Improved Endpoint Protection

Endpoint protection is the practice of securing endpoints (such as desktops and laptops) from being exploited by malicious actors and campaigns. The university is implementing improved endpoint protection through the use of two technology solutions (EDR, or endpoint detection and response; and DLP, or data loss prevention) that will help Virginia Tech mitigate cyber threats and maintain the security, integrity, and availability of the university’s information systems. This project includes implementation of a tool called Microsoft Defender for Endpoint. Microsoft Defender for Endpoint provides both EDR and DLP services on university-owned computers and other endpoints.  
 
We are currently at the beginning of a roll-out phase for Microsoft Defender for Endpoint where departments are opting in to implement the tool on Virginia Tech-owned computers assigned to their faculty and staff.

In this context, ‘endpoint’ refers to university-owned desktops and laptops that connect to the university network or to university resources. Virginia Tech’s online resources are expansive and include all our wired and wireless infrastructure for providing internet access, as well as our collaboration tools and software products that are integrated to work together or in parallel.  
 
We have strong protections at the edges of our network – the places where information passes in and out of the Virginia Tech space and out into the wider world — but we have been less protected against threats that come from inside our own network. When someone’s computer or device is infected with malware or compromised through a cyberattack, it often begins behaving in ways that expand the problem to other computers in the network. This can happen without the user’s knowledge, and sometimes it can be several days or weeks before the problem can be discovered and mitigated. That’s where improving endpoint protection is of particular help – it detects unusual activity that would indicate that an endpoint is susceptible to compromise or in fact IS compromised, which will help to contain and resolve incidents more quickly, and limit the damage created. The tool can also warn a user if they are sharing sensitive data.

Endpoint Detection and Response (EDR) is a cybersecurity solution that continuously monitors and responds to potential security vulnerabilities on endpoints. It provides real-time detection and response capabilities to identify and mitigate security incidents as well as to identify vulnerabilities that put a computer and the data stored on the computer at risk. It can identify both known cyber threats and can identify behaviors that are likely to be a new cyber threat.

Data Loss Prevention (DLP) is a security strategy that helps organizations prevent the unauthorized disclosure of sensitive data by monitoring, detecting, and preventing data breaches. DLP solutions can identify, track, and control the flow of sensitive data (for example, social security or credit card numbers) within an organization.  

Cyberthreats are pervasive and real. Parties with malicious intent are using increasingly advanced and automated cyberattacks. The university’s network and computers are under constant attack by organized criminals, nation-state entities, hackers, and anarchic or activist groups with goals of financial gain, espionage and theft of intellectual property, or to promote their sociopolitical goals.

In fall 2021, the university conducted a comprehensive IT Assessment and Cybersecurity Review. This review resulted in 20 recommendations, six of which focused on reducing cyber risk and strengthening our security posture. Implementing these increased cybersecurity protections as part of the IT Transformation Program is a high priority for Virginia Tech.  

The university must take action to protect intellectual property, financial information, the personal information of employees and students, and other sensitive data. We have had measures and tools in place to do this for many years, but as the threat landscape evolves, our protections must also evolve. We are in the process of increasing our use of technical tools and capabilities that will mitigate cyber risk to protect the university’s assets as well as the privacy of our community members. Virginia Tech is not unique in taking these steps – EDR and DLP are widely implemented in most corporations and government agencies, as well as at many universities.

Antivirus software is still an important part of our cyber-defense strategy, but it’s not the same thing as EDR or DLP. Antivirus software is designed to identify and remove known viruses and malware from your devices.  
 
Microsoft Defender for Endpoint and our other endpoint protection solutions focus instead on detecting and responding to suspicious activities occurring on a computer using advanced behavior-based analysis and machine learning algorithms that enable a response to previously unknown threats.

Being the victim or target of a successful cyberattack is a painful personal experience, and can result in significant financial, reputational, and theft-related exposure both for the person whose computer is breached, and for the university. Even if it is possible to curtail the damage to funds, data, and other resources, you and your contacts still will lose significant time while the issue is quarantined and resolved. These types of damage are what we are working to prevent on an individual level.  
 
At the university level, a successful cyberattack could create widespread and long-lasting disruption of critical services, impede instruction, cause outages of online resources, and result in the loss of money, research or administrative data, or intellectual property. The reality of these possibilities cannot be ignored.
 
You may never be aware of the number or extent of the problems that the implementation of these tools will prevent in your work life, just as you may never know how and when other safety measures are keeping you safe in other areas of your life – but statistical evidence shows that these tools, like other safety technologies, are needed and provide a substantial benefit.

Protecting privacy and freedom of inquiry is of critical importance to everyone in the university community. 

