CrowdStrike: Defenders Must Look Beyond Malware Detection


Executive Says Beware of Attack Techniques That Leave No Trace

The computer security firm CrowdStrike is one of a handful of data breach response and threat intelligence companies called upon by organizations when they suspect they've been hacked. For example, the company recently investigated the breach of the Democratic National Committee's systems, concluding that two Russian state-sponsored groups were likely responsible (see: After Russia Hacks DNC: Surprising Candor).

CrowdStrike is now moving into Asia Pacific, an expansion it signaled after it closed a $100 million funding round last year led by Google Capital. Information Security Media Group recently spoke with Michael Sentonas, vice president for technology strategy at CrowdStrike, ahead of the company's launch in the region. Before joining CrowdStrike, Sentonas was chief technology and strategy officer Asia Pacific at Intel Security. The following is an edited excerpt of the discussion.


Asia Pac's Unique Needs

Jeremy Kirk: What have you observed as far as the needs of organizations in Asia Pacific in computer security?

Michael Sentonas: The thing that has become clear to me, and I've been in the industry for a very long time now, is that organizations can't prevent 100 percent of breach attempts. A sophisticated adversary will eventually get in, and people are really starting to question the existing technologies that they use.

The big challenge is that the security industry traditionally focuses on dealing with malware. And it's a race to see who can provide the best signature or the best behavioral signature. Largely, the industry does the same thing: detect and prevent malware as quickly as possible. That's certainly really important, and prevention is always obviously an important thing to do. But you also need to see beyond malware. You need to be thinking about how you can detect and stop all attacks, even those that don't involve any malware. And I think many enterprises today don't have that awareness. They don't have that capability to proactively hunt and detect hackers on their networks. And I think this is one of the key value propositions.

Investing in the latest technology to keep pace with adversaries is not optional anymore. You have to do it to stay in business.

Beyond Malware

Kirk: It's interesting you mentioned that some of these attacks don't involve malware. I spoke the other day with Dmitri Alperovitch, who is the co-founder of CrowdStrike, and we were talking about what happened to the Democratic National Committee. He told me that there was not a lot of malware used in that attack. In fact, what was used were Windows administration tools like WMI and PowerShell, which was making the compromise difficult to detect.

Sentonas: That's a common technique. Every organization on the planet today has some form of endpoint security. People have a firewall. People have an IPS. Attackers know this. It's not rocket science to them that they're going to come up against these types of countermeasures. So they spend time to work out how to evade the countermeasures that are there, or they'll find techniques to use similar to the ones that you've talked about that don't involve malware at all, which means all of these countermeasures that an end user deploys simply are blind to these types of attacks, which we would call silent failure.

And I think that's something that we need to really talk more about. The industry has this huge argument about prevention versus detection. We're really debating the wrong things. When you can prevent and stop malware, we agree you should be doing that. But there's more to breaches than just your basic type of malware, and I think that's something that we just need to acknowledge and sort of take all the hype around it and say, end-to-end you need to understand how somebody's penetrated your network, defend where you can, and then just be aware and work out how to remove them when you don't have those tools in place.

What About Process?

Kirk: Companies use lots of different kinds of security technologies. Is it also an issue of process too? Do you advise companies about the need to know where sensitive information is kept and maybe segregating that in a stricter way?

Sentonas: That's a really great question, and for me it always starts off on the process side. I don't agree with buying technology because you went to the RSA Conference and people were excited about a particular product from a vendor. If you don't know what your valuable information is, if you don't know where it's stored, and you don't know the risks to your business if you were to lose that, how are you making decisions about how to protect it? You might be buying technology that is irrelevant given your specific environment and the architecture that you use.

So more and more, we need to pause and think about what it is that we're trying to solve. What problems are inside the organization? What could happen? Where is that information? And then start thinking about technology after the fact.

Common Mistakes

Kirk: What are some of the common weaknesses or mistakes that you see companies making when trying to defend their networks?

Sentonas: The biggest thing that I would say is pretty much everything that I see is largely the same strategy, where people are trying to put in many malware defense technologies. They're going out and buying a firewall, and the latest thing is talking about next-gen firewalls; they buy a new endpoint; they buy new sandboxes - but they're really designed to do the same thing, and that's stop malware as quickly as possible. It's a critical requirement, but we need to, as I said earlier, go beyond just that traditional 'whack-a-mole' approach of finding viruses and malware as quickly as possible and stopping them. That whole intelligence strategy to know your adversary, to know what's going on inside your network, to understand what could be going on is critically important. And a lot of people just simply don't have that skill, so that's a critically important piece of the strategy that needs to be focused on - especially in this part of the world.

The Problem with Passwords

Kirk: A traditional problem right now is just passwords. What do you see along the password front? Is that still one of the primary points of weakness for organizations?

Sentonas: I would say it certainly would be up there in the top. We saw the recent case of Mark Zuckerberg having an unfortunate incident where a couple of his accounts were taken over, and there were discussions in the media around password reuse. I'm not sure of the specifics behind that, but what we can see is that problem of password reuse is common. And, you know, people struggle with trying to maintain 20, 30 different passwords to all the different systems they use, so they just basically use one password or two or three passwords across every system. And then when there is a password breach - that's how attackers can log into other systems and other devices.

Logging into a system is a legitimate action, I should say, that your traditional security defenses aren't going to trigger on. They're not designed to alert you to that fact. But what happens after that could be very important. Somebody logs into the system and downloads a new version of Mimikatz that they customize to evade their desktop endpoint security, and then they suddenly dump all the administrative credentials off the network. That's a serious issue. As I mentioned, your traditional technologies may never see that, but we will expose that attempt and that potential compromise, and then we'll make our end users aware of that. We'll notify them. We'll work with them to solve that problem. So it's a very different approach.

Kirk: Do you see widespread use of password managers in enterprises these days?

Sentonas: I don't see widespread use, and I think there has to be widespread use. The promise over the last couple of years was that we would get to some form of platform where we used more and more hardware to solve this particular password problem, but unfortunately, for a number of reasons, we're not there yet. So I see the promise of doing away with passwords altogether. It's still a little ways out, but people need to start thinking about password managers and systems that can help them solve this particular problem. But it's a double-edged sword because as you know, password managers don't solve all problems. We've seen examples of vulnerabilities and compromises of nearly every password manager that's ever been released.

CrowdStrike in Asia Pac

Kirk: CrowdStrike is launching in Asia Pacific. Can you tell me why the company is making the move now and how your operations here are going to be structured?

Sentonas: CrowdStrike is seeing significant growth in Asia Pacific, and importantly in Australia. It's an important market for us and an important region. And what's important to say is that we're already deployed in more than 170 countries around the world, and that includes a number of countries within the Asia Pacific market. So for us we really want to maintain that growth, and we want to continue to acquire customers in this region.