
Defender for Endpoint (formerly Defender ATP)

Defender for Endpoint is an enterprise endpoint security platform designed to help organizations prevent, detect, investigate, and respond to advanced threats. Defender for Endpoint is available for any Penn State-owned machine running a recent version of Windows, macOS, or specific Linux distributions.

Once a device is added to the Defender for Endpoint console, data that was only available locally on the device becomes available in a centralized console. This provides security analysts with a more holistic view of the current threat landscape within Penn State-owned endpoints.


INSTALLATION / CONFIGURATION INSTRUCTIONS

These instructions have been moved to the Unit Security Dashboard:
https://security.psu.edu/agents

FAQs

HELP


ENCLAVE SYSTEMS

In order to assist the Security Operations team, please ensure that all ATO and enclave machines have an “RHS” tag applied so they can be properly monitored. Failing to do so will also negatively impact your ATO checklist items and future risk assessments to maintain your ATO.

Tags can be applied either manually from the Defender for Endpoint console or through the registry via GPO. Device tagging is also available in JAMF for Mac devices. If you need help with device tagging, see Microsoft’s device-tagging documentation.

GROUP POLICY SETTINGS

To enhance the security posture of University-owned workstations and servers, we recommend applying the PSU-Defender ATP Settings GPO to devices running Windows Defender. The additional settings in this GPO improve our ability to detect and respond to alerts and vulnerabilities identified on devices. This policy also removes the ability for end users to tamper with the Windows Defender security settings: users will not be able to add risky exclusions for files or folders or fully disable Defender from running on the endpoint.

At this time, we do not intend to make any changes to the GPO as it stands today. If at some point additional settings need to be added or removed, we will make sure the changes are fully tested before being pushed to PSU-Defender ATP Settings GPO. Once testing is complete, an announcement will go out to all stakeholders before any change is made to the policy.

LINUX SUPPORT

Defender for Endpoint supports common Linux flavors and has been installed on 200+ Linux servers at the University with no known issues. If you do experience any issues please contact support using the above link.

IS certainly understands there are situations where the real-time nature of Defender for Endpoint may not be desirable for performance reasons, e.g., data-heavy systems such as Splunk indexers. In those situations, we typically recommend you follow these steps:

  1. Try adding exclusions and then gauge the performance impact in a dev/test environment.
  2. Resort to scheduled scans, which still have the advantage of providing key telemetry to support threat detection and incident response.
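As an added example of the two steps above (this is not a Penn State or Microsoft script), the following POSIX shell script builds the `mdatp` exclusion commands for a data-heavy Linux host and installs a weekly quick scan in a crontab file. The Splunk directory and process names are assumptions standing in for whatever a real dev/test measurement shows needs excluding; the script defaults to dry-run so the exclusion list can be reviewed before it reduces what Defender sees, and it refuses relative paths so an exclusion never matches more than intended.

```shell
#!/bin/sh
# Added example: staged exclusions plus a scheduled scan for mdatp on Linux.
# Not the university's or Microsoft's tooling. The paths and process name
# below are assumptions for a hypothetical Splunk indexer; replace them with
# the directories that dev/test profiling actually shows as hot.

EXCLUDE_DIRS="/opt/splunk/var/lib/splunk /opt/splunk/var/log"
EXCLUDE_PROCS="splunkd"

# Weekly quick scan (Saturday 02:00) so telemetry keeps flowing even where
# real-time protection is too costly; output is appended to a log for review.
SCAN_CRON='0 2 * * sat /bin/mdatp scan quick >> /var/log/mdatp_cron_job.log 2>&1'

# Print the command instead of running it unless MDATP_DRY_RUN=0.
# Dry-run is the default so the exclusion set is reviewed before it takes effect.
run_cmd() {
  if [ "${MDATP_DRY_RUN:-1}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Emit (or apply) one folder exclusion per directory and one process exclusion
# per process name. Relative paths are rejected: an exclusion should name
# exactly one location, never something resolved against a working directory.
build_exclusions() {
  for d in $EXCLUDE_DIRS; do
    case "$d" in
      /*) ;;
      *) echo "refusing relative exclusion path: $d" >&2; return 1 ;;
    esac
    run_cmd mdatp exclusion folder add --path "$d"
  done
  for p in $EXCLUDE_PROCS; do
    run_cmd mdatp exclusion process add --name "$p"
  done
}

# Append the scheduled-scan line to a crontab file, idempotently.
# Typical use: crontab -l > /tmp/ct; install_scan_cron /tmp/ct; crontab /tmp/ct
install_scan_cron() {
  f="$1"
  if [ -z "$f" ]; then
    echo "usage: install_scan_cron <crontab-file>" >&2
    return 1
  fi
  touch "$f"
  if grep -qF "mdatp scan quick" "$f"; then
    echo "scheduled scan already present in $f" >&2
    return 0
  fi
  printf '%s\n' "$SCAN_CRON" >> "$f"
}

# Only act when explicitly asked (MDATP_APPLY=1); sourcing the file does nothing.
if [ "${MDATP_APPLY:-0}" = "1" ]; then
  build_exclusions
  tmp_ct=$(mktemp)
  crontab -l > "$tmp_ct" 2>/dev/null || true
  install_scan_cron "$tmp_ct"
  if [ "${MDATP_DRY_RUN:-1}" = "1" ]; then
    echo "would install crontab:"; cat "$tmp_ct"
  else
    crontab "$tmp_ct"
  fi
  rm -f "$tmp_ct"
fi
```

Run it once with the default dry-run to see the exact exclusion commands and crontab line, measure the effect of those exclusions in dev/test, and only then rerun with `MDATP_DRY_RUN=0 MDATP_APPLY=1`. Each `mdatp exclusion ... add` call widens what Defender will not inspect, so the reviewed list is also what should be recorded for the ATO checklist.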