How to Replace Your Legacy Antivirus Solution with CrowdStrike


Upload: crowdstrike

Post on 18-Jan-2017


TRANSCRIPT

Page 1: How to Replace Your Legacy Antivirus Solution with CrowdStrike

2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

THE TIME HAS COME TO REPLACE YOUR LEGACY AV

DAN LARSON, TECHNICAL DIRECTOR

Page 2

CrowdStrike Intro

Legacy Anti-Virus Efficacy

How CrowdStrike Stops Malware

How CrowdStrike Goes Beyond Malware

How to Switch to CrowdStrike for AV

AV Testing and Industry Collaboration

Page 3

A QUICK INTRODUCTION TO CROWDSTRIKE

Page 4

Cloud Delivered Endpoint Protection

MANAGED HUNTING

ENDPOINT DETECTION AND RESPONSE

NEXT-GEN ANTIVIRUS

CrowdStrike is the only security technology provider to unify next-gen AV and EDR into a single agent, backed by 24/7 proactive threat hunting, all delivered via the cloud.

Page 5

MY ANTI-VIRUS JUST DOESN’T WORK

This is the #1 concern raised by customers inquiring with analyst firms Gartner and Forrester about endpoint security.

…They simply are not effective in stopping modern threats.

Page 6

INEFFECTIVE AGAINST MODERN THREATS

45%

“Anti-Virus catches about 45 percent of attacks these days”

- Brian Dye, former VP at Symantec (now at McAfee)

Source: https://goo.gl/hNUCdm

Page 7

“COMPLEXITY IS THE ENEMY OF SECURITY”

Bruce Schneier, 2001

Page 8

TRYING TO GET AHEAD OF THE ATTACKER

Enterprise Endpoint Security Timeline

80s to 90s: Signatures

00s: Heuristics

2007: Reputation

2009: App Control

2011: IOC Sharing

2012: Sandboxing & Isolation

2013: Machine Learning

2014: Behavioral Analytics

Now: Managed Hunting

Page 9

LEGACY VENDOR ARCHITECTURE

Email Encryption

HTTP/Web Gateway: Web Security

SMTP/Email Gateway: Mail Security

SharePoint: SharePoint Security

Servers: App Control

Mail Servers: Mail Scanner

VDI: VDI Plugin

Firewall/Router: UTM Gateway

Sandbox Appliance

Centralized Management

Host Security Services: Web Security as a Service, Hosted Email Security, Reputation Cloud, Sandbox Service

Endpoint Protection: Vulnerability Protection, Host Intrusion Prevention, AntiVirus, Endpoint Encryption, Application Control, Web Protection

“Next Gen”: Endpoint Activity Visibility

Even with all of this, there were 3,141 breaches in 2015.

Source: 2016 Verizon Data Breach Investigation Report

Page 10

CROWDSTRIKE FALCON ARCHITECTURE

CLOUD DELIVERED ENDPOINT PROTECTION

Page 11

ANTI-MALWARE PREVENTION STACK: CROWDSTRIKE FALCON

ENDPOINT PROTECTION

§ MACHINE LEARNING

§ IOA PREVENTION

§ EXPLOIT BLOCKING

§ CUSTOM HASH BLOCKING

§ CONTINUOUS MONITORING

CLOUD PROTECTION

§ MACHINE LEARNING

§ THREAT INTELLIGENCE

§ MANAGED HUNTING

§ THREAT GRAPH

PREVENT:

§ KNOWN MALWARE

§ UNKNOWN MALWARE

§ BEYOND MALWARE

Page 12

Machine Learning

• Increases effectiveness against new, polymorphic or obfuscated malware

• Works without daily updates

• Works offline

• Data models can be smaller than signature files (if done properly)

