New Logging Standard for Federal Cyber Detection and Response

My last post covered a new federal policy, “Improving the Nation’s Cybersecurity,” set by President Joe Biden in Executive Order E014028 on May 12, 2021. Unlike the broader mandate called the Federal Information Security Management Act (FISMA), the Executive Order aims to focus federal departments and agencies on practical steps to rapidly improve the prevention, detection, assessment, and remediation of cyber incidents. 

In this post, we’ll take a closer look at a related new standard for log management: Executive Memorandum M-21-31, “Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents.”

New Federal Strategic Focus on Logging

The White House considers log management to be a pillar of strong threat detection, investigation, and response (TDIR): “Poor logging hampers an organization’s ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact. Robust and consistent logging practices will solve much of this problem.”

The topic of logging is not new. In 2006, FISMA resulted in the production of NIST 800-92, “Guide to Computer Security Log Management.” This 72-page document from the National Institute of Standards and Technology provides a basic but somewhat dated survey of log management. Topics range from an introduction to logging and its infrastructure, planning, and operational processes.

Memorandum M-21-31 is a 44-page document that establishes a maturity model for event log management guiding the implementation of new requirements to accelerate more effective TDIR. The Memorandum also provides agency implementation requirements, government-wide responsibilities, and where departments and agencies can get policy assistance.

Summary of New Logging Guidance

According to the Memorandum, new recommendations for logging shall include “the types of logs to be maintained, the time periods to retain the logs and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs. Logs shall be protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes throughout their retention. Data shall be retained in a manner consistent with all applicable privacy laws and regulations.”

The Memorandum expressly notes that new logging policies are to “ensure centralized access and visibility for the highest level security operations center (SOC) of each agency.” Agencies are also required to increase sharing of this information for acceleration of response efforts to keep federal departments and agencies safer from attacks.

New Maturity Model for Event Logging

The Memorandum is all about prioritization for event logging. The 4-tier maturity model below aims to help agencies prioritize their efforts and resources for full compliance, including implementation, log categories, and centralized access. The Memorandum urges agencies to focus first on high-impact systems and high-value assets.

Tier EL1 for “Basic” Logging Capabilities

Appendix A for the Memorandum contains details of requirements for each tier. Tier EL1 has the most requirements, which also apply to Tiers EL2 and EL3. The main variable is whether implementation and centralized access requirements have or have not been met for high, intermediate, and all criticality levels. 

Each event log must contain certain data if applicable. For example, data must be properly formatted with an accurate timestamp. Also required is a status code for the event type, device identifier, session or transaction ID, autonomous system number, source and destination IP number, status code, response time, and additional headers such as HTTP. Minimum data requirements also include, where appropriate, the username and/or userID, what command was executed, a preferred formatting as key-value-pairs for easy extraction, and a unique event identifier for event correlation.

Consistent timestamp formats are necessary for accurate and efficient event correlation and log analysis. Event forwarding is necessary for central SOC analysts to obtain events from remote devices such as for SIEM analytics. Cryptographic methods are required for logging facilities and data to ensure data integrity. Processes are required to protect and validate log information.

Agencies must implement a passive Domain Name System with analytics to enable rapid identification of the host that sourced each DNS query. Agencies also must automate production of a list of hostnames that are frequently used by legitimate users but are not in general top domain lists; it shall be automatically provided to the Cybersecurity Infrastructure Security Agency (CISA). Logs and other relevant data must be provided to CISA and the Federal Bureau of Investigation (FBI) upon request. 

A major step toward modernizing federal cybersecurity includes new requirements for logging orchestration, automation, and response to leverage new automated hunt and incident response playbooks. This includes requirements for user behavioral analytics to allow for early detection of anomalous malicious behavior. EL1 requires planning for this capability; full implementation is expected for EL3.

Finally, EL1 requires basic centralized access to logs, the DNS logging system, and accompanying analytics. The main idea is to enable traps for detecting data-stream disruption, which is to be monitored and triaged by the component-level SOC.

Tier EL2 for “Intermediate” Logging Capabilities

Tiers are additive, so achieving EL2 means all EL1 requirements must be met. Intermediate logging means required logs categorized as Criticality Level 1 and 2 must be retained in acceptable formats for specified timeframes (see technical details in the Memorandum’s Appendix C). 

If an agency develops or commissions software that produces logs and is deployed in federal environments, the agency must provide the structure (schema) for those logs to CISA. Toward the goal of inspection of encrypted data, agencies shall retain and store in cleartext form the data or metadata it collects as described in Appendix C. The Memorandum states: “In general, agencies are expected to follow zero-trust principles concerning least privilege and reduced attack surface, and relevant guidance from OMB and CISA relating to zero-trust architecture.”

Finally, EL2 is accomplishing intermediate centralized access. This means required logs categorized as Criticality Levels 0 and 1 are accessible and visible for the highest-level security operations at the head of each agency.

Tier EL3 for “Advanced” Logging Capabilities

Achievement of EL3 means the agency has met all requirements for EL2. Advanced logging means required logs categorized as Criticality Level 3 must be retained in acceptable formats for specified timeframes (see Appendix C).

Under logging orchestration, automation, and response, agencies must have finalized and implemented automated hunt and incident response playbooks. Likewise, user behavioral analytics must be implemented for early detection of malicious behavior. By leveraging logging requirements, user behavior analytics must monitor all user and non-user accounts. At a minimum, this capability should be configured to detect and alert on:

• Compromised user credentials
• Privileged-user compromise
• Improper asset access
• Compromised system/host/device
• Lateral movement of threat actor

Another step toward modernizing federal security is a requirement for application container security, operations, and management. The Memorandum requires integration of this capability with SIEM tools. EL3 compliance also means required logs across all criticality levels are accessible to the highest-level security operations at the head of each agency.

Deadlines for Federal Agency Compliance

The deadlines for agency implementation requirements are as follows:

• EL1 Maturity: 27 August 2022
• EL2 Maturity: 27 February 2023
• EL3 Maturity: 27 August 2024

In conjunction with compliance, CISA is tasked by the Memorandum to deploy teams to assist agencies in assessing logging practices. CISA will also develop and publish tools in conjunction with the FBI to assess logging capability. The Department of Commerce (mainly NIST) is ordered to continue maintaining SP 800-92, and to incorporate requirements of the Memorandum regarding logging, log retention, and log management in the next revision of SP 800-92 and other relevant publications.

ConclusionCompliance with various laws and regulations is built into the nation’s expectations for how federal agencies operate in a responsible manner. The new requirements for log management described in Memorandum M-21-31 aim to help focus agencies on processes and technologies that will provide the biggest bang for the buck in rapidly improving threat detection, investigation, and response to cyber incidents. If you or your security teams have questions about the Memorandum, it suggests contacting the Office of Management and Budget’s Federal Chief Information Officer via email at [email protected]. The process of achieving Tier EL3 maturity is at the heart of what Exabeam provides to our customers. We also invite you to learn more about how Exabeam can help your agency.