Office of the Chief Information Security Officer

Trellix is the only UC-approved endpoint detection and response (EDR) software and is required by the UC Office of the President to run on all systems, including personal devices, that are used for university business. Trellix enables better response and investigation capabilities, and is a critical capability to support today's hybrid workforce with transient systems and devices.

The UC System selected Trellix as the systemwide Threat Detection and Identification (TDI) solution several years ago. Initially, the primary focus was on deploying network detection capabilities but those technologies do not extend beyond the campus network and did not address issues at the local IT system level. Additionally, with more and more Internet traffic being encrypted, network-based detection solutions are somewhat limited in their effectiveness.

Because Trellix HX is installed locally, it solves those problems. The protection provided by Trellix HX continues no matter where the IT system is located. Additionally, because Trellix HX operates at the system level, it can detect malicious activity that may occur even if the inbound or outbound network traffic is encrypted.

Because Trellix HX is part of the existing TDI platform, the campus benefits from the 24x7x365 Mandiant Google Security Operations Center monitoring and the collective intelligence of the entire platform. This combined with the cost savings of having the solution subsidized by UCOP and the benefit of a "single pane of glass" for our security team provides efficiencies and improvements in security posture.

The Trellix HX agent delivers advanced detection capabilities that will help UCLA Information Security and IT professionals to respond to threats that bypass traditional endpoint technologies and defenses. It uses detailed intelligence to correlate multiple discrete activities and uncover exploits. Endpoint visibility is critical to identifying the root cause of an alert and conducting a deep analysis of a threat to determine its impact and risk. 

The functions of the agent include: 

Malware Detection/Protection

Trellix's Endpoint Security Agent malware protection feature guards and defends your host endpoints against malware infections by automatically scanning all files (upon read/write/execution) on your host endpoint for malicious code. Malware includes viruses, trojans, worms, spyware, adware, key loggers, rootkits, and other potentially unwanted programs (PUP). Malware protection uses malware definitions to detect and identify malicious artifacts. 

File Quarantine 

Malware protection has two components: malware detection and quarantine. Malware detection, which includes MalwareGuard, utilizes two scanning engines to guard and defend your host endpoints against malware infections, the Antivirus engine, and the MalwareGuard engine. Quarantine isolates infected files on your endpoint and performs specific remediation actions on the infected file. This is similar to traditional off-the-shelf antivirus solutions. 

Exploit Detection/Protection (Not Supported for macOS or Linux) 

This is a Windows-only engine. Exploit detection uncovers exploit behaviors on your host endpoints that occur during the use of Adobe Reader, Adobe Flash, Internet Explorer, Firefox, Google Chrome, Java, Microsoft Outlook, Microsoft Word, Microsoft Excel, and Microsoft PowerPoint. The following are examples of the exploit types that can be detected in these applications: 

• Return-oriented programming (ROP) attacks
• Reverse shell attempts in Windows environments
• Heap spray attacks
• Application crashes caused by exploits
• Structured Exception Handling Overflow Protection (SEHOP) corruption of programs
• Null page exploits
• Microsoft Office macro-based exploits
• Java exploits
• Access token privilege escalation detection
• First stage shellcode detection
• Drive-by downloads

Real-Time Indicator Detection 

Threat activity intelligence is collected by Trellix and made available to the Endpoint Agent products as indicators of compromise (also referred to as indicators or IOCs) through Trellix’s Dynamic Threat Intelligence (DTI) cloud. Endpoint Security uses the Real-Time Indicator Detection (RTID) feature to detect suspicious activities on your host endpoints. RTID monitoring uses Trellix indicators to detect the following: 

• Unauthorized use of valid accounts
• Command and control activity
• Known and unknown malware
• Suspicious network traffic
• Valid programs used for malicious purposes
• Unauthorized file access
• Trace evidence and partial files

Host Containment

The host containment feature is a function that will ONLY be performed with the approval of the Information Security Office manager and/or CISO in the event of a high severity detection, and the Security Office is unable to engage the system administrator for immediate containment action. This function enacts a host firewall that will restrict all network access to the host with the intention to prevent lateral movement or data exfiltration by the threat actor. 

Incident Response Triage Acquisition 

This is a function that allows Information Security and Mandiant analyst(s) to execute acquisition scripts on the host as it pertains to a detected threat. The scripts vary in content based on the operating system (OS), but only contain log information that is normally collected on your machine. This acquisition does not contain any file acquisitions. 

