The Office of Management and Budget issued Memorandum 21-31 (OMB M-21-31) in August 2021 for the heads of executive departments and agencies of the federal government. The purpose of OMB M-21-31 is to support the logging, log retention, and log management requirements of Executive Order 14028 (Improving the Nation’s Cybersecurity), with a focus on ensuring centralized access and visibility for the highest-level enterprise security operation center (SOC) of each agency.
This document outlines how LiveAction helps federal agencies support the maturity model outlined in OMB 21-31 (see Figure 1), which guides the implementation and requirements across four Event Logging tiers and mandates adherence timelines. These tiers will help federal agencies prioritize their efforts and resources so they can achieve full compliance with requirements for implementation, log categories, and centralized access.
How LiveAction Helps with the OMB 21-31 Maturity Model
LiveAction offers solutions for network performance monitoring (LiveNX), packet capture and forensic analysis (LiveWire), and network detection and response (ThreatEye). In short, LiveAction delivers real-time network intelligence to monitor, troubleshoot, and help secure enterprise networks and applications no matter where they are, including on-premises, hybrid, SD-WAN, and cloud operations.
For the OMB 21-31 Event Logging Tiers, LiveAction helps federal agencies address the logging requirements for three important sections of Executive Order 14028 as related to these event logging tiers, as detailed in Figure 2.
LiveAction and the OMB 21-31 Maturity Model Event Logging Tiers
LiveAction and the OMB 21-31 Maturity Model Event Logging Tiers
The ESG report investigated the number of use cases security teams are applying an NDR platform. The findings showcased several items and at the top of the list are response capabilities. According to ESG research, more than 55 percent of respondents seek to improve their organization’s response capabilities. Relatedly, 47 percent use an NDR platform to accelerate their incident response processes.
The research also showcased that the evolution of traditional network traffic analytics (NTA) toward NDR is focused on streamlining workflows and facilitating integrations to ensure that once a threat is detected, it can be addressed quickly and effectively.
More than half of respondents use an NDR platform to monitor cloud environments, further validating the previous point about the need for consistency across internal and external environments.
Along similar lines, 41 percent use an NDR platform to monitor assets on which agents cannot be deployed. This could point to cloud environments as well as IoT devices, both of which can benefit from agentless deployment models.
LiveAction Capabilities that Assist with Meeting EL1 Basic, EL2 Intermediate, and EL3 Advanced Requirements
- Packet Capture & Storage Packet capture data, in general, must be stored for a minimum of 72 hours and, depending on the category, up to 18 months to meet EL1 Basic Certification. LiveAction can provide solutions cost-effectively supporting very high sustained levels of network traffic, delivering up to 100Gbps of lossless full packet capture with the industry’s most powerful and dense footprint. Customers requiring weeks to months of full PCAP duration are easily designed with our extremely dense storage platform purpose-built for Cyber Security Operations Center (SOC) teams. The solution interoperates with the security stack via a RESTful API and currently supports many solutions, including but not limited to SIEM (Splunk, Elastic, etc.).
- Tool Unification LiveAction supports, analyzes, and reports on diverse data types and offers a centralized platform (LiveNX) that requires fewer steps in meeting a centralized data access requirement. With LiveAction, users simply create a custom report and export a log file. In addition, LiveNX delivers a unified device management service (DMS) with a dashboard that shows packet-level visibility into network devices enabled through LiveWire.
- Playback Ability LiveNX offers a DVR-like playback ability to easily review network security incidents and disruptions by date and time for forensic analysis. And LiveWire extends playback capabilities to deep packet inspection for packet-level visibility into security incidents.
- Encrypted Traffic Analysis A requirement of EL1 certification is visibility into DNS traffic, encrypted or otherwise. EL2 requires inspection of encrypted data. The most resource-efficient, accurate way to inspect network traffic is through Encrypted Traffic Analysis (ETA), which allows users to see into traffic without requiring decryption. ThreatEye uses Deep Packet Dynamics (DPD), a highly effective, non-invasive method that allows admins to profile traffic characteristics and anomalies for risk.
- User Behavior Monitoring To receive EL1 certification, agencies must complete the planning state of User Behavior Monitoring. LiveAction offers behavior-based malware detection based on Machine Learning (ML) to improve accuracy and prediction capabilities over time. To receive EL3, User Behavior Monitoring needs to be implemented.
For more information on how LiveAction supports federal agencies for OMB M-21-31, please contact our Federal Sales Team via email [email protected] or call 425-239-8186.