Endpoint Detection and Response (EDR) Expansion Project

Overview

Implementing Endpoint Detection and Response (EDR) software addresses gaps, strengthens our cybersecurity posture, and defends against advanced cyber threats. Therefore, the Information Security Office (ISO) is expanding the use of EDR to all university-owned computers and servers.

EDR is required as part of UC President Michael Drake's campus information security investment plan to help manage and reduce cybersecurity risk.

Privacy Statement

Berkeley prioritizes privacy and data protection for individuals with Endpoint Detection and Response (EDR) software installed on university-owned computers and servers. Campus EDR is not intended for installation on personally owned devices.

The Campus Privacy Office and the Information Risk Governance Committee (IRGC) are reviewing our EDR program. The IRGC provides governance over IT monitoring activities under campus and systemwide privacy policies, including the Electronic Communications Policy.

Additionally, we:

  • Minimize data collection 
  • Minimize data retention
  • Log and review access
  • Are developing transparency reporting
  • Review data collection with the Privacy Office

See our detailed Privacy and Process Documentation for more information.

Can I request an exception from EDR?

Most campus users are required to use EDR. Before requesting an exception, please review the exception requirements and process.


EDR Project Milestones

| Milestone | Due Date |
| --- | --- |
| Phase 1: EDR Deployment - Berkeley-managed computers | Aug. 2024 |
| Phase 1.5: Development, Testing & Remediation | Sept. 2024 |
| Phase 2: EDR Deployment - University-owned computers and servers | Oct. 2024 - May 2025 |

FAQs

Can I install EDR on my personally-owned computer?

Not at this time. We are only installing the EDR software on campus-owned machines and we strongly encourage staff to utilize university-owned and managed machines because IT staff will be better able to support those devices and configurations.

Note: Per UC-wide requirements, in future phases of the campus EDR project, personally-owned devices used to connect to University "trusted networks" and "enterprise systems" (to be defined by the campus) will also require EDR software.

How can I tell if EDR has been installed on my machine?

Berkeley IT uses Trellix for our Endpoint Detection and Response software. Trellix was formerly named FireEye, so you will see references to ‘FireEye’ on your computer after it’s installed.

To see if EDR has been installed on your university machine, follow these steps based on your operating system.

| Operating system | Easy way | Technical way |
| --- | --- | --- |
| macOS (Apple) | Search for “FireEye Helper” in the Applications folder | |

...

How Does EDR Impact My Computer Performance?

EDR runs in the background and has minimal impact on performance. It does not interfere with your work, software, or internet browsing. Trellix was formerly named FireEye, so you may see references to ‘FireEye’ on your computer after it’s installed.

How does EDR work?

EDR runs seamlessly in the background while you do your regular work. It uses real-time information and machine learning to detect, contain, and respond to threats quickly to stop further damage.

What can I do to protect my privacy?

The use of EDR-collected information is limited to what is required for analysis and remediation of security incidents; you may feel that you do not want your personal online activity included in EDR data collection that security analysts could review. We recommend conducting such personal online activity on a device not owned or managed by the University.

What Data Does EDR Collect?

EDR monitors system activity, such as running processes, network connections, and security alerts. It does not track personal browsing habits, private files, or non-work-related activity. When a security alert is triggered, EDR captures info on:

  • Applications running
  • Web sites visited
  • File activity, such as downloads
  • Processes running on the machine

What is EDR and How Do I Get It?

EDR stands for Endpoint Detection and Response. It is a cybersecurity tool that monitors devices like laptops, desktops, and servers and helps our security team quickly find and fix any harmful activities. We offer standalone EDR installers for servers, and EDR is also part of our Berkeley Security...

What’s the simple version of how EDR Data Collection Works?

The software collects system activity data, primarily keeping it on your computer. Data is sent for analysis only if a security issue is detected and all handling follows strict privacy policies. Any security-related data is reported to Berkeley’s Privacy Office, and false alarms result in immediate data deletion.

Normal Process:

The software continuously documents recent system activity, like websites visited, names of files opened, and network connections. Data is stored on your computer for about 10 minutes, constantly updating as new activity replaces old...

Who Can Access EDR Data?

Only authorized Information Security Office (ISO) and EDR vendor analysts can review security alerts. Data access follows strict campus policies and privacy guidelines.

Who do I contact for help with Endpoint Detection & Response (EDR)?

Why is EDR Required?

Cyberattacks on higher education are increasing. EDR enhances security by detecting and responding to threats in real-time, helping protect university data and systems.

Will I Be Notified of Security Alerts Found on My Computer?

Yes. If a security event occurs on your device, ISO will follow established procedures to notify you and provide guidance.