What Is Endpoint Detection and Response?
Endpoint detection and response (EDR) is part of a layered security strategy for agencies. EDR tools can provide agencies with enhanced visibility into threats.
EDR solutions “provide continuous and comprehensive real-time visibility into what is happening on an organization’s endpoints — including desktops, laptops, mobile phones, servers, tablets, and virtual environments — or any remote device that is connected to and communicates with a network,” Thomas Etheridge, senior vice president of services at CrowdStrike, writes in GCN. “By applying behavioral analysis and actionable intelligence to endpoint data, EDR solutions can stop an incident from turning into a breach.”
Steve Faehl, federal security CTO at Microsoft, writes in a company blog post that “outdated endpoint protection strategies based on static prevention-focused capabilities like antivirus are ineffective.”
“Today’s next-generation anti-malware capabilities — powered by advanced machine learning and behavioral monitoring — are critical to helping organizations stop threats,” he writes. “EDR then goes a step further beyond prevention to provide detailed telemetry that provides additional visibility and enables dynamic analytics and automation to discover and remediate more sophisticated threats at scale.”
The cybersecurity order is ultimately aimed at “ensuring agencies have the tools necessary to address the full spectrum of endpoint protection, detection and response,” Faehl writes.
“As cyberattacks have advanced in their ability to evade first-layer defenses, such as endpoint protection platforms, and mask their presence, security teams benefit from EDR in gathering and correlating multiple endpoint signals to detect attacks that were not initially detected and thwarted, and then respond to prevent the attack from advancing further,” says Michael Suby, research vice president for security and trust at IDC. “In addition, scripted (i.e., search for a known pattern or sequence of signals) and unscripted (i.e., tailored and progressive search) threat hunting capabilities included in EDR assist security analysts in proactively detecting highly sophisticated attacks (e.g., advanced persistent threats, APTs).”
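The scripted threat hunt Suby describes, a search for a known sequence of endpoint signals rather than a single alert, as an added Python example that is not from the article or from any vendor named in it; the telemetry events, host names and the process sequence are constructed for illustration, and the parent-child chain within a time window is the assumed correlation rule:

```python
from datetime import datetime, timedelta

# Constructed endpoint process telemetry (not real data): one record per process start.
EVENTS = [
    {"host": "ws-17", "ts": "2024-03-04T09:12:01", "pid": 410, "ppid": 300, "image": "outlook.exe"},
    {"host": "ws-17", "ts": "2024-03-04T09:12:09", "pid": 511, "ppid": 410, "image": "winword.exe"},
    {"host": "ws-17", "ts": "2024-03-04T09:12:40", "pid": 622, "ppid": 511, "image": "powershell.exe"},
    {"host": "ws-17", "ts": "2024-03-04T09:13:05", "pid": 733, "ppid": 622, "image": "rundll32.exe"},
    {"host": "ws-22", "ts": "2024-03-04T09:30:00", "pid": 120, "ppid": 100, "image": "winword.exe"},
    {"host": "ws-22", "ts": "2024-03-04T11:30:00", "pid": 130, "ppid": 120, "image": "powershell.exe"},
    {"host": "ws-31", "ts": "2024-03-04T10:00:00", "pid": 210, "ppid": 200, "image": "explorer.exe"},
    {"host": "ws-31", "ts": "2024-03-04T10:00:05", "pid": 220, "ppid": 210, "image": "powershell.exe"},
]

# A scripted hunt: a known sequence of signals, in parent -> child order, within a window.
# No single event here is alarming on its own; the ordered chain is what the hunt keys on.
SEQUENCE = ["winword.exe", "powershell.exe", "rundll32.exe"]
WINDOW = timedelta(minutes=10)

def hunt_sequence(events, sequence, window):
    """Return (host, [pids]) for every process chain whose images match `sequence`
    in parent-child order, with every member started within `window` of the first."""
    hits = []
    by_host = {}
    for e in events:                       # correlate per endpoint, never across hosts
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        children = {}                      # ppid -> child process events
        for e in evs:
            children.setdefault(e["ppid"], []).append(e)

        def walk(chain):
            depth = len(chain)
            if depth == len(sequence):     # whole sequence matched: record the chain
                hits.append((host, [c["pid"] for c in chain]))
                return
            start = datetime.fromisoformat(chain[0]["ts"])
            for child in children.get(chain[-1]["pid"], []):
                in_window = datetime.fromisoformat(child["ts"]) - start <= window
                if child["image"].lower() == sequence[depth] and in_window:
                    walk(chain + [child])

        for e in evs:                      # every candidate first signal seeds a walk
            if e["image"].lower() == sequence[0]:
                walk([e])
    return hits

if __name__ == "__main__":
    for host, pids in hunt_sequence(EVENTS, SEQUENCE, WINDOW):
        print(f"{host}: sequence matched by pids {pids}")
```

Only ws-17 matches: ws-22 shows the same two images but two hours apart, and ws-31 shows a shell launch with no matching parent, so neither chain is reported.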
What Is Managed Detection and Response?
Managed detection and response is connected to EDR but is a different tool for agency IT security teams.
MDR, Suby says, “is the human talent side of EDR,” and could be especially useful for smaller agencies that don’t have large cybersecurity teams. As Mandiant notes on its site, MDR provides “24/7 continuous threat monitoring, detection and response activities — including proactive threat hunting — across all threat vectors: endpoint, network, cloud, email and logs.”
“MDR service benefits organizations that lack in-house talent to utilize the EDR tool to the extent they require to meet their cyber risk mitigation objectives,” according to Suby. “The MDR engagement can be tailored to the organization. The alternatives range from fully outsourced to augmentation.”
According to a blog post from security firm Arctic Wolf, MDR is aimed at small and midsize organizations with limited investments in cybersecurity tools and staff, and midsize organizations “that already invest in security resources, but seek partners to augment in-house capabilities.”
Craig Robinson, program director for security services at IDC, adds that early versions of MDR encompassed “the human element and threat hunting surrounding EDR and other technologies to give a fuller detection and response capability” to organizations.
Managed security service providers and MDR providers have since evolved their MDR offerings “to account for telemetry beyond that endpoint, such as network, cloud, operational technology and other sources of telemetry,” Robinson says.
“MDR services may provide their own EDR capabilities, but more frequently they support more than one to allow them to reach a greater pool of organizations that are reluctant to swap out their EDR,” Robinson says.
The Benefits of MDR for Government
There are many security benefits for government agencies that choose to avail themselves of MDR. A 2020 report from IDC on the topic notes that MDR is appealing because it provides CISOs and IT leaders the ability to be more proactive in their cybersecurity and incident response.
“Armed with the knowledge that some attacks will inevitably make their way into an organization’s infrastructure, CISOs are coming around to the realization that having a proactive rapid response solution is just as important as having a strong defensive perimeter,” the report notes.