Endpoint Protection: Data Collection, Sensitive Data, and Privacy

CrowdStrike Falcon provides enhanced endpoint protection to laptops, desktops, and servers owned by U-M. CrowdStrike Falcon software installed on these systems is managed by ITS Information Assurance (IA) in partnership with unit IT. U-M takes many precautions to protect unit and individual privacy and security, and to ensure that the data collected by CrowdStrike Falcon is used appropriately.

What CrowdStrike Falcon Monitors and Records

CrowdStrike Falcon looks for suspicious processes and programs. To do this, it records details about who has logged in on a machine, what programs are run, and the names of files that are read or written.

For example, if you log in and open a Microsoft Word document called “example.doc,” CrowdStrike Falcon will:

  • Record the computer name and logged-in user name.
  • Record that Word was run and gather some details about the Word program itself.
  • Record the file name “example.doc,” but will not access or provide any information about the contents of that file.

CrowdStrike uses this information to detect and remediate potentially malicious activity in the U-M environment. Executable files identified as malicious may be uploaded to CrowdStrike servers. Documents and data files are not uploaded.

What CrowdStrike Falcon Does Not Record

The software does not record keystrokes. The software does not access or record the contents of:

  • Documents
  • Email messages
  • IM/chat communications.

CrowdStrike Falcon and Internet Access

CrowdStrike Falcon analyzes connections to and from the internet to determine if there is malicious behavior. It may record the addresses of websites visited but will not log the contents of the pages transmitted. This data is used to help detect and prevent malicious actions involving websites.

Where is CrowdStrike Falcon Data Stored

CrowdStrike provides secure storage on its cloud servers for the data it collects, and U-M retains ownership of the data. In some cases, IA staff members may store data collected for the purpose of investigating potential and actual IT security incidents.

Access to Data Collected by CrowdStrike Falcon

CrowdStrike uses Enhanced Endpoint Protection data to extract anonymized data about computer processes and malicious techniques to identify new patterns of malicious behaviors in order to dynamically protect customers. CrowdStrike limits its own employees’ access to customer data to those with a business need. (More detail can be found in the CrowdStrike Privacy Notice.)

ITS limits the information available in Enhanced Endpoint Protection to only what is needed to identify and halt malicious activity, and access is granted only to those who need it for their U-M work. Administrators are given training and reminded to use Enhanced Endpoint Protection only for its intended purpose in accordance with U-M policies.

Access to the data is governed primarily by the Privacy and the Need to Monitor and Access Records (SPG 601.11) and Information Security (601.27). Additional U-M policies and laws & regulations may apply.