Governance, Risk and Compliance, Threat Intelligence

The Biden EO: A good step, but far from the finish line

Today’s columnist, Matan Kubovsky of Illusive, says the Biden administration’s EO last May was a good first step, but as we translate the EO into action the industry has to focus on stronger detection strategies. https://www.flickr.com/photos/59908088@N00;https://creativecommons.org/licenses/by/2.0/legalcode

The recent Executive Order (EO) has been a positive development for the security industry and our nation, and while I applaud the Biden administration’s efforts, there are some glaring inconsistencies that we cannot ignore.

While the recent EO offers a step in the right direction toward improving the security of the U.S. federal government, we are still far from the finish line, as evidenced by continued attacks on our critical infrastructure. From the food supply chain and local transportation services to our oil and gas pipelines, there’s clearly no industry or organization immune to the devastating impact of cyberattacks like ransomware and nation-state assaults.

So, what should organizations conclude from the EO and what should they take with a grain of salt?

First the positives: The primary themes of the EO are improved prevention, detection, assessment, remediation, and information sharing – all important areas of focus to improve cybersecurity across the public and private sectors alike. While it’s encouraging to see the public sector urge for action, at a high level, many of the identified steps have been implemented by organizations with today’s available security tools and processes – the very same organizations that have been victims of recent high-profile attacks.

However, within the order, Section 7 on Improving Detection of Cybersecurity Vulnerabilities, and Incidents, gives us some concern because at the end of the day, improving threat detection can’t rely solely on a single solution such as endpoint detection and response (EDR). Rather, it requires a more diversified threat detection strategy to thwart sophisticated attackers. Take the SolarWinds attack. Adversaries clearly demonstrated they can disable EDR-based security and operate inside organizations for months without detection.

The order mandates centralized control of endpoint detection capabilities by the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) – a capability recently evaded by nation-state attackers over an 18-month attack campaign. Forensic analysis of the recent major SolarWinds attack details the process for defeating EDR, which continues to have significant ramifications for those impacted.

Of further concern, executing the order without a diversified detection strategy will result in the awarding of tens to hundreds of millions in new revenue to endpoint detection solution providers vulnerable to current nation-state attack techniques. The Cyber Safety Review Council aims to expose this scenario to prevent federal agencies from purchasing known compromised software solutions.

The EO does hit the mark on its objective to modernize its approach to cybersecurity and expands on the mission, stating that incremental improvements will not give us the security we need. Simply dictating an EDR direction that has yet to defend against attacks doesn’t seem consistent with making bold changes and certainly not making incremental improvements.

With recent ransomware events like Colonial Pipeline, JBS, and Kaseya catapulting security considerations into the mainstream, we’ll need to make bold changes to prevent further damage by these cyber criminals. Tactics, techniques, and procedures (TTPs) are tailored to specifically avoid existing security controls, which is further evidence that adversaries are becoming increasingly more sophisticated and ransomware constantly evolves.

To keep pace with both attacker and tool sophistication, organizations should develop a more diversified threat detection strategy that ensures threat detection control integrity even when ransomware detects high profile security controls like EDR.

In the words of Admiral Mike Rogers, “As we translate the executive order into action, it’s imperative that we diversify our detection strategy and technologies and not simply default to an incomplete detection strategy, while expecting a different result.”

No one solution, EDR included, will stop attackers in their tracks. We must assume compromise and instead focus our efforts on stopping lateral movement to keep attackers from getting their hands on the crown jewels. The Biden EO does offer us a roadmap to making that happen in the months and years ahead.

Matan Kubovsky, vice president of research and development, Illusive

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.