CarahCast: Podcasts on Technology in the Public Sector

LiveAction 21-31 Podcast

Episode Summary

Meet the requirements outlined in OMB M-21-31, from tier 0 through tier 3, and Zero Trust while effectively facilitating network monitoring and analytics with the help of LiveAction solutions. In Carahsoft's podcast, Navigating OMB M-21-31 and Zero Trust Compliance with Expert Insights from LiveAction, you will learn how LiveAction helps federal agencies support the requirements outlined in OMB M-21-31, including implementation and planning strategies, as well as caveats to watch out for. Joining Carahsoft, LiveAction's CTO and Founder, John Smith, sheds light on the specific requirements for each tier, emphasizing the urgency federal agencies face in meeting the mandate's obligations. Learn how LiveNX, LiveWire, and ThreatEye can play a pivotal role in fulfilling tier 0 through tier 3 network requirements, leveraging packet capture, encrypted traffic analysis and user behavior insights, cloud and network flow logs, SNMP, and centralized access.

Episode Transcription

John Smith 00:00

So the memorandum M-21-31 really clarifies Section 8. It talks about increasing visibility before, during and after a security incident. And it talks about, you know, collecting and analyzing logs, on premises but also in the cloud, for detection, investigation and remediation. And it really details out the logging and retention, and we'll go into much more detail on that as well. And it does talk about information sharing. And there's the NIST document that I showed briefly, and I'll talk more about that; it talks more about how to do logging, and this is provided by NIST. So what are the different maturity levels? I'll just briefly go over the different levels, and we'll dig into EL2 specifically. EL0 was basically, you know, making sure all the critical things are logged, to get started. EL1 built upon that foundation and talked about more logging, different types of events, but they added things like, you know, sharing of information, which is CISA and FBI, and doing planning, like user behavior monitoring. And I'll dig into this user behavior monitoring, because the planning should happen in EL1, but you have to implement it in EL3, not in EL2. But I think some of the things you do in EL2 will affect how it's done in EL3, for example. So there are some consequences of how you actually implement each tier. And EL2, I'll go into more detail in the next few slides, but the big one here is inspection of encrypted traffic, and packet storage for 72 hours comes up in this level. In EL3, I'll talk a little bit more, but it's much more advanced in terms of using AI/ML techniques for user behavior monitoring, and also centralized access. The section I want to talk about is how LiveAction solutions can help not just with level two, but with levels zero through three, in more detail.
And what I did was, you know, it's not just meeting the requirements, like I mentioned, it's really actually improving investigation and remediation capabilities. And I took the network-related requirements from EL0 to EL3, and I mapped them to these three sections: packet capture, encrypted traffic and user behavior, and the third one is various flow logs, logs, SNMP, and centralized access. And when we map it to our products, we have three products that actually map very well to these three sections here. And the three products that we have as part of our network intelligence platform are LiveNX, which is our network performance monitoring; LiveWire, which is packet capture and real-time analysis; and ThreatEye, which is network detection and response on encrypted traffic using ML/AI. And it covers the logs on the bottom here, from NetFlow, flow logs, SNMP, packets, but we also leverage APIs to get, you know, log information and status information that's mentioned in Appendix C as well. A key aspect of this is the network landscape that you need to get these logs from. So we cover cloud, data center, campus, branch, but also SD-WAN and SDN. So SD-WAN vendors, we can integrate and get telemetry from their fabric. We have deep integrations with specific ones, and we can understand how they're implementing their security policies, for example; also colo and edge. And just back on SDN, you know, there's a lot of VXLAN, micro- and macro-segmentation that's happening, so you want to leverage products that can actually look inside the segmentation as well. LiveWire, which is packet capture and real-time analysis, so this helps you do packet capture, and there's also the full PCAP requirement from level one. And it really looks at packets, grabs them from cloud, data center, campus, branch, colo. It has a wide variety of capabilities, but also different footprints as well. So we have ones that can be virtual in your VMware infrastructure, also cloud, so AWS, Azure, GCP.
We also have physical appliances that you can put into your small office or branch, and we have larger ones for the data center. And we can stack these to, you know, 20, 40, 100 gig if you need, so they're very modular in use, but their size is also very small. So these are 2U for the most powerful ones, and the storage capacity, 6490 628 terabytes; if you need petabytes, you know, come talk to us, and we have solutions coming out for that as well. And what LiveWire does is deep packet inspection constantly for the wire data in the packets that it sees. And it'll do forensic packet analysis as well, and, you know, export IPFIX to our LiveNX platform. So if you need metadata for the packets, we can provide that as well. And we have workflows from high-level views down to packets. So, you know, a lot of issues are: you have a fleet of packet analytics but need to find one related to an incident. So the way that LiveWire integrates with LiveNX, with the generated alert or metadata, we can track down and go to that specific LiveWire data, that specific packet, and it helps reduce mean time to repair but also mean time to incident response and resolution as well. High-level summary of the event logging levels: I kind of highlighted in red the ones that are related to network analytics and visibility. So level zero is like you're really kind of starting out; you're logging the most critical things in an acceptable format, as they say. And EL1, you know, starts getting into more interesting logging categories. Also, things related to having access by CISA and FBI, like I mentioned; this will keep coming up at each level. And then logging interesting things like, you know, DNS; also, how do you protect and validate the log information, orchestrating this; and then a really kind of difficult task is user behavior monitoring. You're supposed to start planning for this, and you're supposed to implement it in, you know, EL3.
So this is somewhat hard, but we do have products that'll help you there as well.

