December 9, 2021
If you read my last blog post, you’re already ahead of the game. You know that in May of 2021, the Biden Administration announced Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, which mandates that each federal agency adapt to today’s continuously changing threat environment. Well, folks, the saga continues.
On August 29, 2021, the Office of Management and Budget (OMB, if you’re nasty) released a memo in accordance with the EO. It establishes a maturity model for event log management, provides requirements for agency implementation, and details government-wide responsibilities for the initiative. I focus on the logging maturity model and agency implementation here (it’s the meat of the memo), but if you’re interested in the other pieces, I’d encourage you to read through the full memo here.
There are always a ton of ways to achieve the same goal. Let’s say I want to clean my apartment. I typically make my bed first, tackle the laundry, clean the kitchen, then the living room, and save the bathrooms for dead last (mostly because I hate cleaning bathtubs). Give my husband the same task, and he’d likely go about it in an entirely different way and in an entirely different order.
Timelines are an issue too. I’d clean the apartment in a few hours because I want to get it done as fast as possible. It might take my husband a few days, with the cleaning moving further down the to-do list as priorities shift. The same thing often happens with agencies during government-wide implementations like this one; different agencies could end up addressing cybersecurity and log management gaps at different speeds. The maturity model is meant to help agencies effectively prioritize what they need to do, while the implementation requirements lay out when it needs to be done.
The maturity model is made up of four Event Logging tiers, called EL0, EL1, EL2, and EL3.
To go back to our example, EL0 is the evaluation stage where you survey the damage, see how dirty your apartment is, and wonder who on Earth would possibly allow themselves to live in such filth. In the same vein, agencies need to evaluate their maturity against the model and identify implementation gaps within 60 calendar days of the memo.
EL1 lays out basic logging requirements for each agency. Are they set up for proper event forwarding, so admins can get logs from source or forwarding computers and store them on central servers? Are their timestamps consistent across all events?
Have they started planning for the implementation of security orchestration, automation, and response (SOAR) and user behavioral analytics (UBA) platforms? Are their logs centrally aggregated by an agency component-level Enterprise Log Manager for full visibility? Agencies get a calendar year to sort that out, and this is what the majority of agencies are working on today.
EL2 details requirements for inspecting encrypted data. The data needs to be effectively encrypted, and it’s got to be accessible and visible to the highest-level ops teams at the head of each agency.
Lastly, agencies have got to have methods in place to detect and monitor data stream disruptions, as well as a way to triage them. Agencies have 18 months from the memo release date for this piece.
The last logging tier, EL3, is where they’ll need to tie their container security and monitoring tools together with a SIEM, and finalize their SOAR and UBA implementations, two years after the memo’s release.
All four logging tiers significantly increase retention periods for logs and dictate acceptable formats for storage. Not only that, but the specified timeframes and formats are different depending on the type of log.
So to recap: M-21-31 puts forth a maturity model for logging. Agencies should evaluate their maturity against the model and identify implementation gaps within 60 days, get to Event Logging tier 1 maturity within a year, reach EL2 maturity within 18 months, and achieve EL3 maturity within two years of the memo’s release date (August 27, 2021).
Agencies also have to “provide, upon request and to the extent consistent with applicable law, relevant logs” to the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and “share log information, as needed and appropriate, with other federal agencies to address cybersecurity risks or incidents.”
Are you exhausted yet? It’s a lot to think about, and a huge undertaking for many of the agencies I’ve spoken with so far. If you don’t know the solutions available to you, it can be daunting. Wondering how your agency will comply with the EO and this memo? Cribl Stream can help.
Join us for an exclusive session on Wednesday, December 15, where we’ll walk through how Stream can help federal agencies:
The fastest way to get started with Cribl Stream is to sign up at Cribl.Cloud. You can process up to 1 TB of throughput per day at no cost. Sign up and start using Stream within a few minutes.