cloud-enabled: the future of endpoint security
TRANSCRIPT
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
CLOUD-ENABLED: THE FUTURE OF ENDPOINT
JACKIE CASTELLI, SR PRODUCT MANAGER
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
1 CrowdStrike Intro
2 Why Cloud Is The Future of Endpoint Security
3 Cloud Concerns
4 How CrowdStrike Does It
Cloud Delivered Endpoint Protection
MANAGEDHUNTING
ENDPOINT DETECTION AND RESPONSE
NEXT-GEN ANTIVIRUS
CrowdStrike is the only security technology provider to unify next-gen AV and EDR into a single agent, backed by 24/7 proactive threat hunting – all delivered in via the cloud
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
WHY THE CLOUD IS THE FUTURE OF ENDPOINT SECURITY
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Better Performance And Better Protection
“SIMPLY PUT, CLOUD COMPUTING IS A BETTER WAY TO RUN YOUR BUSINESS.”
Marc Benioff, Founder, CEO and Chairman of Salesforce
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
THE CLOUD PROVIDES BETTER PERFORMANCE
Eliminates Deployment Burden
Lightweight Agent
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
ELIMINATES DEPLOYMENT BURDEN
Faster and simpler deployment with the Cloud
§ No on premise hardware
§ Faster deployment
§ Eliminates complexity
§ SaaS scalability
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
LIGHTWEIGHT AGENT
Lighten the agent with the Cloud
§ Lighten the agent by dividing the work between endpoint and the Cloud
§ Work in the Cloud when needed
§ Work on the sensor when needed
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
THE CLOUD PROVIDES BETTER PROTECTION
Protection Everywhere Intelligence Sharing Obscured from Attackers
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
PROTECTION EVERYWHERE
Protection on and off the corporate network
§ On premise architectures are outdated and insufficient to protect today’s endpoints
MODERN ENTERPRISE ARCHITECTURE
CLOUD SECURITYMobile Worker
Public Cloud
Private Cloud
Remote Worker
Branch Office
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
INTELLIGENCE SHARING
Every New Attack Feeds Into New Defenses For All
§ Learn from new attacks
§ Share that intelligence in real-time
§ Eliminate silos
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
OBSCURED FROM ATTACKERS
Eliminate operational burden with the Cloud
§ Well funded adversaries reverse engineer security solutions they can buy
§ Looking for vulnerabilities and ways to bypass those solutions
§ Cloud solutions escapes attacker scrutiny
THERE ARE STILL A LOT OF CONCERNS WITH THE CLOUDWHAT ARE PEOPLE CONCERNED ABOUT?
Factors DrivingSecurity ConcernsRegarding CustomerData Residing in the Public Cloud
Data Ownership 56%
51%
51%
47%
47%
46%
44%
42%
3%
Location of data
Shared Technology/multi-tenancy
Virtual Exploits
Lack of Strong access controls
Insecure interfaces APIs
Shadow IT (i.e., individual business units deploying unsactioned
cloud workloads
Distributed denial of service (DDoS) Attack affecting performance/uptime
Other
WHAT DATADO YOU HAVE
EXACTLY?
§ Event meta data – we do not need .exe
§ Examples: process start/stop times, network
connection activity, etc. as well as more
sensitive meta data such as filenames,
command line parameters
§ We do not want your personally identifiable
information (PII) & it’s unlikely we have it
§ Storing more data than needed is counter-
productive: it increases risk & it adds more
cost for us
•
When data is deleted it
follows NIST 800-88
for secure deletion of
sensitive data
•
Data handling
decisions are informed
by actual customer
usage– we listen & see
what people need &
make the best
decision possible
•
By default, we
retain most
data for 90 days in
the Falcon UI
•
The most detailed,
raw data is kept on
hand for 30 days
•
We archive data
for 1 year in case it
is needed & we
perform data
extractions by
request
HOW LONG DO YOU KEEP OUR DATA?
HOW DO YOU KEEP MY DATA
SEPARATE FROM OTHERS?