These security initiatives will be implemented with transparency. As per Policy 7035, tools will not be used in ways that are inappropriate or that do not comport with Virginia Tech’s commitment to academic freedom.

Access to employees’ electronic data is governed under Policies 7010, 7105, and 7035. Here’s a summary of the guidelines provided:

1. Access will occur only for legitimate business or IT security compliance purposes;
2. Access must be authorized by one or more appropriate and accountable authorities;
3. Except as described in these policies, the university will obtain consent before an employee’s information is accessed;
4. Access will be limited to the minimum degree necessary to accomplish the specified cybersecurity-related purpose;
5. Within the limits of our storage capacity, records will be kept for a limited time to enable a review of compliance with these policies, but will then be deleted; and
6. Information describing the process for access is available to all persons affected by these policies.

A very limited number of university IT personnel will manage the tools and the data. The people holding the specific positions that have access to this data are held to the highest expectations of integrity, professionalism, and ethics, and many have non-disclosure agreements in effect. This means that these IT personnel would be subject to disciplinary action or additional penalties if unauthorized treatment of data ever occurred.

Data is stored for 180 days.

Yes. These endpoint protection tools are increasingly becoming essential for business continuity, security, risk mitigation, compliance, and data protection in the higher education community. Many of our peer universities across the U.S. are currently utilizing some or all of these tools and their use continues to increase, including in corporations and government agencies. We need to match the level of protections in place at these corporations, universities, and government bodies, lest we become an ever-more appetizing target for cyberattacks.

You should work with your local IT support personnel to know if these tools are being activated on your university-owned endpoints. You may need to assist with that. You should be aware that when using university-owned endpoints (computers and other devices) and/or accessing university-owned or university-managed IT systems (including Google Workspace and Microsoft M365), the automated security tools are activated. Each of us has a responsibility to protect our information and resources and to be aware of cyber risks. You can review university information technology policies, standards and guidelines at the Division of IT website - it.vt.edu/policies.

Data from personally-owned devices is also subject to security monitoring when connected to the university network infrastructure, including Wi-Fi, or when accessing services provided by the university. The devices themselves are not included in security monitoring, only the data that goes over the university’s network. 

No, this new technology does not compromise the ability of researchers to comply with Institutional Review Board (IRB) requirements to maintain the confidentiality of the data that is collected. Protocols required by the IRB mandate that adequate provisions be made to protect the privacy of research participants and to maintain the confidentiality of the data. This new technology will offer additional protections and further minimize the risk of data and security breaches. Researchers that collect sensitive information that is potentially identifiable, protected health information, or research health information should consult with the Privacy and Research Data Protection program (prdp@vt.edu) to discuss options for secure data storage.

No. There is no connection between the two -- the Division of IT does not administer the FOIA process, and the FOIA process is entirely separate from the Improved Endpoint Protection effort. 

For more information about FOIA, visit the university’s FOIA policy page. 

Microsoft Defender for Endpoint (MDE) is designed to help the university prevent, detect, investigate, and respond to advanced cybersecurity threats. It works in three ways:

• MDE checks to see if programs or files are being accessed in unusual ways. It collects and sends this data to private, isolated, and protected cloud storage.

• MDE analyzes the data to determine if active threats are present, and if so, how severe the issue is and what the response should be.

• Members of the cybersecurity community in the government, commercial and private sectors provide reports on the internet-based threats and attacks they are encountering, and these reports are all collected to help MDE better identify, notify, and rectify attacks against your data.

For more information, visit https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide.

Microsoft Defender for Endpoint (MDE) uses AI for adaptive device protection. When MDE (running in the background on a computer) detects a security anomaly, threat information is shared with a cloud service that uses the device’s security status to adjust how aggressively to block the potential threat. This is particularly useful where a human operator is attacking the computer with ransomware and adapting the attack to conditions on the computer. For more information, visit https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/ai-driven-adaptive-protection-in-microsoft-defender-for-endpoint/ba-p/2966491

The endpoint detection and response (EDR) component of IEP is endpoint-based, which means that once installed, it will monitor network traffic in and out of the device (endpoint), regardless of the network it is connected to.

If you have questions, please send them to askaboutIEP-g@vt.edu

(Original question: How are students, prospective students, and their parents being made aware that email exchanges with their instructors will no longer be private?)

The privacy of email exchanges between students, instructors, and parents will not change as a result of this implementation. This cybersecurity implementation will follow university policies that strictly limit who can access this information, the type of information collected, the ways that information is used, and how long the information is retained. 