07:13

But back to EL1, one thing I'd point out, with the SR guidance that just came out, they strongly emphasized DNS as something that really needs to be monitored, and also DHCP. I imagine that has something to do with binding identity to activities. Just want to save you some reading.

John Smith 07:39

And a good point about DNS. And remember, Zero Trust says encrypt DNS, right, the previous memorandum we talked about. So you can't use the existing approach of, you know, hey, we can actually see all the DNS messages in the clear; it's going to be encrypted. So to plan for that is our joint solution. On the left-hand side is the environment that we've been talking about. So whether it's, you know, cloud, and you've got multi-cloud, right, it's not just a single one, and then you have on premises. So most companies are doing hybrid cloud, where they have multiple cloud providers doing certain specific things. Even Google, I see a lot of our customers using GCP for specific things like AI, because they're very good at that, and they combine it with AWS for their app developers, and DevOps and SREs are primarily there. Then they connect back to the data center, and they might have multiple data centers, and with edge computing you might have a regional data center, for example. And it's very difficult to instrument all this. So that's very, very critical in getting all the different types of telemetry, and the Gigamon solution does a great job of doing that. And that feeds our solution, LiveAction, using packets, obviously, but also NetFlow, and we'll talk more in detail about AMI, which is a very good metadata source for advanced metric information. And then I'll talk in more detail, once we get this quote-unquote log, but it's really multi-telemetry, what can LiveAction do, from a packet perspective, flow perspective and metadata, security metadata perspective, to give you the solution to the M-21-31 issues.

09:21

Of course, we evolved from a traditional next-generation packet broker, right? We're taking packets from the left side of this diagram, between network devices using network taps, from SPAN sessions and taps, and of course now we've evolved into bringing that in from different types of cloud environments and all the different types of virtual environments like VMware, for example. So we're sending, of course, packets over to LiveWire after they've been transformed, deduplicated, focused, so that LiveWire can get a good clean signal that's not too full of unnecessary packets. But we're also engaging in deep packet inspection to look into the network traffic and then generate very lightweight metadata, all the good stuff that folks are trying to pick out of network packets anyway. So that can be over 3,000 different applications and over 5,000 unique metadata elements, right? This is what generates the NetFlow. This is what pulls out

