惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
V
V2EX
大猫的无限游戏
大猫的无限游戏
腾讯CDC
博客园 - Franky
WordPress大学
WordPress大学
Jina AI
Jina AI
GbyAI
GbyAI
云风的 BLOG
云风的 BLOG
B
Blog RSS Feed
Last Week in AI
Last Week in AI
The Cloudflare Blog
V
Visual Studio Blog
P
Proofpoint News Feed
博客园 - 叶小钗
L
LangChain Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Recorded Future
Recorded Future
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Blog of Author Tim Ferriss
人人都是产品经理
人人都是产品经理
Y
Y Combinator Blog
罗磊的独立博客
雷峰网
雷峰网
博客园 - 【当耐特】
Microsoft Security Blog
Microsoft Security Blog
L
LINUX DO - 热门话题
Cisco Talos Blog
Cisco Talos Blog
L
Lohrmann on Cybersecurity
Martin Fowler
Martin Fowler
Spread Privacy
Spread Privacy
MongoDB | Blog
MongoDB | Blog
Engineering at Meta
Engineering at Meta
C
Cybersecurity and Infrastructure Security Agency CISA
小众软件
小众软件
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Recent Announcements
Recent Announcements
T
Threat Research - Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
量子位
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
宝玉的分享
宝玉的分享
D
DataBreaches.Net
T
The Exploit Database - CXSecurity.com
Vercel News
Vercel News
IT之家
IT之家
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
Troy Hunt's Blog
aimingoo的专栏
aimingoo的专栏

Palo Alto Networks Blog

Announcing the General Availability of Prisma AIRS AI Gateway Palo Alto Networks and AT&T - Delivering Quantum-Resilient SASE Fabric What It Takes to Secure Claude Cowork Across the AI Enterprise It Might Feel Like We’ve Been Here Before, But We Haven’t A Defining Moment in Identity Security New Executive Order Accelerates Post-Quantum Readiness Amid the Cryptographic Reset Built to Last: What Stonehenge Teaches us About IT Architecture & Cyber Resilience Expanding Our Footprint: Local Cloud Availability for Prisma AIRS in Japan The Invisible CEO of Crisis: Breaking the Cycle of CISO Burnout Securing the Agentic AI Frontier: Palo Alto Networks and Databricks Deliver a New Standard for AI Security Securing Canada’s Digital Future: Why PBMM Matters Beyond Government Beyond Human Oversight: Adapting to the Frontier AI Era European Digital Sovereignty Starts With Trust How AI and Evasion Demand a Radical Shift in Network Threat Prevention Reinventing Security for the Agentic NVIDIA AI Factory A 4X Gartner Magic Quadrant for EPP Leader. Built for the Agentic Era. Securing and Governing AI Agents At Scale Through A Unified AI Gateway The “Why” Behind NextWave’s New Requirements Beyond the Frontier — Expanding the Ecosystem for Autonomous Defense Defender's Guide to the Frontier AI Impact on Cybersecurity: May 2026 Update From WarGames to Cyberwar Idira — Our Journey to Democratize Privilege Controls A New Era of Security: Frontier AI Defense Nutanix and Palo Alto Networks Integrate for Robust Model Trust 39 Seconds — That's How Long It Takes to Lose Your Data The Dangerous Momentum of Autodownload Phishing Enhancing AI-Driven Defense with Anthropic’s Claude Opus 4.7 Unit 42 Expands Frontier AI Defense with Armadin Partnership Palo Alto Networks and Google Cloud Scaling AI Agents with Confidence Palo Alto Networks Joins DNS-OARC as a Platinum Member The AI Ecosystem Edge — Introducing Our Frontier AI Alliance Defender's Guide to the Frontier AI Impact on Cybersecurity Introducing Unit 42 Frontier AI Defense Securing the UK’s Digital Future Announcing ADEM Universal Agent Palo Alto Networks at Nutanix .NEXT 2026 Closing the Gap by Enhancing Visibility and Mitigating Risks Five Browser and AI Security Questions Keeping CxOs up at Night Securing the Era of Agentic AI with Prisma SASE The Cryptographic Reset Has Begun Prisma Browser for Business — A Secure Workspace for Small Business Securing the Enterprise AI Ecosystem with ServiceNow and Prisma AIRS How NextWave’s Evolution Drives Shared Success Announcing Prisma AIRS Availability in Singapore Region How the National Cyber Strategy Secures Our Digital Way of Life
Shifting from Data Hoarding to Active Defense: Navigating the New Era of OMB M-26-14
Wayne LeRiche · 2026-06-10 · via Palo Alto Networks Blog

