Examining the EO Mandate on Logging
Posted by: Craig Bowser
Over the past two weeks, our blog series has been analyzing Biden’s EO on Improving the Nation’s Cybersecurity and providing insights and recommendations that agencies can use to prepare for the regulations as they are put in place.
Today we will focus on Section 8 which talks about improving and increasing logging requirements. This section actually contains the first deadline in the EO, that within 14 days (that is by 26 May) the “Secretary of Homeland Security, in consultation with the Attorney General and the Administrator of the Office of Electronic Government within OMB, shall provide to the Director of OMB recommendations on requirements for logging events and retaining other relevant data within an agency’s systems and networks.”
That deadline passed one week ago, and the only public announcement was the DHS security directive to pipeline operators for mandatory incident reporting and the appointment of a cybersecurity representative. It is unknown whether the recommendations referred to above were delivered internally between government organizations. But the EO does describe what those recommendations should contain, and we can break them down as follows:
- The types of logs required to be enabled, collected, and retained.
- The length of time required logs must be retained.
- The mechanism required to protect the logs.
Each of these recommendations will be fleshed out at some point in the next few months so agencies will have more specific directions for implementation. But in the meantime, here are some things that can be done now to prepare.
- Prepare for mandatory logging across all devices and applications: Agencies already follow criteria such as NIST 800-53, which call for a large variety of logs to be collected. What is not yet known about the new policies is whether they will make a subset of those logs mandatory (similar to ICS 500-27) or take a broader approach that describes the activities to be audited but leaves the specifics up to each agency (similar to the Framework for Improving Critical Infrastructure Cybersecurity). Agencies should start documenting now exactly what types of activity they currently log, so that when the recommendations are released they can immediately see if and where they fall short.
This effort should not only look at Windows operating systems, but also consider Linux servers, databases, cloud services, and remote access connections. Also, do your custom applications log user activity? I have seen servers with full auditing enabled, but the custom application running on top of the server does not log any user activity. Enterprises are blinded because nothing about the user's interaction is recorded beyond the fact that an IP address made a connection.
Once you have a solid understanding of what logs are currently enabled, determine the options for increasing your audit capabilities. Note the level of effort for each option, so once the requirements are released, you have a head start on your planning and implementation efforts.
- Prepare for longer log retention: Log retention is the struggle between what you would like to keep and the reality of the limits of space and cost. And moving to the cloud wasn’t the cheap panacea originally envisioned. But now there will be a requirement to keep some amount of logs for a significant amount of time. To know the challenges you will face in meeting this requirement, you need to know what your retention is now. Review the age of the oldest data in your SIEM and/or log storage. Pay particular attention to how long each type of log is kept; voluminous logs (e.g., firewall logs) are often kept for shorter periods of time. Verify what is in your storage, whether that is your SIEM, your S3 bucket or your NAS. Then determine what your options are for increasing your capacity. What will it take to store logs for six months? One year?
Keep in mind two things: 1) older logs do not have to be kept online or searchable, and 2) you may be collecting more than what the EO will require. Therefore, you may be able to archive only a subset of what you initially ingest.
This preparation will require you to make your best estimate on how much space you will need, now and going forward. Remember, your environment will only become more complex, resulting in more logs that meet the mandatory requirement that you will have to store. Plan now for that continued growth.
- Prepare to protect your logs: Many organizations assume that by centrally collecting the logs, they have simultaneously protected them. Unfortunately, this is simply not true. Many SIEMs store the logs in plain text. Thus, if a malicious user is able to access the index, they may be able to access and alter what is stored. (Protecting the logs in transit from source to destination is also critical, but not the topic discussed here). The EO says “Logs shall be protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes throughout their retention.” This is where the government, in my mind, needs to provide some clarification as to what exactly that entails.
This also could be the most challenging requirement to implement. Not many SIEMs or log storage applications have this capability. Therefore, check with your SIEM or log storage vendor to determine if encryption of data at rest is offered or if it is even on their roadmap. Additionally, please note that full disk encryption (FDE) may not satisfy this requirement for logs under ACTIVE collection. FDE protects data only while the disk is not in use (unmounted or powered off). While logs are actively being collected, the indexes are constantly being written to and read from, so the data is readable in the clear by anything with access to the running system. FDE may suffice for archived logs, however.
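The quoted EO language is about integrity (hash the logs once collected, then re-verify against those hashes throughout retention), which is a different control from encryption at rest. The following is an added example, not code from the original post or any SIEM vendor, showing one way to do that for archived log segments: hash each segment, chain the hashes so deletion or reordering is detectable, and authenticate the chain head with an HMAC under a key that is assumed to live outside the log store (a KMS or HSM). The segment names, log lines and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample log segments (one file per hour) standing in for what an
# agency archives; content and host names are invented for this example.
SEGMENTS = {
    "auth-2021-05-12T00.log": b"May 12 00:01:02 host1 sshd[101]: Accepted publickey for svc from 10.0.0.5\n",
    "auth-2021-05-12T01.log": b"May 12 01:14:09 host1 sshd[188]: Failed password for root from 10.0.0.9\n",
    "auth-2021-05-12T02.log": b"May 12 02:30:44 host1 sudo: svc : COMMAND=/usr/bin/systemctl restart app\n",
}
# Assumption: the manifest key lives outside the log store (KMS/HSM), so an
# attacker who can rewrite both logs and manifest still cannot forge a valid head.
KEY = b"constructed-demo-key-not-for-production"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(segments: dict, key: bytes) -> dict:
    """Hash every segment at collection time and chain the hashes in order, so
    deleting or reordering a segment breaks the chain, not just editing one."""
    prev = "0" * 64
    entries = []
    for name in sorted(segments):
        digest = sha256_hex(segments[name])
        prev = sha256_hex((prev + digest).encode())
        entries.append({"segment": name, "sha256": digest, "chain": prev})
    head_hmac = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return {"entries": entries, "head_hmac": head_hmac}

def verify_manifest(segments: dict, manifest: dict, key: bytes) -> list:
    """Periodic re-verification during retention; returns findings (empty when intact)."""
    problems = []
    prev = "0" * 64
    for entry in manifest["entries"]:
        data = segments.get(entry["segment"])
        if data is None:
            problems.append(f"missing segment {entry['segment']}")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"content changed in {entry['segment']}")
        # Recompute the chain from the recorded digests to catch an edited manifest entry.
        prev = sha256_hex((prev + entry["sha256"]).encode())
        if prev != entry["chain"]:
            problems.append(f"manifest chain inconsistent at {entry['segment']}")
    expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["head_hmac"]):
        problems.append("head HMAC mismatch: manifest was rewritten without the key")
    return problems
```

Run `verify_manifest` on a schedule (and after any storage migration) and alert on a non-empty result; an altered segment, a deleted segment, and a manifest rebuilt by someone without the key each produce a distinct finding.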
The baseline established in these three areas (what is being logged, how long those logs are kept, and how those logs are protected) will enable your agency to improve its cybersecurity posture while building a roadmap toward compliance with this EO.
For more details on the impact of the Executive Order and how GuidePoint can help, please check out our other blogs from the last two weeks, which examined supply chain risk management, cloud security, zero trust architecture, endpoint detection and response (EDR), encryption and MFA. We will continue to monitor developments coming out of this EO and provide further consultation to customers.
Craig Bowser
Federal Practice Director, Data Analytics,
GuidePoint Security
Craig Bowser is a dedicated information security professional with over 20 years of experience in the field. He began his career in the Air Force as a communications officer where he received his first taste of defending networks and has been hooked ever since. After separating, he has worked as an Information Security Manager, Security Engineer, Security Analyst and Information System Security Officer with various government agencies and currently is a practice director for a commercial and government contractor.
He has spoken at various security conferences such as Black Hat, BSidesDC, BSidesCharm, DerbyCon and multiple SANS events such as the SOC and the SIEM Summits. He holds multiple certifications from SANS (GSEC, GCED, GCDA) as well as the CISSP from ISC2.