Crowdstrike is a next generation endpoint detection and threat response (EDTR) software. Crowdstrike is replacing Fireeye/Trellix endpoint detection and response software in use with university owned machines.
The Division of Information Technology (DIT) requires each University of Maryland (UMD) department to switch to Crowdstrike to strengthen our ability to prevent, detect, manage and respond to cyber threats system wide. With malware, phishing and other malicious threats becoming increasingly sophisticated, DIT has searched for the best tools at a competitive price to protect our networks and the sensitive data of our employees, students and patients. Crowdstrike, chosen through a competitive process, offers a multi-dimensional solution with improved threat intelligence that helps the University more effectively manage its cyber risk profile while using fewer resources on the endpoint machine. Using Crowdstrike vastly improves the threat protection landscape and offers greater security for our entire campus population.
Due to the continued risk of data breaches, attacks from advanced persistent threats and ransomware that is specifically targeting research and higher education institutions, we are mandating that Crowdstrike be installed on all University-owned computers (that is, endpoints and servers).
You must work with your local IT department to install Crowdstrike by May 31st, 2025. Departmental IT will contact you if you have a Windows and/or MacOS computer used for UMD business that does not use your Directory login information, as those devices must also have Crowdstrike installed by May 31st, 2025. If you have questions about whether your computer is on the central Active Directory domain please contact your local departmental IT staff.
A Crowdstrike sensor is another name for the application software that runs Crowdstrike on a machine. Sensor can also refer to the machine that is running the Crowdstrike software.
No. At this time we are only licensed for University-owned computers.
A customer install ID is a specific alpha-numeric string required for installation of a Crowdstrike sensor.
A maintenance token is an alpha-numeric string that is required to uninstall Crowdstrike from a machine.
Crowdstrike’s suite of tools, including its endpoint detection and threat response tools, advanced forensic tools, and state-of-the-art threat intelligence infrastructure, provides the University with more detailed actionable information about detected security threats, including how the threat entered the network and why it succeeded or how it was prevented. This will enable security professionals to respond faster and more effectively, and guard against future threats.
Crowdstrike’s larger customer base equips the company with better intelligence on the types of threats that exist. Crowdstrike possesses immense expertise with the threats that UMD routinely faces, as its customer base includes many universities, corporations, and research centers across the globe.
An EDTR tool helps manage and reduce cyber security risk using real-time intelligence about advanced malware and cyber attackers. EDTR tools focus on threat identification and noticing signs that a system has been compromised. This allows you to have the strongest protection whether working on campus or remotely.
Crowdstrike searches for the following:
No. You will experience no difference when accessing your computer and files, searching online or conducting your research.
During install:
Upon alert of a malicious file or event the following is sent to the Division of IT Security Operations Center (SOC):
If departmental IT contacts have asked for malware alerts for their department, the following information is sent to them:
If the SOC needs more details around a suspected compromise or breach, FireEye can collect:
If DIT Security Operations Center (SOC) is performing any data acquisition with Crowdstrike in relation to a potential IT security incident we make a best effort to notify the department ahead of time or as soon as possible about the data acquisition and will supply the following information:
This notification is dependent on departments providing DIT Security with an accurate list of their systems. This can be a standard naming scheme for hosts in their department or a list of hostnames for their systems.
Crowdstrike gives us the ability to quickly gather information around a suspected IT security incident in an automated fashion, allowing DIT to stop a compromise before it turns into a data breach or ransomware incident. Previously, much of this information was available to us, but obtaining it would often involve working with the local IT department and the user of the system to gain physical access to the computer of interest for investigation, which took considerable time and allowed attackers to spread further on our network.
No. DIT respects the privacy of faculty, staff and students and does not use any tool to monitor employees or your online activity. Crowdstrike is only used to detect and respond to cybersecurity threats based on the criteria described above. While Crowdstrike, as a tool, is intended to be used for the purposes of incident response, the information to which it has access remains subject to federal and state law, as well as other legal obligations. Furthermore, your use of University information technology resources remains subject to the University of Maryland Policy on the Acceptable Use of Information Technology Resources. Therefore, the privacy of the information Crowdstrike accesses is similarly subject to applicable federal and state law, including the Maryland Public Information Act, and the needs of the University to meet its administrative, business, and legal obligations.
Information about you and your device is generated when you install Crowdstrike, and that information is stored in the Crowdstrike Console to identify your device. As with all other information collected by Crowdstrike, this information will be used for detection and response to cybersecurity threats. By default, Crowdstrike does not store detailed information on your online activities. However, Crowdstrike is used to gather and provide this information to the SOC when necessary for the purposes of incident response.
The University ensures that only individuals involved in the detection of and response to cybersecurity threats are granted access to information Crowdstrike creates, gathers, or processes, and individuals are limited in the information they can access according to their roles. Only a subset of the DIT Security team can access the data Crowdstrike collects. Most central DIT staff and all IT staff from departments and colleges are not provided access to the Crowdstrike data or its collection system. Detailed logs are kept of all information gathered by Crowdstrike and who gathered it. Further, the University Privacy Office audits any investigations performed on a regular basis to ensure information is accessed and used appropriately.
The University Privacy Office considers the following principles: respect, equity, relevance, accountability, and transparency. For example, Security Operations Center (SOC) members are required to consider and respect the rights, dignity, and expectations of the individuals their investigations may impact; SOC members are required to only access and use the information that is relevant to their investigations; SOC members are required to make the details of their investigations available to the Privacy Office; and SOC members are required to account for their access to and use of all information.
Generally, the University recognizes a reasonable expectation of privacy of its employees, affiliates, and students. However, this expectation of privacy is not unlimited. In particular, that privacy is subject to applicable federal and state law, including the Maryland Public Information Act, and to the needs of the University to meet its administrative, business, and legal obligations. In order to detect and respond to cybersecurity threats to the University and its community, the University may access and use certain information, including the data points described above. While this information is not used for monitoring your activity, it can and will be accessed for the purposes described above; you should not expect it to be entirely private.
You can reach DIT Security by emailing soc@umd.edu or by contacting the Service Desk.
Crowdstrike does not scan files like a traditional antivirus, or in the way Fireeye/Trellix performed scans.
It uses detailed knowledge about files, programs, processes, interactions and behaviors to discern whether operations on a machine are malicious or safe.