Expanding Event Logging for Enhanced Federal Security

The Biden-Harris administration is working with Microsoft to enhance event logging across federal agencies, improving cybersecurity measures and providing auditable insights into potential vulnerabilities.

Enhancing Event Logging for Stronger Federal Security


(Credit: Cyberscoop)

The Biden-Harris administration is taking proactive measures to enhance event logging across federal agencies, prioritizing the security of our nation's digital infrastructure. By collaborating with Microsoft, they aim to improve cybersecurity measures and provide auditable insights into potential vulnerabilities.

Event logs play a crucial role in increasing an agency's visibility before, during, and after a cybersecurity incident. While they may not prevent attacks, event logs offer valuable insights into a threat actor's intentions, enabling better future defenses. By collecting a wider range of log data and storing it for longer periods, agencies can gain auditable insights into how user identities, applications, and devices interact with their cloud-based services, as well as uncover potential vulnerabilities that adversaries might exploit.

Collaboration for Enhanced Logging Capabilities

Microsoft has joined forces with the Cybersecurity and Infrastructure Security Agency (CISA), the Office of Management and Budget (OMB), the Office of the National Cyber Director (ONCD), and the Executive Office of the President (EOP) to increase default access to Microsoft's enhanced logging capabilities across the federal government. This collaboration brings together top resources from all participating members, aiming to provide unparalleled visibility to all US government agencies at no additional cost. The target completion date for this project is June 2024.

The importance of expanded event logging was emphasized in the Biden-Harris administration's Memorandum on Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31). This memorandum outlined logging maturity levels based on the types of data collected and set retention requirements for active and long-term data storage.

Benefits of Microsoft's Enhanced Logging Capabilities

Microsoft's enhanced logging capabilities offer significant benefits in two key areas. First, default log retention has been extended from 90 days to 180 days for all Audit (Standard) customers. This longer retention period gives agencies a longer historical view of their logs, aiding in the detection and analysis of potential threats. Second, Microsoft is adding 30 additional audit logs to the Audit (Standard) license, providing deep insights into user behavior and event monitoring across various Microsoft 365 workloads. These logs support efficient detection of attacks, from low-level cybercrime to advanced nation-state threat actors. They make it possible to identify email access, distinguish legitimate from malicious access, detect phishing attempts, and uncover search terms used by threat actors.

Agencies that utilize these logs meet the Tier-3 (EL3) User Behavior Monitoring criteria outlined in M-21-31 for their Microsoft 365 environments. These logs are provided at no additional cost to Audit (Standard) license holders, with most enabled by default in line with Microsoft's commitment to secure-by-default principles. However, it is essential for agencies to operationalize the data provided by these logs to fully capitalize on their potential.

Operationalizing the Enhanced Logging Capabilities

The Joint Working Group for Enhanced Logging (JWG-EL), consisting of Microsoft, CISA, and other federal agencies, is now focused on operationalizing the new logging capabilities. Microsoft is working on a joint playbook in collaboration with CISA to guide agencies on implementing and understanding the additional logging capabilities provided under Audit (Standard). This playbook will incorporate lessons learned from early adopter agencies and help agencies effectively hunt for and identify advanced cyber threat actors targeting the country. The playbook is expected to be completed in Q1 2024.

Continued Collaboration for a More Secure Future

Microsoft's collaboration with CISA to expand the types of security log data provided to cloud customers highlights Microsoft's commitment to enhancing built-in security and creating safer digital experiences. As the partnership continues, Microsoft looks forward to working with CISA and the broader federal government to advance security measures and ensure a more secure digital future for all.
