City of Los Angeles Makes SIEM a Star

Centralizes Cybersecurity Incident Data Analysis

Cybersecurity tools have evolved, and state and local agencies today collect mountains of data on cyberthreats. Not surprisingly, 68 percent of Fed, State, and Local cyber pros report their organization is overwhelmed by the volume of security data they collect. But, as the City of Los Angeles—and 86 percent of government cyber pros —know, big data holds the key to effective cybersecurity.

The City of LA’s Information Technology Agency (ITA) is managing all network traffic for 41 of 44 city departments and working to protect the networks from cyberthreats before the threats can break through. City of LA has centralized cybersecurity efforts through a Cyber Intrusion Command Center, the city-wide cybersecurity working group that leads cybersecurity preparation and response to security incidents. They are also implementing the City’s first Integrated Security Operations Center that collects and correlates logs and events into a single database and a meaningful dashboard to provide a high-level security posture city wide. Collecting and correlating data from all 41 departments has proved to be an extensive task—the data collected includes 14 million+ events in every 24-hour period.

Like many other cities across the U.S., Los Angeles has worked within tight budget and personnel constraints. Timothy Lee, the city’s chief information security officer (CISO), wanted his team to be able to focus more on incident response vs. system management. Against the backdrop of limited resources, Lee spearheaded the implementation of a new security information and event management (SIEM) solution to help consolidate, maintain, and analyze security data across the city’s multiple departments.

“The ITA receives data from city agencies ranging from Financials to LA Tax to City Internet,” says Lee. “Prior to implementing the SIEM solution, it was necessary to pull security logs from each department individually, analyze each on its own, then try to correlate data manually with multiple security tools. That was a slow process that left a lot of room for error. We were not able to proactively tackle enough of the cyberthreats infiltrating our networks.”

Safer, Together

Leveraging Splunk software, Lee devised a plan to customize the platform to meet the city of LA’s security analysis needs, while staying within resource and budget boundaries.

Lee based the city’s cybersecurity program on the NIST Cybersecurity Framework, a set of standards, guidelines, and practices that promotes the protection of critical infrastructure and management of cybersecurity-related risk, selecting tools that directly and indirectly fell within the program template.

Given the limited resources—from staffing to budget—the city deployed Splunk Cloud together with the Splunk App for Enterprise Security (ES), to centrally manage security operations. Using Splunk Cloud and ES, the team gains cloud-based SIEM functionality to manage and correlate all security events from the different security appliances across the city departments. The team is also able to monitor and analyze everything from clickstreams and transactions to security events and network activity, turning machine-generated data into valuable intelligence that in turn drives good decisions.

SIEM functionality delivered by Splunk Cloud and ES has provided ITA with the ability to correlate all security events from all security appliances across the network, in one place. Instead of going to each of the 41 departments, Lee and his team can now correlate and analyze all data from a centralized, customized dashboard, 24 x 7 any time, anywhere.

The new technology has also enabled smooth collaboration between the city’s Cyber Intrusion Command Center and FBI CyberHood Watch. With the data in one place, the City of LA and its FBI counterpart can quickly and efficiently gather information about threats, and identify strategies to prevent future intrusions.

Security First

“Security is the precursor to ensuring optimal performance from city departments,” says Lee. “Looking at where we were before and after implementing the Splunk platform for our SIEM solution, I can confidently say we have avoided a number of catastrophic security breach situations because we implemented these proactive tools. We have blocked intrusion attempts, have been able to swiftly correlate data and share among departments across the city, and have been able to expedite the time it takes to close these security incident tickets.”

Moving forward, Lee and his team plan to continue building on the city’s cyber-initiatives. They are developing additional customized dashboards for both the ITA and other city stakeholders. These dashboards will enable the LAPD, LAFD, LA Bureau of Engineering, and other tier one departments to isolate their own security data and develop the most effective cyber strategy for their department needs.

Learning from LA

The City of LA has successfully improved cybersecurity by consolidating and centralizing security information management and analysis. Lee’s efforts are a model for effective change, working within budget realities. His advice is to be very clear about where you want to go and the resources you have, and then fill the gap. Work within an established framework, such as the NIST Framework for Cybersecurity. Ensure your Cloud Service Provider (CSP) is FedRAMP compliant.

Under Lee’s leadership, the City of LA has set the stage for other government organizations as they evolve cybersecurity infrastructures and protect government data against known and unknown threats. As a result, they are able to stay focused on their real mission: delivering citizen services.

^1,2 “Go Big Security.” MeriTalk, April 2015.