CrowdStrike is a computer security program being used by Penn to offer enhanced protection to some Penn owned and managed computers.
Please see the FAQ below for additional details.
CrowdStrike is a next-generation computer protection tool that uses pattern recognition to help Penn identify and respond quickly to modern cyber security threats. While prior generations of antivirus software generally relied on looking for known bad programs, CrowdStrike improves on this approach by using pattern recognition techniques to identify viruses and other malicious activities even if they have not been previously seen or do not rely on malicious software. For example, CrowdStrike can help identify when a user’s password has been stolen or if a cyber-attack is being attempted by sending malicious commands to a computer.
CrowdStrike has been reviewed and vetted prior to its use to ensure that it complies with the principles established in Penn’s Privacy in the Electronic Environment Policy and Guidelines on Open Expression.
In order to function, CrowdStrike records and analyzes details about programs that are run, the logged-in user account, the name of the computer being used, how programs interact with other computers on the internet, and the names of files that are read or written. The content of files, emails, instant messages, etc. is not accessed or recorded.
For example, if Microsoft Word is used to edit a file called project.docx, CrowdStrike will record technical data about Microsoft Word and the name of the file, “project.docx.” The content of the document will not be reviewed or recorded.
No, CrowdStrike does not access the content of emails. As noted above, CrowdStrike monitors currently running programs at a technical level but does not look at content. So, for example, if a PDF document attachment is downloaded from email and opened, CrowdStrike will know that the PDF reader was opened and the name of the PDF document, but will not access the content of the document. If the PDF document has been modified to attack the computer, as is sometimes the case, CrowdStrike will attempt to detect this attack, but does not and will not use the content of the document to do this.
CrowdStrike uses a secure cloud computing environment to analyze the information it collects to look for patterns that could indicate a cyber-attack against Penn. When a potential attack is identified, an alert is sent for review to trained and vetted CrowdStrike IT staff, who can then pass the alert to Penn. Within Penn, information and alerts related to a particular school or center are only available to the IT team for that school or center, and within each IT team, only a small number of authorized individuals can access CrowdStrike. Penn’s Office of Information Security can view alerts across all of Penn in order to help provide coordinated responses to attacks that target more than one School or Center. This approach is governed by Penn’s Privacy in the Electronic Environment Policy.
As you would expect, the cyber-security threats to Penn continue to evolve, and in order to address those threats, Penn’s cyber-security measures need to evolve as well. CrowdStrike specifically enhances Penn’s ability to detect the way a modern hacker would attempt to move from one compromised computer to another, as well as attacks that leverage normally benign computer tools for malicious purposes.
CrowdStrike is designed to have a very low impact on computer performance. CrowdStrike can be much more efficient than previous generations of antivirus-style software because it does not scan the whole computer for virus files and because it does not access the content of files. Instead, CrowdStrike monitors current computer activity for indicators that the activity is malicious. Because of this, CrowdStrike is very efficient regardless of the size of files in use and should generally not have any noticeable impact on computer performance.
For a standard user computer, CrowdStrike only transmits about 1MB of data over the course of 24 hours. For context, this is less than the amount of data transmitted to load a single normal web page. For computer servers running CrowdStrike, about 5MB of data would be transmitted in the course of a day, still on the order of magnitude of loading a single web page over the internet.
It is not anticipated that CrowdStrike will cause problems with other programs, and initial deployments to hundreds of computers have not resulted in reports of problems. CrowdStrike has been deployed at many of our IvyPlus peer institutions without issue. Similarly, CrowdStrike has been deployed alongside existing antivirus software without issue in Penn’s tests, in initial deployments, and at organizations outside of Penn.
The data CrowdStrike initially collects is retained for up to thirty days, after which time it is securely deleted. Certain data points are retained longer, such as alerts around potentially malicious computer activity that might indicate an attack is in progress. The longest that CrowdStrike will retain this narrower set of data is one year.
The CrowdStrike Prevention Policy Settings is posted to PennBox for easy access to protected information.