Logging Strategy is a Crucial Part of the Department of Defense’s Cybersecurity Strategy: Part 2 of the Key Cyber Strategies Series

by Kat Samiljan
June 14, 2023
in Cybersecurity, Defense & IC

With cyberattacks top of mind for most people, it’s no wonder that cybersecurity is a top priority for the Department of Defense (DoD). In the first article of this series, we took a close look at the Defense In-Depth approach to cybersecurity with the help of Rico Cody, Solutions Architect at Verizon. Using this approach, based on an ancient military strategy, the DoD strategically places specific cybersecurity defense tools throughout the network so that it has multiple opportunities to mitigate an attack. But Defense In-Depth is only one aspect of a strong cyber defense strategy. Another crucial aspect of a robust cybersecurity posture is effective logging, which enables security analysts to capture and investigate security incidents. Despite the inherent value of logging, there is widespread debate about what to log, how much to log, and how long to keep logs. Resolving these questions is the basis of an effective logging strategy, one that helps the DoD fulfill its requirements and strengthen its cybersecurity measures.

The importance of logging cannot be overstated. Section 8 of the May 2021 Executive Order on Improving the Nation’s Cybersecurity states: “Information from network and system logs on Federal Information Systems is invaluable [emphasis added] for both investigation and remediation purposes. It is essential [emphasis added] that agencies and their IT service providers collect and maintain such data” and be able to share the data when it is relevant to an investigation. Under the EO, the Director of the Office of Management and Budget (OMB) was tasked with establishing policies for agencies covering logging requirements, log retention requirements, and log management requirements, in consultation with the Secretary of Commerce and the Secretary of Homeland Security. These requirements were laid out in a memorandum released by the OMB three months after the EO, addressing everything from how long logs must be kept to the creation of advanced logging categories. The memorandum outlined a maturity model for agencies to follow in order to meet all of the new requirements and establish a logging strategy built on best practices.

One of the biggest challenges the DoD has experienced with logging has been the sheer volume of data that needs to be collected and analyzed, Cody explained. With an ever-increasing number of cyber threats and attacks, the DoD must monitor and analyze log data from many sources, including network devices, servers, and endpoints. Given the enormous amount of data generated every day, the DoD needs to determine which information is valuable enough to log and how long to keep it. Logging and storing too much information can be cost-prohibitive and unmanageable, and can actually hinder the DoD’s ability to identify and respond to potential threats. On the other hand, logging too little information could leave the DoD blind to critical events and unable to fully investigate security incidents. The DoD must therefore balance the cost of storing and managing logs against the value of the information they contain.

While the OMB memorandum provided some guidance, it still left critical actions and key decisions open to interpretation. For example, the memorandum lists various log categories and the length of time that each category of logs must be stored. Most logging categories have a 12-month active storage and 18-month cold data storage retention period, but as the memorandum clearly states, these retention periods are only minimum requirements, and “agencies may retain data for longer periods if appropriate.” Each agency within the DoD must develop a logging strategy that aligns with its specific needs and requirements. This strategy must also consider the type of data being collected, as sensitive or classified data may require additional security measures and longer retention periods. If it can navigate this broad guidance, the DoD will enhance its cybersecurity posture and better protect against attacks that would otherwise compromise national security.

One approach that shows promise in creating an effective logging strategy is akin to the Defense In-Depth (DiD) approach, which conceptually operates like a cone with cyber defensive tools positioned in a layered approach to mitigate threats as they move through the network. Similar to DiD, this approach, which we can refer to as Logging In-Depth, involves classifying data sets so that the DoD logs only the essential information as traffic passes through different stages, making logging more targeted and, therefore, more effective. Additionally, DoD agencies can choose to keep logs for varying durations based on their significance. The specific rules for what to log and how long to keep logs are strategically layered throughout the traffic flow of the system. For instance, maybe only five percent of the data from layer two is logged, and it’s only kept for the minimum retention period. “By using this layered approach, the DoD can reduce the volume of logs while increasing the efficiency of the logging process,” Cody emphasized.

One important consideration for agencies implementing a Logging In-Depth approach is determining the appropriate log retention period for each layer. The OMB memorandum provides basic guidelines on retention periods, but the DoD may need to tailor these guidelines to its specific needs and risk profiles. Agencies should also weigh factors such as compliance requirements, incident response needs, and storage capacity when deciding on retention periods. A well-planned log retention strategy helps agencies quickly identify and respond to security incidents while avoiding the risk of storing unnecessary data. It is crucial to find the right balance between retaining enough log data for effective incident response and minimizing storage costs and data management complexity, including the risk that a large log repository becomes an attractive target in its own right.
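As an added illustration of the Logging In-Depth idea described above (example code, not the article’s, Verizon’s or the DoD’s): a small policy model in which each traffic layer gets its own sampling rate and retention tier, every configuration is checked against the 12-month active / 18-month cold minimum the OMB memorandum sets, and high-significance events bypass sampling so that the five-percent example for layer two cannot silently drop an event an investigation later needs. The layer numbers, rates, significance tiers and the 30-day month approximation are assumptions.

```python
# Added example, not the DoD's or Verizon's code: layers, rates and tiers are
# assumptions; the 12/18-month floor is the OMB minimum the article cites.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

ACTIVE_MIN_MONTHS, COLD_MIN_MONTHS = 12, 18   # OMB minimum retention
SAMPLE_BUCKETS = 10_000                       # sampling resolution (0.01%)

@dataclass(frozen=True)
class LayerPolicy:
    layer: int
    sample_rate: float    # fraction of routine (low-significance) events kept
    active_months: int    # searchable "hot" retention
    cold_months: int      # archival retention after the active period

def validate(policies):
    """Return a list of violations; empty means every layer meets the floor."""
    problems = []
    for p in policies.values():
        if p.active_months < ACTIVE_MIN_MONTHS or p.cold_months < COLD_MIN_MONTHS:
            problems.append(f"layer {p.layer}: retention below OMB minimum")
        if not 0.0 < p.sample_rate <= 1.0:
            problems.append(f"layer {p.layer}: sample_rate must be in (0, 1]")
    return problems

def should_log(policy, event_id, significance):
    """High-significance events always pass. Routine events are sampled by
    hashing the event id, so every collector makes the same keep/drop call."""
    if significance == "high":
        return True
    digest = hashlib.sha256(event_id.encode()).digest()
    bucket = int.from_bytes(digest[:8], "big") % SAMPLE_BUCKETS
    return bucket < int(policy.sample_rate * SAMPLE_BUCKETS)

def retention_window(policy, logged_on):
    """(active_until, purge_after) as ISO dates for an event logged on an ISO
    date. A month is approximated as 30 days here (assumption)."""
    start = datetime.fromisoformat(logged_on)
    active_until = start + timedelta(days=30 * policy.active_months)
    purge_after = active_until + timedelta(days=30 * policy.cold_months)
    return active_until.date().isoformat(), purge_after.date().isoformat()

# Constructed policies: layer 2 keeps 5% of routine events for the minimum
# period, mirroring the article's example; layer 1 keeps everything.
POLICIES = {
    1: LayerPolicy(layer=1, sample_rate=1.0, active_months=12, cold_months=18),
    2: LayerPolicy(layer=2, sample_rate=0.05, active_months=12, cold_months=18),
    3: LayerPolicy(layer=3, sample_rate=0.25, active_months=24, cold_months=36),
}
```

Running `validate(POLICIES)` at deployment time is the check that matters: a layer tuned for cost can never drop below the memorandum’s floor without being flagged.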

Effective logging is a crucial part of a robust cybersecurity posture for the DoD, as it enables security analysts to investigate security incidents and build knowledge about not only attacks that have happened, but those that are on the horizon. While logging and log analysis should not be overlooked or ignored by security analysts, there are inherent challenges to creating a truly viable logging strategy, as shown by the vague guidance in the OMB directive and the cybersecurity EO. With these limitations in mind, in part three we explore some mechanisms to assess the ROI of various Defense-in-Depth strategies to optimize budget use and investment opportunities.
