Frequently Asked Questions: FireEye
What is a threat detection and identification (TDI) tool?
A TDI tool helps manage and reduce cyber security risk using real-time intelligence about advanced malware and cyber attackers. TDI tools focus on threat identification and search for signs that a system has been compromised. This allows UC computer security professionals to respond quickly to these incidents.
Why is UC changing its TDI tool?
UC is encouraging each university location to switch to a new TDI tool called FireEye to strengthen our ability to prevent, detect, manage and respond to cyber threats systemwide. With malware and other malicious threats becoming increasingly sophisticated, UC is constantly searching for the best tools at a competitive price to protect our networks and the sensitive data of our employees, students and patients. FireEye, chosen through a competitive RFP process, offers a multi-dimensional solution that helps the university more effectively manage its cyber risk profile. This improves the security of our employees, students, and patients. The university’s contract with FireEye provides for each campus to adopt FireEye for TDI, with the option to install additional FireEye tools to provide greater capabilities for detecting, identifying and responding to threats.
What will FireEye offer that the previous system did not? What makes FireEye better?
FireEye’s suite of tools, including its advanced forensic tools, can provide the university with more detailed actionable information about detected security threats, including how the threat entered the network and why it succeeded. This will enable security professionals to respond faster and more effectively, and guard against future threats.
FireEye’s larger customer base equips the company with better intelligence on the types of threats that exist. FireEye possesses immense expertise with the threats UC routinely faces, as its customer base includes many universities and medical centers.
What cyber risks do TDI tools detect, and how do they respond to them?
FireEye searches for the following:
- Malware, including advanced malware (created for a specific target and purpose), crimeware and ransomware
- Known bad Internet addresses
- Command-and-control traffic nodes, which are how an attacker can control and manipulate an infected computer
- Indicators of Compromise, which are pieces of information and signals that reveal a system has been compromised. These can come in multiple forms including known bad Internet addresses, use of covert channels of communication, or metadata flagged as dangerous.
Upon threat detection, FireEye’s forensic tool attaches relevant information about the attack. This includes a snapshot of traffic related to the attack, captured for a limited amount of time, to help reconstruct what happened during the attack or breach. This gives security professionals valuable information for the investigation and for developing an effective response.
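The following is an added illustration of the two ideas in the answer above (matching network records against a list of indicators of compromise, and attaching a short snapshot of surrounding traffic when a match occurs). It is not FireEye code and makes no claim about how the product is built; the log line format, the indicator values (drawn from address and domain ranges reserved for documentation) and the sample log are all constructed for the example.

```python
"""Illustrative IoC matching over constructed proxy log lines, with a
limited pre-alert traffic snapshot attached to each hit.
Added example; not FireEye's own logic."""
import re
from collections import deque

# Constructed indicator set (placeholder values, not real threat intel).
# 203.0.113.0/24 and the .example TLD are reserved for documentation.
BAD_IPS = {"203.0.113.45", "203.0.113.200"}
BAD_DOMAINS = {"c2-beacon.example", "payload-host.example"}

# Constructed log format: "<timestamp> <src> -> <dst> host=<name> path=<path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"host=(?P<host>\S+) path=(?P<path>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_iocs(rec):
    """Return the indicator types a single record matches (empty if clean).

    Two kinds of indicator are checked: known bad destination addresses and
    known bad domains, where a subdomain of a bad domain also counts."""
    hits = []
    if rec["dst"] in BAD_IPS:
        hits.append("bad-ip")
    host = rec["host"].lower()
    if host in BAD_DOMAINS or any(host.endswith("." + d) for d in BAD_DOMAINS):
        hits.append("bad-domain")
    return hits


def scan(lines, window=3):
    """Match each record against the IoC set.

    On a hit, the preceding `window` records are attached as a limited
    traffic snapshot, so an analyst can see what led up to the alert without
    the whole log being retained."""
    recent = deque(maxlen=window)  # rolling buffer of the last `window` records
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as threats
        hits = match_iocs(rec)
        if hits:
            alerts.append({"record": rec, "iocs": hits, "context": list(recent)})
        recent.append(rec)
    return alerts


# Constructed sample log: two benign requests, a malformed line, a request to
# a bad address on a bad subdomain, another benign request, then a download
# from a bad domain.
SAMPLE_LOG = [
    "2016-10-03T09:00:01Z 10.1.2.3 -> 198.51.100.10 host=www.university.example path=/",
    "2016-10-03T09:00:05Z 10.1.2.3 -> 198.51.100.11 host=lib.university.example path=/catalog",
    "this line is garbage",
    "2016-10-03T09:00:09Z 10.1.2.3 -> 203.0.113.45 host=cdn.c2-beacon.example path=/check",
    "2016-10-03T09:00:12Z 10.1.2.9 -> 198.51.100.12 host=mail.university.example path=/inbox",
    "2016-10-03T09:00:15Z 10.1.2.9 -> 198.51.100.50 host=payload-host.example path=/dl.bin",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        rec = alert["record"]
        print(f"{rec['ts']} {rec['src']} -> {rec['host']} matched {alert['iocs']}")
        for ctx in alert["context"]:
            print(f"    context: {ctx['ts']} {ctx['src']} -> {ctx['host']}{ctx['path']}")
```

Running the block prints two alerts, each followed by the few records that preceded it. Only the records around a hit are kept, which mirrors the point in the answer above that extra detail is collected for a limited time and only once a threat has been detected.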
When will the improved TDI tool launch?
Implementation is beginning now, with UCSF, UC Riverside and UCLA as part of an initial phase in the Fall of 2016. The remaining locations will determine when they will migrate from the existing TDI tool to FireEye. To learn more about your location’s schedule, contact your location’s Chief Information Officer or Chief Information Security Officer.
Will every campus and medical center implement the same TDI tool?
Consistent and coordinated threat detection is critical to UC’s obligation to protect the data assets with which it is entrusted. The greatest value in threat detection and reducing cyber risk is realized when all locations use a common TDI solution. The majority of UC locations have indicated a desire to move to the new TDI tool. A location that wishes to stay on the current solution rather than move to the new TDI tool is encouraged to fully understand the impact that will have on the cyber-risk posture of both the location and the UC system.
Will switching to FireEye change the way I access my computer, my files, the Internet or conduct my research?
No. You will experience no difference when accessing your computer and files, searching online or conducting your research.
Will the university use FireEye to monitor my online activities, including which websites I visit and what transactions I make?
No. UC respects the privacy of its faculty, staff and students and will not use the tool to monitor employees or their online activity. Implementation of the new TDI tool complies with the university’s Electronic Communications Policy, which protects the privacy of employees’ communications while allowing for reasonable security measures to protect data from unauthorized access. The Office of General Counsel has reviewed the university’s contract with FireEye and confirmed that it is in compliance with the Electronic Communications Policy.
Will my private information, including my name and which websites I’ve visited, be stored somewhere within TDI tools?
No. The TDI tool scans overall network activity for threats; it does not monitor individual users. If TDI tools detect a security threat, limited additional information may be collected to investigate the cyber threat and any compromise or breach that has occurred. The information will not be used for any other purpose.
How will the university protect the privacy of my personal information and online activities from FireEye administrators?
The university’s contract with FireEye requires that they comply with UC’s Electronic Communications Policy to protect the privacy of users. FireEye’s administrators have the responsibility to review and respond to alerts of cyber threats, advanced malware and attacks, especially those that affect multiple locations; they do not monitor the activities of individual users.
I have questions about FireEye and its implementation. Where can I go to learn more?
To learn more about your location’s schedule, contact your location’s Chief Information Officer or Chief Information Security Officer.