GDL-3000.07G: Endpoint Malware and Threat Protection Guidelines

Guideline Summary

Intended Audience: University personnel responsible for deploying and managing Endpoints
Guideline Owner: Director of Information Security

Definitions

Endpoint

Any server, workstation, or mobile device managed by the University or connected to the University’s network.

Malware

Forms of malicious software including but not limited to computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware, and other malicious and unwanted software (OCIO 141.10). 

Threat 

Any circumstance or event (human, physical, or environmental) with the potential to cause harm to an IT system in the form of destruction, disclosure, adverse modification of data, and/or denial of service by exploiting a Vulnerability (OCIO 141.10). 

Vulnerability 

A point of risk that could result in penetration of a security barrier. Awareness of potential vulnerabilities is key to designing more effective defenses against attack by unauthorized parties (OCIO 141.10). 

Vulnerability Assessment 

A comprehensive analysis that attempts to define, identify, and classify the security holes (vulnerabilities) in a system, network, or communications infrastructure (OCIO 141.10). 

Introduction

All University network-connected Endpoints should be protected from Threats and Malware. Infected Endpoints are dangerous to University systems and data; they may result in interrupted University operations, loss of institutional reputation, legal problems, and financial loss. 

University Endpoints

To ensure Endpoint protection, the University’s Information Technology Services (ITS) work unit provides and supports an enterprise Malware and Threat protection solution for University-managed devices. This solution also provides advanced Endpoint detection and response capabilities and is referred to as an Endpoint Detection and Response (EDR) solution. This solution provides: 

  1. Real-time scanning of files, folders, and processes.
  2. Automated detection and response to infections and attacks.
  3. Removal of infected files by quarantining or deletion.
  4. Vulnerability Assessments (scanning) and risk scoring.
  5. Centralized management and integration with other University security tools.
  6. Role-based access control.
  7. Automated signature definition updates.
  8. Detection of infections by use of machine learning.
  9. Integration with the vendor’s intelligence.
  10. Pre-configured dashboards and reports.
  11. Automated and custom alerting.
  12. System software inventory.
  13. Monitoring of the health of deployed clients.

EDR Client Installation and Configuration for University-Managed Endpoints

The University’s EDR solution is a software-as-a-service (SaaS) application that relies on deployment of an Endpoint client. Business owners and technicians are responsible for ensuring clients are deployed to all University-managed Endpoints. The client should: 

  1. Be installed on every Endpoint.
  2. Be installed during the system build process.
  3. Be configured in such a way as to prevent disabling of the client.

EDR client configurations are centrally managed. Local configuration overrides are possible and permitted if system performance is impacted or there is the potential for data corruption. The possible configuration changes include excluding files and directories from scanning, excluding individual processes from scanning, or limiting the amount of resources used by the client. Uninstalling the client is not recommended. Waivers should be filed with the Information Security Office, and mitigation measures deployed.

EDR Operations Management

ITS will: 

  1. Configure the EDR system. 
  2. Provide support and training to technicians. 
  3. Sort devices into device groups and scope user access. 
  4. Configure system roles and add users to those roles. 

Technicians should: 

  1. Monitor and respond to security incidents. 
  2. Monitor the health of clients and ensure they are functioning correctly. 
  3. Review security recommendations and follow ITS guideline GDL-3000.07D: System Patching Guidelines.

Non-University Owned Endpoints 

Non-University owned Endpoints that connect to the University’s network and resources should have Malware and Threat protection software installed. The software should be configured for: 

  1. Real-time scanning of files, folders, and processes.
  2. Automated detection and response to infections and attacks.
  3. Removal of infected files by quarantining or deletion.
  4. Automated signature definition updates. 

Misconfigured or Compromised Devices

University IT personnel have the option to disconnect misconfigured or compromised devices from the University network. 

Full Document

Intended Audience: University personnel responsible for deploying and managing Endpoints 
Guideline Owner: Director of Information Security 

1. Definitions 

Endpoint 

Any server, workstation, or mobile device managed by the University or connected to the University’s network. 

Malware 

Forms of malicious software including but not limited to computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware, and other malicious and unwanted software (OCIO 141.10). 

System Custodian 

An individual responsible for the technical management of a University-owned system such as a workstation, server, router, switch, printer, controller, or other network-attached device. They implement the best practices defined by the System Steward and perform operational duties. 

System Steward 

An individual responsible for management of a University-owned system such as a workstation, server, router, switch, printer, controller, or other network-attached device. They may create and enforce management and access policies. They are often referred to as Business Owners. 

