An ambitious project to create a statewide cyber-alert "early warning" system in the state of Washington to link with the federal Department of Homeland Security (DHS) is starting to take shape and could be a cyber security monitoring model for other states.
The Public Regional Information Security Event Management system (PRISEM) is designed to offer an online early warning about everything from botnet incursions on compromised desktops to possible full-fledged cyber-attacks from terrorists. As now designed, PRISEM will use customised security information and event management (SIEM) equipment from NitroSecurity that is being housed at the University of Washington's Applied Physics Lab, where researchers will assist on the project, says Michael Hamilton, CISO of Seattle.
PRISEM is intended to be a central security-event and analysis point to aggregate real-time log and event information. Such alerts would be generated from local and state agency networks - and possibly private companies - and offer an early warning system for potential cyber-attacks or botnet activities. DHS would be kept in the loop on PRISEM's security findings.
For about a year the city of Seattle has used its own NitroSecurity-based SIEM, with the NitroRSC Correlation Engine, to collect security event information from its multiple internal network sources, including intrusion-detection systems, so that the SIEM can correlate events and produce a real-time analysis of any threat.
Sharing Seattle's threat data with PRISEM would help others in the state. "Suppose I get an alert about suspected botnet infections on some desktops," Hamilton says. "We all need to know that."
Attacks on SCADA systems would be especially important to monitor, and the idea behind the PRISEM approach is to share this kind of threat data with the central SIEM aggregation point at the University of Washington, where the SIEM would be collecting security-related input from state and local agencies.
Under the PRISEM effort, agencies entitled to receive help in deploying what are known as SIEM collectors for their local security and network gear would be able to transmit security-event information to the central PRISEM aggregation point. The analysis of the data would eventually be shared with other PRISEM participants, but only in an aggregated, confidential form that shields the identity of each participating organisation. The analysis data would also be shared with the federal government's DHS.
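The sharing step just described, collectors forwarding events to a central point that hands back an aggregated view without naming who reported what, is illustrated below. This is an added example, not PRISEM or NitroSecurity code; the event fields, participant names, indicators and the pseudonym key are all constructed for the demonstration.

```python
"""Aggregate security events from several participants and produce a report
that shields participant identity. Constructed example; not PRISEM code."""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample events, in the shape a collector might forward:
# who reported it, which detection fired, and the indicator involved.
SAMPLE_EVENTS = [
    {"participant": "city-a", "signature": "botnet-c2-beacon", "indicator": "198.51.100.23"},
    {"participant": "city-a", "signature": "botnet-c2-beacon", "indicator": "198.51.100.23"},
    {"participant": "city-b", "signature": "botnet-c2-beacon", "indicator": "198.51.100.23"},
    {"participant": "port-c", "signature": "scada-modbus-scan", "indicator": "203.0.113.9"},
    {"participant": "city-b", "signature": "ssh-bruteforce", "indicator": "192.0.2.77"},
]

# Assumption: a secret held only by the aggregation point, so recipients of
# the report cannot recompute which pseudonym belongs to which organisation.
PSEUDONYM_KEY = b"constructed-demo-key"


def pseudonymise(participant: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of a participant name: stable for deduplication, not reversible
    without the key."""
    return hmac.new(key, participant.encode(), hashlib.sha256).hexdigest()[:12]


def aggregate(events, min_orgs: int = 2):
    """Collapse raw events into per-(signature, indicator) rows.

    Each row carries the event count and the number of distinct organisations
    that reported it; participant names never reach the output. Rows seen at
    min_orgs or more organisations are flagged as cross-organisation activity,
    the kind of signal one agency alone could not see.
    """
    counts = defaultdict(int)
    orgs = defaultdict(set)
    for event in events:
        key = (event["signature"], event["indicator"])
        counts[key] += 1
        orgs[key].add(pseudonymise(event["participant"]))

    report = []
    for signature, indicator in counts:
        key = (signature, indicator)
        report.append({
            "signature": signature,
            "indicator": indicator,
            "events": counts[key],
            "organisations": len(orgs[key]),
            "cross_org": len(orgs[key]) >= min_orgs,
        })
    # Most widely seen activity first.
    return sorted(report, key=lambda r: (-r["organisations"], -r["events"]))


def leaks_identity(report, participants) -> bool:
    """Sanity check before release: True if any participant name appears in the report."""
    text = repr(report)
    return any(name in text for name in participants)


if __name__ == "__main__":
    shared = aggregate(SAMPLE_EVENTS)
    for row in shared:
        print(row)
    print("identity leak:", leaks_identity(shared, {e["participant"] for e in SAMPLE_EVENTS}))
```

The report tells every participant that one botnet indicator has been seen at two organisations while the SCADA scan and the brute-force attempts are, so far, single-site, which is exactly the "we all need to know that" signal without exposing who was infected.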
Discussions are ongoing with cities and local organisations, including Bellevue, Kirkland, the Port of Seattle and the Port of Tacoma, as well as some private-sector firms such as Amazon and Starbucks, whose CISOs participate in the Pacific CISO Forum, says Hamilton. He claims he has $1.5 billion in the pipeline, including half a million dollars in hand from DHS to help fund the project.
Smaller city authorities typically have limited IT staff, perhaps only two or three people, and the PRISEM effort would give them a way to gain insight into the big picture of threat activity hitting networks in the state of Washington, without their having to deploy a SIEM on their own. "It's a shared 'community watch' for cyber-threats," says Hamilton.
It would be the first initiative of its kind piloted in the US and could become a model for other states. Hamilton is optimistic that PRISEM could help bring about a viable form of public-private cooperation in responding to cyber-security threats. He added that some longer-standing efforts, including the federally organised Information Sharing and Analysis Centres, simply don't do enough to help in the response to today's real-time threats.