Introducing CrowdStrike Falcon Spotlight: Vulnerability Management Comes of Age
Prior to co-founding CrowdStrike®, I was probably best known in the business world as one of the founders and CEO of Foundstone, a company that pioneered the vulnerability management space. In fact, I think we even invented the term, as it was formerly known as “vulnerability assessment.” Earlier in my career, I was leading a team at Ernst & Young and was frustrated with the state of the vulnerability assessment market. Using what I would term a “desktop scanner” to scan massive enterprises was extremely frustrating. The technology was woefully inadequate and devoid of any workflow. The big name at the time was Internet Security Systems, which I had used extensively since their inception. After many years of use and many engagements later, I thought there was a better way forward.
At that time many otherwise successful companies were having very little success protecting themselves from known vulnerabilities. Forget about zero days and unknown attacks, for which there really was no effective prevention in those days. Companies were spending millions on security and still getting taken to the cleaners. Vulnerabilities were unidentified due to long scan times, thus remaining unpatched for extended periods of time. Foundstone was started circa 1999, yet in 2017, unidentified and unpatched vulnerabilities are still the bane of many organizations’ existences. One would think the industry could have solved this problem by now. It hasn’t. But CrowdStrike has.
It is with great pride that we announce the availability of CrowdStrike Falcon® Spotlight, the latest addition to the CrowdStrike Falcon platform. The Spotlight module represents a major evolution in the field of vulnerability management (VM), which has long been near and dear to my heart. The capabilities we created as part of CrowdStrike Falcon — based on the power of the cloud and the crowd, and bolstered by advances our teams have made in the areas of artificial intelligence (AI), machine learning, behavioral analysis, integrated threat intelligence and more — have allowed us to take VM to the next level.
Let me start by explaining why existing vulnerability management solutions have failed to fix the problem. Some of these solutions have literally been around for almost two decades, and a few have gotten pretty good at discovering vulnerabilities — at least the obvious ones — but discovery is only part of the solution. Providing fast and efficient ways to mitigate those vulnerabilities is often the missing piece.
In addition, the challenge with existing vulnerability management solutions is compounded by several factors:
- Legacy VM products were not designed with protection in mind. Fundamentally, they were built to “assess” or “manage” vulnerabilities and they do not even attempt to protect you from the exploits that inevitably follow vulnerabilities.
- Vulnerability scans take too long. Scans can take days or weeks before returning results, which might be obsolete the second the results come in. We see many organizations schedule scans on a monthly basis because scan times are so slow! Does anyone think the adversary is on a 30-day schedule? Thirty days is a massive amount of time to wait before finding new vulnerabilities in your environment.
- The “failed patch” problem leaves major holes in an organization’s defenses because many legacy vulnerability management tools will mark a system as patched when it really isn’t. Since most tools only report patch information collected from checking the registry for listings of installed patches, any failures in the installation process, such as delayed reboots, may cause the scan to report incorrect patch status.
- Too many vulnerabilities are simply unmanageable. It’s not uncommon for vulnerability assessment reports to come back with thousands of vulnerabilities to fix. That huge number makes it nearly impossible to quickly patch all identified vulnerabilities. This, in turn, opens a window of opportunity for potential attackers while defenders are busy prioritizing patches.
- Compliance reporting is often inaccurate. Compliance is critical, but the bad data in most vulnerability management solutions leaves organizations with little confidence in the output of the reports or the actual state of compliance in their environments.
- Network-based vulnerability scanners have blind spots. Corporate assets are becoming increasingly fluid. Remote workers, virtualization and the cloud mean that assets are not always connected to the corporate network. As a result, assessments based on network scans miss assets that are not on the corporate network when the scan is conducted. What did you do when WannaCry came out? Scramble to figure out if you were vulnerable? What about your remote workers and cloud workloads not on your network?
- Existing endpoint vulnerability products were not natively built to handle massive amounts of data. They were afterthoughts and “bolt-on” solutions, designed to compensate for their failed model of network-based authenticated scans. They require yet another agent to install and manage on already-bloated endpoints. The performance hits affect end users directly while placing greater burdens on the security and IT teams that must manage the added infrastructure and credentials — which can be a security risk in and of themselves.
We are finally able to solve these issues, thanks to the unprecedented power of the CrowdStrike Falcon platform. Falcon Spotlight expands the platform’s comprehensive range of endpoint protection capabilities by adding vulnerability management to Falcon’s existing prevention, EDR, managed hunting, IT hygiene and threat intelligence modules. With Falcon Spotlight, we bring the following benefits to our customers:
- Prevent while you patch — With the CrowdStrike Falcon platform, we step beyond the capabilities of existing vulnerability management offerings by not just showing you where vulnerabilities exist, then leaving you to your own devices. We also provide immediate protection against those vulnerabilities, buying you precious time to patch your systems against future attacks.
- Better accuracy, faster results for compliance — CrowdStrike Falcon Spotlight delivers real-time, accurate and precise data, helping you with your compliance efforts.
- Easy deployment — As part of the Falcon Platform, Falcon Spotlight does not require the installation of additional agents or management consoles.
- Elimination of vulnerability scanning — Falcon Spotlight is an endpoint security solution that continuously monitors the system and streams data to the cloud in real time, eliminating the need for scheduled scans while still providing complete visibility into vulnerabilities. At the push of a button, you can have a “real-time” and always-updated view of your vulnerabilities across your environment.
- Seamless, cloud-based protection — Leveraging CrowdStrike’s cloud-based architecture, Falcon Spotlight gives security teams the power to protect systems on-premises and across all cloud environments.
- Accurate reporting — Vulnerability data is displayed in real time, and is more accurate than legacy solutions because Falcon Spotlight can tell if a patch has merely been deployed or if it has been fully installed and is currently running on the system.
- Prioritized remediation — Falcon Spotlight pinpoints vulnerable systems where exploitation attempts have occurred, enabling security teams to prioritize these systems for remediation and further optimize their response efforts.
- Enhancing existing vulnerability management solutions — Falcon Spotlight adds deeper visibility and provides threat context, enabling security teams to see both the presence of a vulnerability and evidence of exploitation attempts via an API or reporting.
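The "failed patch" problem described above (a scanner reads the registry's list of installed updates and reports a system as patched even though the update has not taken effect) and the distinction between a patch being deployed and being fully installed and running can be checked directly on a Windows host. The following PowerShell is an added illustration, not CrowdStrike or Falcon Spotlight code: it contrasts the registry/QFE view of a hotfix with the pending-reboot markers Windows leaves behind, and optionally confirms the on-disk version of a binary the update is expected to replace. The KB identifier, binary path and minimum version are placeholders the caller supplies; none of them come from the original post.

```powershell
# Added example (not CrowdStrike code): report whether a patch is merely
# listed as installed or is actually effective on this host.

function Get-PatchEffectivenessReport {
    param(
        # Placeholder KB ids; replace with the updates you track.
        [string[]]$KbIds = @('KB0000000'),
        # Optional: a binary the update replaces and the version it should reach.
        [string]$BinaryPath,
        [version]$MinVersion
    )

    # 1. The registry/QFE view that a legacy scanner typically relies on.
    $listed = Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID }

    # 2. Pending-reboot markers: the update is staged but not yet live.
    $cbsPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wuPending  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfro = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    $rebootPending = $cbsPending -or $wuPending -or ($null -ne $pfro)

    # 3. Optional on-disk check: does the replaced binary carry the expected version?
    $binaryOk = $null
    if ($BinaryPath -and $MinVersion -and (Test-Path $BinaryPath)) {
        $vi = (Get-Item $BinaryPath).VersionInfo
        $actual = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                 $vi.FileBuildPart, $vi.FilePrivatePart)
        $binaryOk = $actual -ge $MinVersion
    }

    foreach ($kb in $KbIds) {
        $isListed = [bool]($listed | Where-Object HotFixID -eq $kb)
        [pscustomobject]@{
            HotFixID      = $kb
            ListedInQFE   = $isListed            # what a registry-based scan reports
            RebootPending = $rebootPending       # staged but not running yet
            BinaryAtLevel = $binaryOk            # $null when no binary check requested
            # "Listed" alone is not "patched": require no pending reboot and,
            # when a binary check was requested, the expected file version.
            Effective     = $isListed -and -not $rebootPending -and ($binaryOk -ne $false)
        }
    }
}

# Usage (placeholder values; run in an elevated PowerShell session):
Get-PatchEffectivenessReport -KbIds 'KB0000000' `
    -BinaryPath "$env:SystemRoot\System32\ntdll.dll" -MinVersion '10.0.0.0' |
    Format-Table -AutoSize
```

The useful signal is the gap between `ListedInQFE` and `Effective`: a host where the first is true and the second is false is exactly the case the post describes, one that a registry-only report would count as patched. The three pending-reboot locations are the standard ones Windows Update and component servicing use, so the check works without any vendor agent; what it cannot do is watch the host continuously, which is the gap a streaming endpoint sensor is meant to close.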
It’s been a long road to get here, and folks who know my background in — and longtime commitment to — vulnerability management will understand why I find today’s announcement so gratifying. But there’s another reason. Falcon Spotlight is not only a critical new feature for protecting CrowdStrike customers, it’s another important demonstration of the power and extensibility of the CrowdStrike Falcon platform. It’s what we call “the power of one” — one agent, one console, one powerful solution.
With this new vulnerability management module, one of the many such modules we will be releasing in the weeks, months and years ahead, we are adding more proof points that we have created a strong and enduring foundation, a foundation that is revolutionizing the delivery of data security, stopping breaches, and ultimately allowing organizations and individuals to reach their full potential.
If you are an existing CrowdStrike Falcon customer, please contact your CrowdStrike account manager to arrange a demo of the Falcon Spotlight module. If you are not yet a customer, read more information on Falcon Spotlight. If you are interested in talking to a CrowdStrike representative to learn why so many large and small organizations have standardized on CrowdStrike Falcon, please contact CrowdStrike Sales.