Public sector security: 4 considerations for implementing a modern SIEM

06-women-on-steps.jpg

If you’re a public sector organization, security is top of mind. One of the best ways you can secure your data and systems is through a modern SIEM platform, which many government agencies and education institutions are using as a critical piece of their Zero Trust cybersecurity architecture.

SIEM technology and strategy is constantly changing, and keeping up with the latest updates and requirements can be challenging. Whether you’re new to SIEM or thinking of augmenting your current SIEM, here are some considerations to keep in mind for public sector.

Back to basics: What is SIEM?

For those not familiar, SIEM — or security information and event management — is a security management system that holistically looks at data from multiple sources, detects issues, and takes action. SIEM technology combines SIM (security information management) and SEM (security event management), and has logging at the heart of its functionality.

Depending on the size and scope of your organization, you may already have a SIEM, or have one and need to re-evaluate — 47% of public sector organizations globally say they will replace or augment their SIEM.

According to FedTech Magazine, adoption of advanced SIEM technologies is increasing across U.S. federal agencies, due to NIST guidance and updated logging requirements. In the U.K., SIEM capabilities are so crucial that the National Cyber Security Centre (NCSC) has posted guidance on how organizations can set up basic logging functions for cybersecurity purposes, as a first step even before having a SIEM — noting that logging is “crucial if you want to detect and catch cyber attackers.”

Why is SIEM important for public sector now? 

Cyber threats are increasing and becoming more targeted. Cybercrime is expected to grow 15% year over year through 2025, according to Cybercrime Magazine. And the global average cost of a data breach is $4.35 million — and higher in the U.S. at $9.44 million. Public sector continues to be a target for cyber crime, given its use of highly sensitive data such as health records, citizen IDs, and more. Globally, the education sector experiences the highest number of cyber attacks, followed by government.

Data is multiplying, and SIEMs can scale. These days, it’s not unusual for data conversations to focus around the word “petabytes.” Data usage is certainly not decreasing anytime soon. SIEM technology can aggregate all this information from any source and enable IT teams to find anomalies in real time — and thwart threats proactively, before they have time to infiltrate your organization or affect your constituents. And because data comes in several forms (such as structured and unstructured), a SIEM that can quickly sift through both types quickly is worth its weight in gold.

SIEM streamlines tools for IT and security teams. Public sector teams are competing with private sector organizations for IT and security talent, and frequently coming up short. Under-resourced teams have too much data to dig through on their own, making automation and data consolidation at scale absolutely essential — along with the ability to aggregate under a single view. Additionally, cloud-based solutions help put SIEM tools within the affordability range of smaller agencies and organizations that may previously not have had the resources for an on-premise solution.

SIEM empowers teams to make mission-critical decisions quickly. With a single unified agent, you can deepen host visibility, block ransomware and malware, streamline inspection, and invoke remote response action. This is crucial in a cybersecurity environment where every second counts, and where data may be coming from, or going to, critical environments such as the battlefield edge.

What are some key considerations for successful public sector SIEM implementation?

There are a number of considerations to look out for when choosing your SIEM solution — such as how often you add data sources, the size of your team, and what your current processes look like. In addition to the more common factors, for the public sector specifically, we recommend keeping the following top of mind: 

1) Ability to search past logs 

Recent directives such as M-21-31 in the U.S. are focusing on the ability to investigate the true history of long dwell-time attacks and requiring agencies to retain logs for longer periods (for M-21-31, 72 hours for full packet capture data to 12 months for active storage to 18 months for cold storage data). These requirements are significantly longer than previously stipulated, so they should be front and center in your search for the right SIEM solution. Many legacy SIEMs only keep 30 days’ worth of data and force older data to cold storage, which gets very expensive and cumbersome to manage.

2) Speed at scale 

As your organization increases its data use, as it inevitably will, you can’t compromise on speed. When it comes to mission-critical data, every millisecond makes a difference. Consider not just how fast a SIEM solution is now, with the data sources you currently use, but project how much data you may consume in the future and whether the speed will be affected by the increase. Plus, if you can’t search this data quickly, your agency is wasting team resources. Most public sector security teams just don't have the luxury of restoring archives to the SIEM. In this case, having a searchable frozen tier is essential.

3) Log storage requirements and costs 

Pay attention to how a SIEM provider structures their fees. Many legacy SIEM platforms base licensing cost on the amount of daily storage you’re using. That pricing model will quickly become unmanageable for many public sector agencies that are experiencing a significant increase in log collections due to recent cybersecurity mandates. Look for a flexible solution that will scale with your organization.

4) On prem or in cloud 

It’s important to know how much flexibility solution providers are offering around cloud and on-prem. Some SIEM solutions are available only on cloud, which may be a deal-breaker for public sector organizations that need an on-prem solution, or at least the option for it. If you’re interested in cloud, make sure any cloud-based SIEM solutions align to any relevant government compliance mandates and regulations such as FedRAMP. 

Learn more about SIEM for public sector