Understanding CrowdStrike Falcon

Falcon is advanced endpoint protection installed on workstations and servers. Among its many roles, it serves as traditional antivirus/anti-malware that detects and prevents potentially malicious activity. Falcon administrators in ITS and in units use the Falcon console to investigate and remediate issues. Information Assurance acts as the top-level administrator of Falcon, with sub-tenants for unit IT to help administer their own unit's systems as needed.

CrowdStrike Falcon helps meet the obligations listed in Information Security (SPG 601.27), in particular, Protection of Data and Information Assets, which states, "The university will optimize its ability to protect institutional data, systems, resources, and services from unauthorized access and other threats or attacks that could potentially result in harm to the university or to members of the university community."

CrowdStrike Falcon helps IT staff respond quickly to advanced attacks, both those that use “malware” (malicious programs specifically designed to steal information) and those that do not use malware but instead use stolen credentials to move around a network and steal data.

By deploying Falcon, we will better protect research and student data that faculty may have as well as administrative data across the University. Quickly detecting these attacks also helps to protect individuals’ personal data and credentials (like online banking usernames and passwords).

Falcon replaces existing U-M antivirus tools. Other antivirus and anti-malware software on U-M systems, including Windows Defender, Sophos, and Malwarebytes, is being replaced by Falcon in early 2021.

Note that it is a CrowdStrike Falcon best practice to disable real-time protection in any other endpoint protection tool (for example, traditional antivirus/anti-malware) on the same machine.

U-M owned systems should have Falcon installed. U-M owned systems (Windows, Mac, and Linux operating systems, whether workstations or servers) should have CrowdStrike Falcon installed. IA will work with unit IT staff to ensure as many systems as possible are protected.
Falcon is not for use with personally owned systems. CrowdStrike Falcon is only for use on U-M owned systems and will not be installed on your personal computers or devices. Some good resources for protecting your personal systems can be found in Secure Your Devices. Remember to follow guidance for Sensitive U-M Data on Personal Devices if you use personal devices for U-M work.
ITS-managed systems are already protected by CrowdStrike Falcon. ITS staff are already using Falcon to protect MiServer managed servers (Windows and Linux) and MiWorkspace managed desktops (Windows and Mac), including virtual machines.
Falcon uses a multi-tenant structure with Information Assurance as the top-level tenant. ITS Information Assurance (IA) staff administer the university’s top-level tenant. The MiWorkspace team administers the MiWorkspace sub-tenant. The MiServer sub-tenant is administered by ITS. Some unit IT staff may be Falcon administrators within their units. Administrators of separate sub-tenants see only their own tenant(s).

Falcon is light and unobtrusive. There is no perceptible performance impact on your computer, and all updates are performed silently and automatically.
Consult ITS before running more than one endpoint protection tool. For most systems, Falcon will be the only endpoint protection tool needed. If your unit wishes to maintain a second endpoint protection tool, you should consult with ITS during implementation.