Microsoft Defender for Endpoint takes specific measures to limit the type of threat indicators that are sent from an endpoint and to protect the security and privacy of that information. University IT personnel will be involved only in response to a likely cybersecurity incident and will follow university policies to protect privacy in doing so. For more information, see https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide.

The original question includes a mistaken assumption that employees previously had an expectation of complete privacy in their workplace communications. This has never been the case, as per Commonwealth of Virginia policy. 
 
Notifications related to the implementation of these tools have already been shared and additional messages will follow as needed. 
 
Side note: When sending email, instructors should be careful with any high-risk or moderate-risk data, including FERPA protected data. See the Standard for High-Risk Digital Data Protection (please refer to https://it.vt.edu/content/dam/it_vt_edu/policies/Standard-for-High-Risk-Digital-Data-Protection.pdf).

(Original question: What steps are being taken to safeguard against a chilling effect and ensure the academic freedom and free speech rights of VT faculty and employees?)

With respect to academic freedom and privacy, this cybersecurity implementation will follow university policies that strictly limit who can access this information, the type of information collected, the ways that information is used, and how long the information is retained. Academic freedom, free speech rights, and freedom of inquiry and expression will be protected.
 
Virginia Tech believes strongly in supporting academic freedom and the free speech rights of students, faculty, and employees. Our Principles of Community, Policy 7035 and other official university statements safeguard and affirm these core values. See Policies and Handbooks for Employees for additional information at https://www.hr.vt.edu/onboarding/policies-handbooks.html

Note that Virginia Commonwealth Policy: 1.75 – Use of Electronic Communications And Social Media states that Virginia Tech’s [the agency's] responsibilities and requirements include stipulations that "No user shall have any expectation of privacy in any message, file, image or data created, sent, retrieved, received, or posted in the use of the Commonwealth’s equipment and/or access.  Agencies have a right to monitor any and all aspects of electronic communications and social media usage. Such monitoring may occur at any time, without notice, and without the user’s permission.

In addition, except for exemptions under the Act, electronic records may be subject to the Freedom of Information Act (FOIA) and, therefore, available for public distribution."

(Original question: What constitutes a “cyber-security” threat? Who gets to decide? What is the protocol if the A.I. reports identifying one?)

The National Institute of Standards and Technology (NIST 1800-15B) defines a cyber security threat" as 'Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.’ The definition also includes ‘the potential for a threat-source to successfully exploit a particular information system vulnerability.’ That is the standard the university is required to follow.

The incident response procedure is not changing with the use of Microsoft Defender for Endpoint (MDE). Incident response is the same whether an incident report comes from MDE, or through any other method we use for detecting a cybersecurity incident. The IT Security Office (ITSO) is responsible for responding to cyberattacks against the university. Once an incident report is verified, the ITSO and distributed IT staff will notify the owner of the affected computer and help them (and in some cases their department) take appropriate actions to contain the attack and remediate any damage to the system.

(Original question: Who decided on this policy? Why is this being implemented at VT but not other universities across the state?)

In answering this question, we’re going to assume that by ‘policy,’ the original submitter intended something closer to ‘practice’ or ‘action.’ The actions the university is taking in implementing improved endpoint protections are necessitated by the increasing frequency, sophistication, and severity of the cyberattacks that the IT Security Office is seeing and preventing each day. The decision to move forward with this implementation was recommended by the IT Transformation Program working in conjunction with the IT Security Office and a project steering committee with members from across the university.  
 
Virginia Tech is not alone in taking this action. In fact, many other universities and colleges in Virginia and worldwide have implemented Endpoint Detection and Response (EDR) and Data Loss Prevention (DLP) tools on their university-owned systems using Microsoft Defender for Endpoint or a similar tool. Almost every other public university in Virginia has utilized these tools over the past decade.

(Original question: Would VT be implementing disciplinary action against students or employees as a result of information gathered as a part of this policy?)

The short answer is no, these tools are not used to target individuals for disciplinary action. ‘Disciplinary action’ is not within the goals or the scope of the Improved Endpoint Protection project, which is specifically aimed at improving the university’s cybersecurity posture. 
 
Microsoft Defender for Endpoint does not inspect the contents of files for disciplinary purposes. User files are not copied or exported by the endpoint protection tools, which are designed to look for anomalies in how specific types of protected data are being stored or shared, or for indications of a cyberthreat. If the tools flag a particular endpoint for suspicious activity, any additional information gathered would focus solely on the presence of those indicators.

Of course, as Commonwealth of Virginia employees, we are obligated to state that in the event that a cybersecurity incident response uncovered apparent evidence of a violation of federal, state, or local law, that information would be referred to the appropriate authority in accordance with university policy, but it is not the purpose of Microsoft Defender for Endpoint or other cybersecurity tools to look for such violations.