
Yale University Network Monitoring Privacy Statement

In accordance with Yale’s Information Technology Appropriate Use Policy (Policy 1607), Yale University proactively protects its systems through monitoring and detection tools. This allows Yale to detect malicious activity early and prevent cybercriminals from stealing Yale data or disrupting systems that are critical to supporting the University’s mission. Access to collected data is strictly monitored, audited, and restricted to authorized, trained information security engineers with a clear risk-based need.

For questions or more detail on University network and systems monitoring, please contact information.security@yale.edu.


Routine network monitoring activities consist of the following. Each activity is listed with its description, its purpose, and the data examined or collected.

Security detection data

Description: The Yale Information Security Office (ISO) operates network sensors that apply automated rules to identify and record suspicious network traffic. The rules used to identify traffic are typically purchased from security vendors, and in some cases we manually adjust or create new rules. ISO also operates security detection sensors that apply rules to identify and record suspicious activities. The rules used to identify those activities are typically purchased from security vendors (e.g. EDR, Microsoft-provided protections, etc.), and in some cases we manually adjust or create new rules.

Purpose:
- Identify devices and users which have been compromised or are under active attack.
- Track the information security threat landscape and identify campus trends.
- Determine the scope and other details when investigating information security breaches.

Data examined/collected: The alerts generated by these sensors include source and destination information (IP addresses), the rule triggering the alert, anomalous behaviors, and the content of network communications flagged as suspicious, including filenames, file types, and URLs. These alerts are reviewed both through automated systems and manually by analysts.

Network traffic connection data

Description: ISO maintains appliances that generate network traffic connection data. This data specifies which campus devices communicated with other devices connected to the Internet, and how much data passed between them.

Purpose:
- Identify suspicious network use patterns indicating a compromised system.
- Correlate with lists of known bad hosts to find compromised campus systems.
- Determine scope and verify containment when investigating and responding to information security incidents.

Data examined/collected: Data elements collected include time, source and destination IP addresses, protocols used, including application protocols (where available), network user (where available), URL category, and how much data was exchanged. This data is reviewed through automated systems for suspicious patterns indicating compromise and may be manually inspected while investigating information security incidents.

Central authentication data

Description: Authentication to central campus systems produces an audit record which is collected and monitored by ISO for suspicious patterns. Examples of systems that generate such authentication records include CAS, DUO, VPN, Active Directory, cloud service providers, etc.

Purpose:
- Identify attacked or compromised credentials.
- Identify unauthorized access to campus systems and services.
- Determine the scope and other details when investigating information security incidents.

Data examined/collected: Data collected includes the time, user identity, user location, target service, the result of the authentication attempt, and the DUO two-factor device identifier (which may include a phone number). Automated rules are used to identify suspicious patterns indicating a compromised account, and the data may be manually inspected while investigating information security incidents.

System/application logs

Description: Logs for critical IT applications and systems are collected for security alerting and detection. Data in this category typically consists of logs generated by operating systems, web servers, and specific application software.

Purpose:
- Identify systems under attack or successfully compromised.
- Correlate attacks across a large number of systems to detect patterns.
- Correlate with network intrusion data to gain insight into the impact of attacks.
- Determine the scope and other details when investigating information security incidents.

Data examined/collected: Data collected varies based on the system generating the logs, but may include time, target service, source and destination, error codes/messages, and result. Automated rules are used to identify suspicious patterns indicating attack or compromise, and the data may be manually inspected while investigating information security incidents.

Network services and vulnerabilities

Description: ISO routinely scans devices connected to the campus network to determine what devices are present, what services are available through the network, and whether these services may be vulnerable to known attacks. ISO also uses Cyber Threat Intelligence and vulnerability scan data to identify campus systems which may be at risk of attack.

Purpose:
- Identify campus network systems which may be vulnerable to attack and request action by those responsible to secure the system.
- Identify private information which may be inadvertently shared, such as a file share made public.
- Provide additional details when investigating information security incidents and ensure recovered systems are protected from future incidents.

Data examined/collected: What devices are connected to the campus network, what services are available through the network, and whether these services may be vulnerable to known attacks.

Applications and versions being used on the network

Description: ISO collects data including basic device configuration, installed software and versions, and whether these configuration items and software versions may be vulnerable to known attacks. This information is processed and used similarly to data collected through network vulnerability scanning, but it offers a much more complete picture of the status of systems on the campus network than is possible through network-based scans. Limited application information is also collected through network sensors.

Purpose:
- Identify campus-managed systems running software which may be vulnerable to attack and request action by those responsible to secure the system.
- Provide additional details when investigating information security incidents and ensure recovered systems are protected from future incidents.

Data examined/collected: Basic device configuration, installed software and software versions, and whether they may be vulnerable to known attacks.

Additional monitoring for hosts on protected data networks or high-security zones

Description: There is increased monitoring for hosts on protected data networks and high-security zones. Additional monitoring consists of lower thresholds for investigating alerts and tracking of additional file types.

Purpose and data examined/collected: The purpose of this additional monitoring is to provide targeted protection of systems determined to be of high security value by the ISO. Specific instances of additional monitoring include, but are not limited to, connection metadata and flow data used for advanced analysis and alerting.

O365

Description: Microsoft's O365 contains native security monitoring and detections for anomalous or malicious activities within all of Microsoft’s applications.

Purpose and data examined/collected: O365 provides critical applications to all of Yale’s users. This monitoring ensures its availability and security. The O365 data collected varies based on the application, but generally consists of end user actions, configuration changes, and modifications to data.

Email data collected (Investigations SOP for email and files)

Description: Microsoft’s Defender for E-mail provides e-mail security detections for anomalous or malicious activities within our Microsoft e-mail environment.

Purpose and data examined/collected: Defender for e-mail provides security against common e-mail-based cybersecurity attacks. Defender for e-mail collects and analyzes end user e-mails for use in cybersecurity attack investigations by authorized security engineers.

CrowdStrike

Description: CrowdStrike endpoint detection and response (EDR) monitors Yale-managed workstations, servers, cloud assets, and virtualized hosts.

Purpose and data examined/collected: CrowdStrike EDR provides security against common endpoint-based cybersecurity attacks. CrowdStrike collects various endpoint telemetry data for its analysis.

Forcepoint

Description: Forcepoint provides Data Loss Prevention controls on Yale endpoints and cloud applications.

Purpose and data examined/collected: Forcepoint ensures compliance with regulatory requirements around the safeguarding of certain types of data. Forcepoint monitors and collects endpoint telemetry for specific types of data and implements additional controls to prevent its misuse.