On Wednesday, May 12, 2021, President Biden signed an executive order aimed at strengthening U.S. cybersecurity. The order was prompted by a series of sweeping cyberattacks over the past year on public companies, on companies supplying the U.S. Federal Government, and on Federal Government networks. These include the 2020 SolarWinds attack and the most recent attack on the Colonial Pipeline by the hacker group DarkSide.
On the 28th of August, 2021, a memorandum supporting the Executive Order was issued, emphasizing the need for reliable log management.
Maturity Model Memorandum M-21-31
This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. In addition, this memorandum establishes requirements for agencies to increase the sharing of such information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies.
How Snare Can Help with Memorandum M-21-31
To meet existing and updated cybersecurity requirements laid out by the Executive Order and specifically Memorandum M-21-31, Snare provides the following:
- Centralized Access via Snare Central – Snare’s centralized logging solution, Snare Central, was designed and developed to provide the type of centralized access called out in Memorandum M-21-31. The latest version of Snare Central features:
  - Snare Management Center (SMC) – A centralized management view of multiple Snare Central systems, eliminating the need to visit each system on-site.
  - Enhanced automated alerting to improve threat hunting speed
  - New log types to expand coverage and enhance investigation capabilities
  - Cloud-based log management and reports to support cloud or hybrid environments
Zero Trust Initiative
There are several ways of using Snare to help detect activity. As part of the Zero Trust initiative, adequate detection is key to ensuring controls are functioning correctly. If there is nothing to analyze, there can be no validation that technical controls are working correctly, and no information for adequate remediation in the event of a problem or incident response. Section 3(e) states that within 90 days all agencies should implement a logging solution to:
- Collect logs from as many sources as possible – all servers, desktops, network devices, everything that can send a syslog. All devices should have some form of logging or monitoring in place.
- Use FIM, FAM, RIM and RAM to track and monitor all key files and system configuration. Know who changed files, when they changed, and what tools were used.
- Use Database Activity Monitoring (DAM) to track key activity on SQL databases. Know if admin accounts are being abused and validate that key data has not been tampered with.
- Have evidence showing whether the attack vector was email, USB, a web link download, or a software update; all of these are important to knowing how the attackers got in.
The Snare software suite provides an easy-to-use solution that is fast to deploy using our lightweight agents and the Snare Central Server centralized logging platform. Most sites are up and running in as little as an hour, and immediately capable of collecting and reporting on activity. With around 400 out-of-the-box, customizable reports, dynamic query for advanced searching and drill-down on data, active dashboards, key statistics on system logs, real-time alerting and threshold reporting, Snare Central provides a comprehensive logging, detection, and analysis tool for any cyber team.
Customers are not penalized with additional charges for collecting more data. Customers can collect as much data as they like and keep it for as long as they need, since they manage the storage needs of the system for the business. Data is often needed for several years for long-term incidents where the bad actors have been in a network for an extended time, keeping a low profile to avoid detection.
As per section 7(c) and (d), the Snare CLM suite helps to facilitate and complement EDR solutions with enhanced logging and detection, providing the forensics needed for threat hunting.
As per section 8(b), Snare Central uses cryptographic hashing functions to validate that the logs collected have not been tampered with, along with other forensic metadata in events.
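As an added illustration of how hashing makes collected logs tamper-evident (example code written for this page, not Snare Central's own implementation, whose internal record format is not described here): each record's digest covers the previous digest plus the event, so changing, removing or reordering any earlier record breaks every later digest. The sample events are constructed.

```python
import hashlib
import json

# Constructed sample events (not real Snare output): three Windows-style log records.
SAMPLE_EVENTS = [
    {"ts": "2021-09-01T10:00:00Z", "host": "ws01", "event_id": 4624, "user": "alice"},
    {"ts": "2021-09-01T10:00:05Z", "host": "ws01", "event_id": 4672, "user": "alice"},
    {"ts": "2021-09-01T10:01:00Z", "host": "srv02", "event_id": 4720, "user": "svc-backup"},
]

# Fixed starting value for the chain (hypothetical convention for this example).
GENESIS = "0" * 64


def canonical(event):
    # Deterministic serialization so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def chain_digest(prev_digest, event):
    # Digest of this record = SHA-256(previous digest || canonical event).
    return hashlib.sha256(prev_digest.encode() + canonical(event)).hexdigest()


def build_chain(events):
    """Return records of {event, digest}; each digest depends on all earlier records."""
    records, prev = [], GENESIS
    for ev in events:
        prev = chain_digest(prev, ev)
        records.append({"event": ev, "digest": prev})
    return records


def verify_chain(records):
    """Recompute every digest. Return the index of the first record that fails, or None if intact.

    Note: an attacker who edits record i and recomputes its digest is still caught at record
    i+1, because that digest was computed over the original value. Truncating the tail of the
    chain is only detectable if the last digest (or record count) is anchored somewhere the
    attacker cannot alter, e.g. stored off-host or signed.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = chain_digest(prev, rec["event"])
        if rec["digest"] != expected:
            return i
        prev = expected
    return None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("intact chain, first failure:", verify_chain(chain))  # None
    tampered = [dict(r) for r in chain]
    tampered[1] = {"event": dict(chain[1]["event"], user="bob"), "digest": chain[1]["digest"]}
    print("edited record 1, first failure:", verify_chain(tampered))  # 1
```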
“I tend to use Snare when customers have a lot of endpoints, 1,000 or more, though particularly over 10K Windows endpoints, and they know they want to monitor each and every one of them. I know Snare will report in every time, all the time, even in large-scale environments. Snare is well documented and easy to install. Snare also does encryption from the agent to the QRadar host, which is very important for most organizations, though in particular federal customers.”