Uncovering new unknowns: How to approach EDR & logging Cyber EO milestones
Our ongoing series on the Biden Administration’s Cybersecurity Executive Order (EO) has covered considerable ground to date — from demystifying the Zero Trust journey to providing strategies for securing critical software and classifying agency data — but there is still work to be done as we look ahead to the next wave of approaching milestones. In this post, we address the two most critical requirements agencies need to turn their attention to next: endpoint detection and response (EDR) and logging, log retention, and log management.
Uncovering new unknown attacks and attacker behaviors with EDR
Outdated endpoint protection strategies based on static, prevention-focused capabilities like antivirus are ineffective. Today’s next-generation anti-malware capabilities — powered by advanced machine learning and behavioral monitoring — are critical to helping organizations stop threats. EDR then goes a step further than prevention: it supplies detailed telemetry that adds visibility and enables dynamic analytics and automation to discover and remediate more sophisticated threats at scale. Ensuring agencies have the tools necessary to address the full spectrum of endpoint protection, detection, and response is the ultimate aim of the September 9, 2021, EO EDR milestone.
Securing endpoints through EDR and prevention strategies like next-gen anti-malware and attack surface reduction is a crucial pillar of a Zero Trust architecture, an approach central to the EO and outlined extensively in our milestones guidance. In a Zero Trust strategy, where compromise should be assumed, EDR helps agencies quickly read threat signals and determine whether a device is healthy. Tools like Microsoft Defender for Endpoint, Endpoint Manager, and Azure Defender for Servers and Kubernetes, integrated with Microsoft’s own threat intelligence, deliver agencies automated threat blocking, response, and remediation capabilities while also enabling advanced threat hunting and forensics.
Microsoft’s endpoint security approach has received numerous accolades, including successfully demonstrating industry-leading, cross-platform defense capabilities according to MITRE Engenuity ATT&CK evaluations. We encourage agencies to look holistically across their endpoints to ensure often overlooked areas, like servers and containers, are adequately addressed in deployments. U.S. government agencies also have access to the best practices found in our federal cybersecurity learning path, along with extensive training modules and customized learning roadmaps. By partnering with Microsoft, agencies can build expertise in EDR and easily expand to a more comprehensive extended detection and response (XDR) approach.
Getting answers faster through enhanced logging
Section 8 of the Cyber EO focuses on establishing logging, log retention, and log management requirements by August 24, 2021. This policy aims to centralize “access and visibility for the highest level security operations center of each agency,” to avoid processes that drive up expense and introduce lag time as data flows up the chain.
The EDR capabilities discussed earlier tie naturally into the work needed to address Section 8 requirements, since enhanced logging is a natural outcome of a Zero Trust architecture. For example, an agency can natively connect Microsoft Defender for Endpoint with Azure Sentinel to provide enhanced visibility across both security products and organizations. This combination enables a top-level agency to quickly and seamlessly access data from multiple lower-level agencies operating their own security operations centers (SOCs) without duplicating the data. Approaching logging in this way resolves the usual tradeoff: centralized data tends to prevent distributed response, while distributed data limits centralized visibility. With native Azure Lighthouse capabilities in Azure Sentinel, agencies can do both — ingest the data into their SIEM once and also populate aggregate data views without added delay, overhead, or cost. So, in addition to Sentinel’s well-known AI and automation capabilities for reducing analyst fatigue, Microsoft now also enables accelerated analyst collaboration across multiple SOC teams.
To further enhance data retention and logging, agencies can combine tools like Azure Data Explorer with Azure Sentinel to open up new possibilities for long-term log forensics at scale. These additional low-cost data management capabilities allow agencies to quickly query and analyze large volumes of log and telemetry data, and achieve up to 100 years of data retention. Ultimately, this retained security data lets agencies operationalize their historical security logs: they can train machine learning models that better identify patterns, anomalies, and trends, while also minimizing cost.
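The two patterns described above, the cross-SOC aggregate view (Azure Lighthouse delegation of lower-level workspaces) and long-term forensics over an Azure Data Explorer archive, can both be expressed as Kusto queries run from the top-level SOC's Sentinel workspace. The block below is an added example and is not code from the original post or from Microsoft; it assumes that Lighthouse delegation and an export pipeline from the workspace into Azure Data Explorer are already configured, that the archived table keeps the same schema as the source `DeviceProcessEvents` table, and that the workspace names, the archive cluster URL, and the device name are placeholders to be replaced. The two queries are independent and are run separately.

```kql
// Added example (not from the original post). Placeholders: 'soc-agency-a' and
// 'soc-agency-b' are hypothetical lower-level SOC workspace names that the
// top-level SOC has been delegated access to through Azure Lighthouse;
// 'https://<archive-cluster>.<region>.kusto.windows.net/<archive-db>' is a
// hypothetical Azure Data Explorer cluster holding the long-term copy of the logs.

// Query 1: aggregate view across delegated workspaces without re-ingesting.
// workspace() reads each lower-level SOC's own copy of the Defender for Endpoint
// DeviceProcessEvents table in place, so the top-level SOC gets a cross-agency
// view while the data itself stays in the workspace that ingested it.
union isfuzzy=true
    (workspace('soc-agency-a').DeviceProcessEvents | extend SourceSoc = 'agency-a'),
    (workspace('soc-agency-b').DeviceProcessEvents | extend SourceSoc = 'agency-b')
| where TimeGenerated > ago(7d)
// Commonly abused built-in utilities; a starting point for a hunt, not a verdict.
| where FileName in~ ('certutil.exe', 'bitsadmin.exe', 'mshta.exe')
| summarize Executions = count(), Devices = dcount(DeviceName) by SourceSoc, FileName
| order by Executions desc

// Query 2: long-term forensics that reaches past the workspace retention window.
// adx() queries the archived copy in Azure Data Explorer; the union lets a single
// hunt cover both the hot data in the workspace and the cold archive.
let Archive = adx('https://<archive-cluster>.<region>.kusto.windows.net/<archive-db>').DeviceProcessEvents;
union
    (DeviceProcessEvents | where TimeGenerated > ago(90d)),
    (Archive | where TimeGenerated between (ago(730d) .. ago(90d)))
| where DeviceName =~ 'WKS-EXAMPLE-01'   // constructed device name
// Encoded PowerShell command lines are a frequent pivot point in an investigation.
| where ProcessCommandLine has_any ('-enc', '-EncodedCommand')
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine
| order by TimeGenerated asc
```

Query 1 is the "ingest once, view many" pattern: nothing is copied into the top-level workspace, and the `SourceSoc` column preserves which lower-level SOC owns each event so that response can still be dispatched locally. Query 2 keeps the hot and cold tiers disjoint on the time axis so an event is never counted twice, and the time bounds are the knobs to adjust to the workspace's actual retention setting and the archive's depth.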
Continually building upon the Zero Trust foundation
The upcoming EDR and logging milestones underscore the importance of having a strong Zero Trust architecture in place. Building on this foundation, agencies can then extend protection, detection, and response beyond endpoints to achieve a full-platform, pre-integrated XDR that delivers connected security at scale.
We encourage you to visit our Cyber EO resource center and delve deeper into additional resources on some of the topics covered in this blog. Also, stay tuned to this blog for additional insights as we address upcoming Cyber EO milestones.