We’re moving on to part three of Scott Larsen’s 3-part guest blog at Lohrmann on GovSpace. Scott is a senior security specialist on my Michigan government team. He has been working on Security Information and Event Management (SIEM) for several years as a contractor and a state employee. This mini-series is written in Scott’s own words. I’ll be back in January 2012 with new security blogs in this same space. Meanwhile, enjoy Scott Larsen’s 3-part blog on the importance of SIEM in government.

The Internet has revolutionized the way we communicate and conduct business in the 21st century. Because of information technology improvements, businesses and governments have enjoyed ever-increasing levels of productivity and the emergence of new and innovative business models across the globe. With this innovation and efficiency comes an increased need for strong security and monitoring to counter threats to data security.

We are discussing technology’s role in reducing insider threats using a SIEM solution. In the previous installments of this blog series we established the need for a SIEM solution and determined the roles needed to implement it. Now we will discuss the technology required to make the solution a reality.

Once the need for a SIEM solution has been determined, an organization needs to establish a team of individuals from across the organization that will develop the solution. Creation of a cross-functional review team is essential to the decision-making process. It is helpful to have representation from different teams within the organization because the solution will affect several different areas of the organization. This team can work together to develop requirements that will apply effectively across the enterprise.
The process should include the following steps (not in any particular order):

· Establish a cross-functional team
· Gather system requirements
· Develop the project plan
· Identify the funding source
· Develop the cost recovery model
· Solicit vendor responses
· Evaluate several competing products on:
  o Status in industry
  o Price
  o Features
  o Training
  o Ongoing support costs
  o Staffing requirements
· Select the product
· Evaluation and development
· Testing
· User acceptance testing
· Production

Another step in selecting a SIEM product is to review Gartner’s Magic Quadrant or other independent analyses of product offerings (from companies such as Forrester). With recent acquisitions of smaller players by larger, more established firms, the SIEM landscape is changing rapidly. A thorough review of the possibilities will serve well to make the most advantageous decision for a particular organization, with products that are rated in the upper left or “magic” quadrant serving as the safest bet. This is the quadrant that shows the innovators and leaders among the competing SIEM solutions.

Another major factor necessary to ensure success is to obtain executive support. The executive level of the organization needs to be aware of the case for SIEM and how choosing not to support it will affect the overall enterprise strategy and operations. This means the priority of SIEM must be emphasized from the CIO level down through the various director and management levels within the organization. This will provide needed leadership direction as well as sponsorship for the project. Communications will help to disseminate awareness of the importance of the project to all stakeholders and gain their support. Staff will also be aware of their own role in the project, and executive direction will help to minimize confusion.
Some additional factors in selecting a software solution are:

· Select software that has a good complement of compliance modules available out of the box, requiring limited configuration.
· Correlation rules that can be customized for unique organizational environments.
· Software that supports the major RDBMSs such as Oracle and SQL Server.
· Software that can be used in a virtual environment.
· Software that can be installed on open source platforms such as Linux.
· Software that is intuitive and easy to begin using immediately, to show value.
· Robust reporting capabilities that do not require additional licensing for reporting software.
· Compliance modules that cover the range of subject areas:
  o FISMA
  o IRS
  o HIPAA
  o PCI
  o …and others that may apply to the organization.
· Select software that will integrate well into the organization’s enterprise environment.
· Software that includes native support for workflow capabilities, such as spawning tasks to a Remedy ticketing system.

As you can see, there are several important considerations for implementing a SIEM solution. In my opinion it is a necessary component of a successful security plan and of the overall organizational strategic plan. Having a reliable and effective SIEM solution in place will minimize risk and improve security posture, as well as address potential audit concerns. I urge you to seriously consider implementing a SIEM solution for your organization. Thank you for reading my 3-part blog on the importance of SIEM.
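As an added illustration of two of the selection factors above, customizable correlation rules and workflow hand-off to a ticketing system, here is a small Python correlation rule written for this post (example code, not the author’s work or any vendor’s product). The log lines, field names, thresholds and the `open_ticket` function that stands in for a Remedy hand-off are all constructed assumptions; a real SIEM would express the same rule in its own rule language and submit the ticket through the ticketing system’s API.

```python
"""Minimal SIEM-style correlation rule: repeated failed logins followed by a
success on the same account and host within a time window raises a ticket.
Example code for this post; log data and rule values are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a simple key=value format (not real data).
SAMPLE_LOGS = """\
2011-12-05T08:01:10 host=fs01 user=jdoe action=login result=fail src=10.1.5.22
2011-12-05T08:01:25 host=fs01 user=jdoe action=login result=fail src=10.1.5.22
2011-12-05T08:01:40 host=fs01 user=jdoe action=login result=fail src=10.1.5.22
2011-12-05T08:01:55 host=fs01 user=jdoe action=login result=success src=10.1.5.22
2011-12-05T08:02:30 host=fs01 user=jdoe action=read file=/hr/payroll.xlsx
2011-12-05T09:15:00 host=db01 user=asmith action=login result=fail src=10.1.7.9
2011-12-05T09:40:00 host=db01 user=asmith action=login result=success src=10.1.7.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

# Rule parameters an organization tunes for its own environment
# (the "customizable correlation rule" part of the selection criteria).
RULE = {
    "name": "brute-force-then-success",
    "fail_threshold": 3,            # failures needed before a success is suspicious
    "window": timedelta(minutes=5), # failures older than this are forgotten
    "severity": "high",
}


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m.group("ts"))}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def open_ticket(rule, event, failures):
    """Stand-in for the workflow hand-off to a ticketing system such as Remedy.
    Here it only builds the record that would be submitted."""
    return {
        "rule": rule["name"],
        "severity": rule["severity"],
        "user": event["user"],
        "host": event["host"],
        "failures": len(failures),
        "ts": event["ts"].isoformat(),
    }


def correlate(lines, rule=RULE):
    """Run the rule over an iterable of log lines and return the tickets raised."""
    recent_fails = defaultdict(deque)  # (user, host) -> timestamps of recent failures
    tickets = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev.get("action") != "login":
            continue  # the rule only looks at login events
        key = (ev["user"], ev["host"])
        window = recent_fails[key]
        # Expire failures that fell outside the configured window.
        while window and ev["ts"] - window[0] > rule["window"]:
            window.popleft()
        if ev.get("result") == "fail":
            window.append(ev["ts"])
        elif ev.get("result") == "success":
            if len(window) >= rule["fail_threshold"]:
                tickets.append(open_ticket(rule, ev, list(window)))
            window.clear()  # a success ends the current attempt sequence
    return tickets


if __name__ == "__main__":
    for ticket in correlate(SAMPLE_LOGS.splitlines()):
        print(ticket)
```

Running the block on the constructed log raises one ticket for `jdoe` on `fs01` (three failures inside the window, then a success); `asmith` raises none because the single failure is older than the five-minute window by the time the success arrives. Raising `fail_threshold` to 4 suppresses the `jdoe` ticket too, which is the kind of per-organization tuning the selection criterion asks for.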