CrowdStrike’s Spring Release: The Core Four of Next-Generation Endpoint Security

Spring 2016 Release

When you’re the first company to deliver endpoint security from the cloud, you need to build the product on a platform that is truly cloud native. Four years back, CrowdStrike started on this cloud-delivered endpoint security mission, at a time when cloud was not mainstream in the endpoint security domain, and we pretty much wrote the book truly defining next-generation endpoint security.

Next-generation endpoint security has to be cloud native. You can’t have one without the other. Not when you look at today’s threat landscape, how quickly new threats appear and evolve, and how distributed the enterprise workforce is. The term “cloud native” means different things in different contexts. In the context of endpoint security, it means building a solution that can be deployed to hundreds of thousands of endpoints in a matter of hours. It means creating a lightweight sensor running in the kernel that can be updated from the cloud without requiring human intervention or reboots. It means a linearly scalable cloud platform that ingests more than 12B events/day and does not skip a beat when processing 500,000 events/second and over 15TB/day. It means receiving, analyzing, processing and connecting all events into a massively scalable Threat Graph™ that leverages the power of the crowd to prevent attacks and provide actionable alerts. It means building microservices in a true DevOps culture that enables rapid iteration and incremental feature delivery. It means doing all this in a cost-efficient manner so that the total cost of ownership is significantly lower for a next-gen endpoint security solution that truly works. And last but not least, it means a platform that is designed with an API-first strategy.

This is what CrowdStrike offers its customers, and with today’s announcement of our platform expansion along with new and updated solutions and services, we continue to set the bar for endpoint security.

The API-first strategy is deeply ingrained in every cloud service that we build at CrowdStrike. These APIs start as internal APIs, driving our UI and being dogfooded by our CrowdStrike Falcon OverWatch team and intelligence analysts. After some rapid internal iteration, we make them public. Today we announced five new and updated APIs as part of the CrowdStrike Falcon Platform:

    • CrowdStrike Threat Graph API (new)
    • CrowdStrike Falcon Respond API (new)
    • CrowdStrike Falcon Management API
    • CrowdStrike Falcon Streaming API
    • CrowdStrike Falcon Intel API

More information about each API can be found here, but specifically, I’d like to call out our Threat Graph API, which allows security professionals to query and traverse the contents of the CrowdStrike Threat Graph. The contents can also be visualized using Maltego and other security data visualization tools. The Threat Graph API enables unprecedented investigation, response and proactive hunting capabilities for partners and customers. Customers can access the wisdom of the CrowdStrike Cloud to stop an attack while it is happening, as opposed to only analyzing information afterwards during forensics.

These APIs form one of the three pillars of CrowdStrike’s Falcon Connect, which provides a rich set of resources to leverage the power of the CrowdStrike Falcon Platform. The second pillar is a set of powerful applications that integrate with the APIs. Today we are launching the first two applications in this suite.

While we collect and correlate data from all of our sensors in our cloud, there are many other data sources in a customer’s environment that provide additional context for correlation and for gaining valuable insights. CrowdStrike’s Falcon SIEM Connector enables this scenario by allowing customers to ingest insights from the Threat Graph, via the Falcon Streaming API, into their existing SIEM infrastructure such as HP ArcSight, IBM QRadar, Splunk and Intel Security SIEM.

The CrowdStrike Falcon Host UI provides rich insights with ease of access and usability for security professionals and IT professionals. But we never designed the UI to be the single pane of glass, for two reasons. First, a cloud-based portal is by design limited to accessing data and services that are part of the CrowdStrike platform, which means it cannot perform actions like disabling a compromised account in on-premises Active Directory. Second, a single, common design will never fully satisfy all scenarios and workflows for all customers. This second limitation also applies to any common on-premises tool. The CrowdStrike Falcon Orchestrator announced today is a step towards solving this problem. It is our first attempt at creating an extensible, open-source, on-premises tool. It enables customers to use and integrate our APIs along with extensible PowerShell scripts that interact with on-premises software and third-party services to build powerful workflow automation and case management features. At CrowdStrike, we are striving to build a bottom-up innovation culture where anyone can come up with an idea or a solution and see it shipped as a product or tool. Falcon Orchestrator, developed by one of our sales engineers, is an example of such bottom-up innovation. Falcon Orchestrator provides a wide range of features, from file retrieval to user containment, as well as extensive forensics collection capabilities that augment and optimize existing workflows with CrowdStrike Falcon Host data and intelligence. But most importantly, as an open-source tool, it allows customers to customize, adapt or reuse parts of the tool, either as-is or within their existing tools.

The true value of this platform is in the protection it provides. Indicators of attack (IOAs) and machine learning are essential elements of next-generation endpoint security. Using a signature-based, indicator-of-compromise (IOC) based approach to security is simply outdated and obsolete. No other cyber threat highlights this fact more than today’s ransomware attacks, which evolve literally on a daily basis. As a result, CrowdStrike announced today the combination of both features as part of the enhanced next-generation antivirus (AV) capabilities added to its CrowdStrike Falcon Platform™. With machine learning algorithms and IOAs, customers have the type of threat prevention that can identify and block not only previously unknown ransomware families, but also new and emerging script-based ransomware that does not use executable binaries to encrypt victims’ systems. Customers will now be able to identify and block popular ransomware families such as CryptoWall, Locky, and Teerac, among others.

An API-first, cloud native platform for delivering endpoint security, based on an indicators-of-attack approach and augmented with open-source tools: these form the true core elements of next-generation endpoint protection. Only CrowdStrike can deliver all of it, right now. I encourage you to set up a demo with our team and find out for yourself what “next generation” really is.

Amol Kulkarni

Amol Kulkarni is a seasoned engineering executive with extensive experience building large-scale big data enterprise cloud platforms, consumer cloud services and enterprise products while knitting together world-class, high-performing global engineering teams. Amol is currently the Vice President of Engineering for CrowdStrike, overseeing the company’s engineering organization and customer-facing technology infrastructure.
