Public sector organisations are heavily targeted due to the rich quantity of data they hold. It’s crucial that citizens can trust their government organisations not to let their personal information fall into the wrong hands. SIEM tools might just be the answer to this. Sascha Giese, Head Geek at SolarWinds, identifies exactly what a SIEM is and how public sector organisations, including governments, can make the right decision when choosing which SIEM tool is right for them.
Cybersecurity is one of the biggest challenges being faced throughout the public sector today. Keeping the data of the general public safe and inaccessible is not only crucial for maintaining the trust of citizens, but also for ensuring critical and sensitive data doesn’t fall into the wrong hands. The task of maintaining and advancing cybersecurity in a public sector organisation is complex and while no single tool or technology can solve this problem, Security Information and Event Management (SIEM) software might just be the answer to the biggest dilemmas.
Spelling it out
So, what is SIEM? SIEM tools blend Security Information Management (SIM) with Security Event Management (SEM) capabilities into a single solution, with the intention of providing comprehensive threat detection, incident response and compliance reporting capabilities.
SIEM tools work by collecting data from event logs of most devices in an organisation, from servers and firewalls to anti-malware and spam filters. The software then analyses these logs, identifies any anomalous activity and issues an alert – or, in many cases, responds automatically.
Specifically, with SIEM software, an IT professional can quickly identify potentially suspicious activity, learn who has been affected and implement automated mechanisms to stop an attack before it affects the organisation. And when the IT organisation in question is part of the public sector, protecting central government data from harm means protecting people across the UK.
One of the main advantages of SIEM software is how it pulls together data consolidation and centralisation. When data is coming from multiple places – for example, from different departments of a hospital, or across different sites – SIEM software consolidates and analyses this data in its entirety; the IT team can then view all the data from a single dashboard. A single, unified view can help find trends, spot any unusual activity and help establish a proactive (as opposed to a reactive) response.
Making the right decision
The range of SIEM tools from third-party businesses today is huge, with each offering its own benefits. These tools can provide everything an organisation needs, from big data analytics to centralised forensic visibility to artificial intelligence-driven behaviour analytics. However, it can be a real challenge to choose a tool to best fit the organisation’s requirements.
There are multiple things to consider when choosing a SIEM solution. Some are more obvious than others, such as scalability; IT teams understand the importance of investing in a tool that will grow as the organisation’s needs grow. Cost is also always a major factor, particularly for the public sector where budgets are typically quite restricted.
Other things to consider may be less obvious, but are just as important, such as:
- Does the SIEM provide enough native support for all relevant log sources? It will be integrating a lot of data from a lot of different sources. Be sure the chosen toolset matches well with the types of devices from which it will be collecting and analysing information.
- If the SIEM doesn’t have native support for a relevant log source, how quickly and easily can it be created, and can it support custom log sources for applications developed in the organisation? Government IT teams will often have to develop bespoke applications to handle their unique activities, so choose a tool that can easily be extended to support new data sources as needed.
- How well, and quickly, can the SIEM tool analyse data? The quicker the IT security team can identify and contain threats, the more secure the organisation and its data. Reducing the time to detection (TTD) is critical to prevent exposure, data loss, and compromise. Choose a SIEM tool with the ability to provide advanced analysis quickly, with little security team intervention to free up their time for other tasks.
- Does the SIEM include useful, relevant, easy-to-use out-of-the-box reports? The value in the visibility provided through SIEM software is the ability to see one report or one chart encompassing a vast amount of data. Be sure the organisation’s chosen tool provides templates that can be easily implemented and just as easily customised where necessary. The quicker the tool is up and running, the quicker security threats can be identified and thwarted.
- Does the SIEM make it easy to explore the log data and generate custom reports from this? Out-of-the-box reports are always useful, but sometimes questions are asked requiring teams to dig a little deeper and create a more customised view to show senior management. Choose a tool that simplifies the data exploration and reporting function to help you get answers quickly and with minimal effort.
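To make the collection, consolidation and correlation steps described above concrete, here is an added Python example (not SolarWinds code and not from the article): three constructed log formats, including a hypothetical bespoke "caseapp" source standing in for an in-house application, are normalised into one schema and run through a single correlation rule that raises an alert and records the time to detection.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines from three sources in three formats (not real logs):
# a firewall, a Linux auth log, and a hypothetical bespoke "caseapp" service.
RAW_LOGS = [
    ("firewall", "2024-03-01T10:00:01 DENY src=203.0.113.5 dst=10.0.0.8 port=22"),
    ("auth", "Mar  1 10:00:05 srv01 sshd: Failed password for admin from 203.0.113.5"),
    ("auth", "Mar  1 10:00:09 srv01 sshd: Failed password for admin from 203.0.113.5"),
    ("auth", "Mar  1 10:00:12 srv01 sshd: Failed password for admin from 203.0.113.5"),
    ("auth", "Mar  1 10:00:20 srv01 sshd: Accepted password for admin from 203.0.113.5"),
    ("caseapp", "caseapp|2024-03-01 10:01:00|export|user=admin|ip=203.0.113.5"),
]

# One parser per log source; each maps its native format onto a common schema.
def parse_firewall(line):
    m = re.match(r"(\S+) (\w+) src=(\S+) ", line)
    return {"ts": datetime.fromisoformat(m[1]), "action": m[2].lower(), "src_ip": m[3], "user": None}

def parse_auth(line):
    m = re.match(r"(\w{3}\s+\d+ [\d:]+) \S+ sshd: (\w+) password for (\S+) from (\S+)", line)
    ts = datetime.strptime("2024 " + m[1], "%Y %b %d %H:%M:%S")  # syslog lines carry no year
    return {"ts": ts, "action": m[2].lower(), "src_ip": m[4], "user": m[3]}

def parse_caseapp(line):  # custom source for a hypothetical in-house application
    _, ts, action, user, ip = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "action": action, "src_ip": ip[3:], "user": user[5:]}

PARSERS = {"firewall": parse_firewall, "auth": parse_auth, "caseapp": parse_caseapp}
def normalise(raw_logs):
    """Consolidate every source into one time-ordered event stream (the single view)."""
    events = []
    for source, line in raw_logs:
        events.append({**PARSERS[source](line), "source": source})
    return sorted(events, key=lambda e: e["ts"])

def detect_bruteforce_success(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule: >= threshold failed logins from one IP, then a success within window."""
    failures, alerts = {}, []
    for ev in events:
        if ev["source"] != "auth":
            continue
        if ev["action"] == "failed":
            failures.setdefault(ev["src_ip"], []).append(ev["ts"])
        elif ev["action"] == "accepted":
            recent = [t for t in failures.get(ev["src_ip"], []) if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "src_ip": ev["src_ip"],
                               "user": ev["user"], "time_to_detect": ev["ts"] - recent[0]})
    return alerts
```

Adding a new log source means registering one more parser in PARSERS; the correlation rule and the unified event stream do not change.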
At the end of the day, government cybersecurity is never going to be an easy fix. It’s becoming one of the most important aspects of an IT department’s remit, if it isn’t already, and so it’s key to understand and implement the right solutions to support these employees where they need it most. Cybercriminals are getting smarter and finding more and more creative ways to infiltrate computer systems and networks. In the public sector – where funding for new and innovative technologies isn’t always readily available – IT leaders should prioritise the tools that will provide the most value and deliver the most effective performance across the organisation.
With its ability to identify, alert and even resolve security issues faster than a human employee, a SIEM tool might just be what prevents the next WannaCry disaster.