Cyber security has clearly shifted focus in recent years from static protections such as signature-based antivirus to more proactive, real-time protections based on observed indicators of attack. As part of this shift, many exciting new innovations have emerged, including the deployment of graph database technology, machine learning algorithms, and cloud-based intelligence. Next generation endpoint security is thus becoming a more effective means for preventing attacks, as well as supporting the hunting task, should an intrusion actually occur. I had the opportunity recently to sit down and discuss these advances in endpoint cyber security protection with one of the great pioneering experts in our field, George Kurtz, CEO of CrowdStrike.
EA: George, what do you see as the definition of an endpoint today? It used to be simple, namely your PC or laptop. But today, does the definition include mobiles, IoT devices, industrial control elements, cloud workloads, and on and on?
GK: We do have enterprise customers who maintain a conventional view of endpoint definitions, where employees are mostly using Windows PCs connected to perimeter-protected LANs running enterprise software tools such as the Office suite and Active Directory. In these environments, the currently evolving notion of the endpoint, including industrial control or IoT devices, is interesting, but not relevant to their day-to-day world. This is true for mobile as well. Certainly, we all have our iPhones and Android devices – and I guess BlackBerry too, but these are often not viewed today as being true endpoints in many companies and government agencies. At CrowdStrike, we know this will change, so we have the obligation to our customers both to serve their existing needs and to be helpful and ready to support evolution to a broader context. Clearly, employees of companies of all sizes will begin viewing their tablet on par with their laptop or PC, and our technology is designed to support such evolution.
EA: What is the specific role of machine learning and graph analytics in protecting endpoints? Is this the secret to replacing signatures with something more acceptable?
GK: There is certainly nothing inherently evil about signatures. As you know, for many years, the only technique we had in the protection of endpoints was the development of signatures based on deep analysis of viruses, worms, and other malware. With the development of variants, however, the work equation shifted and it became significantly easier to develop a modified version of some malware than to develop signatures. This work gap between the offense and defense required modification in the protection strategy – hence we began to use machine learning over our ThreatGraph (which handles 20B events per day of threat data) rather than signatures in our security tools. This really became a major help, because it opened all sorts of new possibilities, including the potential to stop malware both statically and at runtime. More importantly, we can look at the attack kill chain and identify behaviors that do not use malware. In fact, many of the most virulent attacks don’t use malware, but instead use things like credential theft and social engineering. No antivirus is going to detect this activity. We like to say this: “Stop the breach and go beyond just stopping malware.”
EA: If a nation state figures out an APT method that is detected and reverse engineered, can they continue to make straightforward adjustments in the attack to hide from security teams? Or does the security and behavioral analytic process prevent this from working?
GK: Well, you can’t prevent nation states from figuring out and doing whatever they might decide to do. They are capable adversaries, and will, unfortunately, just get even better. And yes, they will try to develop slight variants, simply because that is so easy, and is the currently accepted offensive methodology. But our approach at CrowdStrike is to develop static and dynamic technologies, based on threat intelligence and deep understanding of both the endpoint and the operating environment, that stop broad classes of attacks, without having to pick apart the malware for a specific, easily changed identifier such as a file name. Our Falcon platform drives this type of solution to the endpoint with the goal of continuous visibility, which is a big change from early antivirus. And of course, our threat solution is delivered via the cloud, which really does change the game, given its ubiquitous nature. Finally, our teams of expert adversary hunters are essentially watching our customers’ backs on a 24/7 basis, which has proven to be invaluable in dealing with a capable adversary who changes tactics. Put all this together, and the defensive solutions to endpoint attacks are so much better than in the previous generation.
EA: You are one of the pioneers in anti-malware techniques. What are some of the trends you see in this aspect of cyber security technology?
GK: Not only are we pioneers of anti-malware technology, but we are the only company to unify next-generation antivirus, endpoint detection and response, and managed threat hunting into a native cloud platform with only one agent. Yes, that is right – just one! Moreover, the new focus on cyber security hunting is a welcome trend. The image of the hunter is exactly the right one for modern enterprise cyber security. Armed with excellent tools, and we think our platform is among the best, the cyber hunter from our Falcon OverWatch team is both doing preventive work, looking for early indicators, as well as response work, looking for indicators of ongoing or previously initiated attacks. It’s interesting that hunting combines both active and passive, preventive and responsive, and also automated and human defenses into a common, integrated solution. At CrowdStrike, we not only support the enterprise hunter, but we back up our solution with some of the best expert adversary hunters in the business. Now, granted, a smaller organization will not have the budget or desire to hire a bunch of cyber hunters. This is obvious, and our platform and endpoint solution are designed to provide them with world-class protection, offering proactive support that also leverages crowd-sourced knowledge to make up that gap.
EA: Do you think we’ll ever see a true Cyber 9/11? Is this inevitable given the asymmetry of the cyber security equation?
GK: We have to be careful about how we characterize cyber risk. As much as it is a critical threat, there is no loss of life involved and we don’t like to use hardline analogies like 9/11. You’re correct about the asymmetry. We all know that it’s easier to attack than to prevent. At the core of today’s advanced defensive approaches is the belief that there is no silver bullet. New techniques like behavioral blocking, machine learning, continuous monitoring and proactive threat hunting make it significantly harder for the attacker to succeed. If we mature our defenses to match or surpass the maturity of the attacker, then we stand a much better chance of preventing mega breaches. In short, we all have to raise our game. At CrowdStrike we deliver the people, process, technology and intelligence to make it easier for organizations to do just that. We also leverage advanced techniques like machine learning and threat graph technologies that amplify security resources and scale capabilities to drive defenses that are faster, more agile, and ultimately more successful than the offense.