
The Office of Management and Budget’s memo mandates a maturity model for event log management, sets agency implementation requirements, and establishes government-wide responsibilities. Fortunately, Splunk solutions can help agencies comply with the new mandates.
As I wrote in a recent blog post, Biden Administration Executive Order Reinforces Log Standardization is Key to Security, the Biden Administration issued its much-anticipated Executive Order in May 2021, aimed at improving the cyber posture of the country. The Fact Sheet accompanying its release appropriately noted that “[r]ecent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.” Since the Order’s release in May, we have not seen any slowing down in the sophistication or frequency of incidents.
On August 27, 2021, OMB issued an implementation memo specific to the Order’s directions in Section 8 regarding log management. The “Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents” memo is broken down into three key sections:
Maturity Model for Event Log Management
The Maturity Model sets distinct logging tiers with the stated purpose of helping agencies prioritize certain aspects of implementation to reach full memo compliance over time. The four tiers are “not effective” (EL0), “basic” (EL1), “intermediate” (EL2), and “advanced” (EL3); each tier adds log categories, retention, and access requirements on top of the one below it.
Agency Implementation Requirements
In Section 2, agencies are directed to begin implementing the memo’s requirements immediately, with several milestones that must be met within specific timeframes. For example, agencies have 60 calendar days to assess themselves against the maturity model and to submit any identified resource gaps and funding plans needed to meet the memo’s requirements. Agencies must then reach the basic level within one year, the intermediate level within 18 months, and the advanced level within two years of the memo’s issuance.
Government-Wide Responsibilities
In the third section, on Government-Wide Responsibilities, specific tasks are assigned to both CISA and the Commerce Department. CISA is tasked with sending teams to individual agencies to advise on their current logging capabilities, and with working alongside the FBI to develop tools for assessing logging maturity. The Commerce Department is tasked with updating NIST’s Guide to Computer Security Log Management (SP 800-92) to account for these new requirements.
MISC
The memo also includes a series of appendices covering topics such as centralized access and definitions. Appendix C, in particular, provides the specific logging technical details that agencies are required to follow: for each log category (for example, DNS, operating system, network device, and cloud logs), OMB lists the required data elements, the format, the criticality, and the retention period for both active and cold storage. In practice this appendix is the checklist against which a logging program will be measured, so it is the part of the memo most worth reading closely.
How Splunk Can Help
Splunk can assist agencies in implementing these requirements in numerous ways, including:
- Event Forwarding, Centralized Access, and FBI/CISA Access: Leverage the Universal Forwarder, Splunk Connect for Syslog, and dozens of other technical add-ons and apps to collect and route data wherever it needs to go, such as Splunk Enterprise Security, Splunk’s SIEM. Provide real-time access to the appropriate data to FBI/CISA via Federated Search, without shipping data outside your environment.
- User Behavior Monitoring: Implement Splunk User Behavior Analytics to provide unsupervised machine learning to detect anomalous user actions and combat advanced threats.
- Logging Orchestration, Automation, and Response: Build playbooks inside Splunk SOAR to automate threat hunting, intelligence gathering, and remediation activities. Use SOAR workbooks to streamline and standardize analyst workflow for incident handling procedures.
- Application Container Security, Operations, and Management: Use Splunk Connect for Kubernetes to maintain visibility into container-related events.
- Standardized Log Structure: Splunk’s schema-at-read capability is well suited to adapting data to published standards, such as the Common Information Model, or to future standards developed by CISA, because field extractions and normalization are applied at search time rather than forced onto the data as it is ingested.
- Protecting and Validating Log Information: Splunk can be trusted to safely store data both in the cloud as well as on-premises using FIPS 140-2 validated cryptography.
- Passive DNS: Organizations can quickly create passive DNS collections by bringing DNS data into Splunk for analysis; this method was discussed at the 2016 Virus Bulletin conference. Because a passive DNS collection records what each name resolved to, the source data must include DNS answers (resolver or DNS server logs, or DNS captured off the wire), not query logs alone. If needed, this data can be exported daily to CISA via an automated mechanism such as a Splunk SOAR playbook.
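To make the passive DNS bullet concrete, here is an added example (not Splunk’s code, and not from the Virus Bulletin talk) that builds a passive DNS collection from DNS response records in plain Python. It assumes a constructed, tab-separated response log (timestamp, query name, record type, answer, one answer per line), which is a hypothetical format standing in for whatever your resolver or sensor emits. The aggregation it performs is the same one you would express in Splunk as a `stats` over query, record type and answer; writing it out makes the record shape, the reverse lookup, and the daily export explicit.

```python
"""Build a passive DNS collection from DNS response log lines.

Added example, not Splunk's own code. The log format below is a constructed
TSV (epoch_ts, query, rrtype, answer) used as a stand-in for real resolver
or sensor output; the IPs are from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one DNS answer per line. Two observations of the same
# (name, type, answer) tuple should collapse into one record with count 2.
SAMPLE_LOG = """\
1630000000\twww.example.com\tA\t192.0.2.10
1630003600\twww.example.com\tA\t192.0.2.10
1630007200\tmail.example.com\tA\t192.0.2.10
1630010800\tupdates.example.net\tA\t198.51.100.7
1630014400\tupdates.example.net\tA\t203.0.113.9
1630018000\tcdn.example.org\tCNAME\twww.example.com.
1630021600\tbad.example.org\tA\t203.0.113.9
"""


@dataclass
class PdnsRecord:
    """One passive DNS record: what a name resolved to, and when it was seen."""
    rrname: str
    rrtype: str
    rdata: str
    first_seen: int
    last_seen: int
    count: int


def parse_line(line):
    """Normalize a TSV line: lowercase names, strip trailing dots, int timestamp."""
    ts, qname, rrtype, answer = line.rstrip("\n").split("\t")
    return int(ts), qname.lower().rstrip("."), rrtype.upper(), answer.lower().rstrip(".")


def build_collection(log_text):
    """Aggregate answers into records keyed by (rrname, rrtype, rdata)."""
    collection = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, qname, rrtype, rdata = parse_line(line)
        key = (qname, rrtype, rdata)
        rec = collection.get(key)
        if rec is None:
            collection[key] = PdnsRecord(qname, rrtype, rdata, ts, ts, 1)
        else:
            rec.first_seen = min(rec.first_seen, ts)
            rec.last_seen = max(rec.last_seen, ts)
            rec.count += 1
    return collection


def names_for_rdata(collection, rdata):
    """Reverse lookup: every name that ever resolved to this answer."""
    return sorted({r.rrname for r in collection.values() if r.rdata == rdata.lower().rstrip(".")})


def rdata_for_name(collection, name):
    """Forward lookup: every answer ever returned for this name."""
    return sorted({r.rdata for r in collection.values() if r.rrname == name.lower().rstrip(".")})


def names_with_changed_a_record(collection):
    """Names whose A record pointed at more than one address during the period.

    A sudden change is a common pivot when hunting for hijacked or fast-flux
    infrastructure; here it surfaces updates.example.net.
    """
    addrs = defaultdict(set)
    for r in collection.values():
        if r.rrtype == "A":
            addrs[r.rrname].add(r.rdata)
    return sorted(n for n, a in addrs.items() if len(a) > 1)


def export_rows(collection, since_ts=0):
    """Rows for a daily export: records last seen at or after since_ts.

    Returns plain dicts so the caller can serialize to CSV/JSON as required.
    """
    rows = [
        {"rrname": r.rrname, "rrtype": r.rrtype, "rdata": r.rdata,
         "first_seen": r.first_seen, "last_seen": r.last_seen, "count": r.count}
        for r in collection.values() if r.last_seen >= since_ts
    ]
    return sorted(rows, key=lambda x: (x["rrname"], x["rrtype"], x["rdata"]))


if __name__ == "__main__":
    pdns = build_collection(SAMPLE_LOG)
    for row in export_rows(pdns):
        print(row)
    print("names behind 203.0.113.9:", names_for_rdata(pdns, "203.0.113.9"))
    print("names whose A record changed:", names_with_changed_a_record(pdns))
```

The key design choice is the record key: aggregating on the full (name, type, answer) tuple rather than on the name alone is what lets you answer both "what did this name resolve to" and "what else lived on this address", which is the value of passive DNS during incident response. The `since_ts` filter on `export_rows` is how a daily job would hand only the latest day's changes to an external party.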
This article was co-authored by Drew Church, Security Consulting Sales Engineer at Splunk, and Ryan Kovar, Distinguished Strategist at Splunk.