U.S. Patent and Trademark Office CISO, Don Watson, discusses how endpoint detection and response better protects agencies and helps prevent attacks.

Jun 08 2022

Endpoint Detection and Response Helps Agencies See Potential Attacks More Clearly

Endpoint detection and response gives agencies a wider view into possible cyberattacks.

Late in 2021, as word spread of the vulnerability in the open-source Log4j utility, the U.S. Patent and Trademark Office knew its endpoint detection and response system was standing guard at every doorway to its network, watching for intruders and ready to sound the alarm.

The Log4j weakness allowed bad actors into an agency’s network to steal information or plant malicious content. The PTO, however, had put endpoint detection and response (EDR) in place earlier that year to fortify every access point, from employees’ laptops to its on-premises servers and cloud functions.

“We’re able to use our EDR to look for any type of anomalous behavior based on what the exploitation would be,” explains Don Watson, the PTO’s CISO.

Federal agencies including the Office of Personnel Management, the Navy and even the United States Holocaust Memorial Museum in Washington, D.C., have deployed endpoint detection methods as part of their cybersecurity strategies.

Click the banner below to get access to customized content by becoming an Insider.

With a largely remote workforce since the start of the COVID-19 pandemic and with employees’ laptops scattered offsite, federal IT teams today have more endpoints than ever to defend against potential attackers. The PTO alone has 26,000 endpoints, Watson says.

“What’s really great about EDR is that you can see activity on every endpoint,” he says. “It really augments, and in some cases replaces, your traditional intrusion prevention, malware protection and vulnerability scanning capability, because it’s right there on the endpoint.”

EXPLORE: How should federal agencies think about endpoints?

The Nuclear Regulatory Commission uses extended detection and response (XDR), which not only examines endpoints but also sweeps the agency’s network, cloud services and other infrastructure components.

XDR offers a holistic view and constant, automated analysis of activity, incorporating new information about system behaviors in the process, explains Garo Nalabandian, the NRC’s acting CISO.

The system is “a critical factor in enabling proactive response to the changing threat environment,” Nalabandian says. “Our EDR tools provide a foundation for detection and response through comprehensive data analysis, utilizing advances such as machine learning and analytics to provide enterprise-level visibility into threats targeting our IT infrastructure and systems.”

Don Watson
EDR is really good in today’s world and with today’s emerging threats, because it’s not looking just for some piece of malware.”

Don Watson CISO, U.S. Patent and Trademark Office

Understanding the Value of Endpoint Detection

Endpoint detection is the latest evolution of traditional anti-virus programs that track and remove malware such as Trojan-type infections and worms from a network. Like its predecessors, EDR catches and flags suspicious activity and potential trespassers.

Endpoint detection, though, can recognize and contain risks at the perimeter before they infiltrate an agency’s system. It’s keeping an eye out for trouble on the horizon, not waiting until it reaches the front door.

“EDR is really good in today’s world and with today’s emerging threats, because it’s not looking just for some piece of malware,” Watson says. “It’s using a combination of artificial intelligence, behavioral detection and machine learning algorithms, so that threats can be anticipated and immediately be prevented. It’s more of a threat-based approach.”

Once EDR identifies a problem, it will isolate it at the endpoint and prevent its spread to other network operations. It will block the potential hazard as soon as it’s discovered without waiting for a patch to be released, Watson says.

DIVE DEEPER: Extending cybersecurity defenses with XDR.

EDR captures the entry sites of all the PTO’s servers and cloud assets, Watson says, and works even on legacy platforms such as Unix. It’s especially valuable with traffic that uses network encryption, such as HTTPS, coming in and out of the PTO environment.

“You can apply it from a centralized manager,” Watson says of EDR, “and all of the endpoints are now protected, looking for that malicious behavior and blocking those exploits, regardless of what environment they’re in within your organization.”

Based in the cloud, EDR can automatically push out updates, tools and heuristics to respond to new threats and behavioral triggers. The platform provides real-time monitoring with agents at each endpoint. Even for routine security scans, EDR conducts them with agent-based scanning rather than tying up the agency’s network, Watson says.

“We get a recording of artifacts, of what actually happened even in the past, and then it reduces time to respond,” Watson says.

Adapting to New IT Environments in the Federal Government

The PTO shifted to an all-remote workforce when the COVID-19 pandemic began in March 2020, but prior to that, about 80 percent of its examiners already were telecommuting, Watson says. The agency was allowing employees to work one to five days a week out of the office.

“With a remote workforce, and with a cloud environment, you want to make sure that you are focused on protecting your high-value assets,” Watson says. “Whatever is connecting to your network and to your systems, there is no implicit trust just because they’re within the network.”

President Biden’s cybersecurity executive order required agencies to plan for zero-trust strategies to boost security, and specified EDR as a mechanism to accomplish that goal.

The PTO handles plenty of sensitive information from businesses and individuals applying for patents and trademarks. It must balance its workers’ ease of entry with protection of that data, ensuring that users have permission and credentials to access only specific assets or resources. They don’t have carte blanche inside the network.

DISCOVER: The benefits of endpoint detection in federal agencies.

Watson brings that need for layered security closer to home with an analogy: “You can lock up all your doors and windows, but if your back screen door is open and you don’t lock any of your internal rooms, including the place in your master bedroom where you keep all your jewels, eventually, someone who can get in through the back door can get into everything across your entire house.”

EDR allows the NRC to monitor its remote workers’ laptops and catch irregular behavior even when they aren’t connected to its secure network, Nalabandian says. That helps agencies block an intensifying number of “endpoint risks” such as supply chain disruptions, complex ransomware and sophisticated phishing attempts. Those are the potential attacks that would shut or slow down an agency’s operations.

“We support some pretty important products here at PTO,” Watson says. “We can’t stop issuing patents and registering trademarks, and so it’s very important we keep those systems up and running.”

Jimell Greene

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.