Time, visibility and understanding are critical when confronting the complex world of cybersecurity. The faster attacks and vulnerabilities are detected, the sooner experts can respond. However, detection requires full visibility into everything that is going on, with a clear understanding of what’s normal and what’s not.
Unfortunately, state governments often find all three in short supply.
- Time. There’s too much to do, including updating, patching and keeping current with emerging threats, managing multiple security products, and ensuring compliance.
- Visibility. Government agencies rely on many point products that rarely communicate with one another, rendering the security picture murky.
- Understanding. It’s impossible to spot anomalous behavior without a clear understanding of the baseline — something that’s hard to establish.
Help is available. Security information and event management (SIEM) is designed to meet the three key requirements of timeliness, visibility and understanding. SIEM is ideal for organizations where security systems operate as silos, scattered over multiple locations. It can gather data from a number of sources.
SIEM Is Gaining Ground Among States
Far beyond a logging solution, SIEM can provide a real-time, overall view of security issues with quick remediation. This is no secret to state governments: 85 percent of states include audit logging, security information and event logging in their cybersecurity budgets (an increase of 16 percent over 2018), according to the National Association of State Chief Information Officers.
SIEM solutions collect data from multiple operating systems, applications, networks and endpoints, normalize it and perform multistage analysis with strong forensics and threat hunting. All SIEM solutions can identify and prioritize significant events, and some — such as SolarWinds Security Event Manager — can even trigger a response to events, mitigating threats in real time.
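To make the collect-normalize-correlate-prioritize pipeline described above concrete, here is a small added example in Python. It is not code from the article or from any vendor named in it. It takes constructed sample lines from two different sources (a Linux sshd log and Windows security events delivered as key=value pairs, using the real Windows event IDs 4625 for a failed logon and 4624 for a successful one), normalizes them into one schema, applies a baseline of "no more than three failed logons from one source address in five minutes" (the baseline value, the log year 2021 for syslog lines that carry none, and the exception list are assumptions for the example), and assigns each alert a severity and a recommended response. The point is the correlation across sources: neither log on its own shows five failures followed by a success from the same address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two sources; none of this is real data.
LINUX_AUTH_LOG = [
    "Mar  3 08:01:12 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51522 ssh2",
    "Mar  3 08:01:14 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51523 ssh2",
    "Mar  3 08:01:15 web01 sshd[2205]: Failed password for root from 203.0.113.45 port 51524 ssh2",
    "Mar  3 08:02:30 web01 sshd[2250]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2",
    "Mar  3 08:03:01 web01 sshd[2260]: Failed password for invalid user guest from 192.0.2.9 port 60001 ssh2",
]
WINDOWS_EVENTS = [
    "EventID=4625 TimeCreated=2021-03-03T08:01:20 Computer=FS01 TargetUserName=jsmith IpAddress=203.0.113.45",
    "EventID=4625 TimeCreated=2021-03-03T08:01:25 Computer=FS01 TargetUserName=jsmith IpAddress=203.0.113.45",
    "EventID=4624 TimeCreated=2021-03-03T08:01:40 Computer=FS01 TargetUserName=jsmith IpAddress=203.0.113.45",
    "EventID=4624 TimeCreated=2021-03-03T08:05:00 Computer=FS01 TargetUserName=jsmith IpAddress=10.0.0.12",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
LOG_YEAR = 2021  # assumption: classic syslog timestamps carry no year


def normalize_sshd(line):
    """Map one sshd syslog line onto the common event schema (None if not a logon event)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["ip"],
            "outcome": "failure" if m["outcome"] == "Failed" else "success", "source": "sshd"}


def normalize_windows(line):
    """Map one key=value Windows security event onto the same schema."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    outcome = {"4625": "failure", "4624": "success"}.get(kv.get("EventID"))
    if outcome is None:
        return None  # not a logon event; other IDs would need their own mapping
    return {"ts": datetime.fromisoformat(kv["TimeCreated"]), "host": kv["Computer"],
            "user": kv["TargetUserName"], "src_ip": kv["IpAddress"],
            "outcome": outcome, "source": "windows"}


def ingest(linux_lines, windows_lines):
    """Collect from both sources and return one time-ordered stream of normalized events."""
    events = [e for e in map(normalize_sshd, linux_lines) if e]
    events += [e for e in map(normalize_windows, windows_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, baseline_failures=3, window=timedelta(minutes=5), exceptions=frozenset()):
    """Raise one alert per source address whose failed logons exceed the baseline in the window.

    Severity: critical if a successful logon from the same address follows the burst,
    high if the burst spans more than one host, otherwise medium.  The 'action' field
    is the response a SIEM could trigger automatically (assumed names, not a vendor API).
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in sorted(by_ip.items()):
        if ip in exceptions:
            continue  # policy exception, e.g. an authorised vulnerability scanner
        failures = [e for e in evs if e["outcome"] == "failure"]
        if not failures:
            continue
        start = failures[0]["ts"]
        burst = [e for e in failures if e["ts"] - start <= window]
        if len(burst) <= baseline_failures:
            continue
        success_after = any(e["outcome"] == "success" and start <= e["ts"] <= start + window
                            for e in evs)
        hosts = {e["host"] for e in burst}
        severity = "critical" if success_after else "high" if len(hosts) > 1 else "medium"
        alerts.append({"src_ip": ip, "failures": len(burst), "hosts": sorted(hosts),
                       "users": sorted({e["user"] for e in burst}), "severity": severity,
                       "action": "block_src_ip" if severity in ("critical", "high") else "review"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(ingest(LINUX_AUTH_LOG, WINDOWS_EVENTS)):
        print(alert)
```

Run as-is, the script reports a single critical alert for 203.0.113.45 (five failures across web01 and FS01, then a success on FS01); the lone failure from 192.0.2.9 stays under the baseline and is not reported. Passing `exceptions={"203.0.113.45"}` shows how an approved policy exception suppresses the alert, which is why such exceptions should be few and reviewed.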
For years, SIEM seemed out of reach for many state governments. Originally built for large organizations with their own security operations centers, previous SIEM solutions were often expensive to configure and implement, and difficult to manage.
Thanks to recent advances, today’s SIEM solutions can be ideal for state governments. An example is the state of Washington’s Consolidated Technology Services agency’s SIEM solution, which reports and alerts on abnormal traffic in near real time, helping agencies identify indicators of compromise and take swift action.
SIEM Best Practices for Government
State governments embarking on SIEM implementations will find that following best practices from expert implementations can help them align solutions to their specific needs.
First, define the most important use cases. Is detecting a potential attack and quickly responding to it important, or does compliance top the list? This analysis helps determine which systems, users, networks and applications are in scope and which reports are important.
[Figure: the number of states with a cybersecurity budget line item. Source: Deloitte and the National Association of State Chief Information Officers, 2020 Deloitte-NASCIO Cybersecurity Study: States at Risk: The Cybersecurity Imperative in Uncertain Times, October 2020]
Choose a SIEM solution that collects all relevant data and produces needed reports. Note that some systems can even integrate data from physical security systems such as building access systems when set up to do so.
Next, choose the right tool for the environment. If a combination of software, appliances and/or virtual appliances is needed, look to solutions such as RSA NetWitness, which supports flexible deployments. Pay close attention to how the team will interact with the SIEM solution. Are staffers available to do in-depth analysis, or does the agency need a solution that has out-of-the-box content with visualizations that quickly show the answers? If it’s the latter, SolarWinds can minimize the workload and perform triage, providing a virtual SOC for smaller security programs.
With the best solution selected and critical use cases defined, it’s time to set up policies that will cover the remaining gaps in the current security environment. This helps to determine what to audit, what exceptions to allow, what actions are required to resolve issues, how often to review audit logs and how to integrate suspicious audit events into incident response processes. It’s important to identify who should review reports and how often, and what actions should be taken in the event of abnormal readings.
Look to Existing Government Security Standards
Rather than creating policies from scratch, start by looking at existing state government standards. The Massachusetts Logging and Event Monitoring Standard spells out the requirements for detecting unauthorized activities on the commonwealth’s information systems and provides a good outline. It contains specifics on what to log, how to review and report on logs, how to protect them from unauthorized access, and how to stay in compliance with requirements and regulations.
Another good source is Minnesota’s Security Logging and Monitoring Standard, which includes policies on logging, security system failure and response, and more.
Ready for production? Run a test to make sure everything is as expected. Start with a small number of reports that meet immediate needs, then tweak and optimize them. The more agencies can help SIEM, the more it can help them.