New Executive Order Forces Federal Agencies to Rethink Log Management

On May 12, 2021, U.S. President Joe Biden issued a widely publicized executive order to improve cybersecurity and protect federal government networks. The order comes in the wake of several recent prominent attacks against public- and private-sector infrastructure including the Colonial Pipeline ransomware attack that disrupted fuel supplies and triggered gasoline shortages in the Southeast.

The executive order is intended to increase information sharing, improve cybersecurity readiness and response and reduce software supply chain vulnerabilities. It directs government agencies to adopt stronger security measures and practices such as introducing zero-trust architectures, implementing multifactor authentication solutions, and encrypting data at rest and in transit. The order also instructs agencies to improve investigative and remediation capabilities by introducing more robust and consistent logging practices. More specifically, section 8 of the executive order states:

"Information from network and system logs on Federal Information Systems (for both on-premises systems and connections hosted by third parties, such as CSPs) is invaluable for both investigation and remediation purposes. It is essential that agencies and their IT service providers collect and maintain such data and, when necessary, to address a cyber incident on FCEB Information Systems, provide them upon request to the Secretary of Homeland Security through the Director of CISA and to the FBI, consistent with applicable law."

Over the next several weeks the U.S. Department of Homeland Security (DHS) is likely to provide specific recommendations related to gathering, retaining and securing log data. Now is the time for federal government agencies (as well as private-sector companies) to take a fresh look at their log management systems and practices and start preparing for the future.

Disjointed Logging Solutions Expose Agencies to Malicious Attacks and Data Theft

Most agencies rely on a diverse collection of IT and networking systems from different manufacturers and service providers. Each product can generate its own set of vendor-specific log messages, and those messages are often stored on disparate servers scattered across the enterprise (and in the cloud). Together, this makes identifying, pinpointing and mitigating security threats a more manual and time-consuming proposition. In such circumstances, with no holistic view of the network, security administrators can be forced to investigate threats in an inefficient, piecemeal fashion. To make matters worse, older log data is frequently purged because of storage constraints.

Data gaps and blind spots make it difficult for security professionals to identify and respond to cybersecurity incidents in a timely fashion. Savvy attackers can penetrate systems, escalate privileges and traverse networks to steal confidential data or carry out malicious activities while avoiding detection. (One large supply-chain breach last year went undetected for an estimated nine months.)

Many agencies will need to update their log management systems and architectures to strengthen security and meet the emerging DHS data collection and retention guidelines. But gathering, maintaining and analyzing mountains of live log data can be a challenge. Many organizations simply don’t have the budget, resources or expertise to carry it off. Open-source log management solutions such as ELK (Elasticsearch, Logstash and Kibana) can be notoriously complicated and costly to maintain and scale. And most commercial log management solutions may result in financial challenges for budget-constrained government agencies.

Humio Improves Security Observability and Streamlines Investigations

Humio can help. Humio is a modern log management platform, designed from the ground up to log everything. We can help any organization achieve the benefits of large-scale logging and analysis, without breaking the bank. And we can help any government agency introduce robust and consistent logging practices to comply with last week’s executive order. With Humio you can ingest, aggregate and analyze massive volumes of streaming log data, from a wide array of on-premises and cloud-based sources, at scale. The solution supports a variety of cybersecurity use cases including alerting, forensics, incident response and remediation, impact assessment and threat hunting. Humio provides live observability with sub-second latency, index-free search for unmatched speed, and advanced data compression for superior economics. The solution also provides configurable, shared dashboards that make it easy for security teams to visualize data, carry out investigations and collaborate. Ideal for budget-constrained government agencies, Humio can offer the lowest total cost of ownership (TCO) of any major log management solution. You can self-host Humio on your own infrastructure to maintain complete control or deploy it as a SaaS solution for ultimate simplicity and time-to-value. And you can extend your investments by using Humio for additional use cases such as DevOps and ITOps.


Conclusion

The May 12 executive order will force many government agencies to re-evaluate their approach to log management. Humio can help you eliminate data gaps and blind spots, strengthen security, and reduce risk quickly and cost-effectively. Access a free toolkit on maximizing resilience through modern log management or contact us today to learn how.


Additional Resources

  • Access a free toolkit on maximizing resilience through modern log management in a global crisis.
  • Listen to our recent Hoot Podcast, where Security Engineer Miguel Adams explains how his federal agency uses Humio to identify and mitigate malicious activity.
  • Watch our on-demand Log Management 101 webcast to get up to speed on log management concepts and functionality.
  • Download our How-to Guide to learn how to use log management as the foundation for your security stack.