§ We designed Falcon to be multi-tenant
§ All data is tagged with unique, but
anonymous “Customer ID” & “Agent ID”
values
§ Customer ID is mapped in a separate
provisioning system to the customer name; it is
not stored anywhere in actual event data
§ Sensor to cloud comms are via an SSL-
encrypted tunnel that is pinned to our PKI
certificate to guard against MITM attacks or
injection of untrusted CAs on the device
HOW DO YOU KEEP MY DATA
SEPARATE FROM OTHERS?
§ Cloud data is protected on a VPN requiring
2FA & with strict data privacy & access
control
§ All data access within the system is managed
through constrained APIs that require a
customer-specific token to access only that
customer's data
§ Data at rest is encrypted
§ Our analysis engines act on the raw event
data, so they only leverage the anonymized
CID and AID values for clustering of results
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
TRUE BIG DATA SCALE
§ 30 billion events a day
§ 2 Petabytes of data
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
WHAT WE DO IN THE CROWDSTRIKECLOUD
§ DEPLOY
§ STORE
§ ANALYSE
§ SHARE
§ LEARN
§ HUNT
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
BENEFITS OF THE CROWDSTRIKE CLOUDBetter performance – Better protection
Intelligence sharing and Community immunity
Unrivaled visibility Managed Hunting
Lightweight sensor Immediate time to value
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
What needs the cloud is in the cloud. What needs to be on the sensor is on the sensorLIGHTWEIGHT SENSOR
§ MACHINE LEARNING§ INDICATORS OF ATTACK
PREVENTION§ EXPLOIT BLOCKING§ CUSTOM HASH BLOCKING§ CONTINUOUS MONITORING
§ MACHINE LEARNING§ THREAT INTELLIGENCE§ MANAGED HUNTING§ THREAT GRAPH
ENDPOINT PROTECTION
CLOUD PROTECTION§ No more daily signature updates
§ Small footprint20MB on disk
§ No impact sensor
§ No reboots
1 - DISCOVER ATTACK PATTERN
ATTACK PATTERN
2 - ATTACK PATTERN SENT TO CLOUD
3 - ATTACK PATTERNS CONFIRMED
MATCH! ORG #1
ORG #2
ORG #3
MATCH!
MATCH!
COMMUNITY IMMUNITY
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
WE SEE NEARLY 2 INTRUSIONS/MAJOR INCIDENTS EVERY HOUR…
24 hours a day, 7 days a week!
MANAGED HUNTING
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Retail CustomerTHE TRUE VALUE OF THE CLOUD
PROBLEM
SOLUTION
RESULTS
Active incident with multiple criminal and nation-state adversaries
Existing AV, FW, IPS and IOC scanning failed
(AV, FWs, IPS, IOC scanning - all failed to prevent the breach)
100+ countries, $50M in costs – adversary persisted
No visibility into endpoint activities
Inability to find customized malware
Insufficient resources & expertise (Hunters)
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Retail CustomerTHE FULL VALUE OF THE CLOUD
PROBLEM
SOLUTION
RESULTS
Deployed Falcon Host sensors in under 10 seconds per host with no reboot
Falcon identified dozens of breaches
50+ compromised systems & stolen credentials
Falcon Intelligence attributed the attacks to nation-state and criminal groups
Falcon Overwatch provided 24/7 coverage and crucial notifications, preventing further compromises
CrowdStrike Services took over the remediation process and investigation to remove the adversaries
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Retail CustomerTHE FULL VALUE OF THE CLOUD
PROBLEM
SOLUTION
RESULTS
Prevented further breaches, massive reputation damage and regulatory headaches
Saved million of dollars in IR and legal costs
Frictionless deployment— Immediately Time to Value
Identified adversary activity and malwaremissed by other solutions and forensics teams
Dramatically reduced response & remediation time & costs
No hardware to purchase or additional resources to maintain & manage, saving time and money
Provided Tier 1 Hunting, freeing up valuable SOC resources 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
CLOUD ENABLED ENDPOINT PROTECTION
§ Goes beyond deployment
§ Uses the full power of the cloud to provide better performance and better protection
§ Crowdstrike solutions are Cloud enabled by design
Questions?Please submit all questions in the Q&A chat right below the presentation slides
Contact UsWebsite: crowdstrike.comEmail: [email protected]: @CrowdStrike