Challenge Crowdstrike Overview S PDF

CrowdStrike's platform provides comprehensive breach prevention through a single lightweight agent that uses machine learning and behavioral analysis to detect known and unknown threats across all endpoints. It simplifies security management and stops lateral movement through the network to prevent breaches. CrowdStrike collects threat intelligence from over 155 adversaries tracked to train its machine learning models, enabling proactive detection and automated response.
Copyright © All Rights Reserved

CROWDSTRIKE PLATFORM

JAKAPUN TOLYASITHSEREE – SYSTEM ENGINEER


MAZE RANSOMWARE!!!

CROWDSTRIKE
CHALLENGES CUSTOMERS ARE FACING
§ Endpoint protection silos: lack of visibility to understand root cause and remediate (by endpoint type, e.g. PC, server, cloud VM, containers)
§ Limited telemetry data from endpoints (e.g. servers)
§ Cannot find the root cause of problems (process tree)
§ High TCO to run EPP but still getting breached (management servers, signature updates, exhausted endpoint performance, admin staff hours)
§ The number of vulnerabilities is increasing every day, both known and unknown (18,xxx vulnerabilities in 2021).
§ How to be secured against silent failure of the technology
§ Don't know who is attacking us and don't know how to fight back.
What is CrowdStrike's mission?
WE STOP BREACHES

2021 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.


TOTAL NUMBER OF MALWARE AS OF 2021

§ Almost 1,236 million known malware samples today (3.3 million per day)
§ The sheer volume of malware makes it impractical to perform signature matching.

YOU NEED COMPLETE BREACH PREVENTION & DETECTION

[Chart: attacks plotted against threat sophistication (low to high) and adversary type (terrorists, hacktivists/vigilantes, cyber-criminals, organized criminal gangs, nation-states). 40% are malware attacks, at the low end of sophistication; 60% are non-malware attacks, at the high end, and these are harder to prevent and detect.]


ALL THESE STEPS MOSTLY HAPPEN ON WORKSTATIONS

1 Initial Access
2 Execution
3 Establish Persistence
4 Privilege Escalation
5 Defense Evasion
6 Credential Access
7 Discovery / Reconnaissance
8 Lateral Movement
9 Collection / Staging
10 Exfiltration / Data Leak
11 Command and Control
12 Impact

WHEN THE ATTACKER FINALLY MOVES TO SERVERS, THERE ARE FEW MALWARE SAMPLES AND FEW EXPLOITS TO FIND
SURVIVAL OF THE FASTEST

[Chart: breakout time plotted against the twelve MITRE ATT&CK phases (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control, Impact).]

MITRE ATT&CK PHASE


THE ADVERSARY IS SWIFT



A BETTER PROTECTION NEEDS A SIGNATURELESS APPROACH
40% MALWARE, 60% NON-MALWARE

[Diagram: behavioral analysis, machine learning, AI and big data analytics applied to a process chain: process executes, process deletes backups, process calls encryption routine, process enumerates file system.]

INDICATORS OF ATTACK (IOA) LOOK AT THE DNA OF ATTACKS

PROACTIVE INDICATORS OF ATTACK VS REACTIVE INDICATORS OF COMPROMISE

Indicators of Attack (IOAs): code execution, persistence, stealth, command and control, lateral movement. Example behavioral chain: process executes, process deletes backups, process calls encryption routine, process enumerates file system.

Indicators of Compromise (IOCs): malware, signatures, exploits, vulnerabilities, IP addresses.
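The following Python script is an added example, not code from this presentation or from CrowdStrike, to show how the IOA chain above (process deletes backups, calls an encryption routine, enumerates the file system) can be correlated per process within a time window, beside a reactive IOC hash check that fires only for a hash already on a blocklist. The event schema, the behaviour names, the 120-second window, the blocklist value and the sample telemetry are all constructed for the example.

```python
"""
Behavioural Indicator-of-Attack (IOA) correlation beside a reactive
Indicator-of-Compromise (IOC) hash check. Illustrative code only, not
CrowdStrike's sensor logic; schema, behaviour names, window, blocklist
and sample telemetry are all constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Behaviours that together form the ransomware-like IOA. Each one alone is
# ordinary (backup tools prune old backups, archivers call crypto routines,
# indexers walk the file system); the combination within a short window is
# the signal, regardless of which binary does it.
RANSOMWARE_IOA = frozenset({"delete_backup", "call_encryption", "enumerate_fs"})
WINDOW_SECONDS = 120.0  # assumed correlation window (hypothetical value)


@dataclass
class ProcessEvent:
    ts: float      # seconds since epoch (constructed)
    pid: int
    image: str     # executable path (constructed)
    sha256: str    # file hash (constructed placeholder, not a real hash)
    action: str    # "exec" or one of RANSOMWARE_IOA


@dataclass
class Detection:
    pid: int
    image: str
    behaviours: set
    first_ts: float
    last_ts: float


# Reactive IOC: a blocklist of file hashes. Placeholder value, not a real IoC.
KNOWN_BAD_HASHES = {"sha256:KNOWN_BAD_PLACEHOLDER_0001"}


def ioc_match(events):
    """Signature-style check: images whose hash is already on the blocklist."""
    return sorted({e.image for e in events if e.sha256 in KNOWN_BAD_HASHES})


def ioa_detect(events, window=WINDOW_SECONDS):
    """Return one Detection per process that exhibits every behaviour in
    RANSOMWARE_IOA within `window` seconds, ordered by first behaviour seen."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action in RANSOMWARE_IOA:
            by_pid[e.pid].append(e)
    detections = []
    for pid, evs in by_pid.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            seen = {x.action for x in evs[start:end + 1]}
            if RANSOMWARE_IOA <= seen:
                detections.append(Detection(pid, evs[end].image, seen,
                                            evs[start].ts, evs[end].ts))
                break  # one detection per process is enough
    return detections


# Constructed sample telemetry: three benign processes and one unknown binary.
SAMPLE_EVENTS = [
    ProcessEvent(0.0,    1001, r"C:\tools\indexer.exe",       "sha256:CONSTRUCTED_A", "exec"),
    ProcessEvent(1.0,    1001, r"C:\tools\indexer.exe",       "sha256:CONSTRUCTED_A", "enumerate_fs"),
    ProcessEvent(5.0,    2002, r"C:\tools\backup_prune.exe",  "sha256:CONSTRUCTED_B", "exec"),
    ProcessEvent(6.0,    2002, r"C:\tools\backup_prune.exe",  "sha256:CONSTRUCTED_B", "delete_backup"),
    ProcessEvent(10.0,   3003, r"C:\tools\archiver.exe",      "sha256:CONSTRUCTED_C", "exec"),
    ProcessEvent(11.0,   3003, r"C:\tools\archiver.exe",      "sha256:CONSTRUCTED_C", "enumerate_fs"),
    ProcessEvent(20.0,   3003, r"C:\tools\archiver.exe",      "sha256:CONSTRUCTED_C", "call_encryption"),
    ProcessEvent(100.0,  4242, r"C:\Users\Public\update.exe", "sha256:CONSTRUCTED_D", "exec"),
    ProcessEvent(101.0,  4242, r"C:\Users\Public\update.exe", "sha256:CONSTRUCTED_D", "enumerate_fs"),
    ProcessEvent(130.0,  4242, r"C:\Users\Public\update.exe", "sha256:CONSTRUCTED_D", "call_encryption"),
    ProcessEvent(150.0,  4242, r"C:\Users\Public\update.exe", "sha256:CONSTRUCTED_D", "delete_backup"),
    # the archiver prunes a backup much later, outside the correlation window
    ProcessEvent(1500.0, 3003, r"C:\tools\archiver.exe",      "sha256:CONSTRUCTED_C", "delete_backup"),
]


if __name__ == "__main__":
    print("IOC matches:", ioc_match(SAMPLE_EVENTS))  # [] : hash never seen before
    for d in ioa_detect(SAMPLE_EVENTS):
        print(f"IOA: pid {d.pid} {d.image} {sorted(d.behaviours)} "
              f"within {d.last_ts - d.first_ts:.0f}s")
```

Run as-is, the IOC check returns nothing because the unknown binary's hash has never been catalogued, while the IOA correlation flags pid 4242 after its third behaviour, 49 seconds into the chain. The archiver, which shows the same three behaviours spread over 25 minutes, is not flagged at the default window; widening the window to 2000 seconds would flag it too, which is the usual tuning trade-off between catching slow attackers and alerting on legitimate tools.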


TRAINING A MACHINE WITH HIGH-FIDELITY DATA IMPROVES THE SPEED AND ACCURACY OF ADVERSARY DETECTION

[Diagram: 7 trillion events/week and 155 adversaries tracked feed machine learning and indicators of attack in the Falcon agent, which prevents zero-day attacks with a simplified architecture.]
PROTECTING EVERY ENDPOINT EVERYWHERE

[Diagram: the CrowdStrike cloud connects public cloud, private cloud, branch office, remote worker and mobile worker endpoints.]

PC, servers, mobile, virtual machines, containers and cloud

TO STOP LATERAL MOVEMENT ACROSS THE ENTIRE NETWORK
BETTER PERFORMANCE AND VALUE

§ Single agent
§ 2% CPU utilization
§ ~35 MB in memory
§ No restart
§ No infrastructure cost
STOPPING BREACHES WITH TECHNOLOGY, EXPERTISE, THREAT INTEL

[Analyst recognition: Gartner EPP Magic Quadrant 2021; Forrester Wave for Managed Detection and Response, Q1 2021, and Threat Intelligence Service, Q1 2021.]


ENDPOINT SECURITY REVOLUTION: PROACTIVE DETECTION & RESPONSE

[Diagram, partly unreadable in the extraction. Recoverable labels: Known vs Unknown; Malware; Machine Learning; Behavioral Analysis; Advanced TTPs; EDR; Proactive Threat Hunting; Hidden threats; Analyst time & skill gap; Signature has failed.]
24X7 MANAGED THREAT HUNTING

[Diagram: CrowdStrike integration with SOC tools over SSL. The Falcon agent acts as a sensor, CCTV for endpoints, capturing all activity (attackers and users) across the workload coverage; machine learning and indicators of attack are applied to the sensor data. The customer SOC team performs investigation and remediation.]

Threat Hunting - Sample notification to inform customers of a threat

Where? When? What happened?

MANAGED THREAT HUNTING / ENDPOINT INVESTIGATION / PRE-BREACH REMEDIATION / ADVISORY

POST-REMEDIATION INTELLIGENCE
§ Remediation actions taken
§ Date of initial compromise
§ Detection information
§ Host/user information
§ Analysis & remediation details
§ IP address


Endpoint Deployment
3 SMALL STEPS TO REPLACE YOUR AV

1 Install the Falcon agent
2 Verify the installation
3 Remove legacy products

No infrastructure setup, no fine-tuning or rule writing, no reboot, no signature updates, no scan.

Deployment examples (agents deployed, time taken):
§ Financial institution: 77,000 agents in 1 day
§ Hospitality chain: 40,000 agents in 5 days
§ Technology company: 55,000 agents in 5 days
§ Financial institution: 300,000 agents in 90 days


SolarWinds - A supply chain attack
"The most beautiful attack in a decade"

CROWDSTRIKE
FALCON PLATFORM PROTECTS ALL WORKLOADS