What is CrowdStrike?
Crowdstrike is next-generation endpoint detection and threat response (EDTR) software. Crowdstrike is replacing the FireEye/Trellix endpoint detection and response software in use on university-owned machines.
Why is UMD changing its existing EDR solutions to Crowdstrike?
The Division of Information Technology (DIT) requires each University of Maryland (UMD) department to switch to Crowdstrike to strengthen our ability to prevent, detect, manage and respond to cyber threats system-wide. With malware, phishing and other malicious threats becoming increasingly sophisticated, DIT has searched for the best tools at a competitive price to protect our networks and the sensitive data of our employees, students and patients. Crowdstrike, chosen through a competitive process, offers a multi-dimensional solution with improved threat intelligence that helps the University more effectively manage its cyber risk profile while using fewer resources on the endpoint machine. Using Crowdstrike vastly improves the threat protection landscape and offers greater security for our entire campus population.
When is Crowdstrike required?
Due to the continued risk of data breaches, attacks from advanced persistent threats and ransomware that is specifically targeting research and higher education institutions, we are mandating that Crowdstrike be installed on all University-owned computers (that is, endpoints and servers).
You must work with your local IT department to install Crowdstrike by May 31st, 2025. Departmental IT will contact you if you have a Windows and/or macOS computer used for UMD business that does not use your Directory login information, as those devices must also have Crowdstrike installed by May 31st, 2025. If you have questions about whether your computer is on the central Active Directory domain, please contact your local departmental IT staff.
What is a Crowdstrike Sensor?
A Crowdstrike sensor is another name for the application software that runs Crowdstrike on a machine. The term can also refer to the machine that is running the Crowdstrike software.
Can I install Crowdstrike on my personal computer?
No. At this time we are only licensed for University-owned computers.
What is a Customer Install ID (CID)?
A customer install ID is a specific alphanumeric string required for installation of a Crowdstrike sensor.
What is a Maintenance Token?
A maintenance token is an alphanumeric string that is required to uninstall Crowdstrike from a machine.
What will Crowdstrike offer that the previous antivirus solutions did not? What makes Crowdstrike better?
Crowdstrike’s suite of tools, including its endpoint detection and threat response tools, advanced forensic tools, and state-of-the-art threat intelligence infrastructure, provides the University with more detailed actionable information about detected security threats, including how the threat entered the network and why it succeeded or how it was prevented. This will enable security professionals to respond faster and more effectively, and guard against future threats.
Crowdstrike’s larger customer base equips the company with better intelligence on the types of threats that exist. Crowdstrike possesses immense expertise with the threats that UMD routinely faces, as its customer base includes many universities, corporations, and research centers across the globe.
What is an Endpoint Detection and Threat Response tool?
An EDTR tool helps manage and reduce cybersecurity risk using real-time intelligence about advanced malware and cyber attackers. EDTR tools focus on identifying threats and noticing signs that a system has been compromised. This gives you the strongest protection whether you are working on campus or remotely.
What cyber risks do EDTR tools detect, and how do they respond to them?
Crowdstrike searches for the following:
· Malware, including advanced malware (created for a specific target and purpose), crimeware and ransomware.
· Known malicious IP addresses and domain names.
· Traffic to malicious command-and-control nodes, which are how an attacker can control and manipulate an infected computer.
· Indicators of compromise, which are pieces of information and signals that reveal a system has been compromised. These can come in multiple forms including known bad IP addresses, use of covert channels of communication, or metadata flagged as dangerous.
· Behavioral analysis based on a vast threat intelligence and learning network.
Will switching to Crowdstrike change the way I access my computer, my files, the Internet or conduct my research?
No. You will experience no difference when accessing your computer and files, searching online or conducting your research.
What kind of information does Crowdstrike collect about my computer?
During install:
· System name and the AD domain it is joined to (if any).
· OS Version.
· Primary user.
· IP address(es).
· MAC address(es).
· Processor speed.
· Memory total/available.
· Current version of Crowdstrike and protection signatures.
Upon alert of a malicious file or event the following is sent to the Division of IT Security Operations Center (SOC):
· Host name.
· Action taken.
· Malware name.
· Infection type.
· File name.
· User accessing file.
· File creation time.
· File last accessed time.
· File hash.
· Running processes from the time of the incident.
· Network connections from the time of the incident.
· File events from the time of the incident.
If departmental IT contacts have asked for malware alerts for their department, the following information is sent to them:
· Host.
· Action taken.
· Malware name.
· Infection type.
· File name.
· User accessing file.
· File creation time.
· File last accessed time.
If the SOC needs more details around a suspected compromise or breach, Crowdstrike can collect:
· System logs.
