Security

What Is SIEM and How Can It Help State Governments Close the Security Gap?

Security information and event management tools offer a way for state governments to identify issues and increase visibility across their IT environments.

Doug Bonderud

Doug Bonderud is an award-winning writer capable of bridging the gap between complex and conversational across technology, innovation and the human condition.

State governments face a unique IT security gap: consistency. With geographically and demographically disparate counties, cities and towns, cybersecurity teams often struggle to ensure consistent visibility and adaptability across state networks.

Security information and event management (SIEM) solutions offer a way to help close this gap but historically have been out of budgetary reach for many state governments. The advent of commercialized and on-demand cloud services now offers a way for states to access the benefits of SIEM tools.

What does this look like in practice? What can SIEM tools do to close cybersecurity gaps? How do states effectively deploy these tools at scale?

The State of Cybersecurity for State Government

State governments are increasingly under threat from malicious actors. In January 2020, malicious actors breached New York state government networks and tunneled into multiple servers that transmit encrypted information. In March 2021, a phishing attack on California’s State Controller’s Office resulted in the theft of 9,000 Social Security numbers.

In part, these attacks stem from the rise in threat vectors such as ransomware, which offer a reliable way for cybercriminals to exfiltrate valuable information. As noted by Rick Vanover, senior director of product strategy for Veeam, increasing threat volumes are also tied to accelerated Software as a Service journeys driven by the shift to remote work.

“Agencies needed to make a change, and they had to make a choice: Do we do it right, or do we do it now? For most, doing it now was the only option.”

To help combat these threats, some states have started deploying their own SIEM solutions to help detect and defend against attacks. Washington state recently rolled out a logging and monitoring service, which according to Washington Technology Solutions, “provides a security information and event management (SIEM) platform for monitoring targeted network, systems, applications and security log sources.”

What Are SIEM Solutions?

According to Vanover, SIEM solutions provide a way for organizations to identify issues and increase visibility. They collect data from multiple sources, finding threat matches, pinpointing sources of potential concern and then taking specific action.

This action might include alert generation for IT teams, creating a log of the event or interacting with other security services to suspend suspicious processes.

By actively monitoring threats as they occur and then aggregating this threat data for IT review and analysis, SIEM tools can help states close the security gap.

Best Practices for States Implementing SIEM

The first step in any state SIEM deployment is finding the right tool. While enterprise-grade, on-premises tools were historically out of budget for many state agencies, new cloud-based solutions make it possible for states to evaluate several SIEM tools to identify their best fit.

According to Vanover, effective deployment of SIEM tools doesn’t happen in isolation. He notes that while “SIEM tools are the hub of incident detection and identification and can help shorten the time between when incidents occur and when they’re detected, other components are critical to make best use of this data.”

Robust backups. As Vanover notes, “backups are necessary to handle events of interest. When I think about what an event of interest would mean to a state organization, there’s only one thing that matters: The ability to restore data.” While SIEM tools provide critical frameworks for monitoring and management, backups make it possible for agencies to get back on track if key data sources are isolated or compromised.
“Cybersecurity is kingdom of false positives. Bad actors only have to be right once, but security teams need to be right all the time,” he adds. Despite best efforts, no security stack or staff is perfect, so robust backups are critical to limit the impact of security incidents.
Effective analysis. Vanover also points to the need for effective data analysis, which can help reduce the time between detection and remediation. “What can we do to shorten the time between an incident and its observation and detection? You don’t want the detection to come from the help desk or the user. SIEM services can trigger an event of interest to start this process, while analytics tools can help pinpoint the problem.”
Experienced staff. “You need the right people,” Vanover adds. “Who’s looking at the data? You need the right skill sets to leverage this information and the right people to execute the plan.” This speaks to the broader role of SIEM within state organizations: In effect, it acts as a framework to help jump-start the detection of issues and the aggregation of data. Having the right people in the right places, meanwhile, can help states make best use of SIEM data.

What’s Next for SIEM?

“SIEM is an area that’s going to progress and develop quickly,” Vanover says. He points to the recent evolution of malware as one driving factor: “There’s new ransomware that can trigger from GIFs or Slack or Discord. While you don’t hear much about these yet, they are in development.”

To meet this growing challenge, SIEM tools must evolve in areas such as:

Automation. While Vanover notes that while “we’re early in the market for automated handling of all events and data, this is an area that’s going to progress and develop.” It makes sense; given the sheer number of endpoints, devices and services now used by state governments to deliver both internal and public-facing IT functions, automation is critical to both manage and monitor security data sources at scale.
Aggregation. According to Vincent Berk, CTO and chief security architect at Riverbed Technology, “State and local governments stand a better chance to catch advanced persistent threats with sufficient packet, flow and endpoint visibility. SIEM is usually at the top of the food chain in terms of security triage, but it is notoriously bad at helping catch the big APTs that come with multimillion dollar ransoms. Log-based SIEM is no longer sufficient to detect threats as they move through the network.” Next-generation tools must both capture and aggregate key data for maximum impact.
Artificial intelligence. AI also forms a key component of evolving SIEM solutions. “Threats that inflict the most damage are the ones that know how to stay hidden,” Berk says.

“Most high-value ransomware events are evidence-free, or the evidence was insufficient to trip a traditional network detector,” he adds. “Recognizing that the most dangerous adversaries are both human and highly skilled, we must rely on an extensive telemetry network to gather the data we need to stand a chance in our defense. Such visibility is not limited to logs. Network-based anomaly detection and endpoint threat detection are crucial aspects of picking up the trail of breadcrumbs advanced adversaries leave behind.”

Increasing commercialization and cloud adoption have made SIEM tools more affordable and accessible for state governments. While they’re not a silver bullet for cybersecurity response, they offer consistency and visibility often lacking in state IT operations — without breaking the bank.

When it comes to SIEM solutions for state governments, Vanover offers a straightforward piece of advice: “If you don’t have one, get one.”

EXPLORE: Get five questions a cybersecurity assessment must answer.

Chainarong Prasertthai/Getty Images