Federal civilian agencies are increasingly providing the data necessary through the Cybersecurity and Infrastructure Security Agency’s (CISA’s) dashboards to provide awareness of cybersecurity risks and vulnerabilities, which in turn allows the agency to help its government partners lower cyber risks, a CISA official said on Tuesday.
CISA is also successfully deploying endpoint detection and response (EDR) tools to federal civilian agency computers and servers, giving the agency the ability to routinely hunt for threats on these networks, “connect the dots,” and more rapidly detect intrusions, Eric Goldstein, executive assistant director for cybersecurity at CISA, told the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Innovation.
A large chunk of funding for the EDR tools was provided last year as part of a larger stimulus bill to help the U.S. contend with the COVID-19 pandemic. Since then, the tools have been deployed across 26 agencies and, by the end of fiscal year 2022, will be in the process of being installed at 53 agencies, Goldstein told the panel, which hosted a hearing on progress in securing federal networks.
That means by the end of September EDR deployments “will be underway at over half of the federal government with more rolling out in the months to come,” he said. “We have seen great uptake across federal civilian agencies but the work needs to continue” through consistent annual funding.
Rep. James Langevin (D-R.I.), a top cybersecurity expert within Congress, asked if there is anything Congress can do to accelerate the EDR deployments. Goldstein replied that providing the funds requested in the FY ’23 budget request will keep the program advancing into the next year.
In his written testimony, Goldstein said that CISA has also published an EDR concept of operations that defines how the agency and other “agencies will persistently hunt for threats” on networks.
“This has allowed us to directly engage and support all agencies impacted by the SolarWinds event,” he wrote.
Russian intelligence hackers are believed to be behind the SolarWinds attack, which involved compromising software updates developed by the software company SolarWinds [SWI] that were routinely downloaded by customers to patch their networks.
Asked later by Rep. Kathleen Rice (D-N.Y.) whether the EDR deployments will extend to mobile device security, Goldstein said that based on the adversary threat model, the focus will largely remain on workstation and server deployments. He said a lesson learned from the SolarWinds compromise was the need to correlate threat activity at an agency’s perimeter with what is happening at a workstation or in the cloud.
Regarding enhanced visibility into federal networks, Goldstein said that through the Continuous Diagnostics and Mitigation (CDM) program, “nearly all” the largest federal agencies are connected to the CDM dashboard and every week more “smaller and medium agencies” are hooking in as well.
Through the dashboard connections, these agencies provide CISA with “object-level data…which is so critical for us to understand the prevalence of vulnerabilities and other risk conditions across federal agencies and drive much more targeted and faster mitigation of risk that may emerge,” Goldstein said. He said these advances are “a remarkable technology improvement…and this really is the first time that CISA and federal agencies have had this level of visibility.”
The network data will be used operationally and to support the Office of Management and Budget and the Office of the National Cyber Director “in understanding and measuring federal cybersecurity risk,” he said.
There hasn’t been any resistance to agencies getting on board with the dashboards, as everyone gains from the added visibility across networks, he said.
In addition to the increased visibility, the CDM program provides tools to better secure networks. Most of the focus has been on workstations, laptops and servers, but with federal employees increasingly working in hybrid or remote environments, CISA has begun to integrate CDM for mobile device asset management, Goldstein said. The agency expects to make “significant progress” in this space by the end of FY ’22, he said.