NSM-8, one year later: Validating Elastic’s approach to unified data visibility and analysis


In January 2022, the Biden administration released the Improving Cybersecurity of National Security, DOD, and Intelligence Community Systems memorandum, known as NSM-8. The memorandum directs the US Department of Defense (DoD) and Intelligence Community (IC) to increase their focus on cybersecurity through unified standards and reporting. NSM-8 serves a similar purpose as Executive Order 14028 does for US civilian agencies.

The speed and success of cyber incident response can be significantly influenced by the amount and nature of data recorded in network logs, as well as how that data is retained and accessed. This was highlighted by some of the most pointed criticism of vendors following the 2019 SolarWinds/Sunburst incident and the 2021 Log4Shell vulnerability. 

Since the release of NSM-8, Elastic® has helped IC and DoD customers meet requirements through a cost-efficient, unified approach to cybersecurity, logging compliance, and data analysis.

What is NSM-8?

NSM-8 requires IC and DoD agencies to follow the requirements previously laid out in EO 14028. A few highlights include:

  • Section 3 asks agencies to accelerate the movement to secure cloud services and develop a plan to implement a Zero Trust Architecture.
  • Section 7 calls for agencies to deploy Endpoint Detection and Response (EDR) capabilities to support early and proactive detection of cyber incidents, active cyber hunting, containment and remediation, and incident response. 
  • Section 8 calls on agencies and their IT service providers to collect information from network and system logs on Federal Information Systems for investigation and remediation purposes.

The bottom line is that agencies need to deploy a proven endpoint security tool and amplify its effectiveness with telemetry from EDR and event logging for longer periods of time. Just as importantly, older data must be actionable, with the ability to query it in seconds or minutes rather than days or weeks in order to respond and remediate incidents quickly before the damage worsens. With Elastic, agencies can search, correlate, perform outlier analysis, run machine learning jobs, and investigate across all agency data — whether multi-cloud or multi-cluster — in real time, thereby eliminating attacker dwell time.

Zero Trust with NSM-8

Given the complexity of the cybersecurity environment that agencies face, unification and interoperability become even more critical. Section 3 of EO 14028 highlights the importance of Zero Trust in an agency’s strategy. In a Zero Trust architecture, Elastic® can serve as a unified data access layer, connecting the essential yet disparate pillars of a cybersecurity strategy. This ensures that your team has a holistic view of your cybersecurity environment and a single source of truth that brings together all data, no matter the type or source.

The ongoing migration to cloud infrastructure is a real challenge for Zero Trust. The large number of services, short-lived functions, and numbers of people who can now deploy infrastructure combine to expand the threat surface and increase the scope and scale of cybersecurity problems. Elastic's multi-cloud security features can assess the configuration of cloud assets against industry benchmarks like CIS controls. They can also give real-time visibility into OS-based systems with a lightweight agent powered by eBPF. And with container drift protection, they can block an entire class of runtime attacks.

Learn more about Elastic’s role in building a Zero Trust architecture and protecting cloud workloads.

NSM-8 and endpoint security

The primary requirement of Section 7 is to implement an EDR initiative to support proactive detection of cybersecurity incidents, active cyber hunting, containment and remediation, and incident response. When it comes to detecting cybersecurity vulnerabilities, nothing is more critical to comprehensive protection than access to rich, actionable data in real time. With Elastic, agencies have unparalleled insight into agency data. But they also have access to proven, industry-recognized EDR capabilities on a single platform. 

What makes insight to data in Elastic unparalleled? The ability to keep data actionable for longer periods of time for investigative and compliance purposes. Using frozen tier storage, Elastic retains older data and then offers searchable snapshots to query frozen-tier data from low-cost object storage like AWS S3. Using this methodology, security analysts can have query results for massive amounts of data at their fingertips in minutes. Frozen tier is also more affordable and far faster than rehydrating older data. With this business model, storage costs go down significantly — as much as 90% less than hot or warm tiers and 80% less than the cold tier — as a result of using frozen tier.

Elastic’s extended detection and response (XDR) solution is an open security solution, empowering organizations to maximize their existing investments and minimize risk. Elastic’s XDR solution allows users to ingest data from any source, with hundreds of integrations ready for all of your IT and security telemetry or logs.

Using this ingested data, we apply numerous detection layers from threat intelligence sources, enrich them with MITRE ATT&CK metadata, and remediate them through automated policy enforcement and incident response with detailed case management. This includes automatically quarantining malicious files and stopping ransomware in its tracks.

NSM-8 and event logging

Section 8 highlights the importance of collecting and maintaining network and system logs for investigation and remediation purposes. When it comes to increased visibility of cybersecurity incidents, nothing is more critical to event logging than the ability to ingest, categorize, and visualize streaming logs in real time. 

Elastic enables agencies to perform event logging on the same platform used for security. NSM-8 requires minimum log retention periods that range from 72 hours for full packet capture data to 12 months for active storage to 18 months for cold storage data. These are significantly longer retention periods than in prior cybersecurity directives. One reason for this is the SolarWinds attacker dwell time of more than a year. With Elastic, retaining and querying older data is not only possible, it is also affordable. Once again using frozen tier storage, Elastic retains older logs and telemetry, then offers searchable snapshots to query frozen-tier logs and telemetry.

One solution for endpoint security and event logging

Elastic has been able to help DoD and IC customers meet or exceed NSM-8 requirements that keeps all agency data searchable, accessible, and actionable. This is made possible with endpoint security and event logging being unified on a single data platform that is deployable in public or private clouds or on-prem.

As you navigate NSM-8 compliance, the Elastic public sector team is here to help. Whether you need solution architecture for unified endpoint security and logging integration into your ecosystem or consultation on event log management, Elastic experts with experience in the DoD and IC are only a click away.

Learn more about NSM-8 compliance and Elastic

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.