In the past nine months since being sworn in, the Biden White House has covered a lot of ground in the federal government’s quest to modernize its cybersecurity practices.
Whether through executive orders, emergency directives, legislation or high-profile summits with industry and world leaders, an administration that came into office under the shadow of the SolarWinds compromise and a global ransomware explosion has been determined to reset the table when it comes to the federal government’s cybersecurity posture.
Part of that strategy involves spending the next three years shedding the past perimeter-based approach to securing systems and networks and pushing agencies to implement “zero trust” security architectures and strategies. A key pillar of these efforts includes a heady goal: identifying and classifying all or most of the millions upon millions of remotely connected workstations, laptops, tablets, servers and other devices that connect to federal networks.
“The federal government’s approach to cybersecurity must rapidly evolve to keep pace with our adversaries, and moving toward zero trust principles is the road we need to travel to get there,” said Federal Chief Information Security Officer Chris DeRusha last month.
This, according to agencies like the Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency, will help smooth the way for the widespread implementation of endpoint detection and response technologies on top of that inventory, which can help spot vulnerable or unpatched software and hardware, detect early stages of infection or exploitation on individual devices and implement continuous monitoring tools. It can also lay the groundwork for automating much of the lower-level processing and analysis of the many security alerts these systems produce and open up the potential for using more sophisticated platforms, like security orchestration, automation and response (SOAR), down the line.
In testimony to Congress, CISA Director Jen Easterly cast recent federal mandates around asset inventory and EDR as a critical pillar of a larger “paradigm shift” that the administration is seeking around cybersecurity.
Putting such systems in place would “allow us to not just focus on the perimeter but really to focus in-depth, all the way down to the host level, at the workstation, at the server, to ensure that we can see what threats are out there, detect suspicious activity and ensure we’re able to mitigate and remediate it as soon as possible,” Easterly said in a Senate hearing last week.
A simple problem without a simple solution
However, researchers who focus on endpoint detection systems and those with visibility into the federal government’s sprawling IT environment say it might not be that straightforward. Such systems are more widely adopted in the private sector, but are often out of reach for broad swaths of industry that lack the security budget or staff to use them effectively.
Independent testing has also found significant limitations with many top EDR systems on the market: a study this year found that many of the leading EDR and endpoint protection products struggle to detect or stop DLL sideloading attacks and other sophisticated intrusion techniques carried out by advanced persistent threat groups.
Large organizations — and the federal government is one of the largest in the world — typically deploy a wide variety of devices and operating systems, and often these devices and systems run on different versions and patches or operate in different environments. Most EDR products, on the other hand, are highly customized and require significant tuning and management.
“EDR offerings each have their own specific operating system and version support, which can prevent or make it challenging to deploy on certain machines,” said Allie Mellen, a technology analyst at Forrester whose work focuses on EDR and other security tools. “EDR technology is also dramatically different to manage on-premise versus in the cloud. Some federal government organizations require on-premise deployments, which come with significant management and maintenance considerations.”
This is not the first time that policymakers have tried to get their arms around this problem. For years, CISA has managed the Continuous Diagnostics and Mitigation program, which forced agencies to buy from an approved list of cybersecurity tools to better monitor for malicious network activity. The first step was asset management, identifying all on-premise devices connecting to federal networks.
That program — still active and touted by CISA officials — has achieved mixed levels of success among agencies, with some struggling to adopt selected tools or integrators or to reach the later stages of asset and data security it requires. The explosion of remotely connected workstations, laptops, tablets and BYOD policies in government in recent years (and particularly since the COVID-19 pandemic) has put renewed urgency on CISA to get a similar handle on the government’s remotely connected assets.
Still, when asked by Sen. Tom Carper, D-Del., how the government was positioned to meet the Biden administration’s cybersecurity goals, Easterly reported that while complete visibility is a perpetual challenge, the government believes most of its IT assets and devices have already been identified.
“Having a lot of experience in this space ... asset inventory and ensuring that you know exactly what’s on your network is not a trivial endeavor,” she answered. “All that said, I’m told that we’re at about 85% of an understanding of federal endpoints.”
Some in industry have floated concerns that it’s not clear how these activities will be funded or staffed. Last month, the Information Technology Industry Council submitted public comments on the zero trust memo supporting the underlying goal but warning OMB and other agencies that they must now harmonize all the workstreams created by the major cybersecurity mandates the Biden administration has pumped out since January.
The OMB memo “appears to perpetuate the concept of security silos, addressing challenges in context solely to areas of functional capability (e.g., identity, data, devices)” instead of offering use cases that connect these goals together and realistically grapple with the sticky realities of federal IT bureaucracy, the organization said.
“Minimally, an emphasis on tight linkage between users and devices, and their role in approving authentication, should be defined,” wrote Gordon Bitko, ITI’s senior vice president of public sector policy. “Further, the strategic plan should explicitly detail instructions on securing critical infrastructure and Internet of Things devices while maintaining consistency with other security requirements developed in this space, for instance by the National Institute of Standards and Technology.”
Budgets, bodies and other basic needs
ITI also wants the government to reflect these mandates in budget and workforce discussions and scope out what kind of information EDR vendors are required to share with CISA.
The organization is one of several to question what kind of funding and staff will be attached to these efforts. Federal IT and cybersecurity officials have already raised concerns about who will pay for a bevy of new cybersecurity mandates they’re expected to implement and where the money will come from.
In addition to dollars, dedicated staff are often necessary to effectively manage EDR systems and process the high volume of alerts (positive, false or unknown) they tend to generate. Qualified cybersecurity personnel are not easy to come by and EDR “is not a tool you can set and forget,” said Mellen.
“Large organizations especially need several analysts and incident responders on staff to triage, investigate, and respond to EDR alerts,” she said. “Some or all of EDR activities can be outsourced with a managed detection and response provider, which is a popular option for security teams with limited staff, but ultimately you still need someone to manage that relationship and handle anything the MDR team cannot.”
There are other potential benefits and applications. In August, a white paper composed by a group of industry and federal IT officials noted that the government has “hundreds of thousands of fixed and mobile assets [and] thousands of buildings and campuses around the country and world” that connect with critical infrastructure and operational technology. These connected devices often come with sensors or actuators that can be leveraged to capture new streams of data or telemetry to feed into “intelligent systems” and detect or prevent emerging cyberattacks.
However, agencies face a number of challenges in using or processing this kind of data, including “diffuse ownership and control of assets (both sensors and systems), budgetary constraints, legacy information technology systems, cyber security concerns, and employee skills,” the authors note.
Mike Hamilton, chief information security officer for managed detection and response contractor Critical Insight and a former vice chair of the DHS State, Local, Tribal and Territorial Coordinating Council, said that despite sluggish or uneven adoption across the federal enterprise, programs like CDM and strict asset inventory requirements in federal contracts have positioned the government well to carry out the first part of that mission.
Like Easterly, he said it would be a challenge to quickly or easily capture all of the remaining assets that are still unaccounted for. Additionally, scanning for things like IP addresses may give you awareness of a connected device, but tell you little about what it does, what operating system it’s running, what role it plays in an agency’s IT environment and how critical it is to operations.
“The federal government … is probably in not a bad situation to be able to create an inventory of the human-operated devices, but always stuff falls through the cracks,” Hamilton told SC Media. “Because of the breadth of the federal government, the effort to do this is going to be pretty substantial to make sure that they get all the round off error in there.”
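The gap Hamilton describes, between knowing an address answered a scan and knowing what the device is, is easy to see when a scan is reconciled against an inventory. The script below is an added illustration, not code from the article or from any agency or vendor named in it. The scan results, the inventory records and the field names (`os`, `role`, `criticality`, `edr_agent`) are all constructed for the example. It classifies each scanned host as fully described, known but missing the metadata an EDR rollout would need, or entirely unknown, lists inventory entries the scan never reached, and computes the share of scanned hosts with a complete record.

```python
"""Reconcile a network scan against an asset inventory (added example).

The scan only says an address and MAC answered; the inventory is what
supplies OS, role and criticality. Everything here is constructed sample
data, and the record fields are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: hosts that answered a sweep of one subnet.
SCAN_RESULTS = [
    {"ip": "10.20.1.10", "mac": "00:1a:2b:00:00:10"},
    {"ip": "10.20.1.11", "mac": "00:1a:2b:00:00:11"},
    {"ip": "10.20.1.12", "mac": "00:1a:2b:00:00:12"},
    {"ip": "10.20.1.40", "mac": "00:1a:2b:00:00:40"},
    {"ip": "10.20.1.77", "mac": "00:1a:2b:00:00:77"},
]

# Constructed sample: the agency's inventory (CMDB) records.
INVENTORY = [
    {"mac": "00:1a:2b:00:00:10", "hostname": "ws-finance-01", "os": "Windows 10 21H1",
     "role": "workstation", "criticality": "medium", "edr_agent": True},
    {"mac": "00:1a:2b:00:00:11", "hostname": "srv-db-01", "os": "RHEL 8.4",
     "role": "database server", "criticality": "high", "edr_agent": True},
    {"mac": "00:1a:2b:00:00:12", "hostname": "ws-hr-07", "os": None,
     "role": None, "criticality": None, "edr_agent": False},
    {"mac": "00:1a:2b:00:00:40", "hostname": "printer-3f", "os": "embedded",
     "role": "printer", "criticality": "low", "edr_agent": False},
    {"mac": "00:1a:2b:00:00:99", "hostname": "srv-legacy-02", "os": "Windows Server 2008",
     "role": "file server", "criticality": "high", "edr_agent": False},
]

# Fields a host needs before anyone can decide how to protect it.
REQUIRED_FIELDS = ("os", "role", "criticality")


@dataclass
class Finding:
    ip: Optional[str]            # None for inventory entries the scan did not reach
    mac: str
    status: str                  # "complete", "incomplete", "unknown" or "stale"
    missing: list = field(default_factory=list)


def reconcile(scan, inventory):
    """Join scan hits to inventory records by MAC and classify each host."""
    by_mac = {rec["mac"]: rec for rec in inventory}
    seen = set()
    findings = []
    for host in scan:
        rec = by_mac.get(host["mac"])
        if rec is None:
            # Answered the scan but has no record at all: the "round-off error".
            findings.append(Finding(host["ip"], host["mac"], "unknown"))
            continue
        seen.add(host["mac"])
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        status = "incomplete" if missing else "complete"
        findings.append(Finding(host["ip"], host["mac"], status, missing))
    # Inventory entries nothing answered for: offline, moved or decommissioned.
    for mac in by_mac:
        if mac not in seen:
            findings.append(Finding(None, mac, "stale"))
    return findings


def coverage(findings):
    """Percentage of scanned hosts whose inventory record is complete."""
    scanned = [f for f in findings if f.ip is not None]
    complete = [f for f in scanned if f.status == "complete"]
    return round(100 * len(complete) / len(scanned), 1) if scanned else 0.0


def edr_gaps(findings, inventory):
    """Known, online hosts with no EDR agent recorded.

    Unknown hosts are deliberately excluded: an agent cannot be deployed to
    a device that has not been identified first.
    """
    by_mac = {rec["mac"]: rec for rec in inventory}
    return sorted(f.mac for f in findings
                  if f.ip is not None and f.status != "unknown"
                  and not by_mac[f.mac]["edr_agent"])


if __name__ == "__main__":
    results = reconcile(SCAN_RESULTS, INVENTORY)
    for f in results:
        print(f"{f.ip or '-':<12} {f.mac} {f.status:<10} {','.join(f.missing)}")
    print(f"coverage: {coverage(results)}%")
    print("edr gaps:", edr_gaps(results, INVENTORY))
```

On the constructed data, three of five scanned hosts are fully described (60% coverage), one is in the inventory with no OS, role or criticality recorded, one answered the scan with no record at all, and one inventory entry never answered. Only the first two categories can be scheduled for an EDR agent; the unknown host has to be identified before any of the tooling discussed in the article can reach it.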
He also took issue with what he views as an overly “aggressive” timeline laid out by the Biden administration for this shift, looking to accomplish most of these goals in less than three years. Without a dedicated stream of funding and persistent pressure by agencies like CISA and OMB, it’s not clear how many agencies will be able to get a complete asset inventory or implement endpoint security systems by then.
“Unless the government is going to dump unbelievable amounts of resources into this, they’re kind of setting themselves up to fail by saying we want to do this by the end of 2024,” Hamilton said, noting that the administration itself has put language into its cybersecurity executive orders emphasizing that incremental improvements are not sufficient to meet today’s threats in cyberspace. “When you’re that publicly aggressive, you’re setting yourself up [for failure] later. As anyone in IT can tell you, stuff doesn’t go the way you think it’s going to go. I think they’re going to get potentially a black eye from this.”