Against the backdrop of a significant rise in cyberattacks against the Federal government and private sector organizations, President Biden has made cybersecurity a critical focus of his administration. His Executive Order on Improving the Nation’s Cybersecurity (EO 14028) gives technology teams marching orders with aggressive deadlines for securing Federal networks, systems, and endpoints.
“With CIOs under pressure to meet the deadlines, technology teams may rush to implement disparate technology solutions to check the different cybersecurity mandate boxes,” says Bryan Palma, CEO of Trellix, the company forged from the recent merger of McAfee Enterprise and FireEye.
But good enough is not okay when it comes to Federal cybersecurity. MeriTalk recently sat down with Palma to discuss what the launch of Trellix means for Federal agency customers and how Federal teams can move beyond checking boxes to achieve holistic, effective cybersecurity.
MeriTalk: McAfee Enterprise and FireEye merged in October and you formally announced the launch of Trellix this month. Both organizations have done a lot of work with Federal agencies. What does the launch of Trellix mean for your government customers?
Palma: McAfee Enterprise has been working with the Federal government for over 30 years, and FireEye has been around for over a decade. Both organizations started as pure cybersecurity companies. We aren’t technology generalists – we are cybersecurity experts. Bringing these two organizations together as Trellix strengthens our capabilities. In other words, the sum is greater than the parts. Because we are singularly focused on cybersecurity and have combined our Federal experience and knowledge, our new organization can meet agencies’ mission requirements with open architecture solutions to enable zero-trust architectures, endpoint security, and security of compute functions happening on the edge. Through our native and open XDR platform, we are combining the best of our endpoint, email, network, cloud, and security operations capabilities into a single platform supporting these agencies’ needs.
MeriTalk: A platform-based approach to cybersecurity can help agencies tie together their existing cybersecurity investments, bolster their cyber capabilities, and streamline management of their cybersecurity tools. Please tell us about the Trellix platform’s capabilities and how those capabilities can help Federal agencies.
Palma: This is really at the core of how our combined organizations can benefit Federal technology teams. Across the entire Federal landscape, agencies have some of the most diverse endpoints. Whether they are traditional endpoints like servers, laptops, and phones, or unusual endpoints like weapons systems and satellites, they all need to be monitored, protected, and resilient in the face of the most sophisticated threat actors. Traditional security protocols involve endpoint detection and response (EDR) technology to monitor endpoints, and the EDR technology could be different from endpoint to endpoint. EDR data may feed into an endpoint protection platform (EPP) and then to an agency’s security operations center (SOC). Once there, security information and event management (SIEM) or security orchestration, automation, and response (SOAR) tools gather and analyze the information and respond to threats. Based on the type of endpoint, the technology could vary. It means SOC teams must look through data coming in from all those different endpoints, often from different technologies, and the data then needs to be analyzed and acted upon by another set of technology tools. It’s hard to keep up with it all.
With McAfee’s market-leading EDR and EPP capabilities and FireEye’s security operations capabilities, Trellix delivers a holistic solution to bring all this information together on one platform – Extended Detection and Response (XDR). Trellix XDR will leverage threat intelligence from more than one billion threat sensors across our over 40,000 government and business customers to innovate and deliver new machine learning and advanced telemetry solutions. It’s also an open, interoperable platform, meaning it can accept data from a variety of vendor tools and networks. This gives agencies the flexibility to implement the exact defensive technologies they need to protect their unique operational environments with the ability to scale to support the demands of their unique missions. Together, these advantages provide agency SOC teams the analytics, automation, and resilience they need to respond more quickly and with greater confidence to critical security events.
MeriTalk: Let’s talk more about endpoint detection and response (EDR). It’s a foundational aspect of CISA’s Continuous Diagnostics and Mitigation program, and agencies have been working to improve their EDR capabilities for several years. What are the biggest challenges you see as agencies work to implement EDR across the enterprise?
Palma: First, I want to state the Federal government is going in the right direction with these mandates in the president’s executive order on cybersecurity. However, there are a couple of issues to overcome. Because of the accelerated timelines in the mandates, many agencies are rushing into EDR implementation absent a broader strategy, in which EDR is one component. While EDR is a necessary capability in a cybersecurity portfolio, it is not a lone silver bullet. Agencies are checking the mandate box without achieving holistic cybersecurity. Another challenge is agencies tend to have dozens of security tools that may not integrate with each other. It’s important those tools and data integrate into an open, interoperable platform, which XDR provides.
