Endpoint Detection and Response at Boston University

Case Study


When Boston University’s incumbent endpoint protection tool could no longer meet the institutional needs to defend against a rapidly evolving threat landscape, the solution was an endpoint detection and response (EDR) system.


Founded in 1839, Boston University (BU) is an internationally recognized leader in higher education and research. With more than 34,000 students, it is the fourth-largest independent university in the United States. BU consists of 17 schools and colleges, along with the Faculty of Computing & Data Sciences and a number of multidisciplinary centers and institutes integral to the university's research and teaching mission. In 2012, BU joined the Association of American Universities (AAU), a consortium of 65 leading research universities in the United States and Canada.

The Challenge/Opportunity

Near the end of the 2010s, Boston University's incumbent endpoint protection tool could no longer meet the institutional needs to defend against a rapidly evolving threat landscape. The legacy system was file signature–based, requiring that endpoints receive updates regularly to guard against dangerous files. The hardware was managed on-premise, which involved added overhead and was not in keeping with BU's cloud-first strategy. Furthermore, BU had to manage endpoint agents across all devices within a moderately distributed administrative model, an issue that became difficult to manage as multiple versions of security policies evolved over time. Although this had worked well historically, the threat landscape changed so that zero-day threats and malicious scripts and actions that automatically changed with each distribution rendered the existing technology ineffective, if not obsolete.

By the time BU was considering its next-phase endpoint protection options, the security market was shifting toward the maturing behavior-based tools that focus not so much on what the file is but on what the file or program was doing. This new breed of endpoint protection tools also includes the ability to take actions to halt threats when they are detected and limit the damage they might otherwise cause. The marketplace was replete with vendors, both traditional and newer, whose products signaled a paradigm shift in security toward these endpoint detection and response (EDR) tools. In addition to the requirement that the new solution be behavior based, BU also had four primary features in mind for its new endpoint protection product.

First, the new solution needed to be cloud-based because BU wanted to move away from hosting and supporting infrastructure for endpoint protection. Moving to a software-as-a-service (SaaS) tool has proved to be particularly beneficial during the COVID-19 pandemic since one does not need to worry about being in the server room to implement updates or to use on-premise appliances to push out agents. Instead, it's all handled in the cloud by the vendor.

Second, the new solution needed to provide information security with intelligence that included visibility down to the process level of systems, the ability to hunt for threats across the entire protected environment, and tools to identify the full path of attack. BU needed a tool that would help the security and desktop engineering teams pinpoint, isolate, and remediate potential problems as they were occurring. Moreover, having a vendor that could provide additional oversight in the background to help sort through particular issues or potential major issues would provide peace of mind to staff at BU.

Third, the endpoint product would have to provide coverage for a mixed environment of Windows, Mac, and Linux systems; for all members of the BU community; and across all devices owned and used by individuals in the community. The protection of personal assets proved even more important under the conditions of remote work and learning, when individuals may not have been going through the traditional security controls that apply when working on-premise.

And, fourth, the solution needed to provide the capacity for real-time responses such as blocking processes and files, network quarantining systems, and direct interactive system access as needed. Given that malware and viruses can spread like wildfire throughout an environment, the ability to detect and prevent a potential spread that could compromise a large number of systems or servers was critical.
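As an added illustration of the three requirements above (behavior-based rather than signature-based detection, process-level visibility with full-path-of-attack reconstruction, and the scope of a process-blocking response), the following Python is example code written for this case study and is not BU's or CrowdStrike's own logic. The process names, hashes, the parent/child rule and the sample telemetry are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    sha256: str  # shortened stand-in for a full file hash
# Constructed sample telemetry (assumption, not BU data): a document editor spawns a shell, which spawns a scripting host.
EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "a1"),
    ProcEvent(200, 100, "winword.exe", "b2"),
    ProcEvent(300, 200, "cmd.exe", "c3"),
    ProcEvent(400, 300, "powershell.exe", "d4"),
    ProcEvent(500, 100, "notepad.exe", "e5"),
]

# Constructed signature list; the shell is a clean OS binary, so a hash lookup alone never fires on this chain.
KNOWN_BAD_HASHES = {"deadbeef"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def signature_hits(events):
    """Signature-based check: flag only images whose hash is on the known-bad list."""
    return [e.pid for e in events if e.sha256 in KNOWN_BAD_HASHES]

def behavior_hits(events):
    """Behavior-based check: flag a shell whose parent is an Office app, whatever the shell's hash."""
    by_pid = {e.pid: e for e in events}
    return [e.pid for e in events
            if e.image in SHELLS and e.ppid in by_pid
            and by_pid[e.ppid].image in OFFICE_APPS]

def attack_path(events, pid):
    """Walk parent links upward to reconstruct the full path of attack for a hit."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain[::-1]

def response_scope(events, pid):
    """The hit plus all its descendants: what a process-blocking response must terminate to contain the chain."""
    scope, frontier = [], [pid]
    while frontier:
        cur = frontier.pop()
        scope.append(cur)
        frontier.extend(e.pid for e in events if e.ppid == cur)
    return sorted(scope)
```

On the constructed events the hash lookup returns nothing, while the behavior rule flags the shell and the ancestry walk shows the editor that launched it.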

The EDR solution on which BU eventually settled was CrowdStrike, which checked all of the most important boxes. But how exactly did BU come to select CrowdStrike as its new EDR solution?

Process

The EDR project at BU was aligned with two key strategic plan goals: (1) sustainability and risk management, and (2) operational efficiency and effectiveness. This project was explicitly tied to driving down the institutional risk of having viruses wreaking havoc without being detected. Eliminating redundancies, resolving variances in policies, and providing even coverage with a single tool would increase the operational efficiency of the task of endpoint protection. The desire and need for an EDR application that would serve as a one-size-fits-all solution required that the centralized IT organization take steps to ensure that key stakeholders across the institution were included in the decision-making process from the outset.

BU has a large centralized IT organization, but it does not cover the entire university. A solution acceptable to and embraced by the smaller IT partners would provide a more cohesive and uniform approach, eliminating the need for multiple policies and the deployment of multiple versions of endpoint agents. As a result, the project implementation team included both internal stakeholders (e.g., information security, client services and support, network engineering, client technology services, and technology architecture) and external stakeholders (e.g., engineering, medical center, arts and sciences). All members of the team contributed to project decisions from implementation through completion, including product selection, testing rollout, and policy building. The collaborative efforts paid off in the selection, rollout, and implementation of a single, centralized cloud-based solution for EDR at BU.

Outcomes and Lessons Learned

Leaders of BU's EDR project identified several important outcomes and lessons learned that may be of particular interest to institutions considering new endpoint protection solutions or of general interest to those planning implementations of new institution-wide systems. Note that your mileage may vary.

First, partnerships are critical to the success of projects such as this one. From the outset, BU anticipated the importance of a partnership between the information security team and the desktop support team for a product like EDR. Sharing of administrative responsibilities and tools has helped identify false positives (e.g., when the information security team identifies a problem that desktop support understands as normal operating procedures). Additionally, partnerships established with other IT units across the institution at the beginning of the project increased levels of trust and cooperation with central IT for all downstream decisions regarding the implementation and deployment.

Second, the EDR tool has proven to be a huge benefit to the incident response team, which has been given more visibility into and control over the endpoint hosts than ever before. The new solution makes it possible to isolate systems from the network almost instantaneously, with direct access to the host device. With the previous endpoint protection system, isolating those systems would have taken minutes, hours, or sometimes days.

Third, as part of the EDR solution's contract, BU negotiated a dedicated line of support. On the front end, having a regular technical account manager who is engineering focused and knows the product inside and out throughout the entire implementation process has been extremely valuable. Once the system was deployed, BU transitioned to a dedicated support manager who regularly meets with the EDR team, attends all meetings, and provides a direct level of support for the EDR solution.

Fourth, the shift from signature-based to behavior-based EDR requires an entirely different skill set of the information technology personnel. The amount of data produced by the new tools can be overwhelming; analysts need to be well versed in interpreting results, triaging them, and addressing them properly as either an actual incident requiring follow-up or a false positive that can be ignored. Training for the new system was provided by CrowdStrike University, an online series of basic courses available to customers for free and advanced courses available for additional fees.

Fifth, the messaging campaign around the project was critical to its success. BU IT asked its communications team to create customized messaging that catered to targeted audiences across the institution in terms of the source of the message (e.g., direct support teams, deans, department heads) and the specific content (e.g., updates on progress, alerts to timing of deployment, invitations to reach out in case of problems). Post-deployment reports on the effectiveness of the EDR solution are shared mainly with institutional leadership.

Sixth, and finally, the products in this space are evolving but are currently uneven across operating systems. BU's Linux administrators were largely left out of the decision-making process and implementation because the products were mostly developed for Windows. Now, CrowdStrike has more to offer and is much more integrated into BU's Linux deployments. Understand that vendors may have uneven development patterns that prioritize Windows clients first, then Mac clients, and then Linux clients, which appears to be a function of supply and demand.

Where to Learn More


D. Christopher Brooks is Director of Research at EDUCAUSE.

Eric Jacobsen is Executive Director of Information Security at Boston University.

Mark Kimionakis is Director of Desktop Services at Boston University.

Tom Grundig is Associate Director of Information Security at Boston University.

© 2021 EDUCAUSE. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.