CrowdStrike

BSides Calgary · 2022 · 45:18 · 58 views · Published 2022-12

About this talk
CrowdStrike presents an overview of its endpoint security platform, including Falcon Prevent (next-generation antimalware), Falcon Insight (endpoint behavior response), device control, firewall management, and vulnerability management. The talk covers cloud-based threat intelligence, attribution challenges, USB device monitoring, password security dashboards, and vulnerability prioritization using CVE scores combined with real-world exploit data.
Transcript [en]


There's way too much for us to learn, you know. If you want to take a day's vacation, or three days, we have time, yeah, if you keep your device on... if you don't keep your device off. Solutions are becoming more and more complex, as we all know: you install one thing, which then builds onto something else. Technology is terrific, but it gets more and more complex. We're trying to keep things, you know, use the KISS method; you figure out what each other means yourself, that would be nice. But you know, the attackers are not getting easier. Yeah, I'll give away my age: during the 90s it was easy, we had those script kiddies that

you know, didn't get a date on a Friday night, so maybe started hacking computers. You know, the Russians did a couple of things, some other foreign countries, cities to government entities; they came into 2000 and all that and decided they wanted to go to prime time, so now they're attacking everybody. Yeah, we don't have simple, you know, script kiddies; we actually have them breaking into big-time stuff. We have ransomware; we actually have franchises that you can go get, that have your own malware. I did find out that that was a very interesting business case: they had a complete business plan on how to buy malware, and they kept it up to date.

So, the background on this: we initially went into the IR side 11 years ago, and being in that, they realized, hey, we also need an endpoint sensor, because it'd be nice if we actually got the information we would like and need. So, moving forward with that, we came out with our endpoint. A lot has changed since then; look at this, this is our complete platform with services, or a lightweight agent. Okay, we put on a single agent, whether you're running a Windows box, a Windows Server, if you're running a Mac, if you're running Linux, it's the one agent. If you add any of these modules, guess what, you don't have to upgrade.

Okay, it's something we do on the back end, because everything that we do and analyze is in the cloud. So by doing that in the cloud, you don't have to keep on redeploying your agents. So it's a simple deployment; it's a lightweight agent, it'll use single-digit CPU usage, very little RAM, and very little bandwidth compared to other agents that are out there. And we can also run alongside another agent if you want to actually try this out, so we can run next to Defender and stuff like that; it won't kick us out or anything, and you can see the detections between the two. But as you run

the agents, you know, the over 200-plus telemetry points that we're gathering, we're sending to what we call our Threat Graph. The Threat Graph is the big data pool in the sky, for lack of a better term, you know, where we're sending everything up to analyze. Everything goes through it, and you plug into it with the different modules. We have endpoint security, which we start off with Falcon Prevent. So Falcon Prevent is our next-generation antimalware. It works both when you're connected and when you're not connected, you know, so you don't have to be connected to be protected; it's still protecting you if you don't have an internet connection. We have Falcon Insight, which is our EDR

platform, which we'll be seeing shortly. You know, that's where you do the real fun threat hunting and actually dive in there. So the other things we'll cover today: device control. You know, whoever came up with USB was like a godsend, because, you know, serial cables were a pain in the neck, parallel cables were even worse (there I've dated myself again). But you know, they also added, you know, I can throw something universal in and Windows is so nice to automatically mount that for you, and if you happen to have an autorun, I'm going to be even nicer, I'm going to actually run that for you. Yeah. So this is a way, in your organization, to

lock down what you actually plug into USB. You can limit it, say, hey, I only want Samsung USBs; so if I plug in another manufacturer, that's nice, but it doesn't do anything with it. If I plug in a printer... I don't want anybody plugging in a printer, so I can do that. I'll be showing you a demo of that as well. The firewall manager, that is on-host management; we're not going out to any of the network devices and stuff like that, but it's a universal way for you to keep control of your Mac and your Windows firewalls. So it's a very simple way to block different ports; if you see a port that comes up, you can just hop over

to this module and block them. They're both in the demo. Then there's cloud security: we can go with protecting containers that are out there; we can also see what you have on the internet, what type of accounts you have, what do I have open. You know, the cloud is a wonderful thing, except trying to protect it can be extremely difficult, because you can't walk into your data center if something goes wrong, pull one plug, and you're not connected to the internet anymore; try doing that at Amazon. Next, intelligence. To be a good security company, you've got to actually know who's attacking you. You know, if you play any type of sport or anything like

that, having any type of insight on who's coming after you is always a good idea. We have multiple things here. If you look at the kill chain, the hardest part to figure out is actually recon, because you don't know what any of your employees are putting up on Facebook, TikTok, whatever, about themselves personally that the attacker can then use against you. So we have something that's been searching the web to keep their identity clean. Also, the intel on our adversaries, you know, what is Fancy Bear doing; we actually came up with cute animal names instead of numbers to go through all the different

major actors. You know, sandbox, stuff like that: you can throw stuff in and see what actually happens. And a hash lookup is another way of saying, hey, I have this hash, what do you know about it, and we can give you everything we know about the same. What came out more recently is identity protection. Okay, if you guys have checked recently, it's a lot easier to steal a car with the car keys than to actually hotwire it nowadays, you know. So having an identity, being able to log into a box, is a lot easier. With identity protection, we're able to now identify whose domain account it is; it's not just IP addresses, it's now actually

Joe is on that IP, that's what's happening. And we can also add in other layers to stop possible lateral movement; we'll put in two-factor if somebody logs onto another box. And then some of the elements we have on the IT side: you know, Discovery, find out what else is out there on your network, and then we also have Spotlight, which tells us, hey, what vulnerabilities do you have. Since we're on the endpoint we know what you're running; let me tell you which ones need to be up to date with patching. Any questions? I haven't put anybody to sleep yet, that's my goal. So, a single lightweight agent

is all you need to deploy. Again, you can deploy this on Windows, Mac, Linux, in any type of VMs you can go across; it's both machine learning and, you know, getting some of the intelligence back into it.

