Endpoint Security, CrowdStrike FAQ
- What problem does CrowdStrike solve?
- What are we proposing to do with CrowdStrike?
- What information does the software have access to?
- What information does the University have access to?
- How long is the information kept?
- How is the information protected?
- Will the software cause performance issues if I’m either working with very large files or very large numbers of files?
- How much network bandwidth does it consume in talking to the cloud?
- Will it have problems with specialized software that often has negative interactions with programs like anti-virus?
- How does CrowdStrike actually work?
What problem does CrowdStrike solve?
CrowdStrike helps Campus Security respond quickly to advanced attacks, both those that use “malware” (malicious programs specifically designed to steal information) and those that do not use malware but instead use stolen credentials to move around a network and steal data. See “How does CrowdStrike actually work?” for more detailed information.
Per the University's Information Security Policy, members of the University community must "Maximize reasonable protection of Data and IT Resources from exploitation by malicious software, which includes, but is not limited to, malware, viruses, and spyware." CrowdStrike fulfills this requirement with its behavior-based detection capabilities. It increases responsiveness by supporting Windows, Mac, and Linux server and end user computers with a single agent, providing functionality for self-updating, and reporting back its findings for faster analysis and remediation.
By deploying CrowdStrike’s software, we will better protect research and student data that faculty may have as well as administrative data across the University. Quickly detecting these attacks also helps to protect individuals’ personal data and credentials (like online banking usernames and passwords).
What are we proposing to do with CrowdStrike?
CrowdStrike’s software is deployed as an “agent” on servers and end user computers. We propose to install this “agent” on all University-owned computers. In the future, we may also encourage its installation on any other computers used at the University.
What information does the software have access to?
CrowdStrike’s software records details about programs that are run and the names of files that are read or written. For example, if you open a Microsoft Word document called “example.doc”, the software will record that Word was run and gather some details about the Word program itself; it will record only the name “example.doc” and will not access or provide any information about the contents of that file. It also records information about the computer itself, including the machine name and the logged-in user name.
Similarly, CrowdStrike’s software analyzes connections to and from the Internet to determine if there is malicious behavior. It may record websites visited on the Internet but will not log the contents of data transmitted. This data is used only for determining whether malicious behavior is occurring.
The software does not access the contents of documents, email messages, IM communications, etc. The information that the software records is transmitted and stored in a “cloud” server operated and protected by CrowdStrike that has been properly vetted by Campus Security. The University’s contract is clear that the information collected and transmitted belongs to the University.
What information does the University have access to?
IT Professionals in units across the University may have varying levels of access to the information recorded by CrowdStrike’s software after receiving training from Campus Security and signing privileged access agreements. In addition, a small number of trained and authorized individuals in Campus Security and Endpoint Services have access as well. They access this information only when they receive an alert about a security issue, as part of an authorized investigation into a security issue, or to update alerts.
How long is the information kept?
CrowdStrike archives data for 31 days for investigative purposes. The exception is basic data related to detections and preventions, which is retained for 90 days. After either time frame, the data is securely deleted per NIST “Guidelines for Media Sanitization” (SP 800-88). This is true of both the production and disaster recovery environments. Campus Security may also retain data in the University’s security information and event management (SIEM) system and other secure data stores for resolving incidents.
How is the information protected?
CrowdStrike uses industry standard security measures, including strong encryption. The purchase was done using State and University procurement review processes. In addition, the Big Ten Academic Alliance and Educause have reviewed the product as a part of their Higher Education Cloud Vendor Assessment, and Campus Security has reviewed a SOC 2 report, as required for all cloud products.
Will the software cause performance issues if I’m either working with very large files or very large numbers of files?
Generally not. CrowdStrike’s software records a file “hash” (signature) for executable program files but not for data files. Therefore, working with large data files does not incur a performance penalty. The software records data file names in memory only, so there is only very minimal additional CPU use even if a program rapidly opens and closes large numbers of files.
How much network bandwidth does it consume in talking to the cloud?
On a standard user machine it consumes about 1MB over the course of 24 hours on a fairly continuous basis. By comparison, loading the Illinois.edu homepage transfers about 8.5MB in a second or two.
On a more active machine like a server, it consumes about 5MB over the course of 24 hours on a fairly continuous basis.
Will it have problems with specialized software that often has negative interactions with programs like anti-virus?
We do not expect it to. Because it does not do point-in-time scans and does not request “hashes” of large data files, there should be no impact or interaction. We are happy to work closely with anyone with concerns about this to ensure that there are no issues.
How does CrowdStrike actually work?
CrowdStrike monitors process executions, file reads/writes, network activity and child/parent process relationships to create a situational model of what is occurring on a computer. Using this model, it leverages hash matching (“indicators of compromise”), pattern matching (“indicators of attack”), proprietary intelligence drawn from other incidents, machine learning and CrowdStrike’s Security Operations Center to find malicious activity.
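The following is an added illustration, not CrowdStrike's code or the University's: a small Python model of the two detection styles the answer above distinguishes, a known-bad hash (indicator of compromise) and a parent/child behaviour pattern (indicator of attack), built from the kinds of events the earlier answers describe (process starts with a hash for executables only, data files recorded by name only). All event data, image names and the "known bad" hash are constructed for the example.

```python
import hashlib

# Constructed telemetry (not real agent output). Executables carry bytes so a
# hash can be taken; data files carry only a name, as the FAQ describes.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe",   "bytes": b"benign-shell"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "winword.exe",    "bytes": b"benign-word"},
    {"type": "file",    "pid": 200, "name": "example.doc"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe", "bytes": b"benign-ps"},
    {"type": "process", "pid": 400, "ppid": 100, "image": "update.exe",     "bytes": b"sample-marked-bad"},
]

# IoC list: SHA-256 hashes of executables already known to be bad. The one
# entry is computed from constructed bytes, not from any real sample.
KNOWN_BAD = {hashlib.sha256(b"sample-marked-bad").hexdigest()}

# Assumed image names for the behavioural (IoA) rule below.
OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def build_model(events):
    """Situational model: processes keyed by pid (parent + image hash) and the
    data-file names each process touched (names only, never contents)."""
    procs, files = {}, {}
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = {
                "image": ev["image"],
                "ppid": ev["ppid"],
                "hash": hashlib.sha256(ev["bytes"]).hexdigest(),
            }
        elif ev["type"] == "file":
            files.setdefault(ev["pid"], []).append(ev["name"])
    return procs, files


def detect(procs):
    """Return (kind, pid, image) alerts: 'ioc' when an executable's hash is on
    the known-bad list, 'ioa' when an office application spawns a script host,
    a pattern that needs no known-bad hash and so also catches attacks that
    use no malware at all."""
    alerts = []
    for pid, p in procs.items():
        if p["hash"] in KNOWN_BAD:
            alerts.append(("ioc", pid, p["image"]))
        parent = procs.get(p["ppid"])
        if parent and parent["image"] in OFFICE_APPS and p["image"] in SCRIPT_HOSTS:
            alerts.append(("ioa", pid, p["image"]))
    return alerts
```

Running `detect(build_model(EVENTS)[0])` yields one IoC alert for pid 400 and one IoA alert for pid 300; the file model holds only the name "example.doc" for pid 200.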