LogRhythm Security Intelligence and Analytics in the Public Sector Whitepaper 2016
SECURITY INTELLIGENCE IN THE PUBLIC SECTOR
Executive Summary
As state agencies, civilian agencies and military branches grow more dependent
on systems and communications in cyberspace, defending the underlying
infrastructure and the information and data it transports is absolutely essential
to our nation’s security and well-being. Cyber threats are constantly evolving,
and agencies must operate under the assumption that a motivated adversary can
and will infiltrate their network environments.
Enormous annual investments in cybersecurity strategies, products and services
have resulted in an overly complex security infrastructure that sometimes fails
to detect malicious intrusions in a timely manner. This is largely due to disjointed
intelligence, alert overload and a dearth of skilled cybersecurity practitioners.
A security intelligence and analytics platform can actually simplify an agency’s
approach to cybersecurity by unifying and analyzing disjointed threat data in order
to surface the important threats and provide automated response capabilities.
The main objective of a security intelligence and analytics platform is to deliver
the right information, at the right time, with the appropriate context, to the
right people in order to significantly decrease the amount of time it takes to
detect and respond to damaging cyber threats. Such a platform takes forensic
data from existing security tools (e.g., log data from firewalls and user activity
from behavioral analytics systems) and aggregates, correlates, and analyzes
the information. This takes the burden off people who would otherwise need to
perform these activities manually to find the threats that pose the biggest risk
to the agency.
A security intelligence platform can help agencies by:
• Increasing the value of their investments in existing security technology
• Discovering and alerting on threats quickly so they can be blocked or stopped
• Increasing the agency’s level of security intelligence maturity
• Meeting compliance requirements for applicable standards and regulations
By following best practices to simplify security intelligence, an agency reduces
the burden on its security operations team and allows technology to do the work
of surfacing and responding to cybersecurity threats.
The LogRhythm Security Intelligence and Analytics Platform empowers agencies
to detect, respond to and neutralize emergent cyber threats, thus preventing
damaging data breaches and other cyber incidents. The deep visibility and
insight delivered by LogRhythm’s platform empowers agencies to secure their
environment and comply with regulatory requirements.
Introduction
Civilian, military and state agencies alike have
grown dependent on a complex set of networks and
communications that represent their own slice of
cyberspace. Due to this dependency, these complex
systems are part of the United States’ national critical
infrastructure. Defending this infrastructure—and more
importantly, the information and data it transports
and holds—is essential to our nation’s security and
well-being. A strong cyber defense has an impact on
every agency’s mission success.
The threats against this infrastructure are dynamic and
constantly evolving. Some threats are quite advanced and
persistent in their pursuits. Threat actors are well organized
and well-funded, and many of them are known to be
supported by nation states. Attackers relentlessly look for
vulnerabilities to exploit and patiently wait for the right
time to strike. They change their tactics quickly and more
easily than agencies can update their defenses. For most
agencies today, if motivated adversaries want to penetrate
a network, they will.
While defensive strategies are still critically essential today,
it’s even more important to have the ability to find and
associate the subtle signs that a computer system has been
compromised—and to do so quickly to have the opportunity
to disrupt the attack. The time between compromise and
mitigation is a period of great risk for an agency.
Unfortunately, the time it takes to discover a compromise
(known as mean time to detect, or MTTD) is often measured
in weeks or months. The time it takes to process sufficient
intelligence about the attack in order to respond to it
(known as mean time to respond, or MTTR) is too often
measured in days or even weeks. Given such a lengthy head
start, the attackers most likely have already succeeded in
their malicious mission.
The Federal government has already invested tens if not
hundreds of billions of dollars in cybersecurity strategies,
products, and services. All of this investment has led to
an overly complex security infrastructure that exceeds
the human capacity to operate and maintain it efficiently
and effectively. Incident alerts numbering in the tens of
thousands each day overwhelm the security operations
(SecOps) teams who cannot possibly investigate and
respond to everything.
Across the board with the public sector, there are two
pervasive issues that contribute to this complexity:
• the fact that security tools are, more often than not,
deployed in silos, and
• a lack of trained InfoSec professionals in the
cybersecurity workforce.
Security tools, and the intelligence derived from them, are
often deployed in silos.
These are all valuable tools in their own right, and a layered
defense using multiple tactics is critically important,
but the result is a complex security environment with
disjointed intelligence and too many alerts to realistically
evaluate and respond to. Too often, these products aren’t
integrated—meaning they can’t exchange and correlate
data—so there is little opportunity to connect the dots that
would point to an intrusion. Too many individual dots create
a fog that masks the signs of an attack.
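The aggregate, correlate and analyze loop described in the executive summary, and the "connect the dots" problem across siloed tools just above, as an added example that is not LogRhythm's code or part of the whitepaper: two constructed log silos (a firewall and an SSH server) are normalized into one event schema, correlated by source address so that a burst of denies followed by a successful login surfaces as a single alert, and MTTD/MTTR are computed from constructed incident timestamps. The log formats, hostnames, addresses, thresholds and incident dates are all assumptions made for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records from two siloed tools (not real data).
FIREWALL_LOG = """\
2016-03-01T08:00:05Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2016-03-01T08:00:09Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2016-03-01T08:00:14Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2016-03-01T08:01:00Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22
2016-03-01T08:05:00Z fw01 ALLOW src=198.51.100.2 dst=10.0.0.8 dport=443
"""
AUTH_LOG = """\
2016-03-01T08:01:02Z srv05 sshd: Accepted password for admin from 203.0.113.7
2016-03-01T08:05:30Z srv08 sshd: Accepted publickey for deploy from 198.51.100.2
"""

# Assumed line formats for the two silos; a real platform carries one parser per source.
FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: Accepted \S+ for (\S+) from (\S+)$")


@dataclass(frozen=True)
class Event:
    """Common schema that both silos are normalized into."""
    ts: datetime
    source: str   # host or tool that produced the record
    kind: str     # "fw_deny", "fw_allow" or "auth_success"
    src_ip: str
    detail: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_firewall(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # unknown format: skip the line rather than stop the pipeline
        ts, host, action, src, dst, port = m.groups()
        events.append(Event(parse_ts(ts), host, f"fw_{action.lower()}", src, f"{dst}:{port}"))
    return events


def parse_auth(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, host, user, src = m.groups()
        events.append(Event(parse_ts(ts), host, "auth_success", src, f"user={user}"))
    return events


def correlate(events: list[Event], min_denies: int = 3,
              window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Alert on a source IP denied min_denies times and then authenticating within window.

    Neither silo alone shows this pattern: the firewall sees only denies, the
    server sees only a normal-looking successful login.
    """
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        denies = [e for e in evs if e.kind == "fw_deny"]
        for auth in (e for e in evs if e.kind == "auth_success"):
            recent = [d for d in denies if auth.ts - window <= d.ts <= auth.ts]
            if len(recent) >= min_denies:
                alerts.append({"src_ip": ip, "denies": len(recent), "auth_at": auth.ts,
                               "host": auth.source, "detail": auth.detail})
                break  # one alert per source address is enough for the analyst
    return alerts


@dataclass(frozen=True)
class Incident:
    compromised_at: datetime
    detected_at: datetime
    responded_at: datetime


# Constructed incident history used only to illustrate the two metrics.
SAMPLE_INCIDENTS = [
    Incident(datetime(2016, 1, 1), datetime(2016, 1, 15), datetime(2016, 1, 17)),
    Incident(datetime(2016, 2, 1), datetime(2016, 2, 29), datetime(2016, 3, 4)),
]


def mttd(incidents: list[Incident]) -> timedelta:
    """Mean time to detect: compromise to detection, averaged over incidents."""
    return sum((i.detected_at - i.compromised_at for i in incidents), timedelta()) / len(incidents)


def mttr(incidents: list[Incident]) -> timedelta:
    """Mean time to respond: detection to response, averaged over incidents."""
    return sum((i.responded_at - i.detected_at for i in incidents), timedelta()) / len(incidents)


if __name__ == "__main__":
    for a in correlate(parse_firewall(FIREWALL_LOG) + parse_auth(AUTH_LOG)):
        print("ALERT", a)
    print("MTTD", mttd(SAMPLE_INCIDENTS), "MTTR", mttr(SAMPLE_INCIDENTS))
```

Running the block flags only 203.0.113.7 (three denies followed by an accepted password login on srv05); 198.51.100.2 logs in without prior denies and stays quiet. The two metric functions are the same arithmetic an agency would run over its own incident records to track whether detection and response times are actually shrinking.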
Organizations in the public sector are struggling with
keeping trained personnel on staff due to the lack of
trained InfoSec professionals in the workforce and
frequent turnover.
This issue becomes more acute when teams spend time
training a resource to become highly proficient, and then
that resource leaves. This tends to happen frequently in the
public sector because resources are working on a contract
basis, or they move to the private sector for more attractive pay.
New analysts coming in to fill the vacated roles need time
to ramp up and gain similar expertise. In the meantime, the
mission is jeopardized when the security team is a jack of all
trades but a master of none.
With too much complexity and not enough trained
people, it’s crucial that DoD, civilian and state
agencies simultaneously simplify and strengthen
their approach to cybersecurity to be successful in
their true missions and to stay a step ahead of cyber
adversaries and nation states.