you can't stop the breach without prevention and detection
TRANSCRIPT
Page 1
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
YOU CAN’T STOP THE BREACH WITHOUT PREVENTION AND DETECTION
CHRIS SHERMAN, SENIOR ANALYST, FORRESTER
ROD MURCHISON, VP, PRODUCT MANAGEMENT, CROWDSTRIKE
Page 2
Mastering the Endpoint: Leverage Forrester’s Targeted Attack Hierarchy Of Needs
Chris Sherman, Senior Analyst
October 20th, 2016
Page 3
© 2016 Forrester Research, Inc. Reproduction Prohibited 3
The 90’s called, they want their endpoint security strategy back
Despite…
• 42% of breaches involved a software exploit over the past year
• a 19% increase in costs associated with cyberattacks Y-Y
…many organizations still rely heavily on antivirus. A New Approach Is Needed!
[Chart: adoption of endpoint security controls: Anti-Virus, Application patching, Application control, Endpoint Visibility & Control. Values shown on the slide: 80%, 63%, 48%, 48%, 55%, 53%; the extraction does not preserve which value belongs to which control.]
Base: 671 IT and IT security practitioners. Source: Ponemon 2013 State of the Endpoint Survey
Base: 881 IT Security Decision Makers. Source: Forrester BT Security Survey, Q3 2015
Page 4
Organizations Must Refocus Their Endpoint Security Strategies
Page 5
The Targeted-Attack Hierarchy Of Needs
Page 6
Targeted-Attack Hierarchy Of Needs
Need No. 1: An Actual Security Strategy
Page 7
Expense in Depth
Page 8
Return on Expense in Depth?
Page 9
Components of a sound strategy
› Adopt principles of the Zero Trust model
› Data-driven security, not alert-driven security
› Data-driven security is really business-driven security, which is supported by executives
Page 10
Targeted-Attack Hierarchy Of Needs
Need No. 2: A Dedication To Recruiting And Retaining Staff
Page 11
Double down on higher education
› There is intense competition between the emerging cyber programs
› Make them more competitive; join an advisory board and drive curriculum that produces capable graduates
Page 12
Targeted-Attack Hierarchy Of Needs
Need No. 3: A Focus On The Fundamentals
Page 13
A Focus On The Fundamentals
Page 14
Targeted-Attack Hierarchy Of Needs
Need No. 4: An Integrated Portfolio That Enables Orchestration
Page 15
Friction?
› “Create friction for the attacker. Slow them down and make their job more difficult.”
› What about all the friction we create for ourselves?
› Most orgs don’t have the resources to automate their InfoSec processes.
Page 16
What can you do?
› Invest in software development staff
› Prioritize vendors that integrate and automate between the endpoint and network layers
› Pay attention to vendors who see the need and are developing solutions.
Page 17
Targeted-Attack Hierarchy Of Needs
Need No. 5: Prevention
Page 18
Prevention is shifting
› Traditional approaches to prevention will continue
› If you can prevent an action, why not?
› Prevention with threat intelligence
  • Command and Control indicators should be used to prevent communications
Page 19
Prevention begins and ends with attack surface reduction
Photo credit: Jan Stromme, Bloomberg Business
Page 20
Targeted-Attack Hierarchy Of Needs
Need No. 6: Detection & Response
Page 21
Detection
› Detection is the only option when dealing with higher-tier adversaries
› No single control is your breach detection system
› Your aggregate controls and your people are your breach detection system
Page 22
Response
› Once you have identified malicious activity, how do you respond?
› Is your remediation a reimage?
› Time to containment and remediation will never improve without automated response
Page 23
To be successful, an endpoint security strategy must balance prevention with detection
Pages 24–27 (progressive build of one slide; the final build is shown)
Endpoint Security Requires A Balanced Approach
Prevention
• Addresses attack surface
• Limits time spent on detection/response
• Doesn’t require frequent updates
Detection
• Endpoint visibility and integration
• Catches what gets through
• Threat intelligence required
Control / Remediation
• Automated/assisted remediation reduces friction
• Ensures policy compliance
• Operationalizes threat intelligence
Page 28
Recommendations
› Choose prevention technologies based on your risk appetite and impact to user experience.
› Look to expand your detection capabilities beyond malicious process identification and IOC identification.
› Reduce your attack surface through a balance of prevention, detection, and remediation proficiency.
Page 29
THE YIN & YANG OF ENDPOINT PROTECTION
§ You need to see Prevention & Detection in a holistic way
§ There needs to be a virtuous approach - one feeds the other and vice-versa
§ You need to have a vision, from the outset, to build this; you can’t just make this up as you go along
[Diagram: Prevention / Detection]
Page 30
Cloud Delivered Endpoint Protection
MANAGED HUNTING
ENDPOINT DETECTION AND RESPONSE
NEXT-GEN ANTIVIRUS
CrowdStrike is the only security technology provider to unify next-gen AV and EDR into a single agent, backed by 24/7 proactive threat hunting – all delivered via the cloud
Page 31
PREVENTION
PREVENTS ALL TYPES OF ATTACKS
BENEFITS / BUSINESS VALUE (as laid out on the slide):
• Protect against Known/Unknown Malware
• Protect Against Zero-Day Attacks
• Eliminate Ransomware
• No Signature Updates
• No User Impact—Less than 1% CPU overhead
• Reduce re-imaging time and costs
Prevention components: Machine Learning; IOA Behavioral Blocking; Block Known Bad; Exploit Mitigation
Page 32
CLASSIC EDR JUSTIFICATION: THERE IS NO SUCH THING AS 100% PREVENTION
§ Attacks will always get through
§ Even with 99% efficacy you still need something to deal with the 1%
§ So, you need EDR to deal with this and solve the ‘silent failure’ problem
1% missed
99%stopped
Page 33
WHAT 99% CAN MEAN…
[Chart: chance of at least one success for the adversary (y-axis) against number of attempts (x-axis), rising from 1% at a single attempt to >99% at 500 attempts]
Bottom line: change the binary 500 times and with 99% detection efficacy you will get one file through
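The arithmetic behind the 99%/500-attempts slide, worked through as an added example (this is not code from the deck or from CrowdStrike): cumulative chance of at least one success, expected number of successes, and the reverse question a defender cares about, namely the per-attempt block rate prevention alone would need to hold cumulative risk at 1% over 500 attempts. It assumes independent attempts with the same per-attempt block probability, which is the slide's implicit model.

```python
"""Added worked example for the '99% efficacy, 500 attempts' slide.
Assumes attempts are independent and each is blocked with the same
probability (the deck's implicit model); constructed here, not vendor code."""
import math


def p_at_least_one_success(efficacy: float, attempts: int) -> float:
    """Chance the adversary gets at least one attempt past a control that
    blocks each attempt with probability `efficacy`."""
    if not 0.0 <= efficacy <= 1.0 or attempts < 0:
        raise ValueError("efficacy must be in [0, 1], attempts >= 0")
    # P(all blocked) = efficacy ** attempts; P(>= 1 success) is its complement
    return 1.0 - efficacy ** attempts


def expected_successes(efficacy: float, attempts: int) -> float:
    """Mean number of attempts that get through (binomial mean)."""
    return attempts * (1.0 - efficacy)


def attempts_for_confidence(efficacy: float, target: float) -> int:
    """Smallest number of attempts at which P(>= 1 success) reaches `target`."""
    if not 0.0 < efficacy < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("efficacy and target must be strictly between 0 and 1")
    # Solve 1 - efficacy**n >= target for the smallest integer n
    return math.ceil(math.log(1.0 - target) / math.log(efficacy))


def required_efficacy(attempts: int, max_risk: float) -> float:
    """Per-attempt block rate prevention alone would need so that the chance
    of any success over `attempts` tries stays at or below `max_risk`.
    This is the defender's reading of the slide: any realistic prevention
    rate needs a detection layer behind it."""
    if attempts < 1 or not 0.0 < max_risk < 1.0:
        raise ValueError("attempts >= 1, max_risk strictly between 0 and 1")
    # Solve 1 - e**attempts <= max_risk for e
    return (1.0 - max_risk) ** (1.0 / attempts)


if __name__ == "__main__":
    eff, n = 0.99, 500  # the slide's numbers
    print(f"P(at least one of {n} attempts succeeds) = {p_at_least_one_success(eff, n):.4f}")
    print(f"expected successes                       = {expected_successes(eff, n):.1f}")
    print(f"attempts for a 99% chance of success     = {attempts_for_confidence(eff, 0.99)}")
    print(f"efficacy needed to hold risk at 1%       = {required_efficacy(n, 0.01):.6f}")
```

With the slide's numbers the cumulative chance is about 99.3% and the expected count is 5 files through, and holding risk at 1% over 500 attempts would need a per-attempt block rate of roughly 99.998%.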
Page 34
DETECTION AND RESPONSE
DVR FOR ENDPOINT
BENEFITS / BUSINESS VALUE (as laid out on the slide):
• Prevent against silent failure
• 5 Second Enterprise Search
• No Hardware or Storage Costs
• Full Spectrum Visibility
• Reduced Time to Remediation
Page 35
MANAGED HUNTING
FINDING THE ADVERSARY So You Don’t Have To
BREACH PREVENTION SERVICES
BENEFITS / BUSINESS VALUE (as laid out on the slide):
• Team of Hunters Working for You, 24 x 7
• Force Multiplier
• Community Immunity
• Reduce Alert Fatigue: Focus on What Matters!
• Stop the “Mega” Breach
Page 36
SO YOU GOT DETECTION AND PREVENTION, WHY ARE YOU STILL DISAPPOINTED?
§ You can’t just slam two things together - detection & prevention
§ You can’t just tick a list of features where you check-off features
§ This is tough stuff, you need to be thoughtful and considered in how you architect a prevention and detection solution
§ You can’t see prevention and EDR as two separate things
Page 37
SO, WHERE DOES PREVENTION END & DETECTION START?
[Diagram: Prevention / Detection]
Page 38
OVERVIEW OF WHAT’S REQUIRED TO PROPERLY UNIFY NEXT-GEN AV AND EDR
1. Complete and accurate visibility
2. Analysis capacity
3. Ability to turn data into information and insight
Page 39
COMPLETE AND ACCURATE VISIBILITY
§ Data: Need lots of it
§ Scalability: In the Cloud
§ Power: Storage, throughput and compute power
§ Integrity: High fidelity
§ Usefulness: Insightful
§ Flexible Capture: distributed/mobile/BYOD and or on/off network
Page 40
ANALYSIS CAPACITY
§ Organize and analyze big data
§ You need to analyze this at massive scale
§ You need to ‘glue’ all this data together
§ That’s why a ‘Graph’ is the answer
Page 41
ABILITY TO TURN DATA INTO INFORMATION AND INSIGHT
§ Piecing data together and establishing the relationships between the pieces drives ‘Context’ - the more data you have, the ‘richer the context’
§ Understanding context lets you understand behavior, and that allows you to get to IOA
THREAT GRAPH
Indicators of Attack
EDR
Page 42
WHICH IN TURN MAKES BOTH PREVENTION AND EDR BETTER
§ IOAs = better ‘prevention’
§ IOAs = defeat attackers who are ‘living off the land’
§ Traditional malware and security approaches are inadequate
§ IOAs = better EDR, and better EDR = better IOAs
Page 43
SUMMARY
§ You need to see Prevention & Detection in a holistic way
§ There needs to be a virtuous approach - one feeds the other and vice-versa
§ You need to have a vision, from the outset to build this, you can’t just make this up as you go along
Page 44
NEW FORRESTER WAVE
The Forrester Wave™: Endpoint Security, Q4 2016 The 15 Providers That Matter Most And How They Stack Up
§ CrowdStrike will be sending a copy to ALL webcast registrants