John Smith 10:35

The LiveAction network intelligence platform: once you get all that packet, flow and AMI information, we can send that to our three products. The three products we have are LiveWire, so packet capture and real-time analysis, and this is on the right side, the requirements that we satisfy in M-21-31, so the 72 hours of full PCAP. The middle product, ThreatEye, is network detection and response, and so you can actually do encrypted traffic analysis; you don't have to decrypt the traffic, but we'll use ML/AI techniques to understand, you know, if this is a compromise or an attack. And we also do user behavior modeling: so does this person act like they did previously, does the server act like what it did previously, as well, and maybe it's compromised, it's talking to too many people like it wasn't before. So it can do a lot, using a SaaS-based machine learning/AI platform to analyze the data there. And lastly, LiveNX is a centralized platform for flow logs, cloud flow logs, centralized access and SNMP data. Memorandum M-21-31 clarifies the executive order, and it's really about increasing visibility before, during and after an incident, and talks a lot about logs, so whether it's on premises and cloud. And their term "log" actually is somewhat broad: packets, NetFlow, flow logs, SNMP, they're all considered part of logging. So it's not just, you know, syslog, or traditional syslog, as you might think about it. It also talks in very good detail about how long to retain these logs, what to log, and also the management of it. And they also emphasize, you know, being able to share this, not just within your organization, but with CISA and other agencies that might get involved in incidents. And they gave a pretty aggressive timeline. And at the bottom, I show the different tier levels. So Section 1 of M-21-31 lays out all the different tiers at a high level.
And there's an appendix, which I'll show, that goes into details of each of the different logging categories. Like I mentioned, EL0 is, you know, the critical level zero, and there's quite a bit of it as well. But then you get to the basic level, EL1, so there's more things related to protecting and validating log information, like I mentioned, CISA and FBI requirements, so when you have an incident, they want to be able to access that as well. I think Vivian has the results, if you can. That is, you know what that is. Okay, very good. So half of us are at EL0 and half are just starting the journey. So perfect, you're in the right webinar. That's good to know. So focus on getting to EL1 and EL2, because I think those are the ones that are going to be most challenging. At EL1, there's a requirement for user behavior monitoring planning; it's not executing, it's planning. So I think this is one of the things that you've got to watch out for, because when you get to EL3, there's this user behavior monitoring implementation. So they're giving you some opportunities to start planning, but then actually implementing in EL3, and it's not a trivial task. So having time to put in the right set of logs to get to EL3, I think, is important at level one and level two. EL2, I think, is where it starts to get much harder, and this is where you have the full packet capture, 72 hours of packet capture, but also the inspection of encrypted data. And why they want you to do that is they want to retain and store metadata information so they can do more real-time analytics on this. This is really helpful for the packet capture, 72 hours, but you could do a lot more with that, but also do real-time packet analytics, be able to send the metadata, full PCAP as well.
The second piece is ThreatEye. So when we talk about encrypted traffic analysis without decrypting, using machine learning, this is the solution that will provide that capability. And LiveNX is the central access to getting the flow logs, the metadata from LiveWire, the flow logs, SNMP; it knows how to talk to all the different parts of your network. So let's dig into LiveWire, which is the packet analytics piece. So deep packet inspection, constant capture from the wire, but it'll also do real-time packet analysis, you know, send that metadata to LiveNX, and it'll have workflows that you can do from a high level, being able to drill down to those very specific packets. It also has an intelligent packet capture option, which I'll talk about in more detail. You can do just packet capture if you want, or you can buy it as part of a solution or the platform. And it can also do large-scale management. Like I mentioned earlier, if you have a fleet of these, you know, think about how you do backup, restore, upgrades, configuration management; so you want something that has that capability when you have a dozen or hundreds. And it also does metadata extraction for encrypted traffic analysis. And it comes in a wide variety of form factors. So LiveWire Virtual, we have instances that you can run in all the different cloud service providers or even on your VM infrastructure as well. And we have an edge, a core and a parkwalk. They have a big data center of like to know for