Cybercrime continues to be on the rise and is expected to cost businesses worldwide $10.5 trillion annually by 2025. High-profile attacks, including the recent DarkSide ransomware attack on the Colonial Pipeline, the SolarWinds attack, and the recent Hafnium 0-day Exchange vulnerability that led to cyber-attacks on thousands of public sector and private sector organizations, are just a few recent examples.
On May 12, 2021, United States President Biden signed the Executive Order (EO) on Improving the Nation’s Cybersecurity. The EO comes in the wake of an unprecedented year of major cyber events which have greatly impacted Government agencies and the private sector alike.
The intent of the EO is to initiate bold change to improve the Nation’s overall cybersecurity posture. The EO is focused largely on how government agencies protect their networks and extends to federal government vendors and contractors in an effort to improve the security posture of the Federal Government.
The Cybersecurity EO has been developed over the course of several months, but it has been thrust front and center in light of the Colonial Pipeline and Sunburst/Solarwinds attacks, which have disrupted gas distribution and left over 100k systems and their data easily accessible to hackers.
Through this EO, the Biden Administration is introducing several actions for the Federal Government, including:
- Development of a cloud-service governance framework
- Requirement to adopt best practices such as a zero-trust network (ZTX) architecture
- Technological investments such as Endpoint Detection Response (EDR) and Multi-Factor Authentication (MFA)
- Process improvements for the incident response lifecycle.
Ultimately, this EO aims to ensure that the Federal Government can protect, detect, and respond against the increased cyber-attacks and sophistication.
Most of the rules and requirements defined in the EO control how federal agencies handle security incidents but some also extend to procurement of hardware and software from the private sector. As the government is the largest purchaser of IT products, the goal is that vendors will place a greater focus on security and improve the security posture for the entire country.
The EO addresses 11 sections, with each detailing direct actions and timelines for organizing and implementing new administrative and technical resources and consolidating them under the Department of Defense and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
In this post, we’ll discuss what these sections mean in practice and explain how your organization can implement practical changes to comply with the requirements of the EO.
Removing Barriers to Sharing Threat Information
Section 1 (Policy) outlines the current landscape and high-level policy goals to “identify, deter, protect against, detect, and respond to” malicious actors and organizations. While the Government is leading this initiative, it is necessary to partner with private industry to implement security practices to better ensure the security of their products, networks and organizations lest they become a threat vector for the Government.
Section 2 (Removing Barriers to Sharing Threat Information) directs that the Federal Acquisition Regulation (FAR), which defines the contractual rules to conduct business with the Federal Government, be updated to require the sharing of threat and incident information with CISA. This contractually obligates private sector contractors to provide full cyber visibility to the Government.
SentinelOne autonomously prevents, detects and mitigates any known and unknown threats in real-time, effectively and seamlessly with maximum visibility to the SOC Analyst in organizations around the world.
Organizations looking to address the requirements of Section 2 can leverage Deep Visibility and STAR to meet their regulatory needs and better protect their business.
- SentinelOne’s Deep Visibility allows customers to obtain real-time and historic retrospective search capabilities, even for offline endpoints, to improve proactive security.
- With Storyline Auto-Response (STAR) custom detection rules, you can turn Deep Visibility queries into automated hunting rules that trigger alerts and responses when rules detect matches. STAR gives customers the flexibility to create custom alerts specific to their environment that can enhance alerting and triaging of events.
Modernization and Zero-Trust Architecture (ZTA)
Section 3 (Modernizing Federal Government Cybersecurity) of the EO pushes the Government to advance towards adopting zero-trust architectures (ZTA), accelerate migration to secure cloud services and to adopt multi-factor authentication. The Government is to lean away from outdated security models and towards secure cloud services.
Many of these initiatives are in place or underway in many agencies, but this sets definitive timelines for implementation and reporting on the status of their progress for added accountability.
SentinelOne provides capabilities that allow agencies to follow the principle of least privilege (PoLP). This is achieved by supporting multi-tenancy with Role-Based-Access-Control (RBAC). This allows customers to define who sees what and what actions individuals can take based on their own respective scope.
Beyond that, SentinelOne welcomes the decision to adopt zero-trust architecture (ZTA) for agencies and organizations. Endpoints represent a large attack surface, with over 70% of breaches originating on the endpoint.
Organizations have a heterogeneous mix of endpoints connected to their network – whether they be laptops, mobile devices, servers, or IoT devices. These machines often have different configurations, patch statuses, and operating systems, leading to inconsistent approaches to applying security policy.
This problem is compounded by the rise of bring your own device (BYOD) and remote working practices accelerated by the COVID-19 pandemic. While security teams deploy controls to endpoints they can manage, there are a significant number of devices that remain unmanaged or unable to take a management agent.
Adopting Zero Trust for endpoints can assist organizations in reducing this risk by providing the means to monitor, isolate, secure, control, and remove any device from the network at any time. When integrated into a Zero Trust ecosystem, endpoints can provide valuable information when determining whether to grant access, including the device’s identity, health, and compliance status. SentinelOne’s approach to endpoint-centric zero trust provides cooperative capabilities for managing the hygiene, risk, and hardening of endpoints.
