Enabling Federal Cybersecurity with EDR Deployments

In 2018, CISA contracted Booz Allen to assist federal agencies in all aspects of CDM implementation, including EDR deployments. CISA needed an industry partner that could help agencies quickly acquire and deploy commercial EDR capabilities. This job came with considerable challenges. For example, there are many EDR solutions (five in the CDM program alone) and EDR technologies are advancing rapidly. This meant that Booz Allen had to possess a deep technical understanding of the full range of tools in the marketplace to match the right tools to any given agency.

Moreover, each federal agency is unique in terms of its IT environment, organizational complexity and size, and cyber operations maturity. Booz Allen combined technical expertise with a deep knowledge of federal environments and operations to configure, integrate, and deploy EDR tools rapidly and seamlessly to suit each agency’s unique circumstances. 

These EDR deployments are now transforming how federal cybersecurity teams identify, assess, and remediate malicious activity. With improved operational visibility enhanced by EDR, these client agencies can now more quickly and easily identify an active exploit threatening a network and share that threat intelligence with CISA and other agencies so the threat can be rapidly remediated, and any damage can be minimized—all automatically. This capability enables CISA and its client federal agencies to adopt a more collaborative and proactive cybersecurity posture.

To implement EDR solutions rapidly, consistently, and successfully for their agency clients, Booz Allen used a repeatable framework that is adaptable to unique customer environments and can be leveraged to deploy any industry-leading EDR solution. Included in this framework are several activities that go beyond the normal acquisition and distribution of licenses. These activities include but are not limited to:

• Capitalizing on Booz Allen’s data-quality efforts to validate the number of endpoints at each agency
• Inclusion of readiness assessments for each organization to avoid shelfware and waste in the deployment process
• Establishment of clear roles and responsibilities among system integrators, original equipment manufacturers (OEM), and agency administrators

We worked with agency endpoint management teams to ensure that EDR software is automatically included in all new computers moving forward and that retired computers have their EDR licenses reclaimed for use on future endpoints.

Booz Allen also leveraged:

• Internal test labs where the team was able to deploy multiple EDR solutions across many endpoints with various operating systems—this allowed our teams to familiarize themselves with various EDR capabilities, as well as explore and test configurations, deployment methods, operational scenarios, and more
• Pre-development of custom configurations, as needed, to accelerate deployments on Day One and ensure that the initial baseline configurations established the necessary foundation to meet CISA EDR requirements for the CDM program
• Implementation of a Peered Services Request System (PSRS) process where Booz Allen subject matter experts supplemented OEM professional services by providing Tier 1 and 2 support to agency stakeholders as needed while allowing the OEMs the ability to focus on Tier 3 and other targeted issues—this enabled a more streamlined approach for agency personnel to receive the most effective level of support for a new system
• Development and implementation of deployment scorecards designed to serve as a "peer review" of EDR agent deployments (regardless of whether an OEM, agency, or system integrator deployed)—these ensured key deployment and configuration goals were met, providing a way to track progress achieved over the course of the project
• Curated training to ensure agency staff were capable of fully utilizing the new capabilities prior to transition
• Micro-training modules to help agency staff continuously improve their operational proficiency with the new EDR capabilities

While Booz Allen minimizes the amount of customization needed for each EDR deployment, some degree of modification is typically needed to support each agency’s unique circumstances. This is where Booz Allen relies heavily on its deep knowledge of federal missions, operations, and IT environments to ensure that EDR deployments successfully support each agency’s operational needs.