Endpoint Protection: Data Collection, Sensitive Data, and Privacy
Yale University runs Endpoint Detection Response (EDR) software on many of the University-owned laptops, desktops, and servers. This EDR tool provides enhanced protection against cybersecurity attacks involving malware. Malware is software specifically designed to disrupt, damage, or gain unauthorized access to a computer system and its data. EDR allows Yale to detect malicious activity early so that it can prevent or intercept attempts by bad actors to steal Yale data or disrupt systems that are critical to supporting our mission.
Learn about Yale's Endpoint Detection Response (EDR) tool and our commitment to privacy and security
Yale currently employs the CrowdStrike Falcon version of EDR software. The software is managed by the Information Security Office (ISO) in partnership with IT units across Yale. It is critical that we proactively protect Yale systems and their data while maintaining departmental and individual privacy and security. Yale takes many precautions to limit the data collected by our EDR software and ensure it is used appropriately.
What information Endpoint Detection Response (EDR) monitors and records
The EDR software looks for suspicious processes and programs to prevent cyber attacks. To do this, it records processes and details about programs that are run and names of files that are accessed. This includes details about:
- who has logged in on a machine
- what programs are run
- the names of files that are read or written
For example, if you log in and open a Microsoft Word document called "example.doc", the EDR software will:
- Record the computer name and logged-in NetID
- Record that Word was run and gather some details about the Word program itself
- Record the file name "example.doc"
What information Endpoint Detection Response (EDR) does not record
The EDR software does not access the contents of:
- Documents
- Email messages
- Instant message (IM)/chat communications
Endpoint Detection Response (EDR) and internet access
The EDR tool analyzes connections to and from the internet to determine if there is malicious behavior. It may record the addresses of websites visited but will not log the contents of the pages transmitted. This data is used to help detect and prevent malicious actions involving websites.
For example, if you visit the Yale homepage, the EDR tool will record https://www.yale.edu. The tool will not make a copy of or store the contents of the Yale website.
Where Endpoint Detection Response (EDR) data is stored
The EDR software provides secure storage on its cloud servers for the data it collects. Yale retains ownership of the data. In some cases, ISO security analysts may store data collected for the purpose of investigating IT security incidents.
Access to data collected by Endpoint Detection Response (EDR)
The EDR software uses enhanced endpoint protection to extract anonymized data about computer processes and malicious techniques. This works to identify new patterns of malicious behaviors to dynamically protect systems. CrowdStrike limits its own employees’ access to customer data to those with a business need. More detail can be found in the CrowdStrike Privacy Notice.
ISO limits the information available in enhanced endpoint protection to only what is needed to identify and halt malicious activity. Access is granted only to those who need it for their Yale work. Administrators receive training and periodic reminders to use enhanced endpoint protection only for its intended purpose in accordance with Yale policies.
Access to the data is governed primarily by Yale’s Appropriate Use Policy.
Privacy and Security Summary
EDR helps proactively protect Yale's critical data and systems from dynamic cyber attacks. For questions about the collection, use, or privacy of this data, please contact the ISO at information.security@yale.edu.