
Cyber Defense from the Internet to the Endpoint


Three Points to Remember
  1. Together, Leidos and DISA are strengthening DISA's cyber defense of DODNet, a network serving more than 3,000 DOD and federal sites.
  2. Using Endguard for automated endpoint detection and response, every end user and server acts as a sensor that enables immediate response.
  3. This solution helps secure digital assets at every point of entry.

 

Cyber defense
Staying ahead of adversary threats requires innovation, vigilance, and an understanding of the new cyber era.

From global defense operations to corporate networks, cyber threats are evolving at an unprecedented pace, turning the digital landscape into a battlefield. Cyber adversaries employ AI-powered tooling, malware, and automation to conduct sophisticated phishing campaigns, exploit zero-day vulnerabilities, and evade traditional detection methods. Staying ahead of these threats requires innovation, vigilance, and an understanding that in this new era, the cyberattack surface is rapidly expanding.

With deep experience delivering trusted cyber solutions, Leidos develops resilient, secure, and efficient cybersecurity capabilities designed to adapt, defend, and respond in real time. For the Defense Information Systems Agency (DISA), Leidos supports efforts to strengthen threat awareness and cyber defense hardening, proactively detecting and countering threats from DISA’s internet access points all the way to host devices and servers referred to as “endpoints.”

Traditional cyber defense measures have depended on network-based intrusion detection solutions. These systems typically monitor network traffic only at an enclave boundary or internet access point (IAP) and are limited by their reliance on perimeter defenses, often missing fileless malware attacks, insider threats, and lateral movement within compromised networks.  

Building defense beyond the perimeter 

To address these challenges, both government and industry are enhancing defense through more efficient, endpoint-based cybersecurity monitoring. This layered approach improves visibility and reduces incident response times and threat detection gaps while supporting Zero Trust compliance. As one of DISA’s major IT service providers, Leidos supports both the Department of Defense Information Network/Defense Information System Network (DODIN/DISN) and DISA’s DODNet. The DISN is the network backbone for secure voice, data, and video communications across military, intelligence, and other government operations worldwide. DODNet is the modernized, consolidated IT network for Defense Agencies and Field Activities. Both programs are delivered under two large indefinite delivery, indefinite quantity (IDIQ) contracts—Global Solutions Management–Operations II (GSM-O II) and Defense Enclave Services (DES). Together, the GSM-O II and DES programs are designed to provide unparalleled situational awareness and defensive capability spanning DISA’s complex, global operations from the IAPs to the endpoint.

Through the DES program, Leidos helps secure DISA’s endpoints on DODNet, including end user laptops, desktop computers, and servers. Utilizing an integrated endpoint detection and response system of sensors and cybersecurity automation, the DES team supports the evolution of an optimized infrastructure for DODNet end to end. Resilient and scalable, DODNet is expected to support approximately 370,000 users when fully implemented with increased efficiencies, reduced redundancies, and improved security posture.


Securing every connection: from IAPs to endpoints 

As part of the GSM-O II program, Leidos defends local network enclaves and more than three million users across 3,000-plus DOD and federal sites. With telemetry and sensors deployed at the DISA IAPs, Leidos analysts work to protect the network boundary between the internet and DISN. They leverage custom signatures, behavioral analytics, and threat hunting for a proactive approach to cyber defense.

Leidos also provides cybersecurity services for two of the three authorized fee-for-service Cyber Security Service Providers (CSSPs). To strengthen the network defense of its mission partners and push toward DOD Zero Trust goals, the GSM-O II program harnesses the power of EDR. 

"Advanced EDR solutions open a larger window into potential cyber incidents so DISA analysts can see, investigate, and stop suspicious behavior right away," said Nicholas Reinartz, GSM-O II’s Transformation and Innovation Group Lead at Leidos.

Seeing more, responding faster: the power of Endguard

With DISA, Leidos’ GSM-O II team piloted a comprehensive endpoint solution called Endguard, a new, powerful service for DISA CSSP mission partners that is built on Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Servers (MDfS). This robust cyber defense solution uses automated capabilities from MDE and MDfS to help ensure that every end user and server on DODNet acts as a sensor, collecting key security data, logs, and alerts, with the aim of countering malicious threats immediately at the access point.

Endguard’s live response capabilities leverage the direct connection to endpoints, enabling immediate response, as opposed to the hours needed with traditional IDS. When used to automate alert triage, Endguard dramatically increases the accuracy of the alert.

To maximize cyber network defense, endpoint data can be contextualized and enriched with real-time threat intelligence, enhancing enterprise-level threat hunting for persistent threats not detectable by monitoring alone. This endpoint data is more effective in detecting the aggressive tactics and attack patterns of cyber adversaries than other types of security-relevant data. In a simulated pilot exercise conducted by the Leidos GSM-O II team for DISA CSSP, Endguard detected 100% of the Red Team’s compromised endpoints and 94% of their individual activities, a significant improvement over IDS.

As cyber threats evolve, “All roads lead to the endpoint,” said Darrell Fountain, DISA CSSP Branch Chief. 

Through the integration of advanced EDR solutions and services like Endguard, Leidos helps ensure its customers remain resilient, adaptive, and proactive in securing their digital assets at every point of entry—from the internet to the endpoint.

 


Author
Leidos Editorial Team

The Leidos Editorial Team consists of communications and marketing employees, contributing partner organizations, and dedicated freelance designers, editors, and writers. 

Posted

October 21, 2025
