Feb 06 2024

Federal Agencies Struggle on Cybersecurity Logging Benchmarks

While mandate requirements are a challenge, a variety of new cybersecurity tools are available to strengthen agencies’ security postures.

A Government Accountability Office report released in December raised some concerns about federal agencies’ ability to prepare for and respond to cyberthreats.

Twenty of 23 agencies failed to meet cybersecurity incident response requirements laid out in Executive Order 14028, specifically in their investigation and remediation capabilities.

A follow-up memo to the May 2021 White House directive laid out a tiered maturity model for agencies to follow. Unfortunately, 17 agencies were listed as Event Logging 0 in the GAO report — meaning “logging requirements of highest criticality are either not met or are only partially met” — by the August 2023 deadline. The simple descriptions in the four-tiered maturity model belie the complexity and scope of the changes that need to happen in each agency to reach EL3, meaning all requirements are met.

“What the mandate is asking is a good thing, but it’s a tall order,” says John Dwyer, head of research at IBM Security X-Force. “From the mandate to the guidance from the Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency, it is all good, but I think it needs to be taken a step further. The guidance needs to be more prescriptive to the realities of each agency.”

“The mandate is comprehensive, but it is underfunded for what’s being asked,” says Sebastian Szykier, manager of CDW•G’s federal security practice. “You have to actually acquire new technology and be able to manage it. Implementing logging in any organization requires working through lots of organizational politics and silos.”


What Is EL3 Advanced Cybersecurity Logging?

EL3 Advanced Requirements outline specific cybersecurity logging benchmarks that need to be met beyond the previous tiers’ basic and intermediate logging requirements. The benchmarks include: retention formats and time frames for critical logs, finalizing and implementing automated hunt and incident response playbooks, implementing user behavior analytics capabilities driven by machine learning and artificial intelligence resources, integrating container security and monitoring tools with security information and event management platforms, and providing centralized accessibility of all critical logs to the highest-level security operations at the head of each agency.

Meeting EL3’s detailed benchmarks means executing a long chain of security strategies and processes, unfolding over years.

“You have to consider that every piece of data has value; it costs money to gather it,” Dwyer says. “You can’t turn on all logging, so you need to go through this process from level EL0 through EL2 in order to know and appreciate what you really need to capture. EL3 is all about fine-tuning the data sets that you are capturing.”

“The requirements in EO 14028 are aligned with today’s commercial best practices, which is a good thing,” says Robert Sheldon, CrowdStrike’s senior director of public policy and strategy. “All agencies need a record of what’s going on in their environments. Robust information allows you to take a threat hunting approach to proactively find breaches before they do damage, and you need an authoritative and centralized view to understand what’s happened. Logs are really important for that.”


The Roadblocks for Agencies Implementing EL3

One of the biggest challenges with large-scale security initiatives is trying to right-size the value of the budget spending with the value of the data being captured in the logs.

“Are you collecting the most valuable data? And by value, I mean how likely is the data to show evidence of an attack?” Dwyer says. “You are always walking a tightrope. Every time you enable a log, it adds resource consumption. Budget is a real consideration.”

“The mandate’s requirements aren’t groundbreaking,” Szykier says. “Security operations center teams, the industry and the broader security market have found ways to right-size approaches that yield better results. I think agencies are probably balancing what works with what is being mandated, and that’s impacting the GAO findings.”

Shared Services Offer an Additional Challenge

Another key consideration is the wider federal government push to use shared services, as outlined in OMB Memo M-19-16.

“Government agencies are increasingly adopting shared services approaches to technology modernization generally, and cybersecurity specifically,” Sheldon says. “This is a positive trend. From an administrative standpoint, it ensures that agencies perform fewer duplicative contracting actions and achieve greater economies of scale. From an operational standpoint, it ensures consistent coverage, reduces maintenance and training costs, and enables defenders to defeat threats across multiple departments and agencies.”

But under EO 14028, the expanding use of shared services also opens a wider net of logging requirements. “The directive doesn’t just pertain to the logging of on-premises data and systems; you also need to secure third-party services, which play a huge role in government,” Dwyer says. “And you need to work with a service provider, so it’s a cascading process that leads to more and more logging complexity and work to accomplish.”

“Agencies described three key challenges that hindered their abilities to fully prepare to respond to cybersecurity incidents: (1) lack of staff, (2) event logging technical challenges, and (3) limitations in cyber threat information sharing.”

Source: Government Accountability Office, “Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements,” Dec. 4, 2023

CISA’s Role in Meeting EL3 Logging Requirements

There is help on the horizon for agencies in their efforts to comply with the logging mandates of EO 14028. The Cybersecurity and Infrastructure Security Agency is planning an initiative that will partially replace the long-serving EINSTEIN cyberdefense system.

CISA requested 2024 budget funding for the Cyber Analytics and Data System, a new cyberdefense initiative that would ingest and integrate security data from multiple sources, including government and private industry — allowing CISA to broadly orchestrate and automate analysis in identifying, detecting, mitigating and preventing cyberattacks on government organizations.

“Organizations should be thinking about and planning for CISA’s CADS program when it comes to logging,” Sheldon says. “Agencies need to start thinking beyond EINSTEIN. The status quo won’t last forever; it will change and evolve over time.”

The Growing Role of Next-Gen SIEM and Other Cybersecurity Tools

Agencies will also want to look more closely at next-generation security information and event management technology, which provides unified security incident detection and response by automatically collecting and correlating data from multiple security data feeds.

“Next-gen SIEM is where the market is going — not securing just endpoints, but securing more holistically across the environment,” Sheldon says. “It allows you to track a breach across systems and architecture.”

Agencies should focus on implementing tools that will simplify their logging efforts.

“Log storage is expensive, transforming logs to make them usable is tedious, indexing them to be performant is expensive and gaining insight through analytics can be complex. Agencies should look at solutions that make these factors simpler at scale,” Szykier says. “Google’s Chronicle, Palo Alto Networks’ Cortex Data Lake and Microsoft’s Sentinel are examples of solutions that work toward the aim of making cybersecurity and security logging simpler.”


Logging Delivers Proactive Threat Intelligence

Agencies also may need to broaden their understanding of the value of their log data. Too often, it is looked at in the context of compliance and building an audit trail, but there is much greater value there — including threat intelligence.

“Threat intelligence is so important to this conversation,” Dwyer says. “It helps you understand what attackers are looking to achieve. Logs reveal what they are doing; attackers need to do certain things to achieve their objectives. Ultimately, you can map that to a data source in the environment.”

“Threat hunting helps you understand what to expect from an attacker. This allows you to do filtering and be positioned to expect the unexpected,” he adds. “One thing that IBM’s X-Force offers is incident response proactive services. We come in, look at log data and develop a prescriptive incident response playbook to guide security staff responses when an incident occurs.”
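The budget-versus-value trade-off Dwyer describes under “The Roadblocks for Agencies Implementing EL3,” and his point above about mapping what attackers must do to a data source in the environment, as an added example that is not code from the article or from any vendor named in it: a small greedy selector that, given a constructed mapping of expected attacker behaviours to the log sources that would evidence them and a constructed cost per source, picks which sources to enable under a budget and reports which behaviours would still go unevidenced. The behaviour names, source names, and cost figures are assumptions made for the illustration.

```python
"""Budget-aware selection of log sources by detection value.

Added illustration; the behaviours, sources and costs are constructed
sample values, not figures from the article or from any agency.
"""
from typing import Dict, List, Set, Tuple

# Attacker behaviours the agency expects (from its threat intelligence),
# each mapped to the log sources that would show evidence of it.
BEHAVIOURS: Dict[str, Set[str]] = {
    "credential_abuse": {"auth_logs", "identity_provider"},
    "lateral_movement": {"auth_logs", "endpoint_edr", "netflow"},
    "data_exfiltration": {"netflow", "dns", "cloud_storage_audit"},
    "persistence_in_cloud": {"cloud_control_plane", "identity_provider"},
    "container_escape": {"container_runtime", "endpoint_edr"},
}

# Relative ingest/storage cost of enabling each source (arbitrary units).
COSTS: Dict[str, int] = {
    "auth_logs": 2, "identity_provider": 1, "endpoint_edr": 6, "netflow": 5,
    "dns": 2, "cloud_storage_audit": 3, "cloud_control_plane": 2,
    "container_runtime": 4,
}


def select_sources(budget: int, behaviours: Dict[str, Set[str]] = BEHAVIOURS,
                   costs: Dict[str, int] = COSTS) -> Tuple[List[str], Set[str]]:
    """Greedy budget-constrained cover: repeatedly enable the affordable
    source that evidences the most not-yet-covered behaviours per unit cost.
    Ties go to the source listed first in `costs`.
    Returns (sources enabled, in order; behaviours left without evidence)."""
    enabled: List[str] = []
    uncovered: Set[str] = set(behaviours)
    remaining = budget
    while uncovered:
        best, best_score = None, 0.0
        for src, cost in costs.items():
            if src in enabled or cost > remaining:
                continue  # already on, or would blow the budget
            gain = sum(1 for b in uncovered if src in behaviours[b])
            if gain / cost > best_score:
                best, best_score = src, gain / cost
        if best is None:  # nothing affordable adds coverage: stop
            break
        enabled.append(best)
        remaining -= costs[best]
        uncovered = {b for b in uncovered if best not in behaviours[b]}
    return enabled, uncovered


if __name__ == "__main__":
    chosen, gaps = select_sources(budget=10)
    print("enable:", chosen, "| still unevidenced:", sorted(gaps))
```

Lowering the budget shows the gap the article warns about: with less to spend, the selector leaves some expected behaviours without any log source to evidence them, which is the coverage question an agency should answer before deciding what not to collect.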

Evolving the Cybersecurity Industry to Meet Agency Needs

Cybersecurity firms have a big role to play in helping federal agencies modernize their logging efforts to align with EL3 requirements. Updating the parameters of the products and services they deliver to agencies would speed those agencies’ progress.


“Products should include detailed security logging as a baseline and 12 to 18 months of storage,” Szykier says. “As those providers are negotiating their platform contracts with the Infrastructure as a Service vendors, they should negotiate the necessary discounts to do that as well. It’s always an extra cost to go to the cloud provider and gather that data. These should be included in the cost up front.”

Data storage parameters are a top consideration in assessing logging platforms. One platform offering a flexible data storage approach is CrowdStrike’s next-gen SIEM, Falcon LogScale, a centralized log management tool that helps organizations store, analyze and retain logging data at scale.

“Falcon LogScale provides a lot of transparency in processing data and the associated costs,” Sheldon says. “It gives you flexibility on time in storage and additional quickness in search. It’s a great responsive tool that helps you search for the root cause of security incidents.”

A Flexible Approach to EL3 Logging Alignment

One saving grace of EO 14028 is that it does not require the use of specific tools or resources to meet the benchmarks it lays out. This gives agencies flexibility to choose the vendors and tools that best meet their needs.

“There is no one-size-fits-all solution for federal agencies; they are all unique in what they do,” Dwyer says. “Each agency requires specific prescriptive solutions. Each agency will have unique recommendations for how to best meet the mandate requirements.”
