November 5, 2021
The Federal government has defined new standards for cybersecurity event logging systems.
On May 12th, 2021, just days after the headline-making Colonial Pipeline ransomware attack, the White House issued an executive order on improving the nation’s cybersecurity.
This order formally introduces the Federal government’s stance on cybersecurity technologies and frameworks like zero trust architecture. It also shows the government’s focus on logging technology to address increasingly complex cybersecurity incidents.
Following that executive order, the Federal government released Executive Memorandum M-21-31, which sets new standards for cybersecurity log management. These new standards represent the latest guidance for government agencies, large enterprises, and public institutions to protect sensitive data and defend against persistent, advanced cybersecurity threats.
Log Data Empowers Advanced Detection and Response Technology
Advanced SIEM/SOAR solutions like Exabeam Fusion and AlienVault USM Anywhere rely on logging to monitor, investigate, and analyze security events. Accurate, detailed logs are the cornerstone of effective detection and response. Without a formal logging standard to adhere to, it’s not possible to ensure functionality and interoperability across the entire enterprise threat surface.
Accurate log aggregation, processing, and analysis enable cybersecurity forensics to take place. Logs are the building blocks of advanced threat detection, response, and remediation.
PowerShell logs are an incredibly important asset for modern cybersecurity platforms because so many of today’s most sophisticated cyberattacks rely on running malicious PowerShell scripts. PowerShell can execute almost any kind of program without needing to run additional applications, making it a prime target for cybercriminals who want to gain control of victims’ devices and networks.
The Federal government has created new logging standards in order to centralize access and visibility into the events that indicate advanced attacks like PowerShell exploits. By establishing a maturity model for log requirements and criticality, the government can quickly assess the robustness of the organization’s logging capabilities – and use that to determine how effective their SIEM/SOAR solutions really are.
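The post talks about making PowerShell scripts produce detailed logs for a SIEM to consume. As an added example that is not from the original post, Castra, or Exabeam, the script below turns on the three standard PowerShell logging policies on a single Windows host through their Group Policy registry locations and then reads back the script block events that a collector would forward; the transcript directory is an assumed value.

```powershell
# Added example: enable PowerShell script block, module and transcription logging
# on one host, then query the resulting events. Run in an elevated session.
$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumed path; use a collected, append-only location in practice

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Script block logging: records the text of every script block as it is
#    compiled (Event ID 4104), so de-obfuscated content is captured at run time.
Set-PolicyValue "$PolicyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 2. Module logging for all modules: records pipeline execution details (Event ID 4103).
Set-PolicyValue "$PolicyRoot\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$PolicyRoot\ModuleLogging\ModuleNames" '*' '*' 'String'

# 3. Transcription: a per-session text transcript with a timestamped invocation header.
Set-PolicyValue "$PolicyRoot\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$PolicyRoot\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$PolicyRoot\Transcription" 'OutputDirectory' $TranscriptDir 'String'

# Verify: pull the newest script block events and expose the fields a SIEM parses
# (time, host, user, record id, script text).
function Get-RecentScriptBlocks {
    param([int]$Count = 5)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $Count -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Computer    = $_.MachineName
            UserSid     = $_.UserId
            RecordId    = $_.RecordId
            ScriptText  = $_.Properties[2].Value   # ScriptBlockText field of event 4104
        }
    }
}

# Run one harmless script block so the query has something to show.
& { Write-Output 'script block logging check' }
Get-RecentScriptBlocks | Format-List
```

On domain-joined hosts these registry values are normally delivered by Group Policy, which will overwrite local edits at the next refresh, so the same settings should be applied in the policy object rather than per host.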
The Four-Part Federal Logging Maturity Model Explained
Memorandum M-21-31 establishes a four-tier maturity model designed to help agencies prioritize logging for high-impact systems and high-value assets. Each tier is additive, meaning that every tier contains the requirements of all the other tiers below it.
- EL0. The bottom tier describes systems that do not meet logging requirements for highly critical systems. Logs may not contain accurate timestamps, status codes, device identifiers, or user identity data. A centralized repository for log data may not exist, or certain logs may fail to be collected.
- EL1. The minimum level of logging maturity describes a system that successfully logs accurate data about security incidents. These logs contain event data, device identifiers, a unique transaction ID, and more. They are protected by encryption so that attackers cannot easily modify the logs to hide their activities.
- EL2. Intermediate logging capabilities include all EL1 requirements, along with centralized access and zero-trust architecture for log access. All logs categorized with criticality levels of 1 or 2 are retained in acceptable formats for the time frames specified in the Memorandum.
- EL3. Advanced logging capabilities include all EL1 and EL2 requirements, plus advanced behavioral analytics capable of detecting and flagging malicious behavior. The system must be able to alert security team members about compromised devices and user credentials, improper asset access, and lateral movement by threat actors.
According to the Memorandum, all federal agencies must achieve EL1 by August 2022. They must then achieve EL2 maturity by February 2023, and EL3 maturity by August 2024.
Exceed Federal Logging Requirements with Castra, Exabeam, and AlienVault
Exabeam’s advanced logging capabilities give enterprise-level organizations the ability to meet and exceed Federal logging standards with robust, out-of-the-box functionality. With this federally compliant technology, security teams can force PowerShell scripts to generate detailed logs and ensure compromised devices and accounts generate high-priority SIEM alerts.
Exabeam uses powerful machine learning algorithms to interpret log data and scrutinize PowerShell script behavior according to configurable rules. With Castra security operations center (SOC) personnel augmenting Exabeam functionality with sophisticated custom rules, you can prepare your organization for Federal logging standard compliance well within the government’s announced time frame.
AlienVault’s USM Anywhere orchestrates multiple tools into a single, comprehensive cybersecurity platform. It captures SIEM event information and produces compliant audit logs from many different applications, then makes them accessible from a single intuitive interface, making it an excellent choice for organizations with limited resources.
Castra is a leading managed service provider with expertise in Exabeam and AlienVault technology to secure organizations against cyberattacks. Our security operations center is outfitted with federally compliant audit logging tools that generate insights and protect your organization's sensitive data from exfiltration.