CROWDSTRIKE FALCON PLATFORM (slide diagram)
Platform modules: Endpoint Security, Cloud Security, Managed Services, Security & IT Operations, Threat Intelligence, Identity Protection, Log Management, CrowdStrike Store.
Foundation: Falcon Fusion, CrowdStrike Threat Graph, Humio DB, lightweight agent (cloud, mobile).
KEYS TO YOUR ENTERPRISE
Slide diagram: adversary kill chain mapped to MITRE ATT&CK tactics, shown for both eCrime and targeted intrusions, with the Falcon Sensor on the endpoints, traffic over port 443, and the MFA UI.
Tactics: Initial Access (TA0001), Execution, Discovery (TA0007), Privilege Escalation (TA0004), Credential Access (TA0006), Lateral Movement (TA0008), Impact (TA0040).
Techniques labelled on the diagram: Valid Accounts, Command and Scripting, System Owner/User Discovery, OS Credential Dumping, Remote Services, Archive Collected Data, Exfiltration Over Alternative Protocol, Ingress Tool Transfer, Service Stop.
IDENTITY + ENDPOINT (bundle comparison table)
Four Falcon bundle columns are shown side by side; the features distributed across them are: Next Gen Antivirus, Endpoint Detection & Response, Remote Response, Integrated Threat Intel, Device Control, Firewall Management, Managed Threat Hunting, Identity Protection, IT Hygiene, and, in the final column, Falcon Endpoint Protection Delivered as a Service with a Breach Prevention Warranty.
©2022 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
FALCON ENDPOINT AND IDENTITY PROTECTION ELITE
Components:
▪ Next Generation Antivirus & Endpoint Detection and Response
▪ Integrated Threat Intelligence & IT Hygiene
▪ Managed Threat Hunting
▪ Real Time Identity Protection
▪ Detection of identity-based attacks
▪ Identity-based Segmentation
▪ Frictionless MFA Adoption
▪ Proactive Identity Threat Hunting
BUSINESS VALUE
▪ Protection that unifies NGAV, EDR, Identity and IT Hygiene
▪ Enable threat hunting and real time visibility
▪ Speed investigation and response
▪ Discover unprotected systems, risky applications and users
▪ Stop identity-based attacks in real-time
▪ Provide deep visibility into the hybrid identity landscape
▪ API to MFA/SSO, SIEM, SOC, SOAR architecture
Additional Benefits
❏ Expertise to prevent identity-based attacks
❏ Surgical response to identity-based threats in minutes
❏ Backed by Breach Prevention Warranty
IDENTITY THREAT PROTECTION
80% of data breaches have a connection to compromised privileged credentials (Forrester Research).
Breaches from stolen/compromised credentials took the longest to detect: 250 days.
Identity risk sources shown on the slide: stolen credentials, legacy systems, contractors & supply chain, unmanaged systems, service accounts.
Controls shown: proactive control, continuous visibility, real time.
Scenario walkthrough (slide diagram; actors shown: IT Contractor, Adversary, Server 1).
Outcome at each stage: host network contained; persistence removed; ransomware blocked; admin account locked by IT Ops (BLOCKED).
RECOMMENDATION: Reset admin password.
Intrusion contained and remediated within minutes.
Zero disruption to business processes or users.
Zero trust architecture (slide series)
Drivers: apps everywhere, work anywhere; nation-state actors; ransomware, supply chain threats; insider threats.
Pillars: PEOPLE, WORKLOADS, NETWORKS, DEVICES, DATA VISIBILITY, AUTOMATION & ORCHESTRATION.
▪ Behavioral data
▪ Segmentation & least access
▪ Security automation (tied to context)
▪ Continuous verification
CONTINUALLY VERIFY + BEHAVIORAL DATA + SEGMENTATION
Frictionless User Experience
Architecture diagram: Requestor Data (Endpoint, Identity, Workload) flows to the Security Cloud, which returns a CHALLENGE/BLOCK or ALLOW decision for access to Public and Private Cloud and Data Center resources, with an API for integration.
Automate Context and Integrate With Existing Tools; Increase Security Coverage/Save Cost.
CONTEXT & CONTROL; RISK SCORE. Integrations: SSO, AD, Azure AD, SIEM, Identity Providers, CASB, Secure Access, SOAR.
WHY CROWDSTRIKE? MAXIMUM SECURITY COVERAGE + REDUCE COMPLEXITY AND COST
Additional Slides
Modern Attacks
MODERN ATTACKS: THE TWO PART PROBLEM
Without identity protection (slide timeline annotation: 16 seconds):
• Initial Access
• Discovery
• Create new computer account
• Rename it to a DC name (without the trailing $)
• Request a TGT for the original computer name
• Request a TGS for a service running on the DC
• Complete Domain Compromise
With identity protection (slide timeline annotation: 16 seconds):
• Create new computer account with a random name: Event Detection
• Rename to match any DC: Event Detection
• Authorize new computer account: Event Detection
• Request privileged access to the DC: MFA Challenge
• Complete Domain Compromise: PREVENTED
LOG4J ATTACK
▪ An environment without the Falcon Platform or Falcon Zero Trust installed is the target of a skilled adversary
▪ The attacker has credentials but has otherwise been locked out of the target environment by perimeter defenses
▪ The attacker leverages a Log4j exploit to place a web shell on a vulnerable system in the target environment, breaking the perimeter
▪ The attacker interacts with the web shell and uses the credentials to RDP, unchallenged, to the Exchange server
▪ The attacker dumps the credential store on the server
▪ Complete Domain Compromise
Attack timeline (slide diagram, shown in three builds with time annotations of ~24 hours and 7 minutes):
• Adversary interacts with web shell: Command and Control
• Adversary uses credentials: Valid Accounts
• Adversary RDPs to Exchange Server: Lateral Movement
• Adversary drops credential theft tool: Ingress Tool Transfer
• Adversary dumps identity store: Credential Access