The release of OMB Memo M-26-14 ("Ensuring Effective and Efficient Agency Logging and Network Visibility to Defend Against Evolving Cyber Threats") marks a historic turning point in federal cybersecurity. By officially rescinding the M-21-31 directive, the White House has delivered a clear message to federal IT leaders: the era of compliance-driven data hoarding is officially over.

While the previous framework was a well-intentioned response to the SolarWinds breach, its mandate to collect and retain vast oceans of unstructured logging data created unintended, unsustainable operational burdens. For the past several years, federal agencies have faced skyrocketing cloud storage bills and overwhelmed Security Operations Centers (SOCs). Crucially, they have been left with vast quantities of cold data that lacked clear operational utility.

As OMB noted, retaining endless data without operational focus is neither cost-effective nor operationally feasible. With M-26-14, the federal government is pivoting to a smarter, sleeker, and far more decisive strategy: a risk-based, prioritized logging framework driven by AI and machine-speed defense.

The Core Shifts: What Federal Leaders Must Understand

M-26-14 strips away administrative "red tape" to focus on how modern cybersecurity risks have evolved. Nation-state threat actors are actively leveraging advanced automation and Artificial Intelligence (AI) to orchestrate attacks at unprecedented speeds. They move laterally across agencies in minutes, hiding behind legitimate corporate credentials.

To beat machine-speed threats, your data layer must operate at machine-scale. The new memo reorganizes federal visibility around two foundational pillars:

1. Continuous Event Monitoring — Owning the Present

Continuous Event Monitoring demands that logging infrastructure shift from a passive archiving tool to a live-streaming asset. Agencies are now required to monitor network and asset activity in real time, rapidly flag anomalous behavior via behavioral analytics, and initiate immediate mitigation actions directly through their SOCs.

2. Threat Hunting, Investigation, Response, and Forensics — Dominating the Post-Compromise

When a compromise is suspected, agencies can no longer spend days running slow database queries or pulling disconnected csv files. M-26-14 mandates that agencies keep 6 months of logs "hot and searchable" and 1 year fully "retrievable." This allows defenders to immediately stitch together cross-domain attack patterns, perform rapid root-cause forensics, and share threat intelligence seamlessly with CISA and the FBI.

3. Expanding the Blast Radius: Entering IoT and OT

Perhaps the most significant structural change is the explicit inclusion of Internet of Things (IoT) and Operational Technology (OT) systems. Adversaries do not respect the boundary between your corporate IT network and your physical infrastructure. Under M-26-14, your logging and threat-hunting capabilities must aggressively cover the entire enterprise—from public cloud workloads to the physical facility controls and critical infrastructure grids running on an agency's behalf.

The Clock is Ticking: The Aggressive Maturity Deadlines

Agencies cannot afford a passive approach. The timeline established by OMB M-26-14 moves quickly:

  • T+90 Days: CISA will publish the new Logging Reference Architecture (LRA) codifying hybrid/centralized deployments, Zero Trust Maturity Model (ZTMM) integration, and AI-driven monitoring guidelines.
  • LRA +90 Days: Agencies must submit their comprehensive Agency Logging Plans.
  • LRA +120 Days: Achieve Basic Level 1 Maturity.
  • LRA +180 Days: Achieve Intermediate Level 2 Maturity.
  • LRA +320 Days: Achieve Advanced Level 3 Maturity (Advanced/Optimal Effectiveness).

Activating OMB M-26-14 with Palo Alto Networks Cortex

Trying to retrofit a legacy SIEM architecture to meet the advanced or optimal effectiveness tiers of M-26-14 is an engineering and budgetary dead end. Legacy SIEMs scale costs linearly with ingestion and rely on static, human-written correlation rules that fail against AI-fueled threats.

