Benjamin Franklin wisely stated that, “An ounce of prevention is worth a pound of cure.” In keeping with this timeless principle, one can’t help wondering what is required to provide appropriate prevention against today’s highly sophisticated and ever-evolving attacks.
The first and most obvious area of prevention centers around malware. A variety of techniques can be used for malware prevention, such as traditional signature-based detection, sandboxing and more recently Machine Learning (ML). ML is one of the techniques used by CrowdStrike and others to provide pre-execution protection against malware. In the case of CrowdStrike Falcon Host, ML allows us to effectively determine the presence of malicious code without solely relying on signatures. This helps with the detection of both known and unknown, or zero-day malware. This also removes the need for frequent and resource-intensive virus signature updates. CrowdStrike ML technology has been independently tested and was selected by VirusTotal to benefit the entire security community. For more information about CrowdStrike ML, read the blog, “CrowdStrike Machine Learning and VirusTotal.”
While safeguarding against malware is an important aspect of prevention, that alone is not enough to keep organizations safe. That’s because malware is present in fewer than half of the attacks adversaries use to compromise their victims. For this reason, effective prevention must also include solid defenses against malware-free attacks.
One of the best-known malware-free techniques is vulnerability exploitation. To be protected against exploits, customers should ensure that their systems are appropriately patched and protected by an endpoint solution that includes thorough exploit mitigation capabilities. Falcon Host, for instance, includes broad capabilities in pre-execution exploit mitigation techniques, to stop vulnerability exploit attempts before hosts are compromised. Falcon Host also includes heap spray mitigation techniques, and forced data execution prevention. These features enable Falcon Host to look at the exploitation of vulnerabilities, rather than just the use of specific exploits, to protect against both known and zero-day attacks.
But exploits are not the only techniques adversaries use. The newest malware-free tricks used by attackers include what we call “living off the land.” That consists of using legitimate tools, such as administration tools available in the operating systems, to perform malicious actions. That allows adversaries to bypass traditional security controls and move beyond malware to compromise organizations. The utilization of valid applications makes this type of attack extremely difficult to detect, and preventing them is beyond the capabilities of many — if not most — endpoint protection solutions. In the case of Falcon Host, however, Indicators of Attack (IOAs) are built to identify the intent of actions based on multiple elements, such as behavior, context, relationships and events history. To accomplish that task, IOAs take advantage of the position of Falcon Host at the kernel level. This provides the unique visibility required to see events as they transpire and gain the context necessary to accurately detect attacks. IOAs, combined with Falcon Host’s exceptional visibility, allow us to detect attacks regardless of the tools used by the attacker. But the beauty of IOA methodology does not stop there. IOAs can also be used to complement ML and provide additional protection against malware — and even ransomware — variants that do not use files to compromise or encrypt users’ systems.
When it comes to cybersecurity, what an ounce of prevention really entails is multiple complementary functions to address the complexity of the attacks that we are facing today. To address these imperatives, CrowdStrike Falcon Host focuses on more than just one or two aspects of prevention by covering the gamut of prevention capabilities, offering prevention against malware as well as advanced targeted attacks – and even against attacks that do not use malware – filling the gap left by solutions that primarily focus on malware. In summary, Falcon Host is designed to stop not just malware, but to stop breaches.
To learn more about the important role of prevention in endpoint protection, check out the recent Crowdcast, “You Can’t Stop the Breach Without Prevention and Detection.” At this event, CrowdStrike VP, Product Management Rod Murchison and guest speaker Forrester Research Analyst Chris Sherman discussed how modern approaches must balance prevention with detection capabilities in the context of an overall security strategy.