you can't stop the breach without prevention and detection

Upload: crowdstrike

Post on 12-Jan-2017

TRANSCRIPT

Page 1: You Can't Stop The Breach Without Prevention And Detection

2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

YOU CAN’T STOP THE BREACH WITHOUT PREVENTION AND DETECTION

CHRIS SHERMAN, SENIOR ANALYST, FORRESTER

ROD MURCHISON, VP, PRODUCT MANAGEMENT, CROWDSTRIKE

Page 2

Mastering the Endpoint: Leverage Forrester’s Targeted Attack Hierarchy Of Needs

Chris Sherman, Senior Analyst

October 20th, 2016

Page 3

© 2016 Forrester Research, Inc. Reproduction Prohibited 3

The 90’s called, they want their endpoint security strategy back

Despite…

[Chart: adoption of endpoint security technologies (Anti-Virus, Application patching, Application control, Endpoint Visibility & Control); the bar values 80%, 63%, 48%, 48%, 55% and 53% were extracted without their labels]

42% of breaches involved a software exploit over the past year

a 19% increase in costs associated with cyberattacks Y-Y

Base: 671 IT and IT security practitioners. Source: Ponemon 2013 State of the Endpoint Survey

Base: 881 IT Security Decision Makers. Source: Forrester BT Security Survey, Q3 2015

…Many organizations still rely heavily on antivirus. A New Approach Is Needed!

Page 4

Organizations Must Refocus Their Endpoint Security Strategies

Page 5

The Targeted-Attack Hierarchy Of Needs

Page 6

Targeted-Attack Hierarchy Of Needs

Need No. 1: An Actual Security Strategy

Page 7

Expense in Depth

Page 8

Return on Expense in Depth?

Page 9

Components of a sound strategy

› Adopt principles of the Zero Trust model

› Data-driven security, not alert-driven security

› Data-driven security is really business-driven security, which is supported by executives

Page 10

Targeted-Attack Hierarchy Of Needs

Need No. 2: A Dedication To Recruiting And Retaining Staff

Page 11

Double down on higher education

› There is intense competition between the emerging cyber programs

› Make them more competitive; join an advisory board and drive curriculum that produces capable graduates

Page 12

Targeted-Attack Hierarchy Of Needs

Need No. 3: A Focus On The Fundamentals

Page 13

A Focus On The Fundamentals

Page 14

Targeted-Attack Hierarchy Of Needs

Need No. 4: An Integrated Portfolio That Enables Orchestration

Page 15

Friction?

› “Create friction for the attacker. Slow them down and make their job more difficult.”

› What about all the friction we create for ourselves?

› Most orgs don’t have the resources to automate their InfoSec processes.

Page 16

What can you do?

› Invest in software development staff

› Prioritize vendors that integrate and automate between the endpoint and network layers

› Pay attention to vendors who see the need and are developing solutions.

Page 17

Targeted-Attack Hierarchy Of Needs

Need No. 5: Prevention

Page 18

Prevention is shifting

› Traditional approaches to prevention will continue

› If you can prevent an action, why not?

› Prevention with threat intelligence

• Command and Control indicators should be used to prevent communications

Page 19

Prevention begins and ends with attack surface reduction

Photo credit: Jan Stromme, Bloomberg Business

Page 20

Targeted-Attack Hierarchy Of Needs

Need No. 6: Detection & Response

Page 21

Detection

› Detection is the only option when dealing with higher tier adversaries

› No single control is your breach detection system

› Your aggregate controls and your people are your breach detection system

Page 22

Response

› Once you have identified malicious activity, how do you respond?

› Is your remediation a reimage?

› Time to containment and remediation will never improve without automated response

Page 23

To be successful, an endpoint security strategy must balance prevention with detection

Pages 24 to 27 (one slide built up over four pages)

Endpoint Security Requires A Balanced Approach

Prevention

• Addresses attack surface

• Limits time spent on detection/response

• Doesn’t require frequent updates

Detection

• Endpoint visibility and integration

• Catches what gets through

• Threat intelligence required

Control / Remediation

• Automated/assisted remediation reduces friction

• Ensures policy compliance

• Operationalizes threat intelligence

Page 28

Recommendations

› Choose prevention technologies based on your risk appetite and impact to user experience.

› Look to expand your detection capabilities beyond malicious process identification and IOC identification.

› Reduce your attack surface through a balance of prevention, detection, and remediation proficiency.

Page 29

THE YIN & YANG OF ENDPOINT PROTECTION

§ You need to see Prevention & Detection in a holistic way

§ There needs to be a virtuous approach - one feeds the other and vice-versa

§ You need to have a vision from the outset to build this; you can’t just make it up as you go along

[Diagram: PREVENTION / DETECTION]

Page 30

Cloud Delivered Endpoint Protection

MANAGED HUNTING

ENDPOINT DETECTION AND RESPONSE

NEXT-GEN ANTIVIRUS

CrowdStrike is the only security technology provider to unify next-gen AV and EDR into a single agent, backed by 24/7 proactive threat hunting – all delivered via the cloud

Page 31

PREVENTION

BENEFITS

PREVENTS ALL TYPES OF ATTACKS

Protect against Known/Unknown Malware

Protect Against Zero-Day Attacks

Eliminate Ransomware

No Signature Updates

No User Impact: Less than 1% CPU overhead

Reduce re-imaging time and costs

BUSINESS VALUE

Machine Learning

IOA Behavioral Blocking

Block Known Bad

Exploit Mitigation

Page 32

CLASSIC EDR JUSTIFICATION: THERE IS NO SUCH THING AS 100% PREVENTION

§ Attacks will always get through

§ Even with 99% efficacy you still need something to deal with the 1%

§ So, you need EDR to deal with this and solve the ‘silent failure’ problem

[Chart: 99% stopped / 1% missed]

Page 33

WHAT 99% CAN MEAN…

[Chart: chance of at least one success for the adversary (y-axis) against number of attempts (x-axis); with a 1% miss rate, the chance passes 99% by 500 attempts]

Bottom line: with 99% detection efficacy, change the binary 500 times and you will get one file through
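Added derivation (not part of the slides) that carries the slide's own numbers through. With a per-attempt miss probability $q = 1 - 0.99 = 0.01$ and $n$ independent attempts, the chance that at least one attempt gets past prevention is

$$P(\text{at least one success}) = 1 - (1-q)^{n} = 1 - 0.99^{500} \approx 1 - 0.0066 \approx 0.993,$$

with an expected $nq = 500 \times 0.01 = 5$ files through. Solving $1 - 0.99^{n} \ge P$ for $n$ shows how quickly the 1% compounds:

$$n \ge \frac{\ln(1-P)}{\ln 0.99} \quad\Rightarrow\quad P = 0.5: n \approx 69, \qquad P = 0.9: n \approx 230.$$

The miss rate is fixed by the prevention control, but the attempt count is chosen by the adversary, which is why detection and response must cover the residual rather than prevention efficacy alone.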

Page 34

DETECTION AND RESPONSE

PREVENT AGAINST SILENT FAILURE

DVR FOR ENDPOINT

BUSINESS VALUE

5 Second Enterprise Search

No Hardware or Storage Costs

Full Spectrum Visibility

Reduced Time to Remediation

BENEFITS

Page 35

MANAGED HUNTING

FINDING THE ADVERSARY

So You Don’t Have To

BREACH PREVENTION SERVICES

Team of Hunters Working for You 24 x 7

BUSINESS VALUE

Force Multiplier

Community Immunity

BENEFITS

Reduce Alert Fatigue: Focus on What Matters!

Stop the “Mega” Breach

Page 36

SO YOU GOT DETECTION AND PREVENTION, WHY ARE YOU STILL DISAPPOINTED?

§ You can’t just slam two things together - detection & prevention

§ You can’t just tick off a list of features

§ This is tough stuff; you need to be thoughtful and considered in how you architect a prevention and detection solution

§ You can’t see prevention and EDR as two separate things

Page 37

SO, WHERE DOES PREVENTION END & DETECTION START?

[Diagram: PREVENTION / DETECTION]

Page 38

OVERVIEW OF WHAT’S REQUIRED TO PROPERLY UNIFY NEXT-GEN AV AND EDR

1. Complete and accurate visibility

2. Analysis capacity

3. Ability to turn data into information and insight

Page 39

COMPLETE AND ACCURATE VISIBILITY

§ Data: Need lots of it

§ Scalability: In the Cloud

§ Power: Storage, throughput and compute power

§ Integrity: High fidelity

§ Usefulness: Insightful

§ Flexible Capture: distributed/mobile/BYOD and/or on/off network

Page 40

ANALYSIS CAPACITY

§ Organize and analyze big data

§ You need to analyze this at massive scale

§ You need to ‘glue’ all this data together

§ That’s why a ‘Graph’ is the answer

Page 41

ABILITY TO TURN DATA INTO INFORMATION AND INSIGHT

§ Piecing data together and establishing the relationships between the pieces drives ‘Context’ - the more data you have, the ‘richer the context’

§ Understanding context lets you understand behavior, and that allows you to get to IOA

THREAT GRAPH

Indicators of Attack

EDR

Page 42

WHICH IN TURN MAKES BOTH PREVENTION AND EDR BETTER

§ IOAs = better ‘prevention’

§ IOAs = defeat attackers who are ‘living off the land’

§ Traditional malware and security approaches inadequate

§ IOAs = better EDR and better EDR = better IOAs

Page 43

SUMMARY

§ You need to see Prevention & Detection in a holistic way

§ There needs to be a virtuous approach - one feeds the other and vice-versa

§ You need to have a vision from the outset to build this; you can’t just make it up as you go along

Page 44

NEW FORRESTER WAVE

The Forrester Wave™: Endpoint Security, Q4 2016 The 15 Providers That Matter Most And How They Stack Up

§ CrowdStrike will be sending a copy to ALL webcast registrants

Page 45

Q&A

[email protected]