Memorandum M-21-31 from the Office of Management and Budget, issued in August 2021, provides guidance on how to stop this type of leapfrogging before it can begin. M-21-31 focuses on event logging, visibility, and incident response, and establishes a four-tier event-logging maturity model (EL0 through EL3) to help government agencies prioritize efforts and measure progress.
There are two big pushes in the memorandum. The first is logging. Most organizations log network activity as a matter of course, but not many are able to put those logs to best use. They use them to trigger alerts and identify threat trends, but they could be doing so much more.
Earlier this year, Rob Joyce, director of the NSA’s Cybersecurity Directorate, tweeted advice to “invest in logs and monitoring [now] to minimize the impact if a compromise occurs.”
Complete logs can expose malware activity and make it easy to rapidly pinpoint the source of an attack or the location of a persistent attack. With this information, the attack can be halted, and the incident response team can immediately begin remediation.
Managing logs well requires strong observability. Observability is the ability to ingest, search, and correlate telemetry such as logs, metrics, events, and traces.
To achieve observability, an agency first needs visibility. Visibility is the ability to see everything on the network, including shadow IT, unknown devices, and cloud services that connect and disconnect as needed.
Most organizations rely on security information and event management (SIEM), which coordinates alerts from logs, sensors, and other event sources but does not by itself ensure complete visibility. In practice, most SIEMs have limited visibility: integrations are never fully configured, and the SIEM cannot correlate enough data to show which logs it should be receiving but is not. The result is unknown data on the network.
And when there is unknown data on the network, network management becomes a hope-for-the-best situation, and broken audit trails become the norm. The agency is out of compliance, threat intelligence is incomplete, and – more urgently – the ability to rapidly respond to alerts on high-priority systems is thwarted.
A log management system works best with a strong correlation engine that can show what’s present on the network and what’s missing. Things like unlogged locations, missing assets, misconfigured sensors, and spotty tool functionalities need to be detected, and the results need to be rolled into a consolidated view in order to be actionable.
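The kind of correlation the paragraph above describes can be expressed as a small check: join the asset inventory against the SIEM's last-seen view of each host, then report assets that have never logged, assets whose logs have gone stale, hosts that are logging but are absent from the inventory (the "unknown data" case), and assets missing an expected control. This is an added example, not Axonius code or any product's logic; the inventory, the last-event records, the hostnames, the 24-hour staleness threshold and the "EDR required" rule are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed asset inventory, as a correlation engine would assemble it from
# several sources (CMDB, EDR, cloud API). Hostnames and addresses are made up.
INVENTORY = [
    {"host": "web-01",    "ip": "10.0.1.10", "sources": ["cmdb", "edr"]},
    {"host": "db-01",     "ip": "10.0.1.20", "sources": ["cmdb", "edr"]},
    {"host": "jump-01",   "ip": "10.0.9.5",  "sources": ["cmdb"]},   # no EDR has ever seen it
    {"host": "i-0abc123", "ip": "10.1.0.7",  "sources": ["cloud"]},  # cloud-only asset
]

# Constructed SIEM view: the most recent event each log source has for a host.
LAST_EVENT = [
    {"host": "web-01",    "source": "syslog",     "ts": "2021-09-01T11:58:00Z"},
    {"host": "db-01",     "source": "syslog",     "ts": "2021-08-25T03:10:00Z"},  # went quiet a week ago
    {"host": "i-0abc123", "source": "cloudtrail", "ts": "2021-09-01T11:59:00Z"},
    {"host": "lab-box-7", "source": "syslog",     "ts": "2021-09-01T11:50:00Z"},  # not in inventory
]

# Assumed evaluation time and staleness window (hypothetical values).
NOW = datetime(2021, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(hours=24)


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form used in LAST_EVENT."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_logging_gaps(inventory, last_event, now, stale_after):
    """Correlate the inventory against the SIEM's last-seen records.

    Returns a dict with three sorted lists:
      never_logged  - inventoried assets the SIEM has no events for
      stale         - inventoried assets whose newest event is older than stale_after
      unknown_hosts - hosts that emit logs but are missing from the inventory
    """
    known = {a["host"] for a in inventory}
    newest = {}
    for ev in last_event:
        ts = parse_ts(ev["ts"])
        if ev["host"] not in newest or ts > newest[ev["host"]]:
            newest[ev["host"]] = ts
    never_logged = sorted(h for h in known if h not in newest)
    stale = sorted(h for h, ts in newest.items() if h in known and now - ts > stale_after)
    unknown_hosts = sorted(h for h in newest if h not in known)
    return {"never_logged": never_logged, "stale": stale, "unknown_hosts": unknown_hosts}


def missing_controls(inventory, required=("edr",)):
    """Inventoried assets that no required control (here: EDR) has reported on."""
    return sorted(a["host"] for a in inventory
                  if not all(r in a["sources"] for r in required))


def run_report():
    """Consolidated view over the constructed data, ready to be actioned."""
    gaps = find_logging_gaps(INVENTORY, LAST_EVENT, NOW, STALE_AFTER)
    gaps["missing_controls"] = missing_controls(INVENTORY)
    return gaps


if __name__ == "__main__":
    for finding, hosts in run_report().items():
        print(f"{finding:17s} {', '.join(hosts) or '-'}")
```

Each finding maps onto a category the text names: "never_logged" is an unlogged location, "stale" usually means a broken or misconfigured sensor or forwarder, "unknown_hosts" is the unknown data on the network that breaks audit trails, and "missing_controls" is a tool that is not deployed where the inventory says it should be. The staleness window is the knob to tune per log source; a host that forwards authentication events every few seconds should be flagged far sooner than one that only emits daily backup logs.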
Axonius gives federal agencies a comprehensive inventory of everything in the environment, including missing controls and misconfigurations. If an agency has a malfunctioning log sensor or a misconfigured API, they will know.
Manual processes cannot keep up with today’s complex, dynamic IT environments. Axonius eliminates that problem by automating asset discovery. There’s no impact on network performance because Axonius leverages APIs to fetch metadata instead of traditional agents that eat up network resources.
Want a closer look at the state of the network? Pull a report any time through a simple dashboard or export a file in the format of your choice.
Whether your network is on-prem, cloud, virtual, or hybrid, you can gain a complete and current inventory of every asset, tool, service, and user in your environment. Continuous verification, accurate security gap assessments, and powerful remediation capabilities put you in control of your network, no matter how complex it has become.
“Culture is the foundation for any high-performing team. We all process information differently, we listen differently. We come from different backgrounds and experiences. No matter who you are, I want to know that. I want to understand what makes you you and treat you the way you want to be treated, not how I project myself onto you.”
— Jen Easterly, director, Cybersecurity and Infrastructure Security Agency (CISA)
“[Create an environment] where people can understand when they can take time off and not feel like everything is going to fall apart. [Where] they have a plan for their career and how they’re going to grow. [Where] they have time to be with their friends and family enough not to be burned out.”
— Deidre Diamond, founder and CEO of CyberSN and Security Diversity
“Actively invite engagement, listen with purpose, and look for signs of burnout. You can’t expect everyone to feel equally comfortable expressing an opinion, and so it’s important to solicit feedback at times as opposed to always passively expecting it. When you are getting engagement, listen with purpose. Make an effort to not only hear what’s being said, but understand and empathize. Lastly, look for signs of burnout. … If you’re noticing signs of burnout on the team, look for ways to intervene, like ensuring adequate team resourcing/load balancing to create a healthy work/life balance for everyone, and that team members are able to take PTO.”
— Daniel Trauner, senior director of security, Axonius
“We need an environment where failure is not only tolerated, but an understood aspect of innovation. Our attackers are failing forward every single day, [and] we deserve the ability to do the same if we are going to protect our people, data, and organizations.”
— Chris Cochran, co-founder at Hacker Valley Media and creative director at Axonius
41 Madison Avenue, 37th Floor
New York, NY 10010