CISA: Majority of US Government Will Get EDR Later in 2022EDR Deployments Will Be Underway at More Than Half of Federal Agencies This Year
Endpoint detection and response deployments will be underway at more than half of federal civilian agencies by the end of September, according to federal officials.
The Cybersecurity and Infrastructure Security Agency is currently in the process of deploying EDR across 26 federal civilian agencies and expects to have work underway at 53 agencies by Sept. 30, says Eric Goldstein, CISA's executive assistant director for cybersecurity. Goldstein was one of four witnesses at a congressional hearing Tuesday focused on strengthening federal network cybersecurity.
"One of the lessons learned from the SolarWinds intrusion is that we need to correlate threat activity that we might see at the perimeter of a federal agency to something happening at a workstation to something happening in the cloud," Goldstein said at the hearing. "This EDR visibility is really foundational in giving us the ability to connect the dots on intrusions far more quickly."
Goldstein testified with Office of Management and Budget Federal CISO Christopher DeRusha, National Institute of Standards and Technology Director Charles Romine, and General Services Administration CIO David Shive before a U.S. House of Representatives subcommittee focused on cybersecurity. The hearing comes 16 months after the SolarWinds compromise wreaked havoc on the U.S. government (see: Why Didn't Government Detect SolarWinds Attack?)
Securing Mobile Devices
CISA's EDR deployment is focused largely on workstations and servers residing inside U.S. government agencies, which Goldstein says will provide CISA with the authority needed to consistently hunt persistent threats across federal networks. As part of this data collection effort, Goldstein says federal agencies are now providing CISA with object-level data for the agency's diagnostic and mitigation dashboards.
"We are now able to access that necessary data which is so critical for us to understand prevalence of vulnerabilities and other risk conditions across federal agencies and drive much more targeted and faster mitigation of risk that may emerge," says Goldstein.
Nearly every large agency is now connected to the federal dashboard, Goldstein says, and more small and medium-sized agencies are getting connected each week. Goldstein says CISA's Continuous Diagnostic and Mitigation Program is going beyond workstations and servers sitting at federal agencies to integrating mobile asset management capabilities, with more progress expected in coming months.
"In this new hybrid, remote-first universe which we're living in, a lot of federal employees are using their mobile devices for a significant volume of agency work and processing important information," Goldstein says.
Shive says the General Services Administration over the past year has extended its ability to assess endpoints with granular visibility beyond laptops and servers to include mobile phones and operational technology devices. The GSA can increasingly see where non-user-based devices are and what they're attempting to do, which addresses a significant threat vector for nation-state groups.
"We're expanded that ability to have granular visibility into the form, function and action of those devices that we didn't have a year ago," Shive said during the hearing.
The GSA has deepened its encryption, going beyond simply encrypting everything residing in the cloud to also encrypt most of the agency's internal infrastructure, according to Shive. The GSA has also made its multifactor authentication - which was already nearly ubiquitous - easier to use so that agency employees aren't inclined to try to find other ways to get into the GSA's systems, Shive says.
Making Einstein More Intelligent
Since President Joe Biden signed an executive order in May 2021 focused on improving the nation's cybersecurity, Goldstein says federal agencies have invested a significant amount of money and made significant progress in deploying multifactor authentication wherever possible and encrypting data both in transit and at rest.
"We know that given the significant breadth of legacy, outdated IT infrastructure across federal agencies, deploying modern security controls can at times be challenging," Goldstein says. "But every agency with the capacity to deploy MFA and encryption has done so in almost all cases."
CISA is also looking to modernize its Einstein intrusion detection system to improve its ability to detect previously unknown or unseen threats, according to Goldstein. Einstein came under criticism by lawmakers in both parties for failing to detect the SolarWinds intrusion prior to December 2020 despite the federal government having spent more than $6 billion on the system.
Goldstein says CISA plans to strengthen Einstein by improving its visibility at the endpoint level and building in the capability to aggregate logs in cloud environments. In addition, Goldstein says CISA is looking to modernize its perimeter defenses and move toward commercial shared services in an effort to move Einstein beyond its legacy of being overly focused on the network and perimeter.
Finally, Goldstein told lawmakers at the hearing that the national and global cybersecurity community is doing urgent work to create an approach to the software bill of materials that's both automated and interoperable.
"At this point, that foundational work is a prerequisite to a [SBOM] mandate being effective and achieving the change that we collectively want to advance," Goldstein says.
EDR Rollouts No Easy Feat
Rolling EDR out across a single homogeneous enterprise is a relatively straightforward process, but each federal agency is essentially its own enterprise with no overarching management system connecting devices at different agencies, says Venable Senior Director of Cybersecurity Services Grant Schneider. As a result, he says, each federal agency basically has to roll EDR out on its own.
"Any rollout across federal agencies is hard," Schneider tells Information Security Media Group. "I think it's a very challenging logistical task that they're doing."
Schneider, who is an ISMG contributor, would like to see federal agencies go beyond EDR and take on extended detection and response to incorporate other systems such as network devices and get a more holistic view of the enterprise. Enterprises need a situational awareness of what's happening in their environment and should tap into tools such as XDR that can help with digesting and reacting to data.
Schneider was pleased to hear that branches of the federal government such as the GSA are attempting to enhance their situational awareness of nontraditional devices to better understand what's happening in their environment.
"It's definitely very important for enterprises to be able to understand what's happening on those nontraditional devices to give them a better view of their overall ecosystem," Schneider says.