Information Security
Device Threat Protection Standard
Last modified 2/26/2026
Purpose
The purpose of the Device Threat Protection Standard is to establish threat protection controls for ISU systems to ensure they remain secure, stable, and compliant with regulatory requirements through a structured approach to threat protection.
Scope
This standard applies to all systems owned or managed by or on behalf of the University ("systems") where the device operating system is supported by Defender [2], including but not limited to servers and endpoints. This standard is relevant to all University departments and units that manage, maintain, or use University systems, including those that utilize vendor management of these systems.
Scope Exemptions
Devices exclusively running Google Android, Apple iOS, or Apple iPadOS as the device operating system are exempt from this standard.
Devices exclusively running an appliance image [4] as the device operating system are exempt from this standard.
Standard
University teams and departments ("teams") managing systems or access within this standard's scope must meet the following criteria:
- Systems must utilize a standardized naming convention resulting in unique system hostnames [1].
- Defender must be locally installed and onboarded to Defender Cloud services.
- Local Defender agents must have the supporting team's device tag applied [3].
- Defender must be set to Active AntiVirus mode [5].
- Locally-installed Defender components must be maintained up-to-date including the Engine, Platform, and Security Intelligence (Definitions).
- The following Defender services must be locally enabled on devices:
  - Antivirus Services
  - Behavior Monitoring
  - Cloud Protection
  - Potentially Unwanted Application (PUA) Protection
  - Real Time Protection
  - Tamper Protection
  - Periodic Scans
- Teams must have a process to document, review, and approve business cases for adding local file/folder path scan exceptions.
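The following PowerShell check is an added example and is not part of this standard or of ISU tooling; it reads the local Defender state with the built-in Get-MpComputerStatus and Get-MpPreference cmdlets and the Defender for Endpoint registry keys, and reports each requirement above as PASS or FAIL. The tag value "isuabcd" is the placeholder format from the footnotes, and the 7-day scan and 3-day definition-age thresholds are illustrative assumptions, not values the standard sets.

```powershell
# Added example (not ISU code): compare a Windows device against the Defender
# requirements of the Device Threat Protection Standard. Run elevated.
$RequiredTag = 'isuabcd'   # placeholder; use the team's tag from the naming convention page
$MaxScanAgeDays = 7        # assumed threshold for "Periodic Scans"
$MaxSigAgeDays  = 3        # assumed threshold for "up-to-date" Security Intelligence

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Onboarding state and device tag are stored under the Defender for Endpoint keys.
$onboard = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
$tagKey  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging' -ErrorAction SilentlyContinue

$checks = [ordered]@{
    'Onboarded to Defender cloud'      = ($onboard.OnboardingState -eq 1)
    'Device tag applied'               = ($tagKey.Group -eq $RequiredTag)
    'Active (not Passive) AV mode'     = ($status.AMRunningMode -eq 'Normal')
    'Antivirus service enabled'        = $status.AntivirusEnabled
    'Behavior Monitoring'              = $status.BehaviorMonitorEnabled
    'Cloud Protection (MAPS)'          = ($pref.MAPSReporting -ge 1)
    'PUA Protection (block mode)'      = ($pref.PUAProtection -eq 1)
    'Real Time Protection'             = $status.RealTimeProtectionEnabled
    'Tamper Protection'                = $status.IsTamperProtected
    'Periodic scan within threshold'   = (($status.QuickScanAge -le $MaxScanAgeDays) -or ($status.FullScanAge -le $MaxScanAgeDays))
    'Definitions within threshold'     = ($status.AntivirusSignatureAge -le $MaxSigAgeDays)
}

# Path exclusions are allowed only with a documented, approved business case;
# list them so a reviewer can reconcile them against the team's approval records.
$exclusions = @($pref.ExclusionPath)

foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    '{0,-34} {1}' -f $name, $(if ($ok) { 'PASS' } else { 'FAIL' })
}
'Engine {0}, Platform {1}, Definitions {2}' -f $status.AMEngineVersion, $status.AMProductVersion, $status.AntivirusSignatureVersion
'Path exclusions ({0}): {1}' -f $exclusions.Count, ($exclusions -join '; ')
```

A FAIL on the mode check when AMRunningMode reports "Passive Mode" or "EDR Block Mode" indicates another antivirus product is registered as primary, which is what footnote 5 describes.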
Exceptions
While this standard is intended to apply comprehensively, there may be instances where certain systems or support teams are unable to meet the full requirements. In such cases, exceptions must be formally requested and reviewed.
Requests for exceptions must be submitted to the Information Security Office through the University’s ticketing system or by emailing informationsecurityoffice@ilstu.edu. Each request must include:
- The information technology team and functional business units associated with the exception request
- Systems affected by the exception
- A detailed use case explaining why the exception is necessary and what compensating security controls, if any, will be implemented
The Information Security Office will review all exception requests in accordance with the Information Security Program's exception management process. Approval will be granted only when it is determined that operational needs outweigh the security risks, and where appropriate compensating controls are in place to mitigate those risks. All approved exceptions will be documented, periodically reviewed, and may be subject to additional security monitoring.
Additional Information
Footnotes
The following notes are referenced from the other sections of this document:
- [1] Standardized naming conventions and unique hostnames ensure that every device is uniquely identifiable from other devices within the Defender security system and in Information Security Office reports. Systems that are frequently rebuilt with a reused hostname, such as virtualized endpoints (VDI), should utilize the non-persistent Defender agent to prevent object duplication inside the Defender portal.
- [2] Defender-supported operating systems can be found here: Defender Supported Operating Systems.
- [3] Local device tags are applied to local agents and denote the system owner in the Defender management portal. Instructions for applying tags can be found on the Microsoft Machine Tag page. The names of each tag can be found on the Team Attribute Naming Convention page. The tag format is "isuabcd".
- [4] Systems running an appliance image (a full system firmware/software image) may not support Defender due to vendor OS customizations, even if the parent OS is supported by Microsoft for Defender. Further, a lack of administrative access to the underlying operating system, or revocation of vendor support after changes to the underlying operating system, creates significant challenges for installing Defender on appliances (e.g., Cisco appliances).
- [5] Defender AntiVirus can be set to Active or Passive mode. Active is the normal operation mode; Passive mode disables a number of features.
Roles & Responsibilities
Role | Responsibilities
Chief Information Security Officer (CISO) | Oversees security operations management, governance, and compliance.
System/Application/Endpoint Administrators | Responsible and accountable for security operations.
ISO Team | Monitors threat intelligence, reports on security operations, and assesses risks.
Compliance
The Information Security Office will report on remote access status to ensure compliance with this standard and University policies. Systems out of compliance with this standard or the University Security Program policy will be escalated for remediation planning, and continued noncompliance may result in systems being segmented from the University network.
Supporting References
The following information provides supporting references that informed the development of this standard:
Information Security Program Policy: https://policy.illinoisstate.edu/technology/9-8/
CIS Controls v8.1: https://www.cisecurity.org/controls/v8-1
Microsoft Defender for Endpoint: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint
CIS Control v8 Guidance
Illinois State University leverages the CIS Controls framework, validated through the CIS Community Defense Model, to ensure our cybersecurity measures effectively mitigate the most prevalent real-world threats, including those identified in the MITRE ATT&CK framework, thereby enhancing our defenses against known adversary behaviors.
10.1 Deploy and Maintain Anti-Malware Software: Deploy and maintain anti-malware software on all enterprise assets.
10.2 Configure Automatic Anti-Malware Signature Updates: Configure automatic updates for anti-malware signature files on all enterprise assets.
10.4 Configure Automatic Anti-Malware Scanning of Removable Media: Configure anti-malware software to automatically scan removable media.
10.5 Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
10.6 Centrally Manage Anti-Malware Software: Centrally manage anti-malware software.
13.7 Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
10.7 Use Behavior-Based Anti-Malware Software: Use behavior-based anti-malware software.
Feedback
To suggest an update to this article, ISU students, faculty, and staff should submit an Update Knowledge/Help Article request and all others should use the Get IT Help form.