SentinelOne (S1) is a comprehensive threat detection and response product that involves endpoint protection. This requires an S1 agent to be installed on University-owned endpoint devices. These agents send information about the device to the platform server, where security-based events and information are analyzed for threats and vulnerabilities.

S1 detects and responds to cyber threats like malware and ransomware by analyzing data collected from device operating systems. The analysis is primarily automated using S1’s global cloud-based threat intelligence, enabling security teams to rapidly detect and respond to attacks and device compromises. Every threat is reviewed, acted upon, documented and escalated as needed. In most cases, SentinelOne will interpret and escalate threats to U of T in about 20 minutes.

SentinelOne has been implemented to support the rapid detection and response of any suspicious activities or events that affect University systems, devices and networks.

S1 primarily uses automated analyses of data to enable quick detection of and response to attacks and device compromise. It uses this data to actively monitor endpoint devices and alert the security team of any suspicious activities or events that may be occurring on a device. The following types of data are tracked and monitored by SentinelOne:

The following personal information is collected:

• UTORids associated with the University-owned devices and User IP addresses: These are required to identify, track and mitigate suspicious activities on devices and for other security monitoring purposes.

S1 collects various types of device information to help identify the false positives from actual suspicious activities including the following:

• Hardware and configuration information of the devices and the installed applications
• User, file and process operations information, including process activity, timestamps, etc.
• Live network monitoring information, including login attempts, source/target connections, etc.

Our data collected will not be retained for more than 90 days unless and until required by the court of law as part of an ongoing investigation.

All University data will be hosted and processed in servers within the Canadian borders.

Information is accessible only to limited administrative users within the University’s respective departments and is controlled through role-based access. There are limited global admins within the IS – ITS department for overall administration and investigation purposes. Individuals with access are required to sign a University confidentiality agreement as part of a formal access request and approval process.

The information collected through SentinelOne is only used for the purposes of identifying, detecting and investigating advanced threats, compromised identities and malicious actions directed at the University; uses outside of these purposes are strictly prohibited through the confidentiality agreement. Information may be used when required to comply with legal requests and to support investigations related to academic integrity and criminal cases. The University will not use information collected to support investigations into productivity, employee attendance/activity and/or any other general monitoring of behaviour not directly associated with security threat protection at the University.

Information is only accessed by authorized personnel in cases where a threat or suspicious activity is detected. Respective site admins may be expected to intervene and actively review the logs to investigate the high likelihood of advanced threats, compromised devices and potential data breaches.

SentinelOne may use aggregate data for service improvement purposes but only in a manner that is not linked to any identifiable individual.

Please reach out to security.response@utoronto.ca if you have any questions or concerns.