Endpoint Security, CrowdStrike Falcon, FAQ
Jump To:
- What problem does CrowdStrike solve?
- What are we doing with CrowdStrike?
- What information does CrowdStrike have access to?
- Does CrowdStrike access, transmit or see Sensitive or High Risk data from my files, such as FERPA-protected or health/HIPAA data?
- Does CrowdStrike ever access the content of files?
- Who at the university has access to the information gathered by CrowdStrike?
- How long is the information kept?
- How is the information protected?
- Will the software cause performance issues if I’m either working with very large files or very large numbers of files?
- How much network bandwidth does it consume in talking to the cloud?
- How does it interact with specialized software?
- How does Falcon work?
What problem does CrowdStrike solve?
CrowdStrike helps Technology Services respond quickly to advanced attacks that use malware (malicious programs specifically designed to steal information) and to those that use native tools to move around a network and steal data. See "How does Falcon work?" below for more detailed information.
Per the University's Information Security Policy, members of the University community must "Maximize reasonable protection of Data and IT Resources from exploitation by malicious software, which includes, but is not limited to, malware, viruses, and spyware." CrowdStrike fulfills this requirement with its behavior-based detection capabilities. It increases responsiveness by supporting Windows, Mac and Linux server and end user computers with a single agent, providing functionality for self-updating, and reporting back its findings for faster analysis and remediation.
CrowdStrike can help us to better protect university research, student data and administrative data. Quickly detecting these attacks also helps to protect individuals’ personal data and credentials such as usernames and passwords.
What are we doing with CrowdStrike?
CrowdStrike’s software, Falcon, is deployed as an agent on servers and workstations (desktop and laptop computers). All university computers are required to have this agent installed.
What information does CrowdStrike have access to?
Falcon records details about programs that are run and the names of files that are read or written. This is commonly referred to as metadata. For example, if you open a Microsoft Word document called “example.doc”, the software will record that Word was run, gather some details about the Word program itself, and record only the name “example.doc”; it will not access or provide any information about the contents of that file. It also records information about the computer itself, including the machine name and the logged-in user name.
Similarly, Falcon analyzes connections to and from the internet to determine if there is malicious behavior. It may record websites visited on the internet but will not log the contents of data transmitted. This data is used only for determining if malicious behavior is occurring.
Falcon primarily focuses on the behavior of software running on a computer rather than the contents of files. The information that Falcon records is securely transmitted and stored in cloud servers operated and protected by CrowdStrike that have been properly vetted by Technology Services. The university’s contract is clear that the information collected and transmitted belongs to the university.
Does CrowdStrike access, transmit or see Sensitive or High Risk data from my files, such as FERPA-protected or health/HIPAA data?
Falcon records and processes details about programs that are run and the names and directories of files that are read or written. FERPA and HIPAA data should never be saved as filenames or directories.
Does CrowdStrike ever access the content of files?
Normal operations include only the analysis of metadata as described above.
When a file, email or other content shows indicators of malicious activity, Technology Services or other authorized employees may access the content directly to analyze the nature of the attack, mitigate damage, establish containment and eradicate the threat actor. This access may be done via CrowdStrike or other IT administration tools.
Who at the university has access to the information gathered by CrowdStrike?
A small number of trained and authorized individuals within Technology Services may access the information recorded by Falcon. IT professionals in units across the university may have limited access after receiving training from Technology Services. They are only permitted to access this information when they receive an alert about a security issue, as part of an authorized investigation or to maintain the software.
How long is the information kept?
Data related to CrowdStrike events is retained for 90 days. After this time frame, the data is securely deleted per the National Institute of Standards and Technology (NIST) “Guidelines for Media Sanitization” (SP 800-88). Technology Services may also retain specific incident data in the university’s security information and event management (SIEM) systems.
How is the information protected?
CrowdStrike uses industry-standard security measures, including strong encryption. The software was acquired using state and university procurement review processes. In addition, the Big Ten Academic Alliance and EDUCAUSE have reviewed the product as a part of their Higher Education Cloud Vendor Assessment and Technology Services has reviewed a SOC 2 report as required for all cloud products.
Will the software cause performance issues if I’m either working with very large files or very large numbers of files?
Generally not. Falcon records a file hash (signature) for files it observes. Therefore, working with large data files does not incur a performance penalty. The software records data file names in memory only, so there is very little additional CPU use even if a program rapidly opens and closes large numbers of files.
If you experience a performance impact related to Falcon, please contact securitysupport@illinois.edu.
How much network bandwidth does it consume in talking to the cloud?
On a standard user machine it consumes about 1MB over the course of 24 hours on a fairly continuous basis. By comparison, downloading the illinois.edu homepage is about 8.5MB that is consumed in a second or two.
On a more active machine like a server, it consumes about 5MB over the course of 24 hours on a fairly continuous basis.
Falcon requires software updates approximately once a month, similar to other software.
How does it interact with specialized software?
Generally it does not interfere with it. In the last five years of use at the university, the number of negative impacts has been very low. Because Falcon does not regularly perform point-in-time scans and does not generate hashes of large data files, there should be no negative impact.
If you experience a negative impact to software related to Falcon, please contact securitysupport@illinois.edu.
How does Falcon work?
Falcon monitors process executions, file reads and writes, network activity and child/parent process relationships to create a situational model of what is occurring on a computer. Using this model, it applies hash matching (“indicators of compromise”), pattern matching (“indicators of attack”), proprietary intelligence drawn from other incidents, machine learning and manual review by the CrowdStrike Security Operations Center to find malicious activity.
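To make the two ideas above concrete, the metadata-only telemetry described under "What information does CrowdStrike have access to?" and the hash-matching (IOC) versus pattern-matching (IOA) detection described in this section, here is a small added example. It is illustrative code written for this page, not CrowdStrike's or the university's code, and it does not reflect how Falcon is actually implemented. Every event, hash, process name and rule in it is constructed for the example: the events carry only a process name, a parent/child link, a file name, a destination host and a hash of the executable, never file contents; the IOC path flags an executable whose hash appears on a (hypothetical) known-bad list, and the IOA path flags the behavioural chain "office application spawns a shell that then makes an outbound connection", evaluated over the parent/child process tree.

```python
"""Toy endpoint-telemetry analyzer illustrating metadata-only recording,
IOC hash matching and IOA behavioural matching over a process tree.

Added illustration for this FAQ, not CrowdStrike Falcon code. All events,
hashes, names and rules are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    """One metadata record. Note that there is no field for file contents."""
    kind: str                      # "exec", "file" or "net"
    pid: int
    ppid: Optional[int] = None     # parent pid, recorded on exec events
    image: str = ""                # executable name, exec events only
    sha256: str = ""               # hash of the executable, exec events only
    path: str = ""                 # file name/path for file events (name only)
    dest: str = ""                 # remote host for net events
    user: str = ""                 # logged-in user name


# Constructed IOC list: hash -> label of a hypothetical known-bad executable.
KNOWN_BAD_HASHES: Dict[str, str] = {"deadbeef" * 8: "example-dropper"}

# Constructed IOA vocabulary for the "office app -> shell -> network" pattern.
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"cmd.exe", "powershell.exe", "bash"}


def build_process_tree(events: List[Event]):
    """Situational model: pid -> image name, and pid -> list of child pids."""
    image: Dict[int, str] = {}
    children: Dict[int, List[int]] = defaultdict(list)
    for ev in events:
        if ev.kind == "exec":
            image[ev.pid] = ev.image
            if ev.ppid is not None:
                children[ev.ppid].append(ev.pid)
    return image, children


def analyze(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) alerts for a stream of metadata events."""
    alerts: List[Tuple[str, str]] = []
    image, children = build_process_tree(events)
    net_pids = {ev.pid for ev in events if ev.kind == "net"}

    # IOC path: exact hash match on executed images (no file contents needed).
    for ev in events:
        if ev.kind == "exec" and ev.sha256 in KNOWN_BAD_HASHES:
            label = KNOWN_BAD_HASHES[ev.sha256]
            alerts.append(("ioc_hash_match", f"{ev.image} ({label}) pid={ev.pid}"))

    # IOA path: office app -> shell, where the shell or one of its children
    # opened an outbound network connection. Word simply opening a document
    # never matches, because no shell appears in its subtree.
    for pid, name in image.items():
        if name not in OFFICE_APPS:
            continue
        for child in children.get(pid, []):
            if image.get(child) not in SHELLS:
                continue
            subtree = [child] + children.get(child, [])
            if any(p in net_pids for p in subtree):
                detail = f"{name} pid={pid} -> {image[child]} pid={child}"
                alerts.append(("ioa_office_shell_network", detail))
    return alerts


# Constructed sample telemetry: a user opens a document in Word (benign),
# Word spawns cmd.exe which spawns PowerShell that connects out (IOA), and
# a separate executable with a known-bad hash is run (IOC).
SAMPLE_EVENTS = [
    Event("exec", pid=100, ppid=1, image="explorer.exe", sha256="a1" * 32, user="jdoe"),
    Event("exec", pid=200, ppid=100, image="WINWORD.EXE", sha256="b2" * 32, user="jdoe"),
    Event("file", pid=200, path=r"C:\Users\jdoe\Documents\example.doc"),
    Event("exec", pid=300, ppid=200, image="cmd.exe", sha256="c3" * 32, user="jdoe"),
    Event("exec", pid=400, ppid=300, image="powershell.exe", sha256="d4" * 32, user="jdoe"),
    Event("net", pid=400, dest="198.51.100.7"),   # documentation-range address
    Event("exec", pid=500, ppid=100, image="update.exe", sha256="deadbeef" * 8, user="jdoe"),
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The point of the example is the shape of the data rather than the rules themselves: the analyzer can decide that the Word-to-PowerShell chain is suspicious, and that `update.exe` matches a known-bad hash, without ever seeing what is inside `example.doc`. Real products add far richer telemetry, curated intelligence and analyst review on top of this skeleton.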
