2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
THE TIME HAS COME TO REPLACE YOUR LEGACY AV
DAN LARSON, TECHNICAL DIRECTOR
CrowdStrike Intro
Legacy Anti-Virus Efficacy
How CrowdStrike Stops Malware
How CrowdStrike Goes Beyond Malware
How to Switch to CrowdStrike for AV
AV Testing and Industry Collaboration
A QUICK INTRODUCTION TO CROWDSTRIKE
Cloud Delivered Endpoint Protection
MANAGED HUNTING
ENDPOINT DETECTION AND RESPONSE
NEXT-GEN ANTIVIRUS
CrowdStrike is the only security technology provider to unify next-gen AV and EDR into a single agent, backed by 24/7 proactive threat hunting – all delivered via the cloud
MY ANTI-VIRUS JUST DOESN’T WORK
This is the #1 concern raised by customers inquiring with analyst firms Gartner and Forrester about endpoint security.
…They simply are not effective in stopping modern threats.
INEFFECTIVE AGAINST MODERN THREATS
45%
“Anti-Virus catches about 45 percent of attacks these days”
- Brian Dye, former VP at Symantec (now at McAfee)
Source: https://goo.gl/hNUCdm
“COMPLEXITY IS THE ENEMY OF SECURITY”
Bruce Schneier, 2001
TRYING TO GET AHEAD OF THE ATTACKER
Enterprise Endpoint Security Timeline
80s to 90s: Signatures
00s: Heuristics
2007: Reputation
2009: App Control
2011: IOC Sharing
2012: Sandboxing & Isolation
2013: Machine Learning
2014: Behavioral Analytics
Now: Managed Hunting
LEGACY VENDOR ARCHITECTURE
EMAIL ENCRYPTION
HTTP/WEB GATEWAY: Web Security
SMTP/EMAIL GATEWAY: Mail Security
SHAREPOINT: Sharepoint Security
SERVERS: App Control
MAIL SERVERS: Mail Scanner
VDI: VDI Plugin
FIREWALL/ROUTER: UTM Gateway
SANDBOX APPLIANCE
CENTRALIZED MANAGEMENT
HOST SECURITY SERVICES
• Web Security as a Service
• Hosted Email Security
• Reputation Cloud
• Sandbox Service
ENDPOINT PROTECTION
• Vulnerability Protection
• Host Intrusion Prevention
• AntiVirus
• Endpoint Encryption
• Application Control
• Web Protection
“NEXT GEN”
• Endpoint Activity Visibility
Even with all of this, there were 3,141 breaches in 2015.
Source: 2016 Verizon Data Breach Investigation Report
CROWDSTRIKE FALCON ARCHITECTURE
CLOUD DELIVERED ENDPOINT PROTECTION
CROWDSTRIKE FALCON ANTI-MALWARE PREVENTION STACK
PREVENT:
§ KNOWN MALWARE
§ UNKNOWN MALWARE
§ BEYOND MALWARE
ENDPOINT PROTECTION
§ MACHINE LEARNING
§ IOA PREVENTION
§ EXPLOIT BLOCKING
§ CUSTOM HASH BLOCKING
§ CONTINUOUS MONITORING
CLOUD PROTECTION
§ MACHINE LEARNING
§ THREAT INTELLIGENCE
§ MANAGED HUNTING
§ THREAT GRAPH
Machine Learning
• Increases effectiveness against new, polymorphic or obfuscated malware
• Works without daily updates
• Works offline
• Data models can be smaller than signature files (if done properly)
• Performance impact less than on-demand or on-access scanning techniques
• Complements:
  • Behavioral analytics, or IOAs
  • Exploit mitigation
MORE THAN JUST AV REPLACEMENT
THE REMAINING CHALLENGES
Complexity…
Ever expanding infrastructure requirements and agent footprint
Always Out of Date…
By the time your update is deployed, it is time to start another
Blind Spots…
Silent failure leads to long dwell times and false sense of security
COMPLEXITY
Eliminate operational burden with CrowdStrike
§ No more daily signature updates
§ Smaller footprint: 15MB on disk, 10MB in memory
§ No reboots
§ No on premise hardware
§ SaaS scalability
ALWAYS OUT OF DATE
Outpace the attacker with CrowdStrike
§ No need to develop AV signatures
§ Machine learning and IOAs are more persistent protection mechanisms
§ CrowdStrike only requires 15MB on disk
§ 70MB-150MB typical for AV signatures
§ Some ML models balloon to 300MB
§ Single-sensor design eliminates dependency issues
§ SaaS delivery ensures real-time updates when necessary
EXAMPLE: 3-Month-Old Machine Learning Model Immediately Blocks Shamoon 2
§ ML model delivered to VirusTotal on Aug 25th
§ Blocked Shamoon 2 on its first appearance in VT on Nov 22nd
§ CrowdStrike was one of only five vendors to identify it correctly
Source: https://goo.gl/nK0VmO
BLIND SPOTS
Eliminate dwell time with CrowdStrike
§ AV can only see what it stops
§ No prevention solution can be 100% effective, not even next-gen solutions
§ Average dwell time still near 200 days
§ Go beyond malware to detect and block modern attacker techniques
§ CrowdStrike’s EDR offers automatic detections, eliminating the need for manual search
§ CrowdStrike’s Overwatch delivers proactive threat hunting in your environment, 24x7x365
NO MORE BLIND SPOTS: 100% Exploit Detection in AV-Comparatives Test
Exploit test results (%), per vendor:
Vendor        Detected   Blocked
Symantec*        90         90
Cylance*         63         63
CrowdStrike     100         70
SentinelOne      57         28
Palo Alto        86         82
Source: AV-Comparatives and AV-Comparatives
§ CrowdStrike is only product with 100% detection efficacy
§ All other solutions suffered from silent failure
§ In reality, this leads to long dwell times
2015 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
EXAMPLE: Privilege Escalation from Command Line
• AV signatures, IOCs and Application Control are ineffective against this kind of threat
• Even machine learning can’t stop this because it is a trusted executable
• Would you know how to search for this?
• Even if you knew how, do you have the bandwidth to search?
• CrowdStrike IOAs operate in real time and automate the detection process so that you don’t have to search
THINGS TO LOOK OUT FOR
If you’re not 100% effective at prevention, then you need strong detection
Even some next-gen players have bloated endpoint agents
Unverified efficacy claims
“Bake in” periods are like HIPS all over again
Telemetry without intelligence is worthless
Over-emphasis on malware and/or forgetting the rest of the kill chain
CAN YOU TRUST US TO REPLACE YOUR AV?
98.2% Malware Block Rate
100% Exploit Detection
0 False Positives
Vendor Member, Committed to Standards
Contribute Leadership
First Pure ML Engine, Open to Public Scrutiny
Contribute to Community
Also certified for PCI, HIPAA, NIST, FFIEC and more…
3 of the 10 largest global companies by revenue
2 of the 4 largest global banks by revenue
5 of the 10 top credit card payment processors
3 of the 10 top oil and gas companies
CrowdStrike Falcon Deployed in 170 Countries
BACKED BY ELITE INVESTORS:
START NOW
1.888.512.8906 (US)
+44(0)118.453.0400 (UK)
(+61) 1300.792.402 (Australia & New Zealand) / APAC