CISA’s Role in Meeting EL3 Logging Requirements
There is help on the horizon for agencies in their efforts to comply with the logging mandates of EO 14028. The Cybersecurity and Infrastructure Security Agency is planning an initiative that will partially replace the long-serving EINSTEIN cyberdefense system.
CISA requested fiscal year 2024 funding for the Cyber Analytics and Data System (CADS), a new cyberdefense initiative that would ingest and integrate security data from multiple sources, including government and private industry, allowing CISA to orchestrate and automate analysis broadly in identifying, detecting, mitigating and preventing cyberattacks on government organizations.
“Organizations should be thinking about and planning for CISA’s CADS program when it comes to logging,” Sheldon says. “Agencies need to start thinking beyond EINSTEIN. The status quo won’t last forever; it will change and evolve over time.”
The Growing Role of Next-Gen SIEM and Other Cybersecurity Tools
Agencies will also want to look more closely at next-generation security information and event management (SIEM) technology, which provides unified security incident detection and response by automatically collecting, normalizing and correlating data from multiple security data feeds, so that related events from different systems can be tied together into a single finding.
“Next-gen SIEM is where the market is going — not securing just endpoints, but securing more holistically across the environment,” Sheldon says. “It allows you to track a breach across systems and architecture.”
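As an added illustration of the cross-feed correlation described above (this is example code, not code from the article or from any vendor's product), the block below joins two constructed log feeds, a VPN gateway syslog-style feed and a Windows security event export, on user and time. The log formats, field names, the per-user country baseline and the 30-minute window are assumptions chosen for the example; the log lines are constructed, using RFC 5737 documentation addresses.

```python
"""Cross-feed correlation of the kind a next-gen SIEM performs.

Added example, not from the article or any product. Rule: a successful VPN
login for a user from a country outside that user's baseline, followed within
WINDOW by the same user creating an account on any Windows host (event ID
4720), raises one alert that cites both underlying records.
"""
import json
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed feed 1: VPN gateway key=value lines (format is an assumption).
VPN_LOG = """\
2024-03-04T08:12:09Z vpn-gw01 user=jdoe src=203.0.113.7 geo=US result=success
2024-03-04T21:40:31Z vpn-gw01 user=jdoe src=198.51.100.23 geo=RO result=success
2024-03-04T21:41:02Z vpn-gw01 user=asmith src=198.51.100.40 geo=BR result=failure
2024-03-04T22:05:55Z vpn-gw01 user=asmith src=203.0.113.9 geo=US result=success
"""

# Constructed feed 2: Windows security events exported as JSON lines.
WIN_LOG = """\
{"ts":"2024-03-04T08:30:00Z","host":"fs01","event_id":4624,"subject":"jdoe","target":"jdoe"}
{"ts":"2024-03-04T21:52:17Z","host":"dc01","event_id":4720,"subject":"jdoe","target":"svc_backup2"}
{"ts":"2024-03-04T22:10:40Z","host":"dc01","event_id":4720,"subject":"asmith","target":"contractor7"}
"""

# Constructed per-user baseline: countries seen in prior normal activity.
BASELINE = {"jdoe": {"US"}, "asmith": {"US", "CA"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_vpn(text):
    """Normalize VPN key=value lines into dicts sharing a common schema."""
    events = []
    for line in text.splitlines():
        ts, host, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": parse_ts(ts), "source": "vpn", "host": host, **fields})
    return events


def parse_windows(text):
    """Normalize JSON-lines Windows events; timestamps become datetimes."""
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        rec["source"] = "windows"
        events.append(rec)
    return events


def correlate(vpn_events, win_events, baseline, window=WINDOW):
    """Join the feeds on user and time; return alerts citing both records."""
    # Only successful logins from a country outside the user's baseline count.
    anomalous = [e for e in vpn_events
                 if e["result"] == "success"
                 and e["geo"] not in baseline.get(e["user"], set())]
    alerts = []
    for w in win_events:
        if w["event_id"] != 4720:          # account creation only
            continue
        for v in anomalous:
            gap = (w["ts"] - v["ts"]).total_seconds()
            if v["user"] == w["subject"] and 0 <= gap <= window.total_seconds():
                alerts.append({
                    "user": v["user"],
                    "vpn_host": v["host"], "vpn_src": v["src"], "geo": v["geo"],
                    "vpn_ts": v["ts"].isoformat(),
                    "win_host": w["host"], "new_account": w["target"],
                    "win_ts": w["ts"].isoformat(),
                    "gap_minutes": round(gap / 60, 1),
                })
    return alerts


def run():
    return correlate(parse_vpn(VPN_LOG), parse_windows(WIN_LOG), BASELINE)


if __name__ == "__main__":
    for a in run():
        print(json.dumps(a))
```

With the constructed input, only jdoe's Romanian login followed by the account creation on dc01 is flagged; asmith's anomalous login failed, and the later successful one is from a baseline country. A production SIEM does the same join incrementally over a stream with indexed state rather than the nested loop used here for clarity.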
Agencies should focus on implementing tools that will simplify their logging efforts.
“Log storage is expensive, transforming logs to make them usable is tedious, indexing them to be performant is expensive and gaining insight through analytics can be complex. Agencies should look at solutions that make these factors simpler at scale,” Szykier says. “Google’s Chronicle, Palo Alto Networks’ Cortex Data Lake and Microsoft’s Sentinel are examples of solutions that work toward the aim of making cybersecurity and security logging simpler.”
Logging Delivers Proactive Threat Intelligence
Agencies also may need to broaden their understanding of the value of their log data. Too often, it is viewed only in the context of compliance and building an audit trail, but there is much greater value in it, including threat intelligence.
“Threat intelligence is so important to this conversation,” Dwyer says. “It helps you understand what attackers are looking to achieve. Logs reveal what they are doing; attackers need to do certain things to achieve their objectives. Ultimately, you can map that to a data source in the environment.”
“Threat hunting helps you understand what to expect from an attacker. This allows you to do filtering and be positioned to expect the unexpected,” he adds. “One thing that IBM’s X-Force offers is incident response proactive services. We come in, look at log data and develop a prescriptive incident response playbook to guide security staff responses when an incident occurs.”
Evolving the Cybersecurity Industry to Meet Agency Needs
Cybersecurity firms have a big role to play in helping federal agencies modernize their logging efforts to align with EL3 requirements. Adjusting the default logging and retention parameters of the products and services they deliver to agencies would speed those efforts.
“Products should include detailed security logging as a baseline and 12 to 18 months of storage,” Szykier says. “As those providers are negotiating their platform contracts with the Infrastructure as a Service vendors, they should negotiate the necessary discounts to do that as well. It’s always an extra cost to go to the cloud provider and gather that data. These should be included in the cost up front.”
Data storage parameters are a top consideration in assessing logging platforms. One platform offering a flexible data storage approach is CrowdStrike’s next-gen SIEM, Falcon LogScale, a centralized log management tool that helps organizations store, analyze and retain logging data at scale.
“Falcon LogScale provides a lot of transparency in processing data and the associated costs,” Sheldon says. “It gives you flexibility on time in storage and additional quickness in search. It’s a great responsive tool that helps you search for the root cause of security incidents.”
A Flexible Approach to EL3 Logging Alignment
One saving grace of EO 14028 is that it does not require the use of specific tools or resources to meet the benchmarks it lays out. This gives agencies flexibility to choose the vendors and tools that best meet their needs.
“There is no one-size-fits-all solution for federal agencies; they are all unique in what they do,” Dwyer says. “Each agency requires specific prescriptive solutions. Each agency will have unique recommendations for how to best meet the mandate requirements.”