Securing the Last Mile: A Trend Micro Case Study

NEVERHACK Estonia, 13 Nov 2025

In Estonia, cybersecurity is not a slogan or a department. It is part of how the country runs. From digital identity to e-governance, Estonia has become a model for secure digital transformation. But even in one of the most advanced digital nations, the most complex challenge remains the same as everywhere else: protecting the last mile.

This episode of CyberCast, recorded live at the Nordic-Baltic Security Summit 2025, explores how Estonia unified endpoint security across nearly 9,000 users and close to 100 public institutions. Host Ronnie Jaanhold sits down with Andri Rebane from the Estonian IT Center and Indrek Turmen from Trend Micro to talk about how a national EDR rollout really happens in practice — what worked, what didn’t, and what others can learn from it.

The Challenge: One Nation, Thousands of Endpoints

The Estonian IT Center, or RIT, provides the digital workplace and cloud environment for the country’s public sector. It manages hardware, software, collaboration tools, and, of course, security. According to Andri, RIT currently supports about 8,500 users and expects that number to grow to 15,000 within a year. “The user is our biggest risk,” he says. “They click links, open attachments, and plug in USB drives. The same behavior as twenty years ago, only now multiplied by thousands.”

RIT’s task was to consolidate digital workplaces under one secure, centralized system. That meant unifying policies, platforms, and protections. For Andri, this was where the concept of “last-mile security” came alive — securing the point where people and technology meet. “Our threat surface doesn’t come from public databases or national systems,” he explains. “It comes from users and their endpoints. That’s where the effort has to go.”

Building Visibility with EDR

To protect that last mile, RIT adopted Trend Micro’s endpoint detection and response technology. Indrek compares EDR to installing cameras in a building. “You can lock your doors and windows, but when someone gets in, you want to know what they did and where they went,” he says. “Without endpoint telemetry, it’s impossible to know.”

EDR tracks process executions, file changes, and network connections across devices, giving defenders a complete view of what’s happening. “It’s not about replacing antivirus,” Indrek clarifies. “You need both protection and visibility.” That visibility also helps shorten response times and improve decision-making when incidents occur.

Choosing the Right Partner and Approach

When Estonia began planning the rollout, RIT invited several major vendors to present their solutions. The result was a familiar discovery: most offered about 80 percent of the same features. “We applied the 80–20 rule,” Andri says. “We wanted 80 percent of the value with 20 percent of the cost and effort.”

Trend Micro stood out because of its strong research background and consistent local support. “Cybersecurity is a trust business,” Indrek adds. “You build trust by being open about your research and by delivering results.”

He points to Trend Micro’s Zero Day Initiative as an example. The program rewards researchers for responsibly disclosing vulnerabilities before attackers can exploit them. “Last year we helped close 73 percent of all publicly known vulnerabilities,” Indrek explains. “That information goes directly into our products, giving customers protection before attackers move.”

From Pilot to Nationwide Rollout

Implementing an EDR solution for an entire government network was not a single event but a continuous process. “We started with a few hundred machines to test functionality,” Andri recalls. “Once we knew it worked, we scaled to 3,000 devices in a few weeks.”

RIT expanded module by module, adding vulnerability management, removable device control, and email scanning, followed later by cloud and Kubernetes security features. Each phase took three to six months to tune, test, and gather feedback. “You can’t install everything at once,” Andri says. “You need to learn how it behaves, collect feedback from users, and adjust.”

Indrek agrees that large-scale deployments depend as much on coordination as technology. “You must understand who owns what, from Windows to Linux to endpoint operations,” he says. “Trust and communication between teams are critical.” He credits the collaboration with NEVERHACK as a key success factor in bridging technology and implementation.

Measurable Improvements

The impact of the rollout was immediate. “We now have real visibility,” Andri says. “If someone downloads questionable software, we see it instantly. If a malicious email gets through, it can be pulled back automatically.”

Phishing remains the most common threat, but automation has reduced response time from hours to minutes. “We rarely see ransomware anymore,” Andri adds. “Phishing happens daily, but we can stop it before it spreads.”

Indrek notes that while public and private sector threats often look similar, the motivations differ. “In government, you’re dealing with state-sponsored attackers who want disruption or intelligence. In the private sector, it’s usually about money. The techniques, however, are starting to overlap.”

Lessons for Others

For organizations planning similar projects, both guests emphasize a few key lessons: start small, build trust, and scale carefully. Visibility is more important than volume. Define ownership early, and let the technology evolve alongside processes and people. “It’s not a single project,” Andri says. “It’s a continuous process.”

The Bigger Picture

Estonia’s experience shows that national cybersecurity is built from the ground up. The last mile, where people and devices connect, is where defenses are tested every day. This story is not about technology alone. It is about collaboration, discipline, and the constant improvement that keeps a digital nation secure.

As Andri and Indrek agree, cybersecurity strength comes from awareness, trust, and the will to keep learning. Securing endpoints might not sound exciting, but it is where resilience begins.

Listen to the CyberCast episode to hear the full story of how Estonia secured its last mile — one endpoint at a time.
