Crowdstrike CTO on securing the endpoint and responding to a breach

Where does CrowdStrike fit in the cyber security industry?

CrowdStrike was born out of a frustration that George Kurtz and I had with the fact that security solutions that were in use at the time – AntiVirus, Firewalls, Web and Email Security Solutions, SIEMs, etc. – were not effective at identifying and stopping persistent and sophisticated threat actors.

For several years prior to starting CrowdStrike, I was responsible for investigations that uncovered many groundbreaking and long-running nation-state espionage and destructive campaigns from countries such as China and North Korea. Some of these campaigns had gone on for years prior to being discovered with victims losing terabytes of valuable intellectual property and trade secrets over that time. We knew that a different approach was needed to change the game and that resulted in the creation of CrowdStrike.


That approach was to build a cloud-based next-generation endpoint security solution — CrowdStrike Falcon — that can identify and stop breaches leveraging machine learning and artificial intelligence, behavioral Indicators of Attack and a world-class threat hunting team that finds the needle in the haystack and helps stop a dedicated adversary dead in their tracks.

What is the most effective way to secure endpoints?

There were several key ideas and principles behind the next-generation endpoint technology platform that we had designed and built at CrowdStrike.

The first was that a modern security platform had to be built as a native-cloud solution. The cloud was critical not just for ease of management and rapid agent rollouts, but also for protection of off-premise assets and workloads deployed in public and hybrid clouds.

The cloud would also be used to dramatically reduce the performance impact that an endpoint agent would have on a system, as heavy processing work would be offloaded to elastically scalable cloud compute. Finally, the cloud could leverage the power of crowdsourcing – the collection of trillions of security-related events from endpoint agents deployed all over the world – to learn from every adversary action and take away their ability to reuse tradecraft as they launch attacks against new victims.


The second principle was to leverage machine learning/artificial intelligence to predictively identify new threats by training algorithms on the largest dataset in the security industry – over a trillion events collected every single week by CrowdStrike Falcon agents protecting organisations in 176 countries. In addition, we coined and pioneered the concept of Indicator-of-Attack (IOA), a fundamentally different behavioral-based approach to threat detection that focuses on identifying the tradecraft and techniques of an attack vs. the specific and brittle signature or indicator of compromise that maps to a specific malicious tool employed.

The final key principle was to add a dedicated elite 24/7/365 threat hunting team to the platform that would continuously hunt for new intrusions in security data streamed in real time into our cloud from Falcon agents. This team would also be responsible for providing rapid, actionable information to the customer about the attack as it is being observed, and recommendations for how to respond to stop a breach.

What is the most effective way to respond to and overcome a breach?

The key to effective breach response is speed. In order to beat the adversary, you have to be faster than them and get inside their OODA decision loop, as the US military would say. There are three key outcome-driven metrics that I strongly encourage every organisation to start tracking to determine their effectiveness at breach response. These are:

• Time to detection: The time that it takes you to uncover an intrusion on your network. The best organisations try to do this within one minute (on average). This is obviously mostly driven by automated means – employing IOA and machine learning based approaches.
• Time to investigation: The length of time it takes to find out if the incident is a real intrusion, determine the impact and figure out next steps (containment, remediation, etc.). Top security teams do this within 10 minutes (on average).
• Time to remediation (the third and most important metric): The time needed to eject the intruder and clean up the network. This may involve coordination with the business owner of that asset. The best of the best try to accomplish this within 1 hour (on average).

The reason these metrics are important is due to another metric that CrowdStrike has observed in its investigation of 25,000 attempted intrusions each year. That metric is called ‘breakout time’ – the time that it takes for an attacker to break out of the beachhead system they have landed on in their initial compromise of the network (via spear phishing, direct exploitation, use of stolen credentials or some other method), elevate privileges, steal credentials and move laterally to other parts of the network. That breakout time in 2017 was 1 hour and 58 minutes, which shows that if an adversary can be stopped and ejected from the network within 1 hour, they will likely not have enough time to get to critical assets within the network and cause a major breach.


Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...
