By Matt Marsden, Vice President, Technical Account Management, Federal, Tanium
Endpoint detection and response (EDR) was put on center-stage when the Office of Management and Budget (OMB) released a memo requiring that agencies must collaborate during the development and deployment of their EDR solutions.
The OMB memo intends to create government-wide visibility through a centrally located EDR initiative, implemented by the Cybersecurity and Infrastructure Security Agency (CISA), to support host-level visibility, attribution, and response across federal information systems.
Within 90 days of the memo’s release, agencies are required to provide CISA with access to their current and future EDR tools, and CISA is to provide recommendations for accelerating EDR adoption. Within 120 days, agencies must analyze their EDR solutions with CISA and identify any gaps.
A recent report stated that since the shift to working-from-home, 79 percent of IT teams have seen an increase in breaches at the endpoint. There is a dire need for useful EDR solutions within the federal government, especially in the era of remote work, as they will improve “the ability to detect and respond to increasingly sophisticated threat activity on Federal networks.”
What is EDR?
EDR is a capability that identifies and responds to cyber threats by combining real-time continuous monitoring of data and endpoint collection with rules-based automated response and analysis capabilities. EDR tools have gained a significant amount of popularity among IT security operations teams due to their ease of use and the understanding that endpoints can provide the richest data about intruders.
- Automated, simple pattern detection of known bad-attack types, leading to triage and investigation of those alerts
- Automated response in the sense that pre-determined actions can be configured from the detection rules
- Centralization of endpoint log and telemetry data in the cloud for offline analysis
While useful, EDR technology only locates certain types of activity, or “known bad” activity. Most EDR tools limit the activity they record to reduce bandwidth and storage. So, what happens when there is an “unknown bad” in a network? This vulnerability gap creates plenty of blind spots for attackers to enter, but it is possible to diminish those issues through other solutions.
What should agencies look for in a solution?
Skilled attackers are aware of the EDR capabilities and know how to get around them. If agencies pair a threat hunting solution with their EDR technologies, they will have a deeper, more comprehensive visibility over their endpoints.
When looking for the right threat hunting platform, it is crucial that agencies keep certain criteria in mind – adaptability, scalability, and extensibility. It is also important to use a platform that is fully powered by accurate data and can respond to threats in seconds. Here are some elements to look for when choosing an EDR solution:
- Continuous monitoring of endpoints. Legacy security solutions tend to employ a collection of incompatible point solutions tied together in a SIEM, resulting in a data set that is weeks old, and doesn’t include unmanaged, offline, or off-network endpoints. Instead, it is important to have a comprehensive platform to gather in-depth endpoint data, giving agencies the ability to collect accurate, real-time data in minutes, not months
- Formatted, organized data. Many tools require you to export data from different sources, normalize output, then attempt to combine it all into one report. It is important for agencies to streamline this process through a solution that provides actionable data that is already in the correct format for use
- Zero-trust architecture. Achieving a strong endpoint defense requires complete visibility into the entire operating environment. Agencies should look for a platform with a zero-trust architecture that continually monitors device health and checks whether it is patched, secure, compliant, and managed
An endpoint security and management platform solution can dig deeper into the suspicious activity detected by EDR to understand the threat and protect any additional machines that may have been compromised. A single platform of this nature gathers in-depth endpoint data, giving agencies the ability to collect accurate, real-time data in minutes.
The time to improve cyber is now, and everyone plays a part in this process. The federal government has set the precedent with this memo, and agencies understand the importance of the guidance. Agencies must implement a strong EDR solution and enhance their EDR capabilities to improve their security posture and response capability.
About the Author
Matt Marsden is the Vice President, Technical Account Management, Federal at Tanium. He is a career cyber professional with more than 24 years of experience working with the Federal government. Matt began his federal service in the United States Navy supporting submarine operations afloat and transitioned to Civil Service where he supported the DoD and Intelligence Communities prior to joining Tanium. Matt can be reached online at LinkedIn and at our company website https://www.tanium.com/solutions/federal-government/