George Kurtz literally wrote the book on hacking. The seminal Hacking Exposed series that Kurtz co-authored started back in 1999 and is now in its seventh edition.
Over that period, Kurtz started off as the CEO and founder of Foundstone, which was acquired by McAfee in 2004 for $86 million. When Kurtz left McAfee in 2011, he was the company's worldwide CTO and EVP. Since 2012, Kurtz has been on a different mission, taking action against security threats as the CEO and founder of Crowdstrike.
This week, Crowdstrike launched its Falcon active defense platform. Kurtz explained to eSecurity Planet that Falcon is a cloud-based platform that fuses real-time detection of targeted attacks with actionable security intelligence.
“We want to be able to identify and attribute targeted attacks in real-time,” Kurtz said. “Legacy technologies just aren’t capable of dealing with targeted attacks.”
While Falcon runs in the cloud, end-users get their data to Crowdstrike by way of small sensors that run on Windows and Mac platforms.
The real key for Crowdstrike isn’t just identifying the attack, but identifying who is behind it.
“The system doesn’t rely on signatures, it relies on what I would call ‘adversary tradecraft’,” Kurtz said. “There are only a few moves the bad guys can make.”
As a metaphor, Kurtz noted that digital attacks are the equivalent of trying to rob a bank. It doesn’t matter what the getaway car is; at some point the criminal has to get the money and get away.
“What we’re looking for across the kill chain is the activity that would be indicative of adversary action,” Kurtz said. “Even if the attacker is using a 0-day flaw, that doesn’t matter to us, since our technology is about being able to link over time what is actually taking place and being able to associate it with a given group.”
While the Falcon platform is about providing actionable intelligence, in its initial iteration it doesn’t directly include threat prevention capabilities.
“Today, Falcon is about visibility and tomorrow it will be about prevention,” Kurtz said. “We sit at a pretty low level in the stack, so we do have the ability to control execution, but today it’s our view that when it comes to advanced attacks, people want to learn more.”
Kurtz noted that an enterprise will obviously want good hygiene and the ability to block attacks, but he argued that blocking is not always the right course of action.
“In many cases, if you simply block an attack immediately, you’re going to have an adversary that will change tactics and keep trying to get in,” Kurtz said. “We have customers that want to understand what the adversary is after before they take an action.”
Overall, Kurtz stressed that in his view, it is impossible to keep a determined adversary out. As such, he figures it’s best to get as much information as you can so you can compress the time that an adversary has access.
“It doesn’t matter what vendor you talk to, there is no magic wand or bullet for security,” Kurtz said.
The idea of collecting information in an effort to better understand risk and attacks is not a new one. SIEM (Security Information and Event Management) vendors have been trying to do the same kind of thing, though Kurtz stresses that Crowdstrike is different.
Kurtz explained that if, for example, a Windows 7 user turned on all the event logging capabilities, the user would likely crush the performance of the machine. And he argued that the user would not be getting a complete view of what is actually happening.
“We have created a programmable state machine where we are able to keep track of state and link it together and do that in a very performant way,” Kurtz said. “We can tell when something executed and where it came from, and we maintain state over time, even after persistent reboots.”
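To make the idea in the two preceding paragraphs concrete, here is a small, added illustration of linking execution events into a persistent lineage rather than relying on a signature for a specific sample. It is not Crowdstrike or Falcon code; the event format, field names, the `LineageTracker` class, the sample telemetry and the "Office application spawning a shell" pattern are all constructed assumptions for the example. Each process is keyed by a boot identifier plus its pid, so pids reused after a reboot do not collide, and the state is written to disk so a fresh tracker instance picks up where the previous one left off.

```python
"""
Minimal process-lineage state machine (added illustration, not Falcon code).

Ingests process-start events, links each process to its parent, persists
the state so it survives a restart, and answers "where did this execution
come from?" independent of which file or exploit started it.
All field names and sample events below are constructed assumptions.
"""
import json
import os
import tempfile

# Constructed sample telemetry from two boots of the same host.
# After the reboot, pid 610 is reused by an unrelated process.
SAMPLE_EVENTS = [
    {"boot": "boot-1", "pid": 400, "ppid": 1,   "image": "explorer.exe",   "ts": 100},
    {"boot": "boot-1", "pid": 520, "ppid": 400, "image": "winword.exe",    "ts": 105},
    {"boot": "boot-1", "pid": 610, "ppid": 520, "image": "cmd.exe",        "ts": 106},
    {"boot": "boot-1", "pid": 700, "ppid": 610, "image": "powershell.exe", "ts": 107},
    {"boot": "boot-2", "pid": 300, "ppid": 1,   "image": "explorer.exe",   "ts": 900},
    {"boot": "boot-2", "pid": 610, "ppid": 300, "image": "notepad.exe",    "ts": 905},
]

# A behavioural pattern (assumed for the example): an Office application
# with a command interpreter somewhere beneath it in the process tree.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


class LineageTracker:
    """Keeps one node per (boot, pid) so reused pids across reboots never collide."""

    def __init__(self, state_path):
        self.state_path = state_path
        self.nodes = {}  # "boot:pid" -> event dict
        self._load()

    @staticmethod
    def _key(boot, pid):
        return f"{boot}:{pid}"

    def _load(self):
        # Reload previously persisted state, if any (simulates surviving a reboot).
        if os.path.exists(self.state_path):
            with open(self.state_path) as f:
                self.nodes = json.load(f)

    def save(self):
        with open(self.state_path, "w") as f:
            json.dump(self.nodes, f)

    def ingest(self, ev):
        self.nodes[self._key(ev["boot"], ev["pid"])] = ev

    def ancestry(self, boot, pid):
        """Return image names from the root ancestor down to (boot, pid)."""
        chain, seen = [], set()
        key = self._key(boot, pid)
        while key in self.nodes and key not in seen:
            seen.add(key)
            ev = self.nodes[key]
            chain.append(ev["image"])
            key = self._key(boot, ev["ppid"])
        chain.reverse()
        return chain

    def office_spawned_shells(self):
        """Shells whose ancestry passes through an Office application."""
        hits = []
        for ev in self.nodes.values():
            if ev["image"] in SHELLS:
                chain = self.ancestry(ev["boot"], ev["pid"])
                if any(img in OFFICE for img in chain[:-1]):
                    hits.append((ev["boot"], ev["pid"], chain))
        return sorted(hits)


def demo(state_path=None):
    """Ingest boot-1, persist, 'reboot' into a new tracker, ingest boot-2."""
    if state_path is None:
        state_path = os.path.join(tempfile.mkdtemp(), "lineage.json")
    first = LineageTracker(state_path)
    for ev in SAMPLE_EVENTS:
        if ev["boot"] == "boot-1":
            first.ingest(ev)
    first.save()
    second = LineageTracker(state_path)  # state survives the simulated reboot
    for ev in SAMPLE_EVENTS:
        if ev["boot"] == "boot-2":
            second.ingest(ev)
    return second


if __name__ == "__main__":
    tracker = demo()
    print("lineage of boot-1/700:", " -> ".join(tracker.ancestry("boot-1", 700)))
    for boot, pid, chain in tracker.office_spawned_shells():
        print(f"office -> shell on {boot} pid {pid}: {' -> '.join(chain)}")
```

The point of the design is that the verdict depends on the shape of the activity (what spawned what, and when), not on any hash or signature of the document or payload involved, which is the sense in which a lineage-based detection is indifferent to whether the initial entry used a known exploit or a 0-day.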
The Crowdstrike technology overall is an effort by Kurtz and his co-founder Dmitri Alperovitch, who had been the VP of threat research at McAfee, to solve a problem that their former employer was not able to solve.
“Dmitri and I saw the damage from targeted attacks and we saw that existing technologies weren’t doing the job,” Kurtz said. “I traveled 300,000 miles in my last year at McAfee, and it became old to go to a big enterprise customer and, after pleasantries, have to answer why after buying our technology they still had a targeted attack problem.”
The challenge is that information security has traditionally treated the problem as a malware problem.
“We view this as an adversary problem,” Kurtz said.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.