The Crowdstrike rationale
With the cyber security industry currently focused on detecting and stopping malware, where does that leave attacks that rely on social engineering, stolen credentials and a myriad of other weak links in the defense chain?
According to CrowdStrike's Vice President of Technology Strategy, Michael Sentonas, “We are the first in the industry that combines next-generation antivirus (AV), with an IT hygiene solution, managed hunting and endpoint detection and response (EDR).”
The result of that combination is a single lightweight agent of 23MB that leverages the cloud. Sentonas said, “No solution in the industry is that lightweight.”
Sentonas added, “We are the only vendor that has this one agent delivered through a management cloud structure.”
He also pointed out that the cybersecurity industry today is focused on stopping malware. That would make sense if attacks used only malware, but they do not.
Because of this focus on malware, much of the technology is reactive and signature-based: when a new piece of malware appears, cyber security vendors hurry to extract its signature, push an update to your AV, and only then protect your endpoint device.
“But by the time you get it, it’s too late. Malware works faster than signatures, and there would be a breach.”
The Crowdstrike capability
In 2014, the company released a platform solution that combines up to five cyber security offerings: IT hygiene, next-generation AV, EDR, managed hunting, and integrated threat intelligence.
The IT hygiene capability provides visibility of all managed and unmanaged endpoints across the whole organisation, together with an inventory of installed applications, so that security admins can take the required action.
Crowdstrike's next-generation AV protects against both malware and malware-free attacks, using multiple prevention technologies such as machine learning (ML), exploit blocking, and advanced Indicator of Attack (IOA) analysis. A malware-free attack is one in which the attacker never writes a Portable Executable (PE) file to the disk, which is one of many methods of avoiding detection by traditional AV; exploit kits are another.
EDR provides continuous endpoint visibility that spans detection, response and forensics, while managed threat hunting complements and augments in-house security resources by pinpointing malicious activities at the earliest stage possible.
“With threat hunting, our focus is to expose everything the attacker does,” Sentonas said.
Traditionally, the industry looks for anything bad, tries to block it, and sends back a log.
According to Sentonas, Crowdstrike reverses that entire security model by logging everything users do. “We collect all this telemetry, because they are indicators of a possible breach. There's a lot of manual hunting, as well. There is no substitute for hand-to-hand combat.”
This is the opposite of what traditional security does, which is to start recording only once something has already failed.
The icing on the cake, however, may be its global cloud-based threat intelligence, which draws on all of this telemetry and tracks activity around the world.
“Our telemetry is stored in the cloud. There are 51 billion telemetry events every 24 hours, in real-time.”
That is a wealth of information feeding customised, actionable reports and analysis, and Crowdstrike recognises this.
Sentonas explained, “We want to work with the end user, to complement the architecture. So, we are very API-driven, and will put our info and intelligence into any platform and even network appliances.
“We can make the rest of the ecosystem smarter, as a result of us being in there.”
The Crowdstrike business
The company's focus is protecting the endpoint, and all of its research and development goes into that, said Sentonas. “We are focused on what we do, and are not trying to build a new version of what's out there.”
This seems to be working: the company has gone through four rounds of funding since being set up in 2012. Founded by two former McAfee executives, George Kurtz and Dmitri Alperovitch, Crowdstrike has raised a total of USD256 million to date.
A sister company, Crowdstrike Services, focuses on proactive incident response services and is led by Shawn Henry, a former FBI executive who oversaw the Bureau's criminal and cyber divisions.
“Reception towards this is amazing, many customers have become investors,” said Sentonas. The more notable of these are Google, Telstra and Rackspace.
“I'm not exactly sure (the industry) learnt a lot in the last 15 years. People are still doing the same thing, time and time again,” said Sentonas, who was previously McAfee's APAC CTO. He explained, “WannaCry was a massive issue – we showed we are still not patching and traditional security products are not doing a good job.”
Crowdstrike was formed on the premise that traditional solutions are not working. And yet, Sentonas said, what the cyber security industry needs to do is nothing unique.
“Organisations are not using the right solutions; it's either too complex, or they don't have the skills to work it,” he pointed out.
Perhaps the variable that needs working on is the users: they need to keep up with the new issues and the new techniques, and keep sharing threat intelligence.