Sep 23 2021

The Benefits of Endpoint Detection and Response Tools in the Federal Government

EDR can help agencies defend endpoints from advanced forms of malware.

Federal agencies are ramping up efforts to implement endpoint detection and response (EDR) systems as required by President Joe Biden’s May 12 executive order on cybersecurity.

Vendors are already seeing an uptick in interest even before final recommendations have been handed down by civilian and military IT leaders.

“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors,” the order states.

The order covers a range of cybersecurity measures, with an emphasis on vulnerability detection. It tasks the Cybersecurity and Infrastructure Security Agency and the National Security Agency with making EDR recommendations to civilian agencies and military branches, respectively. Those suggestions have yet to be made public.


What Is EDR Security?

Endpoint detection and response is an integrated endpoint security solution combining real-time, continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities.

The term endpoint threat detection and response was coined by Anton Chuvakin at the research firm Gartner in 2013. EDR also includes forensic tools to analyze attacks while ongoing or after they have occurred to identify security weaknesses and help anticipate future exploits.

Benefits of EDR Security Tools

There are many benefits federal agencies can reap by deploying EDR tools throughout their IT environments.

As a post from Palo Alto Networks notes, EDR tools provide broad visibility into threats for organizations and use machine learning tools to detect attacks. “The foundation for detection and response is rich data. Look for detection and response tools that collect comprehensive data and provide enterprise-wide visibility,” the post notes. “Ideal solutions offer a comprehensive set of machine learning and analytics techniques to detect stealthy threats.”

EDR tools also provide “simplified investigations with root cause analysis, intelligent alert grouping and incident scoring,” giving security analysts access to “rich investigative details” that help reduce response times.

Security operations center workers cannot realistically guard against every possible attack. EDR systems use artificial intelligence to watch for odd behaviors — or unusual activity that matches a known exploit — and then send an alert.

“Anywhere you can automate is key,” says Drew Epperson, senior director of federal engineering for Palo Alto Networks. “Today, bad actors are using machine speed.”

Palo Alto’s Cortex XDR solution has uncovered and busted numerous cyberattacks. On March 2, its managed threat hunting team found multiple vulnerabilities being exploited by the Hafnium hacker group. EDR systems also automatically quarantine and isolate suspicious or infected items, first to protect the network, and then to allow for later analysis.


EDR vs. Anti-Virus: Can It Replace Anti-Virus Solutions?

For those curious whether EDR platforms can replace anti-virus software, the answer is a simple no. Anti-virus software is programmed to recognize and stop known threats. EDR is a real-time monitoring system that detects malicious activity, including exploits that aren’t easily recognized or even yet defined by anti-virus platforms.

However, EDR and anti-virus solutions do work together.

“EDR and anti-virus are complementary,” says Adam Licata, director of product management for Broadcom.

Anti-virus systems are the first line of defense for a network. EDR is the next barrier of protection, with automated responses to known and unknown attacks. “EDR is like the security camera at the door,” Licata adds, noting that it’s always watching for something new and suspicious.


Top EDR Security Tools for Federal Agencies to Consider

Many large federal agencies have already deployed some form of EDR, including the National Science Foundation. “We have used FireEye HX since early 2017 and it has been a highly effective part of our IT security stack,” says spokesman Michael England.

FireEye offers a multipronged approach to protection. It blocks common malware with a signature-based engine, halts application exploits with the behavior analysis engine and protects the network from new threats with several tailored endpoint security modules.

“We have a deep understanding of threat artifacts,” says Robert Kusters, senior product marketing manager for FireEye. “A lot of other companies came from the protection realm and tacked on EDR. We started on the investigations side.”

The company works with more than 50 medium and large agencies across the federal government, including several that manage more than 100,000 endpoints each.

FireEye is perhaps best known for its discovery of the massive SolarWinds attack in December 2020. Ironically, the company found itself the victim of a highly sophisticated theft of tools it uses to simulate attacks. FireEye realized quickly that the hack rode on software updates from SolarWinds. The exploit, which the U.S. government attributes to Russian intelligence, compromised parts of nine federal agencies and about 100 private sector companies.


Many companies are now using the term XDR to denote extended detection and response, a wider approach to monitoring threat surfaces. For example, the Sophos Intercept X platform integrates network, email, cloud and mobile data sources on top of endpoint and server information. The company also suggests using cloud storage to look back in time to understand how an attempted breach began and conduct real-time investigations.

“Attackers are smart, and they know detection takes time,” says Dan Schiappa, chief product officer for Sophos. “They’re going back to the old-fashioned smash and grab.” He says agencies need a wider aperture now to see the whole threat picture. The endpoint is just one element of the attack.

Palo Alto’s Epperson says traditional EDR “isn’t the right solution for today’s world.” Instead, he says, “you leverage all the investments you have made and bring it all together.” That means integrating multiple data sources, even from non-Palo Alto products. “We put analytics on top of it to make meaningful insights,” he says.

Broadcom’s Symantec division offers a full EDR platform powered by its Global Intelligence Network. The network applies AI to analyze more than 9 petabytes of security threat data, much of it from its own customer base of 15,000 companies. Symantec says the system allows it to discover and block advanced targeted attacks that would otherwise go undetected. That includes information correlated from 175,000 endpoints and 126,000 attack sensors.

All that detection muscle is quite useful, but there is one basic hurdle. “EDR in and of itself is useless if you don’t have the skilled staff to manage it,” says Licata. That refrain is common among EDR vendors. EDR platforms generate alerts often, and it takes knowledge at the SOC to know how to interpret them.

“You need the talent,” agrees Anand Ramanathan, vice president of product management for McAfee.

McAfee’s MVISION EDR is a cloud-delivered service providing continuous data collection and advanced analytics to help detect suspicious behavior on customer networks. The platform supplies alert ranking and data visualization to reduce the expertise and effort needed to perform investigations.

Many vendors are now offering managed EDR services to help fill the knowledge gap at the SOC and take that burden off customers’ shoulders.
