Endpoint Prevention, Detection, and Response (EPDR)
The endpoint prevention, detection, and response service combines a software solution, CrowdStrike, for detecting and stopping malware and malicious behavior with centralized alerting, monitoring, and response services. It allows Computing Services to identify and stop suspicious behavior, investigate it, contain damage, and return to normal operations.
Our Security Solution
CrowdStrike is a lightweight security solution providing advanced protection from malware, viruses, and other malicious activity for servers, desktops, and laptops. It assists with forensic investigation when security events occur and helps the information security and IT staff respond quickly with minimal impact on the computer's user.
CrowdStrike provides additional features to support information security, IT professionals, and various compliance obligations, including threat hunting, file integrity monitoring, vulnerability, and hygiene scanning.
Download and install CrowdStrike
Is CrowdStrike Mandatory?
CrowdStrike is mandatory for all servers used for university business, research, and education unless contracts, consent forms, or other agreements prohibit it. CrowdStrike is mandatory for university-owned workstations (desktops and laptops) with access to University Restricted Data and/or support university operations. This mandate reflects the current tolerance for security risk by university leadership. This software will be pushed automatically to Desktop Support Customers (DSP). Departmental IT support providers may likewise automatically install CrowdStrike for their customers. Check with your Security Point of Contact for further instructions.
Students may request permission to use CrowdStrike on personal devices in cases where there is a university compliance need or business use case.
Use on a Personal Device
Installing CrowdStrike on a personally owned device makes it subject to the University Computing Policy, allowing CMU direct access in an emergency.
Frequently Asked Questions (FAQs)
Is CrowdStrike mandatory?
In March 2023, CrowdStrike was installed on all servers housed in Computing Services’ Secure and Integrated Infrastructure (SII) network and university-owned workstations (desktops and laptops) that use SII VPN services to connect to them.
As of August 31, 2023, CrowdStrike is mandatory for all servers used for university business, research, and education unless contracts, consent forms, or other agreements prohibit it. This mandate reflects the current tolerance for security risk by university leadership.
Beginning November 1, 2023, CrowdStrike is mandatory for university-owned workstations (desktops and laptops) that have access to University Restricted Data and/or support university operations.
How do I verify that CrowdStrike is installed?
See Verify CrowdStrike Is Running for steps to ensure CrowdStrike is installed and running on your computer.
Is CrowdStrike permitted on computers that process research data?
CrowdStrike is permitted on research computers unless consent, contract, or other agreement language prohibits the use of third parties or potential access by non-researchers. This applies to all research, including approved human subjects research data and research data concerning minors. CrowdStrike may actually help address common compliance requirements for research data protection.
If you are using CrowdStrike on a device that handles research data, you should ensure that any consent forms contain the following statement in the Confidentiality section, “Select Carnegie Mellon University staff or consultants may also have access to your research data for compliance, auditing or operations purposes."
What information can CrowdStrike access?
Applications
CrowdStrike looks for suspicious processes and applications. To monitor computer activity, the system records login information, application usage, and file access.
The software does NOT record keystrokes or the contents of documents, email messages, or chat communications.
Internet
CrowdStrike analyzes connections to and from the internet to determine if there is malicious activity. It records IP addresses and server names. It will not log the contents of the web pages. This data is used to detect and prevent malicious actions involving websites.
Other Information
CrowdStrike also collects information about your computer, like your device ID and serial number, software vulnerabilities, operating system, and network information (i.e., MAC/IP addresses).
If the software detects malicious activity, it may initiate additional data collection to understand the risk better and enable a timely response.
Example
If you log into your computer, open Chrome, and visit Amazon, CrowdStrike will:
- Record the computer name and userID.
- Record that Chrome was opened.
- Gather some details about the Chrome application.
- It will not record the URL or viewed items.
Who can view the data that CrowdStrike does collect?
The Information Security Office (ISO) collaborates with the campus community to safeguard Carnegie Mellon University's computing and networking infrastructure against threats to our information resources.
