Well, good morning, ladies and gentlemen, welcome to another KuppingerCole webinar. My name is Alexei Balaganski. I'm the lead analyst at KuppingerCole. And today I am joined by Chris MEK, sales engineer responsible for the German-speaking European region at CrowdStrike. Our topic for today is modern endpoint protection: automating prevention, detection, and response. And before we start, just the usual general information about KuppingerCole.
We are an independent analyst company based in Germany, but with a pretty global outreach, from the US all the way down to Singapore and Australia. We've been on the market for 14 years already, doing research in all areas covering cybersecurity, identity management, governance and compliance, and everything about digital transformation. Among other things, we are doing various events and conferences, ranging from a simple free online webinar like this one all the way to pretty large-scale physical conferences. Our flagship event, the European Identity and Cloud Conference, will be held in Munich next May.
And another one we have already officially announced will, for the first time, be held in Washington, DC next October; stay tuned for additional information, we will announce further events pretty soon. On the usual guidelines for the webinar: you are all muted centrally, so you don't have to worry about it. We will make a recording and it will be published on our website by tomorrow at the latest, and everyone will get a link to access the recording directly. And as usual, at the end of the webinar we will have a Q&A session, and I encourage you to submit your questions at any time,
as soon as you have one, using the questions box on the GoToWebinar control panel you probably have on your screen on the right side. The agenda is pretty standard. It consists of three parts. First, I will provide a generalized introduction to the topic of modern endpoint security from the analyst point of view.
And then I will hand over to Chris, who will dive deeper into the corresponding technologies and innovations and explain how they are all united in a particular security-as-a-service platform. And as I mentioned, at the end we will have a Q&A session.
And without further ado, let's dive into the topic. So if you have been following information security in general for the last quite a few years, you know that there has been this general paradigm shift from a traditional perimeter-focused, protection-minded approach to information security towards monitoring and analytics, trying to detect an existing security incident and contain it as quickly as possible. Myself, I rather see it as an acceptance of the fact that this whole battle between hackers and security researchers has been won by the hackers, if you will.
And the modern state of information security simply does not allow us to maintain the same protection-focused, perimeter-focused approach as we had 10 years ago.
And of course the same paradigm shift applies to the topic of endpoint security, which translates, if you will, into a similar shift from traditional antivirus to next-generation endpoint detection and response solutions.
However, before we dive into details, we have this million-dollar question. We've probably heard a lot of people saying that antivirus is dead, but is it really? And why should we care? What's an antivirus anyway, and what's a virus, if you will? The problem, or the virus as it was 30 years ago, and I guess I am old enough to remember the first antivirus, which appeared around 30 years ago, just doesn't exist anymore. The whole environment, the whole landscape of different threats which are out there attacking our infrastructures from outside or inside,
they are much more complicated and much more varied, and no longer just viruses. On this slide
I've listed just a few major malware types which we have to deal with nowadays. I'd say viruses are really the least of our concerns; they stopped making them 20 years ago, if you will. Look at worms and ransomware that's being delivered by those keyloggers or rootkits, and other types of malware which are out here not to break your infrastructure, but to silently steal your data. Botnets, which exploit you to harm others. There are a lot of things to take care of.
And of course the targets for malware have dramatically increased as well. It's no longer just our laptops and PCs. It's our servers, mobile devices, our virtual desktop environments, those smart things out there ranging from your fridge to the smart sensor inside your airplane or power generator. And of course those traditional SCADA manufacturing control devices in our factories. All that exponentially growing and really exploding complexity has led to a dramatic increase in the total cost of malware incidents. If just four years ago, malware costs were around 300-something million,
then just two years later those costs have boomed towards 5 billion. And just next year, it'll again be a couple of hundred times more than that.
And again, these dramatic, I wouldn't even call it an evolution anymore, these dramatic developments have led to a major rethinking, for customers and for vendors, of how we deal with those new types of attacks.
And there has been this really interesting and, for example, quite dramatic discussion of whether the traditional antiviruses, which focus on preventing malware threats, are set to die out and to be replaced by something really new and completely revolutionary, focusing specifically on detecting those threats after they have already infiltrated your infrastructure; and instead of trying to prevent them, which is obviously impossible, just to contain them as quickly as possible and to minimize the blast radius of their damage.
So we had this again very dramatic discussion between old-school antivirus vendors and the new, next-generation EDR, endpoint detection and response, vendors. And my position here was always: why not have both?
Why do you really have to choose between protection and detection? Why not have both? And the problem is that whenever this discussion arises, it's always about sticking labels and kind of naming names regarding different products on the market.
