Recent waves of cybercrime underscore the importance of increased government visibility before, during, and after a cybersecurity incident. As adversaries continue to target government networks and other infrastructure, efficient event logging is crucial in identifying, investigating, and preventing attacks. President Biden’s May 2021 executive order on cybersecurity set new requirements for event logging, and Office of Management and Budget memorandum M-21-31 in August 2021 provided guidance for agencies on how to meet those requirements.
MeriTalk recently spoke with Juliana Vida, chief technical advisor, public sector at Splunk, and former Navy deputy CIO, to discuss the new event logging mandates, how Splunk is helping agencies meet them, and the growing clout of agency cybersecurity teams.
MeriTalk: President Biden’s cybersecurity EO calls for the development of “requirements for logging events and retaining other relevant data within an agency’s systems and networks.” Why is event logging such a critical component of a strong cybersecurity posture?
Juliana Vida: Logging has always been critical for the government – truthfully, for any organization that manages data. Logs hold vital information that can provide the insight needed to prevent attacks; they’re where all activity across an IT environment is captured for analysis. They act as a red flag and reviewing them regularly will help identify malicious attacks on a system.
The need to manage and optimize Federal systems is not new, but the cybersecurity EO and M-21-31 memorandum raised the issue of observability across the environment and maintaining logs to a higher level than ever before. There’s now a spotlight on event logging that didn’t exist before.
Other leaders are now talking about this as well. In early January, Rob Joyce, director of the National Security Agency cybersecurity directorate, shared a fantastic tweet on bad actors continuing to focus on persistent access to compromised networks, and how robust logs are crucial in a focused effort to hunt, find, and kick them out. This is just a small part of the NSA’s continuing cybersecurity mission to warn organizations and help the cybersecurity community reduce the risk presented by these threats.
MeriTalk: What are the most critical things agencies can do to improve their logging capabilities?
Vida: The most important thing an agency can do is establish a common, scalable data platform. Why? A common data platform allows event logs to be reviewed and synthesized to provide observability across the entire environment. This can’t be done with siloed legacy systems, which have created a patchwork of data that every agency recognizes is hard to maintain, inefficient, and inhibits cybersecurity professionals’ productivity.
Creating a common data platform isn’t going to be simple, especially for agencies with a large environment of legacy applications and systems, but it’s absolutely critical. The amount of data being generated, used, bought, sold, leveraged, lost, and gained every day is beyond any human’s ability to manage, and it is beyond the capability of most legacy systems.
MeriTalk: That does sound like a formidable challenge. What other roadblocks do agencies face with event logging and management?
Vida: We know our customers are very concerned about the added storage, the infrastructure, tight deadlines, and – let’s be honest – the licensing costs that event logging brings to the table. Those are always concerns for the government, but particularly with M-21-31, agencies can interpret that larger requirement to do more logging and add significantly more storage as an exorbitant cost they aren’t sure how to manage.
We’ve had people tell us they’re going from ingesting a few terabytes to petabytes of data to comply with this memorandum. To understand the scale of a petabyte, think of the companies producing popular search engines many of us use every day. Those companies look at petabytes of data a day. Many government agencies could be required to increase their logging to that level of magnitude, and, understandably, it’s hard for our Federal customers to get their heads around.
Another challenge they face is high levels of complexity. Think about how hard it is for agencies to move from legacy environments to modern cloud-based environments. Now add in the additional layer of multiple clouds, hybrid clouds, or clouds within a cloud – these are complex dependencies across services.
MeriTalk: Splunk created its Government Logging Modernization Program (GLMP) following the release of the OMB guidance. What prompted Splunk to launch the program?
Vida: Federal ecosystems and the cybersecurity challenges leaders face aren’t getting any easier – we understand that deeply. When the M-21-31 memorandum dropped, we wanted to help agencies meet the requirements outlined in the maturity framework for log management, to enhance their capabilities, to empower them to execute their missions, and to prevent them from being overwhelmed by the data and technology they rely on for those missions. We designed GLMP to remove barriers to modernization and help agencies execute on the memorandum, not only because it’s a requirement, but because it’s the right thing to do.
MeriTalk: How does the GLMP help agencies address the logging guidance and other mandates in the cyber EO?
Vida: GLMP has four pillars. The first pillar is new Splunk cloud FedRAMP packages and pricing that are designed solely for M-21-31 and exclusive to Federal agencies. This targeted packaging and pricing will help lower costs, accelerate compliance, and improve cybersecurity resilience as agencies work to meet the requirements of M-21-31.
The second pillar is expanded storage options with lowered costs. This enables customers to accelerate their investigative and remediation capabilities through enterprise log retention, which is a part of the M-21-31 mandate. You might notice a theme – we listened to the feedback from our customers and created new, flexible pricing models to address their higher data and logging requirements.
The third pillar is a comprehensive Splunk cloud FedRAMP migration assessment and customized services. We’re increasing the level of customer support we provide because we know agencies will be shouldering a heavy burden.
Lastly, the fourth pillar provides access to an assigned security expert. This service will help guide agencies along the cloud maturity path and navigate the event logging maturity model outlined in M-21-31.
With the technology, the expertise, and the new pricing models in the GLMP, we aim to provide everything the agencies need to execute on – and succeed with – the event logging mandates. It can be a heavy lift for a lot of agencies, but wow, what a benefit it will be.
MeriTalk: What is the biggest change that you’ve seen among Federal technology teams since the release of the cyber EO?
Vida: I may surprise you a bit here because I’m going to pivot from all this talk about data and technology. The biggest change I’ve seen is a cultural pivot. IT and cybersecurity teams historically struggle to get buy-in from leadership across the agency because they haven’t been able to create a compelling story for why investments should be made in better security.
Now, escalating cyberattacks during the pandemic and the Biden administration’s concerted focus on cybersecurity have created an environment where technology teams, and security teams, in particular, have a stronger voice. They’re learning how to use stories of what’s going on in the real world to show their leadership why investment is necessary in a way that they just haven’t been able to do before.
I’ve also seen a huge improvement in government-industry partnership over the last two years. I think the government now realizes that we’re better together. Government and industry both have strengths, and each sector has areas where the other can help. It’s a big pivot from years of the “government can do it better and industry can fill in the holes” to true partnership, and it’s really important. Truly, that is the biggest improvement I’ve seen.