Election Security Spotlight – Endpoint Detection and Response (EDR)

What it is

Endpoint Detection and Response (EDR) is security software that is deployed on workstations and servers, commonly referred to as “endpoints.” EDR collects technical data is from these endpoints, and then transmits it back to the vendor or a local server. The data is then analyzed for suspicious patterns and threats. If a threat is identified, it is blocked and an alert is generated. Administrators can typically view alerts through a vendor control panel or a connection to their own security platform. Also, many EDR solutions include a traditional antivirus functionality and the ability for responders to remotely access compromised systems for remediation.

 

EDR.PNG

Why it matters

EDR expands the security capabilities of election offices by automating work traditionally performed by IT departments, especially benefiting SLTTs with limited resources. Many EDR platforms further simplify security management by consolidating several common functions in a single place. For instance, investigators can use security log data collected by EDR software for further analysis to trace the origin and severity of incidents, while responders clean the affected system using remote access functionality. The improved analysis and data collection in next generation EDR make it an essential part of any defense in depth strategy, which protects election data from both internal and external threats.
Election offices can use EDR to:

  • Detect and stop active attacks on election infrastructure.

  • Protect against malware.

  • Disable and restrict the ability of suspicious users on your network to cause harm.

What you can do

  •  Deploy EDR on systems throughout your network.

    • Review the CIS Guide for Ensuring Security in Election Technology
      Procurement for best practices in crafting proposals and other necessary
      documents.

  •  Best practices for EDR:

    • Take advantage of vendor-offered user training.

    • Delegate personnel to monitor and act on detection.

    • Export information regularly from the control panel to local hardware backups, so you always have access to data needed for audits and investigations.

    • Consider available staffing resources to support any new security infrastructure and the associated responsibilities. Many EDR providers offer solutions supported by a 24×7 team to manage and respond to identified incidents.

    • Refer to the EI-ISAC Cyber Incident Checklist to manage security events.

Learn More

U.S. election entities can learn more or request more information about Endpoint Detection and Response (EDR)services by contacting us at elections@cisecurity.org or 518-880-0699.

Spotlights provide election officials with an overview of common cybersecurity topics, and how they relate to election infrastructure security. Please reach out to elections@cisecurity.org to request a topic.