Organizations and agencies across industries and government have been rocked in recent years as cyberattacks are getting more sophisticated, costly, and disruptive. With the Federal government in the crosshairs of bad actors trying to steal sensitive data – or worse – President Biden has made cybersecurity a critical focus of his administration. His Executive Order on Improving the Nation’s Cybersecurity (EO 14028) gives Federal technology teams clear directives designed to quickly secure Federal networks. One of those directives instructs agencies to adopt a zero trust architecture.
Zero trust can’t be fully realized without strong endpoint detection and response (EDR) capabilities. Section 7 of the cyber EO requires agencies to deploy EDR tools to proactively detect incidents within the Federal infrastructure, contain incidents at the endpoint, and provide quick remediation and incident response.
While EDR is a necessary capability in a cybersecurity portfolio and a requirement to build a zero trust architecture, it is not a lone silver bullet.
“Because of the accelerated timelines in the mandates, many agencies are rushing into EDR implementation absent a broader strategy in which EDR is just one component,” said Bryan Palma, CEO of Trellix, the organization recently forged from the merger of the McAfee Enterprise and FireEye technology organizations. “The Federal government has very diverse endpoints, including traditional endpoints like servers, laptops, and phones, and unusual endpoints like weapons systems and satellites. Agencies may tackle each endpoint with specific EDR tools designed for each particular endpoint, but it doesn’t provide holistic cybersecurity with a view across endpoints or achieve the spirit of the cyber EO for a secure Federal government.”
To gain a holistic view, Federal agencies should look to an extended detection and response (XDR) platform, Palma advised. XDR is a next-generation solution correlating EDR, network, email, cloud, and other data from across the enterprise – and across environments – into a single view in the security operations center (SOC). XDR uses automation and machine learning to provide threat analysts and the SOC team with more accurate threat detection to improve response time.
Palma shared five benefits Federal technology teams can realize by implementing an XDR platform on the path to zero trust security.
- XDR ingests and distills data from multiple security tools.
The SOC is ground zero in the fight against hackers. However, analysts in the SOC are faced with an onslaught of data from different EDR solutions monitoring different groups of endpoints spread across agency environments. They also deal with massive amounts of alerts, many of which are false positives, which leads to alert fatigue. With limited resources, it’s hard for technology teams to keep up, which can cause significant gaps in cybersecurity.
The XDR platform uses automation to collect, consolidate, and analyze data from multiple security tools. By combining the telemetry from those tools into one view, the SOC can quickly identify and act on the alerts and threats that matter. As an added benefit, agencies don’t have to replace any existing technology to improve endpoint security: XDR works with the tools the agency already has in place.
- Technology teams gain a holistic view across the entire threat landscape.
Not only does XDR collect and analyze data from multiple security tools, it also pulls data from different environments. XDR ingests data from cloud services, networks, endpoints, users, email, and other sources and combines it in a single place. Using machine learning, XDR correlates the information quickly and applies situational security context to identify the root causes of issues and drive responses. XDR provides the holistic, single-pane-of-glass view agencies need to achieve cybersecurity across the enterprise.
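The consolidate-and-correlate step described in the last two benefits is easier to picture with a small worked example. The following Python is an added illustration, not code from the original article or from Trellix: it takes alerts from three hypothetical tools (an EDR agent, an email gateway, and a network sensor), each with its own field names, normalizes them into one record type, and then groups them per host inside a time window. The host names, timestamps, field names and scoring weights are all constructed for the example.

```python
"""Toy XDR-style correlation: normalize alerts from several tools into one
schema, then correlate them per host within a time window.

Added example. The three input formats, the host names and the scoring
weights are constructed assumptions, not any vendor's real schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample alerts, each in the shape its (hypothetical) tool emits.
EDR_ALERTS = [
    {"device": "ws-042", "when": "2022-03-01T09:05:10", "user": "jdoe",
     "detail": "powershell.exe spawned by winword.exe", "sev": "medium"},
    {"device": "ws-017", "when": "2022-03-01T11:30:00", "user": "asmith",
     "detail": "unsigned binary executed from temp", "sev": "low"},
]
EMAIL_ALERTS = [
    {"recipient": "jdoe", "endpoint": "ws-042", "ts": "2022-03-01T09:03:55",
     "subject": "Invoice attached", "verdict": "macro document"},
]
NETWORK_ALERTS = [
    {"src_host": "ws-042", "timestamp": "2022-03-01T09:06:40",
     "dst": "203.0.113.50:443", "signature": "periodic beacon"},
    {"src_host": "ws-099", "timestamp": "2022-03-01T14:00:00",
     "dst": "198.51.100.7:80", "signature": "large outbound transfer"},
]


@dataclass
class Event:
    """One alert in the common schema every tool is mapped onto."""
    source: str      # which tool raised it: edr / email / network
    host: str        # the entity the sources are joined on
    time: datetime
    summary: str
    weight: int      # constructed per-source base score


def normalize():
    """Map each tool's own fields onto the common record (the consolidation step)."""
    events = []
    for a in EDR_ALERTS:
        weight = {"low": 1, "medium": 2, "high": 3}[a["sev"]]
        events.append(Event("edr", a["device"], datetime.fromisoformat(a["when"]),
                            a["detail"], weight))
    for a in EMAIL_ALERTS:
        events.append(Event("email", a["endpoint"], datetime.fromisoformat(a["ts"]),
                            a["verdict"], 1))
    for a in NETWORK_ALERTS:
        events.append(Event("network", a["src_host"],
                            datetime.fromisoformat(a["timestamp"]), a["signature"], 2))
    return sorted(events, key=lambda e: e.time)


def _summarize(host, chain, min_sources):
    """Turn one per-host chain of events into a finding with a combined score."""
    sources = sorted({e.source for e in chain})
    score = sum(e.weight for e in chain) * len(sources)  # more tools agreeing -> higher score
    return {
        "host": host,
        "sources": sources,
        "escalate": len(sources) >= min_sources,
        "score": score,
        "timeline": [f"{e.time.time()} {e.source}: {e.summary}" for e in chain],
    }


def correlate(events, window=timedelta(minutes=10), min_sources=2):
    """Group events per host; a chain inside `window` that spans at least
    `min_sources` different tools is escalated as one finding, while
    single-source alerts stay low priority to reduce alert fatigue."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    findings = []
    for host, evs in by_host.items():
        chain = []
        for e in evs:
            if chain and e.time - chain[0].time > window:
                findings.append(_summarize(host, chain, min_sources))
                chain = []
            chain.append(e)
        findings.append(_summarize(host, chain, min_sources))
    return findings


if __name__ == "__main__":
    for finding in correlate(normalize()):
        flag = "ESCALATE" if finding["escalate"] else "low"
        print(f"{finding['host']:8} {flag:9} score={finding['score']:3} "
              f"sources={','.join(finding['sources'])}")
        for line in finding["timeline"]:
            print("    ", line)
```

On the constructed input, ws-042 produces one escalated finding because the email gateway, the EDR agent and the network sensor each saw a piece of the same chain within a few minutes, whereas the lone low-severity alerts on ws-017 and ws-099 are kept but not escalated. That is the point of the correlation: no single tool's alert is strong on its own, and the analyst sees one finding with a timeline instead of three unrelated tickets.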
- XDR is not proprietary.
XDR must support native integrations and also open architectures that integrate security tools from different vendors. This means it can take in new technology and new environments as agency needs and missions change. With an open architecture solution, agencies don’t have to make additional investments, and the open architecture allows the platform to scale.
“In today’s environment, proprietary doesn’t work,” Palma said. “XDR saves time and resources by not requiring specific tools or vendor solutions. It’s open to accept data from any tools the agency already has or needs.”
- XDR helps agencies achieve Federal EDR and zero trust mandates.
The cyber EO sets aggressive timelines. With the move to zero trust architectures and the increased focus on EDR capabilities, agencies may rush to implement a solution to meet the mandate. There is an alternative option. XDR incorporates existing and planned EDR and SOC solutions while providing the SOC team with threat intelligence based on machine learning to greatly improve response time.
- XDR is implemented as a SaaS model to better support technology teams.
Industry is ready to help Federal technology teams so they can focus on the mission. XDR employs the software-as-a-service model, in which trusted industry partners design, architect, implement, train, and provide ongoing maintenance of the solution. Vendors help operationalize XDR, ensuring the agency’s technology teams are benefiting from all its capabilities.
“One of the biggest things agencies can do to meet some of those aggressive mandates from CISA, the cyber EO, and other mandates handed down to them is to bring in experienced partners to work towards a more resilient and confident security future,” Palma observed.