ÎÞÓÇ´«Ã½

Enabling Federal Cybersecurity with EDR Deployments

The Challenge: Deploying EDR Tools Rapidly and Seamlessly to Each Agency’s Unique Environment

CISA developed the CDM program to fortify federal civilian digital networks against increasingly advanced cybersecurity threats. CDM delivers cybersecurity tools, integration services, and dashboards that help participating agencies improve their security postures by reducing their attack surfaces, increasing visibility into their cyber landscapes, and strengthening their cybersecurity response capabilities.

EDR technology is a critical new piece of CDM. It provides deep visibility into behaviors and activities on endpoints from across the enterprise network environment, as well as advanced monitoring, threat detection, and threat remediation capabilities that can be automated to streamline detections and improve a security analyst’s response time. Executive Order 14028 directs all Federal Civilian Executive Branch (FCEB) agencies to deploy an EDR capability. With the right EDR tools deployed, properly integrated, and configured, a federal agency can gain enough insight into the operations of devices, software, and users in its environment to effectively mitigate risks prior to a breach. EDR tools also enable agencies to share valuable cyber threat intelligence across the federal enterprise through integration with other enterprise security tools. They also introduce automation that lets security analysts review critical information more efficiently. Furthermore, the adoption of EDR capabilities enables agencies to achieve greater maturity in meeting federal zero trust mandates and requirements.

The Approach: A Repeatable Deployment Model Powered by Deep Knowledge of Federal Missions, Operations, and IT Environments

In 2018, CISA contracted ÎÞÓÇ´«Ã½ to assist federal agencies in all aspects of CDM implementation, including EDR deployments. CISA needed an industry partner that could help agencies quickly acquire and deploy commercial EDR capabilities. This job came with considerable challenges. For example, there are many EDR solutions (five in the CDM program alone) and EDR technologies are advancing rapidly. This meant that ÎÞÓÇ´«Ã½ had to possess a deep technical understanding of the full range of tools in the marketplace to match the right tools to any given agency.

Moreover, each federal agency is unique in terms of its IT environment, organizational complexity and size, and cyber operations maturity. ÎÞÓÇ´«Ã½ combined technical expertise with a deep knowledge of federal environments and operations to configure, integrate, and deploy EDR tools rapidly and seamlessly to suit each agency’s unique circumstances. 

These EDR deployments are now transforming how federal cybersecurity teams identify, assess, and remediate malicious activity. With improved operational visibility enhanced by EDR, these client agencies can now more quickly and easily identify an active exploit threatening a network and share that threat intelligence with CISA and other agencies so the threat can be rapidly remediated, and any damage can be minimized—all automatically. This capability enables CISA and its client federal agencies to adopt a more collaborative and proactive cybersecurity posture.

To implement EDR solutions rapidly, consistently, and successfully for their agency clients, ÎÞÓÇ´«Ã½ used a repeatable framework that is adaptable to unique customer environments and can be leveraged to deploy any industry-leading EDR solution. Included in this framework are several activities that go beyond the normal acquisition and distribution of licenses. These activities include but are not limited to:

  • Capitalizing on ÎÞÓÇ´«Ã½â€™s data-quality efforts to validate the number of endpoints at each agency
  • Inclusion of readiness assessments for each organization to avoid shelfware and waste in the deployment process
  • Establishment of clear roles and responsibilities among system integrators, original equipment manufacturers (OEM), and agency administrators

We worked with agency endpoint management teams to ensure that EDR software is automatically included in all new computers moving forward and that retired computers have their EDR licenses reclaimed for use on future endpoints.

