Connecting Government Agencies to Zero Trust – MeriTalk

Collecting and analyzing event log data is essential to implementing zero trust in government agencies. But that may be easier said than done. Logging involves huge amounts of data that can be in a variety of formats, presenting agencies with multiple logistical challenges.

MeriTalk spoke with Frank Dimina, Senior Vice President Americas and Public Sector at Splunk, about the value of log data and how agencies can facilitate collection and analysis.

MeriTalk: The Biden Administration’s Executive Order on Improving National Cybersecurity (EO) and Office of Management and Budget memo M-21-31 call for agencies to collect and retain log data and to ensure centralized access and visibility for Security Operations Center (SOC) personnel. Prior to these guidelines, how did agencies typically log events, and what has changed so far?

Frank Dimina: The EO is a good start, and M-21-31 is wonderful. I can’t be a bigger fan. It will improve cyber capabilities across the federal domain. This will create a lot of efficiencies, improve cyber data fidelity, and help agencies react faster to cyber events. The gradual implementation of M-21-31 is very well thought out. Prior to M-21-31, many agencies did event logging, but it was not required. Now it’s mandatory, and it’s mandated to ensure that all relevant security data is leveraged.

Previously, some cyber programs brought great incremental improvements, such as EINSTEIN and EINSTEIN 3 Accelerated of the National Cybersecurity Protection System, which centralized connections to the federal network to understand Internet access traffic. The Continuous Diagnostics and Mitigation (CDM) program has been excellent at reporting risks across federal perimeters. They were evolving programs. But they did not provide operational capabilities such as rapid response to network events. The missing piece was the logs. Keeping logs, accessing data, and seeing data quickly and at scale are important steps toward true security visibility, which is the foundation of any zero-trust approach.

MeriTalk: What role does logging play in helping an agency implement zero trust?

Dimina: Zero trust starts with a complete understanding of your environment, which is constantly changing, complex, distributed and geographically dispersed. Logging is central to this understanding, but it’s a harder challenge than most people realize. The variety and volume continue to grow exponentially. Success with zero trust requires aggregating logs, understanding network traffic, and knowing who is on the network as close to real time as possible. Then you can extract the data, analyze it, and visualize it for anyone from a SOC analyst all the way up to the chief information officer.

Agencies can also use log data to trigger automations. Once I can confidently observe events, I can trigger predefined playbooks, restrict access control, or quarantine something suspicious. Automating repetitive and routine tasks can reduce staffing requirements and allow employees to work on higher-order tasks.

MeriTalk: Agencies are required to collect, analyze, and share massive amounts of log data. What barriers prevent agencies from improving their logging capacity?

Dimina: We see three main hurdles that agencies face. Funding is challenge #1. Delivering on the mandate is a big undertaking, and it requires the right level of leadership support. Because this is a cyber modernization effort, some agencies have considered applying for the Technology Modernization Fund.

Another challenge is siloed data sets. Today’s data is primarily used for reporting. Bringing datasets together – across agencies – would allow the government to use the data operationally. I testified in Congress about this years ago. Today we have a static photograph of what is happening in an environment; if we connect our data sources, we create a live video stream.

Agencies also grapple with technical challenges associated with collecting petabytes of log data in various formats from endpoints, servers and mobile devices. This is why Splunk exists; meeting these challenges is our core business. We’ve been the market leader for 20 years in helping customers make log data accessible, usable and valuable at scale.

MeriTalk: Splunk created the Government Logging Modernization Program (GLMP) following the release of M-21-31. How does this program help accelerate the M-21-31 journey for your clients?

Dimina: Upon release of M-21-31, our team quickly analyzed the mandate and put together a targeted set of offerings to meet the requirements in a cost-effective manner. These are not new technologies or new services, but we have bundled them together so that government partners can accelerate their ability to comply with the mandate in weeks instead of months.

GLMP is unique because it is designed to address the technical challenges of logging. This has allowed us to engage with our government clients in a more prescriptive way and improve our partnerships. It’s also FedRAMP certified, which we’re pretty proud of.

MeriTalk: How can public-private partnerships help agencies improve logging and meet cybersecurity EO requirements? How have public-private partnerships evolved in recent years?

Dimina: Private sector providers have decades of experience, tons of subject matter expertise, a track record of great partnerships – and most importantly, a deep understanding of the mission. We spend on R&D to be able to innovate faster; we can move with a little more agility and we can evolve. We bring these strengths to the table to help agencies improve their cybersecurity posture and fulfill their mandates. In fact, I have never seen private sector vendors work together as much as we do to support our partners like the Department of Homeland Security. For example, Splunk and Recorded Future are working together to bring more threat intelligence value to government.

Even small activities can have a lot of value. Splunk has a security research team called SURGe that helps our customers respond to security directives and events. When the Cybersecurity and Infrastructure Security Agency (CISA) issues an emergency directive, our SURGe team immediately gets to work. By reviewing the directive and leveraging our partnership and membership in the CISA-led Joint Cyber Defense Collaborative (JCDC), SURGe creates rapid response blogs for topical security events. While the tips created by SURGe are focused on helping our customers, they are written to help the wider community in the early hours of a global incident. Even if you’re not a customer, you should get some value from their efforts. In fact, SURGe was recently named by CISA’s Cyber Safety Review Board (CSRB) as one of the first private sector companies to respond to the 2021 Log4Shell event. People can find out when SURGe has released new content by registering online at Additionally, SURGe is focusing on a research project to be published at Splunk’s GovSummit this year with prescriptive guidance on some of the most confusing sections of the OMB memo. A perfect example of how public/private partnerships secure the whole world through collaboration.

MeriTalk: What role does JCDC play in helping agencies?

Dimina: The JCDC creates a coordinated national approach to the risks we face and addresses difficult issues. What are the most serious risks? How can we get a more holistic view and situational awareness of the federal cyber domain? How do we bring vendors together to design multi-vendor solutions? How do we protect critical infrastructure?

The JCDC brings together the best minds among government partners. Being part of JCDC has been an honor for Splunk; we are one of a small group of industry partners who have been invited to join, and we have a dedicated team to support it. Our goal is to provide expertise to establish a unified national cyber defense plan and support the agencies responsible for it.

MeriTalk: What’s next once agencies have mastered event logging? How can they take this ability to the next level?

Dimina: When you gain visibility and implement zero trust programs, the larger conversation is about business and operational resilience. It’s not just cyber. It’s about IT, applications, users, and ensuring that critical functions can continue to operate. Zero trust encourages organizations to take a holistic approach to responding to variables, whether it’s malicious actors, natural disasters or a fire in a data center.

This is where you see cybersecurity merging with development, observability, and DevSecOps. As a company, Splunk invests heavily in this area to help our customers improve their business and operational resilience.

MeriTalk: Where do you think government logging will be in a year or two?

Dimina: I am very confident that the mandate will be fulfilled in a few years – at least to cover high value assets. And many smaller agencies will leverage lessons learned from larger agencies to move forward. Ultimately, government cyber personnel will be able to make faster, safer, data-informed decisions.

I think there is an opportunity to amplify the return on this investment by gathering data through cyber programs such as event logging, CDM and EINSTEIN. If you could bring all data sources together so that cyber operators could easily consult different tools, quickly and at scale, you could make generational leaps in responses to federal cyber events. This would require policy changes, technical tools, the right data platforms and interagency agreements. But it would be a huge leap forward in agency capabilities.

Ashley C. Reynolds