EDR Tools Can Enhance Election Cybersecurity Monitoring
EDR is designed to “provide a strong complement to existing Albert Network Monitoring services, as well as provide increased security posture in a standalone deployment,” according to CIS. Albert sensors make “use of open-source software in combination with the expertise of CIS’s 24/7 Security Operations Center, providing enhanced monitoring and rapid notifications for much of the malicious traffic that election agencies may encounter,” StateTech reports.
As the Associated Press reports, 30 state election offices have already integrated the EDR tools via a DHS pilot program that launched in March. EDR software is expected to be rolled out in at least nine more states by November, according to the AP, though fewer than 100 local government agencies have signed on to the program.
Oregon is one of the states that has deployed EDR tools. “We have that installed at the secretary of state in all of our election infrastructure, and across our whole network,” Peter Threlkel, director of information services for the Oregon Secretary of State, tells StateTech. “But we’re also looking to get that deployed out to the counties as well.”
“Under the program, CIS analysts would receive alerts of suspicious activity, allowing them to monitor and track suspicious activity across jurisdictions with the goal of early detection and mitigation,” the AP reports.
As cybersecurity firm CrowdStrike notes, EDR should ideally provide “real-time visibility across all your endpoints [to] allow you to view adversary activities, even as they attempt to breach your environment, and stop them immediately.”
Another key aspect of EDR, according to CrowdStrike, is access to “massive amounts of telemetry collected from endpoints and enriched with context so it can be mined for signs of attack with a variety of analytic techniques.”
EDR should also provide organizations with “behavioral protection” that looks for indicators of attacks so that IT security leaders and professionals are “alerted of suspicious activities before a compromise can occur.”
EDR tools should integrate threat intelligence to “provide context, including details on the attributed adversary that is attacking you or other information about the attack,” CrowdStrike notes.
Ideally, EDR will provide fast and accurate responses and be cloud-based to “ensure zero impact on endpoints, while making sure capabilities such as search, analysis and investigation can be done accurately and in real time,” according to CrowdStrike.
“The threat actors are creating over a million new strings of malware a day,” Michael Atkinson, manager of Mandiant Solutions at FireEye, tells the AP. “If you don’t have the capacity to search in your endpoint infrastructure for the bad guys and have human cybersecurity experts work on that for you, in the end, compromise will likely be inevitable.”