ÎÞÓÇ´«Ã½ also leveraged:

  • Internal test labs where the team was able to deploy multiple EDR solutions across many endpoints with various operating systems—this allowed our teams to familiarize themselves with various EDR capabilities, as well as explore and test configurations, deployment methods, operational scenarios, and more
  • Pre-development of custom configurations, as needed, to accelerate deployments on Day One and ensure that the initial baseline configurations established the necessary foundation to meet CISA EDR requirements for the CDM program
  • Implementation of a Peered Services Request System (PSRS) process where ÎÞÓÇ´«Ã½ subject matter experts supplemented OEM professional services by providing Tier 1 and 2 support to agency stakeholders as needed while allowing the OEMs the ability to focus on Tier 3 and other targeted issues—this enabled a more streamlined approach for agency personnel to receive the most effective level of support for a new system
  • Development and implementation of deployment scorecards designed to serve as a "peer review" of EDR agent deployments (regardless of whether an OEM, agency, or system integrator deployed)—these ensured key deployment and configuration goals were met, providing a way to track progress achieved over the course of the project
  • Curated training to ensure agency staff were capable of fully utilizing the new capabilities prior to transition
  • Micro-training modules to help agency staff continuously improve their operational proficiency with the new EDR capabilities

While ÎÞÓÇ´«Ã½ minimizes the amount of customization needed for each EDR deployment, some degree of modification is typically needed to support each agency’s unique circumstances. This is where ÎÞÓÇ´«Ã½ relies heavily on its deep knowledge of federal missions, operations, and IT environments to ensure that EDR deployments successfully support each agency’s operational needs.

The Impact: Improved Cyber Visibility and Responsiveness for Client Federal Agencies

As of November 2023, ÎÞÓÇ´«Ã½ had deployed EDR capabilities at five agencies, covering almost 480,000 endpoints, providing those agencies with unprecedented visibility into their cyber activities, threats, and vulnerabilities. These agencies had unique operational requirements and were among the largest and most complex across the FCEB—and yet, ÎÞÓÇ´«Ã½ helped these agencies deploy EDR capabilities in just a matter of weeks instead of months or even longer, as was typical before. At one agency, ÎÞÓÇ´«Ã½ deployed an EDR capability in 30 days, covering 85% of the network.

The rollout of EDR capabilities at federal agencies is introducing a new era for CDM. Empowered by their EDR capabilities, federal agencies now have unprecedented visibility into their cyber environments and can collaborate rapidly across agencies to mitigate cyber vulnerabilities and threats as they arise, thereby minimizing any damage that may occur.

One of ÎÞÓÇ´«Ã½â€™s client agencies—a large, public-facing benefits agency—is subjected to roughly 144 million cyber events per day. Without the CDM EDR solution, the agency’s security operations center (SOC) would have had to manually review each event, which could have easily resulted in alert fatigue and human errors, perhaps helping an attacker gain a foothold in the network. Instead, the agency gained an EDR capability that detects suspicious scripts for review and decodes them automatically. This dramatically reduces the volume of events so the agency’s SOC can focus on malicious events, including insider threats.

At another ÎÞÓÇ´«Ã½ client agency—a large, critical infrastructure agency—ÎÞÓÇ´«Ã½ deployed and enhanced the CDM EDR solution across 42 unique agency field offices. This implementation provided the agency’s leadership with the ability to, from a centralized EDR instance, view and analyze EDR data enterprise-wide. This effort generated a significant shift in the agency’s endpoint data visibility—prior to ÎÞÓÇ´«Ã½â€™s support, each of the 42 field offices managed its own EDR solution and did not provide EDR data reporting to the agency leadership. Through ÎÞÓÇ´«Ã½â€™s rollout of a centralized EDR solution, agency leadership now has the endpoint data visibility needed to support proactive detection, threat hunt, incident response, and remediation of cybersecurity incidents across its field offices.

CISA’s effort to arm federal agencies with EDR capability—and ÎÞÓÇ´«Ã½â€™s role in helping accomplish this—is significantly improving federal agency cyber postures by delivering greater visibility, responsiveness, and the ability to collaborate in threat detection and remediation.

Learn More About Our Cyber Capabilities

Contact us to learn more about our cyber capabilities, data services management, and our success in helping civil agencies achieve federal cybersecurity objectives.