INDIAN RIVER COUNTY, FLORIDA
MEMORANDUM
DEPARTMENTAL

TO: Jason E. Brown, County Administrator
FROM: Dan Russell, Information Technology Director
SUBJECT: End Point Protection (EPP) / End Point Detection & Response (EDR) and Managed Detection & Response Procurement Recommendation
DATE: January 12, 2021

BACKGROUND:

On October 22, 2020, the Indian River County (IRC) Board of County Commissioners (BoCC) network was the target of a cyber-attack. Fortunately, the IRC Information Technology (IT) Department staff discovered the attack in progress and were able to successfully mitigate the attack with no loss of data. The IRC BoCC staff did experience a limited, self-imposed loss of certain technology services while a forensic investigation was conducted to ensure that any unauthorized access to the network was eradicated. Subsequent to completing the forensic investigation, the IRC IT staff examined the attack vectors that were deemed contributory to the attack and determined that the current end point protection (EPP) & anti-virus (AV) software should be upgraded to assist with detection and response to future cyber-attacks.

ANALYSIS:

The EPP & AV software currently in use is signature based. This type of anti-virus software relies upon pre-distributed malware signatures to detect anomalous computing or network behavior. Signatures are updated on a recurring basis; however, the detection capabilities of this type of legacy software are limited to known malware attacks and do not provide protection against new or previously unknown malware attacks. Cyber criminals are constantly innovating the techniques used to conduct their attacks. Legacy AV software is inherently disadvantaged when it comes to detecting attacks for which signatures have yet to be developed.
Next generation (Nextgen) EPP & AV software solves this dilemma via the addition of End Point Detection & Response (EDR) functionality.

EDR is an integrated end point security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities to enable cyber security teams to quickly identify and respond to threats. The primary functions of an EDR security system are to:

1. Monitor and collect activity data from end points that could indicate a threat.
2. Analyze that data to identify threat patterns.
3. Automatically respond to identified threats to remove or contain them, and to notify cybersecurity personnel.
4. Provide forensics and analysis tools to search for/research suspicious activities.

EDR tools work by monitoring endpoint and network events and recording the information in a central database where further analysis, detection, investigation, reporting, and alerting take place. A software agent installed on the host system provides the foundation for event monitoring and reporting. Most EDR tools address the "response" portion through sophisticated analytics that identify patterns and detect anomalies, such as rare processes, strange or unrecognized connections, or other risky activities flagged based on baseline comparisons. This process can be
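The four EDR functions described above, as an added example in Python that is not part of the county memo or of any vendor product: agent events from constructed telemetry are stored centrally, a per-host baseline is built from a learning window, later events are scored as rare processes or unrecognized connections by comparison with that baseline, and each flagged host gets one containment-and-notify record plus a forensic search over the stored events. All host names, process names and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample telemetry (not real county data): (host, event_type, subject).
# The first batch is the learning window used to build the baseline.
BASELINE_EVENTS = [
    ("ws-01", "process", "outlook.exe"),
    ("ws-01", "process", "excel.exe"),
    ("ws-01", "process", "outlook.exe"),
    ("ws-01", "connect", "mail.example.org:443"),
    ("ws-01", "connect", "mail.example.org:443"),
    ("ws-02", "process", "chrome.exe"),
    ("ws-02", "connect", "www.example.org:443"),
]
# Events reported later by the endpoint agents; two of them do not match the baseline.
NEW_EVENTS = [
    ("ws-01", "process", "outlook.exe"),
    ("ws-01", "process", "unsigned-tool.exe"),  # never seen on ws-01 before
    ("ws-01", "connect", "203.0.113.7:4444"),   # TEST-NET address, constructed
    ("ws-02", "connect", "www.example.org:443"),
]

def build_baseline(events):
    """Function 1: the central store, counting each (host, type, subject) seen."""
    counts = defaultdict(int)
    for host, etype, subject in events:
        counts[(host, etype, subject)] += 1
    return counts

def analyze(baseline, events, min_seen=1):
    """Function 2: flag subjects seen fewer than min_seen times on that host."""
    alerts = []
    for host, etype, subject in events:
        if baseline.get((host, etype, subject), 0) < min_seen:
            reason = "rare process" if etype == "process" else "unrecognized connection"
            alerts.append({"host": host, "type": etype, "subject": subject, "reason": reason})
    return alerts

def respond(alerts):
    """Function 3: one containment action per host, plus a notification target."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(f'{a["reason"]}: {a["subject"]}')
    return [{"host": h, "action": "isolate_host", "notify": "soc-oncall", "reasons": r}
            for h, r in by_host.items()]

def search(events, host=None, needle=""):
    """Function 4: forensic lookup over stored events by host and subject substring."""
    return [e for e in events if (host is None or e[0] == host) and needle in e[2]]
```

Raising min_seen turns the absence check into a rarity check, which is how a baseline comparison also catches seldom-run but known binaries.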