Log Management Key to Meeting OMB-21-31 Requirements


Q&A With Public Sector General Manager Dan Wilbricht

Last summer, President Biden issued Executive Order 14028 to strengthen government cybersecurity operations in response to increased threats worldwide.

Memorandum OMB-21-31 from the Office of Management and Budget soon followed, which explained the critical role data log collection and analysis play across all branches of the Federal Government.

State-of-the-art logging technology is playing an increasingly important role in how the federal government protects its data from relentless cybercriminals and nation-states engaging in cyber warfare.

We talked with Dan Wilbricht, Public Sector General Manager at Devo, to get an update on the initiative and learn how the focus on logging will revolutionize federal cybersecurity.

Q. Why did the President take this action?

Dan: Several security breaches over the last few years, including the SolarWinds incident, really underscore the importance of increased government visibility before, during, and after a cybersecurity incident. Sharing information from logs on federal information systems, whether on-premises or operated by third parties such as cloud services, is invaluable in helping detect, investigate and remediate cyber threats.

If security teams at multiple federal agencies are detecting anomalies, they all need to dig into and share their logs as quickly as possible to figure out what’s happening and how widespread it might be. You don’t know what you don’t know — until you look at the logs.

Q. How does the Federal Government benefit from logging?

Dan: Information is knowledge, and the more information federal security teams have and share, the more they’ll know about the threat, the faster they’ll know it, and the more decisively they can act to stop it. The SolarWinds event is a good example. Without having up-to-date logs and security teams trained to use them to identify and respond to threats, our government could have been impacted severely. We were very fortunate.

That’s why logging everything that occurs in each federal agency and department and sharing those logs among security teams is so vital to the cyber health of the federal government.

Q. What logging data is now required to be captured?

Dan: The OMB M-21-31 mandate requires agencies to collect all logs. It defines various event logging (EL) tiers and the log data that must be captured for different log categories. EL1 is defined as a basic rating, in which the logging requirements of the highest criticality are to be captured. EL2 and EL3 describe additional event logging maturity levels, which build on EL1. The end goal of all of this is to collect and analyze all relevant event data and make it available to each agency and to the highest-level security operations center (SOC).

Q. What are the cost implications for logging so much data?

Dan: When considering cost implications, you need to look at it from two perspectives. First, what is the cost of NOT taking action? And second, what is the cost of full implementation? Prior to the mandate, agencies simply didn’t collect all their logs – not because they didn’t want or need the data. It was due to limitations of legacy SIEMs. Agencies had to “leave data on the floor” to maintain other cyber initiatives. The missed cost of not collecting all the data leaves an agency open to a much slower mean time to detect (MTTD) — not to mention the protection and data loss that affects the security of our nation. To store that much data for 365 days of hot availability on premises would be astronomical. But today’s next-generation cloud-native SIEMs make petabyte-scale data ingestion and management more viable and cost-effective. They provide all of the benefits of a log management system without any of the administrative and infrastructure overhead.
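The two answers above describe the EL tiers as a cumulative ladder (EL2 and EL3 build on EL1) and a 365-day hot-retention window. The following self-assessment script is an added example, not code from Devo or from the memorandum: it models the tiers as cumulative category sets and reports which tier an agency's current log sources actually satisfy and where the gaps are. The category names (`auth`, `dns`, `full_packet`, and so on), the tier-to-category mapping, and the inventory of sources are all constructed placeholders for illustration; the real M-21-31 category list is not reproduced here.

```python
from dataclasses import dataclass

# Constructed placeholder mapping of tiers to the log categories each one ADDS.
# These names are illustrative only and are not the memorandum's own list.
TIER_REQUIREMENTS = {
    "EL1": {"auth", "network_flow", "endpoint"},
    "EL2": {"dns", "cloud_api"},
    "EL3": {"application", "full_packet"},
}
TIER_ORDER = ["EL1", "EL2", "EL3"]

# Hot (immediately queryable) retention window discussed in the interview.
HOT_RETENTION_DAYS = 365


@dataclass
class LogSource:
    """One log feed in the agency inventory (constructed for this example)."""
    name: str
    category: str
    hot_retention_days: int
    collecting: bool


def required_for(tier):
    """All categories a tier requires, including everything lower tiers require."""
    required = set()
    for t in TIER_ORDER:
        required |= TIER_REQUIREMENTS[t]
        if t == tier:
            return required
    raise ValueError(f"unknown tier: {tier}")


def assess(sources, target_tier):
    """Return (highest tier fully satisfied or None, sorted list of (category, reason)).

    A category counts as covered only if at least one source for it is actively
    collecting AND keeps the data hot for the full retention window.
    """
    covered = {
        s.category
        for s in sources
        if s.collecting and s.hot_retention_days >= HOT_RETENTION_DAYS
    }

    achieved = None
    for tier in TIER_ORDER:
        if required_for(tier) <= covered:
            achieved = tier
        else:
            break  # ladder is cumulative, so the first unmet tier stops the climb

    gaps = []
    for category in sorted(required_for(target_tier) - covered):
        matching = [s for s in sources if s.category == category]
        if not matching:
            reason = "no source"
        elif not any(s.collecting for s in matching):
            reason = "not collecting"
        else:
            reason = f"hot retention below {HOT_RETENTION_DAYS} days"
        gaps.append((category, reason))
    return achieved, gaps


# Constructed sample inventory: EL1 is fully met, EL2 has two different gaps,
# and nothing at all has been set up for the EL3 categories.
SAMPLE_SOURCES = [
    LogSource("perimeter-firewall", "network_flow", 365, True),
    LogSource("directory-auth", "auth", 365, True),
    LogSource("edr-agents", "endpoint", 400, True),
    LogSource("resolver-logs", "dns", 90, True),        # collected, but only 90 days hot
    LogSource("cloud-audit-trail", "cloud_api", 365, False),  # configured, never enabled
]


def main():
    achieved, gaps = assess(SAMPLE_SOURCES, "EL3")
    print(f"Highest tier fully satisfied: {achieved or 'none'}")
    for category, reason in gaps:
        print(f"  gap toward EL3: {category:<13} {reason}")


if __name__ == "__main__":
    main()
```

Running it against the sample inventory reports EL1 as satisfied and lists four gaps toward EL3, distinguishing a retention shortfall from a source that exists but was never switched on. In practice the inventory would be generated from the SIEM's source list rather than typed by hand, and the retention figure would come from the storage tier each feed lands in.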

Q. Will U.S. businesses benefit? How so?

Dan: This collection of log information from all aspects of the federal government — many petabytes of data — is going to be equally important for improving the security of U.S. businesses as well. If federal security teams discover a significant threat, they can communicate it broadly, sharing hashes, indicators of compromise, and other important details. This will enable the federal government to play a major role in helping to improve everyone’s cybersecurity. And there is value in companies sharing their own security data with the government, as well. The executive order points to the need for companies to start sharing more data, more rapidly when breaches occur. More sharing of threat intelligence makes everyone more secure.

Q. How does Devo contribute and help agencies?

Dan: The Devo Platform manages multiple petabytes in the cloud and always keeps customer data in raw form. The data isn’t altered in any way that prevents analysts from looking back over time to determine when threats originated and what actions occurred. And because Devo doesn’t parse or index data on ingest, analysts can query and analyze data in real time, which is a critical advantage when every second counts. Devo also supports thousands of concurrent, real-time queries. And queries never slow, even as more data is ingested. Devo makes it easy to ingest your data, enrich it, correlate it, visualize it, and, most importantly, act on it.

You can get more information here on our Logging-as-a-Service offering.