cloud-enabled: the future of endpoint security

Uploaded by: crowdstrike

Posted on 13-Apr-2017

TRANSCRIPT

2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

CLOUD-ENABLED: THE FUTURE OF ENDPOINT

JACKIE CASTELLI, SR PRODUCT MANAGER


1 CrowdStrike Intro

2 Why Cloud Is The Future of Endpoint Security

3 Cloud Concerns

4 How CrowdStrike Does It

A QUICK INTRODUCTION TO CROWDSTRIKE


Cloud Delivered Endpoint Protection

MANAGED HUNTING

ENDPOINT DETECTION AND RESPONSE

NEXT-GEN ANTIVIRUS

CrowdStrike is the only security technology provider to unify next-gen AV and EDR into a single agent, backed by 24/7 proactive threat hunting – all delivered via the cloud


WHY THE CLOUD IS THE FUTURE OF ENDPOINT SECURITY


Better Performance And Better Protection

“SIMPLY PUT, CLOUD COMPUTING IS A BETTER WAY TO RUN YOUR BUSINESS.”

Marc Benioff, Founder, CEO and Chairman of Salesforce


THE CLOUD PROVIDES BETTER PERFORMANCE

Eliminates Deployment Burden

Lightweight Agent


ELIMINATES DEPLOYMENT BURDEN

Faster and simpler deployment with the Cloud

§ No on-premise hardware

§ Faster deployment

§ Eliminates complexity

§ SaaS scalability


LIGHTWEIGHT AGENT

Lighten the agent with the Cloud

§ Lighten the agent by dividing the work between endpoint and the Cloud

§ Work in the Cloud when needed

§ Work on the sensor when needed


THE CLOUD PROVIDES BETTER PROTECTION

§ Protection Everywhere

§ Intelligence Sharing

§ Obscured from Attackers


PROTECTION EVERYWHERE

Protection on and off the corporate network

§ On-premise architectures are outdated and insufficient to protect today’s endpoints

OLD ENTERPRISE ARCHITECTURE

On-premise security

MODERN ENTERPRISE ARCHITECTURE

Cloud security, covering:

§ Mobile Worker

§ Public Cloud

§ Private Cloud

§ Remote Worker

§ Branch Office


INTELLIGENCE SHARING

Every New Attack Feeds Into New Defenses For All

§ Learn from new attacks

§ Share that intelligence in real-time

§ Eliminate silos


OBSCURED FROM ATTACKERS

Eliminate operational burden with the Cloud

§ Well-funded adversaries reverse engineer the security solutions they can buy

§ They look for vulnerabilities and ways to bypass those solutions

§ Cloud solutions escape this attacker scrutiny, because the analysis logic does not ship with the product

CONCERNS ABOUT THE CLOUD


My data…

THERE ARE STILL A LOT OF CONCERNS WITH THE CLOUD

WHAT ARE PEOPLE CONCERNED ABOUT?

Factors Driving Security Concerns Regarding Customer Data Residing in the Public Cloud

§ Data ownership: 56%

§ Location of data: 51%

§ Shared technology/multi-tenancy: 51%

§ Virtual exploits: 47%

§ Lack of strong access controls: 47%

§ Insecure interfaces/APIs: 46%

§ Shadow IT (i.e., individual business units deploying unsanctioned cloud workloads): 44%

§ Distributed denial of service (DDoS) attack affecting performance/uptime: 42%

§ Other: 3%

WHAT DATA DO YOU HAVE EXACTLY?

§ Event metadata – we do not need the .exe

§ Examples: process start/stop times, network connection activity, etc., as well as more sensitive metadata such as filenames and command line parameters

§ We do not want your personally identifiable information (PII) & it’s unlikely we have it

§ Storing more data than needed is counter-productive: it increases risk & it adds more cost for us

HOW LONG DO YOU KEEP OUR DATA?

§ By default, we retain most data for 90 days in the Falcon UI

§ The most detailed, raw data is kept on hand for 30 days

§ We archive data for 1 year in case it is needed & we perform data extractions by request

§ When data is deleted it follows NIST 800-88 for secure deletion of sensitive data

§ Data handling decisions are informed by actual customer usage – we listen & see what people need & make the best decision possible

HOW DO YOU KEEP MY DATA SEPARATE FROM OTHERS?

§ We designed Falcon to be multi-tenant

§ All data is tagged with unique, but anonymous, “Customer ID” & “Agent ID” values

§ Customer ID is mapped in a separate provisioning system to the customer name; it is not stored anywhere in actual event data

§ Sensor-to-cloud comms are via an SSL-encrypted tunnel that is pinned to our PKI certificate to guard against MITM attacks or injection of untrusted CAs on the device

HOW DO YOU KEEP MY DATA SEPARATE FROM OTHERS? (continued)

§ Cloud data is protected on a VPN requiring 2FA & with strict data privacy & access control

§ All data access within the system is managed through constrained APIs that require a customer-specific token to access only that customer's data

§ Data at rest is encrypted

§ Our analysis engines act on the raw event data, so they only leverage the anonymized CID and AID values for clustering of results
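As an added illustration of the tenant-isolation design the two slides above describe (example code written for this transcript, not CrowdStrike's own implementation): event records carry only anonymous CID/AID values, the customer name lives in a separate provisioning map, and a constrained query API takes the tenant from a customer-specific token rather than from the request. All names, identifiers and events are constructed.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Constructed sample data. Event records carry only the anonymous
# Customer ID (CID) and Agent ID (AID); the customer name is held
# in a separate provisioning map and never appears in event data.
PROVISIONING = {"cid-7f3a": "Acme Retail", "cid-91c2": "Globex Bank"}
EVENTS = [
    {"cid": "cid-7f3a", "aid": "aid-0001", "event": "ProcessRollup",
     "cmdline": "notepad.exe C:\\notes.txt"},
    {"cid": "cid-7f3a", "aid": "aid-0002", "event": "NetworkConnect",
     "dst": "203.0.113.9:443"},
    {"cid": "cid-91c2", "aid": "aid-0101", "event": "ProcessRollup",
     "cmdline": "cmd.exe /c whoami"},
]

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side signing key


def issue_token(cid: str) -> str:
    """Mint a customer-specific API token: the CID plus an HMAC binding it."""
    mac = hmac.new(SERVER_KEY, cid.encode(), hashlib.sha256).hexdigest()
    return f"{cid}.{mac}"


def cid_from_token(token: str) -> Optional[str]:
    """Verify the MAC and return the CID the token is bound to, else None."""
    cid, _, mac = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, cid.encode(), hashlib.sha256).hexdigest()
    return cid if cid and hmac.compare_digest(mac, expected) else None


def query_events(token: str, requested_cid: str, aid: Optional[str] = None) -> list:
    """Constrained API: the token decides the tenant, not the request."""
    token_cid = cid_from_token(token)
    if token_cid is None or token_cid != requested_cid:
        raise PermissionError("token is not valid for the requested customer")
    return [e for e in EVENTS
            if e["cid"] == token_cid and (aid is None or e["aid"] == aid)]


def resolve_customer_name(cid: str) -> Optional[str]:
    """Only the provisioning system can turn an anonymous CID into a name."""
    return PROVISIONING.get(cid)
```

A forged or tampered token fails the MAC check before any data is touched, and a valid token for one CID cannot be replayed against another tenant's data.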

THE CROWDSTRIKE CLOUD


TRUE BIG DATA SCALE

§ 30 billion events a day

§ 2 Petabytes of data


WHAT WE DO IN THE CROWDSTRIKE CLOUD

§ DEPLOY

§ STORE

§ ANALYSE

§ SHARE

§ LEARN

§ HUNT


BENEFITS OF THE CROWDSTRIKE CLOUD

Better performance – Better protection

§ Intelligence sharing and Community immunity

§ Unrivaled visibility

§ Managed Hunting

§ Lightweight sensor

§ Immediate time to value


LIGHTWEIGHT SENSOR

What needs the cloud is in the cloud. What needs to be on the sensor is on the sensor.

ENDPOINT PROTECTION (on the sensor)

§ MACHINE LEARNING

§ INDICATORS OF ATTACK PREVENTION

§ EXPLOIT BLOCKING

§ CUSTOM HASH BLOCKING

§ CONTINUOUS MONITORING

CLOUD PROTECTION (in the cloud)

§ MACHINE LEARNING

§ THREAT INTELLIGENCE

§ MANAGED HUNTING

§ THREAT GRAPH

§ No more daily signature updates

§ Small footprint: 20MB on disk

§ No-impact sensor

§ No reboots

IMMEDIATE TIME TO VALUE

DEMO: Sensor Deployment


COMMUNITY IMMUNITY

1 - DISCOVER ATTACK PATTERN

2 - ATTACK PATTERN SENT TO CLOUD

3 - ATTACK PATTERNS CONFIRMED (MATCH! at ORG #1, ORG #2 and ORG #3)


UNRIVALED VISIBILITY

DEMO: Hunting for attackers


WE SEE NEARLY 2 INTRUSIONS/MAJOR INCIDENTS EVERY HOUR…

24 hours a day, 7 days a week!

MANAGED HUNTING


THE TRUE VALUE OF THE CLOUD: Retail Customer

PROBLEM

§ Active incident with multiple criminal and nation-state adversaries

§ Existing AV, FW, IPS and IOC scanning all failed to prevent the breach

§ 100+ countries, $50M in costs – adversary persisted

§ No visibility into endpoint activities

§ Inability to find customized malware

§ Insufficient resources & expertise (Hunters)


THE FULL VALUE OF THE CLOUD: Retail Customer

SOLUTION

§ Deployed Falcon Host sensors in under 10 seconds per host with no reboot

§ Falcon identified dozens of breaches

§ 50+ compromised systems & stolen credentials

§ Falcon Intelligence attributed the attacks to nation-state and criminal groups

§ Falcon Overwatch provided 24/7 coverage and crucial notifications, preventing further compromises

§ CrowdStrike Services took over the remediation process and investigation to remove the adversaries


THE FULL VALUE OF THE CLOUD: Retail Customer

RESULTS

§ Prevented further breaches, massive reputation damage and regulatory headaches

§ Saved millions of dollars in IR and legal costs

§ Frictionless deployment: immediate time to value

§ Identified adversary activity and malware missed by other solutions and forensics teams

§ Dramatically reduced response & remediation time & costs

§ No hardware to purchase or additional resources to maintain & manage, saving time and money

§ Provided Tier 1 Hunting, freeing up valuable SOC resources


CLOUD ENABLED ENDPOINT PROTECTION

§ Goes beyond deployment

§ Uses the full power of the cloud to provide better performance and better protection

§ Crowdstrike solutions are Cloud enabled by design

Questions? Please submit all questions in the Q&A chat right below the presentation slides

Contact Us

Website: crowdstrike.com

Email: [email protected]

@CrowdStrike