CrowdStrike Winter Release: What the !@#$ is next-generation?

What Is Next-generation

I’d love to tell you about all the cool stuff in our Falcon platform winter release. It represents a huge step forward for us across nearly every aspect of our platform: Detection, visibility, prevention, remediation and more APIs than you can shake a SIEM at.

But I can’t.

Well, I can’t start explaining the release without first addressing the confusion that is the next-generation endpoint market. By explaining what we call next-gen endpoint here at CrowdStrike, I hope I can make things clearer and build some context for what we’re releasing this week.

Let me begin by stating what next-gen endpoint isn’t. It isn’t just about signatureless defenses: behavioral antivirus and static-analysis heuristics for unknown malware have been available in antivirus products going back well into the last decade. And it isn’t solely about data-science (machine-learning) driven protection. Machine learning-based defenses are important, but they are only a single piece of an effective protection strategy. All of these are easy answers, but like most things, the truth is more complicated.

We believe next-generation endpoint has three primary components. It starts with rethinking antivirus as a cloud-driven service rather than a cloud-supported application. In an effort to keep things simple, we’re calling this next-gen AV. Given the number of malware-free intrusions (estimated by a variety of sources as the cause of more than half of all breaches), the second pillar of next-gen endpoint is EDR: endpoint detection and response capabilities. EDR solves the silent-failure problem, where an attacker slips past defenses and proceeds undetected for days, weeks or even months. Lastly, we believe that if you’re trying to stop people (rather than conventional malware), you need people as part of your frontline defenses. We call this managed hunting. While our technology doesn’t require someone at the steering wheel, our 24×7 team that hunts for signs of attackers in our customers’ environments is indispensable to discovering novel attacks, answering the “why” behind unusual activity, and generally picking up where the tech leaves off.

With that out of the way, let’s talk about next-gen AV. I owe you an explanation of what I meant by cloud-supported application (“classic”) versus cloud-driven service (“next gen”). Let’s take the scenario of a common attack using a dropper Trojan to illustrate the difference. Classic AV may catch 99 different versions of the Trojan but will eventually miss one: no one is perfect, especially when the attacker can test against your AV product and release the threat only once they know you will miss it. So classic AV missed the dropper and the callback, allowing the attacker to enter the environment, delete the original malware and come back as often as they like using a conventional remote admin tool. They look like an administrator at this point, and no additional malware is used, so there’s nothing for classic AV to catch. Next step: a phone call from a three-letter agency 87 days later.

Now it’s next-gen AV’s turn. Next-gen AV is not foolproof either, though it’s harder to evade since the bulk of the detection logic lives in the cloud and cannot be as easily scrutinized by the attacker beforehand. Let’s say that next-gen AV misses the dropper Trojan too. One of the key differences here is that the process execution is recorded to the cloud, so even when the malware is missed, the record of it happening isn’t; you just have to detect it later. The means of doing this is called a retrospective detection: we scour our Threat Graph continuously to detect known and unknown threats whether they hit minutes, hours or days ago. (The record has to exist to be matched, so this covers activity that happened while the sensor was installed and recording.) So instead of a phone call from law enforcement, you receive a retrospective detection and a full record of what happened so you can stop the breach in progress.

Retrospective detections can happen any time a new IOC is discovered by us or by a customer, and they do not require us to touch a single device. No scans. No updates. Nada. It’s all in the cloud: lightning quick and light as a feather. It still works even if the infected device has already been re-imaged, because the record lives in the cloud rather than on the disk. As part of our winter release, we’re announcing our new retrospective detection capability, which will be available for customer-supplied IOCs immediately and from other sources later this spring.
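To make the mechanism concrete, here is an added example (written for this page, not CrowdStrike code) of retrospective matching: execution telemetry is recorded once, centrally, at the time each process runs; a hash or domain IOC that arrives weeks later, including one supplied by the customer, is looked up against that history with no scan or update on the endpoint, and the hit is still produced for a host that has since been re-imaged. The field names, the IOC format, the host names and every telemetry record below are constructed for the example.

```python
"""Retrospective IOC matching over recorded execution telemetry.

Added example, not CrowdStrike code. It models the mechanism described above:
each process execution is recorded once, centrally, at the time it happens; an
IOC that arrives later (from the vendor or supplied by the customer) is matched
against that history without any scan or update on the endpoint, and the match
survives even if the host has since been re-imaged. Field names, the IOC format
and all telemetry below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed telemetry, as a sensor would have streamed it when each process
# ran. Each record carries the observables a later IOC might match on.
TELEMETRY = [
    {"host": "wks-0412", "ts": "2016-01-04T09:12:31", "parent": "outlook.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\invoice_4411.exe",
     "sha256": "2b7e151628aed2a6abf7158809cf4f3c" * 2,
     "dst_domains": ["update-check.example-cdn.net"], "dst_ips": ["198.51.100.23"]},
    {"host": "wks-0412", "ts": "2016-01-04T09:12:40", "parent": "invoice_4411.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "sha256": "d41d8cd98f00b204e9800998ecf8427e" * 2,
     "dst_domains": [], "dst_ips": []},
    {"host": "srv-db-03", "ts": "2016-01-05T22:03:09", "parent": "services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "sha256": "0123456789abcdef" * 4,
     "dst_domains": ["wpad.corp.example"], "dst_ips": ["10.10.4.2"]},
    {"host": "wks-0077", "ts": "2016-01-11T14:44:02", "parent": "explorer.exe",
     "image": r"C:\Users\mk\Downloads\setup.exe",
     "sha256": "2b7e151628aed2a6abf7158809cf4f3c" * 2,
     "dst_domains": [], "dst_ips": ["198.51.100.23"]},
]

# Constructed: hosts re-imaged after the fact. The telemetry store does not
# depend on the host still existing, so matches are still produced; the flag
# only tells the analyst that disk evidence on the host itself is gone.
REIMAGED_AT = {"wks-0412": "2016-01-09T18:00:00"}


def build_index(telemetry):
    """Index every observable once, so a newly arrived IOC is a dictionary
    lookup rather than a rescan of all recorded history."""
    index = defaultdict(list)
    for ev in telemetry:
        index[("sha256", ev["sha256"].lower())].append(ev)
        for d in ev["dst_domains"]:
            index[("domain", d.lower())].append(ev)
        for ip in ev["dst_ips"]:
            index[("ip", ip)].append(ev)
    return index


def retro_match(index, iocs, now_iso):
    """Match IOCs discovered later against the recorded past.

    iocs: list of {"type": "sha256"|"domain"|"ip", "value": str, "source": str}
    now_iso: time of the lookup, ISO 8601, used only to compute dwell time.
    Returns one hit per (event, IOC), oldest first. Timestamps are compared as
    ISO strings, which is safe because every record uses the same format.
    """
    now = datetime.fromisoformat(now_iso)
    hits = []
    for ioc in iocs:
        for ev in index.get((ioc["type"], ioc["value"].lower()), []):
            reimaged = REIMAGED_AT.get(ev["host"])
            hits.append({
                "host": ev["host"],
                "event_ts": ev["ts"],
                "image": ev["image"],
                "parent": ev["parent"],
                "ioc_type": ioc["type"],
                "ioc": ioc["value"].lower(),
                "source": ioc["source"],
                "dwell_days": (now - datetime.fromisoformat(ev["ts"])).days,
                "host_reimaged_since": bool(reimaged and reimaged > ev["ts"]),
            })
    hits.sort(key=lambda h: h["event_ts"])
    return hits


if __name__ == "__main__":
    # Constructed: a customer-supplied hash and domain that arrive four weeks
    # after the dropper ran. Nothing is pushed to any endpoint to answer this.
    new_iocs = [
        {"type": "sha256", "value": "2B7E151628AED2A6ABF7158809CF4F3C" * 2, "source": "customer"},
        {"type": "domain", "value": "update-check.example-cdn.net", "source": "customer"},
    ]
    for hit in retro_match(build_index(TELEMETRY), new_iocs, "2016-02-01T00:00:00"):
        print(hit)
```

Running it reports the dropper on wks-0412 (flagged as re-imaged since, with 27 days of dwell) and a second host, wks-0077, that ran the same binary a week later and would otherwise have gone unnoticed; the index is built from history already in the store, so answering a new IOC never requires contacting a sensor.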

While we’ve worked hard to deliver retrospective detections, next-gen AV is about more than any single protection method. We’re also announcing a new indicator of attack for blocking ransomware that has proven very effective and resistant to the rapid changes we see in CryptoWall. Accuracy has been superb thus far with beta customers and we’re excited to get this new behavior-based blocking capability into our customers’ hands for preventing the ceaseless waves of ransomware attacks, starting with CryptoWall.

Next-gen is also about more than a single OS. While non-Windows operating systems have been an afterthought for traditional endpoint security, anyone whose defense strategy ignores Linux does so at their peril. As part of our winter release, we’ve greatly expanded our Linux protection capabilities with 3 new techniques:

  1. Cloud antivirus for detecting and blocking Linux malware
  2. Linux-specific indicators of attack for behavioral detection of malicious activity such as webshells, system reconnaissance and threats such as the Jynx2 rootkit
  3. Custom detections from Falcon Overwatch, our hunting team
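The post says the ransomware IOA and the new Linux IOAs are behavior-based but does not describe how they work. As an added example (written for this page, not CrowdStrike code), here are two generic behavior rules in that style that replay a constructed event stream: one keys on what encryption does to files (many rewrites with a new extension, across several directories, in a short window) rather than on the binary’s hash, which is why it survives new CryptoWall builds; the other keys on a Linux web-server worker spawning a shell, which is what a webshell looks like at process level. Thresholds, the process-name lists, the event shape and all sample events are assumptions made for the example.

```python
"""Two behaviour-based indicators of attack (IOAs) over an endpoint event stream.

Added example, not CrowdStrike code. The rules are generic illustrations of
behaviour-based detection written for this page; thresholds, process lists,
the event shape and the sample stream are all constructed.
"""
from collections import defaultdict, deque


def _norm(path):
    return path.replace("\\", "/")       # treat Windows and POSIX paths alike

def basename(path):
    return _norm(path).rsplit("/", 1)[-1]

def dirname(path):
    return _norm(path).rsplit("/", 1)[0]

def ext(path):
    name = basename(path)
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


class RansomwareBurstIOA:
    """Flag a process that rewrites many files with a new extension, across
    several directories, inside a short sliding window. A compiler renaming
    .o to .obj in one directory stays under the directory threshold; slow,
    throttled encryption below the rate threshold is a known gap of this rule."""

    def __init__(self, window_s=10.0, min_files=20, min_dirs=3):
        self.window_s, self.min_files, self.min_dirs = window_s, min_files, min_dirs
        self.recent = defaultdict(deque)   # (host, pid) -> deque of (ts, src path)
        self.alerted = set()

    def feed(self, ev):
        if ev["type"] != "file_rename" or ext(ev["src"]) == ext(ev["dst"]):
            return None
        key = (ev["host"], ev["pid"])
        q = self.recent[key]
        q.append((ev["ts"], ev["src"]))
        while ev["ts"] - q[0][0] > self.window_s:   # drop renames outside the window
            q.popleft()
        files = {p for _, p in q}
        dirs = {dirname(p) for p in files}
        if len(files) >= self.min_files and len(dirs) >= self.min_dirs and key not in self.alerted:
            self.alerted.add(key)               # one alert per process per burst
            return {"ioa": "ransomware_rewrite_burst", "host": ev["host"], "pid": ev["pid"],
                    "image": ev["image"], "files": len(files), "dirs": len(dirs),
                    "action": "block_process"}
        return None


WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}                 # assumed list
SHELL_OR_RECON = {"sh", "bash", "dash", "id", "whoami", "uname", "hostname",
                  "netstat", "ss", "nc", "ncat"}                         # assumed list


class WebshellSpawnIOA:
    """Flag a web-server worker starting a shell or a reconnaissance binary:
    a request handler has no business running `sh -c id`. Legitimate children
    such as a PHP/CGI interpreter are not in the list, so they do not fire."""

    def __init__(self, servers=WEB_SERVERS, suspicious=SHELL_OR_RECON):
        self.servers, self.suspicious = servers, suspicious

    def feed(self, ev):
        if ev["type"] != "process_start":
            return None
        parent, child = basename(ev["parent_image"]), basename(ev["image"])
        if parent in self.servers and child in self.suspicious:
            return {"ioa": "webshell_spawn", "host": ev["host"], "pid": ev["pid"],
                    "parent": parent, "image": ev["image"], "cmdline": ev["cmdline"],
                    "action": "alert"}
        return None


def run_ioas(events, ioas):
    """Replay events in time order through every rule; return the alerts."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for ioa in ioas:
            alert = ioa.feed(ev)
            if alert:
                alerts.append(alert)
    return alerts


def sample_events():
    """Constructed stream: a CryptoWall-style burst on a workstation, a build
    job that also changes extensions (benign), and three process starts on a
    Linux web server, one of them a webshell."""
    events = []
    dirs = ["C:/Users/jdoe/Documents", "C:/Users/jdoe/Pictures",
            "//fs01/finance/q4", r"C:\Users\jdoe\Desktop"]
    for i in range(24):
        d = dirs[i % len(dirs)]
        events.append({"type": "file_rename", "ts": 100.0 + 0.2 * i, "host": "wks-0412",
                       "pid": 4242, "image": r"C:\Users\jdoe\AppData\Local\Temp\invoice_4411.exe",
                       "src": f"{d}/file{i}.docx", "dst": f"{d}/file{i}.docx.crypt"})
    for i in range(40):
        events.append({"type": "file_rename", "ts": 100.0 + 0.05 * i, "host": "build-07",
                       "pid": 777, "image": "C:/Program Files/LLVM/bin/lld.exe",
                       "src": f"C:/src/proj/obj/unit{i}.o", "dst": f"C:/src/proj/obj/unit{i}.obj"})
    base = {"type": "process_start", "host": "web-01", "ppid": 1300}
    events += [
        dict(base, ts=200.0, pid=5101, parent_image="/usr/sbin/apache2",
             image="/usr/bin/php-cgi", cmdline="php-cgi"),
        dict(base, ts=201.0, pid=5102, parent_image="/usr/sbin/apache2",
             image="/bin/sh", cmdline="sh -c id"),
        dict(base, ts=202.0, pid=5103, ppid=900, parent_image="/usr/sbin/sshd",
             image="/bin/bash", cmdline="-bash"),
    ]
    return events


if __name__ == "__main__":
    for a in run_ioas(sample_events(), [RansomwareBurstIOA(), WebshellSpawnIOA()]):
        print(a)
```

The replay produces exactly two alerts: the encryptor is blocked on its twentieth rewrite (four directories hit within four seconds), while the linker that renames forty files in one directory never crosses the directory threshold; on the web host only the `apache2 -> sh -c id` start fires, not the CGI interpreter or the SSH login shell. The point of both rules is that nothing in them depends on a hash, so a repacked sample behaves identically.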

In addition to ransomware blocking, our winter release further expands our ability to block both known and unknown exploits, a core feature we introduced back in Autumn ’14. The additional prevention techniques range from heap-spray mitigation and forced Data Execution Prevention (DEP) to an option to block all detected adware, all of which can be enabled together or individually based on customer preferences.

We’re also announcing our first remediation feature: network containment. This new response option allows customers to quickly remove an endpoint from the network so that it can communicate only with Falcon in the event of an attack. Given the large number of employees working remotely from home, Starbucks or otherwise off the cozy confines of corpnet, being able to hit the proverbial “big red button” in Falcon Host and take a device off the network for investigation and cleanup, no matter where it might be, is critical. This feature starts as a beta while we work on adding a few more key capabilities to it, such as the ability to whitelist IP addresses to assist with remediation.

Falcon Host is exceptional at endpoint visibility, and our winter release builds on this strength with a series of new visualization tools focused on network activity. Imagine being able to visualize all important RDP traffic in your network and pivot down into the accounts of interest. How about seeing all network connections and detections by country on an interactive map? In addition to the new visualization features, we’ve improved our hunting capabilities with new bulk search options (e.g., for hashes and domains) and a slick new one-click PowerShell hunting screen modeled after our own experts’ queries.

Finally, we think next-generation means giving customers direct control over their endpoint protection, from what we detect to how and where data is used. Our new third-party IOC API gives customers the power to harness other intelligence sources inside Falcon Host for detecting and blocking attacks. We know we’re not your only source of security intelligence, and we also know we’re not your “single pane of glass” into your complex environment. In recognition of this, we’ve delivered Falcon Connector to allow customers to more easily leverage the longstanding Falcon Firehose API with their Security Information and Event Management (SIEM) or related systems.

After many years of incremental changes on top of classic AV, the endpoint security market is finally in the midst of a much-needed makeover that is often as confusing as it is exciting. Our take is straightforward: reimagine AV as a modern cloud-driven service, equip customers to handle non-malware intrusions, and complement technology with genuine human expertise to counter sophisticated, people-driven attacks (managed hunting). Our winter release highlights the full breadth of what we consider next-gen, from retrospective detections and multiple new prevention techniques to visualization and remediation, with the flexibility to use Falcon Host alongside your existing security infrastructure.

