What is Endpoint Security?

I consider an endpoint to be an Operating System Instance on a network. Providing Endpoint Security is the next level of defense in depth after Network Security. There are some protections provided by the network for endpoints and some protections provided by endpoints for the network. But most endpoint security is focused on protection of the endpoint.

Who is Roy “Mac” Kincaid?

I have been involved with Endpoint Security since the first McAfee STIGs were written about 11 or more years ago. For old timers like me, that was US CYBERCOM directive FRAGO 13 (as in 2013). That was when we did ECV audits rather than CCRIs. I have known, learned from, or taught all HBSS/ESS STIG writers from the first to almost the last. However, I have not had a chance to meet the current ESS STIG writer. I was also asked to update the US CYBERCOM directive evaluation spreadsheet to reflect OPORD 16-0080 for DISA. So, you can blame me. Thanks to SecureStrux, Jen Cottle and I have been providing customers with ESS inspections and, more importantly, implementation assistance for organizations to increase their inspection scores and, yes, even their security posture. Most of my technical experience has been with McAfee ePolicy Orchestrator (ePO), which is now Trellix Threat Detection and Response.

What is the future of EndPoint Security within the DoD?

Per CCRI 3.0 and the ESS Working Group guidance, the technologies used for Endpoint Security will consist of Trellix/Microsoft Defender for Endpoint, Tanium, Nessus/ACAS, and either Cisco ISE or Forescout. The DoD license for Trellix ends at the end of this calendar year, 2024, to be replaced with Microsoft Defender for Endpoint. Currently, CCRI guidance places emphasis on rolling up data from the endpoint technologies to the Continuous Monitoring and Risk Scoring (CMRS) database, which will become the Big Data Platform (BDP) database sometime soon. Because this data is rolled up from local organizations to CMRS/BDP, labelling of data (known as OA tagging) must be done in order for the data to have context and be of value.

What impact will cloud computing have on Endpoint Security?

Most products have cloud services available. As organizations evolve from on-prem to IaaS to PaaS, and then finally to SaaS, more responsibility for all functionality, including security, moves from the user to the provider of services in the cloud. If there is an Operating System Instance on a network, Endpoint Security for that OS should be provided by the user. I assume that once an organization evolves to Software as a Service (SaaS), the cloud provider will provide Endpoint Security for the OS in the background and report the security posture of the OS to the user as appropriate.

Now for the Pitch!

Having the great fortune of working with talented people in this field, I have learned a lot of technical information regarding the implementation of Endpoint Security to meet DoD regulations. I have also had positive feedback from our customers regarding my “ePO Whisperers’” email distribution list. I know it’s old fashioned, but for the most part it is a way for me to distribute lessons learned out in the field. If you would like to be added to my distribution list, email me at mac.kincaid@securestrux.com. Here is a list of past lessons learned:

| Email Subject | Topic Covered | Date Sent |
| --- | --- | --- |
| ePO Whisperers’: CCRI 3.0 Alert – cheat sheet attached. | Endpoint Security requirements in plain English | February 2024 |
| Standing up a new DoD ESS image | Regarding DB license for DoD image | February 2024 |
| ePO Whisperers’: CCRI 3.0 Alert – authorization boundary tag | OA tagging hints | February 2024 |
| ePO Whisperers’: CCRI 3.0 Alert – AppLocker alone may no longer be sufficient to meet CCRI 3.0 AWL requirements | Application whitelisting | December 2023 |
| ePO Whisperers’ CCRI 3.0 Alert: Install DATT sensor on all managed clients | CCRI 3.0 hint for Windows managed clients | December 2023 |
| ePO Whisperers’ who whisper LINUX: OAS setting ON/OFF | OAS hint for Linux | December 2023 |
| ePO Whisperers’ – ALERT new ENS check V-258460 | Operational impact of STIG change | November 2023 |
| Update: ePO Whisperers’: Review, Software Catalog | Alternative to patches | October 2023 |
| UPDATE: ePO Whisperers’ -> set up SPLUNK to manage ESS event data, 3rd SOP | Update on how to push ESS event data to SPLUNK | September 2023 |
| ePO Whisperers’ – AHA config and new baseline image | Heads up on unannounced DoD changes to configuration guidance | September 2023 |
| ePO Whisperers’ who whisper Linux, 2nd Update: McAfee/Trellix products are NOT signed when installed and may not function properly if not signed | Linux hints regarding product installation | September 2023 |
| ePO Whisperers’ – Windows Event ID 4625 (FIMCLI.EXE) fills up security log | Management of security logs | August 2023 |
Roy “Mac” Kincaid

CISSP, SANS GWEB
Endpoint Security Practice Lead

As Endpoint Security Practice Lead at SecureStrux, Roy “Mac” Kincaid fortifies clients’ cybersecurity defenses, offering expertise in risk management, FISMA assessments, ST&E, and CCRI. With over 20 years of experience in cybersecurity, Roy “Mac” Kincaid specializes in configuring and deploying McAfee’s ePO, HBSS/ENS, and ESS, earning recognition as a Subject Matter Expert. Formerly an instructor at DISA, he traveled worldwide to train DoD security professionals on deploying and securing ESS. Kincaid is passionate about automation, particularly in PowerShell and WMI technologies. Certified as CISSP, Oracle Professional DBA, and GIAC Web Application Defender, he holds an M.S. in Computer Science and M.A. in Business Administration from West Virginia University, along with a B.S./B.A. in Accounting.
