M-21-31 logging compliance: Overcoming the 3 top challenges

Several federal agencies have been using the Elasticsearch platform to meet M-21-31 requirements over the past year — taking a unified approach that includes both logging and threat response. Based on these agencies’ experiences using Elasticsearch for M-21-31, we recommend the following ways to respond to the challenges GAO noted in the study.

Federal agencies are leveraging the accessibility and flexibility of Elasticsearch to automate time-consuming tasks and democratize data insights. Instead of hiring more employees or re-skilling existing teams, agencies are benefiting from Elastic®’s democratized approach to insights and the accessible capabilities built into the Elasticsearch platform. A few of the functionalities helping agencies address the skills gap: 

• Consolidated view into data: Align teams and roles around common data sets, providing a unified view of infrastructure performance and enriched by threat intelligence. This consolidated access is making it easier and faster to consume and act on data and insights, no matter where it’s located.

• Drag-and-drop visualizations: Analyze logging and cybersecurity data through Elasticsearch’s intuitive, visual drag-and-drop dashboards. These dashboards surface insights generated from Elastic’s machine learning (ML) and AI capabilities, allowing everyone access to this information in real time — as opposed to having to wait on a data scientist with specialized knowledge or access.

• Automation capabilities: Leverage the power of Elastic’s open approach to implement security detection rules honed and shared by Elastic threat researchers and community members. Agencies are also saving time by using centralized analytics and alerting to uncover anomalies and threats. Further augment your team’s abilities with the Elastic AI Assistant, which integrates generative AI to simplify tasks and help users find context and information for understanding anomalies and threats faster and speeding problem resolution.

One of the roadblocks in logging compliance is not having access to all logging data. Without streamlined visibility into all data types and sources, the ability to accurately pinpoint threats and patterns is significantly limited. Many organizations are challenged with the high costs involved in managing and storing large quantities of disparate logging data. Elastic’s approach simplifies data ingest and analysis, while our resource-based pricing gives teams the flexibility to pay for what they need.

• Streamlined data ingest: Ingesting different types of data from different sources typically requires multiple tools and processes (and high costs). Using Elastic Agent to ingest all your logs, metrics, and traces can eliminate dependency on external plugins and integrations that may require you to give up control of sensitive data.

• Unified schema: To organize and make sense of all types of ingested data, Elastic uses an open-source, community-driven schema known as the Elastic Common Schema, or ECS. This common data structure unifies all modes of analysis available in Elastic, including search, drill-down and pivoting, data visualization, machine learning-based anomaly detection, detection rules, and alerting.

M-21-31 called for agencies to share logging data with one another, “as needed and appropriate, to accelerate incident response efforts.” Traditionally, sharing data outside an agency introduced significant risk for already-sensitive data, as well as potential costs and time required to copy data or move it to a central source. 

Using Elasticsearch, however, agencies can securely share data across agencies, teams, and projects. In fact, federal agencies are probably already familiar with the cyber intelligence data provided by CISA; Elasticsearch powers CISA’s CDM Dashboard, giving CISA centralized visibility into 100+ agencies’ cybersecurity data when needed. CISA, and other federal agencies, have been relying on Elasticsearch for its:

• Distributed approach: With Elastic’s cross-cluster search and cross-cluster replication capabilities, agencies can securely share their data outside their agency without moving it. In addition to reducing the risk, time, and costs involved with moving data, this approach enables each agency to retain control of their data in its original secure location.

• Data privacy controls: Working hand in hand with cross-cluster search and replication, Elastic’s role and attribute-based access control (RBAC/ABAC) security lets you decide who at your agency can access what data — down to the document level. These security permissions are applied locally, where the data resides. This allows you to create secure dynamic data access policies for certain classification levels and functional areas.

Learn more about how Elastic can provide integrated, cost-effective support for M-21-31 compliance, from log storage, management, and cybersecurity capabilities within our unified AI-powered platform:

• Download the M-21-31 white paper

• Contact the Elastic Federal team