Belated January Newsletter: Endpoint Detection and Response (EDR) and you!
I’ve got a few updates and timelines related to the CELS General Computing Environment, but I’ll go over them in a follow-up next week. Right now, I want to let you know about some updated requirements that have come to us from Washington. Executive Order 14028 from May 2021 required all agencies to improve their cybersecurity posture, and OMB M-22-01 from October specifically deals with Endpoint Detection and Response (EDR), setting out timelines to accomplish these improvements.
For the past few years, we’ve been relying on a suite of tools that largely met this need, but they’re not deployed as widely as required (we can’t even run McAfee on a Linux machine), and their capabilities no longer meet the standards of this enhanced EDR requirement. Argonne now has a new tool to deploy, and the project to start that deployment is under way. I’ll go over the pieces of what will be deployed, and what you can expect.
CrowdStrike Falcon is (generally) going to replace McAfee as the malware and threat protection software. BIS has provided a Frequently Asked Questions page for the software here. I’ve been running this software on my computers since the start of the testing process last May, and I’ve encountered no issues due to it. CELS Systems will manage the deployment of this software to the directorate, and as noted in the FAQ, the software and service will be supported by BIS and the Cyber Security Program Office (CSPO). The FAQ also notes that it will be required on all government-owned computers (macOS, Windows, and Linux), with exceptions for HPC compute nodes or any incompatible systems.
Already widely installed, Jamf Self Service will continue to be deployed to all CELS Macs. This software provides a curated menu of software packages you can install with a single click, as well as ensuring the proper security policies are enabled on your computer. These policies include screen saver timeout limits with screen lock, a DOE privacy warning on the login page, remote wipe capability should the laptop get lost or stolen, and FileVault enforcement (with recovery key escrow). Eracent software license auditing is also installed for tracking lab-licensed software. This setup is unchanged from what we’ve been doing, and all managed/co-managed Macs have this configuration. I mention it here to encourage owners of machines not already enrolled to do so. Generally, all Macs ordered since 2020 have this automatically deployed. If you have a “Self Service” app in your Applications folder, you’re good to go.
For our Windows users, a pared-down version of McAfee will still be installed on managed Windows machines to provide key escrow for disk encryption. I believe we may be able to remove this for macOS, but we need to do a little more testing.
What can I expect?
If you have a fully managed machine from BIS (typically a Windows Desktop), they will handle the rollout and update of any of the software listed above. If any action is required of you, BIS will work with you on it.
If you have a managed or co-managed macOS machine owned by Argonne, no action is required of you. We will be rolling the packages out via Jamf and will follow up with anyone who doesn’t get them automatically.
We will also be rolling CrowdStrike out to all of the Linux endpoints we manage, including desktops, servers, and login nodes. As noted above, HPC compute nodes will not get this software installed.
If you have a self-managed computer, we will be providing instructions on how to install CrowdStrike on your computer. Another announcement will be sent with pointers to the instructions when they are ready. You should not install any of this software on computers not owned by Argonne.
Below is a concise list of links with more information, in case you didn’t follow any of them inline.
- CrowdStrike on My Argonne
- CrowdStrike FAQ
- How to enroll in Self Service on a Mac
- Executive Order 14028
- M-22-01 (PDF – deals specifically with EDR)