In March 2023, CrowdStrike was installed on all servers housed in Computing Services’ Secure and Integrated Infrastructure (SII) network and university-owned workstations (desktops and laptops) that use SII VPN services to connect to them.

As of August 31, 2023, CrowdStrike is mandatory for all servers used for university business, research, and education unless contracts, consent forms, or other agreements prohibit it. This mandate reflects the current tolerance for security risk by university leadership.

Beginning November 1, 2023, CrowdStrike is mandatory for university-owned workstations (desktops and laptops) that have access to University Restricted Data and/or support university operations.

See Verify CrowdStrike Is Running for steps to ensure CrowdStrike is installed and running on your computer. 

CrowdStrike is permitted on research computers unless consent, contract, or other agreement language prohibits the use of third parties or potential access by non-researchers. This applies to all research, including approved human subjects research data and research data concerning minors. CrowdStrike may actually help address common compliance requirements for research data protection.

If you are using CrowdStrike on a device that handles research data, you should ensure that any consent forms contain the following statement in the Confidentiality section, “Select Carnegie Mellon University staff or consultants may also have access to your research data for compliance, auditing or operations purposes."

Applications

CrowdStrike looks for suspicious processes and applications. To monitor computer activity, the system records login information, application usage, and file access.

The software does NOT record keystrokes or the contents of documents, email messages, or chat communications.

Internet

CrowdStrike analyzes connections to and from the internet to determine if there is malicious activity. It records IP addresses and server names.  It will not log the contents of the web pages. This data is used to detect and prevent malicious actions involving websites.

Other Information

CrowdStrike also collects information about your computer, like your device ID and serial number, software vulnerabilities, operating system, and network information (i.e., MAC/IP addresses).

If the software detects malicious activity, it may initiate additional data collection to understand the risk better and enable a timely response.

Example

If you log into your computer, open Chrome, and visit Amazon, CrowdStrike will:

1. Record the computer name and userID.
2. Record that Chrome was opened.
3. Gather some details about the Chrome application.
4. It will not record the URL or viewed items.

The Information Security Office (ISO) collaborates with the campus community to safeguard Carnegie Mellon University's computing and networking infrastructure against threats to our information resources.

Any data collected by CrowdStrike may be viewed by authorized personnel within the ISO and independent security units (i.e., NREC, PSC) only when necessary to perform their job duties in accordance with the University Computing Policy.

IT personnel with authorization may view a subset of CrowdStrike data for systems they support directly as part of their system management duties. This data includes installation status, sensor health, vulnerabilities, detections, and automated prevention.

In the event of an emergency, in accordance with the University Computing Policy, only trained ISO or independent security unit (i.e., NREC, PSC) staff may use CrowdStrike’s response capabilities which include Network Containment and Real Time Response.

Network Containment blocks normal network access for a CrowdStrike installed computer while allowing limited communication with the CrowdStrike controller and allowlisted systems for business continuity and timely investigation.

Real Time Response (RTR) is a purpose built, remote access command line interface used for remote investigation and/or remediation of a CrowdStrike installed computer. To ensure that RTR is used only when warranted, ISO staff must seek case by case authorization from an ISO supervisor to have access temporarily granted to the target computer. Once the remote investigation is complete, RTR access is revoked and notification is sent to the primary users of the computer and their local IT personnel informing them of the triggering security event and offering access to the RTR audit logs. RTR audit logs detail actions by ISO staff while remotely connected to a computer.

No. In order to view the data collected from your computer, you would need access to the CrowdStrike console. The console is restricted to authorized personnel within the ISO, independent security units (i.e., NREC, PSC) and authorized IT personnel for performing their job duties in accordance with the University Computing Policy.

CrowdStrike is designed to prevent behavior it determines to be malicious. If the sensor blocks an application, you will receive a pop-up notification that malicious behavior was detected. These notifications are simultaneously reported to the Information Security Office (ISO) for analysis.

If further investigation or remediation is necessary, an ISO or departmental security point of contact staff member will contact you. If the issue is causing a work stoppage, please contact the ISO. Otherwise, rest assured that CrowdStrike is doing its job and performing as intended.

A majority of data is stored for seven calendar days. Any exceptions to that policy are as follows:

• Identifying data for inactive devices is stored for up to forty-five days.
• Security detection events and incident data are stored for up to ninety days.
• Event-related data downloaded to local CMU storage may be retained for up to two years or longer as required for regulatory compliance and legal matters.

CrowdStrike is designed to prevent behavior it determines to be malicious. If the sensor blocks an application, you will receive a pop-up notification that malicious behavior was detected. These notifications are simultaneously reported to the Information Security Office (ISO) for analysis.

If further investigation or remediation is necessary, an ISO or departmental security point of contact staff member will contact you. If the issue is causing a work stoppage, please contact the ISO.

You should not experience any slowdown in the performance for everyday computer use. CrowdStrike does not perform full system scans or view file content which minimizes the impact. If you feel you are experiencing performance issues, please contact the Computing Services Help Center at it-help@cmu.edu or 412-268-4357 (HELP).

Carnegie Mellon performed extensive research to select the best option for combatting ever-evolving cybersecurity threats. Therefore CrowdStrike is the university's preferred cybersecurity solution. If you have a concern or specific use case that may require an exception, please contact the Computing Services Help Center at it-help@cmu.edu or 412-268-4357 (HELP) .

I have questions about CrowdStrike. Who can I contact?
For general inquiries, reach out to your college or departmental security point of contact. Please refer to the Security Points of Contact (SPoC) Directory.

If you have subsequent concerns about CrowdStrike, university policies related to CrowdStrike, or how CrowdStrike protects the university, contact the ISO.