What Is SIEM?
SIEM tools combine two infosec abilities: information management and event management. While information management focuses on the aggregation and collection of existing security data from sources such as firewalls, anti-virus tools and intrusion-detection systems, event management prioritizes security incidents — from benign mistakes such as staff accidentally entering the wrong password to potential breaches tied to malicious code or unauthorized resource access. Linking these two security functions under a SIEM system allows agencies to “identify deviations from the norm and take appropriate action,” according to Tech Target.
And that’s just the beginning. Jason Yakencheck, president of ISACA’s Greater Washington, D.C., chapter, says that SIEM tools empower “advanced analytics and correlations, including network, firewall or controller data all pulled onto a single pane of glass, getting connected information instead of fragmentation.”
This is the single biggest advantage of SIEM solutions for federal agencies: the ability to aggregate continuously expanding system and log data and perform real-time analytics at scale. With cybersecurity threats on the rise as attackers recognize the value in government-held data and look to exploit infosec gaps caused by weak security controls or missing skill sets, SIEM tools are an essential part of evolving, zero-trust federal policies.
A Brief History of Single-System Security
The single-system log aggregation approach of SIEM is relatively new; as noted by Philip Carruthers of IBM Security North America, building the groundwork required for current cybersecurity initiatives began in earnest after the Sept. 11, 2001, terrorist attacks, “when the government went into a mode of fortification” and recognized that “if you use government data, you need to secure it.”
In 2002, the Federal Information Security Management Act (FISMA) was created to help agencies manage the increasing volume of IT log data created by tools, users and events. According to Carruthers, organizations “needed a way to manage log data and normalize it into a common format that allowed for the management of both correlation and compromise.”
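Added example, not code from the article or from any vendor it mentions: a minimal Python sketch of the two SIEM functions described above, collecting lines from two constructed sources (an SSH auth log and a firewall log), normalizing them into one common event format, and correlating them so that a single wrong password ranks as a benign mistake while a success after repeated failures ranks as likely unauthorized access. The log formats, field names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines in two different source formats (not real data)
SAMPLE_LOGS = [
    "sshd[1022]: Failed password for alice from 10.0.0.5 port 5001 ssh2",
    "sshd[1022]: Failed password for alice from 10.0.0.5 port 5002 ssh2",
    "sshd[1022]: Failed password for alice from 10.0.0.5 port 5003 ssh2",
    "sshd[1022]: Accepted password for alice from 10.0.0.5 port 5004 ssh2",
    "FW: action=DENY src=10.0.0.5 dst=10.0.1.9 dport=445",
    "sshd[1030]: Failed password for bob from 10.0.0.7 port 6001 ssh2",
]

# One parser per source; each maps its own format into the common schema
SSH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\w+) from ([\d.]+)")
FW_RE = re.compile(r"FW: action=(\w+) src=([\d.]+) dst=([\d.]+) dport=(\d+)")

def normalize(line):
    """Information management: turn a raw line into the common event format."""
    m = SSH_RE.search(line)
    if m:
        outcome = "failure" if m.group(1) == "Failed" else "success"
        return {"source": "auth", "action": "login", "outcome": outcome,
                "user": m.group(2), "src_ip": m.group(3), "dst": None}
    m = FW_RE.search(line)
    if m:
        outcome = "failure" if m.group(1) == "DENY" else "success"
        return {"source": "firewall", "action": "connect", "outcome": outcome,
                "user": None, "src_ip": m.group(2), "dst": f"{m.group(3)}:{m.group(4)}"}
    return None  # unknown format: dropped here, a real SIEM would count these

def correlate(lines, threshold=3):
    """Event management: correlate normalized events and assign a priority."""
    events = [e for e in map(normalize, lines) if e]
    failures = defaultdict(int)   # (src_ip, user) -> failed login count
    alerts = []
    for e in events:
        key = (e["src_ip"], e["user"])
        if e["action"] == "login" and e["outcome"] == "failure":
            failures[key] += 1
            if failures[key] == threshold:  # repeated typos are still low priority
                alerts.append(("low", f"{threshold} failed logins for {e['user']} from {e['src_ip']}"))
        elif e["action"] == "login" and e["outcome"] == "success" and failures[key] >= threshold:
            # success right after repeated failures from the same source: possible compromise
            alerts.append(("high", f"login success after {failures[key]} failures for {e['user']} from {e['src_ip']}"))
        elif e["source"] == "firewall" and e["outcome"] == "failure" and any(k[0] == e["src_ip"] for k in failures):
            # cross-source correlation: a denied connection from an IP already failing logins
            alerts.append(("medium", f"denied connection to {e['dst']} from {e['src_ip']} that already failed logins"))
    return alerts
```

Running `correlate(SAMPLE_LOGS)` yields one low, one high and one medium alert for 10.0.0.5, while bob's single typo produces nothing.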
NIST guidelines such as special publications 800-37, 800-53 and 800-137 emerged to help agencies better address risk management, deploy information security continuous monitoring best practices and identify high-priority vulnerabilities in their IT environments. In 2014, a new version of FISMA was introduced that focused on empowering government departments to “conduct the day-to-day operations of the agency and to accomplish the agency’s stated missions with adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.”
FISMA and other regulations highlighted the role of SIEM tools in effective cybersecurity management; these tools “became the power tools for searching and recovery at scale,” Carruthers says, allowing agencies to significantly reduce the time between incident detection, remediation and reporting.
5 Advantages of SIEM Tools for Federal Agencies
The fundamental value of SIEM solutions is their ability to aggregate and analyze log data from multiple sources. As noted by Yakencheck, this primary purpose underpins five advantages for federal agencies at scale:
- Efficiency improvements: By aggregating multiple log sources, IT staffers get the big picture faster, making it easier to take action and reducing the strain on IT departments already spread thin.
- Consolidated infrastructure: Single-source systems naturally consolidate data, limiting the risk of resource overprovision and decreasing overall complexity.
- Response identification: Consistent, accurate log data helps IT teams identify the best response to IT security events and apply these responses at scale.
- Automation integration: Data generated by advanced SIEM tools underpins security orchestration, automation and response (SOAR) solutions capable of handling low-level infosec incidents without human interaction.
- Threat intelligence: Combined with evolving artificial intelligence tools and machine learning algorithms, SIEM-generated data forms the foundation of actionable, agile threat intelligence to help federal agencies stay ahead of malicious actors.
CDW•G has developed its own proprietary solution for federal agencies called Security Management Infrastructure, in which SIEM “acts as the nerve center of SMI, receiving information from other SMI components, correlating those reports and providing real-time reporting on the security status of the agency,” according to a CDW•G white paper.
For example, CDW•G partners with Splunk to “provide agencies with data correlation capabilities as well as access to behavior analysis tools that identify suspicious insider activity requiring further investigation by cybersecurity teams.”
The SIEM tool integrates with virus detection, change management, application management and other security components. The tool at the heart of the SMI solution is “tailored to meet agency requirements for performance and budget, while incorporating existing solutions that the agency already has in place,” according to the white paper.