Executive Order 14028, Improving the Nation’s Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. Section 8 of the Executive Order, also known as M-21-31, is a clear directive for Federal agencies to advance logging capabilities, including log retention and management, “with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency.”
The importance of this directive cannot be overstated. Section 8 provides clear, actionable guidance on specific processes, procedures, and techniques that every Federal agency should be both willing and able to implement. Given the criticality of the data and systems in use at our nation’s governmental agencies, a focus on log management and SOC improvement is long overdue.
M-21-31 states that agencies are now mandated to address the availability and accuracy of their logs, including:
- Identifying all deployed log management technology (e.g., Splunk)
- Visibility into gaps in log coverage (e.g., missing sensors, malfunctioning sensors, API misconfigurations that prevent accurate reporting)
- Assurance that (known) log management tools are deployed correctly and are free from misconfigurations, overly permissive administrative access, and system vulnerabilities
Further, agencies must acquire and maintain comprehensive and ongoing knowledge of all assets (devices, users, networks) to properly manage them and ensure an audit trail of their security state as a means to “accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies.”
At present, most logging and log management at agencies is likely executed through a security information and event management (SIEM) platform, which coordinates much of the logging process. However, a SIEM’s visibility is limited to the integrations that have been configured and the logs that are actually ingested; quite simply, it doesn’t know what it doesn’t know.
What agencies (and any organization that wants to improve and enhance its network visibility and control) need is the ability to find both known and unknown network data, missing or broken configurations, and a higher level of correlation that offers actionability against high priority systems and alerts.
How Can Axonius Help
The Axonius Cybersecurity Asset Management (CAM) Platform allows agencies to meet or exceed logging requirements defined in M-21-31. Axonius:
- Assures agencies have full accounting of ALL enterprise assets including log sensors.
- Assures continuous verification that all logging tools and sensors are deployed, deployed correctly, and are functioning properly.
- Provides historical auditing of the daily state of all logs, associated sensors, and users’ interactions with the tools. Reporting is available on a 24/7/365 basis and can be achieved in-platform, via log management tooling, or via an export (e.g., downloadable CSV).
- Provides notification capability for when an asset or a sensor falls out of operational or security policy (e.g., gap of installation, loss of connection, failure of functionality).
- Provides an operational platform for initiating and facilitating incident response actions.
Axonius is uniquely positioned to provide agencies with:
- A complete asset inventory: Ensures that agencies have a complete understanding of their IT/security ecosystem (on-prem, cloud, virtual), with visibility into every tool deployed and every user accessing systems.
- Data consolidation and analysis: Axonius aggregates, correlates, normalizes, and deduplicates data from every IT/security tool deployed in agencies’ ecosystems, including those from log management tools. The data are provided in a consolidated dashboard so that administrators have a centralized view of their environment, leading to greater accuracy, collaboration, reporting, and ongoing cybersecurity management.
- Accurate security gap assessments: Identifies when tools, systems, and users (including those related to log management) are misconfigured or do not conform to policies. This gives agencies the ability to quickly detect and investigate potential security problems before they turn into incidents.
- Remediation capabilities: Allows agencies to remediate cyber threats through in-platform enforcement actions and actions pushed to other systems, such as alerting, tagging, ticket creation, and patch management.
Why Axonius for M-21-31
Axonius enhances log management capabilities, tying together every asset in agencies’ environments and providing a view into what’s there AND what’s missing — a fundamental capability that will help agencies comply with M-21-31. Unlike a standalone technology or technology with limited integration:
- Axonius can identify every location an agency is NOT logging.
- Axonius will find all agency assets missing log coverage.
- Axonius reveals inconsistencies of tool coverage and tool functionality.
Axonius provides the assurance that log coverage is complete and actionable. The platform provides log data correlation and centralized visibility into assets and their operational state.
But Axonius goes beyond the basics. Uniquely, Axonius detects and reports on security gaps: where logs are missing or incomplete, and where sensors are misconfigured or malfunctioning.
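As an added illustration (not Axonius code), here is the core of the “what’s there AND what’s missing” check described above: cross-reference an asset inventory against the hosts a SIEM has actually received logs from, flagging inventoried assets with no log source, sensors that have gone silent, and log sources the inventory does not know about. The hostnames, domain, timestamps and staleness threshold are constructed assumptions.

```python
"""Log-coverage gap check: asset inventory vs. SIEM log sources.
Added illustration; all records below are constructed sample data."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 3, 1, 12, 0, tzinfo=timezone.utc)   # fixed "now" so results are reproducible
STALE_AFTER = timedelta(hours=24)                         # a sensor silent longer than this is flagged

# Constructed asset inventory, as a CMDB/EDR export might look (naming is inconsistent on purpose).
ASSETS = [
    {"hostname": "WEB01.agency.gov", "owner": "infra"},
    {"hostname": "web02", "owner": "infra"},
    {"hostname": "db01.agency.gov", "owner": "data"},
    {"hostname": "LAPTOP-77", "owner": "hr"},
    {"hostname": "web01", "owner": "infra"},  # same machine as WEB01 under another naming style
]

# Constructed SIEM log-source table: which hosts have sent logs, and when each was last heard from.
LOG_SOURCES = [
    {"host": "web01.agency.gov", "last_event": NOW - timedelta(minutes=5)},
    {"host": "web02.agency.gov", "last_event": NOW - timedelta(days=3)},      # sensor present but silent
    {"host": "jumpbox.agency.gov", "last_event": NOW - timedelta(minutes=1)},  # logging, but not inventoried
]

def normalize(name: str, domain: str = "agency.gov") -> str:
    """Lower-case and strip the domain suffix so 'WEB01.agency.gov' and 'web01' match."""
    name = name.strip().lower()
    suffix = "." + domain
    return name[:-len(suffix)] if name.endswith(suffix) else name

def coverage_report(assets, log_sources, now=NOW, stale_after=STALE_AFTER):
    """Return assets with no log source, sources gone stale, sources the
    inventory does not know about, and the resulting coverage percentage."""
    inventory = {normalize(a["hostname"]) for a in assets}          # deduplicates WEB01 / web01
    last_seen = {normalize(s["host"]): s["last_event"] for s in log_sources}
    logged = set(last_seen)
    return {
        "not_logging": sorted(inventory - logged),
        "stale": sorted(h for h, t in last_seen.items() if now - t > stale_after),
        "unknown_sources": sorted(logged - inventory),
        "covered_pct": round(100 * len(inventory & logged) / len(inventory), 1),
    }

if __name__ == "__main__":
    for key, value in coverage_report(ASSETS, LOG_SOURCES).items():
        print(f"{key}: {value}")
```

In a real deployment the two inputs would come from the inventory platform’s and the SIEM’s APIs rather than inline lists; the normalization step is what makes the cross-reference trustworthy.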
In short, Axonius tells our customers what other tools can’t find and provides a consolidated view of the entire asset environment for the highest level of security preparedness and defense.
Though regulatory compliance should be just the starting point for any comprehensive cybersecurity program, M-21-31 shows that the U.S. government’s understanding of cybersecurity is improving and is driving real advancement. Even if agencies meet only the minimum requirements of M-21-31, they will see demonstrable improvement. However, using a tool like Axonius to move beyond the basics will not only result in greater cybersecurity capability, but will allow agencies to speed up triage using fewer resources and, as a result, steadily decrease risk over time.