The Trellix HX Agent is being deployed to all UCLA owned systems (workstations and servers). Personal devices that are used for university business also need to have Trellix installed.

It is important to understand that installing the TES agent on a personally-owned device will give UCLA Information Security staff and Trellix staff access to the same level of information on these devices as they would have on a UCLA owned device. This does reduce your personal privacy on that device but provides you with additional protection as well.

UCLA Trellix HX installation can be completed primarily in two ways:

1. Contact your local IT department for assistance installing Trellix HX
2. If you are installing on a personally owned machine used for university business or have local administrator rights to your machine, please complete the Trellix Installation Form to obtain access to the installer

Trellix HX supports all modern Windows and macOS operating systems and most distributions of Linux. Full platform support can be reviewed on Trellix's support matrix webpage.

Mobile devices and non-Windows tablets are not currently supported by Trellix.

The Trellix Endpoint Security (HX) solution is designed to replace traditional anti-virus software (e.g. Sophos) and provide enhanced security and privacy through its use of multiple product engines:  

• Indicator of Compromise (IOC) collects real-time events continuously on each endpoint (e.g. changes to file system, live memory, registry persistence, DNS lookups, IP connections, URL events, etc.) to instantly confine a threat and investigate the incident without risking further infection.
• Exploit Guard applies behavioral analysis and machine intelligence techniques to evaluate individual endpoint activities and correlate this data to detect an exploit.  It allows for rapid response to new threats and false positives (e.g. heap spray, ROP, web shell exploits, crash analysis, Java exploits, Office macro exploits, SEHOP corruption analysis, unattended download, null page exploits, network events, special strings, OS behavior analysis, etc.)
• Anti-Virus—powered by BitDefender—allows for a real-time or scheduled scan of all files for Windows and MacOSX.
• MalwareGuard uses machine learning classification of new/unknown executables. It is signature-less with a small client footprint and works in conjunction with the Anti-Virus engine. It has a disconnected model that does not require cloud lookups or constant model updates.

Yes, Trellix will recognize the behaviors of ransomware and prevent it from encrypting files.

The Trellix HX client uses a small amount of system resources and should not impact your daily activities. However, each application and system is unique, and Information Security encourages all admins to install and test the agent in their own environment to validate that system and application performance remains acceptable.

In some situations, the Trellix HX agent may be impractical to install and maintain. While these situations are likely limited, we do have an exception process that can be utilized to request and exception from implementing the Trellix HX agent.

When a situation arises where Trellix HX is impractical, the Unit IT personnel can request an exception. Once the Unit IT has filled out the exception request the Unit Head (typically the Vice Chancellor, Vice Provost, Dean or University Librarian) will review the request and authorize it for consideration. The exception request will then be presented to the Campus Chief Information Security Officer (CISO) for review. If the risk posed by the exception request is reasonably mitigated, the CISO can approve the risk. In cases where the risk is not sufficiently mitigated, the CISO will forward the request to the Cyber-Risk Responsible Executive (CRE) for review. The CRE has the final authority on granting or rejecting an exception request.

Yes, the client will protect against malware threats when the device is disconnected from the internet.

Attacks that start at an endpoint can spread quickly through the network. After the identification of an attack, Trellix HX enables Information Security to isolate compromised devices via the containment feature from the management console in order to stop an attack and prevent lateral movement or data exfiltration. Essentially, this feature allows UCLA Information Security to isolate a single computer, preventing it from communicating with any other devices until the investigation has been completed. Information Security will then conduct a complete forensic investigation of the incident without risking further infection or data compromise. 

Generally speaking, once the Trellix HX agent is put into blocking mode it can not be stopped or removed by anyone other than the Information Security team.

If the agent blocks a legitimate service or application, the local Unit IT team can work with the Information Security team to restore the service or application. If mission-critical systems are impacted, local IT can also request a "break glass" password to remove the agent and restore services but only after it is confirmed that no legitimate threat exists.

Extreme caution should be taken when using the "break glass" process. This can expose your system to compromise and could expose the campus to additional security exposure. It is important that the local IT team work with the Information security team to restore the TES agent to normal operation as soon as possible. 

