CrowdStrike Falcon Endpoint Protection

Summary

CrowdStrike Falcon provides enhanced endpoint protection to laptops, desktops, and servers owned by the University of Delaware. CrowdStrike Falcon software installed on these systems is managed by IT Professionals within each unit in partnership with UD Information Technologies.

Body

CrowdStrike Falcon provides Endpoint Detection and Response (EDR)  protection to laptops and desktops owned by the University of Delaware. CrowdStrike Falcon software installed on these systems are managed by specific IT Professionals within each unit in partnership with UD Information Technologies. 

Using an EDR solution is part of a multi-faceted approach to better protect the University from cybersecurity threats and to meet the requirements of UD’s cybersecurity insurance. 

In order to be compliant with University policy and risk mitigation strategies developed in consultation with our cyber insurance provider, enhanced endpoint protection is required on all University-owned machines. Even if your desktop or laptop is not UD-managed, it is still required to have CrowdStrike installed if UD funds (including grant funds) were used to purchase the device.

Contents
What is CrowdStrike?
Monitoring and Logging
How to Get Help
FAQs
     What devices are included?

What is CrowdStrike?

CrowdStrike Falcon is an enhanced endpoint protection software. It is designed to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks — including malware, ransomware and much more. In addition, CrowdStrike

  • Monitors for suspicious system events—processes, events, and activities—that indicate possible compromise, infection, or attack.
  • Blocks known viruses and malware.
  • Detects and defends against ransomware activity.
  • Identifies and prevents other cyber threats.
  • Sends detection and incident data, in encrypted form, to a cloud-based account for UD.

Monitoring and logging

UDIT takes unit and individual privacy and security very seriously and has precautions in place to protect and ensure that the data collected by CrowdStrike Falcon is used appropriately.

For example, if you log in and open a document called “UD_example.docx,” CrowdStrike Falcon will:

  • Record the computer name and logged-in user name.
  • Record that the program was run and gather some details about the program itself. 
  • Record the file name "UD_example.docx," but will not access or provide any information about the contents of that file. 

The software does not access the contents of: 

  • Documents
  • Email messages
  • IM/chat communications

How to get help

Contact your unit’s IT Professional for any questions or assistance. If your unit does not have an IT Professional, send a message to askit@udel.edu.

Frequently Asked Questions (FAQs)

What data does CrowdStrike analyze?

CrowdStrike analyzes code as it runs on a device to detect suspicious events. CrowdStrike collects additional information about the context of suspicious events to help our security professionals determine if the event is malicious. CrowdStrike does not scan the contents of email messages, websites, documents, instant message (IM) / chat messages, or video calls.

When does the University analyze data collected by CrowdStrike?

The University only analyzes data that has been identified in CrowdStrike to be malicious. 

Who has access to CrowdStrike data?

UD Information Technologies (UDIT) Information Security team, which is responsible for cybersecurity at UD, including threat detection and response, are the primary administrators of CrowdStrike. The UDIT Information Security team manages the access controls and permissions within CrowdStrike.

UDIT Information Security has set up sub accounts for appointed college and administrative unit IT Professionals who are responsible for deploying CrowdStrike to University-owned devices in their respective units. The appointed IT Professional(s) for each unit will also be able to manage the security policies applied to the devices in their unit, view threats that have been detected, and provide support for their users.

Can CrowdStrike data be used for anything beyond IT security purposes?

Device data that is logged by CrowdStrike will not be accessed by University employees unless there is an active cybersecurity incident involving the device. UDIT Information Security limits the information available in Enhanced Endpoint Protection to only what is needed to identify and halt malicious activity, and access is granted only to those who need it for their UD work. Administrators are given training and reminded to use Enhanced Endpoint Protection only for its intended purpose in accordance with UD policies.

Where is CrowdStrike data stored?

CrowdStrike data is stored in a secure data center run by CrowdStrike, hosted by Amazon Web Services.

Why is CrowdStrike required for all UD-owned devices?

In order to be compliant with university policy and risk mitigation strategies developed in consultation with UD’s cyber insurance provider, enhanced endpoint protection is required on all University-owned devices.

What devices are required to have CrowdStrike?

All University-owned devices (e.g., laptops, PCs) are required to have CrowdStrike installed. Phones are not included in this requirement at this point. University-owned means all devices purchased with UD-funds (including grant funds) regardless of whether they are 'managed' by the University or 'self-managed'. 

Please be aware that personal devices should not be used for official University business. Please talk to your unit’s IT Professional or supervisor about acquiring a device through the University for your work.

What are the system requirements for installing CrowdStrike?

CrowdStrike cannot be installed on an OS that no longer receives security patches (i.e. macOS 10.13 or earlier and Windows 10 version 21H1 or earlier). It is also against UD's policy to use an unsupported OS. Chromebooks and other ChromeOS devices are not supported by CrowdStrike at this time.

The device must also be connected to the internet so that CrowdStrike can install, update, and manage the application. 

See a full list of supported operating systems in CrowdStrike's FAQ.  

Will CrowdStrike slow down my computer?

You should not see any performance issues on your device with CrowdStrike. However, if you do detect any performance issues on your device, you should contact your unit’s IT Professional for assistance.

How will I know if CrowdStrike has blocked something on my device?

You will see a small notification appear on your device with a brief description of what was blocked or quarantined due to malicious behavior.

Windows Notification:

Windows CrowdStrike Falcon Sensor notification: a process was terminated because malicious behavior was detected.

Mac Notification:

Mac CrowdStrike Falcon Sensor Notification: A process was blocked because malicious behavior was detected.

What if CrowdStrike blocks a site or file I need for my research or work?

If CrowdStrike has blocked a site or file on your device that you believe is not malicious, contact your unit’s IT Professional for assistance.

Can I uninstall CrowdStrike from my device?

In order to uninstall CrowdStrike from your device, an exception must be requested by completing a policy exception request. If your exception has been approved, your IT Professional or UDIT will get an uninstall token and assist you in removing CrowdStrike from your device.

An uninstall token is required to prevent malicious programs from disabling CrowdStrike on your computer.

Who should I contact if I have a problem or concern with CrowdStrike?

Contact your unit’s IT Professional for any questions or assistance. If your unit does not have an IT Professional, send a message to askit@udel.edu.