On this slide, I've included a pretty rough picture of the typical process of detecting a piece of malware which has entered your infrastructure or endpoint. Before you even execute it, there is this old-school signature and heuristics engine which will try to detect it as a known piece of malware. But after it's executed, there are additional technologies to actually analyze its behavior and understand whether it's doing something bad or not. And even after the execution, there are additional steps to ensure that we know what has been done and how to minimize the damage.
The problem is that the typical new-school vendor will tell you that the old-school antivirus, the EPP solution, would end somewhere after the first step, after the signature one, which I indicated with that solid red line on the left.
However, as we all know, those antiviruses which did just that ceased to exist 20 years ago, and a modern protection-focused antivirus actually does much more, all the way up to the full stack of runtime analysis technologies. The same applies to EDRs.
Although the first really radical, detection-only focused solutions indeed were probably somewhere on the right side, behind the solid green line, more and more sensible solutions, if you will, have evolved to incorporate a lot of protection-focused functionality as well. So my point here is that whenever you are at the crossroads, whenever you are supposed to make a choice, should I replace my old-school antivirus with something radically new?
Or should I be looking for a specific new marketing buzzword? Stop, and start thinking in business problems. Instead of asking which product on the market is the best EDR, you should ask which product on the market will stop a ransomware attack against my infrastructure in the most sensible and safest way, or whatever other malware attack you are most worried about.
So unless you consider yourself a really hardcore expert, stop thinking about labels, stop thinking about technologies, and start thinking in business risks. However, does it really mean that we should dismiss this whole discussion about next-generation anti-malware solutions and just continue using our existing ones? Not really.
There have been quite a lot of interesting developments recently. And on this slide, I've just listed a few of, in my opinion, the most interesting and most crucial ones. The first one is probably behavior analysis.
Again, traditional antivirus used static signatures to identify known pieces of malware or badly behaving executables. This is no longer enough, because most modern attacks are using fileless attack vectors: malicious scripts, Office macros, PowerShell scripts, you name it. They are actually using safe and well-known binaries to execute malicious behavior.
And this is why modern tools are focusing on understanding what those binaries are actually doing. Does this particular action, like opening a directory and suddenly encrypting all the files in the directory,
make any business sense? It probably doesn't. So this must be a ransomware client, even if it's not known yet. A logical continuation of that development is the so-called indicators of attack.
Again, the traditional approach was focused on indicators of compromise. This is some kind of artifact showing that something might have already happened. Your file has been destroyed. Your disk has been corrupted. Your application is no longer starting. That's an indicator of compromise. It's reactive in nature.
What if you could combine several such events and correlate them to malicious events outside of your infrastructure that are already known, like this particular domain is being used by a botnet, or that particular IP address is associated with a known Iranian hacking group?
All those combined, along with some behavior observations, can indicate quite reliably that something bad is going on, or rather is going to happen soon. So a hacker has prepared an attack. As soon as you have a reliable indicator of that attack, you can stop it before it happens.
And of course, all this is nearly impossible without machine learning. You are probably already tired of hearing this term in just about every conference or event or webinar, but really, security event correlation is probably one of the most well-developed and nearly commoditized applications of machine learning in security.
And basically it boils down to collecting those indicators of compromise and other security events across multiple sources inside and outside of your infrastructure, making sense of them, and translating them into a small number of actionable indicators of attack, which you could just analyze and act upon quickly and almost in real time.
And of course, the wisdom of the crowd, or wisdom of the cloud, if you will, is the approach which allows you to benefit from the mistakes and past attacks which your peers have survived.
If you are using the same anti-malware vendor as they do, you don't have to repeat their mistakes. You don't have to undergo the same attacks. The vendor will already make sense of those attacks across all the tenants of their security platform and protect you even before something like that happens to you. And finally, managed threat hunting. You've probably heard about managed security operations
in the cloud, which has been all the rage for recent years, but managed threat hunting goes beyond that. Again, instead of letting someone fix your problems after they happen, you let someone watch your back and warn you in advance. Wouldn't it be great if your antivirus vendor would one day call you and say, you know what?
You don't know it yet, but something bad is going to happen in your network. Do you want us to take care of that? Even better,
of course, if this happens automatically. So without going into deeper details, which Chris will be doing later, here are my key takeaways for you from this webinar. So first of all, the traditional antivirus is dead, and it died 20 years ago. Forget this discussion. It doesn't make any sense. They don't make traditional viruses anymore.
