Cloud-Enabled: The Future of Endpoint Security

2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
CLOUD-ENABLED: THE FUTURE
OF ENDPOINT
JACKIE CASTELLI, SR PRODUCT MANAGER

1 CrowdStrike Intro
2 Why Cloud Is The Future of Endpoint Security
3 Cloud Concerns
4 How CrowdStrike Does It

A QUICK INTRODUCTION TO CROWDSTRIKE

Cloud Delivered Endpoint Protection
MANAGED
HUNTING
ENDPOINT DETECTION
AND RESPONSE
NEXT-GEN
ANTIVIRUS
CrowdStrike is the only security technology provider to unify next-gen AV and EDR into a
single agent, backed by 24/7 proactive threat hunting – all delivered in via the cloud

WHY THE CLOUD IS THE FUTURE OF ENDPOINT SECURITY
Better Performance And Better Protection

“SIMPLY PUT, CLOUD COMPUTING IS A
BETTER WAY TO RUN YOUR BUSINESS.”
Marc Benioff, Founder, CEO and Chairman of Salesforce

THE CLOUD PROVIDES BETTER PERFORMANCE
Eliminates Deployment
Burden
Lightweight Agent

ELIMINATES
DEPLOYMENT
BURDEN
Faster and simpler deployment with the Cloud
§ No on premise hardware
§ Faster deployment
§ Eliminates complexity
§ SaaS scalability

LIGHTWEIGHT AGENT
Lighten the agent with the Cloud
§ Lighten the agent by dividing the work
between endpoint and the Cloud
§ Work in the Cloud when needed
§ Work on the sensor when needed

THE CLOUD PROVIDES BETTER PROTECTION
Protection Everywhere Intelligence Sharing Obscured from Attackers

PROTECTION
EVERYWHERE
Protection on and off the corporate network
§ On premise architectures are outdated
and insufficient to protect today’s
endpoints

OLD ENTERPRISE ARCHITECTURE
O N P R E M I S E S E C U R I T Y

MODERN ENTERPRISE ARCHITECTURE
CLOUD SECURITY
Mobile
Worker
Public
Cloud
Private
Cloud
Remote
Worker
Branch
Office

INTELLIGENCE
SHARING
Every New Attack Feeds Into New Defenses For All
§ Learn from new attacks
§ Share that intelligence in real-time
§ Eliminate silos

OBSCURED FROM
ATTACKERS
Eliminate operational burden with the Cloud
§ Well funded adversaries reverse
engineer security solutions they can
buy
§ Looking for vulnerabilities and ways to
bypass those solutions
§ Cloud solutions escapes attacker
scrutiny

CONCERNS ABOUT THE CLOUD
My data…...

THERE
ARE STILL A
LOT OF
CONCERNS
WITH THE
CLOUD
WHAT ARE PEOPLE
CONCERNED
ABOUT?
Factors Driving
Security Concerns
Regarding Customer
Data Residing in the
Public Cloud
Data Ownership 56%
51%
51%
47%
47%
46%
44%
42%
3%
Location of data
Shared Technology/multi-tenancy
Virtual Exploits
Lack of Strong access controls
Insecure interfaces APIs
Shadow IT (i.e., individual
business units deploying unsactioned
cloud workloads
Distributed denial of service (DDoS)
Attack affecting performance/uptime
Other

WHAT DATA
DO YOU HAVE
EXACTLY?
§ Event meta data – we do not need .exe
§ Examples: process start/stop times, network
connection activity, etc. as well as more
sensitive meta data such as filenames,
command line parameters
§ We do not want your personally identifiable
information (PII) & it’s unlikely we have it
§ Storing more data than needed is counter-
productive: it increases risk & it adds more
cost for us

•
When data is deleted it
follows NIST 800-88
for secure deletion of
sensitive data
•
Data handling
decisions are informed
by actual customer
usage– we listen & see
what people need &
make the best
decision possible
•
By default, we
retain most
data for 90 days in
the Falcon UI
•
The most detailed,
raw data is kept on
hand for 30 days
•
We archive data
for 1 year in case it
is needed & we
perform data
extractions by
request
HOW LONG DO YOU
KEEP OUR DATA?