MeriTalk: As you noted, EDR is also a key component of the Biden administration’s cybersecurity executive order, and Office of Management and Budget (OMB) guidance to agencies on implementing the EDR directive sets aggressive timelines for Federal agencies broadly, and CISA specifically. How can industry help agencies address this and other requirements laid out in the OMB guidance?
Palma: Federal agencies need to look at industry as true partners. They should think about us as a partner instead of a company that is providing a product. As a partner, we make sure we provide the appropriate design architecture and integration of services around the deployment of a cybersecurity solution. We also help to operationalize and run it, ensuring the agency’s technology teams are benefiting from all the solution’s capabilities. One of the biggest things agencies can do to meet the aggressive mandates from CISA, the cyber EO, and other mandates handed down to them, is to bring in experienced partners.
MeriTalk: The cyber EO pushes agencies toward implementing zero trust. What role does EDR play in a zero trust architecture?
Palma: EDR is fundamental to implementing a strong zero trust architecture. Zero trust is the notion that nobody can be trusted, but you need a system of trust that grants access to those who need it. Trust comes down to telemetry. EDR solutions provide telemetry, giving insights to allow teams to assign trust and trust levels. Once complete, action can be taken at the endpoint appropriate to the agency’s zero trust architecture and policies. Zero trust can’t be fully realized without strong EDR solutions.
MeriTalk: How can emerging technologies like artificial intelligence (AI) help agencies secure their endpoints and meet zero trust security mandates?
Palma: A zero trust architecture relies on agencies issuing and enforcing underlying policies and decisions. The only way to achieve it effectively is to employ automated analytic capabilities. AI is a force multiplier. It doesn’t replace humans; it makes humans more effective. A foundation of data science and automation is fundamental to the overall success of zero trust.
MeriTalk: CISA recently issued an RFI asking for industry guidance on critical EDR solution capabilities – for today and into the future. What should agencies be looking for in an EDR solution that can meet their needs today – and evolve to address increasingly sophisticated threats?
Palma: Many traditional EDR solutions generate too many false positives, which means too many alerts are coming into the SOC. With the significant cybersecurity workforce shortage government technology teams are facing, the current workforce is overtaxed and overwhelmed with alerts. They need to increase their efficiency and productivity, which can be done through automation and analytics. We call it guided investigation. Agencies should look for EDR solutions offering automation and analytics. EDR solutions should be able to take the highest priority alerts, analyze and correlate them, and then quickly present where the team should intervene.
Agencies should also look for solutions offering open architectures. In today’s environment, proprietary doesn’t work. Technology needs to be open to ingest data from a variety of tools.
The other thing to consider is contextual threat intelligence, which is having actionable intelligence, allowing agencies to remediate a threat before it becomes an issue.
Finally, Federal teams need to move beyond EDR and consider XDR. EDR capabilities are an important part of the XDR solution, but XDR takes security farther by getting into the attack chain and making sure you’re correlating cloud, network, endpoint, user, email – all data into a single place and then driving a response. It is how agencies can achieve holistic cybersecurity that truly works.
MeriTalk: What are the unique cybersecurity capabilities of Trellix, and how can they help agencies address the requirements of the cyber EO?
Palma: Trellix leverages collective expertise from the McAfee Enterprise and FireEye teams to drive the development of our XDR platform. XDR goes beyond the traditional EDR capabilities to incorporate security operations. Making the SOC more efficient, effective, and productive with data collected from different tools and environments is fundamentally key to achieving the mandates.
Another key capability is our cloud native security operations tool allowing us to offer guided investigation. With this tool, we correlate data from different systems in what traditionally would be seen as disparate events – like email data correlated with endpoint data presented in our guided investigation. This kind of information is actionable to an analyst and the SOC team.
Trellix can also provide large-scale threat intelligence. We see across software and endpoints from millions of customer endpoints in both government and business and through the McAfee consumer solutions. The intelligence is ingested into our products, giving us unparalleled insight for better threat intelligence. Our partnership with Mandiant ensures our products utilize the cyber intelligence produced by their incident response practice, which serves over 1,000 high-profile customers each year. Mandiant’s solutions rely on the intelligence generated by our sensors deployed around the world.
Looking ahead, our combined organizations will continue to invest in data science around AI to ensure our systems are being driven by automation to better support Federal technology teams.