Anyway, again, endpoint protection versus detection, or antivirus versus EDR: it's a false economy. You don't have to choose either; you can very well choose both, ideally in one package. You should focus on capabilities, and those capabilities translated into the specific business risks you are worried about. There is no single technology that will solve all of your security problems. You cannot just throw away everything you used to secure your network and endpoints before, buy one single product, and be safe.
It doesn't work.
You always have to look beyond just malware, because you still have to deal with vulnerability management and patching. You have to ensure that nothing can get into your endpoint through a malicious USB and stuff like that, so device control is crucial. Network security in the age of pervasive connection to the internet is also important. You cannot just focus on one aspect of security and forget all the others. When choosing a particular security vendor, endpoint or whatever, you always have to look for an open platform.
Again, no single company, no matter how great and large and established they are, will ever be able to give you protection against everything. However, they can collaborate with other companies, with other technologies, ensuring that your protection is seamless because it's integrated through APIs, so it's automated and always up to date with the current intelligence. And finally, look for managed services, not just for response, not just for dealing with a breach which has already happened, but for proactive services like threat hunting and other daily security operations.
And with that, I am handing over to Chris, who will continue with a deeper and more technical presentation of modern endpoint security platforms. Chris, the stage is yours.
Thank you, Alexei. All right. So yeah, thank you. My name is Chris.
I'll go a little bit deeper into the technology and the CrowdStrike approach to preventing modern attacks. Briefly, who am I?
As you can hear, I don't have a German accent. I'm from New York originally, but I'm in Hamburg, and I've been in Germany about 14 years. I've been in security a little bit longer. I run pre-sales for CrowdStrike for Germany, Austria and Switzerland, and previously held other leadership positions at security companies. But enough about me, I want to talk about CrowdStrike.
Our approach, holistically, is to stop breaches. And for us that means understanding the full attack life cycle, the full kill chain, and putting different controls and preventions in place to detect and prevent modern attacks, modern attackers. Briefly, as a company, what do we do?
Starting at the bottom: incident response and strategic advisory is absolutely a key part of what we do. You may have heard of CrowdStrike's incident response capabilities in 2016, when we were called by the Democratic Party in the United States during the presidential election to respond to a suspected incident, and discovered actually two different Russian threat actor groups in that environment. Engagements like that, and many others, and I can't talk about many of them,
that's one that happened to be in the news, are what allow us to produce very high-level, high-quality, unique threat intelligence. We serve both the commercial community, enterprises and businesses, as well as the intelligence community with threat intelligence. On the basis of those two platforms, we're able to build an endpoint protection solution, and that's what we'll talk about
mostly today: our endpoint protection.
That's quite unique in the market. However, we also layer a managed threat hunting service on top of that. And that's what Alexei was mentioning a second ago, in terms of looking for vendors that provide a full-spectrum service offering.
And we have a threat hunting team that's based across the world, primarily coming from the public sector, from the intelligence community, as well as from the private sector, who hunt for threats in our customer environments 24 by 7, designed to augment and extend the capabilities that you might have. Let me take a step deeper into endpoint protection specifically.
We use a single agent to provide all of the modules you see here. It's all driven by the cloud, so you don't have to deploy any management infrastructure yourself.
We provide the management infrastructure and you simply have to deploy the agent.
We have artificial intelligence and AI; as Alexei was saying a second ago, machine learning has become a buzzword, or it certainly is, but security incident management is a field that lends itself to machine learning.
And so we have machine learning, artificial intelligence, across different modules of the platform you see here. Next-generation antivirus and endpoint detection and response are the two topics I'm going to focus on today, just so you're aware. And we also provide services around device control, so at a hardware level managing which USB devices are allowed to be used in the environment and which are prohibited at a technical level. I mentioned threat hunting.
We provide threat hunting as a standard expansion module to your endpoint protection service. Hygiene and vulnerability management:
these are both use cases where we can use EDR data, so reuse detailed telemetry about what's happening on an endpoint, to move into related parts of security.
So into asset management, application inventory, user logon management, into vulnerability management, understanding which vulnerabilities are present in your environment and where. And also, I mentioned threat intelligence, which for us is both a product, you can buy threat feeds and buy long-form reporting on the current threat landscape, but it's also integrated into the platform.
And it's integrated both into the endpoint agent as well as via various automation hooks.
So for example, via automation, we can pull new and unknown malware that was detected by Falcon, our next-generation antivirus, automatically load that into an offline, asynchronous sandbox, detonate it, extract IOCs, ship those IOCs back into the EDR portion, compare it to threat intelligence to determine if we can attribute that to a particular actor or actor group, compare it to existing malware to automatically determine if this is possibly a new version of a known type of malware, and ship that data back into the platform, into your SOC team.
