EDR and cyber logging: Preparing for the next big cybersecurity guidance


Insufficient logging hampers an organization’s ability to detect intrusions, mitigate those in progress and determine the extent of an incident.

It’s been more than three years since President Biden released Executive Order 14028, Improving the Nation’s Cybersecurity. Since then, federal agencies have been working toward a common goal of meeting this order and modernizing security defenses by protecting federal networks, improving information-sharing on cyber issues and strengthening the ability to respond to incidents.

The order initially focused on modernization for secure cloud services and a zero-trust architecture — this was not a shock to the industry. The use of multifactor authentication and encryption, an essential practice for all government agencies, was nothing out of the ordinary. However, there are areas within the order where the government needs to evolve cyber-incident detection, logging and remediation.

A key aspect of the executive order includes the improvement of investigative and remediation capabilities. Insufficient logging hampers an organization’s ability to detect intrusions, mitigate those in progress and determine the extent of an incident. Agencies must shore up logging and endpoint detection and response capabilities to further advance cybersecurity efforts and strategies.

A true understanding of cybersecurity incidents enables teams to better face threat actors, and log retention is beneficial to agencies that need to perform post-incident analysis and develop lessons learned. The government today also logs and retains incident-related information for more than two years — logging is easy, but analysis of the data is what bolsters cybersecurity detection and remediation efforts.

Depending on the security information and event management solution in use within a federal agency, the volume and storage increase can introduce architecture, resource and funding challenges. For example, the estimated cost to meet the enterprise logging requirements for a large agency with over 350,000 endpoints was nearly $200M. This estimate included additional hardware, software, licenses, storage and labor.

Current state of EDR in the federal arena

As noted in the Office of Management and Budget’s M-21-31 from August 2021, events like the SolarWinds incident underscore the importance of increased government visibility before, during and after a cybersecurity incident.

Information from logs on federal systems — both on-premises and those hosted by third parties, such as cloud services providers — is invaluable in the detection, investigation and remediation of cyber threats.

To better understand and learn from threat actors, federal leaders must ensure centralized access and visibility for the highest-level enterprise security operations center of each agency. This is in addition to increased sharing of critical information to accelerate incident response efforts and to enable more effective defense of federal information and of executive branch departments and agencies.

Many federal agencies fall short on enterprise logging and are still working to meet these needs. The government continues to focus on maintaining proper cybersecurity postures while meeting the speed of mission delivery — a challenging balancing act.

Automation highlights key incidents

EDR processes are working well at various federal agencies, with CISA providing support, concrete steps and relevant guidance. This includes approaches for different maturity levels: agencies at the lowest maturity should prioritize their logging capability, deployment, collection and storage decisions based on data sensitivity and system impact.

Automation can help with this process and ensure agencies are utilizing storage effectively to log and retain essential information from primary or notable incidents. Another benefit of automation is its effectiveness in catching suspicious user behaviors or threat actor patterns, which directly supports security.

Agencies can lean on automated triggers or data management platforms that alert the SOC when activity breaks a threshold or set of parameters, in turn flagging a priority incident that the SOC must examine.

This also assists with information sharing — as OMB notes, you must share details “as needed and appropriate.” If automation triggers are in place, agency teams will instantly know when to begin the process of information collection and sharing, with an overall goal of accelerating incident response efforts and enabling more effective defenses.

Implementing tools to compress and enrich log data can reduce agencies’ storage costs without jeopardizing the critical log data needed to support incident response and post-incident forensic investigations. Federal agencies are also leveraging current SOAR programs to integrate security tools and automate incident response processes, improving incident detection while reducing response times.

Getting ahead of the next big cybersecurity order

The OMB memo on investigative and remediation capabilities will remain a necessary and beneficial requirement for the government. Federal agencies must approach this requirement more effectively to remain in or achieve compliance and to improve the detection of critical cyber incidents.

A recent and common class of incident involves activity against software and supply chains, whether or not caused by threat actors. To get ahead of potential future requirements set forth by the government, agencies should find ways to address these contemporary issues. Advanced monitoring of secure code development and open-source software, and how we consume and operationalize software bills of materials, will be a major priority.

In March, CISA shared the repository for software attestation to enable software producers serving the federal government to attest to the implementation of specific security practices. Being able to analyze proprietary and open-source software remains a key priority for agencies. CISA will continue to strengthen security practices for software developers, and proper logging and EDR can help the government build on this mission.

As noted, many steps can be taken with technology tools already present in federal agencies, which will ease cost and resource constraints. Also, an automated approach with specific guardrails helps agencies define key incidents, giving them the ability to reduce the storage of logs from past cyber issues, especially those that have already been addressed. Enhancing EDR capabilities and utilizing automated monitoring will set government teams up for more effective security and appropriate compliance.