
Government Cybersecurity Collaboration: Lessons in Logging and Detection

  • Oct 10, 2024
  • Gabrielle Hempel
  • 4 minutes to read


TEN18 by Exabeam

What the Most Significant Government Collaboration on Threat Detection and Logging Got Right – and Wrong – and What You Should Know About It

Recently, the Australian Cyber Security Centre (ACSC), CISA, the FBI, the NSA, and other international partners came together to agree upon new standards for event logging and threat detection. This collaboration marks a significant step in creating baseline best practices for organizations of all kinds, helping them to stay on top of a cyber landscape that constantly presents new challenges.

Threats continue to advance and change rapidly, with larger and more devastating attacks being announced almost daily. Adversaries are keeping pace with the constant advancements in technology too, finding creative ways to lie low while wreaking whatever havoc they can once they manage to breach a system. The new standards do a great job of delving into some of the evasive techniques now appearing, like fileless malware and living-off-the-land binaries (LOLBins). Current logging and detection methods can often miss these, because the techniques are constantly evolving to remain undetectable. As organizations continue to expand their security ecosystems with technology like cloud computing, mobile devices, and combined IT/OT environments, the landscape they need to keep secure grows, so updated strategies like this are crucial to offer valuable direction for the future.

This collaboration has clearly outlined the importance of ingesting high-quality and relevant event logs, centralizing those logs, and making sure that both IT and OT environments are included in the overall strategy. By doing this, organizations can ensure as much visibility as possible across various systems and have an idea as to which logs will be particularly helpful to have eyes on. Secure transport and storage of logs is also emphasized in the standards report, which will further help to protect critical infrastructure systems from unauthorized access or tampering.

While it is impossible to come up with a blanket guide that covers all aspects of security for every organization, there are a few areas that would benefit from being expanded upon to make the content relevant to a wider audience.

Complexity and Scalability

Many organizations, especially those in critical infrastructure sectors like utilities, emergency services, and manufacturing, have small-to-medium security teams that are also responsible for other areas of information technology for the organization. While thorough for organizations with larger, built-out teams, the recommendations made in the report will likely be challenging to implement for smaller teams with limited resources. The suggested strategies for securing distributed systems, machine learning-based detection, and large-scale detection platforms require a high level of dedicated expertise and a large budget. It would benefit a much wider audience if the guidance introduced tiered recommendations that scale with the size and resource level of an organization. Smaller organizations could benefit from practical, cost-effective solutions such as lightweight SIEM alternatives or managed security services, allowing them to achieve foundational event logging and threat detection without needing extensive in-house resources.

Static Baselines

It’s important, especially with the current emphasis on artificial intelligence and machine learning, to establish baselines for what normal behavior and activity look like. Knowing where a behavior lies on a spectrum and having a “normal” range is the only way that these technologies can begin to detect and alert on anomalous behavior. The document does a fantastic job of encouraging the setting of baselines to detect deviations in behavior, but it doesn’t address just how dynamic modern networks are. Environments, especially cloud-based ones, are in a constant state of flux that can render static baselines obsolete, which risks missing important anomalies or even blending them into evolving patterns. To address this, an update to the best practices should include methods for continuous reassessment of standards and for managing dynamic baselines. It would also be a good idea to encourage the use of tools that can adjust baselines automatically in rapidly changing environments, especially cloud and hybrid settings.
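To make the static-versus-dynamic distinction concrete, here is an added example (not code from the original post or from Exabeam) that runs two baselines over a constructed series of hourly event counts. The series, the 3-sigma rule, the smoothing factor and the 24-hour warm-up are all assumptions chosen for illustration: volume legitimately triples at hour 24 (say, after a migration) and then shows a genuine spike at hour 48. The fixed baseline, learned once from the first day, alerts on every hour of the new normal; the exponentially weighted baseline absorbs the shift within a few hours and still catches the spike.

```python
"""Static vs. adaptive baselines for event-volume anomaly detection.

Added example, not from the original post or from Exabeam. The data is
constructed: hourly authentication-event counts for one service.
"""
from statistics import mean, stdev

# Constructed sample: 24 hours at ~100 events/hour, 24 hours at ~300/hour
# (a legitimate new normal), one spike of 1200, then back to ~300.
SAMPLE_HOURLY_COUNTS = (
    [100, 104, 98, 102, 100, 97, 103, 99, 101, 100, 105, 96,
     100, 102, 98, 100, 103, 97, 101, 99, 100, 104, 96, 100]
    + [300, 305, 298, 302] * 6
    + [1200]
    + [300, 302, 298]
)


def static_flags(series, train_hours=24, k=3.0):
    """Fixed baseline: mean and stdev learned once from the first
    train_hours points and never revisited. Returns flagged indices."""
    train = series[:train_hours]
    mu, sigma = mean(train), stdev(train)
    return [i for i, x in enumerate(series)
            if i >= train_hours and abs(x - mu) > k * sigma]


def ewma_flags(series, alpha=0.2, k=3.0, warmup=24):
    """Adaptive baseline: exponentially weighted mean and variance that
    keep learning from every point. A point is flagged when it lies more
    than k sigma from the baseline as it stood before that point."""
    mu, var, flags = float(series[0]), 0.0, []
    for i, x in enumerate(series[1:], start=1):
        diff = x - mu
        if i >= warmup and var > 0 and abs(diff) > k * var ** 0.5:
            flags.append(i)
        # Update after the check. A persistent shift is absorbed into the
        # baseline within a few hours instead of alerting indefinitely;
        # the trade-off is that a slow, deliberate drift is absorbed too.
        incr = alpha * diff
        mu += incr
        var = (1 - alpha) * (var + diff * incr)
    return flags


if __name__ == "__main__":
    print("static  :", static_flags(SAMPLE_HOURLY_COUNTS))
    print("adaptive:", ewma_flags(SAMPLE_HOURLY_COUNTS))
```

The static baseline flags all 28 hours from the shift onward, which in practice means alert fatigue followed by a manual re-baseline. The adaptive one flags the shift itself (hour 24) and the spike (hour 48) only. The comment in the update step states the caveat the paragraph raises: whatever the baseline adapts to becomes "normal", so adaptive baselines need a second control, such as periodic review of how far the baseline has moved, to avoid blending a slow-burn anomaly into the new pattern.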

Insider Threats

Many of the large breaches in the news stem from insider threat incidents, and any CISO asked will likely say that insider threat is one of the most challenging issues for their company to address. The problem is that these breaches often succeed by leveraging privileged user accounts that are authorized to access the data in question, so they are hard to protect against without removing the access the person needs to do their job. While there is a brief mention of monitoring for anomalous user behavior in the report, more attention should be given to detecting and mitigating insider threats. Prescriptive guidance on privileged account monitoring, user behavior analytics, and identity and access management (IAM) solutions would be beneficial. These incidents are also often found to stem from accounts and access levels that are no longer needed, so regular audits of access controls and privileged accounts should be emphasized alongside the recommended anomaly detection for a more thorough look at potential unauthorized activity.
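The access audit recommended above can be expressed as a small, repeatable review. The following is an added example (not code from the original post or from Exabeam) over constructed account records; the roles, approved group mappings, 90-day dormancy threshold and every account shown are assumptions for illustration. It surfaces the three conditions the paragraph names: privilege a role is not approved for, privileged accounts that have gone idle, and accounts belonging to people who have left but still hold group membership.

```python
"""Privileged-access review over constructed account records.

Added example, not from the original post or from Exabeam. Roles,
approved groups, thresholds and accounts are all assumed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Assumed policy: which privileged groups each job role may hold.
# Any role absent from this table (e.g. a service account) is approved for none.
APPROVED_GROUPS = {
    "dba": {"db-admins"},
    "sre": {"prod-ssh", "k8s-admins"},
    "analyst": set(),
}
PRIVILEGED_GROUPS = set().union(*APPROVED_GROUPS.values())


@dataclass
class Account:
    user: str
    role: str
    groups: Set[str]
    last_login: Optional[date]
    active_employee: bool = True


def review_accounts(accounts: List[Account], today: date,
                    dormant_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (user, finding, detail) triples for accounts needing action."""
    findings = []
    for a in accounts:
        if not a.active_employee and a.groups:
            # Departed user still holds membership: everything goes.
            findings.append((a.user, "orphaned-account",
                             ",".join(sorted(a.groups))))
            continue
        held = a.groups & PRIVILEGED_GROUPS
        excess = held - APPROVED_GROUPS.get(a.role, set())
        if excess:
            findings.append((a.user, "excess-privilege",
                             ",".join(sorted(excess))))
        if held:
            idle = None if a.last_login is None else (today - a.last_login).days
            if idle is None or idle > dormant_days:
                detail = "never logged in" if idle is None else f"{idle} days idle"
                findings.append((a.user, "dormant-privileged", detail))
    return findings


def sample_accounts(today: date) -> List[Account]:
    """Constructed directory extract relative to the review date."""
    ago = lambda n: today - timedelta(days=n)
    return [
        Account("alice", "dba", {"db-admins"}, ago(3)),
        Account("bob", "analyst", {"db-admins"}, ago(10)),
        Account("carol", "sre", {"prod-ssh", "k8s-admins"}, ago(120)),
        Account("dave", "sre", {"prod-ssh"}, ago(5), active_employee=False),
        Account("erin", "analyst", set(), None),
        Account("svc-etl", "service", {"db-admins"}, None),
    ]


if __name__ == "__main__":
    for row in review_accounts(sample_accounts(date(2024, 10, 10)),
                               date(2024, 10, 10)):
        print(*row)
```

Each finding maps to a concrete action rather than an alert: remove the group, disable the account, or confirm with the owner that the access is still needed. Running this on a schedule, and feeding its output into the same place as behavioral alerts, gives the combined view the paragraph asks for: unauthorized activity on the one side, unnecessary authorization on the other.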

Operational Technology (OT) Environments

OT environments and technology are often neglected when it comes to security guidance, so the inclusion of OT here is a positive step forward. However, the recommendations for alerting and anomalous behavior remain very broad. OT systems, especially in critical sectors like energy and manufacturing, require more detailed and actionable strategies to address some of the unique challenges they face. OT systems often include embedded software that brings its own set of challenges for monitoring, updates, and security. Additionally, organizations with OT should be guided on implementing cross-domain monitoring, as IT, OT, and cloud systems should all be integrated for as much visibility as possible.

Ultimately, while the brief presents a material advancement in improving event logging and threat detection strategies, there are definitely areas where it can be further strengthened. By addressing scalability gaps for smaller organizations, managing dynamic baselines, focusing on insider threats, and developing specific strategies for OT environments, the guidance can better serve organizations in all industries and of all sizes.

Gabrielle Hempel

Security Operations Strategist | Exabeam | Gabrielle Hempel is distinguished for her expertise in security strategy, executive cybersecurity/risk consulting, cloud engineering, vulnerability management, SIEM, and network detection and response (NDR). Recognized as an 'Emerging Leader' by the DoD National Security Innovation Network, Hempel's thought leadership extends through speaking at major conferences such as BlackHat and DefCon and publications in peer-reviewed journals and media outlets. Hempel has an MS in Cybersecurity and Global Affairs from NYU and is currently pursuing her law degree at Purdue University.
