Practice makes perfect. It’s a cliché for a reason: it’s true. The more you work at a particular skill or task, the more proficient you become at it.
Unfortunately for the cyberwarriors charged with the unenviable job of protecting the government’s networks and critical infrastructure, there aren’t many opportunities to get hands-on practice against live adversaries. That makes it hard for the people responsible for a very difficult job to keep their skills honed for the “real thing.”
However, there are occasionally events and training sessions designed to help cyberwarriors polish their incident response abilities in a real-world environment. In fact, one of them is coming up next week – when DLT and LogRhythm will be hosting an event called LogWars.
We recently had the opportunity to sit down with James Carder, the CISO and VP of Labs for LogRhythm and an IDSA Customer Advisory Board Member, to learn more about LogRhythm, LogWars and the types of incident response skills and best practices that government attendees can learn from the planned “Capture the Flag” challenge at the event.
Here is what he had to say:
GovCybersecurityHub (GCH): Can you tell our readers a little bit about LogRhythm and its products and solutions?
James Carder: LogRhythm is the most complete, fully featured platform for the modern security operations center (SOC). We’ve combined log management; security information and event management (SIEM); security analytics; user and entity behavior analytics (UEBA); security orchestration, automation, and response (SOAR); dashboards and reporting; and case management all in one platform.
We have a dedicated Labs team of threat researchers, compliance experts, and operational technology experts that build capabilities and content for our customers, so they don’t have to. We’ve built out workflow, playbook, and integration capabilities, as well as content for general threat detection, ransomware, emerging threats, MITRE ATT&CK and much more. We’ve also developed compliance-specific content for most of the active federal and global compliance regulations, as well as content to support medical devices, electronic health record systems, industrial control systems, SCADA, and IT operations.
The combination of our platform’s content and capabilities gives our customers full visibility into their environments and empowers them to detect, respond to, and contain security events before they become catastrophic breaches. Because of this, our platform has proven popular in a variety of industries and sectors, including the government; we currently support multiple Enterprise Mission Systems within the Department of Defense.
GCH: Why are SIEM solutions so necessary for incident response in government agencies today? How do they help government agencies better protect and defend their networks?
James Carder: You can’t protect what you can’t see. A SIEM platform is necessary to provide centralized visibility of your environment – to not just identify threats but to also take action against them.
This is especially critical in environments as vast, segmented, and unique as those of our government agencies. They have specific, mission-driven requirements (such as running air-gapped environments in remote regions around the globe); see all manner of threats; have a variety of operational, business, mobile, IoT, and security technology; and need a platform to centralize and unify these disparate technologies to create a holistic means to detect and respond to threats.
GCH: When it comes to event management and reporting, what are some of the different regulations that government agencies must be in compliance with? What do these regulations require?
James Carder: There are a number of compliance regulations that include event management and reporting. All flavors of NIST (e.g., 800-171, 800-53, and CSF) have some aspect of centralized event and log management. In addition, there are many other agency-specific compliance frameworks (often based on NIST) that include the same requirements.
Adherence to these regulations can be complicated, which is why we’ve put an emphasis on building pre-built compliance modules into the LogRhythm Platform. These modules help our federal customers assess their current security posture against applicable frameworks and make the changes necessary to become compliant.
These modules are updated alongside their corresponding frameworks as well; for example, when we saw the NIST version 1.1 update in 2018, our LogRhythm Labs team updated our NIST module to meet the new version’s requirements, enabling our customers to maintain compliance.
GCH: LogRhythm is hosting a very interesting event next week called “LogWars.” What is this event? Why should government security professionals attend?
James Carder: LogWars is a bit like a “capture the flag” type of competition. It’s a gamified event in which we team people together and show them how to leverage LogRhythm’s platform to detect and respond to real-world threats. The competition employs real-world attack simulations (e.g., MITRE ATT&CK APT scenarios) and other scenarios that correlate to the types of attacks commonly observed at government agencies.
Generally, the types of skills that will help in the challenge are related to incident response, forensics, and red and blue team activities. If you have experience with LogRhythm’s platform, that would be an advantage as well, but we’ve built the event so even a first-time user has an opportunity to win.
Challenges like this are essential because they’re a bit like tabletop exercises that allow incident responders to sharpen their skills. You get a simulated environment to test how you would detect and respond to real threats – without being completely under the gun as you would be with a real, live incident. It gives you the practice and know-how to ensure you’re not making mistakes in a real attack situation, and it trains SOC teams to respond to and contain real threats more effectively and efficiently.
By the end of the event, participants understand how to successfully detect and respond to these threats – and have had some fun along the way!
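To make the “you can’t protect what you can’t see” point and the ATT&CK-mapped scenarios above concrete, here is an added example of the kind of cross-source correlation a SIEM does. It is example code written for this page, not LogRhythm’s or LogWars’ own content; the log format, hostnames, IP addresses, thresholds and ATT&CK mapping are all constructed for illustration. A VPN log shows a burst of failed logons followed by a success (T1110, brute force); a Windows event log on the host that session was assigned to shows a new service being installed (EventID 7045, T1543.003). Neither source alone looks alarming; joined on the assigned address and a time window, they form one incident.

```python
"""Added example: correlate a VPN auth log with Windows service-install
events to surface a brute-force-then-persistence chain. All sample data,
thresholds and technique tags are constructed for this illustration."""
from datetime import datetime, timedelta

# Constructed VPN log: "timestamp host key=value ..." (not real data).
VPN_LOG = r"""
2024-03-01T09:00:01Z vpn01 result=fail user=jsmith src=203.0.113.5
2024-03-01T09:00:03Z vpn01 result=fail user=jsmith src=203.0.113.5
2024-03-01T09:00:05Z vpn01 result=fail user=jsmith src=203.0.113.5
2024-03-01T09:00:07Z vpn01 result=fail user=jsmith src=203.0.113.5
2024-03-01T09:00:09Z vpn01 result=fail user=jsmith src=203.0.113.5
2024-03-01T09:00:12Z vpn01 result=ok user=jsmith src=203.0.113.5 assigned=10.0.0.45
2024-03-01T09:01:00Z vpn01 result=ok user=mjones src=198.51.100.9 assigned=10.0.0.46
"""

# Constructed Windows security/system log in the same flattened format.
WIN_LOG = r"""
2024-03-01T09:02:10Z ws-046 event=4624 host=10.0.0.46 user=mjones
2024-03-01T09:03:30Z ws-045 event=7045 host=10.0.0.45 service=UpdaterSvc path=C:\Users\Public\u.exe
"""

FAIL_THRESHOLD = 5                   # failures needed before a success is suspicious
FAIL_WINDOW = timedelta(minutes=2)   # failures must fall inside this window
FOLLOW_WINDOW = timedelta(minutes=10)  # how soon after logon we look for persistence


def parse_line(line):
    """Parse 'timestamp host k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, host, *kvs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "logsrc": host}
    for kv in kvs:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate(vpn_events, win_events):
    """Return findings: a success preceded by >= FAIL_THRESHOLD failures from the
    same user/source (T1110), optionally followed by a service install (7045)
    on the assigned host within FOLLOW_WINDOW (T1543.003)."""
    findings = []
    recent_fails = {}  # (user, src) -> list of failure timestamps in window
    for e in sorted(vpn_events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["src"])
        fails = [t for t in recent_fails.get(key, []) if e["ts"] - t <= FAIL_WINDOW]
        if e["result"] == "fail":
            fails.append(e["ts"])
            recent_fails[key] = fails
            continue
        recent_fails[key] = []  # success resets the counter
        if len(fails) < FAIL_THRESHOLD:
            continue
        host_ip = e.get("assigned")
        # Second stage: join on the assigned address and a time window.
        follow = [w for w in win_events
                  if w.get("host") == host_ip and w.get("event") == "7045"
                  and timedelta(0) <= w["ts"] - e["ts"] <= FOLLOW_WINDOW]
        findings.append({
            "user": e["user"], "src": e["src"], "host": host_ip,
            "failures": len(fails), "success_at": e["ts"].isoformat(),
            "techniques": ["T1110"] + (["T1543.003"] if follow else []),
            "services": [w.get("service") for w in follow],
            "severity": "high" if follow else "medium",
        })
    return findings


def run():
    return correlate(parse_log(VPN_LOG), parse_log(WIN_LOG))


if __name__ == "__main__":
    for f in run():
        print(f)
```

Run stand-alone it reports one high-severity finding for jsmith from 203.0.113.5 on 10.0.0.45 with both technique tags; mjones’ clean logon and the unrelated 4624 event produce nothing. In a real SIEM the second stage would also fire on other persistence or execution events, and the thresholds would be tuned per environment, but the shape of the logic (normalize, join on a shared key, bound by time, tag with ATT&CK) is what the event’s scenarios exercise.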
Practice makes perfect – honing incident response skills


Ryan Schradin
A communications expert and journalist with over a decade of experience, Ryan has edited and contributed to multiple popular online trade publications focused on the security, satellite, unified communications and network infrastructure industries. He serves as a contributing writer for the Gov Cyber Hub. In addition to his work with the Hub, he serves as the Executive Editor of the Government Satellite Report and the Insurance Technology Insider (ITI) online publications. In his spare time, he enjoys hiking across the great state of Virginia with his wife, Sarah, and their rescue pup, Brooklyn the Adventure Dog, who is 13lbs of pure furry fury.