White House Executive Order – Navigating Endpoint Detection and Response (EDR) Implementation

Tom Gann · March 08, 2022

This is the fourth in a series of blogs on the Biden Administration’s Executive Order (EO) on Improving the Nation’s Cybersecurity. I encourage you to read those you may have missed. (Part 1, Part 2, Part 3).

Background: In May of 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity to modernize our cybersecurity defenses by protecting federal networks, improving cyber information-sharing between the public and private sectors and strengthening the U.S.’ ability to respond to cyber incidents. Federal agencies have been carefully reviewing their current cyber capabilities and initiatives to ensure they meet the new EO requirements; but where gaps are identified, they will need to reevaluate their approach to align with the new framework and defined capabilities, including Endpoint Detection and Response (EDR).

Over the past several months, the administration has continued to put significant emphasis on cyber threat intelligence and how it will help government agencies make better decisions about responding to cyber threats and incidents. Introducing EDR solutions to enterprise environments is a priority in the EO, as these solutions can enhance an organization’s ability to be more proactive in detecting vulnerabilities throughout their network. By incorporating EDR, government agencies can have granular control and visibility into their endpoints to detect suspicious activity.

In line with the second phase of implementation of the EO, on October 8, 2021, the Office of Management and Budget (OMB) released memo M-22-01 directing federal agencies to assess their EDR capabilities in coordination with the Cybersecurity and Infrastructure Security Agency (CISA). Trellix’s Senior Vice President for Public Sector Ken Kartsen joined Federal News Network’s Federal Drive show to discuss what the guidance means for agencies and how they can reach full EDR capabilities. Ken made the point that for EDR capabilities to be the most effective, agencies must coordinate their incident response around available intelligence to apply necessary context to the data they are collecting. Early detection warnings, platform mitigation capabilities and prescribed proactive response actions all take intelligence into account, making it actionable and specific to an organization so it can effectively stay ahead of potential threats. Ultimately, these capabilities must be integrated into an organization’s detection and response platform.

EDR products on the market today can be fairly limited in scope unless additional context, such as network and cloud data, are added to detection response capabilities. So, it is critical for organizations to carefully choose a security partner that has a track record of platform integration and consistent execution. Security managers already are left to oversee too many disconnected security tools and datasets from too many vendors and should be wary of jumping to something new that appears to be cutting edge, especially if they have a trusted partnership with an existing security vendor.

EDR products from trusted government security vendors like Trellix can improve an agency’s security posture and help them achieve the requirements laid out in the cybersecurity EO. With a track record of collecting and analyzing threat intelligence data globally, Trellix’s Endpoint Security platform can discover, block and investigate threats through analytics and help provide an incident response plan. To fully realize the opportunity presented in the EO, however, federal leaders must embrace a holistic approach to cybersecurity. This includes building sufficient flexibility into the OMB guidance to enable agencies to buy endpoint solutions that are on the cutting edge of innovation, such as Extended Detection and Response (XDR) solutions, which are the next generation of EDR.

According to analyst firm Gartner, XDR is “a SAAS-based, vendor specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.” These products improve detection and response activity by centralizing security tools and using machine learning to reduce false positives and reveal alerts that matter.

XDR is one example of the type of innovation the private sector is committed to delivering to agencies to help them maximize the opportunity to deploy cutting-edge endpoint solutions to make the promise of the EO a reality. Trellix is at the forefront of the XDR revolution, pioneering a brand-new way to bring detection, response and remediation together in a single living security solution. Our innovative XDR ecosystem empowers agencies to detect advanced attacks across all vectors, move from attack detection to threat prevention and embed next-generation security into their operations.

At Trellix, we are fully supportive of the EO and the guidance on EDR capabilities released by OMB. We’re encouraged by the progress the administration is making on improving the cybersecurity posture of federal agencies and critical infrastructure owners and operators. The EO, OMB guidance and increased funding for CISA are all examples of concrete progress. We are proud of our 20-year partnership with the federal government, and we look forward to continuing to work with agencies to shore up their cyber posture.