CISA Offers Free 'Logging Made Easy' Tool for Diagnosing Threats

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week introduced Logging Made Easy (LME) version 1.0.

LME is a bundle of free and open source software for organizations that lack a security operations center or a security information and event management (SIEM) solution, and that also lack the security knowledge and expertise to set up an intrusion detection system, per its GitHub description. CISA's description is also quick to point out that LME is "not a professional tool, and should not be used as a SIEM."

The tool has limitations, but it is "better than nothing," CISA stressed. It may be particularly useful for "small isolated networks" that lack corporate monitoring.

LME currently works only with Windows environments. "LME is limited to on-premises networks with an Active Directory," CISA explained in its FAQ document. It does not cover cloud services, such as Windows virtual machines hosted by a cloud provider, but CISA is considering adding such support in the future.

LME is based on "Windows Clients, Microsoft Sysmon, Windows Event Forwarding and the ELK stack," per its GitHub description. "ELK stack" is an abbreviation for three tools: "Elasticsearch," a search and analytics engine built on Apache Lucene; "Logstash," an open source data ingestion tool; and "Kibana," a data visualization and exploration tool, per AWS' definition.

LME also uses "free, publicly available software, such as Ubuntu, Docker, and Elastic." Three computer groups are used for it, per CISA's LME architecture diagram:

Figure 1. CISA's Logging Made Easy architecture, using three groups of computers.
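The pipeline in Figure 1 only delivers data if every hop is healthy, and the "better than nothing" caveat above is usually where a small shop finds out that a hop is broken. The following PowerShell is an added example, not part of LME or of this article: on a domain-joined client it checks that Sysmon is running and writing to its operational log, that Group Policy has handed the client a collector address, and that WinRM (which Windows Event Forwarding rides on) is listening; on the collector it asks wecutil for the per-source state of every subscription. It assumes the default Sysmon service names (Sysmon or Sysmon64) and the standard Group Policy registry path for the subscription manager; those are assumptions, not something the article states.

```powershell
# Added example, not CISA's LME code. Run on a Windows client that should be
# feeding LME, then on the Windows Event Collector (WEC) host.
# Assumes the default Sysmon service names and the standard GPO registry path.

# --- Client side -----------------------------------------------------------

# 1. Sysmon installed and running (service name depends on the installer used)
Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue |
    Select-Object Name, Status

# 2. Sysmon actually writing events: look at the newest entries in its channel
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName

# 3. The client must know its collector. Group Policy writes the address here
#    (Computer Configuration > Administrative Templates > Windows Components >
#    Event Forwarding > Configure target Subscription Manager).
$subscriptionManagerKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (Test-Path $subscriptionManagerKey) {
    Get-ItemProperty -Path $subscriptionManagerKey
} else {
    Write-Warning 'No SubscriptionManager policy: this client will never forward events.'
}

# 4. WinRM is the transport for WEF; if this fails, nothing reaches the collector
Test-WSMan -ErrorAction SilentlyContinue

# 5. The forwarding plugin logs its own errors (e.g. bad certificate, collector
#    unreachable) in this channel; anything at Error level here is worth reading
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# --- Collector side --------------------------------------------------------

# 6. On the WEC host: list each subscription, then its runtime status, which
#    shows every source computer and whether it is Active, Inactive or Disabled
wecutil es | ForEach-Object { wecutil gr $_ }
```

Step 3 is the one that most often explains a silent client: without the policy, Sysmon logs locally forever and the ELK side simply sees nothing from that host. Step 6 gives the collector's view, so comparing its list of Active sources with the machines in Active Directory is a quick way to spot hosts that never enrolled.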

The LME tool offers self-installation guides, "easy integration," event-driven logs for diagnosing threats and "prebuilt" security detection rules. The solution is vetted by CISA, per the FAQ. Organizations only bear operational costs when using it. "Organizations and individuals who choose to use the LME assume all subsequent operational costs," the FAQ noted.

Anyone can download, install and use the LME software, but CISA specifically aimed to support "resource-constrained organizations" in releasing it.

"LME was designed with resource-constrained organizations in mind, as a way to offer log management capabilities they might otherwise not be able to obtain," the FAQ stated.

LME is a "reimagined version" of a "free and open solution designed and managed by the United Kingdom’s National Cyber Security Centre," CISA explained. CISA began overseeing its version of the tool in April 2023.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
