What Does the M-21-31 Requirement Mean for Federal Agencies?

Originally published by Axonius.

Written by Tom Kennedy.

The cybersecurity memorandum M-21-31, from the Office of Management and Budget, provides guidance on how to stop this type of leapfrogging before it can begin. M-21-31 focuses on visibility and incident response, and establishes a four-tier maturity model to help government agencies prioritize efforts and measure progress.

The road to M-21-31 maturity

There are two big pushes in the memorandum. The first is logging. Most organizations log network activity as a matter of course, but not many are able to put those logs to best use. They use them to trigger alerts and identify threat trends, but they could be doing so much more.

Earlier this year, Rob Joyce, director of the NSA’s Cybersecurity Directorate, tweeted advice to “invest in logs and monitoring [now] to minimize the impact if a compromise occurs.”

Complete logs can expose malware activity and make it easy to rapidly pinpoint the source of an attack or the location of a persistent attack. With this information, the attack can be halted, and the incident response team can immediately begin remediation.

Managing logs well requires great observability. Observability is the ability to ingest, search, and correlate log data, such as metrics, events, and traces.

To achieve observability, an agency first needs visibility. Visibility is the ability to see everything on the network, including shadow IT, unknown devices, and cloud services that connect and disconnect as needed.

Identifying the unknown

Most organizations rely on security information and event management (SIEM), which coordinates the alerts from logs, sensors, and other events but doesn’t ensure complete visibility. In fact, most SIEMs have limited visibility due to integrations that haven’t been fully configured and lack the capability to correlate enough data to show you missing logs that haven’t been ingested. There is unknown data on the network.

And when there is unknown data on the network, network management becomes a hope-for-the-best situation, and broken audit trails become the norm. The agency is out of compliance, threat intelligence is incomplete, and – more urgently – the ability to rapidly respond to alerts on high-priority systems is thwarted.

A log management system works best with a strong correlation engine that can show what’s present on the network and what’s missing. Things like unlogged locations, missing assets, misconfigured sensors, and spotty tool functionalities need to be detected, and the results need to be rolled into a consolidated view in order to be actionable.