications, infrastructure and networks instantly, identify performance issues and remediate them.

While there are basic log aggregation tools, the trend among IT organizations is to deploy SIEM or SIEM-like tools that integrate log aggregation with data analytics, says analyst Frank Dickson, an IDC program vice president who covers cybersecurity and trust.

“It enhances security, efficacy and efficiency and validates that the organization is in compliance with regulations such as HIPAA and PCI DSS,” he says. An integrated security solution is simpler than buying pieces and assembling them, Dickson adds. Vendors include Splunk, IBM’s QRadar, SolarWinds and cloud providers like Amazon Web Services and Microsoft Azure.

“As the number of tools increases, operations and management become more cumbersome and complex — and complexity is the enemy of security. So, simplify with an integrated, end-to-end solution,” Dickson says.


Ohio Gains More Efficient Threat Detection

The Ohio Attorney General’s Office — which has more than 30 sections, including collections enforcement, crime victim services and healthcare fraud — employs 1,600 employees who access about 250 applications, from Microsoft Office 365 to the Ohio Law Enforcement Gateway, which allows law enforcement agencies to share criminal justice data.

The agency’s primary and secondary data centers house 450 to 500 virtualized servers. It also operates separate lab environments for investigative services.

The Attorney General’s Office previously used a different SIEM tool, but it didn’t integrate with some custom applications and other data sources. So, in 2019, the agency switched to Splunk Enterprise Security, which integrates with everything, including logs from firewalls, Windows servers and Active Directory; applications like Office 365; and security data from Cisco Umbrella, a cloud-based content filtering and anti-malware tool, Cossin says.

Deployment was straightforward. Cossin and his team worked with Splunk’s sales engineering team to architect a multiserver solution. The agency, which currently standardizes on HPE servers, uses two 6-terabyte solid-state drives for indexing and storing information as well as 36TB of hard drive storage for data retention. Splunk offers prebuilt “add-ons” that allow the staff to easily integrate different data sources. It also allows IT staff to easily build custom integrations when needed. 

“It is extremely easy to roll out,” Cossin says.

The SIEM tool and centralized log files allow for faster, more efficient threat detection and response. For example, if Splunk sees a spike in failed virtual private network login attempts, it sends an email alert to the security staff. Through a dashboard, Cossin and his staff can review the logs to see if someone is trying to hack in or if users simply forgot their passwords.
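To make the kind of alert Cossin describes concrete, here is an added example, not the agency's Splunk configuration (which the article does not show), that triages constructed VPN gateway log lines in Python: it separates a single source address failing against many accounts from users who mistype a password and then log in. The log format, thresholds and field names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed VPN gateway log lines (syslog style); not real agency data.
SAMPLE_LOG = """\
Oct 01 08:00:01 vpn1 vpngw: AUTH_FAIL user=bob src=192.0.2.10
Oct 01 08:00:09 vpn1 vpngw: AUTH_FAIL user=bob src=192.0.2.10
Oct 01 08:00:20 vpn1 vpngw: AUTH_OK user=bob src=192.0.2.10
Oct 01 08:01:02 vpn1 vpngw: AUTH_FAIL user=carol src=192.0.2.11
Oct 01 08:01:15 vpn1 vpngw: AUTH_OK user=carol src=192.0.2.11
Oct 01 08:02:00 vpn1 vpngw: AUTH_FAIL user=alice src=198.51.100.7
Oct 01 08:02:01 vpn1 vpngw: AUTH_FAIL user=dave src=198.51.100.7
Oct 01 08:02:02 vpn1 vpngw: AUTH_FAIL user=erin src=198.51.100.7
Oct 01 08:02:03 vpn1 vpngw: AUTH_FAIL user=frank src=198.51.100.7
"""

# Assumed line layout: "<timestamp> <host> vpngw: <AUTH_FAIL|AUTH_OK> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ vpngw: "
    r"(?P<result>AUTH_FAIL|AUTH_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(text):
    """Return {result, user, src} dicts in log order, skipping lines that do not match."""
    return [m.groupdict() for m in (LINE_RE.match(line) for line in text.splitlines()) if m]

def triage(events, fail_threshold=5, users_per_src=3):
    """Classify a burst of failed logins: a source that fails against several distinct
    accounts is flagged; a user who fails and then succeeds from the same address
    is counted as a probable typo rather than an intrusion attempt."""
    fails = [e for e in events if e["result"] == "AUTH_FAIL"]
    if len(fails) < fail_threshold:  # below the alerting threshold: nothing to do
        return {"verdict": "normal", "failures": len(fails),
                "flagged_sources": {}, "recovered_users": []}
    users_by_src = defaultdict(set)
    for e in fails:
        users_by_src[e["src"]].add(e["user"])
    flagged = {src: sorted(u) for src, u in users_by_src.items() if len(u) >= users_per_src}
    failed_keys, recovered = set(), set()
    for e in events:  # order matters: a success after a failure counts as a recovery
        key = (e["user"], e["src"])
        if e["result"] == "AUTH_FAIL":
            failed_keys.add(key)
        elif key in failed_keys:
            recovered.add(e["user"])
    verdict = "investigate" if flagged else "likely forgotten passwords"
    return {"verdict": verdict, "failures": len(fails),
            "flagged_sources": flagged, "recovered_users": sorted(recovered)}
```

Running `triage(parse(SAMPLE_LOG))` flags 198.51.100.7 for failing against four accounts while reporting bob and carol as users who recovered on their own; the same logic could back a dashboard panel or an email alert in a SIEM.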


The IT staff can also drill down to find the root cause of problems, such as server crashes. They can set alerts, so if circumstances that lead to crashes begin to occur again, the tool can proactively warn the IT staff.

“We can pre-emptively set an alert to email IT support that says, ‘We’ve seen this event before and believe the server will have a problem,’” he says.

The agency also uses Splunk for centralized log retention to comply with IRS requirements and other regulations like HIPAA. The agency keeps some generic logs for six months to a year, but other logs require retention for anywhere from seven years to life, he says.


Larimer County Gets Help from Managed Services

In Colorado, Larimer County recently implemented Arctic Wolf’s Managed Detection & Response cloud-based service, which monitors the logs from the county’s endpoint, networking and security devices, such as Syslog servers, firewalls and intrusion detection systems.

The 24/7 managed service correlates and analyzes log data from servers, PCs and networking devices, and through machine learning and custom detection rules, alerts the county IT security staff of anomalous behavior and potential threats, says Tom Iwanski, the county’s IT security and operations team lead.

Larimer County installed agents in each server and PC to get log data from the endpoint devices.

“It’s designed to provide a holistic view of our environment to identify bad actors and any kind of suspicious behavior, so if someone on a PC clicks on a phishing email and malware spreads to a server, it can detect that activity and provide insight and actionable information for us to react accordingly,” he says.

The county previously used a different network monitoring service but replaced it with Arctic Wolf because it supports more data sources. This summer, a few weeks into its deployment, the managed service had not found any major security problems, which is reassuring, Iwanski says.

“We were pretty rigorous with security already,” he says.

The county uses Arctic Wolf in conjunction with two other security tools that the IT staff previously deployed: Forescout Technology’s CounterACT tool for real-time network visibility and Splunk for centralized log management and analysis.

The county did not pay for Arctic Wolf’s log-mining capabilities, so it uses Splunk to drill down into the logs to troubleshoot, Iwanski says.

“Splunk is a convenient and familiar tool for us,” he says. “It helps us troubleshoot or do forensic work after an issue to see if we can find a smoking gun for a problem.”


Regional Log Analysis in the Bay Area

In Northern California, some Bay Area counties and cities plan to collaborate on a shared centralized logging analysis tool that will analyze their log files in aggregate to improve security regionally.

During a meeting with neighboring IT leaders, San Mateo County CIO Jon Walton mentioned that his security team currently uses multiple tools to analyze and cross-reference logs. He said he’d like to purchase a single, AI-powered tool that could analyze log files across all his different systems to spot patterns and potential vulnerabilities and breaches.

It turns out the other CIOs wanted a similar tool too, so the cities of San Francisco and San Jose, Alameda County, Marin County, San Mateo County and others decided that collaborating on a single system would be more affordable than each of them doing it separately, Walton says.

Each government entity will contribute to the project, but the group also hopes to get a federal grant this year to help fund the effort. The goal is to deploy a system within the next year, a large data lake housed either in the public cloud or a government data center. It will securely collect logs from each city and county and then sift through the log files for threats.

“It can alert us as a joint organization that one organization had a breach or prevented a breach,” Walton says. “It can tell us the pattern found in the log files, the attack vector, the tools used and the signature files. So, we can go check our own logs to see if we can find something similar.”
