Nov 12 2021

EDR vs. XDR and EPP: How Should Federal Agencies Think About Endpoint Security?

As agencies move to meet new governmentwide requirements on protection, here’s what they need to know about different approaches.

In addition to spurring a shift to zero-trust architectures for cybersecurity, Executive Order 14028 on Improving the Nation's Cybersecurity, issued in May 2021, also requires federal agencies to deploy endpoint detection and response (EDR) tools.

The order requires agencies to deploy EDR to “support proactive detection of cybersecurity incidents” within federal IT infrastructure, “active cyber hunting, containment and remediation, and incident response.”

On Oct. 8, the Office of Management and Budget issued a memo (M-22-01) that clarifies how agencies should move forward on deploying EDR tools. The memo lays out next steps both for the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and for agencies more broadly.

As FedScoop reports:

CISA has 90 days to develop a continuous performance monitoring process and coordinate with the Chief Information Officer Council on both recommendations for accelerating EDR adoption and publishing a technical reference architecture and maturity model. CISA and the council have 180 days to release a playbook on best practices for EDR solution deployments.

Meanwhile, agencies have 120 days from the issuance of the memo to “assess the current status of their EDR capabilities by identifying any gaps in existing EDR deployment.” They also need to “coordinate with CISA for current and future EDR solution deployments to confirm that the solution aligns with CISA’s technical reference architecture and appropriate data is gathered from the widest number of endpoints.”

As agencies move ahead on deploying EDR, IT leaders should also consider extended detection and response (XDR), which offers a wider range of capabilities than EDR.

EDR vs. MDR vs. XDR: What Is XDR?

As the OMB memo notes, EDR platforms combine “real-time continuous monitoring and collection of endpoint data (for example, networked computing devices such as workstations, mobile phones, servers) with rules-based automated response and analysis capabilities.”

EDR provides increased visibility compared with traditional cybersecurity solutions, the OMB memo notes, and can better position agencies to “respond to advanced forms of cybersecurity threats, such as polymorphic malware, advanced persistent threats (APTs), and phishing.”

EDR is also seen as an “essential component” for transitioning to zero-trust architecture, the memo states, “because every device that connects to a network is a potential attack vector for cyber threats.”

Meanwhile, managed detection and response (MDR) is the human component that augments EDR platforms. As Mandiant notes on its site, MDR provides “24/7 continuous threat monitoring, detection and response activities — including proactive threat hunting — across all threat vectors: endpoint, network, cloud, email and logs.”


As the name implies, XDR tools represent an extension of traditional EDR platforms.

“Many agencies are already using an EDR solution, but it’s important for them to think more broadly about how endpoint security fits into their zero-trust journey,” Drew Epperson, senior director of federal engineering and chief architect at Palo Alto Networks, tells FedTech. “XDR provides a far more robust view across networks, cloud workloads, servers and endpoints. One of the limitations that we see with focusing solely on EDR (endpoints) versus XDR (endpoints, cloud, networks, etc.) is that it requires the security team to do the work manually that XDR automates.”

XDR solutions are also “designed to simplify enterprise network security management,” as a post on Check Point’s website notes.

“XDR solutions integrate security visibility across an organization’s entire infrastructure, including endpoints, cloud infrastructure, mobile devices, and more,” the post notes. “This single pane of glass visibility and management simplifies security management and enforcement of consistent security policies across the enterprise.”

XDR tools focus on security integration and aggregating data from across organizations to provide the context needed to detect sophisticated and distributed attacks, according to Check Point: “XDR systems can also apply data analytics and threat intelligence to this aggregated data to identify trends and known threats. Finally, security aggregation decreases the workload for security analysts, enabling them to better focus their efforts.”


EDR vs. EPP: What Is EPP?

Another avenue agency IT leaders can explore is an endpoint protection platform (EPP).

An EPP is an “integrated suite of endpoint protection technologies — such as antivirus, data encryption, intrusion prevention, and data loss prevention — that detects and stops a variety of threats at the endpoint,” a post on McAfee’s site notes. “An endpoint protection platform provides a framework for data sharing between endpoint protection technologies. This provides a more effective approach than a collection of siloed security products that lack the ability to communicate can offer.”

EPP is a term that is used interchangeably with “endpoint security,” according to Epperson. “These are software products installed on endpoint devices (like servers, phones, laptops and other devices that use the network) that secure them against cyberattacks,” he says, adding that EPP solutions have historically focused on prevention.

For agencies, an EPP solution is designed to prevent malicious activity, Epperson says.

“EDR is intended to detect and respond to the activity that EPP didn’t prevent,” he says. “XDR takes that a step further and pulls data and telemetry from all sources and presents actionable intel to the security team.”


What Endpoint Security Solution Is Right for Your Agency?

Agencies are required to deploy EDR solutions but do not have to stop with just those tools.

“I use the metaphor of choosing between a nice utility knife or a Swiss Army knife,” Epperson says. “Like a Swiss Army knife, XDR offers the same capabilities as EDR, but provides many others in addition.”

EDR simply refers to software that can detect and investigate threats on endpoints, he says, including servers or laptops. Meanwhile, “XDR is a new, holistic approach to EDR that breaks siloes in traditional threat detection and response with visibility across networks, clouds and endpoints,” he explains.

XDR also uses analytics and automation for threat detection and response, reducing the time it takes to discover, hunt, investigate and respond to threats.

EDR tools tend to focus only on endpoint data, which can result in missed detections, more false positives and longer investigation times, according to Epperson.
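To make the three layers concrete, here is an added example that is not code from this article, from FedTech or from any of the vendors quoted. It models the OMB memo's definition of EDR (continuous endpoint telemetry plus rules-based automated response), Epperson's point that EDR exists to catch what EPP did not prevent, and his claim that endpoint-only data can miss detections: a workstation whose process activity looks routine talks to an outside address, and minutes later a user signs in to the agency's cloud tenant from that same address. Nothing in the endpoint data alone is alarming; only the join across endpoint, network and cloud telemetry is. Every host name, user, IP address and hash below is hypothetical and constructed for the example.

```python
"""
Added example (not code from FedTech, Palo Alto Networks or any vendor):
a toy pipeline modelling the three layers the article contrasts.
  EPP - prevention: block a process whose file hash is on a denylist
  EDR - detection: rules over endpoint telemetry plus an automated response
  XDR - correlation: join endpoint, network and cloud telemetry
All hosts, users, IP addresses and hashes are hypothetical and constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# ---- constructed telemetry ------------------------------------------------
ENDPOINT = [  # process-start events as an endpoint agent would report them
    {"ts": "2021-11-12T10:00:00", "host": "ws-0417", "user": "jdoe",
     "proc": "winword.exe", "parent": "explorer.exe", "sha256": "h-word"},
    {"ts": "2021-11-12T10:00:05", "host": "ws-0417", "user": "jdoe",
     "proc": "powershell.exe", "parent": "winword.exe", "sha256": "h-ps"},
    {"ts": "2021-11-12T10:00:09", "host": "ws-0417", "user": "jdoe",
     "proc": "dropper.exe", "parent": "powershell.exe", "sha256": "h-known-bad"},
    {"ts": "2021-11-12T14:00:00", "host": "ws-0912", "user": "asmith",
     "proc": "rundll32.exe", "parent": "svchost.exe", "sha256": "h-rundll"},
]
NETWORK = [  # outbound flow records from a network sensor
    {"ts": "2021-11-12T14:00:02", "host": "ws-0912", "dst": "203.0.113.7", "port": 443},
    {"ts": "2021-11-12T14:00:10", "host": "ws-0417", "dst": "198.51.100.3", "port": 443},
]
CLOUD = [  # sign-in events from the agency's cloud identity provider
    {"ts": "2021-11-12T09:00:00", "user": "jdoe", "src_ip": "192.0.2.10", "result": "success"},
    {"ts": "2021-11-12T14:03:00", "user": "asmith", "src_ip": "203.0.113.7", "result": "success"},
]
DENYLIST = {"h-known-bad"}       # EPP: hashes of known malware (hypothetical)
AGENCY_EGRESS = {"192.0.2.10"}   # source IPs a cloud sign-in is expected from
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}


def ts(s):
    return datetime.fromisoformat(s)


def epp_prevent(events, denylist=DENYLIST):
    """EPP layer: prevention. Drop any process whose hash is known bad."""
    allowed = [e for e in events if e["sha256"] not in denylist]
    blocked = [e for e in events if e["sha256"] in denylist]
    return allowed, blocked


def edr_detect(events):
    """EDR layer: rule-based detection over endpoint data only, with an
    automated response (host isolation) for every rule match."""
    alerts, isolated = [], set()
    for e in events:
        if e["parent"] in OFFICE_APPS and e["proc"] == "powershell.exe":
            alerts.append({"host": e["host"], "ts": e["ts"],
                           "rule": "office_app_spawned_powershell"})
            isolated.add(e["host"])  # the automated response the rule triggers
    return alerts, isolated


def xdr_correlate(endpoint, network, cloud, egress=AGENCY_EGRESS,
                  window=timedelta(minutes=10)):
    """XDR layer: flag a successful cloud sign-in whose source IP is not an
    agency egress address AND was contacted by an agency endpoint within
    `window` before the sign-in. No single source is alarming on its own;
    only the join across sources is."""
    flows_to = defaultdict(list)
    for f in network:
        flows_to[f["dst"]].append(f)
    incidents = []
    for c in cloud:
        if c["result"] != "success" or c["src_ip"] in egress:
            continue
        for f in flows_to.get(c["src_ip"], []):
            if timedelta(0) <= ts(c["ts"]) - ts(f["ts"]) <= window:
                # attach the last process seen on that host before the flow
                prior = [e for e in endpoint
                         if e["host"] == f["host"] and ts(e["ts"]) <= ts(f["ts"])]
                last = max(prior, key=lambda e: e["ts"], default=None)
                incidents.append({"user": c["user"], "host": f["host"],
                                  "src_ip": c["src_ip"],
                                  "proc": last["proc"] if last else None})
    return incidents


def run_pipeline():
    """Prevention first, then endpoint-only detection, then cross-source correlation."""
    allowed, blocked = epp_prevent(ENDPOINT)
    alerts, isolated = edr_detect(allowed)
    incidents = xdr_correlate(allowed, NETWORK, CLOUD)
    return {"blocked": blocked, "edr_alerts": alerts,
            "isolated": isolated, "xdr_incidents": incidents}


if __name__ == "__main__":
    for name, value in run_pipeline().items():
        print(name, value)
```

Run as written, the EPP stage blocks the known-bad dropper, the EDR rule fires on ws-0417 (Word spawning PowerShell) and isolates that host, and nothing endpoint-side fires on ws-0912, where rundll32 under svchost is routine. Only the XDR join, which ties the ws-0912 flow to an outside address to a cloud sign-in from that same address three minutes later, produces an incident for ws-0912. That gap between the second and third stages is the "missed detection" the paragraph above describes; in a real deployment the join would run over a data lake of agent, sensor and identity-provider logs rather than three in-memory lists.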

“Additionally, XDR solutions use machine models to deliver behavioral analytics to assist security teams in detecting anomalous activity,” he says.


Federal agencies can reduce detection and response times by combining artificial intelligence–powered analytics from XDR tools with support from leading MDR service providers, Epperson says.

“MDR service providers offer experienced teams who can provide around-the-clock threat monitoring using XDR platforms,” he adds. “The best providers also offer expert threat hunting and forensic specialist support.”
