Senior Federal and industry cybersecurity leaders agreed that the Office of Management and Budget’s (OMB) August 2021 memorandum M-21-31 to implement new event logging and share threat information has proven to be a significant step in bolstering cybersecurity across Federal civilian agencies.
During MeriTalk’s “Challenge Accepted: The March to Meet OMB’s M-21-31” webinar on April 5, the Federal Emergency Management Agency’s (FEMA) Chief Information Security Officer joined officials from Booz Allen Hamilton and Databricks to talk about the memo’s impact on how agencies collect, preserve, and share crucial log data about cyber incidents with the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. The memo stems from the Biden administration’s Cybersecurity Executive Order issued in May 2021.
FEMA CISO Gregory Edwards, Ph.D., said the order has catalyzed action at his agency on priorities that needed work. Edwards said FEMA was “very glad” to get the OMB memo in late August 2021 “because it spoke about a lot of things that we knew we needed to do, and perhaps we needed a little kick in the butt so to get started in that regard.”
“At FEMA in particular … our own experiences indicated that we needed to improve the investigative and remediation capabilities related to cybersecurity incidents,” he said. “I think we would all agree that you can’t get too much of this,” nor can the agency’s security officials have too many good relationships through which to share threat data.
As a high-level priority, Edwards said FEMA had to focus on getting logging data both from its on-prem and cloud-based systems. The agency, he said, has been “moving most of our services and applications to the cloud, and we’ve been doing this for the past two years.”
“It didn’t matter whether we had our services on-prem or we had them in the cloud, we still needed to be able to monitor and get telemetry about those services,” he said. Getting log data from both on-prem and cloud systems, he said, “was very important for us, and I think we can all agree that it’s very valuable to have those detection, investigation, and remediation capabilities.”
Speaking from experience, Edwards said, “many of us in this business have had the opportunities to respond to many threats, and that’s when you truly know your own detection capabilities, your ability to share information, and how you can reach out, look into your log files, and actually figure out what’s going on in your environment – and more importantly perhaps, find out information from your partners as well.”
“Finally … the memorandum also helped us fulfill our goal of increasing sharing of information,” he said. “Now to some point, we share information that’s appropriate,” Edwards said. “We don’t want everyone to see everything that we’re collecting, so we need to be able to distill that information out and share. My bottom line here would be that this is really a good push in the right direction for us.”
Monzy Merza, Vice President of Cybersecurity Go-to-Market at Databricks, talked about the crucial role that event logging plays for Federal agency cybersecurity and cyber threat detection.
“To do detection, to do an investigation, to do remediation … strong logging and visibility is the root” of all those things, he said. “If you don’t have good logging, you’re not able to detect things and run analytics on top of those log events.”
“If you don’t have logging, when you do have an event or incident you can’t go back and investigate that incident or try to really understand and scope it out,” Merza said. “And when it comes to response, if you don’t have logging, you can’t actually test what your effects were and how your response was conducted, and then go back and look to see if it’s actually made a change.”
“So logging really underpins what’s happening within an environment from a cyber defense point of view, and also from an information-sharing point of view, and also from a compliance point of view,” he said.
Greg McCullough, Principal at Booz Allen Hamilton, said the OMB memorandum is “very data-focused, which I think is the key to building a strong foundation for a proactive cyber defense.”
He cited statistics showing that the vast majority of cyber incidents generate alerts and are logged, but are not responded to quickly enough to prevent the incident. “That’s extremely powerful – I think CISA and the administration are right to start with the data because that’s really where your ability to defend and react starts.”
McCullough talked about cybersecurity architectures that rely on sensors that meet the requirements of the OMB memo, normalizing logging datasets from on-prem and cloud systems, and then implementing a data broker model.
“That’s really what the memo is centered around, providing a centralized way to access and manage control of the data in your enterprise,” he said. “I believe that a federated implementation, managed by one consistent implementation of the data broker across enterprises, is the way to go.”
“That way, you can pull the data and you can be ready to respond,” he said. “It makes it much easier to pull in organizations like CISA when you need help, and so just getting those basic things out of the way makes you a lot more prepared to respond quicker, and maybe you can actually prevent the next cyberattack rather than respond to it and try to do damage control.”
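As an added illustration of the normalization step McCullough describes (this is not code from the webinar, FEMA, Booz Allen Hamilton or Databricks), the Python below maps a constructed on-prem syslog-style line and a constructed cloud JSON audit event into one common schema and checks each record for completeness before a data broker would accept it. The schema fields, regexes and sample records are assumptions, not M-21-31's actual data-element list.

```python
import json
import re
from datetime import datetime, timezone

# Assumed common schema; every normalized event must carry these fields.
REQUIRED_FIELDS = ("timestamp", "source", "host", "event_type", "user", "outcome")

# Constructed on-prem record: syslog-like layout, local-time ISO 8601 timestamp.
ONPREM_LINE = ("2021-08-27T14:03:11-04:00 fileserver01 sshd[2211]: "
               "Accepted publickey for alice from 10.0.5.12")

# Constructed cloud audit record: JSON, epoch seconds, different field names.
CLOUD_EVENT = json.dumps({
    "eventTime": 1630087391, "resource": "vm-web-03", "action": "ConsoleLogin",
    "principal": "bob@example.gov", "result": "Failure",
})

_ONPREM_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[]+)\[\d+\]: (?P<msg>.*)$")
_SSHD_RE = re.compile(r"^(?P<outcome>Accepted|Failed) \S+ for (?P<user>\S+)")


def normalize_onprem(line: str) -> dict:
    """Parse a syslog-style sshd line; timestamps are converted to UTC."""
    m = _ONPREM_RE.match(line)
    if not m:
        raise ValueError("unrecognized on-prem line")
    ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
    auth = _SSHD_RE.match(m["msg"])
    return {
        "timestamp": ts.isoformat(),
        "source": "onprem/" + m["proc"].strip(),
        "host": m["host"],
        "event_type": "authentication",
        "user": auth["user"] if auth else None,
        "outcome": "success" if auth and auth["outcome"] == "Accepted" else "failure",
    }


def normalize_cloud(raw: str) -> dict:
    """Map a cloud JSON audit event into the same schema (epoch -> UTC ISO 8601)."""
    ev = json.loads(raw)
    ts = datetime.fromtimestamp(ev["eventTime"], tz=timezone.utc)
    return {
        "timestamp": ts.isoformat(),
        "source": "cloud/audit",
        "host": ev["resource"],
        "event_type": "authentication" if "Login" in ev["action"] else ev["action"],
        "user": ev["principal"],
        "outcome": ev["result"].lower(),
    }


def missing_fields(event: dict) -> list:
    """Completeness check a broker would run before accepting an event."""
    return [f for f in REQUIRED_FIELDS if event.get(f) in (None, "")]
```

With both records converted to UTC, the two constructed events land on the same instant, so a central query can correlate them regardless of which environment produced them.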
For the rest of the story, please access the webinar replay.