An ambitious project to create a statewide cyber-alert "early warning" system in the state of Washington to link with the federal Department of Homeland Security (DHS) is starting to take shape and could be a cybersecurity monitoring model for other states.
Security information and event management tools require fine-tuning
The "Public Regional Information Security Event Management" system (PRISEM) is designed to offer an online early warning about everything from botnet incursions on compromised desktops to possible full-fledged cyber-attacks from terrorists. As now designed, PRISEM will use customized security and information event management (SIEM) equipment from NitroSecurity that's being kept at the University of Washington's Applied Physics Lab where researchers will assist on the project, says Michael Hamilton, CISO of Seattle.
PRISEM is intended to be a central security-event and analysis point to aggregate real-time log and event information. Such alerts would be generated from local and state agency networks — and possibly private companies — and offer an early warning system for possible cyber-attacks or botnet activities. DHS would be kept in the loop on PRISEM's security findings.
The city of Seattle for about a year has used its own NitroSecurity-based SIEM with the NitroRSC Correlation Engine to take in security event information from its multiple internal network sources, including intrusion-detection systems, in order to have the SIEM correlate a real-time analysis of any threat situation.
Sharing Seattle's threat data with PRISEM would help others in the state. "Suppose I get an alert about suspected botnet infections on some desktops," Hamilton says. "We all need to know that."
Attacks on SCADA systems would be especially important to monitor, and the idea behind the PRISEM approach is to share this kind of threat data with the central SIEM aggregation point at the University of Washington, where the SIEM would be collecting security-related input from state and local agencies.
Under the PRISEM effort, agencies which would get help in deploying what's known as SIEM collectors for their local security and network gear in order to be able to transmit security-event information to the central PRISEM aggregation point. The analysis of the data they feed in would be eventually shared with other PRISEM participants but only in an aggregated confidential way that shielded the identity of each participating organization. The analysis data would also be shared with the federal government's DHS.
Discussions are ongoing with cities and local organizations that include Bellevue, Kirkland, the Port of Seattle, the Port of Tacoma and other places, including some private-sector firms, including Amazon and Starbucks, whose CISOs participate in the Pacific CISO Forum, says Hamilton who say he has $1.5 billion in the pipeline, including half a million dollars in hand from DHS to help fund the project.
Smaller cities typically have limited IT staff, perhaps only two or three people, and the PRISEM effort would give them a way to gain insight into the big picture of threat activity hitting networks in the state of Washington, without their having to deploy a SIEM on their own. "It's a shared 'community watch' for cyber-threats, says Hamilton.
It would be the first of its kind attempted in the U.S. and could become a model for other states. Optimistic, Hamilton said PRISEM could help in bringing about a viable implementation of public-private cooperation on response to cyber-security threats. He adds some efforts that have been around for some time, including the federally-organized Information Sharing and Analysis Centers that encourage attendance by industry, simply don't do enough to help in the response to today's real-time threats.
Read more about wide area network in Network World's Wide Area Network section.