Welcome to CrowdStrike Falcon! In 2011 we set out to fix a fundamental problem. The security industry was broken and a brand new approach was needed to keep bad guys out of the networks of companies and government agencies worldwide. In this article you will get some insight into how CrowdStrike is changing security, an introduction to the Falcon Platform and an overview of the other products and services available from CrowdStrike.
CrowdStrike understands that the cornerstone of any great security product is threat intelligence. Without the ability to identify the adversary and know their tools, tactics and procedures, it is not possible to deliver a security solution that can detect and stop the adversary. With this understanding, CrowdStrike has built a world-class Intelligence organization that feeds information into the product. Today, Falcon Intelligence is used by some of the most security-conscious organizations on the planet, who rely on the latest intelligence to help them fortify their organizations against everything from the simplest malware attacks to sophisticated, nation-state sponsored, targeted attacks.
The solution to creating more functionality while also reducing the impact on the endpoint is cloud delivery. Today this seems obvious, but in 2011 this thought was revolutionary. CrowdStrike has been committed to being a cloud security company from the very beginning, and the benefits of that decision are now evident.
Over the last couple of years CrowdStrike has added more functionality and capabilities than any other security company in the industry without dramatic changes to the sensor or noticeable impact on the user.
Many people became familiar with CrowdStrike in 2016 as an emerging leader in EDR and Intelligence products. Since that time CrowdStrike has added next-generation antivirus, device control, IT Hygiene, vulnerability management, integrated intelligence, sandboxing, and malware research capabilities. Despite all these additional capabilities, the Falcon Sensor is still only approximately 30 Mb in size and uses less than 1% of CPU. CrowdStrike customers appreciate that the cloud platform gives them the ability to add functionality and keep up with the rapidly changing needs of cybersecurity.
Services and Overwatch
CrowdStrike services will help you improve your incident response operations by standardizing and streamlining your processes. Our experts analyze your current plans and capabilities, then work with your team to develop standard operating procedure “playbooks” to guide your activities during incident response. Our services can also fortify your organization with tabletop and red teaming exercises that simulate your organization’s response capabilities during different attack scenarios.
OverWatch is a service unlike any other in the industry. While some companies might have a threat hunting organization, those services often have to come in, deploy additional sensors, and sift through the data collected to search for suspicious or anomalous behavior. OverWatch is an always-watching, always-on service that doesn’t require more tools to be deployed or on-site access. OverWatch constantly sifts through the mountain of events, alerting our customers to suspicious events as they happen. Last year alone, OverWatch alerted our customers to more than 20,000 events!
When CrowdStrike began in 2011 it started with a simple goal: To stop breaches. Since then we’ve completely changed the industry, creating services and products that fundamentally make security better and easier so at the end of the day we stop your organization from being breached.
- CrowdStrike 15-Day Free Trial
- CrowdStrike Tech Center
- Sign up for a weekly Falcon demo
- Request a 1:1 Demo
- Guide to AV Replacement
- CrowdStrike Products
- White Paper on Falcon OverWatch
How to Contain an Infected System
Hi there. My name’s Peter Ingebrigtsen. And today, we’ve logged into falcon.crowdstrike.com, or the Falcon User Interface.
And what we’re going to do is take a look at some of our systems and recognize that some of them are either currently under attack or recently been under attack, and may have been compromised. And we’d like to contain that system until we can further get to it, get our hands on it, and get a little bit more information out of it, or just prevent it from doing any more damage than it’s already done.
In order to do that, you need to be on your Detections app. You can do that by going to the radar here on the left-hand side. If you’re not already, or if your user interface doesn’t open that when you first log in, head there. And then just select the Recent Detections.
When that opens, you’ll notice that you can filter by any number of criteria, but we’re looking at some of the more recent events or situations that are going on. And you’ll notice that the same single machine has noticed a lot of different scenarios with privilege escalation or web exploits. And these severities are high to critical.
And we’d like to log in there, maybe do a little something, take a little closer look, and see if there’s something we should do. Obviously, we should do something. And as we start to dig through here, we see that there’s a lot of detection patterns, whether that be known malware, credential theft, or web exploits. We can see in the process tree a lot of different commands that were issued that look at that privilege escalation that we noticed earlier– or start to set that up.
So, we know that there’s something bad going on, and we’d like to take action right away. So, what we want to do is network contain this machine. But what I want to show you, as well, is that as we do this– I’m going to go to the machine itself. And I’d like to start a continuous ping so that you can watch the behavior and how long it takes to respond to this network containment.
Now, while we contain this– or take this machine off the network– we don’t kill the connection to the CrowdStrike Cloud. So, that as we get our hands on it– we clean it up, we feel comfortable putting it back on to the network– we can still operate or control that machine through the user interface that we have here.
The other thing I’d like to do is start a large download, so that we initiate with a single TCP connection– and there happens to be one in process– as opposed to the ping, where there may be multiple TCP resets or individual TCP threads going every time. So that you can see that as we contain this machine, it literally just knocks it off the network.
Forgive my screen, but I’ve changed the resolution for YouTube and for appearance purposes.
But as I come in here– and this will be right at the middle of the screen– this actually says Device Actions. And I’d like to contain it.
Now, as we do that, we have some options to make some notes. Contained by Peter. Multiple threats observed. Whatever notes you’d like to make– and then select Contain.
Now, the second we do this, on the left-hand side, you’ll see how quickly it takes for that to respond. So, immediately, almost in real time, you see a network failure on the download, and the ping test– or the continuous ping– fails. So, we can close that.
Now, let’s say we’re a couple days later, this machine’s cleaned up, ready to go, and be put back in the network. You can go ahead and lift the network containment, again, from the user interface. We still have that connection to the machine, even though all the other network connections have been terminated.
So, as we do that, all good. Uncontain. And you’ll notice that almost immediately that ping starts to fire right back up again.
So, network containment is a powerful tool that we can use if we see something immediately taking action or if we see something recently in the past, and we’d like to get that machine off the network– almost quarantine it– so that it can’t do any more damage.
So, this has been network containment of network devices in the Falcon Sensor User Interface platform. Thanks again for watching.
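The walkthrough above verifies containment by hand: a continuous ping and a large download are left running, and the responder watches them fail the moment Contain is clicked, then resume after Uncontain. The following script is an added example (my own code, not CrowdStrike's and not part of the video) that does the same check from a responder's workstation in a repeatable way: it polls a TCP connection to the host, records how many seconds after the containment action the host dropped off the network, and can be reused to confirm that connectivity returns once containment is lifted. The host name and port are placeholders you would replace with the contained system and a service it normally exposes; the clock and sleep functions are injectable only so the logic can be tested without a network.

```python
"""Responder-side check that a Falcon network containment action took effect.

Added example; not CrowdStrike code. It automates the manual ping/download
observation from the containment walkthrough: poll ordinary connectivity to
the host and timestamp the transition (reachable -> unreachable on Contain,
unreachable -> reachable on Uncontain).
"""
import socket
import time
from typing import Callable, Optional

# A probe returns True when the host answered, False when it did not.
Probe = Callable[[], bool]


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> Probe:
    """Build a probe that attempts a TCP connection to host:port.

    A refused or timed-out connection counts as 'unreachable', which is what
    network containment produces for everything except the sensor's own
    channel to the CrowdStrike cloud.
    """
    def probe() -> bool:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            return False
    return probe


def watch_transition(probe: Probe, expect_ok: bool, timeout: float,
                     interval: float = 0.5,
                     clock: Callable[[], float] = time.monotonic,
                     sleep: Callable[[float], None] = time.sleep) -> Optional[float]:
    """Poll until the probe reports `expect_ok`.

    Returns the number of seconds that elapsed before the expected state was
    observed, or None if it was not reached within `timeout`. `clock` and
    `sleep` are parameters only so the polling logic can be exercised with a
    fake clock in tests.
    """
    start = clock()
    while clock() - start < timeout:
        if probe() == expect_ok:
            return clock() - start
        sleep(interval)
    return None


def time_to_contain(probe: Probe, timeout: float = 60.0, **kw) -> Optional[float]:
    """Seconds until the host stops answering after Contain is issued."""
    return watch_transition(probe, expect_ok=False, timeout=timeout, **kw)


def time_to_uncontain(probe: Probe, timeout: float = 60.0, **kw) -> Optional[float]:
    """Seconds until the host answers again after Uncontain is issued."""
    return watch_transition(probe, expect_ok=True, timeout=timeout, **kw)


if __name__ == "__main__":
    # Placeholder target: the contained host and a port it normally serves.
    target = tcp_probe("contained-host.example.internal", 445)
    input("Click Contain in the Falcon UI, then press Enter to start watching...")
    gone = time_to_contain(target)
    print("host unreachable after %s s" % gone if gone is not None
          else "host still reachable: containment not observed")
    input("Click Uncontain, then press Enter to watch for recovery...")
    back = time_to_uncontain(target)
    print("host reachable again after %s s" % back if back is not None
          else "host did not come back within the timeout")
```

Run it from a machine that is not the contained host, since the contained host loses every connection except the sensor's channel to the cloud. A probe that never flips to unreachable within the timeout is worth investigating: it usually means the action was applied to a different host ID than intended, or the sensor on that host is offline and has not yet received the containment instruction.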