As I say, our focus today will be next-generation antivirus and EDR, endpoint detection and response. I just wanted to give you a little sense of the breadth of our platform. And as I say, it's all done via a single lightweight agent, about a 25 megabyte agent, 25 megabyte memory footprint. So with that, I'm going to jump into a little bit of a technological review of what's new in next-generation antivirus and EDR, about our approach and how we look at these problems. On the screen is what we call the pulse of legacy antivirus.
And I would imagine that many of you are familiar with this sort of daily routine, right? You get an AV signature update and your protection is up, it's good. And then over the course of the day, new malware appears or is released by threat actors, is sent to you by a person, and your protection degrades over the course of the day as more and more malware is released and sent. You get another signature update and your protection is good again, then it degrades and degrades and degrades over the course of the day.
And this continues 365 days a year. This model creates both operational costs, in having to ensure that all endpoints have the daily signatures or all of your antivirus engines are up to date. It also creates incidents during that period of reduced protection, where your signatures are getting old; some malware may slip through, some attacks that are sent to you may slip through and cause incidents. Our approach here is to replace that entire problem with a machine learning engine.
And what I have up on the screen is a graphical representation. As you can see, it goes from January 12th of this year through the end of May, so the first five months of the year. What we're looking at here is the catch rate of our machine learning engine
that's being tested against all of the new malware that was distributed or came out on a particular day.
And as you can see, over the course of five months, the existing ML engine, the machine learning based engine that powers our next-generation antivirus, has a consistently high catch rate here in the high nineties. At some points it'll dip down into the mid 90%, but over five months, and this is, to be clear, with no update whatsoever, right? This is an engine from January that still has a 95 to 98% catch rate at the end of May. Now, the engine itself in production would have been updated two times during this time period.
So what I'm showing you is essentially, in May, an engine that's two versions out of date, but is still able to catch well over 90, 95% of new threats that were released that day.
So that's a great start for file-based attacks and for malware itself.
But as we've seen in our data, something like 40% of attacks don't use malware anymore. And so we have a requirement for behavioral analysis as well. There are a few different fields here, right?
So one question I have on the screen is: when good binaries go bad, right?
So you may have an exploited process, an exploited program, or you may have simply what you might call dual-use munitions: PowerShell, equally used by attackers and administrators. Or Microsoft Word; Microsoft Word itself is not a dangerous program, but it's commonly instrumented, as are PDF readers, or any standard software is commonly instrumented by attackers to become a platform for launching attacks. As well as script-based attacks and malicious activity after an attacker has found a foothold and has begun moving laterally in your environment.
So all these use cases call for behavioral analysis. Our approach at CrowdStrike to behavioral analysis is what we call indicators of attack. And I have an example up here comparing indicators of attack to indicators of compromise, right? Indicators of compromise are,
yeah, I'm sure everybody's familiar with them, right? An IP address: if I see this IP address on my firewall, I know that an internal machine is connecting to an attacker C2. Or a hash: if I see this hash executed, I know this was, maybe, Downrage, a classic Fancy Bear tool, or X-Agent.
So I can use indicators of compromise to understand after the fact that I've been compromised, something bad has happened. We use indicators of attack earlier in the attack chain to understand that something bad is in the process of happening or going to happen. I have a simple example up here: so we have an unknown process executing. It's reading out the file system, deleting backups, so deleting volume shadow copies, calling an encryption routine, right?
We can put together these individual events, which are not necessarily malicious individually, each one in and of itself, but together clearly show a pattern for a ransomware attack.
We do this via an automated hunting engine called Threat Graph.
This is a cloud platform; I think it took about three years to build this platform. When we talk about cloud security, there's a big difference between a true cloud platform and just putting some appliances in somebody else's data center.
So at CrowdStrike, we're looking at a true cloud platform. This is a scalable graph database that makes about 4.75 million decisions per second across our customer base, versus about a trillion events per week, and is able to push decisions back down to the clients. Many decision trees are local on the sensor,
including next-generation antivirus machine learning; all that's on the sensor directly, but the cloud is able to support the decision making and put some of these more complex control flows into perspective.
And that leads to: last year, in 2017, we prevented about 25,000 breaches. That number will be quite a bit higher this year,
but that's the fixed number for 2017. So putting that back into the example that I used a moment ago, what we essentially see is a stream of events, right? And a single event may be a process being started, a program that's moving into memory areas that don't belong to it, injecting into other threads, registry changes, network connections, user logon events, processes starting, processes ending, each one of these events essentially flowing by and being monitored by the sensor.
