Crowdstrike CTO Dmitri Alperovitch is no stranger to the world of malware, having worked for years at McAfee prior to co-founding Crowdstrike. Yet despite his familiarity with the nasty stuff, at Crowdstrike he's not looking for malware; he's looking for evidence of malware-free intrusions.
Crowdstrike recently launched its next generation Falcon platform, which includes host, end point monitoring, intelligence, DNS and managed protection capabilities. Alperovitch explained to eSecurityPlanet that Falcon doesn't rely on Indicators of Compromise (IoC) to detect security incidents. Instead it looks for indicators of attack (IoA).
"We're really looking for what attackers are trying to do, instead of looking for the exact tool that that the attacker is using," Alpervoitch explained.
Indicators of Attack
Alpervoitch said that an IoC search for an attacker who is looking to steal something from a museum, might include a description of what the attacker is wearing or the car he drives. In contrast, with the IoA approach, the museum doesn't care what the attacker is wearing or what car he drives. Instead the focus is on detecting the activities that indicate a theft.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
Mapping that analogy to the cyber-world, an IoA would be an indication that an attacker is executing code, trying to be stealthy, trying to steal credentials or exfiltrating data.
"If you're measuring the effect of an action, as opposed to looking for specific actions, then you actually have more comprehensive detection across all stages of the kill chain," Alpervoitch said.
Prevention and Remediation
The most notable feature of the new Falcon platform release is the addition of prevention and remediation capabilities, to complement the detection capabilities.
If a known bad actor attempts to access a system, it can be stopped from running. During an attack stage, the system can be leveraged to block exploitation. In the post-exploitation stage, the new Falcon platform can contain the damage and limit the risk of it spreading, as well as enable some form of rollback.
"We believe you need to look at the prevention techniques across the entire spectrum of attacks," Alpervoitch said.
The Falcon system also has an intelligence component that leverages Crowdstrike's research to help attribute an attack and provide additional context. The intelligence piece is intended to help organizations deal with the high volume of alerts that can be generated by IT security and monitoring systems.
"Providing context and prioritization is really critical to helping customers deal with alerts and understanding what they need to do," Alpervoitch said.
Falcon utilizes a hybrid approach that leverages the cloud as well as sensors on user devices.
"We don't care if the user is on a VPN or behind the firewall. You will always be protected, since as long as you have an Internet connection, we have visibility and can apply policy," Alpervoitch said.
The focus on endpoint devices is a key part of Crowdstrike's strategy to help enterprises defend against attack.
"We're seeing a shift where customers realize that valuable information is on the endpoint and that's where adversaries are trying to get to," Alpervoitch said. "You need the ability to take action on the endpoint because at the end of the day, a network appliance is not going to be able to provide comprehensive protection."
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.