When I work with customers and potential customers on their endpoint detection and response (EDR) capabilities, I tend to ask four questions about the current state of their security systems:
- If your network was compromised today, would you be able to trace the attacker’s pivoting and lateral movement, and pinpoint their most recent actions and current location?
- How much visibility do you have into your own enterprise network and endpoints?
- Is each system protected against the most current attack vectors?
- How are you anticipating breaches and how quickly can you respond?
It’s rare, unfortunately, for all four of these questions to be answered confidently. But every day at GDIT we work with customers to change that. The hardest thing for many agencies to do once something has been detected is to quickly pivot and make the adjustments necessary to prevent it from happening again.
Anticipating breaches and responding quickly
GDIT’s proactive approach to next-generation EDR is grounded in the belief that as cyber criminals’ capabilities become more nefarious and more sophisticated, survival is going to increasingly depend on the speed of an organization’s response.
The security threat landscape is constantly changing, with new verticals and vulnerabilities appearing almost daily. Malicious programs can perform a variety of functions: exfiltrating, encrypting, or deleting sensitive data; altering or hijacking core computing functions; establishing command and control; moving laterally; and monitoring users’ computer activities for further reconnaissance.
Our cyber teams strive to meet the common 1-10-60 approach: one minute to detect an attack, ten minutes to fully understand its scope, and 60 minutes to respond and contain it. Yet a recent survey of 1,900 senior cyber professionals showed that 95 percent failed to detect attacks within a minute, and that it takes the average organization approximately seven days to understand the scope of an attack, respond to it, and contain it.
Creating visibility into attacks
Within our Cyber Stack, we rely on artificial intelligence and machine learning (AI/ML), and behavior-based and signature-less correlations that enable us to quickly predict where, when, and how cyber-attacks will occur and to block them before they can cause harm.
During and following an attack, we create a graphical replay of the tactics, techniques, and procedures (TTPs) that occurred, producing a visual trail of breadcrumbs that shows lateral movement through a network. This lets us then look at a customer’s entire network – from A to Z – and identify how to improve an agency’s overall security posture.
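The breadcrumb trail described above can be reconstructed from nothing more than time-ordered remote-logon telemetry. The example below is added here to illustrate that idea; it is not GDIT’s code or any product’s schema. The logon events are constructed sample data, the field names (`ts`, `user`, `src`, `dst`, `type`) are assumptions, and the hypothetical `svc_backup` account stands in for a credential the attacker is known to hold. It also goes slightly beyond the paragraph by showing the difference between a trail limited to known-compromised accounts and the wider set of hosts that were reachable in time order, which an analyst would then prune.

```python
"""Reconstruct a lateral-movement breadcrumb trail from remote-logon events.

Added example (not GDIT code). Events are constructed sample telemetry in the
hypothetical shape (timestamp, user, source_host, destination_host, logon_type).
"""
from datetime import datetime

# Constructed sample telemetry, as an EDR agent might report remote logons.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "alice",      "WS-ALICE", "FS-01",   "network"),
    ("2024-03-01T09:05:00", "alice",      "WS-ALICE", "MAIL-01", "network"),
    ("2024-03-01T08:50:00", "bob",        "WS-BOB",   "FS-01",   "network"),
    ("2024-03-01T09:12:00", "svc_backup", "WS-ALICE", "FS-01",   "network"),
    ("2024-03-01T09:20:00", "svc_backup", "FS-01",    "DB-01",   "rdp"),
    ("2024-03-01T09:31:00", "svc_backup", "DB-01",    "DC-01",   "network"),
    ("2024-03-01T09:45:00", "bob",        "FS-01",    "WS-BOB",  "network"),
]


def parse_events(raw):
    """Turn raw tuples into dicts sorted by time; the replay needs chronological order."""
    events = [
        {"ts": datetime.fromisoformat(ts), "user": u, "src": s, "dst": d, "type": t}
        for ts, u, s, d, t in raw
    ]
    return sorted(events, key=lambda e: e["ts"])


def breadcrumb_trail(events, patient_zero, compromise_time, suspect_users=None):
    """Walk logons forward in time from the first compromised host.

    A hop src->dst is followed only if src is already on the trail and the hop
    happened after src was reached (time-ordered reachability). With
    suspect_users given, only hops made with those accounts are followed;
    without it the result is an over-approximation for an analyst to prune.
    """
    reached = {patient_zero: datetime.fromisoformat(compromise_time)}
    trail = []
    for e in events:
        if suspect_users is not None and e["user"] not in suspect_users:
            continue
        src, dst = e["src"], e["dst"]
        if src in reached and e["ts"] >= reached[src] and dst not in reached:
            reached[dst] = e["ts"]
            trail.append(e)
    return trail


def last_known_position(trail):
    """Answer 'where is the attacker now and what did they do last?' from the trail."""
    if not trail:
        return None
    last = trail[-1]
    return {"host": last["dst"], "user": last["user"],
            "via": last["type"], "at": last["ts"].isoformat()}


def render_trail(trail):
    """One breadcrumb per line, suitable for a report or a graph label."""
    return [
        f'{e["src"]} --[{e["user"]}, {e["type"]} @ {e["ts"].strftime("%H:%M")}]--> {e["dst"]}'
        for e in trail
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    # Assumed scenario: WS-ALICE was compromised at 09:10 and svc_backup is a stolen credential.
    trail = breadcrumb_trail(evs, "WS-ALICE", "2024-03-01T09:10:00", suspect_users={"svc_backup"})
    print("\n".join(render_trail(trail)))
    print(last_known_position(trail))
```

Restricting the walk to the compromised account yields the three-hop chain WS-ALICE → FS-01 → DB-01 → DC-01; dropping the account filter adds the later FS-01 → WS-BOB logon as a fourth candidate hop, which is exactly the kind of branch the graphical replay exists to let an analyst confirm or rule out.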
As an enhanced integrator, we also perform API integration with known vendors in our Cyber Stack to accelerate response times, and we use our Security Orchestration, Automation and Response (SOAR) capabilities to further accelerate detection and response. We deploy enhanced cyber threat intelligence practices and leverage the MITRE ATT&CK and D3FEND frameworks to continually improve our ability to anticipate and respond to breaches. Our teams also use Automated Vulnerability Management, which requires no scanning overhead and further enhances the speed with which we can secure customer networks and endpoints.
Staying ahead of the curve
Enhanced cyber threat intelligence and robust EDR capabilities are key elements of any modern, next-generation cybersecurity strategy. And for good reason: there is a limited and ever-shrinking window in which cyber teams can identify and respond to an attack before serious damage is inflicted. In mission-critical environments across the Federal government, EDR is therefore not just important, it’s essential.
This is why the 2021 Executive Order on Cybersecurity included multiple references to EDR, among them: modernizing and implementing stronger cybersecurity standards in the federal government; improving the detection of cybersecurity incidents on federal government networks; and improving investigative and remediation capabilities government-wide. Moreover, the order called on the United States to lead in government-wide EDR deployments and robust intra-governmental information sharing.
Without question, the Executive Order placed new attention and a redoubled priority on proactive cybersecurity. It aligns with many agencies’ move to zero trust architectures, within which next-generation EDR capabilities are key. Zero trust requires policies that explicitly whitelist and grant access based on a user’s endpoint device, their credentials, and their behavior, so that authentication and authorization are continually applied at the device level and at the user level for each session.
Legacy systems that relied on anti-virus solutions and a “trust but verify” model have failed us. “Never trust, always verify” is our new mantra: you should never assume trust, but instead continually validate each access request and access point to effectively secure users, devices, and data resources.
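The per-session policy model sketched in the two paragraphs above, where device posture, credentials and behavior are all inputs to every access decision and the decision is re-verified rather than assumed for the life of the session, can be written down as a small policy engine. The example below is added here for illustration and is not GDIT’s code or any zero trust product’s API. The signal names (`managed`, `edr_agent_healthy`, `impossible_travel`, and so on), the entitlement table, and the three-way ALLOW / STEP_UP / DENY verdict are assumptions chosen to make the idea concrete.

```python
"""Zero trust per-session access evaluation with continual re-verification.

Added example (not GDIT code). Every name below is an assumption: the posture
fields, the behavior signals and the entitlement table are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DevicePosture:
    managed: bool            # enrolled in the agency's device management
    edr_agent_healthy: bool  # EDR agent present and reporting
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Credential:
    user: str
    mfa_verified: bool


@dataclass(frozen=True)
class BehaviorSignals:
    impossible_travel: bool = False  # two logons too far apart to be the same person
    new_location: bool = False
    off_hours: bool = False


@dataclass(frozen=True)
class AccessRequest:
    device: DevicePosture
    credential: Credential
    behavior: BehaviorSignals
    resource: str


# Constructed entitlement table: which accounts may reach which resources.
ENTITLEMENTS = {"alice": {"fileshare", "hr-db"}, "bob": {"fileshare"}}
HIGH_SENSITIVITY = {"hr-db"}


def evaluate(req):
    """Return (verdict, reasons). A DENY condition outranks STEP_UP, which outranks ALLOW."""
    deny, step_up = [], []
    # Hard denies: an unmanaged or blind device, a physically impossible session, or no entitlement.
    if not req.device.managed:
        deny.append("device is not enrolled")
    if not req.device.edr_agent_healthy:
        deny.append("EDR agent is not reporting")
    if req.behavior.impossible_travel:
        deny.append("impossible travel for this account")
    if req.resource not in ENTITLEMENTS.get(req.credential.user, set()):
        deny.append("no entitlement for resource")
    if deny:
        return "DENY", deny
    # Step-up: the request is plausible but needs stronger proof before it is allowed.
    if not req.credential.mfa_verified:
        step_up.append("MFA not verified")
    if req.resource in HIGH_SENSITIVITY and not (req.device.disk_encrypted and req.device.os_patched):
        step_up.append("device posture insufficient for high-sensitivity resource")
    if req.behavior.new_location or req.behavior.off_hours:
        step_up.append("anomalous behaviour for this account")
    if step_up:
        return "STEP_UP", step_up
    return "ALLOW", []


class Session:
    """A session exists only while the most recent evaluation is ALLOW."""

    def __init__(self, req):
        self.req = req
        self.verdict, self.reasons = evaluate(req)
        self.active = self.verdict == "ALLOW"

    def reevaluate(self, device=None, behavior=None, credential=None):
        """Re-run the policy when any signal changes; revoke rather than keep a stale ALLOW."""
        self.req = replace(self.req,
                           device=device or self.req.device,
                           behavior=behavior or self.req.behavior,
                           credential=credential or self.req.credential)
        self.verdict, self.reasons = evaluate(self.req)
        if self.verdict != "ALLOW":
            self.active = False
        return self.verdict


HEALTHY = DevicePosture(managed=True, edr_agent_healthy=True, disk_encrypted=True, os_patched=True)


def demo():
    """Grant a session, then lose the EDR agent mid-session: the grant is withdrawn."""
    req = AccessRequest(HEALTHY, Credential("alice", mfa_verified=True), BehaviorSignals(), "hr-db")
    session = Session(req)
    initial = session.verdict
    later = session.reevaluate(device=replace(HEALTHY, edr_agent_healthy=False))
    return initial, later, session.active


if __name__ == "__main__":
    print(demo())
```

The point of `Session.reevaluate` is the “always verify” half of the mantra: an access decision is tied to the signals that produced it, so when the EDR agent stops reporting, or a behavior signal flips, the session is re-scored and revoked instead of coasting on the original grant.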
Looking ahead, in a “survival of the fastest” cyber environment, EDR done well adds another layer for finding and correlating information in a way that is accurate and actionable. The organizations with the most enhanced cyber threat intelligence and the most robust EDR capabilities will be safer, more resilient, and better positioned to adopt the continually emerging technologies designed to further strengthen their cybersecurity posture.
They’ll be better able to answer my four questions, too.