We're moving on to part two of Scott Larsen's 3-part guest blog at Lohrmann on GovSpace. Scott is a senior security specialist on my Michigan government team. Scott Larsen has been working on Security Information and Event Management (SIEM) for several years as a contractor and a state employee.
This mini-series is written in Scott's own words. I'll be back in January 2012 with new security blogs in this same space. Meanwhile, enjoy part 2 of Scott Larsen's 3-part blog on SIEM in government. If you like the topic, please send a tweet to others.
Role players are important in every team environment. Vinnie Johnson, the guard for the NBA’s Detroit Pistons, was called “The Microwave” for his scoring prowess: he could “heat up” the team quickly when coming off the bench. He played both the shooting guard and point guard roles very well. During the Pistons’ back-to-back NBA championship seasons of 1989 and 1990, Johnson was viewed as the best sixth man in the league. He was the consummate role player. He could easily have been a starting guard on many other NBA teams during the peak of his career, but he chose to remain a role player for the Pistons, an integral part of a successful team.
This article is about roles, which are as important in government IT as they are in the NBA. The importance of clearly defining the roles and responsibilities required for a successful SIEM implementation cannot be over-emphasized. Every successful sports team needs players who execute their given role proficiently, and the same is true when implementing a SIEM solution.
So why talk about roles? Without clearly defined roles for each participant there is no clear accountability, no clear responsibility and no effective division of labor. Clear roles are especially important for ensuring proper separation of duties, which significantly reduces exposure to security violations: no single person should be able to commit fraud, steal data or introduce malicious code without being detected. An organization does not want an audit finding or an incident that forces a staff reorganization, so roles and responsibilities need to be addressed from the outset.
Since the activities being monitored can affect enterprise resources, separation of duties should be established at the enterprise level, not buried within a single organizational unit. If monitoring responsibilities are buried within one unit, the management of that unit could hide security violations with impunity, or at minimum be unaware of the risks involved. In practice this means the monitored systems forward their logs to a collector that the unit's own administrators cannot reconfigure or purge; otherwise the separation exists only on paper. The enterprise security team needs to be tasked with overseeing enterprise-wide monitoring of these systems, in collaboration with the other teams, to increase cooperation and awareness.
Executive support and sponsorship are critical in establishing expectations, roles and responsibilities for SIEM across an organization. Directors from the various stakeholder areas need to agree on the priority of SIEM for the enterprise. Clear lines need to be drawn to ensure compliance with the policies, regulations and statutes governing IT security. NIST Special Publication 800-92, Guide to Computer Security Log Management, outlines these roles and responsibilities with regard to log management, roles that apply at every level from the CIO on down. Section 4 of SP 800-92, on log management planning, states: “To establish and maintain successful log management infrastructures, an organization should perform significant planning and other preparatory actions for performing log management. This is important for creating consistent, reliable, and efficient log management practices that meet the organization’s needs and requirements and also provide additional value for the organization. This section describes the definition of log management roles and responsibilities, the creation of feasible logging policies, and the design of log management infrastructures.” NIST outlines the typical log management roles as follows (quoted from NIST SP 800-92):
System and network administrators, who are usually responsible for configuring logging on individual systems and network devices, analyzing those logs periodically, reporting on the results of log management activities, and performing regular maintenance of the logs and logging software
Security administrators, who are usually responsible for managing and monitoring the log management infrastructures, configuring logging on security devices (e.g., firewalls, network-based intrusion detection systems, antivirus servers), reporting on the results of log management activities, and assisting others with configuring logging and performing log analysis. (Notation: Because some log management duties, such as log analysis and maintenance, are considered boring and mundane by many system, network, and security administrators, organizations should consider rotating such duties among administrators to prevent burnout. The duties can also be made less mundane by providing tools and techniques that reduce the workload and allow administrators to focus on the more interesting aspects of log management.)
Computer security incident response teams, who use log data when handling some incidents
Application developers, who may need to design or customize applications so that they perform logging in accordance with the logging requirements and recommendations
Information security officers, who may oversee the log management infrastructures
Chief information officers (CIO), who oversee the IT resources that generate, transmit, and store the logs
Auditors, who may use log data when performing audits
Individuals involved in the procurement of software that should or can generate computer security log data.
In centralized organizations these roles will likely look much like NIST’s list. In decentralized organizations staff may serve multiple roles, which can lead to separation-of-duties issues. In some cases the existing organizational structure may even impede a successful SIEM deployment, and it may need to be modified to enable effective implementation. One example that I think is applicable: have you ever begun a simple home repair and found yourself fixing three or four other issues that cropped up from that one repair? That is what can happen when establishing new roles and responsibilities at the start of a SIEM project, so it is important to address this early in the process.
Some may wish to split the SI from the EM, that is, to separate Security Information management from Event Management. In my view this would be counter-productive. I would agree, however, that separating the “hunting threats” function from the “ensuring compliance” function could be helpful from a staffing perspective, as they require distinct sets of skills and serve different groups within the organization.
Have you already deployed a SIEM solution in your organization? What are some of your successes? What types of challenges have you faced? How were the SIEM roles for your organization established? How would you characterize your experience in implementing a SIEM solution? I look forward to your responses! Thank you!