On average, it takes 287 days to identify and contain a data breach, according to IBM Security’s 2021 Cost of a Data Breach report. The longer a breach goes unidentified, the costlier it is: breaches that took more than 200 days to identify and contain cost organizations an average of $4.87 million in 2021, while those contained in less than 200 days cost an average of $3.61 million, IBM found.
Beyond monetary impacts, breaches threaten public trust in government, disrupt normal agency operations, and can compromise national security. A series of attacks identified in 2020 and 2021 put these impacts in sharp relief for government and industry.
The SolarWinds attack, for example, was one of the most widespread and sophisticated hacking campaigns ever conducted against the Federal government and private sector, the Government Accountability Office noted in its January 2022 assessment of the Federal response. The Microsoft Exchange Server attack exploited zero-day vulnerabilities and had the potential to provide bad actors with unauthorized remote access to email across the Federal government, GAO also noted.
Lack of log data slows cyberattack response
Gaps in network and log coverage slowed agency response to the SolarWinds and Microsoft incidents, agency officials told the GAO. They said varying log management and preservation practices, along with a lack of data collection tools, limited evidence collection. Some agencies retained log data for 90 or 180 days, while others maintained no log data at all. One official noted that the threat actor behind the SolarWinds attack was in agencies’ networks for months before it was detected.
A lack of log data not only hinders evidence gathering after the fact; it also prevents organizations from establishing a baseline of normal activity and using that baseline to quickly detect abnormal activity.
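As a minimal sketch of the baselining idea above: with enough retained log data, an organization can compute normal activity statistics and flag deviations. The event counts, threshold, and function name below are illustrative assumptions, not any agency's actual method.

```python
# Hypothetical sketch: using retained log data to baseline normal activity
# and flag deviations. Hourly event counts here are made-up illustrative data.
from statistics import mean, stdev

def find_anomalies(counts, threshold=3.0):
    """Flag hours whose event count deviates from the baseline
    by more than `threshold` standard deviations."""
    baseline_mean = mean(counts)
    baseline_std = stdev(counts)
    return [
        (hour, count)
        for hour, count in enumerate(counts)
        if baseline_std > 0 and abs(count - baseline_mean) / baseline_std > threshold
    ]

# 23 hours of typical login counts, then one suspicious spike:
hourly_logins = [102, 98, 110, 95, 105] * 4 + [101, 99, 97, 480]
print(find_anomalies(hourly_logins))  # → [(23, 480)]
```

Without retained logs there is no history from which to compute the baseline in the first place, which is the gap the officials described.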
“Information from logs on Federal information systems (for both on-premises systems and connections hosted by third parties, such as cloud services providers) is invaluable in the detection, investigation, and remediation of cyber threats,” noted Shalanda Young, acting director of the Office of Management and Budget, in the August 2021 memorandum M-21-31, which provides specific event logging requirements and guidance to Federal agencies.
The memo builds on President Biden’s May 2021 executive order on cybersecurity, which called on agencies and their IT service providers to collect and maintain log data.
Biden administration makes event logging a must
“The cybersecurity EO and M-21-31 memorandum raised the issue of observability across the environment and maintaining logs to a higher level than ever before. There’s now a spotlight on event logging that didn’t exist before,” observed Juliana Vida, chief technical advisor, public sector at Splunk, and former Navy deputy CIO.
M-21-31 establishes requirements for logging, log retention, and log management, with the goal of providing centralized access and visibility for the highest-level security operations center of each agency.
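To make the retention requirement concrete, the sketch below compares an agency's current log retention against the minimums in M-21-31's maturity model (12 months of active storage plus 18 months of cold storage). The function, constant names, and the 90-day example figure are assumptions for illustration; consult the memo itself for authoritative requirements.

```python
# Illustrative sketch: measuring an agency's log-retention shortfall against
# the M-21-31 minimums (12 months active storage, 18 months cold storage).
# All names and the example inputs are hypothetical.
REQUIRED_ACTIVE_DAYS = 365   # ~12 months of active (readily accessible) storage
REQUIRED_COLD_DAYS = 548     # ~18 months of additional cold storage

def retention_gap(active_days: int, cold_days: int) -> dict:
    """Return how many additional days of storage are needed per tier."""
    return {
        "active_shortfall_days": max(0, REQUIRED_ACTIVE_DAYS - active_days),
        "cold_shortfall_days": max(0, REQUIRED_COLD_DAYS - cold_days),
    }

# An agency retaining logs for only 90 days, with no cold storage:
print(retention_gap(active_days=90, cold_days=0))
# → {'active_shortfall_days': 275, 'cold_shortfall_days': 548}
```

A gap of this size is what drives the storage and cost concerns described below.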
Increased event logging and retention will help agencies identify malicious attacks sooner rather than later, Vida said. It will also bring challenges, including increased costs for storage, infrastructure, and licensing, and greater complexity as agencies work to collect and manage log data across on-premises and cloud systems.
“We’ve had people tell us they’re going from ingesting a few terabytes to petabytes of data to comply,” Vida said. “Now add in the additional layer of multiple clouds, hybrid clouds, or clouds within a cloud – these are complex dependencies across services.”
A common data platform can bring clarity to massive data volumes
Despite the challenges, the increasing number and sophistication of cyberattacks make improved logging an imperative. And now more than ever, advanced technologies, including application programming interfaces and data collection and analysis platforms, make it easier for organizations to improve their capabilities, experts noted.
A common, scalable data platform is essential to timely assessment of log data, Vida said. It provides observability across the agency enterprise, which can’t be done with legacy, siloed systems.
“Creating a common data platform isn’t going to be simple, especially for agencies with a large environment of legacy applications and systems, but it’s absolutely critical,” she said. “The amount of data being generated, used, bought, sold, leveraged, lost, and gained every day is beyond any human’s ability to manage, and it is beyond the capability of most legacy systems.”