Integrate Logs with Data Analytics to Gain Visibility
Local and state governments are increasingly adopting tools that not only centralize log management, but also analyze the data to provide real-time visibility into their IT infrastructure. Through a dashboard, agencies can monitor applications, infrastructure and networks instantly, identify performance issues and remediate them.
While there are basic log aggregation tools, the trend among IT organizations is to deploy SIEM or SIEM-like tools that integrate log aggregation with data analytics, says analyst Frank Dickson, an IDC program vice president who covers cybersecurity and trust.
“It enhances security, efficacy and efficiency and validates that the organization is in compliance with regulations such as HIPAA and PCI DSS,” he says. An integrated security solution is simpler than buying pieces and assembling them, Dickson adds. Vendors include Splunk, IBM’s QRadar, SolarWinds and cloud providers like Amazon Web Services and Microsoft Azure.
“As the number of tools increases, operations and management become more cumbersome and complex — and complexity is the enemy of security. So, simplify with an integrated, end-to-end solution,” Dickson says.
Ohio Gains More Efficient Threat Detection
The Ohio Attorney General’s Office — which has more than 30 sections, including collections enforcement, crime victim services and healthcare fraud — employs 1,600 employees who access about 250 applications, from Microsoft Office 365 to the Ohio Law Enforcement Gateway, which allows law enforcement agencies to share criminal justice data.
The agency’s primary and secondary data centers house 450 to 500 virtualized servers. It also operates separate lab environments for investigative services.
The Attorney General’s Office previously used a different SIEM tool, but it didn’t integrate with some custom applications and other data sources. So, in 2019, the agency switched to Splunk Enterprise Security, which integrates with everything, including logs from firewalls, Windows servers and Active Directory; applications like Office 365; and security data from Cisco Umbrella, a cloud-based content filtering and anti-malware tool, Cossin says.
Deployment was straightforward. Cossin and his team worked with Splunk’s sales engineering team to architect a multiserver solution. The agency, which currently standardizes on HPE servers, uses two 6-terabyte solid-state drives for indexing and storing information as well as 36TB of hard drive storage for data retention. Splunk offers prebuilt “add-ons” that allow the staff to easily integrate different data sources. It also allows IT staff to easily build custom integrations when needed.
“It is extremely easy to roll out,” Cossin says.
The SIEM tool and centralized log files allow for faster, more efficient threat detection and response. For example, if Splunk sees a spike in failed virtual private network login attempts, it sends an email alert to the security staff. Through a dashboard, Cossin and his staff can review the logs to see if someone is trying to hack in or if users simply forgot their passwords.
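The detection the article describes is a threshold on failed VPN logins per time window, followed by a human look at who was failing and from where. The following is an added example, not code from the article or from the Ohio Attorney General’s Office’s Splunk deployment: it implements that workflow in plain Python over a handful of constructed log lines. The log format (`AUTH_FAIL`/`AUTH_OK` with `user=` and `src=` fields), the five-minute window, the threshold of five and the triage rules are all assumptions chosen for illustration; a real SIEM rule would be tuned against the agency’s own baseline.

```python
"""Spike detection over VPN authentication failures, with a first-pass triage.

Added example with constructed data; the log format and thresholds are
assumptions, not the format of any particular VPN gateway or SIEM.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a hypothetical syslog-like format.
# First window: one user fumbling a password. Second window: one source
# trying a different username every second (password-spraying pattern).
SAMPLE_LOGS = """\
2024-05-01T09:00:05Z vpn-gw1 AUTH_FAIL user=jdoe src=198.51.100.7
2024-05-01T09:00:09Z vpn-gw1 AUTH_OK user=asmith src=198.51.100.20
2024-05-01T09:00:14Z vpn-gw1 AUTH_FAIL user=jdoe src=198.51.100.7
2024-05-01T09:00:31Z vpn-gw1 AUTH_FAIL user=jdoe src=198.51.100.7
2024-05-01T09:05:02Z vpn-gw1 AUTH_FAIL user=asmith src=203.0.113.9
2024-05-01T09:05:03Z vpn-gw1 AUTH_FAIL user=bjones src=203.0.113.9
2024-05-01T09:05:03Z vpn-gw1 AUTH_FAIL user=clee src=203.0.113.9
2024-05-01T09:05:04Z vpn-gw1 AUTH_FAIL user=dkim src=203.0.113.9
2024-05-01T09:05:05Z vpn-gw1 AUTH_FAIL user=egarcia src=203.0.113.9
2024-05-01T09:05:06Z vpn-gw1 AUTH_FAIL user=fwong src=203.0.113.9
2024-05-01T09:05:07Z vpn-gw1 AUTH_OK user=jdoe src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>AUTH_FAIL|AUTH_OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # Timestamps are UTC; make the datetime aware so .timestamp() is exact.
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        yield rec


def failures_by_window(events, window=timedelta(minutes=5)):
    """Bucket AUTH_FAIL events into fixed windows aligned to the Unix epoch."""
    size = int(window.total_seconds())
    buckets = defaultdict(list)
    for e in events:
        if e["event"] != "AUTH_FAIL":
            continue
        epoch_s = int(e["ts"].timestamp())
        buckets[epoch_s - epoch_s % size].append(e)
    return buckets


def triage(fails):
    """Rough first-pass label from the spread of users and source addresses."""
    users = Counter(e["user"] for e in fails)
    srcs = Counter(e["src"] for e in fails)
    if len(users) == 1 and len(srcs) == 1:
        return "single user, single source: likely forgotten password"
    if len(srcs) == 1 and len(users) >= 3:
        return "many users from one source: possible password spraying"
    if len(users) == 1 and len(srcs) >= 3:
        return "one user from many sources: possible distributed brute force"
    return "mixed pattern: review manually"


def detect_spikes(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per window whose failure count reaches the threshold."""
    alerts = []
    buckets = failures_by_window(parse(log_text), window)
    for start in sorted(buckets):
        fails = buckets[start]
        if len(fails) >= threshold:
            alerts.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                "count": len(fails),
                "triage": triage(fails),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(SAMPLE_LOGS):
        print(alert)
```

With the default threshold only the second window fires, and the triage line points the analyst at a single source cycling through usernames rather than at a user who forgot a password. Lowering the threshold to three also surfaces the first window, labelled as a probable forgotten password; that difference is exactly the tuning decision a SIEM rule forces, and the reason the article’s team still reviews the underlying logs in a dashboard before acting on an email alert.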