Collecting and analyzing event log data is essential to implementing zero trust in government agencies. But it can be easier said than done. Logging involves massive quantities of data that can be in a variety of formats, presenting agencies with multiple logistical challenges.
MeriTalk spoke with Frank Dimina, senior vice president of Americas and public sector at Splunk, about the value of log data and how agencies can facilitate collection and analysis.
MeriTalk: The Biden administration’s Executive Order on Improving the Nation’s Cybersecurity (EO) and the Office of Management and Budget memo M-21-31 call for agencies to collect and retain logging data to ensure centralized access and visibility for security operations center (SOC) staff. Before these directives, how were agencies typically doing event logging, and what has changed so far?
Frank Dimina: The EO is a great start, and M-21-31 is wonderful. I can’t be a bigger fan. It will enhance cyber capabilities across the Federal domain. It’s going to create a lot of efficiencies, improve the fidelity of cyber data, and help agencies to respond faster to cyber events. The phased implementation of M-21-31 is very well thought out. Before M-21-31, many agencies were pursuing event logging, but it wasn’t mandated. Now it’s mandated, and it’s mandated in a way to ensure all relevant security data is leveraged.
Previously, some cyber programs made great incremental improvements, such as the National Cybersecurity Protection System’s EINSTEIN and EINSTEIN 3 Accelerated, which centralized Federal network connections to understand internet access traffic. The Continuous Diagnostics and Mitigation (CDM) program was great at establishing risk reporting on Federal endpoints. Those were evolutionary programs. But they didn’t provide operational capabilities like responding quickly to events on the network. The missing piece was the logs. Log retention, access to data, and viewing data rapidly and at scale are great steps towards true security visibility, which is the foundation of any zero trust approach.
MeriTalk: What role does logging play in helping an agency implement zero trust?
Dimina: Zero trust starts with having complete understanding of your environment, which is ever-changing, complex, distributed, and geographically dispersed. Logging is a core piece of that understanding, but it’s a tougher challenge than most folks realize. The variety and volume continue to grow exponentially. Success with zero trust requires aggregating logs, understanding network traffic, and knowing who’s on the network – in as close as possible to real time. Then you can extract the data, analyze it, and visualize it for someone in a SOC all the way up to the chief information officer.
Agencies can also use log data to trigger automations. Once I can observe events with confidence, I can trigger pre-built playbooks, restrict access control, or quarantine something suspicious. Automation of repetitive and routine tasks can reduce staffing needs and let employees work on higher-order tasks.
MeriTalk: Agencies are required to collect, analyze, and share massive amounts of log data. What obstacles stand in the way of agencies improving their logging capabilities?
Dimina: We see 3 main obstacles that agencies are facing. Funding is the No. 1 challenge. Meeting the mandate is a big undertaking, and it needs the right level of appropriation support. Because this is a cyber modernization effort, some agencies have considered applying for the Technology Modernization Fund.
Another challenge is siloed data sets. Today’s data is primarily used for reporting. Bringing data sets together – across agencies – would allow the government to use the data in an OpSec capacity. I testified to Congress about this years ago. Today, we have a static photograph of what’s happening in an environment; if we connect our data sources, we’re creating a live video feed.
Agencies are also grappling with technical challenges associated with collecting petabytes of log data in different formats from endpoints, servers, and mobile devices. That’s why Splunk exists; dealing with these challenges is our core business. We’ve been the market leader for 20 years in helping customers make log data accessible, usable, and valuable at scale.
MeriTalk: Splunk created the Government Logging Modernization Program (GLMP) following the release of M-21-31. How does this program help to accelerate the M-21-31 journey for your customers?
Dimina: As soon as M-21-31 came out, our team quickly analyzed the mandate and put together a targeted bundle of offerings to meet the requirements in a cost-efficient way. These are not new technologies or services, but we packaged them so government partners can accelerate their ability to comply with the mandate in weeks instead of months.
GLMP is unique because it’s designed for the technical challenges with logging. It has given us a way to engage with our government customers in a more prescriptive way and improve our partnerships. It’s FedRAMP certified as well, which we’re quite proud of.
MeriTalk: How can public-private partnerships help agencies improve logging and meet the requirements of the cybersecurity EO? How have public-private partnerships changed over the last couple of years?
Dimina: Private-sector vendors have decades of experience, tons of subject matter expertise, track records of great partnerships – and most importantly, deep understanding of the mission. We’re spending on R&D, so we can innovate faster; we can move with a little more agility, and we can scale. We’re bringing these strengths to the table to help agencies improve their cybersecurity posture and meet their mandates. In fact, I’ve never seen private sector vendors collaborate as much as we have in support of our partners like the Department of Homeland Security. For example, Splunk and Recorded Future are working together to bring more threat intelligence value to the government.
Even small activities can have a lot of value. Splunk has a security research team called SURGe, which helps our customers respond to security directives and events. When the Cybersecurity and Internet Security Agency (CISA) issues an emergency directive, our SURGe team goes to work immediately. By reviewing the directive and leveraging our partnership and membership in the CISA-led Joint Cyber Defense Collaborative (JCDC), SURGe creates rapid response blogs for breaking news security events. Although the guidance created by SURGe is focused on helping our customers, it is written to help the whole community in those first hours of a global incident. Even if you are not a customer you should get some value out of their effort. In fact, SURGe was recently called out by CISA’s Cyber Safety Review Board (CSRB) as one of the first private sector companies to respond to the Log4Shell event of 2021. Folks can find out when SURGe released new content by signing up online at https://www.splunk.com/en_us/surge.html. Furthermore, SURGe is focusing on a research project to release at Splunk’s Govsummit this year with prescriptive guidance around some of the tricker sections
of the OMB memo. A perfect example of how private/public relationships help secure the whole world via collaboration.
MeriTalk: What role does JCDC play in helping agencies?
Dimina: JCDC is creating a coordinated whole-of-nation approach to the risks we’re facing, and it’s addressing challenging questions. What are the most serious risks? How can we have a more holistic view and situational awareness of the Federal cyber domain? How do we bring vendors together to devise multi-vendor solutions? How can we protect critical infrastructure?
The JCDC brings together the best minds among government partners. Being part of JCDC has been an honor for Splunk; we’re one of a small group of industry partners that were asked to join, and we have a team dedicated to supporting it. Our goal is to bring expertise to establishing a unified national cyber defense plan and supporting the agencies responsible for it.
MeriTalk: What’s next after agencies get a handle on event logging? How can they take this capability to the next level?
Dimina: When you get visibility and implement programs with zero trust, the broader conversation becomes about business and operational resilience. That’s not just cyber. That’s IT, applications, users, and ensuring that critical functions can continue working. Zero trust encourages organizations to take a holistic approach to respond to variables, whether that’s malicious actors, natural disasters, or fire at a data center.
That’s where you’re seeing cybersecurity merge with development, observability, and DevSecOps. As a company, Splunk is investing big in that area to help our customers improve their business and operational resilience.
MeriTalk: Where do you think government event logging will be in a year or two?
Dimina: I am very confident that the mandate will be met in a couple years – at least to cover high-value assets. And a lot of smaller agencies will leverage lessons learned from the larger agencies to make progress. Ultimately, government cyber staff will be able to make faster and more confident decisions informed by data.
I do think there’s an opportunity to amplify the return on this investment by bringing data together across cyber programs such as event logging, CDM, and EINSTEIN. If you could bring all the data sources together so cyber operators could easily look across different tools, rapidly and at scale, you could make generational leaps in responses to Federal cyber events. This would require policy changes, technical tools, the right data platforms, and interagency agreements. But it would be a huge leap in agencies’ capabilities.