
CrowdStrike

BSides Calgary · 45:18 · Published 2022-12

Transcript [en]

There's way too much for us to learn, you know. If you want to take a day vacation, or three days, we have time, yeah, if you keep your device on, if you don't keep your device off. Solutions are becoming more and more complex, as we all know: you install one thing, which then builds onto something else. Technology is terrific, but it gets more and more complex. We're trying to keep things, you know, use the KISS method; you figure out what each other means yourself. That would be nice, but, you know, the attackers are not getting easier. Yeah, I'll go on my age: during the 90s it was easy. We had those script kiddies that, you know, didn't get a date on a Friday night and maybe started hacking computers. You know, the Russians did a couple of things, some other foreign country, city, to government entities. Then came 2000 and all that, and they decided they want to go to prime time, so now they're attacking everybody. Yeah, we don't have simple, you know, script kiddies; we actually have them breaking into big-time stuff. We have ransomware; we actually have franchises that you can go get that have your own malware. I did find out that that was a very interesting business case: they had a complete business plan on how to buy malware, and they kept it up to date.

So perhaps, I thought about this: they initially had gone into the IR side 11 years ago, and being in that, they realized, hey, we also need an endpoint sensor, because it'd be nice if we actually get the information we would like and need. So moving forward with that, we came out with our endpoint. A lot has changed since then. You know, look at this: this is our complete platform, with service, or lightweight agent, okay. We put on a single agent, whether you're running a Windows box, a Windows server, if you're running a Mac, if you're running Linux, it's the one agent. If you add any of these modules, guess what, you don't have to upgrade, okay. It's something we do on the back end, because everything that we do and analyze is in the cloud. So by doing that in the cloud, your agents do not have to... you don't have to keep on redeploying. So it's a simple deployment, it's a lightweight agent: you'll see single-digit CPU usage, very little RAM going across, and very little bandwidth compared to other agents that are out there. And we can also run alongside another agent if you want to actually try this out, so we can run next to Defender and stuff like that. It won't kick us out or anything; you can see the detection between the two.

But as you run the agents, you know, the over 200-plus telemetry points that we're gathering we're sending to what we call our Threat Graph. The Threat Graph is the big data pool in the sky, for lack of better terms, you know, that we're sending everything up to to analyze. That thing goes through and you plug into it with the different modules. We have endpoint security, which we start off with Falcon Prevent. So Falcon Prevent is our next-generation antivirus. It works both when you're connected and when you're not connected, you know, so you don't have to be connected to be protected; it's still protecting you if you don't have an internet connection. We have Falcon Insight, which is our EDR platform, which we'll be seeing shortly. You know, they do the real fun threat hunting, and we'll actually dive in there.

So the other things we'll cover today: device control. You know, whoever came up with USB was like a godsend, because, you know, serial cables were a pain in the neck, parallel cables are even worse; they have some age on them, like myself, again. But, you know, they also added, you know, I can throw something universal in, and Windows is so nice to automatically mount that for you, and if you happen to have an autorun, I'm going to be even nicer, I'm going to actually run that for you, yeah. So this is a way to, in your organization, drop down what you actually plug into USB. You can limit, say, hey, I only want Samsung USBs, so if I plug in another manufacturer, that's nice, it doesn't do anything with it. If I plug in a printer, I want anybody plugging in a printer, so I can do that. I'll be showing you a demo of that as well.

The firewall manager, that is on host management. We're not going out to any of the network devices and stuff like that, but it's a universal way for you to keep control on your Mac and your Windows firewalls. So a very simple way to block different ports: if you see an attack that comes up, you can just hop over to this module and block these. They're both in the demo.

Also cloud security: we can go with protecting containers that are out there. We can also see what type of view you have on the internet, what type of accounts I have, what do I have open. You know, the cloud is a wonderful thing, except trying to protect it can be extremely difficult, in that you can't walk into your data center if something goes wrong and pull one plug and you're not connected to the internet anymore. You can't do that at Amazon.

Next, threat intelligence. To be a good security company, you've got to actually know who's attacking you. You know, if you play any type of sports or anything like that, having any type of insight on who's coming after you is always a good idea. We have multiple things that don't have... If you look at the kill chain, the hardest part to figure out is actually recon, because you don't know what any of your employees are putting up on Facebook, TikTok, whatever, about themselves personally that the attacker can then use against you. Using that kind of thing, they've been searching the web to keep their identity clean going across. Also, the intel is distributed with our adversaries: you know, what is Fancy Bear doing? We actually come up with cute animal names instead of numbers to go through all the different major actors. You know, sandbox, stuff like that; you can throw stuff in to see what actually happens. And that works for... it's another way of saying, hey, I have this hash, what do you know about it? And we can give you everything we know about it.