And in the example I used earlier, we pull out individual events and say, okay, unknown process, reading the file system, attempting to access volume shadow copies, attempting to use cryptographic routines from the operating system.
You say, okay, that's ransomware, let's shut it down. Or to take another example out of the same stream of events:
as I say, each one of these events is something where we're making a decision upon whether this event is malicious or not. We see a remote logon, executing PowerShell, downloading a script, touching LSASS, that's the local security authority subsystem, touching LSASS to start to access process memory. We can say, okay, there's credential theft happening here, and we can stop it. So that's just sort of the approach here with indicators of attack and how that works. I want to talk briefly about why this approach is effective.
IOCs are very easy to change, and I'll show on the next slide a sampling of what I mean by that. But changing an IOC, an IP address or a hash, can be trivial; changing an IOA, an indicator of attack, a behavioral pattern, is much more difficult.
If I want to dump passwords from memory, I have to talk to the part of memory that has those passwords. I don't need to know which malware is being used, or which process has been injected into or migrated into, or which user it is.
I don't need to know anything in order to understand that certain activities, as I say, in these examples pulling particular memory blocks or editing particular parts of the registry, so-called auto-start extension points, modifying those where I can put a backdoor; there's a very large number of options for how an attacker can perform these actions, but it is limited. There's not an infinite number. So our approach with IOAs is to cover known and evolving attacker TTPs.
So TTPs: tactics, techniques, and procedures. Coming back to when I talk about integrated threat intelligence, we're not just talking about integrating IOCs, we're talking about understanding how modern attackers operate, how they typically are able to achieve their objectives, and putting up monitoring to look for those types of actions rather than specific malware or specific IOCs. I've got an example here, what's called the pyramid of pain. This was a pretty well-known blog post back in 2013 talking about this essential problem.
So look at IOCs, right? Hash values are trivial to change; I can just change a single byte and change the hash value. IP addresses are easy to spin up and down.
Domain names, there's a little bit more tracking there, but I can easily change the domain name. Network and host artifacts, to bypass IDS signatures or to bypass signature-based malware detection, are annoying, but they're fairly simple to change.
And that's where you see PowerShell obfuscation and different types of packers being used on malware. Changing tools is challenging, but not impossible.
You can always write a new tool to achieve the same objective, but it's very hard to change the objective that you're pursuing. So that's some of the background on how we apply these technologies, or these approaches, to detect attacks. Starting out here, I just have a common, simple, straightforward attack pattern. So I've got a web browser here. The user has gone and clicked on a link, and a few things are happening.
You know, it's written an executable file to disk. It's opened to PowerShell directly from the web browser. That's accessing the registry modifying accessibility options. That's a particular part of the registry that's commonly used for back doors.
You know, PowerShell has opened to handle into LSAs local security store has read memory out of LSAs later on there's a windows log on which launches an unknown process.
That process makes a network connection and pulls a payload from the internet injects itself into a trusted process, loads a D into the memory. And at this point it's game over for that particular endpoint, I right, the attacker now has full control and they can begin lateral movement.
As I say, I'm just using this as a, you know, a sample classic attack. So what can we do? How can we detect this?
So we can apply machine learning, or equally any antivirus approach; we use machine learning. You can apply an antivirus-type approach to the two file components of this attack, right? So we're writing a file from the web browser, where we can look at that file, and later winlogon is starting a process, so we can look at the process, the image that's used to start that file. If I don't capture it there, all the rest of the attack can happen with no prevention.
If I add indicators of attack, I've really created a defense-in-depth situation, right? I have a number more opportunities to detect that this attack is happening.
So when the web browser is starting PowerShell, I have a suspicious memory stack; I may see shellcode. That's quite suspicious. The PowerShell process itself is suspicious, right? You don't normally have web browsers executing PowerShell.
You do in some cases, but we understand when it's normal and when it's suspicious. We have PowerShell touching the registry, specifically touching registry areas that are commonly used for backdoors. We have PowerShell accessing LSASS. Later on this unknown process is injecting into a trusted process.
We see the payload being loaded. So we have a whole set of additional points during that attack chain; this is essentially the local kill chain, right?
This is the exploitation and establishing persistence part of the classic kill chain. We have a whole number of points where we can detect that happening. So I'll show you briefly what this looks like in the CrowdStrike interface.
Here I have a simple example of an attack tree, so we can see PowerShell has been started. PowerShell has performed a number of malicious actions, and I can see here on the right we have a critical severity: gaining access via credential dumping. So we see this PowerShell process has been looking into the LSASS memory area and loaded a DLL reflectively.
