Knowledgebase: CyberSecurity at OSU
Enhanced Endpoint Protection Service
Posted by Aaron Jenkins on 25 October 2021 10:52 AM

Enhanced Endpoint Protection Service

With the increase in remote work for many employees, the need for remote visibility and early detection of malicious activity is greater than ever. That is why the university is complementing our existing security tools by providing a new service called the Enhanced Endpoint Protection Service (EEPS). This service improves the protection of our endpoints and institutional data.

The Enhanced Endpoint Protection Service (EEPS) is a service hosted by Enterprise Security. The service provides an Endpoint Detection and Response (EDR) tool that monitors connections to potentially malicious networks and potentially malicious application behaviors on university systems (e.g., desktops, laptops, and servers). If malicious behavior is detected, it then applies enhanced protections, including but not limited to quarantining infected systems from others.

To preserve your privacy and keep information confidential, EEPS tools monitor endpoint activity at a technical level.

For example, if a PDF document attachment is downloaded from email and opened, these tools will detect that the PDF reader was used and the name of the PDF document, but will not access the content of the document. If, after opening the PDF, there were attempted unwanted changes to the system or the PDF reader behaved suspiciously, the tool could help detect this threat and then defend you from the attack, again without accessing the content of the document.


Why do we need EEPS?

With the increase in remote work for many employees and the increase in ransomware activity worldwide, the university needs more tools to better protect our institutional data and systems from malicious actors. Our approach is to use a tool called Endpoint Detection and Response (EDR) to obtain visibility into system behavior. EDR tools help detect malicious activity, even in a remote work environment, and rapidly mitigate or isolate the activity to prevent further disruption to your work and university systems.

What is an EDR tool?

Endpoint Detection and Response (EDR) tools are used to detect malicious behavior of bad actors who have gained or are attempting to gain unauthorized access to university systems. EDR tools allow security teams to quickly detect malicious behavior and take swift action to mitigate and reduce the impact of security incidents.

Will this service impact my privacy?

Enterprise Security is committed to protecting institutional data and computing resources. Our dedicated security professionals follow university policies. Likewise, when you use university computing resources, your activities are monitored. Computing resources may include information systems, networks, and mobile devices, and the institutional data they contain.

What data is collected?

The CrowdStrike Falcon sensor collects endpoint events and current state configuration with a focus on identifying compromised or infected systems. These endpoint events would be similar to what you might see today in the SEP, SCCM / Jamf or Windows Event logs. Example events would be:

  • when a process or application is started
  • when a file is created (includes fields like the type of file, path and file name, but not the contents)
  • network connection information (this would include IP addresses and domain names, but not the contents of any HTTPS traffic)
  • when a registry key is added or modified
  • general information on the endpoint (includes hostname, operating system, model, IP address, MAC address)
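To illustrate how an EDR tool can act on the metadata-only events listed above (process start, file creation, registry modification) without ever reading document contents, here is a small added example that is not OSU's or CrowdStrike's code: a toy rule set that flags the PDF-reader scenario described earlier. The reader and shell process names, the event shape and the sample events are all constructed for this example.

```python
# Added example: toy EDR-style rules over constructed endpoint events.
# Only event metadata (process names, paths, keys) is inspected; the PDF itself is never opened.
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process", "file" or "registry"
    host: str
    process: str       # image name of the acting process
    parent: str = ""   # parent image name (process-start events)
    path: str = ""     # file path or registry key (file / registry events)


# Assumed lists: document readers that should not normally launch interpreters or shells
READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "preview"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "bash", "sh"}
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
EXECUTABLE_EXTS = (".exe", ".dll", ".ps1", ".vbs")


def evaluate(events):
    """Return one alert string per suspicious event; benign events produce nothing."""
    alerts = []
    for e in events:
        proc, parent, path = e.process.lower(), e.parent.lower(), e.path.lower()
        if e.kind == "process" and parent in READERS and proc in SHELLS:
            alerts.append(f"{e.host}: document reader {e.parent} spawned {e.process}")
        elif e.kind == "registry" and proc in READERS and path.endswith(PERSISTENCE_KEYS):
            alerts.append(f"{e.host}: {e.process} modified persistence key {e.path}")
        elif e.kind == "file" and proc in READERS and path.endswith(EXECUTABLE_EXTS):
            alerts.append(f"{e.host}: {e.process} wrote executable {e.path}")
    return alerts


# Constructed sample: a normal PDF open from the mail client, then three suspicious follow-on events
SAMPLE = [
    Event("process", "lab-pc1", "AcroRd32.exe", parent="outlook.exe"),
    Event("file", "lab-pc1", "AcroRd32.exe", path="C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe"),
    Event("process", "lab-pc1", "powershell.exe", parent="AcroRd32.exe"),
    Event("registry", "lab-pc1", "AcroRd32.exe",
          path="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE):
        print(alert)
```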

If data is collected where is it stored?

This information is stored for a limited period of time in the hosted CrowdStrike environment in US datacenters. ORIS has a separate CrowdStrike Falcon environment that is not shared with any other unit.

Who can see the data collected?

ORIS staff granted access by ORIS approvers can see events identified as being related to malicious activities or attempts to compromise the machine, as well as general information about the endpoint where the sensor is installed. Enterprise Security's Intrusion Detection and Incident Response, Information Protection and Security Intelligence staff also have access to the endpoint events.

Will this tool be replacing an existing security tool on my computer?

The Enhanced Endpoint Protection Service offers multiple security tool components, including NGAV (Next Generation Anti-Virus), firewall management, and USB device control. In an effort to manage fewer tools, simplify use, streamline resources and realize cost savings, we will be implementing the new toolset as a replacement for the existing Symantec Endpoint Protection anti-virus tool over the next several months.

Will this tool cause my computer to run slower?

No. EEPS uses a toolset known as Endpoint Detection and Response (EDR), which is designed to have as little impact on your system as possible.


© 2022, The Ohio State University - Office of Research