What is SentinelOne and why do we need it?

SentinelOne (S1) is a comprehensive threat detection and response product for endpoint protection. It requires an S1 agent to be installed on University-owned endpoint devices. These agents send information about the device to the platform server, where security events and related information are analyzed for threats and vulnerabilities.

S1 detects and responds to cyber threats like malware and ransomware by analyzing data collected from device operating systems. The analysis is primarily automated using S1’s global cloud-based threat intelligence, enabling security teams to rapidly detect and respond to attacks and device compromises. Every threat is reviewed, acted upon, documented, and escalated as needed. In most cases, S1 will interpret and escalate threats to U of T in about 20 minutes.

What data is collected and for what purpose?

S1 has been implemented to support rapid detection of, and response to, any suspicious activities or events that affect University systems, devices, and networks.

S1 primarily uses automated analysis of data to enable quick detection of and response to attacks and device compromise. It uses this data to actively monitor endpoint devices and alert the security team to any suspicious activities or events that may be occurring on a device. The following types of data are tracked and monitored by S1:

Personal information

The following personal information is collected:

  • UTORids associated with University-owned devices and user IP addresses – These are required to identify, track, and mitigate suspicious activities on devices and for other security monitoring purposes.

Device information

S1 collects various types of device information to help distinguish false positives from actual suspicious activity, including the following:

  • Hardware and configuration information for the devices and their installed applications.
  • User, file, and process operations information, including process activity, timestamps, etc.
  • Live network monitoring information, including login attempts, source/target connections, etc.

How long is our data retained?

Collected data will not be retained for more than 90 days unless required by a court of law as part of an ongoing investigation.

Where is our data stored or processed?

All University data will be hosted and processed on servers located within Canada.

How is access to our data managed?

Information is accessible only to a limited number of administrative users within the respective University departments, and access is controlled through role-based access. A limited number of global admins from the Information Security (IS) department within the Information Technology Services (ITS) division also have access. Individuals with access are required to sign a University confidentiality agreement as part of a formal access request and approval process.

Information is accessed by authorized personnel only in cases where a threat or suspicious activity is detected. The respective site admins may be expected to intervene and actively review the logs to investigate cases with a high likelihood of advanced threats, compromised devices, or potential data breaches.

Uses outside of these purposes are strictly prohibited. S1 may use aggregate data for service improvement purposes but only in a manner that is not linked to any identifiable individual.

For further questions, please use the contact below.

Please reach out to security.response@utoronto.ca for any questions or concerns.