Endpoint Detection and Response

Overview

The Information Security Office offers endpoint detection and response (EDR) using a threat detection and identification tool, Trellix. Trellix Endpoint Security software (formerly known as FireEye HX) is designed to address sophisticated or advanced persistent threat (APT) attacks with features that go beyond the capabilities of traditional malware protection. 

Features of EDR

  • Available for University endpoint devices including servers, workstations, and laptops

  • Supported on Windows, MacOS, and Linux devices

  • Compliant with regulations such as PCI-DSS and HIPAA

Endpoint detection and response is currently getting rolled out to all campus machines via BigFix. Find additional details in our project details.

How to Enroll

FAQs

Exceptions

Expansion Project

Resources

How to Enroll

  • Managed University-owned machines: Starting July 2, 2024, EDR will be incrementally distributed to campus-managed machines using BigFix.

  • Self-managed, University-owned machines: Email endpoint-security@security.berkeley.edu 

FAQs

Who do I contact for help?

For questions or issues with this installation, email endpoint-security@security.berkeley.edu.

What is the difference between Trellix and FireEye?

Trellix was formerly named FireEye. You may see references to FireEye on your computer after this product is installed on your machine. The screenshot below shows a popup message you may receive on your Apple machine after Trellix is installed via BigFix.

 This image shows a popup desktop alert that says, ""FireEye Security Holdings US LLC" added items that can run in the background. You can manage this in Login Items Settings."

When will EDR be deployed to my computer?

If your desktop or laptop computer is centrally managed by campus, EDR will be installed onto your machine via BigFix in July, 2024. Due to the way software is distributed via BigFix, we cannot pinpoint the exact day the software will be installed on your specific machine.

I am an employee performing work functions on my personal computer. Can I install this software?

At this time, we are only installing the EDR software on campus-owned machines. Additionally, we strongly encourage staff to utilize Berkeley-owned and managed machines because IT staff will be better able to support those devices and configurations.

How do I know if my machine is managed?

In general, you can tell if your computer is centrally managed if you see the Self Service app on your Apple machine, or the BigFix Self Service app on your Windows machine.

How can I tell if Trellix has been installed on my machine?

Apple machines:

Search for a file called “FireEye Helper” in the applications folder

- or -

Open terminal and run:

ps aux | grep xagt

If you get a result that includes this in response to this prompt, Trellix is likely running:

/Library/FireEye/xagt/xagt.app/Contents/MacOS/xagt -M DAEMON 

Windows machines:

Look for this image on your taskbar:

This image shows a black and blue X icon on the taskbar

Linux machines:

Open terminal and run:

ps aux | grep xagt

If you get a result that includes this in response to this prompt, Trellix is likely running:

/opt/fireeye/bin/xagt -M DAEMON

What does EDR software do?

EDR runs in the background of a system to detect and block attacks using several techniques including:

  • Signature-based engine to find and block known malware (akin to traditional anti-virus and anti-malware software)

  • MalwareGuard machine learning using seeded threat intelligence

  • Behavior-based analytics engine to stop advanced threats

  • Real-time discovery of Indicators of Compromise (IOC) using frontline threat intelligence

Additionally, EDR enables automatic real-time monitoring and investigation of ongoing security events, greatly expediting incident response and containment.

In layman's terms, what does the above mean?

Once installed, the software runs in the background while you do your normal work. What's unique about this software (compared to other malware or antivirus programs) is that it uses real-time intel in conjunction with machine learning to quickly detect threats and immediately act to mitigate any damage.  

How is data collected and analyzed by EDR and the Information Security Office?

  • The application collects system information in 10 minute intervals including application processing information, such as website URL addresses.

  • IF an alert is triggered, another 10 minute interval is captured and both intervals are downloaded to a monitoring center for forensic purposes and reviewed by an ISO Security Analyst. Examples of what will trigger an alert include malware, ransomware, unauthorized remote control of your computer, and malicious downloads.

  • IF a security incident is determined, EDR will try to mitigate and/or block the attack. ISO will also proceed to gather additional forensic information from the system for the purposes of investigating the incident and containing the  compromise. ISO will notify you when additional forensic information is gathered, and inform you of steps you need to take, if any. If no security incident is determined the data is deleted.

What data is analyzed by the EDR software?

EDR scans continuously and keeps a 10-minute record of activity on your machine, which is saved if a security alert is triggered.

The regular scan includes:

  • Network activity such as URL data and DNS lookups
  • File activity such as downloads
  • Images loaded
  • System processes and registry events (applications and tasks running on the device)

When a security alert is triggered, EDR takes a copy of a second 10-minute interval, including:

  • Applications running
  • Web sites visited
  • File activity such as downloads
  • Processes running on the machine

Find more information in the detailed FireEye HX Data Collection Points PDF.

How does UC Berkeley protect my privacy?

UC Berkeley takes your privacy very seriously:

  • Security alert data collected from endpoint devices is only stored for the duration of the investigation of the alert or as required by law or policy. 

  • All data acquisition events are reviewed by the Information Security Office, logged, and follow guidelines established by the IT Policy Office and Campus Privacy Office to ensure the acquisition is warranted. Participants will be notified of security events according to ISO’s normal security operations processes. 

  • ISO security analysts and EDR Managed Defense analysts use the concept of least perusal in accordance with the UC Electronic Communications Policy (ECP) to perform only those searches that are necessary to confirm if there is a potential compromise or breach.

What can I do to protect my privacy?

Although the UC Electronic Communications Policy allows for incidental personal use of University electronic resources, and use of EDR collected information is limited to what is required for analysis and remediation of security incidents, you may feel that you do not want your personal online activity included in EDR data collection that could be reviewed by security analysts. We recommend that you conduct such personal online activity on a device that is not owned or managed by the University.

Note: Per UC-wide requirements, in future phases of the campus EDR project, personally-owned devices used to connect to University "trusted networks" and "enterprise systems" (to be defined by the campus) will also require EDR software.

Can I request an exception from EDR?

Most campus users are required to use EDR. Before requesting an exception, please review the exception requirements and process

Related Resources:

If you have any questions, including about the type of data collected, email us at: endpoint-security@security.berkeley.edu.

UC’s Threat Detection and Identification (TDI) initiative:

FireEye (Trellix)  HX Endpoint Security Data Sheet