Another module is identity protection, okay. If you guys have checked out recently, it's a lot easier to steal a car with the car keys than if it is actually hotwired nowadays, you know. So if I have an identity, being able to log into a box or boxes is a lot easier. With using identity protection, we're able to now identify who's on the domain; it's not just IP addresses happening, it's now actually Joe on that IP that's happening. And we can also add in other layers to stop possible lateral movement: we'll put in two-factor as somebody gets a login into another box. And then some of the elements we have on the IT side: you know, Discovery, find out what else is out there on your network. And then we also have Spotlight, which tells us, hey, what vulnerabilities do you have. Since we're on the endpoint, we know what you're running; let me tell you which ones need to be up to date with patching. Any questions? I didn't put anybody to sleep yet, that's my knowledge.

So, a single lightweight agent, companies... to deploy. Again, you can deploy this on Windows, Mac, Linux, in any type of VMs you can go across. That's both machine learning and, they'll use, just accomplish something, getting some of the intelligence back to it. Excited. Forgot about the delays, no. Our next generation, Prevent: this is our next-generation AV. So taking it to the next step, we're not relying on signatures. Signatures were a good thing in the 80s; that goes along real well without ever... you know that when you're downloading there's literally those DAT files. How many people remember that? Yes, more than two people, okay, I don't feel that bad. Yeah, so you're no longer getting downloads, you know. And also, being able to have machine learning: it's very simple to take a known virus, change one or two bits in it, it still runs exactly the same but has a completely different signature going across. Then also being able to unlock and lock the known and see what the people are doing. We also have IOAs, which we call indicators of attack, compared to indicators of compromise. You know, the idea is that a compromise is on the passive side, something that's already happened, whereas an indicator of attack is something about to happen. Thank you.

Falcon Insight, which gives us the next one. This has been collecting over the 200 points of telemetry. Adding to this, you know, we're able to see the real-time and historical: if I found something on one host, let me see if it's on the other host. It gives you a nice query language to go back. We record everything, okay, so what did you type in, like, we can go back and show you the command line. You can do those searches for both, yes, Linux and Mac and on Windows. Really nice when you're trying to figure out who knows how to type in commands and who doesn't know how to type in commands. And then we also have real-time response and containment. So you find something bad on there, well, let's see, I can contain it, which means it can't go anywhere; it only talks to you. Being able to do real-time response, I can now hop onto the box on the command line and perform any type of action I want to gather from that box. Do I want the file that was on there? Do I want a memory dump? Okay, there's probably about 20 different commands you can do, and one of those is called PowerShell. So any type of PowerShell script you can write, you can then upload it to this box, when it's contained or when it's not contained, and completely run it. You get all that information, so no matter where the person is, you don't have to call them up on the phone and try to hop onto it. It's just as long as they have access. Thank you.

All right, the interface. Being an analyst, you're going to log in, you're going to see this, you know, really go-to. And the first number you see in the upper left-hand corner is going to tell you if you're going to have a bad day, okay. It's a score from zero to 100, okay. This is the only time you want to get zeros: the higher the number, the worse day you're going to have. So if you have more events on your network... Next one, the new detections. The one you might see, as I close them out, it's going to disappear, and over time you can see where your score goes to, the different techniques that were applied to it.

All right, so from here let's go to, like, new detections. What do we have out there, what are we actually seeing? So as you see detections, you know, you have different severity levels that, like you would expect, it would have: anything critical, high, low, medium. But you can also search for what type of tactics am I looking for, what type of, you know, how long ago did it happen, what actually triggered it. So let's start kind of easy here. So I have a medium attack, you know, WannaCry. Yes, this isn't a lab, a mate actually found it. I think that this thing should be dead, you know; it's been way too long out there in the wild. But going over the different types of information we're providing back and what actually happened during it: this has nothing to do with the guy who actually did the DNS request. It did not have to hit the trick or kill command; we just killed the command by seeing it run. So go a little further. This one's kind of interesting. You're probably thinking, why would I catch on a ping command? Why would an attacker use a ping command? To begin with, I don't have to be there. I want to see if my command and control center is up and running; if I can ping it and see it, then I know I can continue, okay. But also attached to this you see something that appears as a Fancy Bear profile. I talked a little earlier that our intel, and how we do it, is we name them after adversaries. I've seen a bunch of stickers or a bunch of statues, you know, with our adversaries, okay. Fancy Bear being Russia; Fancy is just one of the nice adjectives we add to it going across. So again with the intel, if we actually click on the additional intel with it, it brings up all the information that we know about Fancy Bear. Now, where is it from?

All actors' activity: this is inside your network, okay. Again, you want to see all these numbers being zero, because if not, you have five adversaries in your network, which again, you're not going to be having a good day. Hopefully it's not Friday at about two, but, no pun intended, yeah. So going through some descriptions, going across, what do they do in the kill chain, and we always talk about filtering. You can also look for other places in your network. And then reports: what type of reports have we published about this adversary? They're going to list all the ones that we've previously done; just by clicking on them we can completely bring up the full report. Now, what type of actions are also related inside the Falcon platform? Now, do I have any other detections? Are there any other reports I have? Are there any vulnerabilities that Fancy Bear normally goes against that I know are vulnerable on my network? So an easy click of just going there. We'll get into vulnerabilities a little later. In the next section we're going back to the activities.

