For decades, the University has invested in antivirus suites in the hope of overcoming the challenges of IT security. Antivirus software offered a means of blocking known malware by scanning files as they were written to disk. If a file was “known” to the scanner’s database of malicious files, the software would prevent it from executing.
An antivirus database consists of a set of signatures: hashes of malware files and/or rules that describe a set of characteristics a file must match. Such characteristics typically include human-readable strings or byte sequences found inside the malware executable, file type, file size and other file metadata.
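To make the two signature kinds concrete, the following is an added example written for this page (it is not code from the University, ITS or any antivirus vendor). It scans constructed byte strings, embedded inline so it runs offline, against a tiny database holding one hash signature and one characteristics rule; the sample names, the rule fields and the “files” themselves are illustrative assumptions. The “variant” sample shows why a hash alone is brittle: appending a single byte of padding changes the hash, but the rule still matches because the strings and byte sequence it keys on are untouched.

```python
"""Illustrative antivirus-style signature matching (added example, not vendor code)."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample "files" (not real malware): a PE-like header followed by
# strings a rule can key on. Embedded inline so the example runs offline.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
SAMPLE_MALWARE = PE_STUB + b"cmd.exe /c del /f /q C:\\Users\\*\x00" + b"\x90\x90\x90\xcc"
SAMPLE_BENIGN = PE_STUB + b"Hello, world!\x00"
# A "repacked" variant: identical content with one trailing byte of padding.
SAMPLE_VARIANT = SAMPLE_MALWARE + b"\x00"


@dataclass
class Rule:
    """A characteristics-based signature: every listed condition must hold."""
    name: str
    strings: list = field(default_factory=list)    # human-readable strings
    byte_seqs: list = field(default_factory=list)  # raw byte sequences
    magic: Optional[bytes] = None                  # required file-type prefix
    max_size: Optional[int] = None                 # file size bound

    def matches(self, data: bytes) -> bool:
        if self.magic is not None and not data.startswith(self.magic):
            return False
        if self.max_size is not None and len(data) > self.max_size:
            return False
        if not all(s.encode() in data for s in self.strings):
            return False
        return all(seq in data for seq in self.byte_seqs)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SignatureDb:
    """A hash list plus a rule list, the two signature kinds the text describes."""

    def __init__(self, hashes: dict, rules: list):
        self.hashes = hashes  # sha256 hex -> signature name
        self.rules = rules

    def scan(self, data: bytes) -> list:
        """Return the names of every signature the file matches ([] = unknown)."""
        hits = []
        name = self.hashes.get(sha256_hex(data))
        if name:
            hits.append("hash:" + name)
        for rule in self.rules:
            if rule.matches(data):
                hits.append("rule:" + rule.name)
        return hits


def build_db() -> SignatureDb:
    # Hypothetical signature names; the hash entry covers exactly one file.
    return SignatureDb(
        hashes={sha256_hex(SAMPLE_MALWARE): "Trojan.Sample.A"},
        rules=[Rule(name="Trojan.Sample.Gen",
                    strings=["cmd.exe /c del /f /q"],
                    byte_seqs=[b"\x90\x90\x90\xcc"],
                    magic=b"MZ",
                    max_size=1024)],
    )


if __name__ == "__main__":
    db = build_db()
    for label, blob in [("original", SAMPLE_MALWARE),
                        ("variant", SAMPLE_VARIANT),
                        ("benign", SAMPLE_BENIGN)]:
        print(f"{label:8s} -> {db.scan(blob) or 'clean (unknown to scanner)'}")
```

Run as a script it prints one verdict per sample; the original hits both the hash and the rule, the padded variant hits only the rule, and the benign file is reported clean. A real product keys on the same idea at far larger scale, which is exactly why the database must be refreshed continuously.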
Antivirus software also performs basic heuristic analysis of running processes and checks the integrity of important system files. These “after-the-fact” or post-infection checks were added to antivirus products over time and delivered as signature updates.
As the sophistication and prevalence of malware threats have grown over the past ten years, the shortcomings of antivirus have become all too apparent. A flood of new malware samples is released every day, outstripping antivirus suppliers’ ability to keep their signature databases up to date. Because a hash signature matches only one exact file, a sample that has been repacked or trivially modified is unknown to the scanner until a new signature is written and distributed.
The Endpoint Detection and Response (EDR) approach focuses on collecting telemetry from the endpoint and examining it for malicious or anomalous patterns in real time, in addition to blocking malicious files. EDR offers visibility into which file modifications, process creations and network connections occurred on the endpoint, which is vital for threat hunting and incident response.
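The following added example (written for this page; it is not ITS code and not Microsoft Defender for Endpoint output or query syntax) shows what “examining telemetry for anomalous patterns” looks like in practice. It consumes a constructed stream of the three event classes named above, one JSON object per line, and applies three behavioural checks that need no file signature at all: an Office application spawning a script interpreter, an interpreter with an obfuscated command line making an outbound connection, and a newly written file being executed. The event format, the process names and the addresses are illustrative assumptions; the process tree rebuilt for each alert is the kind of context an incident responder pivots on.

```python
"""Illustrative EDR-style behavioural detection over endpoint telemetry (added example)."""
import json
import ntpath

# Constructed telemetry (not real sensor output): one JSON event per line, in
# timestamp order, covering process creation, file write and network events.
TELEMETRY = r"""
{"ts": 100, "type": "process", "pid": 410, "ppid": 1, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "cmdline": "WINWORD.EXE invoice.docm"}
{"ts": 101, "type": "process", "pid": 522, "ppid": 410, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"}
{"ts": 102, "type": "network", "pid": 522, "dst": "203.0.113.7", "dport": 443}
{"ts": 103, "type": "file", "pid": 522, "path": "C:\\Users\\alice\\AppData\\Roaming\\update.exe", "op": "write"}
{"ts": 104, "type": "process", "pid": 600, "ppid": 522, "image": "C:\\Users\\alice\\AppData\\Roaming\\update.exe", "cmdline": "update.exe"}
{"ts": 110, "type": "process", "pid": 700, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"ts": 111, "type": "process", "pid": 701, "ppid": 700, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"}
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_ARGS = ("-enc", "-w hidden", "-nop")  # common obfuscation/hiding switches


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def parse(telemetry: str) -> list:
    return [json.loads(line) for line in telemetry.splitlines() if line.strip()]


def ancestry(procs: dict, pid: int) -> list:
    """Walk ppid links to rebuild the process chain an analyst would pivot on."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def detect(telemetry: str) -> list:
    """Return (pid, detection name, process chain) for each suspicious pattern."""
    procs = {}    # pid -> process event, filled as events arrive (like a live sensor)
    written = {}  # lower-cased path -> pid that wrote it
    alerts = []
    for e in parse(telemetry):
        if e["type"] == "process":
            procs[e["pid"]] = e
            child = basename(e["image"])
            parent = procs.get(e["ppid"])
            if parent and basename(parent["image"]) in OFFICE and child in INTERPRETERS:
                alerts.append((e["pid"], "office-spawns-interpreter", ancestry(procs, e["pid"])))
            writer = written.get(e["image"].lower())
            if writer is not None:
                alerts.append((e["pid"], f"executed-file-dropped-by-pid-{writer}",
                               ancestry(procs, e["pid"])))
        elif e["type"] == "file" and e["op"] == "write":
            written[e["path"].lower()] = e["pid"]
        elif e["type"] == "network":
            p = procs.get(e["pid"])
            if p and basename(p["image"]) in INTERPRETERS and \
                    any(a in p["cmdline"].lower() for a in SUSPICIOUS_ARGS):
                alerts.append((e["pid"], f"obfuscated-interpreter-beacon-{e['dst']}:{e['dport']}",
                               ancestry(procs, e["pid"])))
    return alerts


if __name__ == "__main__":
    for pid, name, chain in detect(TELEMETRY):
        print(f"pid {pid}: {name}  chain: {' -> '.join(chain)}")
```

Run as a script it raises three alerts for the Word-to-PowerShell chain and none for the explorer/notepad activity, and each alert carries the full parent chain (winword.exe -> powershell.exe -> update.exe). None of the three checks needed to know the dropped file in advance, which is the difference between this telemetry-driven approach and the signature lookup of a traditional antivirus product.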
Since 2022, the University has invested in IT security infrastructure and Microsoft Defender for Endpoint (MDE) licenses to offer EDR protection to end-user desktops and notebooks.
Desktops and notebooks newly purchased by departments from contracted suppliers under the University bulk purchase agreement will include EDR protection via the “Autopilot” enrollment mechanism.
Existing domain-joined workstations and notebooks connected to the campus network will be provisioned with the MDE software and have EDR protection enabled in phases. ITS will collaborate with departments’ Computer Liaison Officers to trial EDR protection on selected departmental machines in the coming weeks, with full rollout to all departments commencing November 2022.