What is CrowdStrike Falcon?
CrowdStrike Falcon is an advanced, cloud based endpoint protection tool for Windows, Mac, and Linux systems. Crowstrike Falcon replaces Windows Defender, Sophos, and SentinelOne on university systems.
What does CrowdStrike Falcon Do?
CrowdStrike Falcon provides enhanced protection from malware, viruses, and other malicious activity for a variety of U-M IT systems/endpoints (laptops, desktops, and servers) and operating systems (Windows, MacOS, Linux). It assists with investigations and forensics when an incident occurs, and helps IT staff respond quickly to advanced threats and attacks with a minimum of interruption to affected community members.
Why did U-M deploy CrowdStrike Falcon?
CrowdStrike Falcon provides much better and broader around-the-clock protection and capabilities compared to U-M’s previous anti-virus tools, and is better at countering the more advanced threat actors that seek to steal data, install ransomware, and disrupt U-M operations. Along with user awareness and Duo, it is perhaps the most important tool U-M has to protect the university’s data, systems, resources, and services from attacks. Falcon allows IT security staff to respond more quickly when there is an IT security incident, significantly reducing the likelihood of disruption to critical research and instruction activities.
Refer to Enhanced Endpoint Protection for U-M Computers for more information on how CrowdStrike Falcon protects U-M.
Does Crowdstrike work, and how has it benefited U-M?
Yes, Crowdstrike prevents malicious activity on a daily basis, and has thwarted or mitigated some very significant attacks against the university. Falcon is deployed on nearly 100,000 systems across the university and identifies about 70 potentially malicious events per day on average. The types of systems being targeted and the severity of the activity vary, but false positives are generally less than five percent.
Crowdstrike is part of a range of mitigations to protect university data and systems. Refer to Information Assurance Capabilities for more information.
Does Crowdstrike Falcon scan the contents of my files, email, IM/Chat, or track what websites I visit?
No. CrowdStrike does not scan the contents of data files, websites, email messages, IM/Chat communications and does not perform keystroke logging.
Crowdstrike does identify malicious use of legitimate programs by analyzing executable files, scripts, and the context within which these files and scripts are used.
What CrowdStrike tools does U-M use?
U-M uses the following CrowdStrike Apps, and anticipates adding additional modules over time as the need arises:
- Falcon Prevent: An ani-virus/anti-malware solution.
- Falcon X: Advanced malware analysis for accelerated triage and response.
- Falcon Insight: Real-time activity analysis to proactively identify threats as well as detailed forensic information to assist in incident response. This includes real-time incident response capabilities that allow U-M incident response staff to investigate incidents without having to physically collect the computer.
- Falcon Discover: Provides device and application detail to identify suspicious programs or vulnerable configurations.
- Falcon Overwatch: A human threat detection engine operating to find and stop most sophisticated hidden threats.
What types of data does CrowdStrike Falcon access or collect?
Like most advanced endpoint solutions, CrowdStrike Falcon:
- Looks for suspicious processes and programs, in order to identify, and in some cases block, malicious activity that could lead to system and work disruptions, corruption or loss of critical data, or other harm.
- Records details about accounts used to access a machine to help identify unauthorized access.
- Analyzes the contents of executable programs and scripts to detect malicious code.
- Records program execution details to identify malicious patterns of activity and facilitate efficient and less disruptive investigation of potentially malicious activity.
- Records file names if they are associated with potentially malicious activity.
- Records network activity to identify remote systems being utilized for malicious software installation, remove control, etc.
CrowdStrike does not scan the contents of data files, websites, Email messages, IM/Chat communications, does not log the contents of web pages that are viewed, and does not perform keystroke logging.
How is CrowdStrike data used?
CrowdStrike data is used to identify and block potentially malicious activities, and alert IT security staff when further analysis and/or action are needed. It is also used for IT security, and legal and compliance-related investigations. Anonymized information may be used by CrowdStrike to improve detection capabilities and improve their services.
Who runs CrowdStrike at U-M?
ITS Information Assurance is the top-level administrator of CrowdStrike Falcon. Local IT staff within schools, colleges, and units are responsible for deploying CrowdStrike Falcon on unit systems and providing ongoing support for their deployment. ITS Information Assurance is responsible for carefully selecting appropriate access controls to help ensure that IT staff are only given the level of access needed to provide support for their units and protection to individuals, systems, and data.
Who has access to CrowdStrike Falcon Data?
CrowdStrike Falcon data is available only to select ITS Information Assurance staff members who administer the tool and lead U-M threat detection and incident response efforts. In addition, approved unit IT CrowdStrike Falcon administrators who have completed required data privacy training can access information about malicious activity in the systems they support. ITS Information Assurance staff responsible for information security incident response and threat detection work have access to more complete system activity information.
Access to the data is governed primarily by the Privacy and the Need to Monitor and Access Records (SPG 601.11) and Information Security (SPG 601.27). Additional U-M policies and laws & regulations may apply.
What data does CrowdStrike the company have access to?
Crowdstrike has access to the same information as approved ITS Information Assurance staff, which allows them to provide necessary analysis and take action to automatically reduce harm by updating the Falcon software. Any information the software records and transmits is stored securely by CrowdStrike. CrowdStrike uses industry-standard security measures, including strong encryption, and has been vetted using U-M’s requirements for high-sensitivity data. U-M’s agreement with CrowdStrike includes provisions about data ownership (U-M owns the data), as well as other routine, contractual privacy and security provisions.
What privacy protections are in place around the CrowdStrike deployment?
U-M IT staff who administer CrowdStrike Falcon are required to:
- Use U-M resources only for their intended purpose.
- Access only the data they need in order to do their U-M work.
- Share data only with other U-M staff who are authorized to access the data and need it for their U-M work.
- Complete DCE 101: U-M Data Protection and Responsible use training.
Can CrowdStrike data be shared or used beyond IT security purposes?
Detailed CrowdStrike Falcon data is not shared with other university officials or community members without approval from ITS Information Assurance, in consultation with appropriate stakeholders. Approved use cases include official U-M investigations and where required by law.
Is CrowdStrike Falcon optional?
In general, no. CrowdStrike Falcon is the standard U-M endpoint protection tool. Using CrowdStrike Falcon protects individual users, and also protects the university and the university community.
CrowdStrike Falcon helps detect and prevent not only malicious activity coming from outside of U-M networks, but also attacks from compromised devices within U-M networks. In particular, it is a critical component in defending against ransomware.
Who do I talk to if CrowdStrike Falcon is potentially interfering with my work?
Contact the ITS Service Center. ITS Information Assurance will work with units with the goal of minimizing impact to research and system performance while maintaining a high level of protection.