Diane Phan of the Defense Information Systems Agency believes commercial endpoint security solutions improve situational awareness.

Nov 19 2019

Agencies Can Boost Endpoint Security via Commercial Solutions

The products provide widespread network visibility and other mechanisms to help agencies secure their assets.

Increased mobile device use in recent years has multiplied the number of endpoints that federal agencies must monitor — and also boosted hackers’ interest in exploiting them.

The Defense Department, for example, rocketed from 30,000 mobile users to 120,000 between 2015 and 2018. NASA had more than 70,000 mobile users as of 2018, and the Department of Homeland Security currently has more than 90,000 devices in use.

To protect against file-based attacks and other exploits targeting those endpoints, some agencies have turned to commercial endpoint security solutions. “Servers used to be much more attractive targets than user endpoints,” says Chris Sherman, senior analyst at Forrester. “Today, data shows endpoint security is involved in more attacks.”

Nearly all federal agencies that participated in a survey by software supplier Lookout said they have a mobile security strategy in place. However, a report from the Center for Strategic and International Studies says there is room for improvement in the way agencies handle device-based endpoint security monitoring. As of 2018, more than 60 percent of government agencies had experienced a security incident involving a mobile device, according to Lookout.

Federal IT Requires a Wide Range of Security Responses

Endpoint protection challenges vary among the agencies, which have widely differing structures, deployment strategies and missions.

The Defense Information Systems Agency, for example, must consider how to tailor solutions to function within the unusual environments of the armed services branches, says Diane Phan, DISA endpoint security solutions chief.

“An Army brigade is not connected to a network during maneuver,” Phan says. “The sailor on a Navy ship needs to be able to bring the system back if it goes down, instead of calling home and waiting for us to send a particular vendor out there. The usability of the tool is important.”

CrowdStrike, Symantec, Sophos and McAfee are among the biggest players in the space, according to Sherman. 

Many endpoint solutions, he says, will integrate with other products within a system, utilize different forms of analysis, including machine learning applied to behavioral data, then ideally offer a preventive response. “They’re more strategic in that they look at threats holistically, versus single specific threats like a blacklisted executable,” Sherman says.

[Figure: the percentage of federal IT respondents who believe their agency’s endpoint mobile security solutions provide enough protection. Source: Lookout, “Policies and misconceptions: How government agencies are handling mobile security in the age of breaches,” February 2018]

“We’re seeing endpoint detection and response tools give more context around alerts. As the tools become more effective and precise, they can take more action. Essentially, endpoint security is automatic.”

The endpoint protection software DISA currently employs utilizes capabilities such as cyberhygiene reporting and risk scoring to help monitor and protect DOD networks.

“Having a commercial endpoint security solution provides us with situational awareness of what malicious activities are going on in our network on a daily basis so we can respond accordingly,” Phan says. 

“It’s important for us to have situational awareness for who and what is connected to the DOD network, so we can identify that an endpoint is authorized to be on a component’s network and that it’s managed.”

DISA-supported agencies are also utilizing some of the security features in Windows 10. In 2015, well before the deadline for DOD’s migration to Windows 10, DISA and the National Security Agency established a Windows Secure Host Baseline, which included Windows 10 and its security features, plus additional secure preconfigured applications for uniformity.

“The majority of endpoints in the DOD are using Windows operating systems,” Phan says. 

“Deploying a framework helps us maintain protection and establishes a baseline for the department so we know if something happens, we can react in a timely and appropriate manner.”


Agencies Can Simplify Mobile Device Management

In March 2018, the Transportation Security Administration awarded McAfee a contract to provide cloud-enabled endpoint defense and threat response capabilities through its Endpoint Security, Active Response, Threat Intelligence Exchange, Server Security Suite and Advanced Threat Defense products.

McAfee states that the capabilities will let TSA “integrate and facilitate communication between more than 70 solutions from different vendors.”

Streamlining security operations in this way is valuable; having one endpoint security agent can help agencies avoid the amount of overhead required when using multiple tools, Sherman says.

It can also help facilitate efforts to ensure devices are patched against publicly known security vulnerabilities and are running the most current operating system. 

That’s the most important defense against mobile device security threats, according to the Department of Homeland Security’s Study on Mobile Device Security, published in 2017.

“High-level endpoint security is focused on threat prevention, detection and response,” Sherman says. “Suites on the market automate actions between those three things in ways that allow them to seamlessly work in concert; the outcome is, you’re protected against file-based attacks involving portable executables and generally against exploits.”

Photography by Randall Scott
