The evolution of endpoint security

DISA’s Endpoint Security Program engaged industry and Department of Defense partners to discuss user needs and new endpoint security approaches as part of two different networking sessions at the Armed Forces Communications and Electronics Association’s Defensive Cyber Operations Symposium in Baltimore May 15-17.

The goal is to generate interest and gather inputs as DISA leads in modernizing the endpoint security ecosystem, said Fredrick Cook, chief of DISA’s Endpoint Security Branch.

“Bottom line upfront, with evolving threats to endpoint security, we need to refine our requirements so that instead of just moving away from HBSS, we are moving toward solutions the department needs,” Cook said.

The Host Based Security System (HBSS), developed more than 10 years ago, is designed to provide a flexible, modular design that enables expansion of the tool by incorporating additional security capabilities, integrating existing security products, and eliminating redundant systems management processes.

Cook said his approach for developing future endpoint security capabilities starts with defining requirements, identifying technologies, and phasing capabilities into the cybersecurity endpoint ecosystem. He also downplayed an approach that focuses on replacing HBSS as the first priority.

“We don’t want to be in the practice of what we often call ‘tech refresh,’ where people are constantly replacing technology and never asking if it’s even needed,” he said. “So I try to caution people when they say ‘get rid of HBSS.’ The way it may evolve, there may not be any more HBSS left, but the resulting endpoint security solution will address department requirements.”

DOD’s Chief Information Officer tasked DISA to perform lab and pilot assessments in fiscal year 2018 to test two endpoint security capabilities – containment and endpoint detection and response (EDR).

“Containment solutions are kind of like sandboxes for untrusted applications, where whatever that application does can't harm the endpoint device,” Cook said. “EDR assumes you've already been breached and helps to find anomalies and correlate them with similar behavior of other endpoint devices in the network so that everything can be inoculated at once.”

DISA began testing eight endpoint detection and response and application containment technologies at the Army Research Laboratories at Adelphi, Maryland, in February. EDR and application containment are two technologies that may prove instrumental in the near term for hardening the endpoint, said Cook. DISA is set to begin piloting candidates from the ARL tests on the DODIN in June.

Going forward, Cook said he’s seeking innovative capabilities and open standards for threat sharing from industry partners.

“We are trying to build an endpoint security structure,” he said. “We need industry solutions to communicate using open standards, and we’re going to work with our mission partners to ensure reporting is standardized across the different solutions. Open standards will help reduce complexity. The adversary knows that complexity is inherently insecure,” Cook said.

Posted May 31, 2018