The security world is changing rapidly and we are slowly reaching another huge milestone. Not a very happy one though: manual security operations are no longer sufficient. This is a little bit painful to admit but the fact remains: if you rely on the manual labour of CTOs, CISOs, and their teams to react to an incident, then you are in for a very rude awakening.
There are several reasons for it but the main one is simple: money. Cyber-crime has become ridiculously profitable and entry barriers have all been but removed. Anyone with basic computer literacy can anonymously run a DDoS, inject ransomware and tug away their profits in cryptocurrency.
This new World order requires a revision of the security strategy for many. But why Crowdstrike? I’ve sat down with my colleague and one of the most prominent cyber-security figures in the region, Rita Käit-Vares, to discuss this excellent endpoint protection platform.
Vladimir: Let’s start from the basics: what is CrowdStrike and what does it bring to the table?
Rita: I have been in the business of protecting computers and servers for over a decade. But now, the whole definition of an “endpoint” has changed. Almost every piece of metal and plastic with brains can be considered an endpoint. And these appear and disappear from the network and cloud at high speed. Many of our customers, both in the public and private sectors, have a hard time protecting these endpoints. Crowdstrike brings a whole lot more to the table with real usage of ML/AI, which can help automate things.
Vladimir: So, install and forget?
Rita: Well, almost. There are several components here. When we talk about “classic” installation of endpoint security products it can be a difficult process of removing/adding/rebooting etc. In today’s dynamics, it’s just not fast enough. Our team is often in a situation, where a customer “walks in” from the street and says “I had a breach, my antivirus didn’t work. Help!”
Time is critical here. So, while our emergency security incident responders (eSIRT) start the investigation, we need to get as much info about the network as possible and prepare to replace the legacy AV with a proper EDR tool. With Crowdstrike we can do it in a couple of hours and, quite critically, we can do so without charging the customer for licenses. What’s even better the initial deployment can be done in monitoring mode, e.g. Crowdstrike will run in parallel with existing EPP and gather information without getting in the way. The free start is super important as, especially for larger organizations, it allows the IT team to solve the problem before starting the investment negotiations with finance.
Vladimir: O.k., so easy install, check. What about the next steps? I can’t imagine that configuration and further steps are easy for such a beast of a platform?
Rita: 2 things here. Crowdstrike default configuration regardless of mode (monitoring, prevention etc) is quite good out of the box. Meaning that a competent admin can handle it on their own. More importantly, though, is that they have a qualified and trained partner to help. As a managed security service provider, we are offering the Crowdstrike platform as a managed service. Our engineers will tweak the required settings and the eSIRT team help with the clean-up.
The next step is connecting it to our Security Operation Centre (SOC) and letting our 24/7 SOC team take care of business. If a customer wants to “forget” then we can take an active role in mitigating incidents, if they want to stay “hands-on”, we can set up alerts/notifications the way they want.
Vladimir: But what makes Crowdstrike so smart? There are several other decent EDR platforms in our portfolio already.
Rita: For me, it was a combination of 4 things:
Crowdstrike Falcon is super lightweight and, since many companies have endpoint intensive applications running, it makes it suitable even for most demanding customers.
The platform is essentially cloud-native. E.g. no central management server and we can help customers from a central console with efficiency 2nd to none.
They have gradually built up the functionality stack, adding one of the best threat intelligence feeds, making their ThreatGraph a work of cybersecurity art.
Lastly, the machine learning and AI components work both locally and in the cloud. And those really work, rather than being flashy trendy marketing words.
Vladimir: But what is the role of a security analyst, if so much is automated?
Rita: I think it’s still quite important. Crowdstrike has some great algorithms pinning down indicators of attack (IOA) and filtering out false positives. But it is not omnipotent and we still want a security analyst to use API to map data provided by Crowdstrike against data from other tools, like SIEM and NDR. While it is possible to integrate everything, our experience shows that having a pair of human eyes in case of a critical security situation is best.
Vladimir: How does Crowdstrike fit with the rest of the security tools?
Rita: Extraordinarily well. This was also one of the reasons for us picking it up. When we talk about modern-day security, the best results are delivered by smartly integrating several best-of-breed products. And as far as efficacy goes, there 4 main components here:
- endpoint detection and response EDR
- network detection and response NDR
- email protection
- centralized log management
Crowdstrike has native integrations with our other partners – Vectra, Proofpoint and Splunk. This means that we can offer the whole stack to our customers based on our in-house expertise without extra hassle.
Vladimir: We talked a lot about security automation, why is it so important?
Rita: Crowdstrike likes to talk about a 1-10-60 rule, which follows our security ideology. 1 minute to detect, 10 minutes to investigate, 60 minutes to respond. A cyber-attack moves like an avalanche once executed. So, a company has a 2-3 hour window to mitigate before it becomes a full-blown breach with catastrophic consequences. Automation helps the incident responders move faster than that avalanche. Also, many old-school endpoint protection tools kick in when they see an indication of compromise (IOC). This may be too late, as hours have been lost. Automation and focus on potential cyberattack patterns give us an early warning. This is the predictive security analytics, which we all have been waiting for.
Vladimir: Thank you! Any last words?
Rita: I think it’s very important to change the mindset of looking at endpoint protection. Signature-based legacy antivirus is not protecting you against most attacks. Typical attacks today are 0-day exploits, custom-built malware and attacks which skip the malware phase entirely. It’s much easier to steal credentials with a phishing campaign, get into the victim’s endpoint and escalate privileges than bomb someone with virus attachments. These tactics, techniques and procedures (TTPs) are no longer a domain of government-backed ATPs. Anyone can use those. This is why you need a more intelligent, next-gen endpoint protection attitude. And CYBERS is here to help you get it.
Vladimir: Thank you!