What Is SIEM?
SIEM tools combine two infosec abilities: Information and event management. While information management focuses on the aggregation and collection of existing security data from sources such as firewalls, anti-virus tools and intrusion-detection systems, event management prioritizes security incidents — from benign mistakes such as staff accidently entering the wrong password to potential breaches tied to malicious code or unauthorized resource access. Linking these two security functions under a SIEM system allows agencies to “identify deviations from the norm and take appropriate action,” according to Tech Target.
And that’s just the beginning. Jason Yakencheck, president of ISACA’s Greater Washington, D.C., chapter, says that SIEM tools empower “advanced analytics and correlations, including network, firewall or controller data all pulled onto a single pane of glass, getting connected information instead of fragmentation.”
This is the single biggest advantage of SIEM solutions for federal agencies: the ability to aggregate continuously expanding system and log data and perform real-time analytics at scale. With cybersecurity threats on the rise as attackers recognize the value in government-held data and look to exploit potential infosec gaps tied to lacking security or missing skill sets, SIEM tools are an essential part of evolving, zero-trust federal policies.
MORE FROM FEDTECH: Find out how to choose between software-defined perimeters and VPNs.
A Brief History of Single-System Security
The single-system log aggregation approach of SIEM is relatively new; as noted by Philip Carruthers of IBM Security North America, building the groundwork required for current cybersecurity initiatives began in earnest after the Sept. 11, 2001, terrorist attacks, “when the government went into a mode of fortification” and recognized that “if you use government data, you need to secure it.”
In 2002, the Federal Information Security Management Act (FISMA) was created to help agencies manage the increasing volume of IT log data created by tools, users and events. According to Carruthers, organizations “needed a way to manage log data and normalize it into a common format that allowed for the management of both correlation and compromise.”
NIST guidelines such as special publications 800-37, 800-53 and 800-137 emerged to help agencies better address risk management, deploy information security continuous monitoring best practices and identify high-priority vulnerabilities in their IT environments. In 2014, a new version of FISMA was introduced that focused on empowering government departments to “conduct the day-to-day operations of the agency and to accomplish the agency’s stated missions with adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.”
FISMA and other regulations highlighted the role of SIEM tools in effective cybersecurity management, which “became the power tools for searching and recovery at scale,” Carruthers says, allowing agencies to significantly reduce the time between incident detection, remediation and reporting.
MORE FROM FEDTECH: Find out how file integrity monitoring can help feds improve cybersecurity.
5 Advantages of SIEM Tools for Federal Agencies
The fundamental value of SIEM solutions is their ability to aggregate and analyze log data from multiple sources. As noted by Yakencheck, this primary purpose underpins five advantages for federal agencies at scale:
Efficiency improvements: By aggregating multiple log sources, IT staffers get the big picture faster, making it easier to take action and reducing the strain on IT departments already spread thin.
Consolidated infrastructure: Single-source systems naturally consolidate data, limiting the risk of resource overprovision and decreasing overall complexity.
Response identification: Consistent, accurate log data helps IT teams identify the best response to IT security events and apply these responses at scale.
Automation integration: Data generated by advanced SIEM tools underpins security orchestration, automation and response (SOAR) solutions capable of handling low-level infosec incidents without human interaction.
Threat intelligence: Combined with evolving artificial intelligence tools and machine learning algorithms, SIEM-generated data forms the foundation of actionable, agile threat intelligence to help federal agencies stay ahead of malicious actors.
CDW•G has developed its own proprietary solution for federal agencies called Security Management Infrastructure, in which SIEM “acts as the nerve center of SMI, receiving information from other SMI components, correlating those reports and providing real-time reporting on the security status of the agency,” according to a CDW•G white paper.
For example, CDW•G partners with Splunk to “provide agencies with data correlation capabilities as well as access to behavior analysis tools that identify suspicious insider activity requiring further investigation by cybersecurity teams.”
The SIEM tool integrates with virus detection, change management, application management and other security components. The SIEM tool at the heart of the SMI solution is “tailored to meet agency requirements for performance and budget, while incorporating existing solutions that the agency already has in place,” according to the white paper.