Defense Department’s Multi-Cloud Cloud Strategy: A Role for SIEM
Naturally, Congress has noted the value of the approaches to cloud in virtually every annual National Defense Authorization Act over this timeframe. While we wait for a Senate-passed version of the Fiscal Year 2023 bill and a conferenced version later this year, we can look to the Senate and House Armed Services Committee reports for what is coming.
The Senate Armed Services Committee referenced DoD’s multi-cloud strategy in writing:
Similarly, the House Armed Services Committee noted:
While DoD undertakes the effort to meet these requirements regarding multi-cloud approaches, the time is right to also consider the advantages of Security Information and Event Management (SIEM) capabilities as applied to cloud. Among other benefits, a SIEM capability aims to centralize and aggregate all security-relevant events as they are generated at their source. It can add context and threat intelligence to security events, and it can ingest all data (users, applications) from cloud and on-premises sources and make it available for monitoring, alerting, investigation and ad hoc searching. It also reduces risk by enabling faster detection of, and incident response to, newly discovered and ongoing threats with ready-to-use, relevant content. By utilizing SIEM for cloud, DoD can quickly deploy, scale and consolidate all relevant security information in a single repository, ensuring that it’s protected, indexed and analyzed.
It is clear that commercial-off-the-shelf SIEM has tremendous benefits that lead to effective network security. This capability provides a single security management system that offers full visibility into activity within Department of Defense networks, thus allowing Security Operations Centers to respond to threats in real time. As the Department increasingly transitions to a software-as-a-service model, security must remain a key consideration in moving to the cloud.
The Department should explore expanding SIEM for higher-sensitivity controlled unclassified information (CUI). Perhaps JFHQ-DODIN and the Military Services might conduct a pilot program for a commercial-off-the-shelf SIEM capability for impact level 5 (IL5), with JFHQ-DODIN aligning that effort with the security orchestration and automated response pilot activity that was directed in the National Defense Authorization Act for fiscal year 2022.
For more information, check out our "Take Your SIEM to the Cloud" whitepaper.