So those two, I'm sure, are really good examples of how our AV would work for next generation; that's the type of information you get back just by having our Prevent module. Having Insight gives you a little bit more, and we're able to build on it. So this one being critical, and we've got 21 different events going across, and when we have this many, we're able to do something called an incident. So initially it's multiple events with either one or multiple hosts that the attack can happen on. These don't come up too often because we're not always blocking things; this was done in detection mode only, you know, for example purposes. But we see again that we have lateral movements. Now, by having the multiple agents across, we're able to see how it happened from one host to another host, and you guys that play Capture the Flag, this might look a little familiar as well too. But what you're always going into here the most is our graph, and we can show you, I'm hoping that it's big enough on that screen, that should be nice to see. You see step by step all the different types of movements that they did, and so we can see here originally we got both on this box, so it's going across here and has to go across. It also finds you up first, it'll hop something, you know. So it's a very simple way of seeing this graphically, and then we can also click a nice report and print this all out and tell your manager, here, I just spent in the past, you know, 40 hours figuring this out, you know, and print it out and hand it to your manager here, and we'll come up with something upstairs. Network, all of it. Yes, yes sir?

For the attribution, how do you do attribution? You mentioned Fancy Bear there; like, how did it come to that conclusion? Is it based on...?

So with that one, with the ping command going to some IP address, yes, we know that the IP address is associated with that. We've seen it in other attacks, either from our IR or other intel that we gather across, or we found it on the dark web, something like that. What we also use to attribute is the different techniques that they use. You know, if they're used to using just Mimikatz, you know, with this one paper or something like that, we have recordings of that, and that's how we attribute it back to the actors.

So the first one makes sense; the second one is where it becomes a little bit fuzzy, because I've seen kind of problems with attribution when you're kind of focusing more on techniques rather than, like, infrastructure, which is easier on that.

It's a soft attribution, okay. We'd rather say, hey, here's what happened, and say, okay, this person did it, you know. We let our intelligence agents and stuff like that, who are on the dark web looking for the information, from our IR responses and stuff like that, get more attribution later on, instead of, hey, this simple command triggered it with this one user. Yes, you hate pointing to, oh, you know, this person did it, and you find out later somebody else did; you really don't look good, you know. So next, I talked about, you know, we're able to create and manage...

Oh yes, those numbers, are they just counts, or... the number two in the one, or the other one? That's the dashboard?

Dashboard, yeah. So when I see 1200, right, does that suggest, you know, severity, or is it just counts? You know, so that two out there is basically, maybe there's a medium event that happened, you know, and it just passed, or even if we start blocking them, that's where we'll actually come down. So you can leave on a Friday and come back Monday and feel a lot happier. But I still recommend, you don't want that new detection count to keep going up; you want to start closing those. A normal organization is probably between zero and five on a daily basis, just because of people either going to their websites or stuff like that, or maybe hesitant, I'll represent across.

So firewall management. You're able here, you can do a couple of things with this. Being on a topic, one, you know, the real simple stuff: the firewall just blocks in a lab. Then you can also monitor, so if you want to see how many people are going to port 80, which is a fun one to do on networks, and aren't really being redirected to 443, you know, we can start gathering that information: how many people are SSHing in your organization, how many people are using ports lower than 1024, and stuff like that. It's very helpful.

Take a quick look at pictures of our device control. We're talking about USB; we're going a little bit deeper in, you know, what can we see in real time of this. This is a very easy way to take information out of your organization: so plug your USB drive in, copy whatever I want, and walk out. You want to make it even easier? Add that laptop in my living room; I don't even have to go far, I just have to take it out and leave it on the coffee table. And we can give you very easy reports saying here's how many files were written to a USB drive. You know, do you want this? So now you can start going through those files to say, hey, is this anything important, or is the person just making a backup? Take another: USB devices, does somebody plug an extra wireless in? You know, if you're on any closed network, if somebody put up a wireless speaker in your own network... Internal question, yes?

How do you guys handle the secure ones, like the FIPS USB drives and things like that, to make sure they're out of their own management system, if you're familiar with data blockers and that sort of stuff?

So it's just a good question. Mike, I can tell you that comes under our other category. Looking across it, so what do we see here: USB devices, as an example. You know, you have to invoke their security thing, I guess; you'd have to make sure that... So this is when I plug it into the Windows system. Yeah, it won't be recognized until you invoke their authentication, but once it gets in, then the Windows system would activate it. You still need a driver on the OS to actually recognize it, obviously. Okay, so the second that that driver got activated, we would then see, hey, there's a USB device plugged in, and maybe get the header information, and then we can see the manufacturer, you know, BIOS and serial number with those, based on what your settings are. On the screen that you're not seeing, sorry for the eye chart, but we have a lot of USB devices in this environment. Okay, so you see the different types of classes, who the manufacturer is, and, you know, some different types of devices going through here. We get the timestamps and everything. So going back to your question, if it's a full system on a USB interface, the first thing, when that USB interface got power to it, it would start up; you would then authenticate it to it rig