CrowdStrike Endpoint Detection and Response Software

Last updated: December 18, 2024
Audience: IT Staff / Technical Decision Makers

How to get CrowdStrike Falcon

UW-IT is currently in an early adopter roll-out of CrowdStrike Falcon endpoint detection and response software. All UW departments can request this software, at this time, at no cost to the department and with the understanding that support requests are during business hours. Requests must go through UW-IT, which holds the UW license for this service.

Request a CrowdStrike Falcon instance

About CrowdStrike Falcon

CrowdStrike Falcon, which also includes anti-virus protection, offers some of the most advanced cybersecurity features to address sophisticated security threats — for UW servers as well as workstations, including laptops and desktops.

The cloud-based platform, which requires a lightweight agent on the endpoint device, works with Windows, Mac and Linux systems, and is supported on all major cloud platforms, including Azure, Amazon Web Services, and Google Cloud Platform.

Endpoint detection offers a modern solution to emerging threats

Endpoint detection is a critical component of CrowdStrike Falcon. An endpoint is any end device connected to a network, including desktops, laptops, tablets, smartphones, servers and other connected devices. Endpoints can also be on-premises servers.

By some industry estimates, these endpoints represent one of the greatest threats to any organization — with about 70 percent of successful breaches by cybercriminals coming through them. Once an endpoint has been compromised, an attacker can use it to access an organization’s assets, execute code and exploit any other vulnerabilities. In a worst-case scenario, an entire organization may be shut down by a cybercriminal until a ransom is paid.

At a typical University, tens of thousands of endpoint devices are actively connected to the network at any given time, which is why an attack can quickly cause major damage. Protecting endpoint devices has become even more critical in today’s work environment, as a larger percentage of the workforce connects from home or other remote locations. The UW also has global operations, with students, faculty and staff spread across the world.

How endpoint detection works

The typical role of antivirus software is to detect and respond to malicious activity. But in today’s environment, that’s not enough. Endpoint detection takes into consideration the entire security infrastructure landscape and provides a unified approach to manage and secure endpoint devices.

CrowdStrike Falcon offers a centralized management system that allows a security administrator to monitor, protect and investigate vulnerable points across endpoint devices and servers. CrowdStrike Falcon also actively works in the background to identify emerging risks — using artificial intelligence, machine learning and other technologies to detect and respond to threats.

Important notice for IT administrators

Your incident response process may change once CrowdStrike Falcon is installed on endpoint devices. These are the recommended steps to take with your end users:

  • Ensure that your users know how to contact you if they encounter a problem with their devices.
  • When a user reports that a device has lost connectivity, first determine whether this is due to a CrowdStrike Falcon containment before escalating further.
  • If a user reports a problem, check your email for a critical escalation/OverWatch alert.
  • If you are a UW Connect user, you can search for the device name in UW Connect, in assignment group “OIS EDR Incident.”
  • If CrowdStrike Falcon has contained the device, please call UW-IT’s service desk at 206-221-5000 and request escalation due to a CrowdStrike containment.

Frequently Asked Questions

Is CrowdStrike Falcon meant to replace UW-IT’s Sophos Central service?

Yes, the University’s contract with Sophos ends in August 2025. Any UW department currently using Sophos Central needs to contact UW-IT about acquiring CrowdStrike Falcon. While you may continue to use Sophos Central until August 2025, converting to CrowdStrike Falcon as soon as possible is strongly encouraged.

Will I have the same dashboard visibility for my fleet that I currently do with Sophos Central?

Yes, similar functionality is available to IT administrators in the Falcon console.

What’s an endpoint device?

Endpoint refers to any device that is connected to a network but isn’t just passing traffic for other devices. This includes laptops, mobile devices, tablets, Internet of Things (IoT) devices, gaming consoles and printers, among many others. It doesn’t include things like routers, switches and wireless access points. Initial CrowdStrike Falcon deployment will prioritize higher-risk servers, laptops and workstations.

How does CrowdStrike Falcon work in an endpoint device?

When CrowdStrike Falcon is deployed, a lightweight sensor is installed on the device, such as a department-issued laptop. This sensor works silently and unobtrusively in the background, scanning for threats by monitoring and analyzing activities — such as program executions, file interactions and network behaviors — for any signs of improper activity, including malware. If a threat is identified, the sensor acts to stop it. This sensor does not affect a device’s speed or performance.

How will CrowdStrike Falcon affect privacy?

Protecting a department’s privacy, its work, its devices and the University from external threats is of vital importance. CrowdStrike Falcon is not designed to open and read files, documents, emails or inspect other personal data; track or report details of online activity; or police internet usage. CrowdStrike Falcon will only act if it identifies a specific threat to a device.

How will I know if CrowdStrike Falcon has taken some action on one of my endpoints?

As part of the onboarding process, contact information will be associated with your host group. That contact will be notified of any remediation actions. It is the department’s responsibility to ensure that the contact list is current.

What do I do if CrowdStrike Falcon notifies me of remediation action taken?

If malware was removed and your service is still operating, you don’t need to do anything unless the Office of Information Security contacts you for follow-up. If Falcon takes action to quarantine your host (isolating it from the network), and this is a critical service, you may contact the UW-IT Service Desk at 206-221-5000 and request immediate escalation.

Where can I go for help?

If your questions are not answered by this document, email help@uw.edu with “CrowdStrike Falcon” in the subject line.