Endpoint Detection and Response (EDR) Expansion Project

Overview

Implementing Endpoint Detection and Response (EDR) software addresses gaps, strengthens our cybersecurity posture, and defends against advanced cyber threats. Therefore, the Information Security Office (ISO) is expanding the use of EDR to all university-owned computers and servers.

EDR is required as part of UC President Michael Drake's campus information security investment plan to help manage and reduce cybersecurity risk.

Privacy Statement

Berkeley prioritizes privacy and data protection for individuals with Endpoint Detection and Response (EDR) software installed on university-owned computers and servers. Campus EDR is not intended for installation on personally owned devices.

The Campus Privacy Office and the Information Risk Governance Committee (IRGC) are currently reviewing our EDR program. The IRGC provides the campus framework for institutional governance of information risk under campus and systemwide privacy policies, including the Electronic Communications Policy.

See our detailed EDR Service article for more information.

Can I request an exception from EDR?

Most campus users are required to use EDR. Before requesting an exception, please review the exception requirements and process.


EDR Project Milestones

Milestone | Due Date
Phase 1: EDR Deployment - Berkeley-managed computers | Aug. 2024
Phase 1.5: Development, Testing & Remediation | Sept. 2024
Phase 2: EDR Deployment - University-owned computers and servers | Oct. 2024 - May 2025

FAQs

How can I tell if EDR has been installed on my machine?

Berkeley IT uses Trellix (formerly FireEye) for our Endpoint Detection and Response software. To see if the Trellix agent has been installed on your university machine, follow these steps based on your operating system.

Apple machines:

Search for an application called "FireEye Helper" in the Applications folder

- or -

Open Terminal and run:

ps aux | grep xagt...
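The following script, added here as an example and not part of the campus page or of Trellix's own tooling, turns the Apple check above into a repeatable test. The process name xagt and the app name "FireEye Helper" come from the page; the bundle path /Applications/FireEye Helper.app and the standard 11-column ps aux layout are assumptions. It matches the exact executable name in the COMMAND column so that, unlike a bare grep xagt, it does not count the grep process itself, and it can also be fed captured ps output from another host.

```shell
#!/bin/sh
# Added example (not from the campus page): verify the Trellix / FireEye HX agent on macOS.
# "xagt" and "FireEye Helper" are taken from the page; the app bundle path below is
# an assumption and may differ by agent version.

# has_xagt_in_ps: read `ps aux` output on stdin; succeed if a process whose executable
# is named exactly "xagt" is present. Matching the basename of the COMMAND field avoids
# the false positive where `grep xagt` finds the grep command itself, and rejects
# look-alike names such as "xagtd".
has_xagt_in_ps() {
  awk '
    NR > 1 {                         # skip the header row
      n = split($11, p, "/")         # $11 is COMMAND in the assumed 11-column ps aux layout
      if (p[n] == "xagt") found = 1
    }
    END { exit (found ? 0 : 1) }
  '
}

# check_trellix_live: run the process check against this machine and look for the
# helper app bundle. Returns 0 only if the agent process is running.
check_trellix_live() {
  app="/Applications/FireEye Helper.app"   # assumed location; adjust if needed
  if [ -d "$app" ]; then
    echo "helper app: present ($app)"
  else
    echo "helper app: not found"
  fi
  if ps aux | has_xagt_in_ps; then
    echo "xagt process: running"
    return 0
  fi
  echo "xagt process: not running"
  return 1
}

# Constructed sample ps output (not captured from a real host) for offline testing.
SAMPLE_WITH_AGENT='USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 123 0.5 1.2 4000000 50000 ?? Ss 9:00AM 0:10.00 /Library/FireEye/xagt/xagt
alice 456 0.0 0.0 4000000 1000 s000 S+ 9:01AM 0:00.01 grep xagt'

SAMPLE_WITHOUT_AGENT='USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
alice 456 0.0 0.0 4000000 1000 s000 S+ 9:01AM 0:00.01 grep xagt
root 789 0.0 0.1 4000000 2000 ?? Ss 9:00AM 0:00.50 /usr/sbin/xagtd'

# Run the live check only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--live" ]; then
  check_trellix_live
fi
```

Run it as `sh check_trellix.sh --live` on the Mac itself, or pipe saved ps output into has_xagt_in_ps when auditing a fleet. The second sample shows why exact matching matters: the grep line and a hypothetical xagtd both contain "xagt" yet neither is the agent.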

How do I know if my machine is managed?

In general, you can tell if your computer is centrally managed if you see the Self Service app on your Apple machine, or the BigFix Self Service app on your Windows machine.

I am an employee performing work functions on my personal computer. Can I install EDR?

We are only installing the EDR software on campus-owned machines. Additionally, we strongly encourage staff to utilize Berkeley-owned and managed machines because IT staff will be better able to support those devices and configurations.

What can I do to protect my privacy?

Although the UC Electronic Communications Policy allows for the incidental personal use of University electronic resources, and use of EDR-collected information is limited to what is required for analysis and remediation of security incidents, you may feel that you do not want your personal online activity included in EDR data collection that security analysts could review. We recommend conducting such personal online activity on a device not owned or managed by...

What data is analyzed by the EDR software?

EDR scans continuously and keeps a 10-minute record of your machine's activity, which is saved only if a security alert is triggered.

The regular scan includes:

Network activity, such as URL data and DNS lookups
File activity, such as downloads
Images loaded
System processes and registry events (applications and tasks running on the device)

When a security alert is triggered, EDR takes a copy of a second 10-minute interval, including:

Applications running
Web sites visited
File activity, such as downloads
Processes running on the machine

See our detailed...

What does EDR software do?

Once installed, the software runs seamlessly in the background while you do your regular work. It uses real-time information and machine learning to detect, contain, and respond to threats quickly to mitigate further damage.

Specifically, EDR uses several techniques, including:

Signature-based engine to find and block known malware (akin to traditional anti-virus and anti-malware software).
MalwareGuard machine learning using seeded threat intelligence.
Behavior-based analytics engine to stop advanced threats....

What is the difference between Trellix and FireEye?

Trellix is the successor to FireEye's endpoint security products, and the agent still carries the FireEye name in places. You may therefore see references to FireEye on your computer (for example the "FireEye Helper" app and the xagt process) after this product is installed on your machine. The screenshot below shows a popup message you may receive on your Apple machine after Trellix is installed via BigFix.

When will EDR be deployed to my computer?

If your desktop or laptop computer is centrally managed by campus, EDR will automatically be installed on your machine. Beginning in October 2024, ISO will be working to roll out installation across campus. If you wish to install EDR on your system before, please email us at endpoint-security@security.berkeley.edu

Who do I contact for help with Endpoint Detection & Response (EDR)?

Who has been involved in approving EDR?

See the Privacy Statement above: the Campus Privacy Office and the Information Risk Governance Committee (IRGC) are currently reviewing our EDR program.