FireEye is next-generation endpoint detection and response (EDR) software. FireEye is replacing Windows System Center Endpoint Protection and Avast Antivirus as the antivirus software on campus.
The Division of Information Technology (DIT) is requiring each University of Maryland (UMD) department to switch to FireEye to strengthen our ability to prevent, detect, manage and respond to cyber threats system wide. With malware, phishing and other malicious threats becoming increasingly sophisticated, DIT has searched for the best tools at a competitive price to protect our networks and the sensitive data of our employees, students and patients. FireEye, chosen through a competitive request for proposal process, offers a multi-dimensional solution that helps the University more effectively manage its cyber risk profile. This improves the security of our entire campus population.
Due to the continued risk of data breaches, attacks from advanced persistent threats, and ransomware that specifically targets research and higher education institutions, we are mandating that FireEye be installed on all University-owned computers (that is, endpoints and servers).
If you use your Directory login and passphrase to log in to your laptop, you must work with your local IT department to install FireEye by March 31, 2021. Departmental IT will contact you if you have a Windows and/or macOS computer used for UMD business that does not use your Directory login information, as those devices must have FireEye installed by June 30, 2021. A decision about the use of FireEye on Linux will be made in the future. If you have questions about whether your computer is on the central Active Directory domain, please contact your local departmental IT staff.
No. At this time we are only licensed for University-owned computers.
FireEye’s suite of tools, including its endpoint detection and response tools and advanced forensic tools, can provide the University with more detailed actionable information about detected security threats, including how the threat entered the network and why it succeeded. This will enable security professionals to respond faster and more effectively, and guard against future threats.
FireEye’s larger customer base equips the company with better intelligence on the types of threats that exist. FireEye possesses immense expertise with the threats that UMD routinely faces, as its customer base includes many universities, corporations, and research centers.
An EDR tool helps manage and reduce cybersecurity risk using real-time intelligence about advanced malware and cyber attackers. EDR tools focus on threat identification and on noticing signs that a system has been compromised. This gives you the strongest protection whether you are working on campus or remotely.
FireEye searches for the following:
No. You will experience no difference when accessing your computer and files, searching online or conducting your research.
During install:
Upon alert of a malicious file or event the following is sent to the Division of IT Security Operations Center (SOC):
If departmental IT contacts have asked for malware alerts for their department, the following information is sent to them:
If the SOC needs more details around a suspected compromise or breach, FireEye can collect:
If the DIT Security Operations Center (SOC) is performing any data acquisition with FireEye in relation to a potential IT security incident, we make a best effort to notify the department ahead of time, or as soon as possible, about the data acquisition and will supply the following information:
This notification is dependent on departments providing DIT Security with an accurate list of their systems. This can be a standard naming scheme for hosts in their department or a list of hostnames for their systems.
FireEye gives us the ability to quickly gather information around a suspected IT security incident in an automated fashion, allowing DIT to stop a compromise before it turns into a data breach or ransomware incident. Previously, much of this information was available to us, but obtaining it often involved working with the local IT department and the user of the system to gain physical access to the computer of interest for investigation. That took considerable time and allowed attackers to spread further on our network.
No. DIT respects the privacy of faculty, staff and students and does not use any tool to monitor employees or your online activity. FireEye is only used to detect and respond to cybersecurity threats based on the criteria described above. While FireEye, as a tool, is intended to be used for the purposes of incident response, the information to which it has access remains subject to federal and state law, as well as other legal obligations. Furthermore, your use of University information technology resources remains subject to the University of Maryland Policy on the Acceptable Use of Information Technology Resources. Therefore, the privacy of the information FireEye accesses is similarly subject to applicable federal and state law, including the Maryland Public Information Act, and the needs of the University to meet its administrative, business, and legal obligations.
Information about you and your device is generated when you install FireEye, and that information is stored in the FireEye Console to identify your device. As with all other information collected by FireEye, this information will be used for detection and response to cybersecurity threats. By default, FireEye does not store detailed information on your online activities. However, FireEye is used to gather and provide this information to the SOC when necessary for the purposes of incident response.
The University ensures that only individuals involved in the detection of and response to cybersecurity threats are granted access to information FireEye creates, gathers, or processes, and individuals are limited in the information they can access according to their roles. Only a subset of the DIT Security team can access the data FireEye collects. Most central DIT staff and all IT staff from departments and colleges are not provided access to the FireEye data or its collection system. Detailed logs are kept of all information gathered by FireEye and who gathered it. Further, the University Privacy Office audits any investigations performed on a regular basis to ensure information is accessed and used appropriately.
The University Privacy Office considers the following principles: respect, equity, relevance, accountability, and transparency. For example, Security Operations Center (SOC) members are required to consider and respect the rights, dignity, and expectations of the individuals their investigations may impact; SOC members are required to access and use only the information that is relevant to their investigations; SOC members are required to make the details of their investigations available to the Privacy Office; and SOC members are required to account for their access to and use of all information.
Generally, the University recognizes a reasonable expectation of privacy of its employees, affiliates, and students. However, this expectation of privacy is not unlimited. In particular, that privacy is subject to applicable federal and state law, including the Maryland Public Information Act, and to the needs of the University to meet its administrative, business, and legal obligations. In order to detect and respond to cybersecurity threats to the University and its community, the University may access and use certain information, including the data points described above. While this information is not used for monitoring your activity, it can and will be accessed for the purposes described above; you should not expect it to be entirely private.
You can reach DIT Security by emailing soc@umd.edu or by contacting the Service Desk.
FireEye does a quick scan (usually 2-3 minutes) of recently touched files when it receives a scan signature update, during the day, or at boot time. FireEye performs a scheduled weekly full scan at 7 p.m. on Sunday evenings.