
University Information Services

What is EDR?

Trellix Endpoint Detection and Response (EDR) is a technical defence available to help schools and non-school institutions protect their IT systems. It focuses on detecting and responding to advanced cyber security threats. The service displays real-time alerts, which allow UIS IT staff to quickly triage, investigate, and prevent a possible cyber-attack.

Trellix EDR monitors and records activity on devices to detect, investigate, and respond to threats in real time. This helps to stop malicious activity before it compromises the system. It maps observed threat behaviour to known tactics and techniques. It works alongside, not instead of, antivirus software.

The service raises an alert whenever malicious activity is detected. Alerts are monitored by the UIS Computer Security Incident Response Team (CSIRT), who will contact local IT staff and, if agreed, can isolate infected devices and stop malicious processes to prevent further infection. Trellix EDR also allows CSIRT staff to see and decode malicious commands.

Benefits of the UIS EDR service

  • It provides cyber-security monitoring by a dedicated CSIRT team, to help you avoid malware infections and compromises.
  • It is recommended by Jisc and the UK National Cyber Security Centre, and is considered industry best practice.
  • It helps you to meet the university’s Systems Management Policy (SMP) and associated technical standards. Installing Trellix EDR meets a requirement of the university’s anti-malware technical standard.

How to use the EDR application

You can find information on adding EDR on our service information for IT staff page.

To have EDR added to your endpoints, they must be running the standard Trellix anti-malware application, and your institution must have been migrated to the new ePO SaaS platform. Once this has been done, you can request EDR for all or some of your endpoints by contacting anti-malware@uis.cam.ac.uk.

Installation is performed by UIS: the client is pushed to the device. It is quick and transparent to the user of the device, and no restart is needed after installation.

UIS EDR service availability

The EDR service and Trellix client are available for any university-owned server, desktop, or laptop running the managed Trellix anti-malware agent. The service is not suitable for personally owned devices. The product is not currently recommended for Linux systems for technical reasons; we hope to provide an alternative for Linux systems in the future.

The EDR service is provided free of charge to all University departments and non-school institutions. We do not currently offer it to colleges or non-university institutions.

Note: UIS University Managed Devices (UMDs) do not use Trellix. Instead, they use Microsoft Defender as this integrates better with our Azure tenancy.

How we use the data EDR collects

The EDR client collects system and user activity data and sends it to the Trellix-hosted EDR server for analysis. System log data includes processes, sub-processes, scripts, and DNS queries. The log data is used only to identify cyber-security attacks and will not be used for any other purpose.
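To make the telemetry described above and the analyst actions mentioned earlier (decoding malicious commands and mapping behaviour to known techniques) concrete, the following is an added illustration in Python. It is not Trellix code and not part of the UIS service: the event schema, field names, the sample events, and the technique labels (which loosely follow MITRE ATT&CK naming; the page does not say which framework Trellix uses) are all assumptions. It walks a handful of constructed process and DNS records, decodes a PowerShell encoded command line the way an analyst would, and correlates DNS queries with the process that made them.

```python
"""
Constructed triage over EDR-style event records (illustrative only; not Trellix
or UIS code). Models the telemetry types the page lists (processes,
sub-processes, scripts, DNS queries) and two analyst steps it mentions:
decoding an encoded command and labelling behaviour with a known technique.
"""
import base64
import binascii
from typing import Dict, List, Optional

# Assumed technique label, loosely following MITRE ATT&CK naming.
POWERSHELL_TECHNIQUE = "T1059.001 Command and Scripting Interpreter: PowerShell"

# Constructed sample events; a real EDR server would supply these.
# The encoded payload is a harmless Write-Output, built here so it round-trips.
SAMPLE_EVENTS: List[dict] = [
    {"type": "process", "pid": 4120, "ppid": 3980, "host": "dept-pc-01",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand "
                + base64.b64encode("Write-Output 'hello'".encode("utf-16-le")).decode()},
    {"type": "dns", "pid": 4120, "host": "dept-pc-01", "query": "example.test"},
    {"type": "process", "pid": 5001, "ppid": 1200, "host": "dept-pc-02",
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
]

ENCODED_FLAG = "-encodedcommand"


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.

    PowerShell accepts an unambiguous prefix of the parameter name (-e, -enc,
    -EncodedCommand ...), so any token that is a prefix of the full name is
    treated as the flag. The payload is base64 of UTF-16LE text.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        low = tok.lower()
        if len(low) >= 2 and ENCODED_FLAG.startswith(low):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None  # flag present but payload not decodable
    return None


def label_techniques(event: dict, decoded: Optional[str]) -> List[str]:
    """Attach assumed technique labels based on the process image and command line."""
    labels: List[str] = []
    if event.get("image", "").lower().endswith("powershell.exe"):
        labels.append(POWERSHELL_TECHNIQUE)
    if decoded is not None:
        labels.append("encoded command line (obfuscation)")
    return labels


def triage(events: List[dict]) -> List[Dict]:
    """One finding per process event, with decoded command, labels and the
    DNS queries issued by the same pid on the same host."""
    dns_by_key: Dict[tuple, List[str]] = {}
    for ev in events:
        if ev["type"] == "dns":
            dns_by_key.setdefault((ev["host"], ev["pid"]), []).append(ev["query"])
    findings = []
    for ev in events:
        if ev["type"] != "process":
            continue
        decoded = decode_encoded_command(ev.get("cmdline", ""))
        findings.append({
            "host": ev["host"], "pid": ev["pid"], "ppid": ev["ppid"],
            "decoded_command": decoded,
            "techniques": label_techniques(ev, decoded),
            "dns_queries": dns_by_key.get((ev["host"], ev["pid"]), []),
        })
    return findings


def needs_review(finding: Dict) -> bool:
    """A finding goes to an analyst when at least one technique label applies."""
    return bool(finding["techniques"])


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        status = "REVIEW" if needs_review(f) else "ok"
        print(status, f["host"], f["pid"], f["decoded_command"],
              f["techniques"], f["dns_queries"])
```

Running the script prints one line per process event; the PowerShell event on dept-pc-01 is marked for review with its decoded command and the DNS query it made, while the explorer.exe event is left alone. The decode step returns None rather than raising when the payload is not valid base64, which keeps a malformed record from aborting triage of the rest of the batch.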

The event log data is:

  • retained for 30 days
  • available only to designated UIS Security Operations staff.

The EDR platform also contains a 6-month audit log of all UIS CSIRT staff actions on the EDR server.

Data collected is in line with the University IT Privacy Notice.

UIS CSIRT incident response

For further information on the UIS CSIRT incident response processes, please see UIS CSIRT EDR processes.


Further information

Trellix Endpoint Detection and Response product (external site)

University anti-malware technical standard