The FedRAMP Certified Palo Alto Networks Cortex platform—anchored by Cortex XSIAM (Extended Security Intelligence and Automation Management)—was engineered from the ground up to solve the exact problems this new memo addresses.

From Disconnected Columns to Cross-Domain "Stitching"

Legacy logging stores data in isolated silos. An analyst trying to track an adversary has to manually look at an identity log, cross-reference it with a network firewall alert, and match it to an endpoint execution.

Cortex XSIAM features a revolutionary Analytics Engine that automatically stitches multi-vendor logs across cloud, network, endpoint, and identity at the moment of ingestion. It transforms raw text into a single, cohesive, context-rich story, instantly aligning incidents with the MITRE ATT&CK framework.  Cortex XSIAM doesn’t just ingest data, it understands the data which enables stitching of multiple data elements into a single, multi-context construct which accelerates analysis via AI and machine learning.

Replacing Static Rules with Cloud-Scale AI

Adversaries use AI to evade signature detection. Cortex XSIAM fights fire with fire, applying out-of-the-box, unsupervised machine learning models to baseline normal behavioral patterns across your entire federal enterprise. When an anomalous lateral movement, data exfiltration attempt, or credential abuse event occurs, XSIAM flags the threat instantly—without requiring your team to spend weeks writing custom correlation code.

Accelerating Continuous Event Monitoring (CEM) and Threat Hunting, Investigation, Response and Forensics (THIRF)

There is more to CEM than just monitoring network activity.  Activity on endpoints, within your identity management solution(s) and in the cloud are just as important.  Understanding the data, knowing which log records are related to each other across multiple log sources, which events are relevant and the context they provide is required.  

Understanding these events and their contextual relationships is fundamental to providing THIRF in an efficient manner.  Cortex XSIAM provides over 2,900 machine learning models out of the box, models that are trained on the data in your environment so they detect anomalous activity based on what is “normal” in your environment, not trained on generic data from other customers or a lab.  These models can identify threats based on data stitched together from multiple sources to provide a more complete context yielding more accurate and consistent results while decreasing time to value.

Securing the Unmanageable: Agentless IoT/OT Defense

You cannot install an EDR logging agent on a smart building HVAC system or an industrial programmable logic controller (PLC). Palo Alto Networks utilizes non-disruptive, passive network analysis to continuously discover, profile, and generate high-fidelity security logs for IoT and OT infrastructure. These logs stream directly into XSIAM, eliminating critical federal blind spots and protecting your High Value Assets (HVAs) from cross-boundary pivot attacks.

Solving the Storage Conundrum Safely

Keeping six months of high-velocity event logs fully "hot and searchable" under a traditional database indexing model creates a crushing financial burden. Cortex XSIAM fundamentally resets the Total Cost of Ownership (TCO) equation by leveraging an index-free, cloud-native data lake architecture that decouples storage costs from analytical performance. By eliminating legacy ingestion taxes and infrastructure overhead, federal defenders can search petabytes of data in seconds—effortlessly meeting the 6-month searchable and 1-year retrievable thresholds. Furthermore, integrated data masking rules strip away sensitive PII or low-value data noise before it hits the SOC, ensuring agencies only pay for operationally vital intelligence.

The Bottom Line for Federal Leaders

OMB M-26-14 is a massive step forward for federal cybersecurity. It frees CISOs from the operational gridlock of untargeted data archiving and empowers them to build faster, modern, and highly responsive security operations.

Meeting the strict 120-to-320-day maturity milestones requires moving past the tools of the last decade. By partnering with Palo Alto Networks and deploying the Cortex suite, federal agencies can seamlessly transition into a risk-aligned, AI-driven SOC. They can confidently check the box on OMB compliance while achieving what the directive actually intends: protecting the resilience and integrity of the federal mission at machine speed.

Palo Alto Networks’ Cortex XSIAM is FedRAMP certified at both the moderate and high levels.

Want to learn more about how to structure your upcoming Agency Logging Plan to meet CISA's upcoming Logging Reference Architecture? 

Contact the Palo Alto Networks Federal Team today to schedule an architectural deep-dive.