• Performance impact less than on-demand or on-access scanning techniques

• Complements: behavioral analytics (IOAs) and exploit mitigation

Page 13

MORE THAN JUST AV REPLACEMENT

Page 14

THE REMAINING CHALLENGES

Complexity…

Ever expanding infrastructure requirements and agent footprint

Always Out of Date…

By the time your update is deployed, it is time to start another

Blind Spots…

Silent failure leads to long dwell times and a false sense of security

Page 15

COMPLEXITY

Eliminate operational burden with CrowdStrike

§ No more daily signature updates

§ Smaller footprint: 15MB on disk, 10MB in memory

§ No reboots

§ No on-premise hardware

§ SaaS scalability

Page 16

ALWAYS OUT OF DATE

Outpace the attacker with CrowdStrike

§ No need to develop AV signatures

§ Machine learning and IOAs are more persistent protection mechanisms

§ CrowdStrike only requires 15MB on disk

§ 70MB-150MB typical for AV signatures

§ Some ML models balloon to 300MB

§ Single-sensor design eliminates dependency issues

§ SaaS delivery ensures real-time updates when necessary

Page 17

EXAMPLE: 3-Month-Old Machine Learning Model Immediately Blocks Shamoon 2

§ ML model delivered to VirusTotal on Aug 25th

§ Blocked Shamoon 2 on its first appearance in VT on Nov 22nd

§ CrowdStrike was one of only five vendors to identify it correctly

Source: https://goo.gl/nK0VmO

Page 18

BLIND SPOTS

Eliminate dwell time with CrowdStrike

§ AV can only see what it stops

§ No prevention solution can be 100% effective, not even next-gen solutions

§ Average dwell time still near 200 days

§ Go beyond malware to detect and block modern attacker techniques

§ CrowdStrike’s EDR offers automatic detections, eliminating the need for manual search

§ CrowdStrike’s OverWatch delivers proactive threat hunting in your environment, 24x7x365

Page 19

NO MORE BLIND SPOTS

100% Exploit Detection in AV-Comparatives Test

[Bar chart: percentage Blocked and percentage Detected per product (Symantec*, Cylance*, CrowdStrike, SentinelOne, Palo Alto), scale 0 to 100; plotted values as extracted: 90, 63, 100, 57, 86, 90, 63, 70, 28, 82]

Source: AV-Comparatives and AV-Comparatives

§ CrowdStrike is the only product with 100% detection efficacy

§ All other solutions suffered from silent failure

§ In reality, this leads to long dwell times


Page 21

EXAMPLE: Privilege Escalation from Command Line


Page 23

EXAMPLE: Privilege Escalation from Command Line

• AV signatures, IOCs and Application Control are ineffective against this kind of threat

• Even machine learning can’t stop this because it is a trusted executable

• Would you know how to search for this?

• Even if you knew how, do you have the bandwidth to search?

• CrowdStrike IOAs operate in real time and automate the detection process so that you don’t have to search

Page 24

THINGS TO LOOK OUT FOR

If you’re not 100% effective at prevention, then you need strong detection

Even some next-gen players have bloated endpoint agents

Unverified efficacy claims

“Bake in” periods are like HIPS all over again

Telemetry without intelligence is worthless

Over-emphasis on malware and/or forgetting the rest of the kill chain

Page 25

CAN YOU TRUST US TO REPLACE YOUR AV?

98.2% Malware Block Rate

100% Exploit Detection

0 False Positives

Vendor Member: Committed to Standards, Contribute Leadership

First Pure ML Engine: Open to Public Scrutiny, Contribute to Community

Also certified for PCI, HIPAA, NIST, FFIEC and more…

Page 26

3 of the 10 largest global companies by revenue

2 of the 4 largest global banks by revenue

5 of the 10 top credit card payment processors

3 of the 10 top oil and gas companies

CrowdStrike Falcon Deployed in 170 Countries

BACKED BY ELITE INVESTORS:

Page 27

START NOW

[email protected]

1.888.512.8906 (US)

+44(0)118.453.0400 (UK)

(+61) 1300.792.402 (Australia & New Zealand) / APAC