The Russia–Ukraine conflict has significantly intensified the cyberthreat landscape. As state-sponsored threat actors collaborate with financially motivated cybercriminals to launch targeted cyberattacks against critical infrastructure, the cyberthreat landscape has become a free-for-all arena. As a result, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued an official advisory regarding active reconnaissance activities conducted by Russian state-sponsored threat actors against critical industries, including the defense industrial base (DIB) and the energy industry.
Thus far, the common denominator for active reconnaissance activities involves threat actors scanning sensitive networks for systems vulnerabilities that can be easily exploited. As a result, organizations were advised to enhance the resilience of their cyberthreat identification, investigation, and remediation processes.
To further strengthen the investigative and remediation processes and provide the federal government with increased visibility before, during, and after a cybersecurity incident, President Biden signed Executive Order 14028, which focused on institutionalizing systems logging requirements for U.S. government agencies and companies handling sensitive federal government data. As a result, the Office of Management and Budget released Memorandum 21-31 to meet the requirements outlined in Executive Order 14028.
Following the SolarWinds security incident, the U.S. sought to formally articulate the importance of maintaining a proactive posture in cybersecurity operations, especially when dealing with data and systems with national security implications. One of the issues associated with the SolarWinds incident was poor log management. Therefore, one of the purposes of the OMB 21-31 memorandum is to establish a maturity model for log management.
This memorandum provides detailed requirements for how government agencies and cleared defense contractors should implement specific systems logging operations to formulate a preventive approach to cybersecurity. In addition, the memorandum introduces a maturity model to guide the implementation of requirements across four event logging (EL) tiers.
According to OMB 21-31, organizations must assess their maturity levels against the maturity model highlighted in the OMB 21-31 memorandum. By performing the maturity evaluation, an organization will identify resourcing and implementation gaps associated with completing the implementation requirements for each EL tier.
Below is a summary of the four EL tiers:
| Event Logging Tier | Rating | Description |
|---|---|---|
| EL0 | Not Effective | Logging requirements of highest criticality are either not met or are only partially met. |
| EL1 | Basic | Only logging requirements of highest criticality are met. |
| EL2 | Intermediate | Logging requirements of highest and intermediate criticality are met. |
| EL3 | Advanced | Logging requirements at all criticality levels are met. |
These EL tiers will help agencies direct their resources toward critical activities to achieve full compliance without unnecessary delay in implementation. An organization should prioritize its compliance activities by focusing first on high-impact systems and high-value assets (HVAs).
At this level, an organization has not met the following requirement:
Tier EL1 contains most requirements for the subsequent EL2 and EL3 Tiers. The goal is to meet the implementation and centralized access requirements. Each event log must contain an accurate timestamp, status code, device identifier, transaction ID, source, destination IP, additional headers, etc.
Consistent timestamp formats support accurate and efficient event correlation and log analysis, and event forwarding is crucial for security operations center (SOC) analysts to obtain events from remote devices, for instance for security information and event management (SIEM) analytics. Therefore, tier EL1 also includes requirements for user behavior analytics and for alerting that detects disruptions in the data stream.
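As an added example (not LogRhythm's code or anything from the memorandum itself), the following checks constructed log records against the EL1 field list quoted above and normalizes their timestamps to a single UTC ISO 8601 form, leaving the raw record untouched. The field names and the rule that a naive timestamp is treated as UTC are assumptions made here for illustration.

```python
"""Added example: EL1 field-completeness check and timestamp normalization."""
from datetime import datetime, timezone

# Assumed field names for the mandatory EL1 record elements listed on the page.
REQUIRED_FIELDS = ("timestamp", "status_code", "device_id", "transaction_id",
                   "source", "destination_ip")

# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    {"timestamp": 1712066400, "status_code": 200, "device_id": "fw-01",
     "transaction_id": "t-1", "source": "10.0.0.5", "destination_ip": "10.0.1.9"},
    {"timestamp": "2024-04-02T10:00:00-04:00", "status_code": 403, "device_id": "proxy-02",
     "transaction_id": "t-2", "source": "10.0.0.7", "destination_ip": ""},
    {"timestamp": "yesterday", "status_code": 500, "device_id": "app-03",
     "transaction_id": "t-3", "source": "10.0.0.8", "destination_ip": "10.0.1.2"},
]

def normalize_timestamp(value):
    """Return an ISO 8601 UTC string for epoch seconds, ISO 8601 text with an
    offset or 'Z', or a naive 'YYYY-MM-DD HH:MM:SS' string (assumed UTC).
    Returns None when the value cannot be parsed."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
    if isinstance(value, str):
        text = value.strip().replace("Z", "+00:00")
        try:
            parsed = datetime.fromisoformat(text)
        except ValueError:
            return None
        if parsed.tzinfo is None:  # naive timestamp: assumption, treat as UTC
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc).isoformat()
    return None

def check_record(record):
    """Return (missing_fields, normalized_copy); the raw record is not modified."""
    missing = [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]
    normalized = dict(record)
    ts = normalize_timestamp(record.get("timestamp"))
    if ts is None:
        if "timestamp" not in missing:
            missing.append("timestamp")  # present but unparseable counts as a gap
    else:
        normalized["timestamp"] = ts
    return missing, normalized

def assess(records):
    """Count records that satisfy every required field; gaps show where EL1 is unmet."""
    results = [check_record(r) for r in records]
    gaps = [m for m, _ in results if m]
    return {"complete": len(results) - len(gaps), "total": len(records), "gaps": gaps}
```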
At this level, an organization has met all of the following criteria:
Whereas the primary purpose of EL1 is to set a standard for most critical data sources and assets, the intermediate level Tier EL2 sets a higher standard to match the increased sophistication of cyber threats. A thorough inspection of encrypted data is necessary for detecting attacks hidden in trusted encrypted protocols. For this purpose, agencies must retain and store the collected information or metadata in clear text form and according to the directives.
In addition, agencies must follow the zero trust principle regarding least privilege access, reducing attack surface, and guidance on zero trust architecture. Therefore, at this tier level, an organization has met all of the following requirements:
Although the deadline for completing all Tier EL3 requirements is 2023, early planning and preparation are essential. Meeting the needs of Tier EL3 will help agencies establish a much more robust approach to detection and response to the advanced threats of today’s world.
Leveraging the logging requirements, agencies must monitor all user and non-user accounts with the help of user behavior analytics. This measure helps organizations recognize compromised user credentials, devices or systems, unauthorized asset access, lateral movement of threat actors, and more. The OMB 21-31 Memorandum integrates application container security, operations, and management to modernize federal security infrastructure.
Compliance with Tier EL3 means that required logs across all criticality levels are accessible to the highest-level security operations at the head of each agency. At this tier level, an organization has met all of the following requirements:
Federal agencies do not have the time to experiment with services: they must implement technologies that deliver high-quality, out-of-the-box support that meets all the outlined requirements. LogRhythm is an organization’s solution for achieving EL1 to EL3 compliance. LogRhythm SIEM can aid federal agencies in meeting these requirements via log management, its embedded deterministic user and entity behavior analytics (UEBA) monitoring, and security orchestration, automation, and response (SOAR) solution. These are all rolled into a single out-of-the-box, end-to-end security operations platform that allows LogRhythm to fulfill all OMB 21-31 requirements.
LogRhythm SIEM’s customizable content, such as playbooks for various use cases and threat scenarios, enables agencies to meet the deadlines laid out in the memorandum. With LogRhythm’s MDI Fabric — containing over 1,000 out-of-the-box correlation rules — necessary metadata is pulled from raw logs while maintaining the original, raw structure. Time normalization is performed upon log ingestion. Additionally, data is protected with a digital chain of custody, and playbooks are coupled with LogRhythm’s security operational maturity model to help federal agencies through the SOAR and UEBA processes.
Before implementing the log management requirements in OMB 21-31, an organization should analyze its infrastructure to ensure alignment with the logging requirements. When evaluating your infrastructure for compatibility with OMB 21-31 logging requirements, LogRhythm provides cost-effective services in several programming languages, customizable automation, and ongoing guidance when navigating the tools.
Below are some ways LogRhythm SIEM’s capabilities help organizations meet the OMB 21-31 implementation deadline.
A brief comparison of LogRhythm SIEM and its competitors is provided below. However, implementing any cybersecurity-related regulation or mandate can be tedious, expensive, and complex. Often, many organizations fail to comply with essential regulations because they cannot find a trusted cybersecurity partner capable of deploying specific requirements without breaking the bank.
Below are a few reasons why LogRhythm is well-positioned — unlike competitors — to collaborate with your organization in seamlessly deploying OMB 21-31 requirements at each tier level.
LogRhythm provides flexible deployment options to serve your organization’s goals and environment best. It offers a SIEM experience that is adaptable and as simple as a SaaS solution. In addition, you can deploy the LogRhythm SIEM solution on-premises through a managed security service provider.
LogRhythm SIEM renders log management features to centralize log data and apply a consistent schema across every data type. As a result, you can quickly search your organization’s data to answer critical questions, troubleshoot operation issues, and identify security events. It also offers simple visualizations and dashboards.
LogRhythm provides flexible pricing and licensing models. The unlimited pricing option ensures that a specific price is locked in for up to 36 months, thus preventing overspending on the organizational budget. On the other hand, other competitors’ prices are based on an organization’s headcount. Therefore, the headcount and price point needed for competitors to help an organization implement OMB 21-31 requirements are usually three to four times higher than LogRhythm’s threshold.
Organizations following the traditional compliance models and relying upon manual control validation or periodic reporting find the new logging mandates imposed by the M-21-31 memorandum challenging. Correct, relevant, and timely data about the maturity of security telemetry and log management infrastructure is necessary for organizations to evaluate their enterprise security monitoring and reporting capabilities. The Presidential Executive Order aims to improve the security of Federal assets, supply chain, and networks and set up compliance and effectiveness standards for risk management programs. M-21-31 addresses the requirements and guides the implementation process, enabling organizations to identify and respond to cyberthreats effectively.
The OMB 21-31 memorandum addresses more than an organization’s current defensive posture and response capabilities. It establishes a maturity roadmap and sets objectives to improve threat visibility and incident response effectiveness, aligning them with the long-term goal of securing the national information assets and infrastructure of the United States. As the mandates evolve, organizations failing to implement data-driven automation will face an increasing burden from compliance programs.
However, with LogRhythm, organizations can meet and comply with the newly established federal directives with minimal effort. The single all-in-one, end-to-end security operations platform, comprising the LogRhythm SIEM Platform, UEBA, and SOAR, enables federal agencies to meet their specified deadlines. In addition, with flexible deployment options, customized pricing, and comprehensive log management features, LogRhythm is well-positioned to collaborate with organizations and deploy the specific requirements of the OMB 21-31 memorandum at each tier level.
LogRhythm simplifies the tedious, expensive, and complex process of implementing any cybersecurity-related regulation. It acts as a central aggregator for logs and inspects encrypted data for abnormalities. It also uses artificial intelligence and machine learning to detect anomalies and combat advanced threats. As a result, organizations can leverage the multi-faceted benefits of associating with LogRhythm to comply with the OMB 21-31 memorandum and thoroughly secure their assets and cyber ecosystem.