We see it's also looking into the SAM hive locally to pull credentials from disk. And we can see this entire attack chain of what the attacker is doing throughout. This is a combination of your classic EDR, understanding what's happening on the endpoint, with a focus on detection and prevention. I'll get into it. So we can see PowerShell started; they've spawned more command lines from their C2, right? Whoami: do I have administrator rights, or am I a user or root?
How do I get out of this network, what's the path? How big is the subnet that I'm in? What subnet am I in? They're also launching a script here and executing ANZ, which is most likely a backdoor, right?
So based on a single indicator of attack, any one of the items that I showed earlier is enough to determine that this entire process tree is an attack. Now of course, I'm showing you a simplified version, though it's a fairly modern attack, just to give you an idea of what this type of attack looks like when we detect it and report on it. Of course, normally you would want to be able to block such attacks, which is also something we provide.
I just have a sample here of how the configuration interface looks, right? So we've got, for malware protection, various execution blocking options: blocking suspicious PowerShell scripts and commands, blocking suspicious processes, blocking intelligence-sourced threats, custom blocking for specific hashes that you may want to blocklist in your environment. I also have some samples here of behavior-based protection, right?
Drive-by downloads, code injection, exploitation, JavaScript via rundll, various different options of how to block behavior like this.
And I'll just show you a quick example of what a blocked attack looks like for us. So here is a much simpler chain, right?
I can go back a little bit farther on this one because we have more space on the screen, so we're going back to the Windows process being started: winlogon, userinit, Explorer. We have a backdoor being executed, and we don't know that it's a backdoor.
We have a malicious file being executed, right? So here we see what's happening: it's a medium severity prevention and it's been detected by machine learning via on-sensor ML. So it means the on-sensor agent has detected this previously unknown file as being malicious and, due to our configuration, we've been able to both block the process itself and also quarantine the malware.
Now, at this point, going back to what I was talking about earlier with the modules, we could also automatically move that malware into an asynchronous sandbox, detonate it, extract IOCs, and ship those IOCs back into the EDR platform. That's more than we'll talk about here directly today.
I wanted to show you what these IOAs look like. Oh, and one thing I wanted to mention as well: the taxonomy.
So how do we categorize these types of events? You can see here objective, tactic and technique. Those terms come from the MITRE ATT&CK framework.
If you're not familiar with ATT&CK, it's a framework for describing security events, describing attack patterns. And so we have implemented ATT&CK within our UI in order to categorize and explain what's happening, right? So we see what's happening:
the attackers attempt to gain credential access, and they're using credential dumping in order to achieve that goal.
Right, in this case we see we're using machine learning. This is outside of the ATT&CK framework; there's no specific objective for machine learning. We're using machine learning in this case on the sensor, local to the endpoint, to determine that a particular file is bad. So recently, just at the end of last week, MITRE, or if you're in Germany it may look more like "mire", it's an external third-party agency.
This is the same agency that created the ATT&CK framework. They did some testing of six different products.
There are seven different products, my mistake; there are actually two more coming out. They ran a full attack against every EDR platform, simulating a particular APT, in this case Gothic Panda, that's a Chinese threat actor.
You may know it as APT3. For that particular actor, they ran the exact same attack against the major EDR solutions out there,
determining what was visible of that attack: which parts were visible in telemetry, which parts had proactive detections. What we saw in this attack is that at CrowdStrike we detected 69 of the actions that MITRE took as part of that full attack tree.
Endgame and Microsoft were both in the high thirties, Carbon Black about 15, CounterTack and SentinelOne both under 10. So what we see is the effectiveness of the IOA approach, right? Because again, we're looking at attack patterns used by real attackers to penetrate networks.
So yeah, we have a link here to the blog, but you can also go to MITRE and look into the detailed data.
There's not a couple hundred, but about a hundred, I think, different actions they took, and they have details for each system: what was and was not detected, how it was detected, when it was detected. There's a lot of data in there if you're a data type person. All right. So we talked about technology here, and we have this great approach with IOAs; we detect things very well.
As we saw in the MITRE testing, we detect things better than the major solutions out there. But monitoring is people, process, technology. I don't wanna forget the people and process part of that triad. So what I wanna talk about briefly is what we call breakout time.
Breakout time, as I have written on the screen, is the average time that an intruder needs between initial compromise,
so when they get on the first system, and when they start to move laterally to other systems in the network, right? The attacker doesn't usually land on the system they want; maybe they land on the system of a salesperson, but they really want to get into the database server, right? So they'll start to move laterally to get where they want to go.
