Exploring the EO’s Endpoint Detection and Response (EDR) Requirement
Posted by: Jean-Paul Bergeaux
The Executive Order mandates that agencies have an EDR solution for threat visibility, detection and response capabilities. Interestingly, it mandates that the solution be centrally located and meet requirements that will be determined by the OMB and DHS in the future. It appears that CISA will be granted access to respond to threats through the mandated EDR solution without prior authorization from the downstream agencies.
Most agencies have an EDR solution in place and will, for now, assume that what they have meets this requirement already. It will be interesting to see what solutions are deemed to meet the coming requirements. Some “EDR” solutions that federal agencies have purchased do not collect and maintain the same data that is traditionally defined as an EDR, possibly forcing replacement of those solutions.
What is not clear is what responsibility each agency will have to monitor and respond through their EDR solution. This might be a good time for agencies to look at a Managed Detection and Response (MDR) offering that can do initial triage of the logs and alerts created by an EDR. By leveraging an MDR solution, agencies will be able to reduce alert fatigue and, if the provider is chosen well, gain endpoint security monitoring expertise beyond what an agency SOC can provide. Many agency SOC analysts are spread too thin across many types of tools and consoles, as well as the logging and alerting from SIEMs.
Jean-Paul Bergeaux
Chief Technology Officer - Federal,
GuidePoint Security
With more than 18 years of experience in the federal technology industry, Jean-Paul is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp, Commvault and SwishData.
Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for federal IT managers like cyber security, VDI, big data and backup and recovery.