The Trellix HX agent only collects logs normally created on your system. The types of logs collected are:

-Image load events                           -Registry event
-Process Lifecycle events                 -DNS lookup event
-File Write event                                -Network event
-URL event                                        -Endpoint IP address change

This data does not leave your system unless an event is detected and usually only stays on your device for 1-6 days. If an event is detected, a subset of the logs are sent to the Trellix HX Appliance, a UCLA owned and operated, physical server in our data center. This data is referred to as alert data. In some circumstances, the agent will pull a snapshot of system activity 10 minutes prior to the incident and 10 minutes after the incident. This data is referred to as security event metadata (this is also referred to as a triage package). Data sent to our HX appliance is retained for a period of 1 year. 

Mandiant security operations also receive alert data and security event metadata sent to our internal appliance. This information is provided to Trellix and UCLA Information Security for investigation. No additional data can be reviewed without confirmation of an incident and specific authorization/approval consistent with the UC Electronic Communications Policy and UCLA Policy 410 : Nonconsensual Access to Electronic Communications Records. 

If an investigation is warranted, the UCLA Security team can pull a full triage package using the TES agent. This capability allows our internal investigators to pull all of the log data available in the local system buffer (typically 1-6 days worth of logs). This only includes the log information in the table above, and does not include individual files. This data is not automatically shared with Trellix, it is only available locally.

The Trellix HX console does provide the ability to acquire an individual file, however, this is a manual process and only done in consultation with the local IT contacts in connection with a security event detection. Consent is required or authorization under UCLA Policy 410 before files are acquired. Any files that are acquired by the internal security team are not shared with the Trellix team unless they are engaged to provide support during a significant security incident. Trellix only supports multiple file copies via API commands or recursive raw disk capture (Windows-only) which would first require hands-on enumeration of physical disks within a system (via Command Line Interface). This approach is not only extremely time-consuming but impractical from a storage limitation and bandwidth perspective. Neither of these methods would be part of any routine process.

Trellix HX does not have the capabilities to do a full disk copy. Any investigation that requires a full disk image would require either the consent of the individual or authorization under UCLA Policy 410 : Nonconsensual Access to Electronic Communications Records. The acquisition of a complete disk image, if authorized, would not be performed by TES due to the limitations and lack of completeness cited above.

The Trellix console provides a full audit trail for any information that is accessed by Trellix or the Information Security Office. This audit trail can be inspected by our internal auditors and campus leadership or other governing bodies determined appropriate by leadership.

All data sent to Trellix during the course of operations is retained in their US data centers for a period of one year. Any access to UCLA data is governed by our Electronic Communications Policy and contractual provisions which require a "least invasive" review. 

Responding to subpoenas is governed by UCLA Policy 120 : Legal Process - Summonses, Complaints and Subpoenas and UCLA Procedure 120.1 : Producing Records Under Subpoena Duces Tecum and Deposition Subpoena. Any legal process served to the Information Security Office is immediately forwarded to Campus Counsel for disposition. We do not release security-related information to law enforcement or other entities unless directed to do so by counsel. If and when legal counsel authorizes a release of information, counsel reviews the information before providing it to outside agencies.   

Internally, at the campus or system level, this data is not released except in the course of an authorized audit, and even in those cases, great care is taken to release only the minimum necessary data. Provisions are being made to allow authorized individuals from a Unit to request a review of any access logs pertaining to systems or users within that Unit.

The data collected by TES is generally considered 'Computer Security Sensitive Information' which may be exempt from public records disclosure. This data is not released without consultation with legal counsel. 

When a situation arises where Trellix HX is impractical, the Unit IT personnel can request an exception. Once the Unit IT has filled out the exception request the Unit Head (typically the Vice Chancellor, Vice Provost, Dean or University Librarian) will review the request and authorize it for consideration. The exception request will then be presented to the campus Chief Information Security Officer (CISO) for review. If the risk posed by the exception request is reasonably mitigated, the CISO can approve the risk. In cases where the risk is not sufficiently mitigated, the CISO will forward the request to the Cyber-Risk Responsible Executive (CRE) for review. The CRE has the final authority on granting or rejecting an exception request.

URL and browser history will not be automatically collected by Trellix. If there is an investigation of a device, if needed, URL and browser history may be collected with the consent of the device owner.

Trellix will not impact your ability to instruct students or conduct research. In fact, through Trellix, student instruction and research will have increased protection against cyber threat actors (e.g., recreational hackers, nation-states). If any issues arise because of Trellix installation, contact your local IT immediately and the issue will be resolved within 48 hours