In May, President Biden issued an executive order designed to improve cybersecurity in the federal government and, by extension, the nation. Recently, details have started to come out about what this much-needed effort will involve. The latest development is a memorandum from the Office of Management and Budget that focuses on data log collection and analysis.
The August 27 memorandum issued by Acting OMB Director Shalanda Young succinctly explained the critical role data logs play for all branches of the federal government: “Recent events, including the SolarWinds incident, underscore the importance of increased government visibility before, during, and after a cybersecurity incident. Information from logs on Federal information systems (for both on-premises systems and connections hosted by third parties, such as cloud services providers (CSPs)) is invaluable in the detection, investigation, and remediation of cyber threats.”
This heightened awareness of the value of logging and the ability of security experts to use log data to discover and remediate a wide range of security threats is well known by Devo’s private sector customers. Now, the many benefits of state-of-the-art logging technology will play an increasingly important role in how the federal government protects its data from relentless cybercriminals and nation-states engaging in cyber warfare.
This focus on logging will revolutionize federal cybersecurity.
How the Federal Government Can Benefit from Logging
Let’s dig into this a bit more. If, for example, two federal agencies are being attacked simultaneously by the same threat actor, neither security team will know about the other being attacked unless they share their logs and relevant data with CISA and the FBI, as indicated in the OMB memorandum. One of the most important things about logging is you don’t know what you don’t know — until you look at the logs. And if security teams at multiple federal agencies are detecting anomalies, they all need to dig into and share their logs as quickly as possible to figure out what’s happening and how widespread it might be. That’s the kind of cohesive, collaborative security responsiveness OMB’s implementation of the EO is designed to deliver.
Imagine if federal government agencies had been victimized by an attack similar to the one against SolarWinds that spread to thousands of its customers. Without having up-to-date logs and security teams trained to use them to identify and respond to threats, our government could have been severely impacted.
That’s why logging everything that occurs in each federal agency and department and sharing those logs among security teams is so vital to the cyber health of the federal government. Information is knowledge, and the more information security teams have, the more they’ll know, the faster they’ll know it, and the more decisively they will act.
Log Retention is Critical, Now and in the Future
Collecting logs from all federal entities is a critical first step in improving the government’s security posture. And let’s not overlook what happens to all that collected data. We’re talking about many petabytes of data. This collection of log information from all aspects of the federal government is going to be equally important for improving the security of U.S. businesses, as well. If federal security teams discover a significant threat, they can communicate it broadly, sharing hashes, indicators of compromise, and other important details. This will enable the federal government to play a major role in helping to improve everyone’s cybersecurity. And there is value in companies sharing their own security data with the government, as well. The executive order points to the need for companies to start sharing more data, more rapidly when breaches occur. For example, if a credit card company is breached, the broader security community needs to know about it so we can take that information and look at every other credit card company to see if they have been breached but don’t know it yet. The same is true for companies in the automotive, real estate, consumer packaged goods, and many other industries since a threat against one organization could be similar or identical to threats against others.
Retention of log data is critical because often it is the only way for security analysts to know when and how an organization was compromised and to understand the true nature of the threat. Being able to review older logs also may be the only way to identify the root cause of a compromise. If security teams see malicious activity in their systems today, they may be able to stop it. But that’s just part of the story. Analysts need the complete picture of what happened so they can be confident they stopped the entire threat and will be able to use that information to more quickly and effectively prevent it from occurring again.
Enabling federal security teams to look at the accumulated threat data from both the government and private industry will coalesce powerful collective expertise against sophisticated threat actors and nation-states. This joint effort will create new cybersecurity leadership teams ranging from the White House to the rest of government and into the private sector. This unprecedented level of cooperation will make everyone better able to identify and respond to attacks — quickly and effectively.
That’s why I think the time is ideal for this emphasis on enterprise logging to begin. Now the government, the private sector, and the security industry need to collectively execute on this effort so we can improve everyone’s security, keep our data out of the wrong hands, and prevent damaging disruptions that can hit entire industries. More sharing of threat intelligence makes everyone more secure.
Devo Is Ready to Contribute
I’d be remiss if I didn’t briefly discuss what Devo brings to the table when it comes to data logging and security analytics. First of all, the amount of data the federal government generates and will need to log is massive, which can lead to high storage costs. Those multiple petabytes can only be managed in the cloud. The cloud-native Devo Platform always keeps customer data in raw form. The data isn’t altered in any way that prevents analysts from looking back over time to determine when threats originated and what actions occurred.
Because Devo doesn’t parse or index data on ingest (unlike many other vendors), analysts can query and analyze data in real time, which is a critical advantage for threat hunters when every second counts. In addition, Devo supports thousands of concurrent, real-time queries. And queries never slow, even as more data is ingested.
Devo’s all-inclusive license makes total cost of ownership predictable and allows organizations to maximize log ingestion. Devo charges on one thing and one thing only: average daily data ingest. And Devo Security Operations, our cloud-native next-gen SIEM, empowers SOC teams to enhance their mission to protect organizations against cyberattacks by closing the visibility gap so analysts can detect and investigate cyberthreats more effectively and efficiently. Devo makes it easy to ingest your data, enrich it, correlate it, visualize it, and, most importantly, act on it — with confidence.
Let the logging revolution begin!