ISO Routine Monitoring Practices

Background

UC’s Electronic Communications Policy (ECP) sets forth the University’s policy on privacy, confidentiality, and security in electronic communications and establishes the basic principles that the University follows for examining and disclosing electronic communications records. In recognition that security monitoring necessarily involves examination of electronic communication records in some manner, the ECP authorizes and directs the Chancellor to establish local practices and procedures defining permissible routine monitoring of electronic communications resources in collaboration with faculty, staff, and students. UC Berkeley has formalized the process of evaluating and approving such practices through its Information Risk Governance Committee (IRGC) in alignment with the UC Berkeley Privacy and Online Monitoring Policy. IRGC members include faculty, staff, and students and come from areas across the campus to ensure the committee adequately represents the interests of diverse campus constituents. The Chancellor has delegated IRGC formal authority to establish policies and practices balancing security and privacy, including those that speak to permissible routine monitoring.

Routine Monitoring Principles

The Information Security Office's (ISO's) monitoring of the Berkeley Campus network and other electronic communications resources shall conform to the requirements of the ECP as implemented on the Berkeley Campus, and the UC Berkeley Privacy and Online Monitoring Policy, and be performed only by authorized UC employees or contractors in accordance with these policies, all other UC and Berkeley Campus policies, and applicable laws, including specified privacy risk mitigations. Routine monitoring activities shall be limited to the least perusal and subject to the shortest retention period required and authorized to ensure the reliability and security of systems. Any additional monitoring activities beyond those listed must be granted approval from IRGC. IRGC will also periodically review routine monitoring to ensure such practices strike an appropriate balance between privacy and security. Any monitoring practices by the Information Security Office not approved by IRGC are prohibited.

Routine Monitoring Practices

Any deviations from the following practices will be recorded in the Routine Monitoring Deviations Transparency Report.

A. Routine Network Monitoring

In accordance with ECP Section II.D.2 and Section V.B., the following practices represent the Information Security Office's routine monitoring activities performed on the Berkeley Campus network and made possible by virtue of Berkeley operating the network; these activities monitor the reliability and security of systems. 

Routine network monitoring activities consist of:

Each activity below is described by its summary, description, purpose, and the data examined or collected.

Summary: Network intrusion detection system (NIDS) data

Description: ISO operates network sensors that apply automated rules to identify and record suspicious network traffic. The rules used to identify traffic are typically purchased from security vendors; in some cases, ISO manually adjusts existing rules or creates new ones.

Purpose:
  • Identify devices which have been compromised or are under active attack
  • Track the information security threat landscape and identify campus trends
  • Determine the scope and other details when investigating information security breaches

Data Examined/Collected: The alerts generated by these sensors include source and destination information (IP addresses), the rule that triggered the alert, and the content of the network communications flagged as suspicious, including filenames, file types, and URLs. These alerts are reviewed both through automated systems and manually by analysts. Some alerts are sent to a third party for analysis[1].

Summary: Network traffic connection data

Description: ISO maintains appliances that generate network traffic connection data. This data specifies which Campus devices communicated with other devices connected to the Internet, and how much data passed between them.

Purpose:
  • Identify suspicious network use patterns indicating a compromised system
  • Correlate with lists of known bad hosts to find compromised campus systems
  • Determine scope and verify containment when investigating and responding to information security breaches

Data Examined/Collected: Data elements collected include time, source and destination IP addresses, protocols used, including application protocols (where available), network user (where available), URL category, and how much data was exchanged. The actual content of the communication is not captured, retained, or stored. This data is reviewed through automated systems for suspicious patterns indicating compromise and may be manually inspected while investigating information security incidents.

Summary: Central authentication data

Description: Authentication to central Campus systems produces an audit record which is collected and monitored by ISO for suspicious patterns. Examples of systems that generate such authentication records include CalNet services (CAS/Duo), Active Directory, network services (wireless/VPN/DHCP/firewalls), and bConnected services.

Purpose:
  • Identify attacked or compromised credentials
  • Identify unauthorized access to campus systems and services
  • Determine the scope and other details when investigating information security breaches

Data Examined/Collected: Data collected includes the time, user identity, user location, target service, the result of the authentication attempt, and the Duo two-factor device identifier (which may include a phone number). Automated rules are used to identify suspicious patterns indicating a compromised account, and the data may be manually inspected while investigating information security incidents.

Summary: System/application logs

Description: ISO provides a service to help departments meet policy requirements for the collection and analysis of security logs for systems handling data classified as Protection Level P4. Data in this category typically consists of logs generated by firewalls, operating systems, web servers, and specific application software.

Purpose:
  • Identify systems under attack or successfully compromised
  • Correlate attacks across a large number of systems to detect patterns
  • Correlate with network intrusion data to gain insight into the impact of attacks
  • Determine the scope and other details when investigating information security breaches

Data Examined/Collected: Data collected varies based on the system generating the logs, but may include time, target service, source and destination, error codes/messages, and result. Automated rules are used to identify suspicious patterns indicating attack or compromise, and the data may be manually inspected while investigating information security incidents.

Summary: Network services and vulnerabilities

Description: ISO routinely scans devices connected to the campus network to determine what devices are present, what services are available through the network, and whether these services may be vulnerable to known attacks. These scans are initiated from a dedicated network that many Campus units permit through their firewalls, in order to get an "insider" view. ISO also collects publicly available information on campus systems, made available by security researchers, to identify campus systems reachable from the Internet which may be vulnerable to attack.

