Endpoint Detection and Response, or EDR, has become an essential part of any endpoint security platform. While traditional antivirus products are often able to block and quarantine malware, effective security also requires context, historical visibility and response capabilities. In this demo and article, we will look at each component of EDR and how CrowdStrike’s solution delivers value at every turn.
Endpoint visibility is a critical component of an EDR solution. While blocking malicious files is important, relying on antivirus alone can mask larger issues and allow certain types of attacks to go undetected. Falcon Insight monitors endpoint activity and captures real-time event data across all managed devices. As a cloud-delivered solution, CrowdStrike collects detailed endpoint event data regardless of physical location. With support for Windows, Mac and Linux, CrowdStrike provides unparalleled EDR visibility for hosts that are on or off the corporate network, across home offices, datacenters and public clouds. This ensures complete visibility and leaves attackers with no place to hide.
This cloud-based architecture also allows customers to get their answers in seconds without putting any stress on their endpoints. CrowdStrike provides real-time and historical visibility into those endpoint activities through a single, easy-to-use cloud interface. This enables security teams to perform proactive threat hunting, investigation and incident response tasks to stop potential breaches before the organization is compromised.
With this level of visibility, Falcon Insight eliminates silent failure by providing the highest level of real-time monitoring capabilities that span across detection, response, and forensics.
High Fidelity Event Data
The raw endpoint event data collected by CrowdStrike describes the processes and activities that have happened on an endpoint in great detail. This heightened level of visibility fills in the gaps left by legacy security vendors and allows security teams to perform proactive threat hunting. Falcon Insight includes an Investigate feature that provides Splunk-like search capability to quickly and efficiently hunt through your event data.
As an example, the query below searches for usage of common reconnaissance commands in our environment. In the resulting table we can see the full context of how each recon command was used and who ran it.
event_simpleName=ProcessRollup2 (FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe OR FileName=quser.exe OR FileName=ping.exe OR FileName=netstat.exe OR FileName=tasklist.exe OR FileName=Hostname.exe OR FileName=at.exe) | table ComputerName UserName FileName CommandLine
For more example queries refer to the Hunting and Investigation Support guide.
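To show what the hunt above actually does to the event stream, here is an added example (not CrowdStrike's code, and not real Falcon telemetry) that applies the same filter and table projection to a handful of constructed JSON-lines process events. The field names mirror the query (event_simpleName, ComputerName, UserName, FileName, CommandLine); the event records and host names are made up. It goes one step beyond the query with a small triage helper that counts distinct recon binaries per host and user, since a single ping is routine while whoami, net and ipconfig in one session is worth a look.

```python
"""Added example: run the article's recon-command hunt offline over
constructed sample events. Field names follow the query in the article;
the events themselves are invented for this demonstration."""
import json

# Same executable list as the hunt query in the article (lower-cased for
# case-insensitive matching, since Windows file names are not case-sensitive).
RECON_BINARIES = {"net.exe", "ipconfig.exe", "whoami.exe", "quser.exe", "ping.exe",
                  "netstat.exe", "tasklist.exe", "hostname.exe", "at.exe"}

# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_EVENTS = """\
{"event_simpleName": "ProcessRollup2", "ComputerName": "WS-01", "UserName": "alice", "FileName": "whoami.exe", "CommandLine": "whoami /all"}
{"event_simpleName": "ProcessRollup2", "ComputerName": "WS-01", "UserName": "alice", "FileName": "net.exe", "CommandLine": "net group \\"Domain Admins\\" /domain"}
{"event_simpleName": "ProcessRollup2", "ComputerName": "WS-02", "UserName": "bob", "FileName": "notepad.exe", "CommandLine": "notepad.exe notes.txt"}
{"event_simpleName": "DnsRequest", "ComputerName": "WS-01", "UserName": "alice", "FileName": "whoami.exe", "CommandLine": "whoami"}
{"event_simpleName": "ProcessRollup2", "ComputerName": "SRV-01", "UserName": "svc_backup", "FileName": "Tasklist.exe", "CommandLine": "tasklist /v"}
{"event_simpleName": "ProcessRollup2", "ComputerName": "WS-01", "UserName": "alice", "FileName": "ipconfig.exe", "CommandLine": "ipconfig /all"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_recon(events):
    """Equivalent of:
    event_simpleName=ProcessRollup2 (FileName=net.exe OR ...)
      | table ComputerName UserName FileName CommandLine
    Returns one (host, user, file, command line) tuple per matching event."""
    rows = []
    for ev in events:
        if ev.get("event_simpleName") != "ProcessRollup2":
            continue
        if ev.get("FileName", "").lower() not in RECON_BINARIES:
            continue
        rows.append(tuple(ev.get(k, "") for k in
                          ("ComputerName", "UserName", "FileName", "CommandLine")))
    return rows


def recon_burst(rows, threshold=3):
    """Triage helper: number of distinct recon binaries per (host, user),
    keeping only pairs at or above the threshold."""
    per_pair = {}
    for host, user, fname, _ in rows:
        per_pair.setdefault((host, user), set()).add(fname.lower())
    return {k: len(v) for k, v in per_pair.items() if len(v) >= threshold}


if __name__ == "__main__":
    table = find_recon(parse_events(SAMPLE_EVENTS))
    for row in table:
        print("\t".join(row))
    print(recon_burst(table))
```

The DnsRequest record is dropped because the hunt is scoped to ProcessRollup2, and notepad.exe is dropped because it is not in the binary list; the mixed-case Tasklist.exe still matches because the comparison is case-insensitive.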
Detections and Indicators of Attack
Pairing full endpoint visibility with indicators of attack (IOAs), CrowdStrike’s threat graph analyzes events in real time using behavioral analytics to automatically detect traces of suspicious behavior. Falcon Insight displays attacks in an easy-to-read process tree. This provides full attack details and puts them in context for faster and easier investigations. In cases where lateral movement is detected, CrowdStrike also provides a visual presentation of the original incident as well as the path to other impacted hosts.
The example below includes an interactive process tree with full context of the events that occurred. For each execution, there are associated details including the severity and description as well as the MITRE tactic and technique.
This image focuses on the suspicious, encoded PowerShell execution in the same detection. Directly in the user interface, there is an option to view the complete, decoded PowerShell command.
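The decode shown in the interface is a plain transformation an analyst can reproduce during triage: the value after -EncodedCommand (or any of its accepted abbreviations) is base64 over the UTF-16LE script text. The following is an added example, not Falcon's own decoder; the command lines it works on are constructed in the block itself, and the indicator list is a small, illustrative set of strings that commonly justify a closer look in a decoded command (nested base64 decoding and Invoke-Expression).

```python
"""Added example: decode a PowerShell -EncodedCommand payload the way an
analyst does during triage, then scan the cleartext for a few well-known
indicators. Sample command lines are constructed here; this is not
CrowdStrike's decoder."""
import base64
import binascii
import re

# PowerShell accepts any unique prefix of -EncodedCommand (-e, -en, ...) plus -ec.
_ENC_FLAGS = {"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}

# Illustrative cleartext patterns worth a second look in a decoded command.
_INDICATORS = ["Invoke-Expression", "IEX", "FromBase64String", "DownloadString"]


def build_encoded_command_line(script: str) -> str:
    """Constructed helper: produce what an encoded invocation looks like for a
    given script (UTF-16LE, then base64) so the decoder can be exercised offline."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoProfile -WindowStyle Hidden -enc {b64}"


def decode_encoded_command(command_line: str):
    """Return the decoded script, or None when there is no encoded-command flag
    or the payload is not valid base64 / UTF-16LE (e.g. an odd byte count)."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):          # flag must have a following value
        if tok[:1] in ("-", "/") and tok[1:].lower() in _ENC_FLAGS:
            payload = tokens[i + 1].strip('"\'')
            try:
                raw = base64.b64decode(payload, validate=True)
                return raw.decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def indicators_in(decoded: str):
    """List indicator strings present in the decoded script (case-insensitive,
    whole-token match so 'IEX' does not fire inside unrelated identifiers)."""
    found = []
    for ind in _INDICATORS:
        pattern = r"(?<![\w-])" + re.escape(ind) + r"(?![\w-])"
        if re.search(pattern, decoded, re.IGNORECASE):
            found.append(ind)
    return found


if __name__ == "__main__":
    # Constructed benign script, encoded and decoded round-trip.
    benign = "Get-Process | Select-Object -First 3"
    line = build_encoded_command_line(benign)
    print(line)
    print(decode_encoded_command(line))
    # Constructed nested-encoding pattern: the decoded text itself decodes
    # more base64 and hands it to Invoke-Expression.
    nested = ("$s = [Text.Encoding]::Unicode.GetString("
              "[Convert]::FromBase64String($x)); Invoke-Expression $s")
    print(indicators_in(decode_encoded_command(build_encoded_command_line(nested))))
```

Two caveats the code handles: the flag is matched case-insensitively against every accepted abbreviation, because -e, -enc and -EncodedCommand are all valid, and a payload that is not valid base64 or decodes to an odd number of bytes returns None rather than raising, so a malformed command line does not abort a batch of decodes.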
Being able to take action and respond to an event is another critical component of EDR. With CrowdStrike, there are two primary tools for managing and remediating hosts.
- Network Containment – Provides the ability to limit connectivity of a host to avoid lateral movement or Internet communications. It is an important tool that allows investigations to continue while minimizing exposure.
- Real Time Response – Allows access to run commands, executables and scripts on remote hosts. Leveraging the detailed event data available in Falcon Insight, Real Time Response gives the responder the flexibility to completely remediate systems. In addition, it can be used for a number of other use cases including registry edits, software deployments and memory dump retrievals.
Endpoint visibility, detection and response are all key aspects of EDR. CrowdStrike delivers on all of those capabilities while also correlating that information to help organizations see the big picture. Falcon Insight customers also benefit from CrowdScore – a simple metric that provides a real-time assessment of the organizational threat level. Using the metric and monitoring trends can help engage responders and drive strategic decisions on resource engagement as needed.
Falcon Insight provides a level of visibility that reduces dwell time by eliminating silent failures and automatically detecting attackers, which in turn accelerates time to remediation. Since the Falcon Insight event data is streamed to the cloud, complexity and management overhead are eliminated, allowing security teams to perform more thorough investigations.