Executive Orders, Regulations, and Guidelines: OMB M-21–31, National Security Agency (NSA), OWASP Top 10 CI/CD Security Risks, SANS, Chronicle-Google
In today’s complex cybersecurity landscape, executive orders, regulations, and guidelines are more than mere bureaucratic requirements; they are essential frameworks that shape how organizations protect sensitive information. Among the many facets of these regulations, log retention and the use of hot logs stand out as critical components in the detection, investigation, and response to cybersecurity incidents. Implementing these directives is not only a matter of compliance but also a strategic necessity for safeguarding organizational assets.
OMB M-21–31: A Framework for Federal Cybersecurity Resilience
The “Memorandum for the Heads of Executive Departments and Agencies,” known as OMB M-21–31, published by the Office of Management and Budget, is pivotal in enhancing the cybersecurity posture of the federal government. This directive underscores the importance of improving investigative and remediation capabilities related to cybersecurity incidents, with a central focus on robust log retention policies.
OMB M-21–31 mandates that federal agencies retain specific types of logs for extended periods, particularly those pertinent to detecting and responding to cybersecurity threats. The memorandum emphasizes that logs — including network activity, system logs, and application logs — must be retained in a manner that allows for rapid access and analysis. This strategy supports forensic investigations by enabling security teams to trace the origins of an incident and understand its full scope. Notably, OMB M-21–31 requires 12 months of active storage (hot logs) and 18 months of cold data storage, ensuring both immediate and long-term accessibility of crucial logs.
Best Practices for Event Logging and Threat Detection: Insights from the NSA
The National Security Agency (NSA) provides comprehensive guidance on event logging and threat detection, reinforcing the principles laid out in OMB M-21–31. The NSA’s document, “Best Practices for Event Logging and Threat Detection,” emphasizes not only the retention of logs but also the importance of ensuring that they are readily accessible — referred to as “hot logs.”
Hot logs are crucial for real-time threat detection and incident response. The NSA advises organizations to prioritize storing logs most relevant to active monitoring and threat detection, ensuring these logs can be quickly retrieved and analyzed. This approach enhances the ability to detect anomalies, identify potential breaches, and respond swiftly to mitigate damage. The NSA also highlights that it can take up to 18 months to discover a cybersecurity incident, with some malware dwelling on networks for 70 to 200 days before causing overt harm. Therefore, organizations should prioritize log retention periods that comply with regulatory requirements and cybersecurity frameworks applicable to their jurisdiction, particularly logs critical for confirming intrusions and assessing their impact.
OWASP Top 10 CI/CD Security Risks: The Risk of Insufficient Logging and Visibility
The Open Web Application Security Project (OWASP) identifies “Insufficient Logging and Visibility” as a significant risk in the Continuous Integration/Continuous Deployment (CI/CD) pipeline. Inadequate logging practices can leave organizations blind to malicious activities within their software development lifecycle, making it challenging to detect and respond to breaches promptly.
OWASP’s guidance aligns with the broader regulatory emphasis on log retention and hot logs, stressing that insufficient logging can delay the identification of security incidents and hinder effective remediation efforts. Organizations are encouraged to implement comprehensive logging mechanisms that provide visibility into all stages of the CI/CD pipeline, ensuring that critical logs are retained and accessible for ongoing security monitoring. This proactive approach is vital for maintaining the integrity and security of the development process.
Event Logging Guidance from the Treasury Board of Canada Secretariat
The Treasury Board of Canada Secretariat provides additional insights into event logging, particularly within the context of public sector organizations. Their guidance reinforces the importance of maintaining detailed logs as part of a broader cybersecurity strategy, emphasizing that these logs are essential for both routine monitoring and in-depth investigations.
The Treasury Board’s guidelines recommend that organizations retain logs for extended periods, ranging from 90 days to 2 years, consistent with legal and regulatory requirements. They also emphasize the need for secure storage to prevent tampering, which is crucial for ensuring the integrity of logs during investigations. This approach not only supports compliance but also enhances an organization’s ability to respond effectively to incidents, thereby strengthening its overall security posture.
SANS and Gartner: Evaluating NextGen SIEM Solutions
When considering the implementation of NextGen Security Information and Event Management (SIEM) solutions, guidance from SANS and Gartner is invaluable. The SANS “Evaluator’s Guide to NextGen SIEM” and Gartner’s insights on SIEM features highlight the need for solutions capable of handling large volumes of logs and providing real-time analysis capabilities.
NextGen SIEM systems are designed to address the challenges posed by modern cybersecurity threats, particularly through the effective use of hot logs. These systems enable organizations to aggregate and analyze logs from multiple sources in real time, offering actionable insights that can be used to detect and respond to threats quickly. Gartner emphasizes that a capable SIEM solution should support long-term log retention, ensuring organizations can comply with regulatory requirements while maintaining the ability to conduct detailed forensic investigations.
Chronicle-Google: The Value of Long-Term Log Retention
The discussion around log retention is further enriched by insights from Chronicle-Google. Their analysis, “Retaining Logs For A Year: Boring or Useful?”, argues that long-term log retention is far from a mundane requirement; it is a critical aspect of effective cybersecurity.
Logs retained over extended periods provide historical context that is invaluable during an investigation. This long-term perspective allows security teams to identify patterns and correlations that might not be immediately apparent, leading to a deeper understanding of the threat landscape and more informed decision-making. Chronicle-Google’s perspective underscores the strategic value of long-term log retention in enhancing an organization’s ability to detect, investigate, and respond to cybersecurity threats effectively.
Conclusion: The Strategic Imperative of Log Retention and Hot Logs
The evolving regulatory landscape in cybersecurity places a clear emphasis on the importance of log retention and the use of hot logs. Whether guided by OMB directives, NSA best practices, or insights from OWASP, the Treasury Board of Canada, SANS, Gartner, and Chronicle-Google, the message is clear: effective log management is a cornerstone of modern cybersecurity.
Organizations must ensure compliance with these guidelines while leveraging them to enhance their overall security posture. By prioritizing log retention and ensuring that critical logs are accessible for real-time analysis, organizations can significantly improve their ability to detect, respond to, and recover from cybersecurity incidents, thereby protecting their most valuable assets from evolving threats.
References
5. https://chroniclesec.medium.com/retaining-logs-for-a-year-boring-or-useful-9b04c1e55fba
6. https://www.sans.org/media/vendor/evaluator-039-s-guide-nextgen-siem-38720.pdf
7. https://owasp.org/www-project-top-ten/
8. https://owasp.org/API-Security/editions/2019/en/0x11-t10/
9. https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring
10. https://csrc.nist.gov/pubs/sp/800/53/a/r5/final (AU-11, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800–53A)
11. https://ccb.belgium.be/en/document/cyber-security-incident-management-guide — The importance of logging and keeping those logs for a certain period of time (up to 6 months)
12. https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
13. https://www.gartner.com/en/articles/searching-for-a-siem-solution-here-are-7-things-it-likely-needs
14. http://vadodarasmartcity.in/vscdl/assets/tenders/17.09.2020/2021_499-1.pdf