What we've seen in our data is that it's about one hour and 58 minutes, just under two hours, the average time that an intruder needs to start moving laterally. Once lateral movement has begun, cleanup becomes much more costly and much more difficult, once you start to have to do IR on multiple different systems and determine with each system where the attacker moved from that system to the next one. So our approach here is what we call the 1-10-60 rule.
It's about speed and ensuring that people, process and technology are able to react quickly and effectively. What we see here is 1-10-60: time to detect, one minute, right? So you need to be able to detect an attack within a minute.
And this is the technology part, right? Your technology stack needs to be able to detect a new attack, get it through all of your monitoring into the SOC or into the incident response team quickly enough that within a minute there's an alert on somebody's screen somewhere. Now, from the people perspective, time to investigate within 10 minutes: that person, or the assigned analyst, needs to be able to start looking at the threat, right? That means you need to have 24 by 7 monitoring.
You need to have sufficient staffing in your SOC or analysis center so that they have time within 10 minutes to look at a new alert and determine whether or not it is in fact a major incident or a false positive; what are we seeing?
And then within 60 minutes you have to be in a position to remediate and contain. With CrowdStrike, we provide both a one-click network containment as well as detailed on-endpoint remediation functionality.
But you somehow need to be able to act within 60 minutes at the very maximum, in order to, on average, prevent lateral movement from occurring. So these are the goals that we see the best companies in the world striving to, and with our technology solutions we help them do that. So the last couple of thoughts here before we wrap up and go into questions: complexity and operating cost is always a huge issue for customers.
Nobody has infinite money, infinite resources. Our approach to saving the money and resources they have, as on the screen, is agent consolidation and cloud delivery, right?
So we provide a platform that's all linked into a single all-purpose agent.
Every module (I'll show the modules again in a second) is linked into the same agent. There's no installation or deployment necessary.
We run the graph databases, a massive infrastructure, in order to reliably detect attacks. The control infrastructure and architecture are integrated, right?
So you are essentially responsible for deploying agents. We do everything else, delivered, as we say, from the cloud. So there's no more signature updates, nothing.
Every agent is constantly online, constantly up to date. Of course, we provide service offerings around that, whether this is incident response, advisory services, red team, red/blue, adversary simulation. We have a whole host of services around that platform in order to provide you a full-service security partner.
I showed the modules earlier, and I'll show them again here very briefly, right?
Next-generation antivirus, detection and response, USB device control, threat hunting, IT hygiene (application inventory, asset inventory, vulnerability management), intel automation via high-speed malware search and asynchronous sandboxing. All of these ride on top of the Falcon platform and the single agent, which is driven by incident response and also by APIs. I don't have a slide about the integrations today, but generally speaking,
we integrate into every SIEM, every incident management software, every threat intelligence platform, every security orchestration; most of your major security tools we have direct integration into.
And that's what drives our ecosystem and drives value for the customer. Deployment is very simple, as you don't have to do any infrastructure; we provide all the management infrastructure.
If you become a customer on Monday, you can start installing agents on Tuesday and be protected immediately. There's no rule writing, no tuning that's necessary for detection mode.
So we can shorten your project: you don't have to think about deploying infrastructure, how many appliances, which locations get an appliance and which ones don't, etc. That's all taken care of for you. You install the agent and verify that it's working. There's no reboot necessary, also on updates; there's no reboot necessary, no signature updates, no disk scan. Then you can proceed to remove legacy products as you wish.
Last quick note before we get to Q&A: if that sounds like a lot of work, these large companies have SOC teams, incident response teams, in many cases worldwide.
If that's not you, we also offer what we call Endpoint Protection Complete, which is a full-service managed service. And what's unique about our offering is that we do remote response and remediation 24 by 7.
So unlike many managed service offerings where event triage is performed but then you, as the end customer, just get an alert that you need to clean up this or that endpoint, we will actually go and clean up the endpoint for you 24 by 7, to ensure, thinking back to the breakout time I talked about earlier, that a compromise or a minor incident doesn't turn into a major breach. With that,
I'll say thank you very much. I appreciate your time for listening, and we can move over to the Q&A.
Okay, well, thanks a lot, Chris. It was a seriously thorough introduction to the whole stack of technologies in your platform. And indeed, let's move on to the Q&A session, and please submit your questions into the appropriate window on the GoToWebinar control panel. We already have a few in the list, and the first one is, I guess, pretty obvious: if all your detection happens in the cloud, will it work offline?
Yeah, we absolutely do work offline. I'm sorry, I maybe wasn't quite clear enough.
So machine learning and many detections are offline. If you look at the threat vector offline, the threat vector is existing malware on the endpoint. You don't have hands-on-keyboard attackers, you don't have C2 connections, you don't have any type of actual attackers moving. And so all of the things to combat offline threats, machine learning, indicators of attack, ransomware protection, those are all offline.
