The Executive Order on Improving the Nation’s Cybersecurity (EO 14028) provides clear, time-bound changes that the US Federal Government must make to foster a more secure cyberspace. Incorporating lessons learned from the SolarWinds breach in early 2021, a key requirement of EO 14028 is keeping data actionable for longer periods of time so that dwelling attacks can be found and mitigated promptly.
With endpoint security and event logging unified on a single platform, Elastic stands ready to help our US Federal Government customers meet or exceed EO 14028 requirements with an affordable business model that keeps all agency data actionable. We also understand that cybersecurity personnel thrive in coding and forensics, not necessarily in standards and requirements. That’s why we’ve outlined a few areas you can tackle immediately to have an enduring impact on your agency’s digital infrastructure protection.
Endpoint security coupled with event logging
Section 7 of EO 14028 calls for Federal Civilian Executive Branch agencies to deploy Endpoint Detection and Response (EDR) capabilities to support early and proactive detection of cyber incidents, active cyber hunting, containment and remediation, and incident response. Likewise, Section 8 calls on agencies and their IT service providers to collect information from network and system logs on Federal Information Systems for investigation and remediation purposes.
The bottom line here is that agencies need to deploy a proven endpoint security tool and amplify its effectiveness with telemetry from EDR and event logging retained for longer periods of time. Just as importantly, older data must be actionable, with the ability to query it in seconds or minutes rather than days or weeks. This way, agencies can search, correlate, perform outlier analysis, run machine learning jobs, and investigate across all agency data — whether multi-cloud or multi-cluster — in real time, thereby eliminating attacker dwell time.
A single platform, a more affordable business model
At Elastic, we’ve unified endpoint security and event logging on a single platform, deployable on a FedRAMPed cloud or on premises. Our eXtended Detection & Response tool, referred to as Limitless XDR and recognized in the Forrester New Wave™ for XDR report, allows users to ingest data from any source, with hundreds of integrations ready for all of your IT and security telemetry or logs.
Using this ingested data, we apply numerous detection layers from threat intelligence sources and remediate through automated policy enforcement and incident response with detailed case management. This includes automatically quarantining malicious files and stopping ransomware in its tracks.
What makes Limitless XDR so powerful in contending with dwelling threats (like those we saw with the SolarWinds breach) is that Elastic keeps older logging data actionable for security investigations or regulatory compliance. We use frozen tier storage to retain older data, and searchable snapshots to query frozen-tier data. See it in action in this recent demo of frozen tier querying at ElasticON Global 2021.
Not only can query results be at your analyst’s fingertips in minutes, but frozen tier is also more affordable than rehydrating older data. With this business model, storage costs go down significantly as a result of using frozen tier – as much as 90% less than hot or warm tiers and 80% less than the cold tier.
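As an added illustration (not from the original post), this is the kind of index lifecycle management (ILM) policy that moves security logs from the hot tier into the frozen tier as a searchable snapshot, so older events stay queryable without being rehydrated. The policy name, the snapshot repository name `security-snapshots`, and the rollover, frozen and delete ages are assumed values; an agency would set them from its own retention requirements.

```json
PUT _ilm/policy/security-logs-long-retention
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_primary_shard_size": "50gb",
            "max_age": "7d"
          }
        }
      },
      "frozen": {
        "min_age": "30d",
        "actions": {
          "searchable_snapshot": {
            "snapshot_repository": "security-snapshots"
          }
        }
      },
      "delete": {
        "min_age": "730d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}
```

Once indices reach the frozen phase they are mounted from the snapshot repository and remain searchable alongside hot data, which is what makes retrospective hunting over months of endpoint and event logs practical.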