Security information and event management (SIEM) is key to robust data security. A centralized means of collecting events and alerts, SIEM aggregates and analyzes data from multiple systems to identify anomalous behavior and flag potential threats.
Agencies can use SIEM along with security orchestration, automation and response (SOAR) to manage varied inputs and apply multiple controls.
SIEM offers key capabilities in support of state and local modernization efforts. As state and local agencies migrate to cloud environments, they need new tools to better manage cybersecurity.
“Most agencies have now adopted some form of multicloud strategy. Where is that data being generated? What network is it coming over, what service is being delivered, and who's asking for the service?” says Bill Rowan, vice president of public sector at Splunk. “SIEM is collecting that data and applying real-time analytics.”
This helps agencies bring their protections up to current standards, giving state and local governments “the same solutions that are used at the biggest enterprises in the world, whether you’re talking about banking, finance, healthcare or logistics,” Rowan says.
SIEM can also help state and local IT teams apply controls more consistently as they secure disaggregated IT deployments.
State and Local Agencies Use SIEM to Secure Growing Enterprises
Within state and local government, “different organizations have procured and are using different products and even technologies,” says Jim Richberg, Fortinet's field CISO for the public sector. “SIEM becomes especially useful in those kinds of highly varied environments: It tends to be designed to deal with input from different kinds of platforms and from different vendors. SIEM does a good job of pulling together different kinds of data.”
With SIEM, government IT leaders can be more effective in implementing cyber controls with the sources at hand.
“State and local governments are challenged on resources both in terms of dollars and, more critically, cybersecurity staff,” Richberg says. “SIEM offers a plug-and-play incident management tool, useful both to governments that lack a security operations center and to larger jurisdictions seeking to up their game and increase their existing cybersecurity capabilities.”
This, in turn, enables state and local governments to stay ahead of escalating cyberthreats.
“The amount of information that a local municipality or state needs to track is growing in leaps and bounds,” Rowan says. “There is all of this information to analyze and a shortage of security professionals in the market. State and local governments may struggle to effectively close those gaps without solutions like SIEM.”
SIEM and SOAR Work Together for Greater Cybersecurity
With SIEM and SOAR, the whole is greater than the sum of the parts. As detection and response mechanisms, respectively, SIEM and SOAR “are a part of the foundational building blocks for collective security,” Richberg says.
SIEM is like a radar system. Just as an airplane pilot needs the ability to see over the horizon, in cybersecurity “it is critical to see what’s coming at you, especially things that you may not be able to see with the naked eye,” Rowan says. “SIEM is that pilot’s radar.”
SOAR, meanwhile, drives the response, giving defenders “the ability to then automate some of the most standard tasks,” he says. “It frees up that analyst in the security operations center to focus on higher-value things.”
State and local leaders would do well to look for a platform-based solution. “You have a bunch of network routers, firewalls and servers, and you need to collect all that data. The goal in implementing SIEM is to make that as simple as possible for the end user. For that, you need a platform solution,” rather than a home-built aggregation of capabilities, Rowan says.
New SIEM Solutions Help to Identify Malicious Activity
Inside of Splunk, for example, “we have an app store with a connector that collects data for you in an automated fashion. Once you’ve deployed the SIEM solution, you go to the app store and pick the firewall products and the service settings that you need,” Rowan says. “With a platform approach, you can easily deploy those and start getting that real-time data.”
Those with SIEM solutions already in place, meanwhile, should be looking at the emerging state-of-the-art solutions.
“We usually think of SIEM tools as just dealing with information collected from the IT environment they cover. But the latest generation of SIEM tools can actively import cyberthreat information from external sources, which helps in understanding when activity is malicious as opposed to merely abnormal,” Richberg says.
“That makes SIEM a powerful force multiplier, and one that is probably worth a revisit. A new SIEM solution probably does far more than a SIEM product that it’s replacing in terms of capability and functionality,” he says.
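The three capabilities the article describes, pulling differently formatted data into one place, flagging abnormal behavior, and enriching the flagged activity with external threat intelligence so that "malicious" can be separated from "merely abnormal", can be shown end to end in a small script. The following is an added illustration written for this page; it is not code from the article, Splunk or Fortinet, and every log line, IP address, indicator and playbook action in it is constructed. The final step sketches the SOAR side: routing each verdict to an automated containment action or to an analyst queue.

```python
"""
Toy SIEM/SOAR pipeline (added example, not vendor code):
  1. normalize   - map two log formats onto one event schema
  2. detect      - flag sources that exceed a failure threshold
  3. enrich      - compare flagged sources with an external intel feed
  4. playbook    - turn each verdict into a response action
All inputs below are constructed for the example.
"""
import re
from collections import Counter

# Constructed sample input: a firewall syslog-style feed and a Linux auth log.
FIREWALL_LOG = """\
2024-05-01T10:00:01Z fw01 action=deny src=203.0.113.10 dst=10.0.0.5 dport=22
2024-05-01T10:00:02Z fw01 action=deny src=203.0.113.10 dst=10.0.0.5 dport=22
2024-05-01T10:00:03Z fw01 action=allow src=198.51.100.7 dst=10.0.0.8 dport=443
"""

AUTH_LOG = """\
May  1 10:01:10 srv1 sshd[1201]: Failed password for admin from 203.0.113.10 port 50122 ssh2
May  1 10:01:12 srv1 sshd[1201]: Failed password for admin from 203.0.113.10 port 50123 ssh2
May  1 10:01:14 srv1 sshd[1201]: Failed password for admin from 203.0.113.10 port 50124 ssh2
May  1 10:02:00 srv1 sshd[1210]: Failed password for root from 192.0.2.44 port 40001 ssh2
May  1 10:02:01 srv1 sshd[1210]: Failed password for root from 192.0.2.44 port 40002 ssh2
May  1 10:02:02 srv1 sshd[1210]: Failed password for root from 192.0.2.44 port 40003 ssh2
May  1 10:03:00 srv1 sshd[1220]: Accepted password for alice from 198.51.100.7 port 40100 ssh2
"""

# Constructed external threat-intelligence feed: indicator -> description.
THREAT_INTEL = {"203.0.113.10": "known brute-force scanner (constructed indicator)"}

FW_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>[\d.]+) .*dport=(?P<dport>\d+)")
AUTH_RE = re.compile(r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)")


def normalize(firewall_log, auth_log):
    """Aggregation step: turn two feeds into one list of common-schema events."""
    events = []
    for line in firewall_log.splitlines():
        m = FW_RE.search(line)
        if m:
            events.append({"source": "firewall", "src": m["src"],
                           "outcome": "fail" if m["action"] == "deny" else "success"})
    for line in auth_log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append({"source": "auth", "src": m["src"], "user": m["user"],
                           "outcome": "fail" if m["result"] == "Failed" else "success"})
    return events


def detect_anomalies(events, threshold=3):
    """Analytics step: sources with >= threshold failures across all feeds."""
    failures = Counter(e["src"] for e in events if e["outcome"] == "fail")
    return {src: n for src, n in failures.items() if n >= threshold}


def enrich(anomalies, intel):
    """Enrichment step: 'malicious' if the source matches intel, else 'abnormal'."""
    verdicts = {}
    for src, count in anomalies.items():
        hit = intel.get(src)
        verdicts[src] = {"verdict": "malicious" if hit else "abnormal",
                         "failures": count, "intel": hit}
    return verdicts


def playbook(verdicts):
    """SOAR-style routing: automate the routine case, hand the rest to an analyst."""
    actions = {}
    for src, v in verdicts.items():
        if v["verdict"] == "malicious":
            actions[src] = "auto-block at firewall and open ticket"
        else:
            actions[src] = "queue for analyst review"
    return actions


def run_pipeline():
    events = normalize(FIREWALL_LOG, AUTH_LOG)
    verdicts = enrich(detect_anomalies(events), THREAT_INTEL)
    return verdicts, playbook(verdicts)


if __name__ == "__main__":
    for src, v in run_pipeline()[0].items():
        print(src, v["verdict"], v["failures"], v["intel"])
```

With the constructed data, 203.0.113.10 accumulates five failures across the firewall and auth feeds and matches the intel feed, so it is classed as malicious and routed to an automated block; 192.0.2.44 crosses the same threshold but matches nothing, so it stays "abnormal" and goes to an analyst. That distinction, visible only once the two feeds are combined and enriched, is the point Richberg makes about the newer generation of SIEM tools.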