Then when you go online, you get additional intelligence, additional machine learning from the cloud, but you are protected offline for all of the types of threats that an offline user might encounter.
If I may add on that from myself: how long can your client stay offline without seriously compromising the protection level?
It can, as I showed with the ML model earlier, stay offline practically indefinitely. The ML slide that I showed is essentially a client that was offline for five months and was still well protected.
Now, if you look at the threat model, if you're offline for a week or a month or two months, you're not getting any new threats, right, because you're staying offline.
And so I would say you could stay offline indefinitely. When you come back online, you may be subject to new threats, but you'll also get your updates and the most current protection.
Okay. The next question, let me read it just for a moment. Okay. So you've shown this MITRE test earlier against other EDR solutions, but do you participate in third-party antivirus tests as well?
How does your solution stack up against traditional antiviruses?
Yeah, absolutely.
I mean, we participate in as many antivirus forums as are out there. Our philosophy is public, unpaid testing. We do not participate in pay-to-play antivirus testing.
There's AV-Comparatives testing that we use. We're also tested by SE Labs.
So there's a number of different public tests you can find, and you can find all that on our website. I'm not sure what the exact URL is. If you Google "CrowdStrike AV-Comparatives", you'll find our direct list with all the different public testing that we do.
Okay. Next question.
Is the antivirus technology you use your own, or do you partner with some third party?
Great question.
Yeah, so many of the newer vendors that we see are actually licensing technology that's not their own.
We create our own technology. We have had a data science team in place that's been doing this for several years. We have the most insights, due to our cloud approach; we're the only vendor that's doing this with a true cloud platform. We have the most data, and as you know, with machine learning, whoever has the most data wins. So it's all our own technology; it's our own engine.
We manage, monitor, update, do everything with it. I'd recommend, if you're looking at this type of technology, ask if your vendor is in fact licensing somebody else's technology or if it's their own.
Okay. Right. The next one is again about the cloud. So a solution like yours, like an EDR platform, usually sends quite a few data bits into the cloud. How do you ensure that this data is compliant with all these regulations like GDPR?
Like, do you have a cloud in Germany, for example, within the EU?
Yeah, good question.
So first off, all data is encrypted in motion and at rest; it's on self-encrypting SSDs at rest, and it's encrypted in motion. We have various different certifications, from SOC 2 to Privacy Shield, all different types of certifications,
for our data security. In terms of the data location, we're just in the process of building an EU cloud. It's gonna be in Frankfurt; it'll be opening in the first quarter of 2019.
And so it will be in the EU, but currently the data's in the US. As I say, we've got Privacy Shield and all the different certifications you would expect. The data itself is secure.
As I say, an EU option will be coming in the first quarter of 2019. We're literally in the process right now of building out the data centers.
Okay. And to follow up on that, how long do you retain that data in your cloud?
Yeah, so the data is retained. Detailed data is retained by default for seven days.
As a customer, if you want to have your data retained longer, you can contract up to 90 days. Detection data is retained for 90 days anyway, whereas the detailed threat hunting data is seven days. Normally detection data is 90 days; hard IOC data,
which IP address, which endpoint, which hash value, is retained for a year, as well as audit logging, which is for a year. But by default the really detailed threat hunting data, that's also the data that may be subject to privacy concerns, is deleted
on a rolling basis when it's seven days old.
Okay. Makes sense. And I think we have a minute left for one last question. That question would be: you talk about multiple products in your platform. Does it mean that you can actually replace multiple legacy products which your customers may already have? Does it only relate to an antivirus, or does it cover other solutions as well?
Yeah. So what we see in a lot of cases: a lot of customers come to us and they say we have too many agents.
We may have one agent for antivirus, one for EDR, one for vulnerability assessment, possibly one for threat intelligence, possibly one for remote remediation. And these often come from a variety of vendors.
In many cases, when we come to a customer, some vendors may have multiple products, multiple agents themselves; there are some vendors in the EDR space that use up to three different agents, right? And so typically, when we come into a customer environment, we're able to replace at least one or two, if not three or four individual agents within the project. And our agent is lightweight; it's about 25 megabytes installed, 25 megabytes of memory.
And so the customer is not only reducing agents, but they're getting some of the resources of the computer back that have previously been essentially wasted by other local agents.
Okay, great.
Well, we have just reached the top of the hour, which means that we have to wrap up today's webinar. Thanks a lot, Chris, for being with us today.
Thanks.
Thank you, Alexei.
And have a nice day.