One of the most vulnerable areas of a network is one of the most difficult to monitor and protect – the endpoint. This is true across the government, but with the distributed technology environment of the Department of Defense (DOD), it becomes even more challenging.
Lisa Belt, the acting cyber development executive for the Defense Information Systems Agency (DISA), defined this challenge during the agency’s industry day recently. Belt indicated that the DOD has been effective in securing traditional endpoints, but as the environment has become more complex, a next-generation approach is required.
“We have a phased approach because of the complicated environment,” Belt said. “Mobility has been expressly and intently built into that strategy as well as supervisory control and data acquisition (SCADA), Internet of Things and more non-traditional endpoints where we’ve done some work across the enterprise. But we really eventually under this phased approach will need to get after how all of the various endpoints security can come together.”
That is the key: how can the DOD rapidly search, identify and contain endpoints on-prem or in the cloud, wherever they might reside?
Integrating an Endpoint Detection and Response (EDR) Capability
To best maintain a defensible network architecture, the DOD of the future must be able to get insight, on demand, into what is transpiring within its networks, down to the endpoint. EDR technologies provide the deep level of insight that cyber operators need to identify and contain adversaries that have evaded traditional prevention technologies.
For the DOD, however, any EDR capability for driving hunt and forensics activities aimed at containing advanced, persistent threats must be scalable to millions of endpoints in all environments, including in low bandwidth areas and large-scale disconnected networks.
EDR solutions have progressed significantly, providing continuous recording of system activity to support full endpoint visibility and real-time queries. Symantec’s EDR platform, for example, provides a central console management capability that can remove malware and associated artifacts from impacted endpoints, and rapidly push countermeasures directly to the devices. In addition, advanced machine learning and behavioral analysis functions are now integrated into EDR solutions, offering the ability to identify malicious or suspicious files, as well as to detect fileless attacks that make use of memory exploits.
These advances in EDR technology greatly enhance an investigator’s or analyst’s productivity by prioritizing incidents by risk and automatically generating mitigation options for targeted attacks. Analysts can also proactively hunt for indicators of attack and perform rigorous endpoint analysis quickly and efficiently.
EDR and the DOD
The DOD established its Endpoint Security Solutions (ESS) program with the goal of preventing targeted and deliberate attacks against network operations. Even with this in place, Belt indicated during DISA’s Industry Day, a new endpoint security policy is on its way for the DOD. According to Belt, the new policy will incorporate lessons learned to more strategically converge traditional endpoint security with emerging requirements for mobile device and critical infrastructure protection, among others.
By adopting an industry-leading EDR solution, like Symantec’s, the DOD will gain:
- A deeper level of insight into adversaries’ tactics and techniques
- Robust hunt and forensics capabilities, scalable to millions of endpoints
- Rapid search, identification and containment of endpoints on-prem or in the cloud
- Continuous recording of system activity to support rapid remediation from a single console
- Rapid remediation including file deletion, blacklisting and endpoint quarantine
Symantec’s EDR platform was recently selected as a Gartner Peer Insights Customers’ Choice for Best Endpoint Detection and Response Solutions of 2019. For more information, visit the Gartner webpage.