Endpoint detection and response. That’s cybersecurity jargon for knowing what devices are on your agency’s network, and what to do if one of them goes rogue. And now the latest missive from the White House is ordering federal agencies to install endpoint detection and response, or EDR, pretty quickly. For how you might respond, Federal Drive with Tom Temin turned to the senior vice president for public sector at McAfee Enterprise, Ken Kartsen.
Tom Temin: Ken, good to have you on.
Insight by Carahsoft: This exclusive e-book demonstrates just how far agencies have come and where they still need to go to take fully advantage of DevSecOps to drive modern capabilities to their customers.
Ken Kartsen: Thank you very much for having me, I appreciate it.
Tom Temin: Let’s begin with defining the terms because in the world of endpoints, the cyber world and the technology world is sort of bifurcated into mobile devices that have mobile operating systems, and then in PCs that are just simply anywhere – laptops, and they could be on the VPN, or in the office on the ethernet. So it looks like this is encompassing everything in this latest October 8 memo from OMB. How do you see it?
Ken Kartsen: I see it very similarly, we are focused on endpoints in totality, protection of those endpoints and to go into a next generation of security capabilities and architecture, in order to protect those endpoints and not just those individual endpoints themselves, but traffic and malicious activity we may see coming from other entities or other endpoints that exist on your infrastructure or outside of your infrastructure. One of the most interesting things as you think about compute today, is in this almost potentially post COVID environment, we are no longer sitting on just the internal network or VPNing into the internal network, our devices are everywhere. And we’re connecting through almost any internet connection, whether that be legacy type of laptop, or a mobile solution that you pointed out earlier.
Tom Temin: And in this age of mass teleworking, which seems to be lasting quite persistently no matter what we do, there’s another variant and so forth. So the agencies are still teleworking to a pretty large degree relative to normal. The implication here is that the mobile device management systems, which a lot of agencies have for the mobile devices, is only really a part of the solution here, they can’t really give you that comprehensive view that you just described.
Ken Kartsen: Yeah, exactly. And when I think of mobile devices, and MDMs, as you noted, that’s really more of a policy management solution. EDR is definitely focused on more of your endpoint laptop, desktop solutions, server based solutions. And it’s critical that you leverage the latest in technology in order to protect your infrastructure, whether it be sitting inside of your data center in the cloud, or at somebody’s home office, and leveraging next generation technologies such as EDR. But underlying that EDR, machine learning and artificial intelligence to promote capabilities that leverage all the things that exist externally and internally to see if there is any malicious intent or activity, and being able to protect your environment from such.
Tom Temin: And this executive order, or this memo I guess is probably a better way to put it, because it came from OMB and not directly signed by President Biden. It says EDR combines real time continuous monitoring and collection of endpoint data. As you mentioned, it’s more than just the endpoints, network computing devices such as workstations, mobile phones, and servers. So that could say your cloud in some ways, is an endpoint device.
Ken Kartsen: It definitely is in some capacity. The compute that our government does is vast, it is reaching a broad range of infrastructure, whether it’s in legacy networks, legacy environments, home use, cloud environments, and being able to integrate all that information, protect at the endpoint, where most of your critical information lies. If you think about your data, and how you get into exfiltrate data, the endpoint potentially as your most vulnerable aspects, and by leveraging capabilities that exist today with EDR, and machine learning, and artificial intelligence, and being able to scale that across the government and do that continuous diagnostics and monitoring, to give DHS or CISA in this example, the ability to see what’s going on across the.gov environment and being able to protect. If you look at legacy attacks, such as SolarWinds, which we’re so all encompassing, inside of our government networks, the ability to have that visibility is paramount.
Tom Temin: We’re speaking with Ken Kartsen. He’s senior vice president for public sector at McAfee Enterprise. And the order here again, gives agencies 90 days to do a lot of things, but basically get their EDR plans in place and their EDR programs in place, and then in a half a year supposedly there’ll be a playbook for those that haven’t done it yet. What do you need to do to go from where you might be now as an agency to full bore EDR?
Ken Kartsen: There are some lucky agencies and departments who have moved forward with EDR technologies over the past year or two. I think the vast majority of agencies and departments are still evaluating different technologies and solutions. In this order, I think it’s incredibly important that agencies start to kind of peel back the onion, look at the types of technologies and capabilities that are out there first. What type of programming architecture would they utilize in order to develop that sudo-architecture inside of their environment? And then go about, what’s always important in the federal government, how would they leverage budget activities in order to fund a lot of those efforts, a? And then pass that collaborating with DHS, CISA, the CDM program, in order to enforce a lot of those policies that they’re going to be taking advantage of.
Tom Temin: Does an EDR solution require an agent on every endpoint?
Ken Kartsen: Traditionally, or typically, it does. If you look at some of the architectures that exist with some of the security capabilities that are out there, you can leverage endpoint agents that are already potentially in your ecosystem, and add that capability on, which provides a much easier deployment and management capability. So you’re essentially leveraging the infrastructure that you’ve already invested in previously. If you look at McAfee Enterprise, for example, in the .gov, environment, and then if you add in .mil, we’re on millions of endpoints today. And adding the EDR capability would give you a host of different, no pun intended, there are a host of different advantages in your protection capabilities and easily scaled to an enterprise environment.
Tom Temin: And at the other end of all of this, is there some sort of a dashboard, pane of glass, whatever word you want to use, such that the information security staff can have a easy way to find out what is in fact going on in the environment?
Ken Kartsen: Yeah, exactly. By using centralized management platforms that exist on-prem or in the cloud, leveraging these EDR solutions, you have a very, very clean dashboard effect in order to see if there are any intrusions taking place, be able to take mitigation efforts, above and beyond that, correlating to something that may exist at CISA, where you have the full dashboard of the entire.gov environment. And it gives you a very, very quick response time in order to thwart these attacks. Additionally, one of the things that these dashboards can help provide, and McAfee Enterprise as an example, is to assist with guided investigations, because the next step when you see that there is intrusion or misuse is to do the forensics component and investigate that. And one of the biggest issues that we have in most environments is the amount of manpower it takes. And the labor, the shortage of security resources is abundant. So having a technical capability to do guided investigations is ultimately what you’re looking for.
Tom Temin: And finally, do EDR solutions have the capability of protecting people against themselves, because like they say in the car industry, the one part you can’t fix is the nuts behind the wheel. And people click on things and they go searching on things that can result in all sorts of problems like ransomware. So is that a component of a good EDR is to somehow prevent people from well meaning people from doing harm?
Ken Kartsen: Absolutely, it is. As much as we do training and advise individuals if you don’t recognize the sender of the email, if it’s from an outside organization, there’s a lot of potential that it’s a type of phishing attack. It’s malicious in intent. Ultimately, humans make mistakes. Human error is by far probably the biggest vulnerability we have in security. And having a technology and capability that will prevent those types of attacks in the event of a human error is incredibly important. And that is an example of how EDR can assist an organization.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
Tom Temin: Alright, people so you got to get going here. Ken Kartsen is senior vice president for public sector at McAfee Enterprise. Thanks so much for joining me.
Ken Kartsen: Thank you very much. I really appreciate it.