- The White House is providing guidance to implement an agency-wide endpoint detection and response (EDR) initiative, according to a memo released Friday from Office of Management and Budget Director Shalanda Young. The guidance follows President Joe Biden's May cybersecurity executive order asking for the Federal Civilian Executive Branch to deploy an EDR initiative.
- The federal government wants to improve early detection capabilities in agencies, creating "enterprise-level visibility" across bureaus and sub-agencies, according to the memo.
- Agencies have 120 days to assess current EDR capabilities with the Cybersecurity and Infrastructure Security Agency (CISA). Agencies have 90 days to give CISA access to their enterprise EDR deployments, or at least collaborate with CISA "to identify future state options." CISA then has 90 days to develop a process for monitoring EDR system performance across agencies.
EDR houses the collection and monitoring of endpoint data, giving insights and visibility into advanced persistent threats (APTs) lurking on networks. But already, extended detection and response (XDR) capabilities are beginning to overshadow traditional EDR. The federal government needs modernized IT and cybersecurity, with the SolarWinds breach highlighting shortcomings in federal defenses.
Federal security leaders are emphasizing the zero trust model, and EDR "is an essential component for transitioning to zero trust architecture, because every device that connects to a network is a potential attack vector for cyberthreats," the memo said. The goal is to centralize information to better act on visibility, attribution and response in agency systems, using a CISA-implemented centrally located EDR initiative for governmentwide visibility, the memo said.
CISA's EINSTEIN system, part of the government's existing EDR, is used to detect and block cyberattacks, and provide the agency with "situational awareness to use threat information detected in one agency to protect the rest of the government," according to the agency. But to some legislators, EINSTEIN is outdated, and the SolarWinds breach proved the system's failure.
"EINSTEIN developed some 15 years ago, when we were all focused on the perimeter. We know that the world has changed, it is a new normal," said Jen Easterly, director of CISA, while speaking at the Mandiant Cyber Defense Summit last week.
CISA is working to transform the system, focusing more on detecting threat activity at the endpoint. CISA wants to better detect threat activity in the cloud, Easterly said. Because the perimeter doesn't really matter anymore, "the architecture has to be predicated on zero trust principles," which is why it was included in Biden's executive order.
The National Defense Authorization Act (NDAA) FY2021 gave CISA more authority for threat hunting across government networks. Before, the agency was only welcome to threat hunt when an agency asked.
"Once we get all the EDR technology instantiated, once we get access to the object level data, once we can build the analytics to allow us to persistently hunt based on the new authorities we were given, I think we can make some real change," Easterly said.
When CISA was established in 2018, cyber operations became centralized for federal departments and agencies. CISA's goal is to use threat analysis only the government can provide to enrich "commercial feeds with sensitive government data," making it easier for outside organizations and companies to work with CISA.