Enhancing Software Supply Chain Security
Section 4 (Enhancing Software Supply Chain Security) requires greater Government visibility into their software supply chain. In the wake of SUNBURST, where the adversary leveraged SolarWinds to provide signed and trusted updates that were embedded with malware, it is a top priority to prevent something like that from happening again.
To assist in that effort, NIST is directed to publish guidelines that cover core security practices that vendors must implement and, when asked, provide evidence of the implemented best practices. The guidelines include:
- Separate build environments
- Audit trust relationships
- Multi-factor authentication
- Encrypting all data
- Monitoring and reporting any cyber incidents
- Use tools to maintain trusted source code chains
- Check for any vulnerabilities before releasing code
- Publish a Software Build of Materials (SBOM) that lists all components embedded in the software
This will eventually lead to a software rating system for vendors that can be used to demonstrate best security practices are being used.
Recent incidents like the SolarWinds attack demonstrate the growth of adversaries focusing on the supply-chain. In that particular instance, SUNBURST was unable to disable or bypass SentinelOne in any customer environments. We acknowledge the importance of this field and welcome the modernizing efforts in supply chain security.
Today, SentinelOne is protecting thousands of the world’s leading enterprises with the Singularity Platform. Protecting endpoints, cloud, and IoT attack surfaces with patented Artificial Intelligence tracking, SentinelOne replaces legacy and next-generation products with an autonomous platform to further support the U.S. public sector.
SentinelOne has achieved the coveted FedRAMP designation, which enables U.S. federal government customers to leverage the most innovative endpoint security solution from the fastest-growing cybersecurity company in the market.
Responding To Cyber Incidents and Vulnerabilities
Section 5 (Establishing a Cyber Safety Review Board) establishes a Cyber Safety Review Board to act as a strike team to respond to significant cyber incidents in the same manner the National Transportation Safety Board (NTSB) investigates and reports on civil transport accidents. This board will include stakeholders from across the Government including DOJ, DOD, CISA and NSA along with representatives from private sector entities and lead by a board appointed by DHS.
Section 6 (Standardizing the Federal Government’s Playbook for Responding to Cybersecurity’s Vulnerabilities and Incidents) creates a standard playbook for responding to cybersecurity vulnerabilities and incidents to be used across the Federal Government. This will document procedures used to identify, remediate, and recover from vulnerabilities and incidents affecting their systems.
SentinelOne provides various security automation and response (SOAR) capabilities that aid security professionals during Digital Forensics Incident Response (DFIR) type activities. Through SentinelOne’s ActiveEDR capability, customers can automatically respond to most alerts. When manual intervention is required the Singularity Platform offers various remediation and recovery options. All of the capabilities that are provided can also be orchestrated by leveraging the rich API ecosystem around the SentinelOne solution.
Section 7 (Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks) focuses on improving detection of vulnerabilities and incidents on Federal Government networks. Here the Government acknowledges that traditional antivirus is not enough, and that Endpoint Detection and Response (EDR) capabilities are required to be able to perform “active cyber hunting, containment and remediation, and incident response”.
ActiveEDR, powered by SentinelOne’s patented Storyline technology, provides analysts with real-time, actionable correlation and context and lets security analysts understand the full story of what happened in their environment.
Storyline automatically links all related events and activities together with an attack chain and a unique identifier. This allows security teams to see the full context of what occurred within seconds rather than needing to spend hours, days, or weeks correlating logs and linking events manually.
SentinelOne’s behavioral engine tracks all activities on the system, including file/registry changes, service start/stop, inter-process communication, and network activity. It detects techniques and tactics that are indicators of malicious behavior to monitor stealthy behavior and effectively identify fileless attacks, lateral movement, and actively executing rootkits.
SentinelOne automatically correlates related activity into unified alerts that provide campaign-level insight. This reduces the amount of manual effort needed, helps with alert fatigue, and significantly lowers the skillset barrier of responding to alerts.
Improving Investigative and Remediation Capabilities
Section 8 (Improving the Federal Government’s Investigative and Remediation Capabilities) focuses on the importance of accurate and complete data logging to be able to properly investigate cyber incidents.
The EO requires recommendations on the types of logs to be maintained, the time periods to retain the logs (i.e., retention) and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs.
SentinelOne provides access and visibility into your environment for 365 days and beyond to let you analyze incident activities and conduct historical analysis.
The ability to look back into any point in time allows analysts to see if the threat has targeted the organization in the past and view the full stream of information on how that attack occurred, including the entire process tree, timeline, and related activities.
SentinelOne data retention capability also provides the answer to your compliance needs across different data retention and audit requirements. Allowing customers to be ready for audits including PCI DSS, HIPAA, NIST, and more, by leveraging connected data insights across multiple endpoints.
While much more remains to be done to fully address the worsening cyber threat environment, this Executive Order takes a number of necessary steps to strengthen American cybersecurity. SentinelOne’s suite of autonomous endpoint protection products is ideally suited to help federal agencies meet the requirements and goals laid out in the Order, and we look forward to engaging with federal decision makers and being a part of these critical efforts to secure federal networks.