CrowdStrike Falcon

CrowdStrike Falcon is UVM’s primary antivirus tool and should be installed on all UVM-managed servers and workstations. CrowdStrike is a modern EDR (Endpoint Detection & Response) platform that continuously monitors computers for threats and may take automatic preventative actions to contain the damage that can be caused by malicious software or processes.

ETS is deploying CrowdStrike to UVM-managed employee workstations in February and March 2026. CrowdStrike will initially be deployed in an informational (detection) mode prior to being enabled to take preventative actions.

How Does CrowdStrike Work?

CrowdStrike is automatically installed on Windows and macOS workstations, as well as Windows and Linux servers. It runs in the background, continuously monitoring the computer’s behavior for patterns that suggest malicious activity.

CrowdStrike also behaves like a traditional antivirus client, scanning the computer for known malicious software or files. When it detects a problem, the sensor will alert Information Security Office analysts and may prevent a malicious process from running or quarantine a malicious file.

Will CrowdStrike Be Noticeable?

CrowdStrike should not disrupt your work, nor noticeably affect your computer’s performance. On a workstation the software is largely invisible, and updates are automated, continuous, and do not require a reboot. The software uses only a very small fraction of your computer’s processing power, memory, and storage.

What Information Does CrowdStrike Collect?

CrowdStrike records basic data about actions performed on your computer that it uses to identify threat behavior. This may include file and program names, network connections and website traffic, commands such as copying, deleting, renaming, or encrypting files, and the usernames used to access the device. It does not record file contents, actions taken while visiting websites, or the content of emails.

As with any other routinely collected data, the Information Security Office and CrowdStrike administrators will not inspect CrowdStrike data except in the case of a security investigation or incident or during routine maintenance activities.

Can I Request an Exception?

In some limited circumstances, it may be necessary to exempt a UVM-managed endpoint from the deployment of the CrowdStrike sensor. Requests for exceptions will be reviewed by the Information Security Office on a case-by-case basis and will be granted only to meet a demonstrated need, not for individual preference. Exceptions are granted for one year with the expectation that, where possible, the requestor will work to resolve the conditions that require the exception. Granted exceptions will be reviewed annually and reauthorized if appropriate by the Information Security Office.

Exceptions may be granted in cases where:

  • A critical application that runs on the endpoint is incompatible with CrowdStrike, and this conflict cannot be resolved with process or file system exclusions
  • The endpoint runs an operating system, or runs on hardware, that is unsupported by CrowdStrike
  • Contractual or legal restrictions prevent the installation of EDR software on the endpoint
  • The device is already monitored by another EDR agent, such as Microsoft Defender for Endpoint, which may be installed on devices managed by LCOMTS
  • Deployment of the CrowdStrike sensor has a significant, measurable impact on device performance. Because of the nature of EDR and CrowdStrike’s architecture, it is unlikely that CrowdStrike will have a noticeable performance effect on most workstations, servers, and workflows. CrowdStrike provides a suite of tools that help to diagnose and resolve such issues by excluding processes or files that conflict with the sensor. In the event that performance issues caused by sensor deployment cannot be resolved after working with CrowdStrike administrators, an exception may be granted.

Exceptions to CrowdStrike sensor deployment must be approved by a Dean, Director, or Department Chair, or by an official authorized to accept risk on behalf of the university. Requests for exceptions may be made by emailing the Information Security Office at iso@uvm.edu with the following information:

  • Primary endpoint user or responsible administrator
  • Hostname (computer name)
  • MAC addresses for wired and wireless interfaces, as applicable
  • A description of why you are requesting an exception
  • Sensitive data stored or accessed on the device (the definition of NPPD in the UVM Privacy Policy is a useful reference)
  • Your assessment of risks to UVM systems, information, or other assets should the confidentiality, integrity, or availability of the endpoint be compromised

The Tech Team can help you gather this information if you need assistance.

Can Processes be Excluded from CrowdStrike Detection and Response?

In rare cases, legitimate and necessary processes running on managed endpoints may trigger CrowdStrike detection and response activities. It may be necessary to create an exclusion for these processes so that CrowdStrike doesn’t interfere with business requirements. Requests for these exclusions will be reviewed and facilitated by the Information Security Office on a case-by-case basis and will be granted only to meet a demonstrated need.

Exclusions will be created when the following criteria are met:

  • CrowdStrike is alerting on or preventing an intentional and legitimate behavior
  • The behavior cannot be disabled on the endpoint itself or, if disabled, would interfere with a required function
  • The behavior can be clearly and consistently differentiated from a malicious process
  • The exclusion would not introduce a vulnerability or other security risk
  • The excluded process serves a documented business requirement
  • The software running the excluded process does not perform the same function as other software provided by UVM or another process that has already been excluded

Requests for process exclusions may be made by emailing the Information Security Office at iso@uvm.edu with the following information:

  • Primary endpoint users or responsible administrator
  • The hostnames of devices believed to be executing the affected process, or, in the case of a broadly deployed technology, the scope of the proposed exclusion (e.g., “all UVM-managed devices in RSENR”, or “all the workstations in Dr. Schmoe’s lab”)
  • A description of why you are requesting an exclusion
  • Sensitive data stored in or accessed by the software executing the excluded process (the definition of NPPD in the UVM Privacy Policy is a useful reference)
  • Your assessment of risks to UVM systems, information, or other assets should the confidentiality, integrity, or availability of the endpoint running the software be compromised

The Tech Team can help you gather this information if you need assistance.

If you have questions about CrowdStrike, please submit a ticket or reach out to the Tech Team.

Updated on March 26, 2026
