CISA Offers Free 'Logging Made Easy' Tool for Diagnosing Threats -- Redmondmag.com

CISA Offers Free 'Logging Made Easy' Tool for Diagnosing Threats

By Kurt Mackie
10/27/2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week introduced Logging Made Easy (LME) version 1.0.

LME is a bundle of free and open source software for organizations lacking a security operations center or security information and event management (SIEM) solution, as well as lacking the security knowledge and expertise to set up an intrusion detection system, per its GitHub description. However, CISA's description also was quick to point out that LME is "not a professional tool, and should not be used as a SIEM."

The tool has limitations, but it is "better than nothing," CISA stressed. It may be particularly useful for "small isolated networks" that lack corporate monitoring.

LME currently just works with Windows environments. "LME is limited to on-premises networks with an Active Directory," CISA explained in its FAQ document. It does not work with cloud services, such as Windows on virtual machines, but CISA is considering adding such support in the future.

LME is based on "Windows Clients, Microsoft Sysmon, Windows Event Forwarding and the ELK stack," per its GitHub description. The ELK stack is an abbreviation for three tools, namely "Elasticsearch," which offers the Apache Lucene search and analytics engine, "Logstash," which is an open source data ingestion tool, and "Kibana," which is a data visualization and exploration tool, per AWS' definition.

LME also uses "free, publicly available software, such as Ubuntu, Docker, and Elastic." Three computer groups are used for it, per CISA's LME architecture diagram:

**[Click on image for larger view.]** *Figure 1.* CISA's Logging Made Easy architecture, using three groups of computers.

The LME tool offers self-installation guides, "easy integration," event-driven logs for diagnosing threats and "prebuilt" security detection rules. The solution is vetted by CISA, per the FAQ. Organizations only bear operational costs when using it. "Organizations and individuals who choose to use the LME assume all subsequent operational costs," the FAQ noted.

Anyone can download, install and use the LME software, but CISA specifically aimed to support "resource-constrained organizations" in releasing it.

"LME was designed with resource-constrained organizations in mind, as a way to offer log management capabilities they might otherwise not be able to obtain," the FAQ stated.

LME is a "reimagined version" of a "free and open solution designed and managed by the United Kingdom’s National Cyber Security Centre," CISA explained. CISA began overseeing its version of the tool in April 2023.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.