Improved Cybersecurity Logging Gives Agencies Better Network Visibility

While cutting-edge technologies grab our attention, it’s the decades-old field of cybersecurity logging that’s increasingly recognized as critically important for finding and addressing vulnerabilities.

The past few years have been full of new cybersecurity logging requirements for federal agencies. Some have struggled, however, to expand their logging capabilities to include all the new requirements.

The largest set, for instance, defined a maturity model for cybersecurity event logging and required all agencies to achieve the highest maturity level within two years of the memo’s August 2021 release.

However, December 2022 guidance from the Cybersecurity and Infrastructure Security Agency gave extensive advice on how to achieve the Basic maturity level, not the Advanced level, which is the highest. This implies that agencies have found it difficult to scale their capabilities to accommodate the additional amount of log detail, extended log retention periods and supporting tools required by that memo.

Logging has grown more challenging as technology has become more complex and diverse, particularly with transitions to the cloud, mobile, the Internet of Things and other technologies that often use separate logging solutions.

Click the banner to get the expertise you need to strengthen your ransomware protection.

Each agency should use logging in conjunction with various tools for finding vulnerabilities on each of its IP network-connected technology assets, including missing patches, outdated software versions in need of upgrading and misconfigured software and services.

To help agencies address these new logging-related requirements, NIST recently released Special Publication 800-92 Revision 1, Cybersecurity Log Management Planning Guide.

Most agencies will need to use several tools in combination to achieve the necessary visibility for all of their assets, no matter where each asset is located at any time. Let’s take a closer look at some of these tools.

Install a CDM Dashboard to Find and Share Vulnerabilities

CISA’s Continuous Diagnostics and Mitigation Program provides offerings specific to logging and logging tools, including agency dashboards that bring together log data from many internal sources to provide an agencywide picture of current cybersecurity vulnerabilities and threats.

While these dashboards are obviously useful to agencies as they prioritize their mitigation actions, they also help create a bigger picture. Each shares data with the CDM Federal Dashboard, which aggregates the vulnerability and threat data from all participating agencies.

This enables CISA to identify issues more quickly and use information gleaned from an issue at one agency to help determine which other agencies may be similarly at risk. It also allows CISA to track an agency’s mitigation of each vulnerability.

CISA Binding Operational Directive 23-01 requires all agencies to identify vulnerabilities in their software at least every two weeks using privileged credentials. It also requires agencies to add that information plus associated vulnerability detection performance data to their agency dashboard, which will be shared with CISA via the Federal Dashboard.

EXPLORE: Check out CDW•G’s threat and vulnerability management solutions.

Know the Best Places to Log the Most Valuable Information

Every agency can tap many potential sources for cybersecurity logging. First, there are all the operating systems, end-user applications and services that perform their own logging.

Second, there are technology management solutions, such as asset management software, desktop and laptop management software and mobile device management software, as well as vulnerability, patch and configuration management technologies.

The final group of log sources is cybersecurity technologies that support vulnerability and threat discovery. These include active and passive vulnerability scanners; network monitoring and network flow monitoring; endpoint detection and response technologies; and anti-virus, anti-malware and intrusion detection and response solutions.

The “Vulnerability Assessments” entry in Appendix C of OMB M-21-31 requires federal agencies to retain all vulnerability assessment (discovery) logs for a minimum of 12 months in active storage and then at least 18 months in cold storage, regardless of whether the logs indicate the discovery of any vulnerabilities.

Information to be retained includes which software and software versions are installed, which vulnerabilities are in each piece of software and what the severity of each vulnerability is.

LEARN MORE: How CDW can assist in your data center transformation.

Collect Logging Data in an Organized Infrastructure

Log infrastructure refers to all the platforms, software and other components that are used to store, process, and analyze log data. Typically, log data is transferred from the sources that generate it to central storage. For example, OMB M-21-31 specifies the use of central enterprise log manager servers.

Once in central storage, the log data is analyzed to look for vulnerabilities, threats, incidents and other events requiring action. This is usually performed by a security information and event monitoring solution or a security orchestration, automation and response solution, both specified in OMB M-21-31.

SIEM and SOAR tools have many of the same capabilities, such as vulnerability management, but SOAR tools usually have more robust automation and vulnerability mitigation capabilities.

When it comes to smaller agencies, CISA provides the CDM Shared Services Platform for vulnerability detection and logging. These tools can be used by agencies that lack the resources to acquire, implement, maintain and monitor such platforms and tools on their own.

Inside the CDM SSP are log infrastructure components to which smaller agencies can send their log data. The CDM SSP also includes an agency dashboard for each participating small agency, enabling those agencies to meet their requirements to share vulnerability data with the Federal Dashboard.

By providing the log infrastructure and dashboard components that would be prohibitively expensive for a smaller agency, the CDM SSP makes it possible for all agencies to contribute to and benefit from the CDM Federal Dashboard.