HOW DO YOU
KEEP MY DATA
SEPARATE
FROM OTHERS?
§ We designed Falcon to be multi-tenant
§ All data is tagged with unique, but
anonymous “Customer ID” & “Agent ID”
values
§ Customer ID is mapped in a separate
provisioning system to the customer name; it is
not stored anywhere in actual event data
§ Sensor to cloud comms are via an SSL-
encrypted tunnel that is pinned to our PKI
certificate to guard against MITM attacks or
injection of untrusted CAs on the device

HOW DO YOU
KEEP MY DATA
SEPARATE
FROM OTHERS?
§ Cloud data is protected on a VPN requiring
2FA & with strict data privacy & access
control
§ All data access within the system is managed
through constrained APIs that require a
customer-specific token to access only that
customer's data
§ Data at rest is encrypted
§ Our analysis engines act on the raw event
data, so they only leverage the anonymized
CID and AID values for clustering of results

THE CROWDSTRIKE CLOUD

TRUE BIG DATA SCALE
§ 30 billion events a day
§ 2 Petabytes of data

WHAT WE DO IN THE
CROWDSTRIKE
CLOUD
§ DEPLOY
§ STORE
§ ANALYSE
§ SHARE
§ LEARN
§ HUNT

BENEFITS OF THE CROWDSTRIKE CLOUD
Better performance – Better protection
Intelligence sharing and
Community immunity
Unrivaled visibility Managed Hunting
Lightweight sensor Immediate time to value

What needs the cloud is in the cloud. What needs to be on the sensor is on the sensor
LIGHTWEIGHT SENSOR
§ MACHINE LEARNING
§ INDICATORS OF ATTACK
PREVENTION
§ EXPLOIT BLOCKING
§ CUSTOM HASH BLOCKING
§ CONTINUOUS MONITORING
§ MACHINE LEARNING
§ THREAT INTELLIGENCE
§ MANAGED HUNTING
§ THREAT GRAPH
ENDPOINT PROTECTION
CLOUD PROTECTION
§ No more daily signature updates
§ Small footprint
20MB on disk
§ No impact sensor
§ No reboots

IMMEDIATE TIME TO VALUE DEMO
Sensor Deployment

1 - DISCOVER ATTACK PATTERN
ATTACK PATTERN
2 - ATTACK PATTERN SENT TO CLOUD
3 - ATTACK PATTERNS CONFIRMED
MATCH! ORG #1
ORG #2
ORG #3
MATCH!
MATCH!
COMMUNITY IMMUNITY

UNRIVALED VISIBILITY DEMO
Hunting for attackers

WE SEE NEARLY 2 INTRUSIONS/MAJOR
INCIDENTS EVERY HOUR…
24 hours a day, 7 days a week!
MANAGED HUNTING

Retail Customer
THE TRUE VALUE OF THE CLOUD
PROBLEM
SOLUTION
RESULTS
Active incident with multiple criminal and
nation-state adversaries
Existing AV, FW, IPS and IOC scanning failed
(AV, FWs, IPS, IOC scanning - all failed to
prevent the breach)
100+ countries, $50M in costs – adversary
persisted
No visibility into endpoint activities
Inability to find customized malware
Insufficient resources & expertise (Hunters)

Retail Customer
THE FULL VALUE OF THE CLOUD
PROBLEM
SOLUTION
RESULTS
Deployed Falcon Host sensors in under 10
seconds per host with no reboot
Falcon identified dozens of breaches
50+ compromised systems & stolen
credentials
Falcon Intelligence attributed the attacks to
nation-state and criminal groups
Falcon Overwatch provided 24/7 coverage and
crucial notifications, preventing further
compromises
CrowdStrike Services took over the
remediation process and investigation to
remove the adversaries2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

Retail Customer
THE FULL VALUE OF THE CLOUD
PROBLEM
SOLUTION
RESULTS
Prevented further breaches, massive reputation
damage and regulatory headaches
Saved million of dollars in IR and legal costs
Frictionless deployment— Immediately Time to
Value
Identified adversary activity and malware
missed by other solutions and forensics teams
Dramatically reduced response & remediation
time & costs
No hardware to purchase or additional resources
to maintain & manage, saving time and money
Provided Tier 1 Hunting, freeing up valuable SOC
resources 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

CLOUD ENABLED ENDPOINT PROTECTION
§ Goes beyond deployment
§ Uses the full power of the cloud to provide better performance and better
protection
§ Crowdstrike solutions are Cloud enabled by design

Questions?
Please submit all questions in the Q&A chat right
below the presentation slides
Contact Us
Website: crowdstrike.com
Email: crowdcasts@crowdstrike.com
Twitter: @CrowdStrike

Cloud-Enabled: The Future of Endpoint Security

More Related Content

What's hot

Viewers also liked

Similar to Cloud-Enabled: The Future of Endpoint Security

Recently uploaded

Cloud-Enabled: The Future of Endpoint Security