OMB memorandum M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents (August 2021), provides guidance on how to stop this type of leapfrogging before it can begin. M-21-31 focuses on logging, visibility, and incident response, and establishes a four-tier event-logging maturity model (EL0 Not Effective through EL3 Advanced) to help agencies prioritize efforts and measure progress.
The road to M-21-31 maturity
There are two big pushes in the memorandum. The first is logging. Most organizations log network and host activity as a matter of course, but few put those logs to full use. They use them to trigger alerts and identify threat trends, but the same data could support far more, from reconstructing an intrusion end to end to confirming which systems were never touched.
Earlier this year, Rob Joyce, director of the NSA’s Cybersecurity Directorate, tweeted advice to “invest in logs and monitoring [now] to minimize the impact if a compromise occurs.”
Complete logs expose malicious activity and make it possible to rapidly pinpoint where an attack entered and where the attacker has established persistence. With that information the attack can be contained and the incident response team can begin remediation immediately.
Managing logs well requires observability: the ability to ingest, search, and correlate telemetry such as logs, metrics, events, and traces.
To achieve observability, an agency first needs visibility: the ability to see everything on the network, including shadow IT, unknown devices, and cloud services and workloads that connect and disconnect as needed.
Identifying the unknown
Most organizations rely on security information and event management (SIEM), which correlates logs, sensor output, and other events into alerts but does not by itself ensure complete visibility. A SIEM can only correlate what has been ingested: integrations that were never fully configured leave gaps, and few SIEMs can tell you which assets should be sending logs but are not. The result is unknown data on the network.
When there is unknown data on the network, network management becomes a hope-for-the-best exercise and broken audit trails become the norm. The agency falls out of compliance, threat intelligence is incomplete, and, more urgently, the ability to respond rapidly to alerts on high-priority systems is undermined.
A log management system works best with a strong correlation engine that can show both what is present on the network and what is missing. Unlogged locations, assets absent from the inventory, misconfigured sensors, and tools that only partly cover the environment all need to be detected, and the results rolled into one consolidated view so they are actionable.
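The correlation described above can be illustrated with a small log-coverage check. The example below is an added illustration and is not Axonius code or part of the original page; the asset inventory, the SIEM log-source table, the hostnames, and the helper name coverage_report are all constructed for the example. It takes an inventory merged from several sources (EDR, CMDB, cloud API) and the SIEM's per-host, per-log-type last-seen timestamps, and reports four kinds of gaps: log types an asset should be sending but never has, sensors that have gone quiet, hosts that appear in the SIEM but in no inventory source (unknown devices), and assets seen by only one inventory source (a likely missing control, such as no EDR agent).

```python
"""Log-coverage gap detection: correlate an asset inventory with SIEM
log-source telemetry to show what is present and what is missing.

All data below is constructed for illustration; hostnames, sources and
log types are hypothetical.
"""
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is deterministic when run offline.
NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed inventory as a correlation engine would assemble it from
# several sources. "sources" records which tools know about the host;
# "expected_logs" records the log types the host should be shipping.
INVENTORY = {
    "web-01":  {"sources": {"edr", "cmdb", "vuln"}, "expected_logs": {"syslog", "edr"}},
    "db-02":   {"sources": {"cmdb"},                "expected_logs": {"syslog", "edr", "auditd"}},
    "lap-117": {"sources": {"edr"},                 "expected_logs": {"edr"}},
    "vm-ci-9": {"sources": {"cloud", "cmdb"},       "expected_logs": {"syslog"}},
}

# Constructed SIEM log-source table: (host, log type, time of last event).
SIEM_LAST_SEEN = [
    ("web-01",   "syslog", NOW - timedelta(minutes=5)),
    ("web-01",   "edr",    NOW - timedelta(minutes=2)),
    ("db-02",    "syslog", NOW - timedelta(days=3)),      # sensor went quiet
    ("lap-117",  "edr",    NOW - timedelta(hours=1)),
    ("vm-ci-9",  "syslog", NOW - timedelta(minutes=10)),
    ("pi-lab-4", "syslog", NOW - timedelta(minutes=30)),  # host nobody inventoried
]


def coverage_report(inventory, siem_last_seen, now,
                    stale_after=timedelta(hours=24), min_sources=2):
    """Return a consolidated view of logging and inventory gaps.

    missing:       {host: [log types with no events ever ingested]}
    stale:         {host: {log type: age of last event}} for quiet sensors
    unknown_hosts: hosts sending logs that no inventory source knows about
    thin_coverage: {host: [sources]} for hosts seen by fewer than min_sources
    """
    # Keep only the most recent event per (host, log type).
    last_seen = {}
    for host, log_type, ts in siem_last_seen:
        key = (host, log_type)
        if key not in last_seen or ts > last_seen[key]:
            last_seen[key] = ts

    report = {"missing": {}, "stale": {}, "unknown_hosts": set(), "thin_coverage": {}}

    for host, rec in inventory.items():
        for log_type in sorted(rec["expected_logs"]):
            ts = last_seen.get((host, log_type))
            if ts is None:
                report["missing"].setdefault(host, []).append(log_type)
            elif now - ts > stale_after:
                report["stale"].setdefault(host, {})[log_type] = now - ts
        if len(rec["sources"]) < min_sources:
            report["thin_coverage"][host] = sorted(rec["sources"])

    # Anything the SIEM has heard from that is absent from every inventory
    # source is an unknown device (shadow IT, forgotten lab gear, etc.).
    siem_hosts = {host for host, _, _ in siem_last_seen}
    report["unknown_hosts"] = siem_hosts - set(inventory)
    return report


def format_report(report):
    """Render the report as the one-screen summary an analyst would act on."""
    lines = []
    for host, types in sorted(report["missing"].items()):
        lines.append(f"MISSING   {host}: never received {', '.join(types)}")
    for host, ages in sorted(report["stale"].items()):
        for log_type, age in sorted(ages.items()):
            lines.append(f"STALE     {host}: {log_type} last seen {age} ago")
    for host in sorted(report["unknown_hosts"]):
        lines.append(f"UNKNOWN   {host}: logging but not in any inventory source")
    for host, sources in sorted(report["thin_coverage"].items()):
        lines.append(f"THIN      {host}: only seen by {', '.join(sources)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(coverage_report(INVENTORY, SIEM_LAST_SEEN, NOW)))
```

The stale threshold is the parameter to tune per log type in practice: a 24-hour window catches a dead syslog forwarder on a server, but a laptop that is simply powered off for a weekend will show up as stale too, so EDR heartbeats from mobile endpoints usually warrant a longer window than server syslog.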
The Axonius approach: Innovation you can see, efficiency you can quantify
Axonius gives federal agencies a comprehensive inventory of everything in the environment, including missing controls and misconfigurations. If a log sensor is malfunctioning or an API integration is misconfigured, the agency will know.
Manual processes cannot keep up with today's complex, dynamic IT environments. Axonius addresses that problem by automating asset discovery. Rather than deploying yet another agent, it gathers metadata through the APIs of the tools already in place, so there is no impact on network performance.
Want a closer look at the state of the network? Pull a report any time through a simple dashboard or export a file in the format of your choice.
Whether your network is on-prem, cloud, virtual, or hybrid, you can gain a complete and current inventory of every asset, tool, service, and user in your environment. Continuous verification, accurate security gap assessments, and powerful remediation capabilities put you in control of your network, no matter how complex it has become.