CrowdStrike Falcon Prevent FAQ Learn More About Next-Generation Endpoint Protection What is Falcon Prevent? As the name implies, Falcon Prevent™ is the prevention module of the Falcon endpoint protection platform. Falcon Prevent provides comprehensive and proven prevention against malware and malware-free attacks, whether endpoints are online or offline. Its extensive next-generation antivirus (NGAV) capabilities include the ability to identify known malware; machine learning for unknown malware; exploit blocking; and exclusive indicator of attack (IOA) behavioral techniques. Falcon Prevent allows organizations to confidently replace their existing legacy AV solution with a comprehensive solution that includes real-time visibility and provides the context for all threat activity. What is the difference between an IOC (Indicator of Compromise) and an IOA (Indicator of Attack)? An IOC is a piece of evidence or artifact left behind after something has happened. An IOA is a series of actions or behaviors that an adversary employs to achieve his goal. The use of IOCs has been the traditional focus of endpoint detection, but modern adversaries have adapted to more easily evade IOC sweeps. In a forensics investigation, IOCs are the evidence that proves a network’s security has been breached. Unfortunately, by the time the IOC is discovered, the network likely has been compromised. Conversely, IOAs reflect a series of actions the attacker must perform in order to be successful. They are a set of actions that are required for any tool or technique to accomplish common attacker behaviors like code execution, persistence, command and control (C&C), and lateral movement. An effective IOA approach not only collects and analyzes exactly what is happening on the organization’s systems and networks, it does so in real time, preventing the malicious activity from being successful. Can CrowdStrike Falcon protect endpoints if they are not connected to the cloud? Yes, the lightweight Falcon agent that runs on each endpoint includes all the prevention technologies required to protect the endpoint, whether it is online or offline. Those technologies include machine learning to protect against known and zero-day malware, exploit blocking, hash blocking and CrowdStrike’s behavioral artificial intelligence heuristic algorithms, known as Indicators of Attack (IOAs). Can I replace my current AV with Falcon Prevent? Absolutely, customers can and have replaced their AV with Falcon Prevent. CrowdStrike Falcon had been named a “visionary” in the 2017 Gartner’s Magic Quadrant for Endpoint Protection Platforms and was declared a “strong performer” in the 2016 Forrester Wave report for endpoint security suites. In addition, the Falcon platform meets the compliance standards of PCI DSS Requirement No. 5 (“Protect all systems against malware and regularly update antivirus software or programs”). It is also AV Comparatives approved, with a 99.2 percent malware block rate,100 percent exploit detection rate and zero false positives. What makes Falcon Prevent better than what I currently have? Falcon Prevent is better than legacy anti-malware products in three ways. First, it provides better protection against all threat vectors, not just malware — even when endpoints aren’t connected to the internet. Second, Falcon Prevent is fully operational in seconds, with no need for signatures, no fine-tuning, and no infrastructure costs. Falcon Prevent delivers immediate time-to-value and unmatched prevention from the get-go. And finally, Falcon Prevent offers improved performance with virtually zero impact on the endpoint — from initial installation through ongoing daily use. What prevention features does Falcon Prevent offer? Signature-less malware protection: Falcon Prevent does not rely on signatures. This frees security teams from having to deploy virus definition update files to all endpoints on a daily basis. Machine learning: Falcon Prevent leverages machine learning to identify and block malware. Machine learning is particularly effective at stopping new, polymorphic or obfuscated malware, which is often missed by legacy AV solutions. Indicators of Attack (IOAs): Falcon Prevent uses IOAs to identify threats based on behavior. Understanding the sequences of malicious behavior allows Falcon Prevent to stop attacks that go beyond malware. Examples include protection against lateral movement, webshell attacks and fileless ransomware variants. Exploit protection: Falcon Prevent includes exploitation protection to harden systems against attempts to exploit vulnerable applications (e.g. Adobe Flash, Java and Microsoft Silverlight). Threat intelligence integration: Events can be contextualized by integrated threat intelligence, providing details on the attributed adversary and any other information known about the attack. What is a fileless or malware-free attack? Malware-free attacks are attacks that evade detection by eliminating, or drastically limiting, storing binaries on disk. In the past, malware attacks typically involved use of malicious program files that can do harm when executed. As a result, security programs were built to scan files and detect if they were malware or not. But in order to evade such scans, adversaries created attack techniques that don’t use files on disk. They can, for example, hijack a perfectly non-malicious program and get it to send malicious commands directly into the memory of the system. These techniques evade legacy security solutions and any security products focused solely on detecting malware. How much can you prevent? What do you stop? Do you need to let something run before you can stop it? Falcon Prevent uses Machine Learning to immediately block both known and unknown malware. In addition, Falcon Prevent can stop other threats, such as malware-free attacks, or malicious activities that start further down the attack chain by using Indicators of Attacks (IOAs) and other techniques. For example, Falcon Prevent can see and stop attackers that use legitimate applications to perform malicious actions, which is a widespread attack technique. In such cases, there is no file execution to stop before the attack starts. Malware-focused solutions would miss that. That’s why attackers employ these techniques. The key is to stop the adversary before he achieves his objectives, such as stealing data or encrypting drives. Falcon works before the attack starts and on-the-fly in real time. Does Falcon Prevent protect against ransomware? Yes, Falcon Prevent uses an array of complementary prevention and detection methods to protect against ransomware, including the following: Blocking of known ransomware Exploit blocking to stop the execution and spread of ransomware via unpatched vulnerabilities Machine learning for detection of previously unknown zero-day ransomware Indicators of Attack (IOAs) to identify and block additional unknown ransomware, and also new categories of ransomware that don’t use files to encrypt victims’ data Can I run Falcon Prevent with my current AV simultaneously? Falcon Prevent provides great flexibility for such use cases. Falcon can run side-by-side with the customer’s current AV, as long as only one is chosen to handle malware blocking so they don’t compete for file access. Falcon Prevent makes it easy by allowing the customer to configure machine learning, CrowdStrike’s anti-malware technology, in detection mode only. One useful feature of Falcon in this scenario is that it will still show the malware it detects, and allow the user to see if another solution missed it. If the other solution includes a detection-only mode, the user can choose to put it in detection mode, while allowing Falcon to detect and prevent. What kind of infrastructure do I need to implement Falcon Prevent? Customers do not need to deploy any infrastructure for Falcon Prevent. Falcon Prevent uses the Falcon Platform, which is built on 100 percent cloud architecture. This allows customers to be protected faster and drives down total cost of ownership (TCO) by eliminating on-premises hardware acquisition, deployment and maintenance. Cloud-based security also makes it impossible for the attacker to acquire the CrowdStrike technology in an attempt to tamper with or discover bypasses for it. Any time the attacker tries to defeat Falcon Endpoint, those attempts are seen by CrowdStrike. This also allows CrowdStrike to see more of the threat landscape. This broader vision gives Falcon more data to analyze and this, in turn, improves CrowdStrike’s overall protection capabilities.