The White House, on January 26, announced a new zero-trust strategy to harden cybersecurity across federal agencies.
Shalanda Young, Acting Director of the Office of Management and Budget (OMB), said in a Memo: “The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”
The Cybersecurity and Infrastructure Security Agency (CISA), in its January 18 edition of CISA Insights, reminded organizations in the United States that they are ‘at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety.’ CISA added that public and private entities in Ukraine have suffered a series of cyberattacks including website defacement and potentially destructive malware found on their systems.
Going beyond the perimeter to endpoints
The time to expand beyond perimeter-based defense is here. While zero-trust provides the layers of security that ensures access is based on the principle of not trusting anyone or anything, agencies need to ensure that Threat Detection and Response (TDR) technologies are integral to their heightened security posture. Agencies must assume they have been breached and hunt for threats that could be lurking within their systems, potentially already moving laterally.
The latest OMB Memo and M-22-01, released in October 2021, dive deep into the need for TDR technologies such as EDR. The direction is to deploy endpoint detection and response technologies as part of the shift in cyber defense from a reactive to a proactive posture. The OMB mandates agencies that lack EDR capability to work with CISA in procuring such capability.
Agencies and organizations must ensure the following capabilities are inherent in the EDR technologies they choose:
- Get in-depth visibility into forensic artifacts on endpoints throughout the agency. Comprehensive endpoint telemetry detection provides the full context of an attack, enabling quicker response.
- Detect threats in real-time with integrated threat intelligence and view alerts in an easy-to-read interface for the insights needed to swiftly detect and act.
- Insist on flexibility that embraces interoperability to connect to additional data sources, modify or add new detections and update configurations to easily adapt and customize to leverage the latest attack tactics.
Agencies should also complement EDR with TTP-based threat hunting services to monitor for unusual behaviors across their endpoints, networks, and systems.
TDR: From the endpoint to networks
Besides EDR, the OMB Memo also dives into network visibility and attack surface. It says: “As agencies broadly encrypt traffic, it will be critical to balance the depth of their network monitoring against the risks of weak or compromised network inspection devices. Inspecting and analyzing logged network traffic is an important tenet of zero trust architecture.”
Agencies have an immediate opportunity to embrace network detection & response (NDR) to consistently monitor their networks for threats. By adding NDR to their EDR capability, agencies can:
- Eliminate blind-spots by gaining real-time visibility of their network, using cloud-ready smart sensors that let analysts instantly see traffic health, including anomalies
- See everything by using smart packet capture (PCAP) as the ground truth from network traffic and link this context immediately to detected threats
- Understand everything better by retaining longer-term, session-based context in data nodes that links high-fidelity network metadata directly to events, no matter when they occurred. This enables deeper forensics and threat hunting.
In the final analysis, it is about employing smart TDR tools to reduce excessive alert noise levels. Vito Rallo, Director of Cyber Incident and Threat Management at PwC, sums it up nicely: “NDR and host detection (often referred to as EDR) serve two different purposes. For visibility into modern threats, network hunting is a fast and extremely effective approach. Every modern threat generates some level of network noise. If you can pick up that noise when it happens, it gives you a lot of information early on in an attack’s progression.
Host hunting technology and agents give much more visibility into device metrics than NDR. If you know the specific endpoint or server impacted, you can quickly identify it and rapidly respond. When used together, the network solution identifies issues, and the host technology allows you to dive deeper.
If you correlate both tools into a SOAR platform, you get two perspectives simultaneously, which is even more powerful. Visibility from two different perspectives also increases efficiencies, which reduces analyst fatigue, false positives and other common issues faced by security operations teams.”
Clearly, the OMB is in the right direction, requiring agencies to treat TDR technologies as an integral part of their respective zero trust strategies.