
CROWDSTRIKE // WHITE PAPER

THE THREE ESSENTIAL ELEMENTS OF NEXT GENERATION ENDPOINT PROTECTION

WWW.CROWDSTRIKE.COM


NAVIGATING MARKET CONFUSION

Vendors old and new have laid claim to the next-generation moniker. The field has become crowded with dozens of endpoint security products marketed as game-changers. Some may include behavioral detection elements. Others might offer some degree of machine learning. Still others might claim to offer cloud-based protection.

But scratch below the surface of these new solutions and it becomes apparent that most are simply iterations on the old platforms that powered the first generation of endpoint protection. While they might rely on one or two new techniques, the majority still rely heavily on dated techniques such as signature-based threat detection and outdated architectures designed for on-premise delivery. As a result, even when they're sold as Cloud solutions, they're highly segmented and lack the scale and efficacy of purpose-built cloud solutions.

And most detrimentally, the majority of endpoint solutions are still fixated on stopping malicious executables rather than seeking out indicators of attack (IOA) that can point to breach activity even when malware is not present.

BUT WHAT DOES NEXT-GENERATION ENDPOINT PROTECTION REALLY LOOK LIKE?

CrowdStrike believes it takes more than a few new detection features to qualify as a next-generation endpoint security platform. True "next-gen" solutions should offer a complete package of more advanced technology and human-powered intelligence to meet sophisticated attacks head-on. For an endpoint security product to be taken seriously as a next-generation solution, it needs to deliver the kind of prevention, detection, visibility, and intelligence that can beat a determined attacker time and time again.

In order to find those capabilities, we believe decision-makers should look for three crucial elements in a next-generation endpoint security solution.

Element 1: NEXT-GENERATION ANTIVIRUS

Traditional antivirus has coasted a long way in the market by touting 97 to 99 percent effectiveness rates. But as most security professionals have learned the hard way, this seemingly small gap actually provides a huge window of opportunity for adversaries using either known or unknown malware. In addition, that dated AV approach does nothing to address increasingly sophisticated malware-free methods. In fact, according to some studies, 60 percent of today's breaches are not caused by malware at all, and are carried out through techniques such as social engineering or credential theft from other sources.

Despite the shortcomings of traditional AV, this does not make it a worthless tool. In the past, some analysts have posited that the death of AV was imminent, but the fact is that AV adds a tremendous amount of value in weeding out the obvious. However, it can't be the only answer to the endpoint security problem. It must be improved upon to provide an adequate level of protection.

Next-generation AV expands beyond simply identifying and addressing known malware, a focus that leaves vulnerability gaps commonly exploited by attackers. Hence, a true next-generation AV solution needs to block exploits that leverage vulnerabilities, providing an additional line of defense.

In addition, next-generation AV should be able to fully leverage behavioral analytics and machine learning to identify unknown malicious files, and step beyond the focus on malware to look for signs of attack as they are occurring, rather than after the fact. This approach entails seeking out Indicators of Attack (IOA) to identify active attacks, rather than solely relying on Indicators of Compromise (IOC), which are only present after an attack has taken place. To achieve this, the solution must gather enough endpoint activity data throughout the environment to contextualize each IOA with other pieces of information, in order to form the most complete picture of activity possible.

IOA: Indicator of Attack. IOC: Indicator of Compromise.

IT decision-makers evaluating so-called next-generation AV products also should look closely at those that claim to offer behavioral analytics or machine learning. The litmus test should be the quality and relevance of the data being analyzed. If the data is limited to a few seconds of execution or only looks at questionable files to extract information, there won't be enough context to determine if an activity in progress is malicious.

Next-generation AV solutions should be able to look across both legitimate activity and malicious activity, and make use of algorithms that do not overwhelm analysts with false positives, while at the same time detecting a chain of activities that indicate attacks. For example, the solution should look not only at the code being executed and at files to determine if they are malicious, but it should also look for behaviors that reveal IOAs such as:

• Whether the attacker is trying to hide themselves and their activities
• If credentials are being dumped from memory or disk
• If privileges are being escalated
• If lateral movement is taking place within the network

Individually, any one of these behaviors may not indicate a threat, but when they're examined in context of one another it becomes apparent an attack is in progress.

In order to collect this amount of data and analyze it swiftly and accurately, next-generation AV requires a level of computational power and scalability that cannot be accomplished using old-school on-premise architecture and conventional database methods. Such feats can only be achieved by means of a purpose-built Cloud platform capable of supporting cutting-edge database technology, such as a graph database. To that end, CrowdStrike created the cloud-based Falcon Host platform, which is capable of collecting and storing billions of discrete endpoint execution events, and examining them in real time using the CrowdStrike ThreatGraph™ data model. Built on a graph database, CrowdStrike ThreatGraph can analyze and correlate data collected from endpoint sensors located in over 170 countries in seconds, spotting patterns to determine if an attack is underway.

This architecture, where the heavy lifting is performed in the cloud, allows Falcon Host to provide endpoints maximum protection with negligible impact, keeping the endpoint safe and running at optimum performance. Only Falcon's next-generation AV capabilities can offer the visibility and the speed necessary to find and block unknown threats before they cause a breach.
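The "chain of activities" check behind the IOA list above, written out as an added example; this is illustrative code, not code from this paper or from CrowdStrike. It assumes that sensor events carry a host, user, pid, parent pid, image path, command line and (for remote tools) a target host, and the matching patterns it uses (hidden encoded PowerShell, log clearing with wevtutil, procdump against lsass, PsExec to another host, a SYSTEM process spawned by a user-owned parent) are hypothetical stand-ins for a real rule set. The sample telemetry is constructed. The point it demonstrates is the one the text makes: each behaviour on its own is ignored, and an alert is raised only when distinct behaviours chain together on one host within a time window.

```python
# Added example (not CrowdStrike code): correlating individual endpoint
# behaviours into an Indicator of Attack. Events, field names and the
# matching patterns below are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SYSTEM = "NT AUTHORITY\\SYSTEM"


@dataclass(frozen=True)
class Event:
    """One process-execution record as an endpoint sensor might report it."""
    ts: datetime
    host: str
    user: str
    pid: int
    ppid: int
    image: str
    cmdline: str
    target_host: str = ""   # remote host for tools that reach across the network


def tag_behaviours(events):
    """Label events that exhibit one of the behaviours the text lists.

    A parent lookup supplies the context for the privilege-escalation
    check: a SYSTEM process is only interesting when its parent was not.
    """
    by_pid = {(e.host, e.pid): e for e in events}
    tagged = []
    for e in events:
        cl = " %s " % e.cmdline.lower()
        img = e.image.lower().rsplit("\\", 1)[-1]
        parent = by_pid.get((e.host, e.ppid))
        if img == "powershell.exe" and "-windowstyle hidden" in cl and " -enc" in cl:
            behaviour = "defense_evasion"       # hiding the activity
        elif img == "wevtutil.exe" and " cl " in cl:
            behaviour = "defense_evasion"       # clearing event logs
        elif img == "procdump.exe" and "lsass" in cl:
            behaviour = "credential_access"     # dumping credentials from memory
        elif img == "psexec.exe" and e.target_host and e.target_host != e.host:
            behaviour = "lateral_movement"
        elif e.user == SYSTEM and parent is not None and parent.user != SYSTEM:
            behaviour = "privilege_escalation"  # heuristic: user process spawned SYSTEM
        else:
            continue
        tagged.append((e, behaviour))
    return tagged


def detect_ioa(events, window=timedelta(minutes=30), min_stages=2):
    """Raise an IOA only when distinct behaviours chain on one host.

    Tagged events on a host are clustered while consecutive ones fall within
    `window`; a cluster with fewer than `min_stages` distinct behaviours is
    discarded, so a lone log clearance or a lone SYSTEM child never alerts.
    """
    by_host = defaultdict(list)
    for e, b in tag_behaviours(events):
        by_host[e.host].append((e, b))
    alerts = []
    for host, tagged in sorted(by_host.items()):
        tagged.sort(key=lambda t: t[0].ts)
        cluster = [tagged[0]]
        for item in tagged[1:] + [None]:
            if item is not None and item[0].ts - cluster[-1][0].ts <= window:
                cluster.append(item)
                continue
            stages = {b for _, b in cluster}
            if len(stages) >= min_stages:
                alerts.append({
                    "host": host,
                    "stages": stages,
                    "chain": [(e.ts.strftime("%H:%M"), b, e.image.rsplit("\\", 1)[-1])
                              for e, b in cluster],
                })
            if item is not None:
                cluster = [item]
    return alerts


# Constructed telemetry: a macro-launched intrusion on WS01 and routine log
# maintenance on WS02 an hour later.
T0 = datetime(2016, 4, 21, 10, 0)


def _m(minutes):
    return T0 + timedelta(minutes=minutes)


SAMPLE_EVENTS = [
    Event(_m(0), "WS01", "CORP\\jdoe", 4100, 3900,
          r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE /n invoice.docm"),
    Event(_m(2), "WS01", "CORP\\jdoe", 4188, 4100,
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -WindowStyle Hidden -NoP -enc SQBFAFgAIAAoAE4..."),
    Event(_m(5), "WS01", "CORP\\jdoe", 4210, 4188,
          r"C:\Users\jdoe\AppData\Local\Temp\procdump.exe",
          "procdump.exe -accepteula -ma lsass.exe lsass.dmp"),
    Event(_m(7), "WS01", SYSTEM, 4302, 4188,
          r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    Event(_m(9), "WS01", "CORP\\jdoe", 4377, 4188,
          r"C:\Users\jdoe\AppData\Local\Temp\psexec.exe",
          "psexec.exe \\\\SRV02 -s cmd.exe", target_host="SRV02"),
    Event(_m(60), "WS02", "CORP\\admin", 5120, 5000,
          r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Application"),
]

if __name__ == "__main__":
    for alert in detect_ioa(SAMPLE_EVENTS):
        print(alert["host"], sorted(alert["stages"]))
        for step in alert["chain"]:
            print("   ", *step)
```

Running it reports one alert, for WS01, with the four-step chain; the log clearance on WS02 is tagged but never alerts because nothing else happened around it. Lowering `min_stages` to 1 turns the correlator back into the per-event alerting the text warns produces false positives.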
HOW IOAs WORK: A Real-World Analogy

By way of example, let's look at how a criminal would plan and carry out a bank robbery in the physical world. A smart thief would begin by "casing" the location, performing reconnaissance to identify and understand any potential vulnerabilities. Once he determines the best time and tactics for success, he proceeds to enter the bank. A stealthy robber would choose a time when he's unlikely to be observed, then break in, disable the security system, find the vault, and attempt to crack its combination. If he succeeds, he pinches the loot, makes an uneventful getaway and completes the mission.

In this example, IOAs represent the series of behaviors a bank robber must exhibit first, in order to succeed at achieving his objective. These behaviors might include driving around the bank (identifying the target), parking and entering the building, disabling the security system, and so on. Of course, any of these activities on their own would not necessarily indicate an attack is imminent. It is only when these events are observed occurring in specific combinations that a potential threat can be identified and eliminated.
Element 2: ENDPOINT DETECTION AND RESPONSE

Regardless of how advanced an organization's defenses are, there is always a chance that attacks will slip through, causing a silent failure. Silent failure happens when existing legacy technologies miss a threat without any alarms being raised, allowing attackers to dwell in an environment for days, weeks or months without detection. That is why a true next-generation endpoint solution needs more than just AV -- however sophisticated -- to prevent such failures.

A fully functioning Endpoint Detection and Response (EDR) system should record all activities of interest on an endpoint for deeper inspection both in real-time and after the fact. Such a solution can be compared to a surveillance camera that starts recording when it detects movement: the product should record all activities, starting when the system does anything that might indicate the beginning of an attack, such as:

• Running an application
• Connecting to a network
• Visiting a website
• Writing a file to disk

This gives the system the power to proactively hunt through large volumes of data to find malicious patterns of activity that may not have been detected otherwise.

More importantly, the EDR system needs to also offer an easy way to mitigate a breach that is uncovered. This could mean containment of exposed hosts to stop the breach in its tracks, allowing remediation to take place before damage occurs.

The solution can only collect and keep all the necessary data if it takes advantage of the scalability offered by the Cloud. Cloud deployment is also crucial for protecting remote systems that may be off the network or outside the VPN. In addition, Cloud capabilities make it possible to analyze this kind of behavior across numerous organizations, to take advantage of the collective knowledge of a crowdsourced community where threat intelligence is aggregated anonymously.
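The recording, after-the-fact hunting and containment described above, modelled as an added example; this is illustrative code, not code from this paper or from CrowdStrike, and it simulates the data store and the network policy in memory rather than driving a real sensor. The telemetry, host names, the domain and the `SENSOR_CLOUD` endpoint name are all constructed. The scenario is the silent-failure case the text describes: nothing alerted on the day of the intrusion, but because everything was recorded, the host can be found when intelligence later flags the domain it contacted, and contained while keeping its channel to the management cloud open.

```python
# Added example (not CrowdStrike code): an EDR-style flight recorder that
# keeps every event for a retention period, supports hunting back through
# it when new knowledge arrives, and models network containment of a host.
# Telemetry, host names, the domain and the sensor endpoint are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

SENSOR_CLOUD = "sensor.cloud.example"   # assumed management endpoint the sensor talks to


@dataclass(frozen=True, order=True)
class Telemetry:
    ts: datetime
    host: str
    kind: str     # "process" | "dns" | "network" | "file"
    detail: str   # image name, domain, remote address or file path


class Recorder:
    """Continuous recorder: everything is kept, not only what looked bad at the time."""

    def __init__(self, retention=timedelta(days=90)):
        self.retention = retention
        self.events = []        # sorted by timestamp; a real store lives off-host
        self.contained = set()

    def ingest(self, ev):
        self.events.append(ev)
        self.events.sort()
        cutoff = ev.ts - self.retention
        self.events = [e for e in self.events if e.ts >= cutoff]

    def hunt(self, predicate):
        """Search the whole retained history, not just live traffic."""
        return [e for e in self.events if predicate(e)]

    def timeline(self, host, around, before=timedelta(minutes=10),
                 after=timedelta(minutes=10)):
        """What the host did just before and after a trigger (the camera footage)."""
        return [e for e in self.events
                if e.host == host and around - before <= e.ts <= around + after]

    def contain(self, host):
        self.contained.add(host)

    def release(self, host):
        self.contained.discard(host)

    def egress_allowed(self, host, destination):
        """A contained host keeps only its channel to the sensor cloud, so
        telemetry and remediation commands still flow during containment."""
        return host not in self.contained or destination == SENSOR_CLOUD


def retro_hunt_domain(recorder, domain):
    """Hosts that resolved `domain` at any retained point in the past."""
    hits = recorder.hunt(lambda e: e.kind == "dns" and e.detail == domain)
    return sorted({e.host for e in hits})


T0 = datetime(2016, 1, 4, 9, 0)
TRIGGER_TS = T0 + timedelta(minutes=2)   # the DNS lookup later identified as C2


def build_sample_recorder():
    """Constructed telemetry: a document-borne intrusion on WS03, benign
    activity on WS04, and one event old enough to age out of retention."""
    rec = Recorder(retention=timedelta(days=90))
    sample = [
        Telemetry(T0 - timedelta(days=100), "WS03", "dns", "old.example"),
        Telemetry(T0, "WS03", "process", "outlook.exe"),
        Telemetry(T0 + timedelta(minutes=1), "WS03", "process", "winword.exe"),
        Telemetry(TRIGGER_TS, "WS03", "dns", "update-cdn.example"),
        Telemetry(TRIGGER_TS + timedelta(seconds=10), "WS03", "network", "203.0.113.5:443"),
        Telemetry(T0 + timedelta(minutes=3), "WS03", "file",
                  r"C:\Users\jdoe\AppData\Roaming\svchost.exe"),
        Telemetry(T0 + timedelta(minutes=5), "WS04", "dns", "intranet.corp.example"),
        Telemetry(T0 + timedelta(days=30), "WS04", "process", "chrome.exe"),
    ]
    for ev in sample:
        rec.ingest(ev)
    return rec


if __name__ == "__main__":
    rec = build_sample_recorder()
    # Weeks later, intelligence marks update-cdn.example as command and control.
    # Nothing alerted on day 0, but the recording shows who talked to it.
    for host in retro_hunt_domain(rec, "update-cdn.example"):
        for e in rec.timeline(host, TRIGGER_TS):
            print(e.ts.time(), e.host, e.kind, e.detail)
        rec.contain(host)
        print(host, "egress to 203.0.113.5:", rec.egress_allowed(host, "203.0.113.5"))
        print(host, "egress to sensor cloud:", rec.egress_allowed(host, SENSOR_CLOUD))
```

The retention cutoff is the practical limit of "after the fact": the lookup of `old.example` is no longer there to be found, which is why the evaluation criteria later in this paper ask about long-term data retention. Containment here is deliberately an allow-list of one destination rather than a full disconnect, so the host stays reachable for remediation.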
Element 3: MANAGED HUNTING

At the end of the day, attackers are people, and people are adaptive and creative. Defenders are at a major disadvantage if they rely on technology alone to counter every attack.

An effective next-generation endpoint solution must be bolstered by a team of security experts hunting through the available data and proactively looking for threats. An elite hunting team can find things that may have been missed by automated response systems, learning from incidents that have taken place, leveraging the aggregated data, analyzing it thoroughly and providing customers with response guidelines when malicious activity is discovered.

This kind of managed hunting is at the heart of next-generation endpoint security. Without that, customers have no one but themselves to watch 24/7 for adversary activity, and no guidance on how to respond to extremely sophisticated attacks. Managed hunting pits the brainpower of expert human defense teams against the ingenuity of determined adversaries.

The CrowdStrike Falcon platform provides an unparalleled team of dedicated threat hunters who, when paired with the robustness of the data collected by Falcon Host, are able to thwart attacks that would never be detected by any other system or technology.
Enabling the Essential Elements: THE POWER OF THE CLOUD

The only way to effectively deliver the three essential elements that constitute next-generation endpoint protection is via a purpose-built Cloud architecture. The on-premise model is not suited to extremely arduous tasks such as collecting a rich data set in real time, storing it for long periods, and thoroughly analyzing this volume of data in a timely manner to prevent breaches. With the cloud, it is possible to store petabytes of data for months on end, to gain historical context on any activity running on any managed system. With the CrowdStrike ThreatGraph™, these massive data stores can be analyzed in seconds to allow immediate blocking of an attack in progress as IOAs are observed, and to go back and see whether these activities took place in an organization's environment at any previous point in time. The Cloud also enables aggregation of data across environments to fully leverage the knowledge and intelligence of the crowd.

At present, many endpoint security products claim to be Cloud-delivered, but are actually based on architectures developed primarily for on-premise systems. This "bolt-on" Cloud model can never match the performance of a purpose-built cloud system. Even when connected via the Cloud, an isolated appliance placed in a vendor data center cannot take advantage of the fundamental benefits of crowdsourcing. This ability to leverage the "power of the crowd" requires a true Cloud model capable of correlating data streams across numerous customers.

NEXT GENERATION ENDPOINT SECURITY FROM DAY ONE

Each of these three elemental components of next-generation endpoint security is being tested and rolled out in a piecemeal fashion by numerous vendors across the industry. Some companies focus solely on prevention, while others may home in on machine learning. Many fixate on one or two very specific detection techniques. But none can offer all of the elements that next-generation endpoint security requires in a single solution. None except CrowdStrike.

CrowdStrike's holistic design philosophy demonstrates that the efficacy of next-generation endpoint security can only be achieved when each of these elements is present. Without all of them working together in concert, a system can hardly be placed in the class of next-generation endpoint protection.

Unlike the piecemeal, bolt-on approach seen among other security vendors, only CrowdStrike's purpose-built cloud architecture can deliver this powerful combination of next-generation AV, endpoint detection and response, and 24/7 managed hunting services to proactively search for hidden attacks.

In addition to offering the greatest capacity for blocking and detecting attacks and uncovering previously undiscovered threats, the Cloud-based Falcon platform enables lightweight and lightning-fast deployment. Without hardware and additional software to procure, deploy, manage and update, rolling out endpoint security becomes quick and simple. While on-premise systems can take up to a year to fully roll out, CrowdStrike has been successfully deployed in environments with tens of thousands of hosts in a matter of hours. The nature of our cloud architecture allows it to be easily deployed side-by-side with existing protections and offers a smooth transition.

CrowdStrike's ultimate goal is to help its customers stop breaches immediately, with minimal time, effort and impact on their business. Ultimately, that is the definition of next-generation endpoint protection.
NEXT GENERATION ENDPOINT EVALUATION CRITERIA

To help you measure and compare different solutions, we have gathered a set of criteria that we consider critical to the success of an effective next generation endpoint protection solution.

Evaluation Criteria for Next-Gen Endpoint Protection (score each criterion for Solution 1, Solution 2 and Solution 3)

PROTECTION and PREVENTION
• Protects against both known and zero-day malware
• Protects against ransomware
• Protects beyond malware:
  • Protects against malware-less attacks (attacks that do not use PE (portable executable) files and/or files at all)
  • Protects against known and unknown exploits
• Dynamically stops attacks in progress (stops attacker activity such as privilege escalation, lateral movement and credential theft if the attacker succeeds in earlier steps of the Attack Chain)
• Protects on line, off line, on premise and off premise

DETECTION and RESPONSE
• Operates in Kernel mode for complete visibility
• Network containment of compromised systems
• Provides 24/7 monitoring and proactive hunting
• Provides instant search capabilities (query results in 5 seconds or less)

FORENSICS
• Captures the data necessary to conduct efficient and fast forensic activities
• Can tell what data was exfiltrated
• Offers long term data retention
• Provides attacker attribution
• Forensics data still available if the compromised system is inaccessible

PRODUCT COMPLETENESS
• Provides abilities to handle protection before, during and after attacks
• Provides 24/7 managed hunting and actionable alerting by security experts
• Is self sufficient (does not require additional products, agents or modules to offer full next-gen capabilities)
• Supports Windows, Mac and Linux

DEPLOYMENT, MANAGEABILITY and USABILITY
• Supports at least Windows, Mac and Linux
• Offers a fully cloud based (management and deployment) option
• Installation and updates do not require reboots
• Fully deployed and operational in days vs. weeks or months
• No tuning or expert level configuration required
• Imperceptible footprint on endpoint (less than 1% CPU usage at all times, even when queries are performed)

INTELLIGENCE and INTEGRATION
• Automatic IOC ingestion from third parties
• SIEM integration
• Vendor supplies its own intelligence (does not depend on others for intelligence)
• Offers APIs for integration and expansion
QUESTIONS TO ASK To Gain More Insight

We have compiled a list of questions to ask to gain more insight on how the next generation endpoint protection solution works, and to assess the type of experience you can expect from it.

1. Can the product help me before, during and after attacks?
2. What can the product do if we are already breached and it is deployed after the breach?
3. Can the product tell me how attackers are accessing my environment? How?
4. Can the product tell me who is attacking me? How?
5. How does the product help me protect against, detect and manage future breaches?
6. How long does it take for the product to be fully operational?
7. Will I be alerted and will I get your help if my team misses something important?
8. Can the product tell me what files have been exfiltrated?
9. For attacks that do not leverage malware, how do you detect the attack?
10. How many technologies do you use to detect malware?
11. Can the product detect if someone is using stolen credentials, or abusing privileges?
12. How many distinct products/modules/agents/appliances do I need to cover all prevention, detection and response needs?
13. What additional hardware and software (servers, appliances, database licenses, components on the endpoints) are required to implement the product? Are they provided as part of the next generation endpoint protection solution, or is there an additional cost?
14. What is the impact of the solution on the endpoints? Footprint on disk, memory, CPU?
15. What security controls does the solution use to protect itself?
16. Does the solution integrate with other security and enterprise tools?
PROTECTING AGAINST BREACHES IS AN ONGOING BATTLE.
To be truly effective, a next-generation endpoint protection solution must provide
continuous breach protection. This means providing constant prevention, detection,
visibility and intelligence, so you can be protected before, during and even after a breach.
CrowdStrike Next Generation Endpoint Protection integrates all those elements in a
tiny sensor, supported by the Cloud, that can be deployed in hours with no impact on
your endpoints and their users. Its ability to continuously stop breaches makes it
the true and proven next-generation endpoint protection solution.
ABOUT CROWDSTRIKE

CrowdStrike™ is a leading provider of next-generation endpoint protection, threat intelligence, and pre- and post-incident response services. CrowdStrike Falcon is the first true Software as a Service (SaaS) based platform for next-generation endpoint protection that detects, prevents, and responds to attacks, at any stage - even malware-free intrusions. Falcon's patented lightweight endpoint sensor can be deployed to over 100,000 endpoints in hours providing visibility into billions of events in real-time. CrowdStrike operates on a highly scalable subscription-based business model that allows customers the flexibility to use Falcon Overwatch to multiply their security team's effectiveness and expertise with 24/7 endpoint visibility, monitoring, and response.

REQUEST A DEMO OF CROWDSTRIKE FALCON


Learn how to detect, prevent, and respond to attacks at
any stage - even malware-free intrusions.
www.crowdstrike.com/request-a-demo
www.crowdstrike.com
15440 Laguna Canyon Road, Suite 250, Irvine, CA 92618

VER. 04.21.16