CrowdStrike was among the first vendors to choose the path of integrating prevention (EPP) and investigation (EDR) on the hosts of the infrastructure, workstations and servers: the famous endpoints. It is a trend that more and more players are now joining, especially from the EPP world.
Met at the Assises de la Sécurité, held last week in Monaco, Jackie Castelli, CrowdStrike senior product marketing manager, explains the vendor's choice: “Both are necessary. Prevention works very well, at 99.995%. But beyond that, if something slips through the cracks, you need to have visibility to know what happened. Without EDR, attackers can infiltrate and stay hidden for months in the environment without anyone realizing it.”
The CrowdStrike Falcon solution is therefore based on an agent, deployed on the hosts of the information system, which performs the dual function of prevention and collection of so-called telemetry data, capable of showing what is happening on those hosts.
The prevention component comes in several layers, because “settling for one or two technologies is not enough”. The Falcon agent relies first on models built by machine learning, “a bit like what a Cylance can do, for example.” But it also monitors the behavior of whatever is about to run. There, behavioral models are built from knowledge of attacker techniques as well as from the work of CrowdStrike analysts.
Jackie Castelli explains that Falcon was able to block NotPetya and WannaCry before they executed their malicious payloads, thanks to its machine-learning models but also to its behavioral models.
For the visibility component, the agent sends 5 to 10 MB of telemetry data per day on average to the CrowdStrike cloud, and above all in streaming, except for offline machines, which transmit their telemetry at the next reconnection. This data goes beyond detections and other security events: it must allow analysts to know what happened before and after such occurrences.
The CrowdStrike administration console is there to let analysts investigate detected incidents. There, the MITRE ATT&CK framework is used to help analysts put what they observe into perspective with attackers' tactics and techniques: “It helps to understand better and faster what is happening and where the attack stands. In addition, this database makes it possible to establish a common language between teams, beyond security.”
From there, the analyst can pivot in multiple ways to identify the other affected hosts, whether they are at the same phase of the attack or not, targeted with the same motivations, or by the same presumed group: “it requires research work, but the information is there.”
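As an added illustration of the pivots described above (example code written for this page, not CrowdStrike's own code and not the Falcon API): a handful of constructed detection records tagged with MITRE ATT&CK tactic and technique identifiers, and the pivots an analyst would run over them, by shared technique, by presumed group, and by how far along the attack each host is. The record layout, the host names and the GROUP-A/GROUP-B labels are assumptions made for the example.

```python
"""Pivoting across ATT&CK-tagged detections.

Added example for this page, not CrowdStrike code. The detection records are
constructed sample data; the field names and group labels are assumptions.
Tactic short names and technique IDs follow MITRE ATT&CK (Enterprise).
"""
from collections import defaultdict

# ATT&CK Enterprise tactics in kill-chain order; used to rank "attack phase".
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]

# Constructed sample detections (assumed layout): host, tactic, technique, presumed actor.
# T1059.001 = PowerShell, T1003 = OS Credential Dumping, T1021.002 = SMB/Admin Shares.
DETECTIONS = [
    {"host": "ws-0012",   "tactic": "execution",         "technique": "T1059.001", "actor": "GROUP-A"},
    {"host": "ws-0012",   "tactic": "credential-access", "technique": "T1003",     "actor": "GROUP-A"},
    {"host": "ws-0047",   "tactic": "execution",         "technique": "T1059.001", "actor": "GROUP-A"},
    {"host": "srv-db-03", "tactic": "lateral-movement",  "technique": "T1021.002", "actor": "GROUP-A"},
    {"host": "ws-0101",   "tactic": "execution",         "technique": "T1059.001", "actor": "GROUP-B"},
]


def hosts_by_technique(detections, technique):
    """Pivot 1: every host on which the same ATT&CK technique was observed,
    regardless of which group is presumed behind it."""
    return sorted({d["host"] for d in detections if d["technique"] == technique})


def hosts_by_actor(detections, actor):
    """Pivot 2: hosts tied to the same presumed group, grouped by tactic,
    i.e. by the phase of the attack each host has reached."""
    phases = defaultdict(set)
    for d in detections:
        if d["actor"] == actor:
            phases[d["tactic"]].add(d["host"])
    return {tactic: sorted(hosts) for tactic, hosts in phases.items()}


def furthest_phase(detections, actor):
    """For one presumed group, the latest kill-chain phase seen and the hosts
    at that phase: the hosts to contain first. Returns None if nothing matches."""
    phases = hosts_by_actor(detections, actor)
    if not phases:
        return None
    latest = max(phases, key=TACTIC_ORDER.index)
    return latest, phases[latest]


if __name__ == "__main__":
    print("PowerShell seen on:", hosts_by_technique(DETECTIONS, "T1059.001"))
    print("GROUP-A by phase:", hosts_by_actor(DETECTIONS, "GROUP-A"))
    print("GROUP-A furthest:", furthest_phase(DETECTIONS, "GROUP-A"))
```

The same technique on a host attributed to a different group (ws-0101 here) shows up in the technique pivot but not in the actor pivot, which is the distinction the article draws between hosts "targeted with the same motivations" and hosts hit "by the same presumed group".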
The console also lets analysts instruct the local agent to quarantine a host, for example, copy the contents of its memory, retrieve scripts, or submit an executable to a sandbox for analysis. That is where the technology of Payload Security, acquired in November 2017, comes into play. It is also available free of charge through the well-known Hybrid Analysis service.
Beyond that, CrowdStrike has equipped its platform with extensive APIs for multiple integrations, including with Vectra for combined visibility across hosts and the network: “the more visibility you have, the better.”
CrowdStrike is not the only one to see value in this integrated approach. Sophos and Palo Alto Networks do too. But compared with the latter, or with others whose functional perimeter is even broader, Jackie Castelli is not gentle: “it's a bit as if you were going to get a glass of milk. We are selling you a glass of milk. They sell you a farm.”