Best Practices for States Implementing SIEM
The first step in any state SIEM deployment is finding the right tool. While enterprise-grade, on-premises tools were historically out of budget for many state agencies, new cloud-based solutions make it possible for states to evaluate several SIEM tools to identify their best fit.
According to Vanover, effective deployment of SIEM tools doesn’t happen in isolation. He notes that while “SIEM tools are the hub of incident detection and identification and can help shorten the time between when incidents occur and when they’re detected, other components are critical to make best use of this data.”
- Robust backups. As Vanover notes, “backups are necessary to handle events of interest. When I think about what an event of interest would mean to a state organization, there’s only one thing that matters: The ability to restore data.” While SIEM tools provide critical frameworks for monitoring and management, backups make it possible for agencies to get back on track if key data sources are isolated or compromised.
“Cybersecurity is a kingdom of false positives. Bad actors only have to be right once, but security teams need to be right all the time,” he adds. Despite best efforts, no security stack or staff is perfect, so robust backups are critical to limit the impact of security incidents.
- Effective analysis. Vanover also points to the need for effective data analysis, which can help reduce the time between detection and remediation. “What can we do to shorten the time between an incident and its observation and detection? You don’t want the detection to come from the help desk or the user. SIEM services can trigger an event of interest to start this process, while analytics tools can help pinpoint the problem.”
- Experienced staff. “You need the right people,” Vanover adds. “Who’s looking at the data? You need the right skill sets to leverage this information and the right people to execute the plan.” This speaks to the broader role of SIEM within state organizations: In effect, it acts as a framework to help jump-start the detection of issues and the aggregation of data. Having the right people in the right places, meanwhile, can help states make best use of SIEM data.
What’s Next for SIEM?
“SIEM is an area that’s going to progress and develop quickly,” Vanover says. He points to the recent evolution of malware as one driving factor: “There’s new ransomware that can trigger from GIFs or Slack or Discord. While you don’t hear much about these yet, they are in development.”
To meet this growing challenge, SIEM tools must evolve in areas such as:
- Automation. Vanover notes that while “we’re early in the market for automated handling of all events and data, this is an area that’s going to progress and develop.” It makes sense: given the sheer number of endpoints, devices and services now used by state governments to deliver both internal and public-facing IT functions, automation is critical to both manage and monitor security data sources at scale.
- Aggregation. According to Vincent Berk, CTO and chief security architect at Riverbed Technology, “State and local governments stand a better chance to catch advanced persistent threats with sufficient packet, flow and endpoint visibility. SIEM is usually at the top of the food chain in terms of security triage, but it is notoriously bad at helping catch the big APTs that come with multimillion-dollar ransoms. Log-based SIEM is no longer sufficient to detect threats as they move through the network.” Next-generation tools must both capture and aggregate key data for maximum impact.
- Artificial intelligence. AI also forms a key component of evolving SIEM solutions. “Threats that inflict the most damage are the ones that know how to stay hidden,” Berk says.
“Most high-value ransomware events are evidence-free, or the evidence was insufficient to trip a traditional network detector,” he adds. “Recognizing that the most dangerous adversaries are both human and highly skilled, we must rely on an extensive telemetry network to gather the data we need to stand a chance in our defense. Such visibility is not limited to logs. Network-based anomaly detection and endpoint threat detection are crucial aspects of picking up the trail of breadcrumbs advanced adversaries leave behind.”
Increasing commercialization and cloud adoption have made SIEM tools more affordable and accessible for state governments. While they’re not a silver bullet for cybersecurity response, they offer consistency and visibility often lacking in state IT operations — without breaking the bank.
When it comes to SIEM solutions for state governments, Vanover offers a straightforward piece of advice: “If you don’t have one, get one.”