Threat 

Any circumstance or event (human, physical, or environmental) with the potential to cause harm to an IT system in the form of destruction, disclosure, adverse modification of data, and/or denial of service by exploiting a Vulnerability (OCIO 141.10).

Vulnerability 

A point of risk that could result in penetration of a security barrier. Awareness of potential vulnerabilities is key to designing more effective defenses against attack by unauthorized parties (OCIO 141.10). 

Vulnerability Assessment 

A comprehensive analysis that attempts to define, identify, and classify the security holes (vulnerabilities) in a system, network, or communications infrastructure (OCIO 141.10). 

2. Introduction 

All University network-connected Endpoints should be protected from Threats and Malware. Infected Endpoints are dangerous to University systems and data; they may result in interrupted University operations, loss of institutional reputation, legal problems, and financial loss. 

3. University Endpoints 

To ensure Endpoint protection, the University’s Information Technology Services (ITS) work unit provides and supports an enterprise Malware and Threat protection solution for University-managed devices. This solution also provides advanced Endpoint detection and response capabilities and is referred to as an Endpoint Detection and Response (EDR) solution. 

3.1 EDR Capabilities 

OCIO 141.10: 5.7(3), 5.7(4), 5.7(5) 

Key features of the EDR solution include: 

  1. Real-time scanning of files, folders, and processes.
  2. Automated detection and response to infections and attacks.
  3. Removal of infected files by quarantining or deletion.
  4. Vulnerability Assessments (scanning) and risk scoring.
  5. Centralized management and integration with other University security tools.
  6. Role-based access control.
  7. Automated signature definition updates.
  8. Detection of infections by use of machine learning.
  9. Integration with the vendor’s intelligence.
  10. Pre-configured dashboards and reports.
  11. Automated and custom alerting.
  12. System software inventory.
  13. Monitoring of the health of deployed clients.

3.2 EDR Client Installation and Configuration 

OCIO 141.10: 5.7(1), 5.7(2) 

The University’s EDR solution is a software-as-a-service (SaaS) application that relies on deployment of an Endpoint client. System Stewards are responsible for ensuring clients are deployed to all University-managed Endpoints, and System Custodians are responsible for the actual client deployments. 

3.2.1 Installation of EDR Client

OCIO 141.10: 5.7(1) 

The EDR client should: 

  1. Be installed on every Endpoint.
  2. Be installed during the system build process.
  3. Be configured in such a way as to prevent disabling of the client.

3.2.2 EDR Client Configuration Overrides

EDR client configurations are centrally managed. Local configuration overrides are possible and allowed if system performance is impacted or if there is the potential for data corruption. Possible configuration changes include excluding files and directories from scanning, excluding individual processes from scanning, or limiting the amount of resources used by the client. Uninstalling the client is not recommended. Waivers should be filed with the Information Security Office, and mitigation measures deployed.

3.3 EDR Operations Management

3.3.1 ITS Responsibilities

ITS will: 

  1. Configure the EDR system.
  2. Provide support and training to System Custodians.
  3. Sort devices into device groups and scope user access.
  4. Configure system roles and add users to those roles.

3.3.2 System Custodian Responsibilities

System Custodians should:

  1. Monitor and respond to security incidents.
  2. Monitor the health of clients and ensure they are functioning correctly.
  3. Review security recommendations and follow ITS guideline GDL-3000.07D: System Patching Guidelines. 

4. Non-University Owned Endpoints 

Non-University owned Endpoints that connect to the University’s network and resources should have Malware and Threat protection software installed. The software should be configured for:

  1. Real-time scanning of files, folders, and processes.
  2. Automated detection and response to infections and attacks.
  3. Removal of infected files by quarantining or deletion.
  4. Automated signature definition updates.

5. Misconfigured or Compromised Devices 

University IT personnel have the option to disconnect misconfigured or compromised devices from the University network. 

6. Authority 

  1. University policy POL-U3000.07 - Securing Information Systems
  2. Washington State Office of the Chief Information Officer (OCIO) 141.10 - Securing Information Technology Assets Standards

7. References 

  1. NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations 
  2. OCIO 141: Securing Information Technology Assets 
  3. Information Technology Services guideline GDL-3000.07D: System Patching Guidelines 

Change Log

  Revised      Version   Author           Approver                               Change
  07/30/2021   1.0       Beth Albertson   ITS Standards & Guidelines Committee   Original Version