· Command line activity.
· PowerShell history.
· A copy of your computer’s memory (RAM).
· Files that have been downloaded on your computer.
· Web browser history.
· Registry key information.
· Network activity logs.
· DNS lookups.
· Services running on your computer.
· Remote Desktop (RDP) login activity.
· Additional information about processes running on your computer.
What are the SOC’s rules for taking a data acquisition with Crowdstrike?
If the DIT Security Operations Center (SOC) performs any data acquisition with Crowdstrike in relation to a potential IT security incident, we make a best effort to notify the department ahead of time, or as soon as possible, about the data acquisition, and will supply the following information:
· A summary of what has occurred and why we are interested in gathering additional data.
· The name of the system we are taking data from.
· The user name of the user currently logged in.
· Current IP address information for the system we are taking data from.
· A timeline of the incident as we currently know it.
This notification is dependent on departments providing DIT Security with an accurate list of their systems. This can be a standard naming scheme for hosts in their department or a list of hostnames for their systems.
How is this different from what DIT did previously?
Crowdstrike allows us to quickly gather information about a suspected IT security incident in an automated fashion, which lets DIT stop a compromise before it turns into a data breach or ransomware incident. Previously, much of this information was available to us, but obtaining it often involved working with the local IT department and the user of the system to gain physical access to the computer of interest for investigation. This took considerable time and allowed attackers to spread further on our network.
Will the University use Crowdstrike to monitor my online activities, including which websites I visit and what transactions I make?
No. DIT respects the privacy of faculty, staff and students and does not use any tool to monitor employees or your online activity. Crowdstrike is only used to detect and respond to cybersecurity threats based on the criteria described above. While Crowdstrike, as a tool, is intended to be used for the purposes of incident response, the information to which it has access remains subject to federal and state law, as well as other legal obligations. Furthermore, your use of University information technology resources remains subject to the University of Maryland Policy on the Acceptable Use of Information Technology Resources. Therefore, the privacy of the information Crowdstrike accesses is similarly subject to applicable federal and state law, including the Maryland Public Information Act, and the needs of the University to meet its administrative, business, and legal obligations.
Will my private information, including my name and which websites I’ve visited, or any similar information be stored somewhere within Crowdstrike?
Information about you and your device is generated when you install Crowdstrike, and that information is stored in the Crowdstrike Console to identify your device. As with all other information collected by Crowdstrike, this information will be used for detection and response to cybersecurity threats. By default, Crowdstrike does not store detailed information on your online activities. However, Crowdstrike is used to gather and provide this information to the SOC when necessary for the purposes of incident response.
What does the University do to protect the privacy of the data Crowdstrike collects?
The University ensures that only individuals involved in the detection of and response to cybersecurity threats are granted access to information Crowdstrike creates, gathers, or processes, and individuals are limited in the information they can access according to their roles. Only a subset of the DIT Security team can access the data Crowdstrike collects. Most central DIT staff and all IT staff from departments and colleges are not provided access to the Crowdstrike data or its collection system. Detailed logs are kept of all information gathered by Crowdstrike and who gathered it. Further, the University Privacy Office audits any investigations performed on a regular basis to ensure information is accessed and used appropriately.
What principles does the University Privacy Office employ in evaluating the University’s collection and use of information?
The University Privacy Office considers the following principles: respect, equity, relevance, accountability, and transparency. For example, Security Operations Center (SOC) members are required to consider and respect the rights, dignity, and expectations of the individuals their investigations may impact; SOC members are required to access and use only the information that is relevant to their investigations; SOC members are required to make the details of their investigations available to the Privacy Office; and SOC members are required to account for their access to and use of all information.
What expectation of privacy do I have with regard to the information Crowdstrike accesses, gathers, or processes?
Generally, the University recognizes a reasonable expectation of privacy of its employees, affiliates, and students. However, this expectation of privacy is not unlimited. In particular, that privacy is subject to applicable federal and state law, including the Maryland Public Information Act, and to the needs of the University to meet its administrative, business, and legal obligations. In order to detect and respond to cybersecurity threats to the University and its community, the University may access and use certain information, including the data points described above. While this information is not used for monitoring your activity, it can and will be accessed for the purposes described above; you should not expect it to be entirely private.
I have questions about Crowdstrike and its implementation. Where can I go to learn more?
You can reach DIT Security by emailing soc@umd.edu or by contacting the Service Desk.
When does Crowdstrike scan my machine?
Crowdstrike does not scan files like a traditional antivirus product, nor in the way FireEye/Trellix performed scans.
Instead, it uses detailed knowledge about files, programs, processes, interactions and behaviors to determine whether operations on a machine are malicious or safe.