

IPO analysis of CrowdStrike (2)

Posted by melchionda at 2020-02-25

In terms of product positioning, CrowdStrike has given itself three labels: SaaS-based endpoint protection, threat intelligence and cloud security, and it has consistently emphasized how it differs from competing products. In this article I will adopt CrowdStrike's own point of view as much as possible and bring in my personal subjective evaluation as little as possible. Whether everyone agrees with CrowdStrike's self-positioning is a matter of differing opinions. Let's first look at what CrowdStrike considers the limitations of other products, and then at its own specific functions and modules. CrowdStrike classifies other products into five categories.

1. Traditional signature-based products. Signature-based products are designed to detect previously identified threats, but cannot prevent unknown ones. This is a reactive approach: by the time a threat can be found and identified, it may already have caused heavy losses to the victims. If the attack code is slightly modified, the signature-based method may fail to detect it. Over the past two decades many major vulnerabilities have been found that traditional signature-based anti-virus products could not detect or protect against in advance.

2. Malware-centric machine learning products. Traditionally, organizations have focused on protecting their networks and endpoints from malware-based attacks, that is, attacks involving malware built for a specific purpose: performing malicious activity, stealing data or damaging systems. A defense centered on malware leaves organizations vulnerable to attacks that use no malware at all. According to customer data indexed by Threat Graph, 40% of detections in the second quarter of fiscal year 2018 were not malware-based but used legitimate tools already present on the system, allowing attackers to achieve their goal without writing files to the endpoint, which makes them harder for traditional anti-virus products to detect.

3. Application whitelisting products. Application whitelisting products use always-allow or always-block policies on the endpoint to permit or block process execution. The whitelist relies on manually creating and maintaining complex rule lists, which burdens end users and IT personnel. To avoid these management challenges, IT organizations often create special exceptions to the whitelist, which attackers then use to compromise endpoints. In addition, fileless attacks can take advantage of legitimate whitelisted applications, thereby undermining the integrity of whitelisting products.

4. Network-centric security products. Traditional network security vendors focus their products on perimeter-based protection. However, as employees and workplace devices expand beyond the firewall, the relevance and effectiveness of these methods decrease, and the growing use of encrypted traffic increases the blind spots and weaknesses that attackers can exploit. With the increasing number of endpoints, this defense layer cannot fully protect the information-rich endpoints and workloads around the enterprise.

5. Bolt-on cloud products. Many on-premises vendors introduce cloud products by putting their on-premises products in the cloud. Such single-tenant products were not designed to run in the cloud, so they remain siloed, lack integration and have limited scalability. In addition, these products are complex to deploy, difficult to scale, expensive to use and ineffective at preventing breaches. Any product originally designed for internal deployment and then migrated to the cloud cannot, by definition, be a cloud-native solution.
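Points 1 and 2 above make two claims that are easy to see in code: a byte-exact signature stops matching after a trivial change to the sample, and a detection that looks at what processes do rather than which file was dropped still fires when nothing is written to disk. The following is an added example written for this article, not code from CrowdStrike or from the original post. The sample bytes, hostnames, process names and the parent-child rule are all constructed assumptions for the demo; the fileless share it computes is over that constructed data, not the Threat Graph figure quoted above.

```python
"""
Added example (not from the original post): a byte-exact signature misses a
trivially modified sample, while a behavioral rule over endpoint telemetry
catches activity that never writes a file to disk. All samples, hostnames and
process names below are constructed for the demo.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# --- 1. Signature-based detection ---------------------------------------------
# A constructed "known bad" file body and a signature database (SHA-256 -> family).
KNOWN_SAMPLE = b"MZ\x90\x00" + b"constructed-sample-body-v1"
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Constructed.Sample.A"}


def signature_scan(file_bytes: bytes) -> Optional[str]:
    """Return the family name on an exact hash match, otherwise None."""
    return SIGNATURE_DB.get(hashlib.sha256(file_bytes).hexdigest())


# --- 2. Behavior-based detection ------------------------------------------------
@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record as an endpoint agent might report it (constructed)."""
    host: str
    parent: str       # image name of the parent process
    child: str        # image name of the spawned process
    wrote_file: bool  # whether the child dropped anything to disk


# Illustrative rule (an assumption, not a vendor rule): a document viewer spawning
# a script or shell host is suspicious whether or not a file was written.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def behavioral_detect(event: ProcessEvent) -> Optional[str]:
    """Return a rule name if the parent/child pair matches, otherwise None."""
    if event.parent.lower() in DOCUMENT_APPS and event.child.lower() in SCRIPT_HOSTS:
        return "document_app_spawned_script_host"
    return None


# Constructed telemetry: one benign event, one fileless intrusion, one that drops a file.
TELEMETRY = [
    ProcessEvent("ws-01", "explorer.exe", "winword.exe", wrote_file=True),
    ProcessEvent("ws-02", "winword.exe", "powershell.exe", wrote_file=False),
    ProcessEvent("ws-03", "winword.exe", "cmd.exe", wrote_file=True),
]


def run_demo() -> dict:
    """Run both detectors over the constructed inputs and summarize the outcome."""
    modified = KNOWN_SAMPLE + b"\x00"  # a one-byte change to the known sample
    detections = [e for e in TELEMETRY if behavioral_detect(e)]
    fileless = [e for e in detections if not e.wrote_file]
    return {
        "signature_hit_original": signature_scan(KNOWN_SAMPLE),
        "signature_hit_modified": signature_scan(modified),
        "behavioral_detections": len(detections),
        # Share of detections with no file write, computed over constructed data only.
        "fileless_share": len(fileless) / len(detections) if detections else 0.0,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the original sample hitting the signature, the one-byte variant missing it entirely, and both document-spawns-shell events being flagged regardless of whether a file was written. In a real EDR pipeline the parent/child rule would be one of many, with the process tree, command line and network activity feeding a richer behavioral model; the point here is only that the detection keys on activity rather than on file content.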

Unlike the five types of endpoint security products above, CrowdStrike considers itself a SaaS-based endpoint protection product that integrates 10 cloud modules through a SaaS subscription, covering three areas: endpoint security, security and IT operations (including vulnerability management), and threat intelligence. Through a single data model and an open cloud architecture it exposes APIs so that, in the manner of an app store, third-party partners can quickly innovate, build and deploy new cloud modules and provide more value-added functions for customers.

In terms of endpoint security there are mainly three modules: NGAV (next-generation anti-virus), EDR and device control. Combining machine learning and behavioral analysis, they can resist both malware and non-malware attacks (malicious code injected into legitimate software), achieve continuous and comprehensive visibility and analysis of endpoint activity, and give administrators visibility into and fine-grained control over USB devices. The specific functions of the three modules are as follows:

Falcon Prevent - next-generation antivirus. Falcon Prevent provides next-generation anti-virus capabilities and comprehensive protection against malware and fileless attacks. It combines recognition of known malware with machine learning for unknown malware, and uses blocking and advanced behavioral techniques to replace customers' existing traditional anti-virus products.

Falcon Insight - endpoint detection and response. Falcon Insight provides customers with EDR capabilities that allow continuous and comprehensive visibility, informing them in real time of what is happening on the endpoint. It records and automatically analyzes activity on endpoints to provide in-depth visibility, fast and powerful search, and comprehensive context and data for proactive threat hunting and forensic analysis.

Falcon Device Control - device control. Falcon Device Control gives administrators high visibility into and fine-grained control over USB peripherals.

In terms of security and IT operations there are mainly four modules, addressing IT hygiene, scan-free vulnerability management, turnkey one-stop security and vulnerability management, and threat hunting based on Threat Graph with security-team support. The specific modules are as follows:

Falcon OverWatch - threat hunting. Falcon OverWatch is a threat hunting service made up of a team of professional security experts who use Threat Graph to proactively identify threats to customers. The global Falcon OverWatch team seamlessly augments customers' internal security resources to identify and investigate suspicious and malicious activity.

Falcon Discover - IT hygiene. Falcon Discover identifies malicious systems and applications in the customer's network and monitors the use of privileged user accounts anywhere in the customer's environment. The module also supports use cases beyond security, such as application license management, AWS spend analysis and asset inventory.

Falcon Complete - turnkey security solution. Falcon Complete provides customers with a comprehensive monitoring, management, response and remediation solution. It aims to provide enterprise-grade security for companies that may lack enterprise-grade resources.

Falcon Spotlight - vulnerability management. Falcon Spotlight identifies vulnerabilities on endpoints in real time. The module does not rely on a scanning system; it uses the data already collected by the agent to provide real-time, accurate visibility into the enterprise's vulnerability risk.

In the area of threat intelligence, identified threats are examined automatically through the malware search engine and the malware analysis module. The specific modules are as follows:

Falcon X - threat intelligence. Falcon X integrates threat intelligence into endpoint protection. It automatically analyzes detected threats to give insight into the capabilities, motivation and attribution of attacks. By providing actionable intelligence and custom IOCs, it also extends protection against detected threats and their variants to the other security solutions deployed within the organization, for defense-in-depth coverage.

Falcon Search Engine - malware search. Falcon Search Engine lets customers search in real time across 300 TB of malware collected on the Falcon platform, indexed with binary data indexing technology.

Falcon Sandbox - malware analysis. Falcon Sandbox analyzes the malicious behavior of unknown files in a virtual machine. The sandbox provides visibility into malware behavior and automates in-depth file and memory analysis to speed up threat protection and response.

The CrowdStrike Store is a very interesting feature: it claims to be the first cloud-based application platform for cybersecurity, that is, a platform as a service (PaaS). The CrowdStrike Store brings customers a unified security cloud ecosystem of trusted partners and applications. It allows customers to quickly and easily discover, try and buy applications from trusted partners and from CrowdStrike without having to deploy and manage additional agents and infrastructure, or go through lengthy sales, integration or implementation processes.