SentinelOne privacy notice

What is SentinelOne and why do we need it?

SentinelOne (S1) is a comprehensive threat detection and response product that involves endpoint protection. This requires an S1 agent to be installed on University-owned endpoint devices. These agents send information about the device to the platform server, where security-based events and information are analyzed for threats and vulnerabilities.

S1 detects and responds to cyber threats like malware and ransomware by analyzing data collected from device operating systems. The analysis is primarily automated using S1’s global cloud-based threat intelligence, enabling security teams to rapidly detect and respond to attacks and device compromises. Every threat is reviewed, acted upon, documented and escalated as needed. In most cases, S1 will interpret and escalate threats to U of T in about 20 minutes.

What data is collected and for what purpose?

S1 has been implemented to support the rapid detection of and response to any suspicious activities or events that affect University systems, devices and networks.

S1 primarily uses automated analyses of data to enable quick detection of and response to attacks and device compromise. It uses this data to actively monitor endpoint devices and alert the security team to any suspicious activities or events that may be occurring on a device. The following types of data are tracked and monitored by S1:

Personal information

The following personal information is collected:

  • UTORids associated with University-owned devices and user IP addresses

This information is required to identify, track and mitigate suspicious activities on devices and for other security monitoring purposes.

Device information

S1 collects various types of device information to help distinguish false positives from actual suspicious activities, including the following:

  • Hardware and configuration information for the devices and installed applications.
  • User, file and process operations information, including process activity, timestamps, etc.
  • Live network monitoring information, including login attempts, source/target connections, etc.

How long is our data retained for?

Our collected data will not be retained for more than 90 days unless required by a court of law as part of an ongoing investigation.

Where is our data stored or processed?

All University data will be hosted and processed on servers within Canadian borders.

How is access to our data managed?

Information is accessible only to a limited number of administrative users in their respective departments within the University, and access is controlled through role-based access. There is a limited number of global admins from the Information Security team within the Information Technology Services division. Individuals with access are required to sign a University confidentiality agreement as part of a formal access request and approval process.

Information is only accessed by authorized personnel in cases where a threat or suspicious activity is detected. Respective site admins may be expected to intervene and actively review the logs to investigate cases with a high likelihood of advanced threats, compromised devices and potential data breaches.

Uses outside of these purposes are strictly prohibited. S1 may use aggregate data for service improvement purposes, but only in a manner that is not linked to any identifiable individual.

Contact information

Please reach out to security.response@utoronto.ca if you have any questions or concerns.