Biden Administration Executive Order Reinforces Log Standardization is Key to Security

In May 2021, the Biden Administration issued its much-anticipated Executive Order aimed at improving the cyber posture of the country. The fact sheet accompanying its release appropriately noted that “[r]ecent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.” Since the order’s release in May, we have not seen any decrease in the sophistication and frequency of incidents.

As we approach the end of summer, which coincides with roughly 90 days post-order release, many of the order’s requirements have already been implemented or are in the early stages of implementation. However, section 8 of the order has yet to be implemented. While this section is formally titled “Improving the Federal Government’s Investigative and Remediation Capabilities”, the main objective is to establish system log data standardization across the federal government.

After explicitly noting the importance of collecting and storing this data, the order goes on to give two key directions:

First, the Department of Homeland Security (DHS), working with the Department of Justice (DoJ), was to submit its initial recommendations regarding “requirements for logging events and retaining other relevant data within an agency’s systems and networks. Such recommendations shall include the types of logs to be maintained, the time periods to retain the logs and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs” to the Office of Managment and Budget (OMB) by the end of May.

Second, OMB is to “formulate policies for agencies to establish requirements for logging, log retention, and log management, which shall ensure centralized access and visibility for the highest level security operations center of each agency” within 90 days of receipt of the initial recommendations from DHS. Accordingly, we should have a better understanding of the federal government’s implementation of Section 8 near the end of August with the release of the formal OMB policy.

While OMB is drafting this policy,there are perhaps two key elements around data that should be considered:

Data handling specifications on:

• Immutability, that is enforced in transit, at rest, and when accessed;
• Data Taxonomy, that is organized based on the collection points, in transit and at rest;
• Data Access, driven by 800-53 auditing & least privilege principles, in transit and at rest.
• Chain of Custody, that is audited and provable, driven by case law precedence;

And, data governance specifications on:

• Where data is captured, driven by a risk assessed security architecture supporting the MITRE ATT&CK framework;
• What data elements are captured, drivendata categories supporting the MITRE ATT&CK framework;
• How data is captured, driven by data handling requirements.

By addressing specific frameworks such as the above, the forthcoming OMB policy should push the federal government forward in achieving the order’s goal of improving investigative and remediation capabilities. Implementing each of the order’s sections will require a sustained funding mechanism. Given the tremendous importance that has been placed on securing federal information systems, and the growing cyber threat, the administration must put forth a clear plan and funding mechanism that Congress should formally support.

Click here to learn more about Splunk and how we can help.