Any data collected by CrowdStrike may be viewed by authorized personnel within the ISO and independent security units (i.e., NREC, PSC) only when necessary to perform their job duties in accordance with the University Computing Policy.
IT personnel with authorization may view a subset of CrowdStrike data for systems they support directly as part of their system management duties. This data includes installation status, sensor health, vulnerabilities, detections, and automated prevention.
Who can use CrowdStrike's response capabilities?
In the event of an emergency, in accordance with the University Computing Policy, only trained ISO or independent security unit (i.e., NREC, PSC) staff may use CrowdStrike’s response capabilities which include Network Containment and Real Time Response.
Network Containment blocks normal network access for a CrowdStrike installed computer while allowing limited communication with the CrowdStrike controller and allowlisted systems for business continuity and timely investigation.
Real Time Response (RTR) is a purpose built, remote access command line interface used for remote investigation and/or remediation of a CrowdStrike installed computer. To ensure that RTR is used only when warranted, ISO staff must seek case by case authorization from an ISO supervisor to have access temporarily granted to the target computer. Once the remote investigation is complete, RTR access is revoked and notification is sent to the primary users of the computer and their local IT personnel informing them of the triggering security event and offering access to the RTR audit logs. RTR audit logs detail actions by ISO staff while remotely connected to a computer.
Can I see the information collected from my computer?
No. In order to view the data collected from your computer, you would need access to the CrowdStrike console. The console is restricted to authorized personnel within the ISO, independent security units (i.e., NREC, PSC) and authorized IT personnel for performing their job duties in accordance with the University Computing Policy.
Can I verify issues reported by CrowdStrike?
CrowdStrike is designed to prevent behavior it determines to be malicious. If the sensor blocks an application, you will receive a pop-up notification that malicious behavior was detected. These notifications are simultaneously reported to the Information Security Office (ISO) for analysis.
If further investigation or remediation is necessary, an ISO or departmental security point of contact staff member will contact you. If the issue is causing a work stoppage, please contact the ISO. Otherwise, rest assured that CrowdStrike is doing its job and performing as intended.
How long is data stored on CrowdStrike's servers?
A majority of data is stored for seven calendar days. Any exceptions to that policy are as follows:
- Identifying data for inactive devices is stored for up to forty-five days.
- Security detection events and incident data are stored for up to ninety days.
- Event-related data downloaded to local CMU storage may be retained for up to two years or longer as required for regulatory compliance and legal matters.
Will CrowdStrike affect my work?
CrowdStrike is designed to prevent behavior it determines to be malicious. If the sensor blocks an application, you will receive a pop-up notification that malicious behavior was detected. These notifications are simultaneously reported to the Information Security Office (ISO) for analysis.
If further investigation or remediation is necessary, an ISO or departmental security point of contact staff member will contact you. If the issue is causing a work stoppage, please contact the ISO.
Will CrowdStrike slow down my computer?
You should not experience any slowdown in the performance for everyday computer use. CrowdStrike does not perform full system scans or view file content which minimizes the impact. If you feel you are experiencing performance issues, please contact the Computing Services Help Center at it-help@cmu.edu or 412-268-4357 (HELP).
Can I use an alternative application?
Carnegie Mellon performed extensive research to select the best option for combatting ever-evolving cybersecurity threats. Therefore CrowdStrike is the university's preferred cybersecurity solution. If you have a concern or specific use case that may require an exception, please contact the Computing Services Help Center at it-help@cmu.edu or 412-268-4357 (HELP) .
I have questions about CrowdStrike. Who can I contact?
I have questions about CrowdStrike. Who can I contact?
For general inquiries, reach out to your college or departmental security point of contact. Please refer to the Security Points of Contact (SPoC) Directory.
If you have subsequent concerns about CrowdStrike, university policies related to CrowdStrike, or how CrowdStrike protects the university, contact the ISO.