Standard: ISO / Endpoint protection

Scope: Who is covered by this Standard?

  • All employees (faculty and staff), employed students, and others who use University-owned devices, including computers, lab equipment, servers, laptops, desktop computers, mobile devices, cellular devices, software containers, and virtual machine images
  • This standard applies to all University campuses and all other University-related locations
  • This standard applies to all University owned devices

Purpose

The University is implementing an effective and modern software safeguard to better protect institutional data and systems from malicious actors. Given the expanding cyber threat landscape and the rise in ransomware activity worldwide, the University is employing a tool called Endpoint Detection and Response (EDR) to recognize and quickly respond to malicious system behavior. EDR tools help detect malicious activity, even in a remote work environment, and rapidly mitigate or isolate it to prevent further disruption to employees' work and University systems.

Standard

  • Miami University's EDR protection offers multiple security tool components, including next-generation anti-virus, threat intelligence, and around-the-clock detection and response. This tool helps the University respond quickly to advanced attacks that use malware (malicious software such as ransomware or information stealers) or stolen credentials to move laterally across a network and exfiltrate data
  • In keeping with the MUPIM Responsible Use of University Resources policy, the University employs various measures to protect the security of University computing resources and users' accounts, and the use of these measures has been approved by the Chief Information Officer (CIO). EDR tools monitor endpoint process executions, file reads and writes, network activity, and process relationships (which process started which) to build a model of what is happening on a computer. Using this model, an EDR tool can apply hash matching (indicators of compromise, which catch known-bad files), pattern matching (indicators of attack, which catch suspicious behavior even from files not seen before), proprietary intelligence drawn from other incidents, machine learning, and a staffed operations center to detect malicious activity
  • By deploying this tool, we are better able to protect data that faculty may have, as well as administrative data across the University. Quickly detecting these attacks also helps to protect individuals' personal data and credentials, like online banking usernames and passwords
  • EDR agent software installed on endpoints must not be removed or tampered with
  • Responsibilities for monitoring and response to alerts, notifications, events, and incidents discovered by the tool shall be defined elsewhere in procedure documents specific to our implementation of the EDR solution
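As an added illustration of the detection model described above (example code written for this page, not part of the University's EDR product or this standard), the following Python runs an indicator-of-compromise hash lookup and two indicator-of-attack behavior rules over a constructed set of process events. The hash values, process names, thresholds and file paths are assumed for illustration; the point it shows is that the hash rule only fires on the known-bad payload, while the behavior rules also catch the legitimate script host that a macro misuses.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProcessEvent:
    """One process-start record with the file writes the agent observed for it."""
    pid: int
    ppid: int
    image: str           # executable file name
    sha256: str          # hash of the executable on disk
    cmdline: str
    file_writes: List[str] = field(default_factory=list)


# Indicator of compromise (IOC): hashes already known to be malicious.
# Constructed value; a real deployment pulls these from threat intelligence.
KNOWN_BAD_SHA256: Dict[str, str] = {"a" * 64: "constructed ransomware sample"}

# Assumed parameters for the indicator-of-attack (IOA) rules.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
MASS_WRITE_THRESHOLD = 20


def ioc_matches(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """IOC matching: exact hash lookup. Catches known samples, misses anything new."""
    hits: Dict[int, List[str]] = {}
    for e in events:
        label = KNOWN_BAD_SHA256.get(e.sha256.lower())
        if label:
            hits.setdefault(e.pid, []).append(f"IOC: image hash matches {label}")
    return hits


def ioa_matches(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """IOA matching: behavior patterns over process relationships and file writes."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = {}
    for e in events:
        parent = by_pid.get(e.ppid)
        tokens = e.cmdline.lower().split()
        # Rule 1: an Office application spawns a script host with an encoded command.
        # The script host is a legitimate binary, so no hash rule would fire on it.
        if (parent is not None
                and parent.image.lower() in OFFICE_APPS
                and e.image.lower() in SCRIPT_HOSTS
                and any(t.startswith("-enc") for t in tokens)):
            hits.setdefault(e.pid, []).append(
                f"IOA: {parent.image} spawned {e.image} with an encoded command")
        # Rule 2: a burst of file writes that all end in the same extension,
        # the trail left when ransomware renames documents as it encrypts them.
        exts = {path.rsplit(".", 1)[-1].lower() for path in e.file_writes if "." in path}
        if len(e.file_writes) >= MASS_WRITE_THRESHOLD and len(exts) == 1:
            hits.setdefault(e.pid, []).append(
                f"IOA: {len(e.file_writes)} files written with extension .{exts.pop()}")
    return hits


def detect(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Combine IOC and IOA findings per process id."""
    findings: Dict[int, List[str]] = {}
    for source in (ioc_matches(events), ioa_matches(events)):
        for pid, reasons in source.items():
            findings.setdefault(pid, []).extend(reasons)
    return findings


# Constructed telemetry (not captured from any real host).
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "1" * 64, "explorer.exe"),
    ProcessEvent(200, 100, "WINWORD.EXE", "2" * 64, "WINWORD.EXE invoice.docm"),
    # Genuine PowerShell (hash unknown to the IOC list) launched by a macro.
    ProcessEvent(300, 200, "powershell.exe", "3" * 64,
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    # Dropped payload: hash is on the IOC list, and it mass-renames documents.
    ProcessEvent(400, 300, "updater.exe", "a" * 64, "updater.exe",
                 file_writes=[f"C:\\Users\\u\\Documents\\doc{i}.docx.locked" for i in range(25)]),
    # Benign browser: many writes, but to mixed extensions, so rule 2 stays quiet.
    ProcessEvent(500, 100, "chrome.exe", "5" * 64, "chrome.exe",
                 file_writes=[f"C:\\Users\\u\\AppData\\cache{i}.{ext}"
                              for i, ext in enumerate(["tmp", "json", "dat", "log"] * 6)]),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Running it flags process 400 on both the hash rule and the mass-rename rule, and process 300 on the behavior rule alone; the browser with many writes to mixed extensions produces nothing. The thresholds and rule shapes are deliberately simple; a production EDR layers many such rules with intelligence from other incidents and analyst review, as the standard describes.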

 

Computing Assets

  • This tool shall be deployed on all Miami University-owned computers, lab computers, servers, laptops, desktop computers, mobile devices, cellular devices, software containers, and virtual machines
  • Exemptions will be available for devices that would be negatively impacted. For example, manufacturing machines or other equipment with embedded, vendor-supplied computers may not allow or accommodate an EDR agent. Another example is a computer security laboratory with a controlled environment that intentionally contains malicious samples or behavior
  • Exemptions will be available for devices running Operating Systems incompatible with the EDR agent, though additional mitigating controls may be required in such circumstances
  • Exemptions will be approved on a case by case basis by the Information Security Office (ISO) and reviewed for renewal annually
  • This tool will not be deployed on networking infrastructure devices; IoT devices (vending machines, laundry machines, door swipes); SCADA equipment; instrumentation devices; air-gapped computers or servers; Crestron devices; cash registers; mobile police devices; parking scanners; personal devices; personal cellular devices for which employees receive stipends; and similar equipment
  • While a device has no network connectivity ('offline'), the agent continues to collect telemetry locally and forwards it to the EDR console once connectivity returns. Devices that have Internet access but are not on the University network ('off network') continue to send telemetry to the EDR console directly

 

Application Installation and Management

  • Where possible, installation of the tool will be done automatically by IT Services' centralized management tools. For devices not under centralized management, the local IT support staff responsible for the device will install it manually
  • The ISO is responsible for auditing compliance and informing local IT support groups of instances of non-compliance for remediation
  • Local IT support groups are responsible for maintaining and providing an inventory of assets under their support to the ISO for compliance auditing
  • SLA requirements for response to events discovered by the tool will be risk-based and defined in the implementation standard
  • Host-based firewalls must be configured to allow communication between the endpoint software agent and the EDR console; an agent that cannot reach the console cannot report or receive response actions. Where possible, these configurations will be applied through IT Services' centralized management tools. For devices not under centralized management, the responsible local IT support staff will configure them manually

 

Licensing, Maintenance and Support

  • IT Services will sponsor and manage licensing, configuration, maintenance, and support

 

Audit Controls and Management

  • EDR logs, events, and alerts must be centrally monitored and regularly maintained
  • Data gathered by the EDR software agents will be encrypted in transit and at rest
  • Access to data gathered by the EDR software agents will be limited to those in need of the data to perform responsibilities in accordance with the principle of least privilege, including IT Services and responsible local IT support staff

 

Exceptions

  • Exceptions to any provision of this policy or supplemental standards, requirements, guidelines, and practices must be approved by the Chief Information Security Officer

 

Standard Administration

Next Review Date

  • 12/01/2024

 

Responsible Officer

  • Vice President for Information Technology & Chief Information Officer

 

Contact

  • Assistant VP for IT Services Security, Compliance, and Risk Management

 

Approval(s) and Date(s)

  • Initial Approval: 22 November 2022