Endpoint Detection and Response

Overview

The Information Security Office offers endpoint detection and response (EDR) using a threat detection and identification tool, Trellix. Trellix Endpoint Security software (formerly known as FireEye HX) is designed to address sophisticated or advanced persistent threat (APT) attacks with features that go beyond the capabilities of traditional malware protection. 

Features of EDR

  • Available for University endpoint devices including servers, workstations, and laptops

  • Supported on Windows, MacOS, and Linux devices

  • Compliant with regulations such as PCI-DSS and HIPAA

Endpoint detection and response is currently getting rolled out to all campus machines via BigFix. Find additional details in our project details.

How to Enroll

FAQs

Exceptions

Expansion Project

Resources

How to Enroll Today

  • Managed University-owned machines: Starting July 2, 2024, EDR will be incrementally distributed to campus-managed machines using BigFix.

  • Self-managed, University-owned machines: Email endpoint-security@security.berkeley.edu 

FAQs

What is the difference between Trellix and FireEye?

Trellix was formerly named FireEye. You may see references to FireEye on your computer after this product is installed on your machine. The screenshot below shows a popup message you may receive on your Apple machine after Trellix is installed via BigFix.

 This image shows a popup desktop alert that says, ""FireEye Security Holdings US LLC" added items that can run in the background. You can manage this in Login Items Settings."

When will EDR be deployed to my computer?

If your desktop or laptop computer is centrally managed by campus, EDR will be installed onto your machine via BigFix in July, 2024. Due to the way software is distributed via BigFix, we cannot pinpoint the exact day the software will be installed on your specific machine.

How do I know if my machine is managed?

In general, you can tell if your computer is centrally managed if you see the Self Service app on your Apple machine, or the BigFix Self Service app on your Windows machine.

How can I tell if Trellix has been installed on my machine?

Apple machines:

Search for a file called “FireEye Helper” in the applications folder

- or -

Open terminal and run:

ps aux | grep xagt

If you get a result that includes this in response to this prompt, Trellix is likely running:

/Library/FireEye/xagt/xagt.app/Contents/MacOS/xagt -M DAEMON 

Windows machines:

Look for this image on your taskbar:

This image shows a black and blue X icon on the taskbar

Linux machines:

Open terminal and run:

ps aux | grep xagt

If you get a result that includes this in response to this prompt, Trellix is likely running:

/opt/fireeye/bin/xagt -M DAEMON

What does EDR software do?

EDR runs in the background of a system to detect and block attacks using several techniques including:

  • Signature-based engine to find and block known malware (akin to traditional anti-virus and anti-malware software)

  • MalwareGuard machine learning using seeded threat intelligence

  • Behavior-based analytics engine to stop advanced threats

  • Real-time discovery of Indicators of Compromise (IOC) using frontline threat intelligence

Additionally, EDR enables automatic real-time monitoring and investigation of ongoing security events, greatly expediting incident response and containment.

In layman's terms, what does the above mean?

Once installed, the software runs in the background while you do your normal work. What's unique about this software (compared to other malware or antivirus programs) is that it uses real-time intel in conjunction with machine learning to quickly detect threats and immediately act to mitigate any damage.  

What data is analyzed by the EDR software?

How is data collected and analyzed by EDR and the Information Security Office?

  • The application collects system information in 10 minute intervals including application processing information, such as website URL addresses.

  • IF an alert is triggered, another 10 minute interval is captured and both intervals are downloaded to a monitoring center for forensic purposes and reviewed by an ISO Security Analyst. Examples of what will trigger an alert include malware, ransomware, unauthorized remote control of your computer, and malicious downloads.

  • IF a security incident is determined, EDR will try to mitigate and/or block the attack. ISO will also proceed to gather additional forensic information from the system for the purposes of investigating the incident and containing the  compromise. ISO will notify you when additional forensic information is gathered, and inform you of steps you need to take, if any. If no security incident is determined the data is deleted.

How does UC Berkeley protect my privacy?

UC Berkeley takes your privacy very seriously:

  • Security alert data collected from endpoint devices is only stored for the duration of the investigation of the alert or as required by law or policy. 

  • All data acquisition events are reviewed by the Information Security Office, logged, and follow guidelines established by the IT Policy Office and Campus Privacy Office to ensure the acquisition is warranted. Participants will be notified of security events according to ISO’s normal security operations processes. 

  • ISO security analysts and EDR Managed Defense analysts use the concept of least perusal in accordance with the UC Electronic Communications Policy (ECP) to perform only those searches that are necessary to confirm if there is a potential compromise or breach.

Can I request an exception from EDR?

Most campus users are required to use EDR. Before requesting an exception, please review the exception requirements and process

Related Resources:

If you have any questions, including about the type of data collected, email us at: endpoint-security@security.berkeley.edu.

UC’s Threat Detection and Identification (TDI) initiative:

FireEye (Trellix)  HX Endpoint Security Data Sheet