Purpose:
  • Identify campus network systems which may be vulnerable to attack, and request action by those responsible to secure the system
  • Identify private information which may be inadvertently shared, such as a file share made public
  • Provide additional details when investigating information security breaches and ensure recovered systems are protected from future breaches

Data Examined/Collected: What devices are connected to the campus network, what services are available through the network, and whether these services may be vulnerable to known attacks.

Summary: Additional monitoring for hosts on protected data networks or high-security zones (NOTE: this designation is a department-level determination)

Description: There is increased monitoring for hosts on protected data networks and high-security zones. Departments opt in to this based on the sensitivity of the data that their systems store or access. Generally, additional monitoring consists of lower thresholds for investigating alerts, tracking of additional file types, and sending additional data to third parties for analysis.

Purpose: To provide heightened scrutiny of potentially security-suspicious events for UC Berkeley's most sensitive systems and data.

Data Examined/Collected: Specific instances of additional monitoring include:
  • Sending connection metadata and flow data to a third party for analysis[1]. This includes the ability to capture full packets.

B. Routine Host Monitoring

In accordance with ECP Section II.D.2 and Section V.B., the "UC Endpoint Detection and Response (EDR) Standard", and UC's IS-3 policy (locally implemented as the "Minimum Security Standards for Electronic Information"), the following practices represent the Information Security Office's routine monitoring activities performed on Berkeley Campus owned, leased, or managed endpoints. These activities monitor the reliability and security of systems.

Routine host monitoring activities consist of:

Each activity below is described by its summary, description, purpose, and the data examined or collected.

Summary: Basic device configuration, installed software, and versions being used on the network

Description: ISO receives data feeds from central client management/patching infrastructure tools, such as BigFix or Trellix agents, including basic device configuration, installed software and versions, and whether these configuration items and software versions may be vulnerable to known attacks. This information is processed and used in the same way as data collected through network vulnerability scanning, but it offers a much more complete picture of the status of systems on the Campus network than is possible through network-based scans. Limited application information is also collected through network sensors.

Purpose:
  • Identify campus-managed systems running software which may be vulnerable to attack, and request action by those responsible to secure the system
  • Provide additional details when investigating information security breaches and ensure recovered systems are protected from future breaches

Data Examined/Collected: Basic device configuration, installed software and software versions, and whether they may be vulnerable to known attacks.

Summary: Endpoint Detection and Response (EDR) on university owned, leased, or managed endpoints

Description: In compliance with the "UC Endpoint Detection and Response (EDR) Standard" and in cooperation with the UC Systemwide Threat Detection and Identification Initiative, ISO manages a host-based EDR system. This includes installing a software program on university-owned endpoints (including laptops and desktops) that collects and records system and usage data in order to monitor for signs of intrusion, and that creates alerts when any are detected. EDR software may also be configured to block malicious activity and to monitor for other signs of intrusion.

Purpose: To detect compromises that may not be visible to the network intrusion detection system, either because of encryption or because the attacks do not traverse the campus network, including Work From Home situations.

Data Examined/Collected: Data elements collected routinely include system information (operating system, network addresses, system name, logged-in user(s), etc.). When suspicious activity is detected, additional information (called a Triage collection) is collected, including running processes, the username associated with each running process, recent system changes (new files, registry changes, etc.), running services/daemons, and a small segment of memory associated with the suspicious activity. If further review of the Triage collection discovers malicious activity, additional information may be acquired, including files, the full system memory, task schedules, event logs, recent network activity, etc.

This data can be examined by ISO, UCOP TDI staff, or UCOP TDI's managed SOC service.

Additionally, if the managed SOC service detects malicious activity in other locations or at other customers, it may perform a "Threat Hunt", which is an active search for indicators of concern.

C. Records Retention

Records of the above activity are retained for the following periods:

  • Routine Network Monitoring - 1 year
  • Routine Host Monitoring:
    • Record of Acquisition and Alert - 1 year
    • Collected data - 30 days unless Analysts request longer retention (for up to one year) or as directed by legal counsel

Scope of This Notice

This notice does not include:

  • Monitoring conducted by the UC Office of the President under the Coordinated Threat Detection and Identification Initiative[1]. However, UC Berkeley's implementation of UC's TDI conforms to this notice.
  • Service-specific monitoring conducted by and on behalf of non-ISO providers of electronic communication services, which providers must document and publish under ECP Section IV.C.2.b. (The bConnected transparency report is a model for how service providers communicate that information.) 

Current Issues

As the information security threat landscape continually evolves and new technologies emerge, IRGC will continually evaluate the balance of privacy and security to define the scope of permissible monitoring. 

Questions

Questions about the Routine Network Monitoring practices?

Questions about the Routine Host Monitoring practices?

Questions about the Electronic Communications Policy?

Questions about the Minimum Security Standards for Electronic Information (UC Berkeley's implementation of IS-3)?
Endnotes:

[1] UC Systemwide Threat Detection and Identification Initiative: https://security.ucop.edu/services/threat-detection-and-identification/i...

Change Log:

  • Oct 2024: Adjusted terminology to clarify that these practices implement campus and UC policy; they are not, themselves, policy.
  • Nov 2024: Added Endpoint Detection and Response (EDR) routine monitoring, approved by IRGC Nov 2024. Update included new "Routine Host Monitoring" section and other consistency changes.