President Biden's Executive Order Remediating Known Exploited Vulnerabilities

President Biden’s Executive Order on cybersecurity in May 2021 directed federal agencies to strengthen their cyber defenses. CISA’s latest directive, which requires agencies to remediate hundreds of vulnerabilities known to be exploited in the wild, further emphasizes the government’s priority on cybersecurity. Strengthening your defenses starts with basic cyber hygiene. Let Tanium help you through this directive.

Are You Prepared For the Latest Directive?

On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 22-01, which requires all federal civilian executive branch agencies to remediate the vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog by the due date attached to each entry. CISA also recommends that private businesses, industry, and state, local, tribal, and territorial governments prioritize mitigation of these vulnerabilities.

In today’s environment, patching is fundamental to effective cyber hygiene. Because CISA adds entries to the catalog as new exploitation is confirmed, this is a continuous process rather than a one-time patch cycle: organizations need to be able to find and fix these vulnerabilities quickly, and to prove which ones are still open.
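The check behind the directive is mechanical once you have an accurate software inventory: pull the catalog, match each entry’s vendor and product against what is installed, drop anything already fixed, and flag what is past its due date. The script below is an added example to illustrate that workflow; it is not Tanium code and is not part of the original page. Its field names follow CISA’s public JSON feed (published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), but the catalog excerpt and the host inventory are constructed for the example. The Log4Shell entry mirrors the real catalog record; the ExampleVendor entry and its CVE-0000-0000 placeholder are fictitious and exist only to exercise the overdue and not-applicable branches.

```python
"""Cross-reference a KEV catalog excerpt against a software inventory.

Added example, not Tanium code. Field names match CISA's public JSON feed;
the catalog excerpt and the inventory below are constructed for illustration.
"""
import json
from datetime import date

# Constructed excerpt shaped like the real feed (which carries more fields).
# The first entry mirrors the real Log4Shell record; the second is a
# placeholder with a fictitious CVE ID, present only to exercise the
# "already overdue" path.
KEV_EXCERPT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-44228",
            "vendorProject": "Apache",
            "product": "Log4j2",
            "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
            "dateAdded": "2021-12-10",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2021-12-24",
        },
        {
            "cveID": "CVE-0000-0000",  # placeholder, constructed for the example
            "vendorProject": "ExampleVendor",
            "product": "ExampleAgent",
            "vulnerabilityName": "Placeholder entry (constructed)",
            "dateAdded": "2021-11-03",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2021-11-17",
        },
    ],
})

# Constructed inventory. "fixed_cves" lists CVEs the host has already remediated,
# which is what a patch-verification query would feed in.
INVENTORY = [
    {"host": "web-01", "vendor": "apache", "product": "log4j2", "fixed_cves": []},
    {"host": "web-02", "vendor": "Apache", "product": "Log4j2", "fixed_cves": ["CVE-2021-44228"]},
    {"host": "db-01", "vendor": "ExampleVendor", "product": "ExampleAgent", "fixed_cves": []},
    {"host": "fs-01", "vendor": "Microsoft", "product": "Windows", "fixed_cves": []},
]


def _key(vendor, product):
    """Normalise vendor/product so 'apache'/'Log4j2' and 'Apache'/'log4j2' match."""
    return (vendor.strip().lower(), product.strip().lower())


def find_exposures(kev_json, inventory, today):
    """Return one record per (host, catalog entry) that still needs remediation.

    Matching is on normalised vendor and product; a host is skipped for any CVE
    it lists in fixed_cves. Results are sorted by due date, so overdue items
    come first. days_overdue is negative while the remediation window is open.
    """
    catalog = json.loads(kev_json)["vulnerabilities"]
    by_product = {}
    for entry in catalog:
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)

    exposures = []
    for asset in inventory:
        for entry in by_product.get(_key(asset["vendor"], asset["product"]), []):
            if entry["cveID"] in asset["fixed_cves"]:
                continue
            due = date.fromisoformat(entry["dueDate"])
            exposures.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_overdue": (today - due).days,
                "action": entry["requiredAction"],
            })
    exposures.sort(key=lambda r: (r["due"], r["host"]))
    return exposures


def summarize(exposures):
    """The two numbers a compliance report wants: open items and how many are past due."""
    overdue = sum(1 for r in exposures if r["days_overdue"] > 0)
    return {"open": len(exposures), "overdue": overdue}


def report(today_iso):
    """Run the cross-reference for a given reference date (ISO string)."""
    rows = find_exposures(KEV_EXCERPT, INVENTORY, date.fromisoformat(today_iso))
    return rows, summarize(rows)


if __name__ == "__main__":
    rows, totals = report("2021-12-20")
    for r in rows:
        state = (f"{r['days_overdue']}d overdue" if r["days_overdue"] > 0
                 else f"due in {-r['days_overdue']}d")
        print(f"{r['host']:8} {r['cve']:16} due {r['due']}  {state}  {r['action']}")
    print(totals)
```

Two design points matter in practice. Matching on vendor and product alone is deliberately broad: it over-reports rather than under-reports, and the `fixed_cves` list is where verified patch state narrows it, so that list must come from an endpoint query rather than a ticketing system. Sorting by due date rather than by host puts the items CISA already considers late at the top of the queue.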

What Does this Executive Order Mean For My Organization?

The Executive Order focuses on improving the cybersecurity posture and readiness of federal agencies. Here is a breakdown of each section of the Executive Order and what it means for your organization.

WEBCAST

To the Point: Strengthening Cybersecurity

Experts from Tanium break down the details in the Executive Order and share the questions you should be asking to prepare for the next incident.

Section 1

Policy Overview

Section 1 of the Executive Order sets out the Administration’s policy that the prevention, detection, assessment and remediation of cyber incidents is a top priority and essential to national and economic security.

In addition, take a look at the White House's open letter to business leaders on protecting against ransomware.

Section 2

Remove Barriers To Threat Information Sharing Between Government and the Private Sector

FACT SHEET

“The Executive Order ensures that IT Service Providers are able to share information with the government and requires them to share certain breach information. IT providers are often hesitant or unable to voluntarily share information about a compromise. Sometimes this can be due to contractual obligations; in other cases, providers simply may be hesitant to share information about their own security breaches. Removing any contractual barriers and requiring providers to share breach information that could impact Government networks is necessary to enable more effective defenses of Federal departments, and to improve the Nation's cybersecurity as a whole.”

“Another aspect of the threat intelligence-sharing requirement that bears close watching is the whole issue around who exactly will be considered a service provider under the purview of the EO.” - Jai Vijayan, Technology Reporter, Dark Reading

84%
of Americans believe public and private sectors should share info to prevent cyberattacks.
THE HARRIS POLL

Why It Matters

Section Summary

This section of the Executive Order discusses the need for IT service providers to:

  • Share threat information about the incidents they suffer with the federal government.
  • Collect and preserve data that could aid threat detection, investigation and response.
  • Perform technical activities, such as network monitoring, and collaborate with agencies on incident investigation and response.

Why This Is Needed

Historically, organizations have not shared threat information from the incidents they have suffered — and when they do, they tend to share the minimum information required to meet their compliance requirements.

The reason is simple: no organization wants to share bad news, especially when it comes to their cybersecurity capabilities. By sharing information about incidents that they have suffered, they risk damaging their reputation, losing their customers' trust, reducing their share price and making it seem like they wasted money on their current cybersecurity tools.

“The thought leaders who draft recommendations for new contractual language will have to refine the thresholds for reporting cyber intelligence to the government.”- Bradley Barth, Deputy Editor, SC Media

The Expected Impact

Staying silent about cybersecurity incidents is unsustainable and harms our broader community.

If an organization does not disclose information about their incidents, then other organizations will remain ignorant of that threat and remain at greater risk for suffering it themselves.

But if an organization rapidly shares information about their incidents, others can proactively hunt for indicators of that threat within their environment and raise defenses against it.

With this Executive Order, the federal government is creating a central authority to collect this threat information and share it publicly. But this approach will work only if organizations step up and rapidly share their incident information.

Tanium Take

How to Address This Section of the Executive Order

Part of this Executive Order is technical. You must develop the ability to:

  • Remove internal silos and create a single source of truth within your organization.
  • Collect and share timely, accurate and comprehensive threat information.
  • Metabolize information shared by the government to rapidly hunt for new threats within your environment and to harden your end-to-end defenses against them.

Did you know?

You may have IOCs in your environment for recently reported threats.

Tanium can help you find them.

How Tanium Can Help

With Tanium's comprehensive endpoint visibility, you can:

  • Collect real-time threat information from your endpoints for internal or external reporting.
  • Perform threat hunting through ad hoc searches of artifacts and indicators of compromise.

With Tanium's real-time endpoint control, you can:

  • Remediate any in-progress threats you find before they cause harm.
  • Harden your end-to-end environment against new, disclosed threat patterns.

Section 3

Modernize and Implement Stronger Cybersecurity Standards in the Federal Government

FACT SHEET

“The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period. Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.”

“The directive to move to the cloud and do so securely is the most important step that the president could possibly order.” - Philip Reitinger, President and CEO, Global Cyber Alliance

32%
cited lack of IT expertise as a challenge implementing Zero Trust.
GCB FLASH POLL

Why It Matters

Section Summary

This section of the Executive Order discusses the need to modernize IT and cybersecurity standards across multiple dimensions. To do so, organizations must develop the ability to:

  • Move to secure cloud services.
  • Deploy multifactor authentication and data encryption.
  • Build Zero-Trust architecture within a centralized enterprise model.
  • Establish governance frameworks to coordinate incident response activities.
  • Catalog data in the environment, including each data set’s type, sensitivity and risk level.
  • Drive cybersecurity analytics by centralizing and streamlining access to relevant data.

Why This Is Needed

Historically, organizations have kept most of their employees, endpoints and data on-premises, and they have used cybersecurity tools and models that created a hardened perimeter around their centralized workforces.

But employees, endpoints and data no longer live on-premises. The rapid move to work-from-home (WFH) and digital transformation trends have created distributed networks, dissolved security perimeters and made legacy cybersecurity tools and models obsolete. Organizations must rapidly acquire modern cybersecurity tools and models developed to secure today's environments — not yesterday's.

“In order to bank the returns on investment in digitization, including customer engagement and workforce flexibility, both public and private sector enterprises need to reimagine their cybersecurity capabilities, and the EO provides a valuable blueprint against which to critically assess their future cybersecurity strategies and investments – and with an appropriate sense of urgency.” - Gary Blair, Former CISO at Commonwealth Bank, NAB, Westpac; Tanium Advisor

The Expected Impact

Legacy cybersecurity tools and models have contributed to a growing wave of breaches. These tools and models are often unable to create comprehensive visibility or real-time control over remote endpoints, leading to open vulnerabilities, easy exploits and insufficient incident response.

In short: relying on legacy cybersecurity tools and models will no longer work.

With this Executive Order, the federal government seeks to lead the way to increase the adoption of modern cybersecurity models and to drive the rapid acquisition of emerging cybersecurity technologies that move visibility and control away from the perimeter and onto the endpoint itself.

Tanium Take

How to Address This Section of the Executive Order

Cloud security, Zero-Trust architecture and data governance models are all necessary improvements that will dramatically improve cybersecurity for most organizations.

But on their own they do not represent true cybersecurity modernization, and they will not deliver meaningful results if they are simply bolted on to legacy security systems.

To truly modernize and improve their cybersecurity standards, organizations must fundamentally shift how they think about their defenses and rework their capabilities from the ground up. They must adopt a range of new models, principles and assumptions that include, but are not limited to:

  • The Endpoint Is the New Perimeter. Organizations now operate borderless environments and must directly manage and secure their endpoints — right where their endpoints live.
  • Cybersecurity Starts with IT Hygiene. Most security incidents begin when a malicious actor exploits a known endpoint vulnerability that the organization did not see or could not close in time.
  • Legacy Point Solutions Must Be Replaced. Point solutions increase complexity, cost and risk without delivering accurate visibility and control across modern endpoint environments.

"Tanium offers a good way to collect trusted telemetry from the endpoint and channel it into authentication and monitoring decisions. Tanium is an endpoint source of truth, which zero trust relies on." - Anton Chuvakin, Head of Security Solutions, Google Cloud

Did you know?

Zero Trust must validate more than just your users.

Tanium can help you validate their devices too.

How Tanium Can Help

Tanium delivers or supports each of the modernization initiatives outlined within this Executive Order.

With Tanium, you can adopt a modern endpoint management and security platform built to deliver comprehensive visibility and real-time control across distributed endpoint environments.

With Tanium's comprehensive endpoint visibility, you can:

  • Track and report security status across endpoints.
  • Collect comprehensive, real-time endpoint data to authenticate devices within Zero-Trust models, create catalogs of sensitive data and drive cybersecurity analytics.

With Tanium's real-time endpoint control, you can:

  • Close vulnerabilities, improve IT hygiene and raise the barrier to entry into your network.
  • Perform coordinated, collaborative incident response across endpoints within minutes.
Section 4

Improve Software Supply Chain Security

FACT SHEET

"The Executive Order will improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available. It stands up a concurrent public-private process to develop new and innovative approaches to secure software development and uses the power of Federal procurement to incentivize the market. Finally, it creates a pilot program to create an "energy star" type of label so the government — and the public at large — can quickly determine whether software was developed securely. Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. This is a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up."

“What we can say is that best practice supply chain security should always start with visibility — into your IT assets and those of your partners.” - Chris Hodson, Global Chief Information Security Officer, Tanium

59%
of Americans want more government spending on cyber.
THE HARRIS POLL

Why It Matters

Section Summary

This section of the Executive Order discusses the need to:

  • Establish baseline security standards for the development of third-party software.
  • Require suppliers to demonstrate the security of their development environment.
  • Make software suppliers’ security data publicly available so that suppliers can be held accountable for it.
  • End procurement of legacy software developed out of compliance with these standards.

Why This Is Needed

Historically, organizations have lacked visibility into the security of their suppliers. They have relied on overly simplistic audits to manually track each supplier’s security and risk, or they have fallen back on trust and assumed that their suppliers maintained effective defenses.

This approach was never ideal, and it's spiraling out of control as supply chains become more complex.

The result: organizations often perform supply chain security governance too late in their onboarding process. They often fail to regularly reappraise the security of their suppliers, and they typically lack meaningful end-to-end visibility into the risks their supply chain carries.

"The U.S. government and industry must work together to achieve the trusted, secure, and reliable global supply chain that is necessary to encourage economic growth, protect national security, and harness U.S. innovation."- Jason Oxman, President and CEO, Information Technology Industry Council

The Expected Impact

Software supply chain attacks have emerged as one of today’s most significant threats, best exemplified by the SolarWinds attack, in which a trojanized update was distributed to roughly 18,000 customers and led to follow-on intrusions at about 100 private-sector organizations and nine federal agencies.

With this Executive Order, the federal government seeks to create a more secure and accountable vendor ecosystem. To do so, it is using its purchasing power to incentivize third-party suppliers to implement secure software development standards and to report their compliance with evidence.

Tanium Take

How to Address This Section of the Executive Order

If you are a software developer, the importance of this section is clear. You now have a new set of security standards that you must meet to compete in the marketplace.

If you procure software, these standards will raise the security of your supply chain and make it easier to validate each supplier’s risk posture.

To mitigate your supply chain risk, you will still need to define your own minimum set of security requirements and embed them within your contracts. These may include:

  • A comprehensive catalog of your suppliers' assets and their security status.
  • A picture of your suppliers' approach to threat modeling and security architecture.
  • A clear understanding of your suppliers' process for breach notification and response.

"There is still a belief by some IT people that the cloud is less secure. They also fear loss of control. Tanium can help with this by making it easier and demonstrating that they can maintain control and visibility during and after the move of assets to the cloud."- Scott Goodhart, Former CISO at AES, Tanium Advisor

Did you know?

Many vendors still provide manual, incomplete audits of their environment.

Tanium can reveal all of your suppliers’ assets.

How Tanium Can Help

With Tanium's comprehensive endpoint visibility, you can:

  • Develop an accurate catalog of third-party software within your environment, including their patch, update and configuration status.
  • Find legacy software in your environment that may not comply with the Executive Order's new standards and thus is a candidate for a more secure replacement.

With Tanium's real-time endpoint control, you can:

  • Defend against supply chain attacks by rapidly finding and remediating instances of recently compromised third-party software in your environment.
  • Manage and secure third-party software without obstructing its usage or adoption.

Section 5

Establish a Cybersecurity Safety Review Board

FACT SHEET

“The Executive Order establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity. Too often organizations repeat the mistakes of the past and do not learn lessons from significant cyber incidents. When something goes wrong, the Administration and private sector need to ask the hard questions and make the necessary improvements. This board is modeled after the National Transportation Safety Board, which is used after airplane crashes and other incidents.”

“The Cyber Safety Review Board’s future findings and recommendations are likely to influence companies across the economy.” - Global Law Firm Mayer Brown

21%
of companies lack the skills to accurately detect breaches in real time.
TANIUM STUDY

Why It Matters

Section Summary

This section of the Executive Order discusses the need for a federal Cyber Safety Review Board, co-chaired by government and private sector leads, that will:

  • Continuously review and assess threat activity.
  • Convene following significant cybersecurity incidents to analyze them.
  • Provide recommendations on how organizations can improve their security.
  • Provide functions similar to the National Transportation Safety Board.

“The order offers several sections of direct outreach to businesses, including its intent to make the incident review board a public private partnership headed by industry. That has the potential to be transformative. It may give stakeholders a chance to avoid mistakes by learning from attacks.”- Joe Uchill, SC Magazine

Why This Is Needed

Historically, the federal government has lacked a centralized authority on cybersecurity to receive information on incidents, analyze what happened and provide recommendations for remediation and security improvement.

In addition, there has been no formal partnership between cybersecurity leaders within the federal government and the private sector.

The result: organizations have lacked a single source for clear guidance on cybersecurity matters — both on developing incidents and baseline security measures.

“Too often organizations repeat the mistakes of the past and do not learn lessons from significant cyber incidents. When something goes wrong, the Administration and private sector need to ask the hard questions and make the necessary improvements.”- Maria Henriquez, Security Magazine

The Expected Impact

Cybersecurity incidents are growing in size, volume and complexity. Organizations need credible information on emerging threats and recent incidents to secure themselves before they become victims themselves.

With this Executive Order and the creation of this board, the federal government seeks to provide fast, consistent and practical guidance on all things cybersecurity.

In addition, they highlight the simple fact that piecemeal solutions to cybersecurity are no longer viable and that centralized visibility, investigation, analysis, and action have become the table stakes to combat today’s threats.

Tanium Take

How to Address This Section of the Executive Order

At a base level, organizations will gain a new source of centralized guidance on cybersecurity.

At a deeper level, organizations must follow the spirit of this mandate and consider ways they can create their own centralized processes to respond to incidents and emerging threats.

To do so, organizations must:

  • Create their own centralized hub that all cybersecurity information funnels into.
  • Ensure that the hub receives current, active and trusted information that pulls relevant information directly from endpoints at the perimeter at the moment it’s required.
  • Collect information beyond vulnerabilities and incidents and include expanded data on when systems need to be updated or will reach non-compliance or end-of-life.

Ultimately, organizations must follow the Executive Order’s lead and recognize that their cybersecurity is never a 100% solved problem. Instead it must be addressed through continuously evolving analysis and action delivered through formal, centralized and empowered processes.

Did you know?

Most endpoint security tools are point solutions that don’t work well together.

Tanium can unify them on a single platform.

How Tanium Can Help

Tanium gives organizations a unified platform that collects comprehensive real-time data from endpoints and provides a single-source-of-truth for most management and security activities.

With Tanium’s comprehensive endpoint visibility, you can:

  • Metabolize information and guidance on emerging threats from the new federal Cyber Safety Review Board and rapidly search for indicators of compromise.
  • Create a centralized view of critical endpoint data across the environment, and perform incident investigations and analysis with both real-time and historical telemetry.

With Tanium’s real-time endpoint control, you can:

  • Rapidly follow the guidance provided by the federal board to respond to incidents or to harden your environment against emerging threats.
  • Perform centralized control of endpoints in your environment — including the applications on those endpoints — to respond to and remediate incidents in minutes.
Section 6

Create a Standard Playbook for Responding to Cyber Incidents

FACT SHEET

“The Executive Order creates a standardized playbook and set of definitions for cyber incident response by federal departments and agencies. Organizations cannot wait until they are compromised to figure out how to respond to an attack. Recent incidents have shown that within the government the maturity level of response plans vary widely. The playbook will ensure all Federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.”

“The goal of the requirement is to ensure that federal agencies take uniform steps and measures to detect and respond to cyber incidents. The playbook will include standards developed by NIST for incident response, as well as guidance on how to use the playbook.” - Jai Vijayan, Dark Reading

68%
of respondents say real-time data is very or extremely important to network visibility.
GCB FLASH POLL

Why It Matters

Section Summary

This section of the Executive Order discusses the need to:

  • Create standardized playbooks and definitions for vulnerability and incident response.
  • Achieve equal maturity levels around response plans across the entire organization.
  • Execute uniform steps with consistent results to identify and mitigate threats.

Why This Is Needed

Historically, vulnerability and incident response have often been siloed, fragmented and ad hoc activities within organizations, performed using varying procedures to identify, remediate and recover from cybersecurity problems.

The result: organizations have lacked a shared understanding of their cybersecurity status and how to improve it. They have struggled to perform consistent vulnerability and incident response activities, to maintain compliance with industry standards like the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and to maintain full awareness of where vulnerabilities exist along with a mechanism and process to remediate them quickly.

“For the federal government, the uniform playbook is intended to help coordinate incident response. For the private sector, the standardized playbook will be a potentially valuable reference point as companies evaluate their own incident response policies and procedures.”- Global Law Firm Mayer Brown

The Expected Impact

To cause a breach, a malicious actor needs to find only one gap in an organization’s cybersecurity posture. If an organization cannot agree internally about what an incident looks like, how to prevent one, and how to respond if one occurs, then malicious actors will find many gaps to exploit.

Further, once an incident does occur, different groups within the organization will struggle to rapidly collaborate on remediation, furthering the spread and impact of the incident.

These standardized definitions and playbooks are also required to empower centralized cybersecurity authorities by giving them benchmarks to evaluate internal compliance against.

With this Executive Order, the federal government encourages organizations to standardize their response efforts and provides them with a template to model their new playbooks after.

Tanium Take

Organizations must develop extensible playbooks capable of handling both known threats and the next unknown zero-day attack.

To do so, playbooks must establish risk-based decision processes that use trusted and up-to-date enterprise-wide data.

Playbooks must use enough data to answer the “what” and “how” of unknown attacks and give operators enough agility to instantly scope the attack, understand the risk it carries and remediate it at scale.

“The endless array of FCEB agencies apparently have an endless variety of incident response playbooks... [making] it more difficult for CISA, as the centralized defensive lead, to ensure compliance effectively. In this way, Section 6 contributes to the ongoing process of moving CISA further out front as the central cybersecurity organization for FCEB agencies.” - Robert Chesney, Trey Herr, Lawfare

Did you know?

Legacy security tools create siloed fragmented security controls.

Tanium can unify your incident response.

How Tanium Can Help

Organizations can use Tanium to collect this critical endpoint data and provide it directly to operators. Tanium can continuously monitor endpoint behavior to spot changed configurations, identify vulnerabilities, visualize lateral movement and adapt to provide data when operators need it most.

With Tanium’s comprehensive endpoint visibility, you can:

  • Collect information and identify threats at the speed and scale required by these playbooks.
  • Use a comprehensive view of endpoint data across the environment to enable incident investigations and reduce dwell time.

With Tanium’s real-time endpoint control, you can:

  • Respond to incidents and remediate your environment against emerging threats.
  • Centralize control of endpoints on one platform from a single source of truth.

Section 7

Improve Detection of Cybersecurity Incidents on Federal Government Networks

FACT SHEET

"The Executive Order improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response system and improved information sharing within the Federal government. Slow and inconsistent deployment of foundational cybersecurity tools and practices leaves an organization exposed to adversaries. The Federal government should lead in cybersecurity, and strong, Government-wide Endpoint Detection and Response (EDR) deployment coupled with robust intra-governmental information sharing are essential."

“[The order] focuses on the need for enterprise-wide visibility and control; as proven by recent cyber events, federal agencies cannot rely on detection and prevention from EDR/EPP capabilities as the only solution.” - Matt Marsden, Vice President of Technical Account Management-Federal, Tanium

68%
of respondents say real-time data is very or extremely important to network visibility.
GCB FLASH POLL

Why It Matters

Section Summary

This section of the Executive Order discusses the need to:

  • Increase visibility into vulnerabilities and accelerate detection of cybersecurity incidents.
  • Establish enterprise-wide Endpoint Detection and Response (EDR) capabilities.
  • Develop centralized threat hunting, containment and remediation capabilities.

Why This Is Needed

Historically, organizations have focused threat detection capabilities around simply spotting malware with known signatures. This approach has left organizations unable to detect new threats that use unknown attack patterns until it's too late.

In addition, this approach has de-emphasized the importance of identifying and closing known endpoint vulnerabilities in the environment — though many incidents begin with a malicious actor exploiting one of these vulnerabilities.

“Threat-hunting aficionados will recall that Congress actually granted CISA expanded centralized threat-hunting authority in the National Defense Authorization Act. In a sign of importance of that fresh authority, the EO calls for CISA to produce a report in 90 days explaining how they are putting this authority to work and also requires additional reporting every quarter describing its ongoing use.”- Robert Chesney, Trey Herr, Lawfare

The Expected Impact

To defend against new threats and raise the barrier to entry into their environment, organizations must extend detection beyond malware to encompass threat hunting and vulnerability checks.

If organizations fail to do so, they will remain at risk for novel threat patterns, such as the SolarWinds attacks and Microsoft Exchange Server incidents.

With this Executive Order, the federal government seeks to lead organizations to adopt proactive and expanded threat detection through enterprise-wide EDR deployments.

But while organizations must evolve their approach to threat detection, EDR may not offer the ideal way forward.

Tanium Take

Organizations have not been able to overcome their complex cybersecurity threats with siloed tools and point solutions.

Fundamentally, these approaches cannot scope attacks in real time across the enterprise, and they cannot remediate these attacks at scale.

SolarWinds proved this — EDR tools did not alert on code that was signed by a trusted source, and they weren't able to rapidly remove the exploited vulnerability.

“The time it takes to detect, investigate and ultimately remediate or resolve a security incident is seen by most organizations as a key metric for measuring success. Historically, we have witnessed organizations fail to reduce the time required to close the loop in one or more of these areas.” - Tyler Oliver & Ben Crocker, Tanium

Did you know?

Many breaches occur when known vulnerabilities are exploited.

Tanium can help you extend detection beyond malware.


How Tanium Can Help

Tanium gives organizations a new approach. Tanium provides a comprehensive endpoint management and security platform that delivers identification, protection, detection, response and recovery at speed and scale that exceeds the capabilities of advanced threat actors.

  • Scalable architecture and extensible capabilities enable organizations to detect threats, investigate and hunt across the enterprise while gathering critical forensic data.
  • Cybersecurity operators are enabled to remediate malicious activity through quarantining, removing files, killing processes, changing configuration settings and many other prevention mechanisms.

Section 8

Improve Investigative and Remediation Capabilities

FACT SHEET

“The Executive Order creates cybersecurity event log requirements for federal departments and agencies. Poor logging hampers an organization’s ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact. Robust and consistent logging practices will solve much of this problem.”

“Organizations often face challenges in detecting and remediating incidents due to limited logging information available, and the lack of information tracked in real time through Endpoint Detection and Response services.” - Chris Hallenbeck, CISO for the Americas, Tanium

27% of respondents report they never have complete visibility over their IT environments. (GCB Flash Poll)

Why It Matters

Section Summary

This section of the Executive Order discusses the requirements for robust and consistent cybersecurity event logging by developing standard practices for logging and creating mechanisms to enforce those practices.

Why This Is Needed

Historically, many organizations have used systems that lack robust and consistent logging.

The result: many organizations have a limited ability to detect cybersecurity incidents, remediate those incidents, and perform accurate and effective analysis to determine each incident’s spread and root cause.

“As emphasized by some of the most pointed criticism of vendors in the aftermath of SolarWinds/Sunburst, the amount (and nature) of data recorded to network logs, and how that data is retained and accessed, can have a major influence on the speed and success of cyber incident response.” - Robert Chesney, Trey Herr, Lawfare

The Expected Impact

Recent incidents — most notably the SolarWinds attack — made it clear just how important log data is when a major incident occurs.

Organizations that retained sufficient log data in an easily accessible manner were more effective at remediating this incident than their counterparts.

With this Executive Order, the federal government seeks to lead the way in collecting and maintaining a sufficient volume of log data.

But the centralized approaches and Endpoint Detection and Response (EDR) solutions discussed within the Executive Order may not provide the optimal approach toward logging data to mitigate modern threats and vulnerabilities.

Tanium Take

Organizations cannot rely on the centralized logging used by EDR solutions and big data platforms. These logs are heavily filtered and often cannot capture the “known good” or “living-off-the-land” activity that many threat actors use today.

These centralized data stores become warehouses for old and irrelevant systems data. Centralization methodologies consistently fail when a new attack appears that can be investigated and remediated only with a data set the organization did not know it would need and therefore never collected.

“The executive order spells out how to mature the cybersecurity of not only our government systems, but also how companies doing business with the government can mature their cybersecurity posture, and furthermore how any company can mature their cybersecurity program. I think it's within the realm of possibility that these directives will trickle down to all companies doing business in and with US companies, so start the planning now.” - Steve Neiers, Former CISO at Chevron, Tanium Advisor

Did you know?

Centralized data collection creates a stale, inaccurate picture of your endpoints.

Tanium gives you real-time endpoint data.


How Tanium Can Help

Tanium gives organizations a unified platform that collects comprehensive real-time data from endpoints and provides a single source of truth for most management and security activities.

Tanium uses a scalable architecture and distributed logging capability that lets organizations review past- and current-state data in real time.

Tanium gives operators the known state of endpoints, from which they can accurately enforce configuration changes, quarantine systems, remove malicious files and prevent future attacks by rapidly applying missing patches and software updates.

How Tanium Supports the Cybersecurity Executive Order

IT environments are complex and managing them is more challenging than ever before. With Tanium, know everything that’s going on — on every endpoint — in order to prevent bad things from happening or fix them fast when they do.

Know everything now

See into every endpoint, managed or unmanaged, with complete, accurate and real-time data in seconds.

Take control

Whether on premises or in the cloud, take control of your entire IT estate in seconds with minimal network impact.

Fix it fast

Contain, remediate or patch emerging incidents at scale in minutes and take a proactive approach to IT management.

Align teams

With a single source of truth, gain a shared understanding of all of the data across your entire environment.

Gain Visibility and Control Into Your Digital Business

Contact us today for advice on endpoint management and security, and learn how Tanium customers are ready for whatever comes next.
