Are You Ready for EL1?
Last year, the U.S. Government released mandatory data requirements for executive departments and federal agencies. The first major deadline hits August 27th.
Why Is This Happening?
The memorandum points to the SolarWinds hack as the primary motivator in reexamining government network vulnerabilities. The result is an intimidatingly long list of agency requirements to better secure and protect government assets from cyber-attacks.
What Do I Need to Do?
The memorandum has four sections, the most critical of which include Section 1, Logging Standards, and Section 2, Implementation Requirements. Because of the length of detail, we will refer directly back to the memorandum for reference.
Section One defines different event logging levels of maturity and the requirements for each level. These levels include “Not Effective,” or EL0 “Basic,” or EL1 “Intermediate,” or EL2, and “Advanced” EL3.
Section Two sets specific implementation requirements and deadline dates for each level.
NOTE All Federal Agencies must meet the minimum requirements for EL1 completion by August 27th.
Although only mandatory for federal agencies, state and local agencies are encouraged to participate in modeling after these cybersecurity and network visibility best practices.
What are Section One Requirements for EL1 Event Logging Maturity?
Basic Logging Categories and Requirements for Data Retention
Full packet capture data, in general, is required to be stored for a minimum of 72 hours unless the log category is considered a criticality Level 0. All Level 0 categories require more extended time frames and additional format types.
The majority of these log categories require data retention of 12 Months of Active Storage and 18 Months of Cold Data Storage in (at least) log format.
Examples of these log categories include:
- Network Device Infrastructure
- Operating Systems
- Cloud Environments
- System Configurations
- Authentication and Authorization
NOTE: To see the complete list of exceptional categories, please consult Appendix C of the executive order at whitehouse.gov.
What are Section Two Requirements For EL1 Certification?
To Meet EL1 Basic Requirements, Federal Agencies Must Adhere to the following centralized access and implementation requirements.
- Basic Logging Categories ( See Section 1)
- Minimum Logging Data
- See Table 2, Appendix A for the different logging data requirements
- Time Standard
- EL1 requires consistent timestamp formats across all event logs from all computing devices, routers, switches, and servers in a format that meets the requirements of ISO 8601 and RFC 3339: Date and Time on the Internet: Timestamps.
- Event Forwarding
- Admins must be able to obtain events from remote / source computers and store them on a central server in real time. Data must be encrypted in transit, and the original log must be able to be replayed.
- Protecting and Validating Log Information
- Passive DNS
- Agencies should make a list of frequently accessed hostnames automatically accessible to CISA
- Implement a Domain Name System (DNS) logging system that meets the logging requirements identified in Section 1, see Appendix C
- Cybersecurity Infrastructure Security Agency (CISA) and Federal Bureau of Investigations (FBI) Access Requirements
- Agencies shall provide logs and other relevant data to CISA and the F.B.I. upon request, consistent with applicable law, including 44 U.S.C. § 3553(l).
- See Table 2, Appendix A for the different requirements for monitoring log integrity
- Logging Orchestration, Automation, and Response – Planning Stage Only
- User Behavior Monitoring – Planning Stage Only
- Basic Centralized Access
NOTE: Please see Table 2 in Appendix at whitehouse.gov for additional details about each requirement.
Capabilities that Assist with Meeting EL1 Basic Certification
Packet Capture & Adequate Storage Space
Packet capture data, in general, must be stored for a minimum of 72 hours and, depending on the category, up to 18 months to meet EL1 Basic Certification. To achieve packet capture storage for extended periods, look at how NPM solutions store the data. LiveAction uses intelligent packet capture to maximize storage space for a more extensive historical callback.
Tool Unification
The most straightforward network visibility management solution for centralized data access is 1, not 8. Find a platform that supports, analyzes, and reports on diverse data types. A centralized platform means fewer steps in meeting a centralized data access requirement. It’s easy as creating a custom report and exporting a log file. This includes having a unified device management service (DMS) easily accessible with a dashboard that allows packet-level visibility into network devices.
Playback Ability
Use DVR-like playback ability to easily view network disruptions by date and time for required data in data-loss prevention audits. LiveNX users can rewind time and perform analysis and troubleshooting for real-time or historic video conference calls using the Medianet Performance Monitor Path Analysis feature.
Encrypted Threat Analysis
A requirement of EL1 certification is visibility into DNS traffic, encrypted or otherwise. EL2 requires inspection of encrypted data. The most resource-efficient, accurate way to inspect network traffic is through Encrypted Traffic Analysis (ETA). ETA can use advanced techniques to see into traffic without requiring decryption. LiveAction uses Deep Packet Dynamics (DPD), a highly effective, non-invasive method that allows admins to profile traffic characteristics and anomalies for risk.
User Behavior Monitoring
To receive EL1 certification, agencies must complete the planning state of User Behavior Monitoring. When considering behavior-based malware solutions look for solutions that pull in Machine Learning (ML) to improve their accuracy and prediction capabilities over time.
User-behavior monitoring abilities to consider:
- Uncover activity relating to a user browsing a phishing website or clicking on a malicious link in an email that prompts a network-based malware call-back.
- Use behavioral baselines to track expected network behavior, identify resources commonly accessed, ex: RDP, VPN, and S.S.H., and maintain an inventory of communications used to identify anomalies associated with threat actor initial access.
- Detect host behavior anomalies associated with scanning activity, tracking communications to destinations, services, and ports often associated with threat actor discovery.
- Incorporate change-point detection in its modeling approach to identify outlier anomalies from the normal active social network (clique expansion) and synchronization between new communicating parties, such as unexpected/unauthorized RDP, PowerShell Remoting, and unexpected encryption tunnels
Need to know more? Address all questions or inquiries regarding this memorandum to the O.M.B. Office of the Federal Chief Information Officer (OFCIO) via email: [email protected].
About LiveAction
LiveAction is a trusted network visibility and security solutions provider for government bodies and federal agencies. Initially founded in 2007 to aid the U.S. Department of Defense in operating its networks, LiveAction’s DNA meets and exceeds government network requirements. We’ve been innovating since to provide the broadest telemetry platform available on the market with cutting-edge security advancements. Questions for us? Speak with an expert today.