Endpoint Detection and Response

CrowdStrike EDR (Endpoint Detection & Response)

OIT recently converted to the MCNC version of CrowdStrike via their Vital Cyber program. This CrowdStrike instance is a Government version and covers all the devices in the data centers.

Key Features/Benefits

  • Agent for Windows, Linux and Mac
  • Falcon Prevent – Next Generation Antivirus
  • Falcon X – Threat Intelligence
  • Falcon Insight – Endpoint detection and response (EDR)
  • Falcon Overwatch – Threat Hunting
  • Falcon Discover – IT Hygiene
  • MCNC will monitor our CrowdStrike instances 24×7 for any detections

Definitions

  • CrowdStrike – An Endpoint Detection and Response (EDR) agent that provides protection to NC State resources.
  • Data Centers – The main NC State data centers are MCNC, EDC and DC2. Also included are OIT assets that are deployed in Azure, AWS, and Google Cloud.
  • CLS – Campus Linux Services
  • SCCM – System Center Configuration Manager
  • JAMF – Third-party CMS application used to manage Mac computers.

EDR requirement

All computers on the NC State network are required to have endpoint protection under RUL 08.00.18 (Endpoint Protection Standard). While encouraged, CrowdStrike isn’t currently required for all systems. However, for systems without an approved AV solution that meets the Endpoint Security Standard, such as Mac and Linux, CrowdStrike is an ideal way to meet that requirement.

CrowdStrike Benefits

  • CrowdStrike is a next-generation antivirus that provides behavior-based protection on your computer. CrowdStrike does not actively scan all the files on your computer. Instead, it analyzes the activity taking place on your computer, and if it notices activity outside the normal baseline, it reports a detection. This model allows CrowdStrike to offer protection without consuming significant system resources.
  • Most of the incidents reported to Security and Compliance (S&C) come from monitoring tools that S&C uses, or are reported by other agencies (outside of NC State). CrowdStrike could prevent these types of incidents before they happen.
  • There have been several instances where we have used CrowdStrike to mitigate incidents, and it has become a part of our standard Incident Response playbook.

Deployment of CrowdStrike

Currently, the deployment is taking place in multiple ways, and we need your active participation in it. Installing CrowdStrike on university-owned systems will decrease the likelihood of being impacted by threats such as ransomware. Installation priority should be given to systems with access to sensitive data.

  • OIT is actively installing CrowdStrike agents on all data center virtual systems and all OIT-managed desktops and servers.
  • There is a $30/year charge per client. We have created an intake form in ServiceNow to collect the information required for the license. S&C will work with your IT personnel to set up the deployment and ensure we have the correct contact information for the Incident Response team.

Deployment packages are available in Windows SCCM, JAMF, and Linux CLS. Standalone installers can be provided if needed for systems not managed by a standard CMS.

Access the ServiceNow request form

  • As incidents arise on the NC State network, S&C will reach out to the Department or College and assist in resolving the issue. As part of this remediation, S&C will require the Department or College to purchase a CrowdStrike license for the impacted machine, or for multiple machines depending on the incident. The Incident Response team will reach out to the affected unit(s) and collect the information needed to deploy the agents immediately. We will follow up by gathering the billing information for those systems.

For Discussion: Feedback is needed regarding a campus deployment plan (e.g., purple/red/yellow systems, research devices, servers, etc.) with a target date for all assets to be complete.