A modern SIEM for whole-of-state cybersecurity
US state and local government agencies continue to contend with a dizzyingly complex IT environment, which includes data silos, tool sprawl, rising cyber threats, and limited availability of cybersecurity experts. In response, many state CISOs are exploring a “whole-of-state” cybersecurity strategy, which aims to bolster their state’s security through centralization and collaboration.
According to a Deloitte/NASCIO study, 42% of states have instituted legislation or funding for a state-wide cybersecurity program or framework — evidence that a whole-of-state approach is putting down some solid roots.
What is whole-of-state cybersecurity?
A whole-of-state security strategy is an approach that many US states are taking to consolidate security services under the leadership of a state CISO. Such a strategy would enable local government agencies, school districts, state agencies, public colleges and universities, and even the private sector to leverage the same security tools, systems, team, and strategy. Benefits of whole-of-state security include centralized budgeting and resources, reduction of duplicative work and tools, and ultimately stronger security and incident response.
Though intent and vision may be there, CISOs are still in the early stages of implementing whole-of-state strategies. According to NASCIO/Deloitte, 64% of state CISOs have limited to no collaboration with local agencies, and 70% have limited to no collaboration with K–12 school districts.
Why SIEM for whole-of-state cybersecurity?
As CISOs start mapping out the potential technological underpinnings of a whole-of-state cybersecurity program, a critical component to consider is a SIEM (security information and event management) solution. Many individual agencies have run SIEMs for years as a way to holistically examine logging data from multiple sources, detect cyber threats, and remediate issues.
However, moving to a centralized shared-services security approach necessitates re-examining your SIEM’s capabilities to ensure it’s up for the (much larger) task. And for what it’s worth, states aren’t alone in re-evaluating their legacy SIEM tools right now — 44% of organizations report that they are looking to replace or augment their SIEM.
How can SIEM strengthen whole-of-state cybersecurity?
Cyber threats are increasing and becoming more targeted
Cyber threats targeted at government increased by 95% in the second half of 2022 (compared to the same period the previous year). And they come at a significant price: the global average cost of a data breach is $4.35 million — and higher in the US at $9.44 million. State and local government agencies continue to be a target for cyber crime, given the prevalence of highly sensitive data such as health records, citizen IDs, and more.
A SIEM can scale at speed
As you consolidate security services under a unified umbrella, you’ll bring together large quantities of logging data from previously disparate agencies, tools, and systems. SIEM technology can aggregate all this information from any source and enable IT teams to find anomalies in real time — and thwart threats proactively, before they have time to affect your operations, data, or services. And because data comes in several forms (such as structured and unstructured), a SIEM that can quickly sift through both types is invaluable for statewide initiatives.
SIEM streamlines processes and tools for under-resourced security teams
Local government agencies, schools, and universities are competing with private sector organizations for IT and security talent. In fact, 50% of state CISOs say that “inadequate availability of cybersecurity professionals” is a barrier to cybersecurity.
Under-resourced teams have too much data to dig through on their own, making automation and data consolidation at scale absolutely essential — along with the ability to aggregate under a single view. Additionally, cloud-based solutions facilitate cross-organization sharing and help make SIEM more affordable.
SIEM empowers teams to make wide-scale decisions quickly
With a single, unified agent, you can deepen host visibility, block ransomware and malware, streamline inspection, and invoke remote response action. This is crucial in a cybersecurity environment where every second counts, and where data may be coming from, or going to, critical environments that involve vital infrastructure, social services, or student data. When multiple agencies and organizations have access to the same centralized data, you enable your extended team to make fast, collaborative decisions — no matter where they are or where they work.
What are some key considerations for successful whole-of-state SIEM implementation?
There are a number of considerations to look out for when choosing your SIEM solution — such as how often you add data sources, the size of your ecosystem, and your current cross-organization processes. For CISOs looking to integrate SIEM into their whole-of-state cybersecurity strategy, we recommend prioritizing the following capabilities:
1) The ability to bring security analytics to the data
Many SIEM solutions require you to move your data to a central location for analysis. State CISOs need a SIEM that does not require data to be moved outside of the departments, since much of the data they’re responsible for is sensitive and needs to stay within a department’s own network. Elastic’s SIEM solution allows all data to be searched and analyzed from where it resides — ensuring that sensitive data remains within each agency — yet still allowing analysts at the state level to access, search, and analyze that data in order to detect threats, identify patterns, and remediate as needed. Very few SIEM solutions offer this capability, so it’s a good idea to lead with this as a conversation starter as you evaluate your current or prospective SIEM.
2) Quick access to historical data
Recent directives such as M-21-31 in the US are focusing on the ability to investigate the true history of long dwell-time attacks and requiring agencies to retain logs for longer periods (M-21-31 specifies 72 hours for full packet capture data, 12 months of active storage, and 18 months of cold storage).
Even if these mandates are not directly applicable to you, it’s worth noting that these retention requirements are significantly longer than previously stipulated, driving home the importance of historical logging data in government cybersecurity strategy. The ability to store and access data affordably should be front and center in your search for the right SIEM solution. Many legacy SIEMs only keep 30 days’ worth of data and force older data to cold storage, which can get expensive and cumbersome to manage.
3) Consistent functionality at scale
As you deal with increasing amounts of data from agencies and schools from all across your state, you can’t compromise on speed. When it comes to data that affects your state’s student and citizen services, every millisecond makes a difference. Consider not just how fast a SIEM solution is now, with the data sources you currently use, but project how your data analysis needs will change in the future and whether the speed will be affected by this growth.
Plus, if you can’t search this data quickly, your agency is wasting team resources. Most state security teams don't have the luxury of restoring archives to the SIEM when they need to access historical data. As such, having a searchable frozen tier is essential.
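As an added illustration of the retention and searchable-frozen-tier points above (this is not from the original article or from Elastic’s documentation), the following Elasticsearch index lifecycle management policy maps the M-21-31 figures onto tiers: indices roll over monthly, stay on hot and warm nodes until 12 months after rollover, are then mounted from a snapshot as a searchable frozen tier for a further 18 months (548 days), and are deleted at 913 days. The repository name `state-siem-archive` and the rollover thresholds are placeholders; it would be installed with `PUT _ilm/policy/<policy-name>`.

```json
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_primary_shard_size": "50gb",
            "max_age": "30d"
          }
        }
      },
      "warm": {
        "min_age": "30d",
        "actions": {
          "forcemerge": { "max_num_segments": 1 },
          "set_priority": { "priority": 50 }
        }
      },
      "frozen": {
        "min_age": "365d",
        "actions": {
          "searchable_snapshot": {
            "snapshot_repository": "state-siem-archive"
          }
        }
      },
      "delete": {
        "min_age": "913d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}
```

Note that `min_age` is measured from the rollover of each index, so the effective retention is the phase ages plus up to one `max_age` period; the frozen tier keeps the 18 months of cold data searchable without restoring archives into the cluster.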
4) Log storage requirements and costs
Note how a SIEM provider structures its licensing and costs. Many legacy SIEM providers charge you based on how much data you have to store. This pricing model can quickly become unmanageable when you have large quantities of logging data. Therefore, especially when supporting a whole-of-state approach, choose a flexible solution that will scale as you expand and connect more organizations into your shared security services.
5) In the cloud, on-prem, or both
Some SIEM solutions are available only in the cloud, which may be a deal-breaker for organizations that need an on-prem solution, or at least the option for it. If you’re interested in cloud, a good baseline is to look at SIEM solutions that are FedRAMP compliant, so you know they have gone through rigorous security approvals (even if you’re not required to adhere to FedRAMP).
6) Flexibility and adaptability
Legacy SIEM solutions struggle to bring together data from disparate tools, teams, or agencies. A modern SIEM, on the other hand, offers flexibility to adapt to your needs via custom integrations, dashboards, and workflows. When a SIEM is built on a platform with an open foundation, data sharing becomes significantly easier (and you also get access to a longstanding community of experts who have implemented SIEM solutions in a variety of environments and use cases).