So, our next generation, Prevent. This is our next-generation AV, so taking it to the next step: we're not relying on signatures. Signatures were a good thing in the 80s; that goes along really well with the cassette, you know, when you were downloading those DAT files. How many people remember that? Yes, more than two people, okay, I don't feel that bad. Yeah, so you're no longer getting those downloads, you know. And also being able to have machine learning: it's very simple to take a known virus, flip one or two bits in it, and it still runs exactly the same but has a completely different signature. Going

across, then also being able to block the known and see what the people are doing. We build on IOAs, which we call indicators of attack, compared to indicators of compromise. You know, an indicator of compromise is on the passive side, something that's already happened, whereas an indicator of attack is something about to happen. Thank you.

Our Falcon Insight, which gives us the next one. This has been collecting over the 200 points of telemetry, adding to this, you know; we're able to see the real-time historical. If I found something on one host, let me see if it's on the other host. It gives you a nice query language to go back. We record everything, okay, so what did you type in on the command line? We can go back and show you the command line. You can do those searches for both, yes, Linux and Mac, and on Windows. Really nice when you're trying to figure out who knows how to type in commands and who doesn't know how to type in commands.


And then we also have real-time response and containment. So you find something bad on there, well, let's see, I can contain it, which means it can't go anywhere; it can only talk to you. With real-time response I can now hop onto the box on the command line and perform any type of action, or gather what I want from that box. Do I want the file that was on there? Do I want a memory dump? Okay, there's probably about 20 different commands you can do, and one of those is called PowerShell, so any type of PowerShell script you can write, you can then upload it to this box, when it's contained or when it's not contained, and

completely run it and get all that information. So no matter where the person is, you don't have to call them up on the phone and try to hop onto it; it works as long as they have access to report in.


The interface. Being an analyst, you're going to log in, you're going to see this. The first number you see in the upper left-hand corner is about to tell you if you're going to have a bad day, okay; it's a score from zero to 100. Okay, this is the only time you want to get zeros: the higher the number, the worse the day you're going to have, so if you have more events on your network... Next one, the new detections; as I close them out, they're going to disappear, and over time you can see where your score goes to these different techniques that were

applied to it. All right, so from here let's go to new detections: what do we have out there, what are we actually seeing?

So as you see detections, you know, you have different severity levels, like you would expect: critical, high, medium, low. But you can also search for what type of tactics am I looking for, how long ago did it happen, what actually triggered it. So let's start kind of easy here. So I have a medium attack, you know, WannaCry. Yes, this is in a lab; a mate actually found it. I think that this thing should be dead, you know; it's been way too long out there in the wild. But going over the different types of information we're providing back and what actually happened during

it. This has nothing to do with the guy who actually did the DNS request. If I had it set to kill the command, we would have just killed the command by seeing it run. So go a little further. This one's kind of interesting; you're probably thinking, why would I catch on a ping command? Why would an attacker use a ping command? To check it down: I don't have to be there, I want to see if my command and control center's up and running; if I can ping it and see it, then I know I can continue. Okay, but also attached to this, you see something that appears as a Fancy Bear profile. I talked a little earlier about our intel

and how we do it is we name our adversaries. I've seen a bunch of stickers or a bunch of statues, you know, with our adversaries. Okay, Fancy Bear being Russia; Fancy is just one of the nice adjectives we added to it. So again, with the intel, if we actually click on the additional intel with it, it brings up all the information that we know about Fancy Bear: where is it from, the actor's activity. This is inside your network, okay; again, you want to see all these numbers being zero, because if not you have five adversaries in your network, which again means you're not going to be having a good day. Hopefully it's not

Friday at about two, but, no pun intended, yeah. So going through some descriptions: what do they do in the kill chain, and we always talk about filtering, so you can also look for other places in your network. And then reports: what type of reports have we published about this adversary? It's going to list all the ones that we've previously done; just by clicking on them we can completely bring up the full report. Now, what type of actions are also related inside the Falcon platform: do I have any other detections or events together, are there any other reports, are there any vulnerabilities that Fancy Bear normally goes against that I know are in multiple

places in my network. So, an easy click of just going there. We'll get into vulnerabilities a little later, in the next section. Going back to the activities. So those two that I showed are really good examples of how our next-generation AV would work; that's the type of information you get back just by having our Prevent module. Having Insight gives you a little bit more, and we're able to build on it. So this one being critical, and we've got 21 different events going across, and when we have this many we're able to do something called an incident. So basically it's multiple events with either one or multiple hosts that the attack can happen on.

These don't come up too often, because we're not always blocking things; this was done in detection mode only, you know, for example purposes. But we see again that we have lateral movement. Now, by having the multiple agents across, we're able to see how it happened from one host to another host, and if you guys do Capture the Flag, this might look a little familiar as well. But what you're always going into here the most is our graph, and we can show you; I'm hoping that it's big enough on that screen to see. You see step by step all the different types of movements that they did, and so we can see here

originally we got on this box, so it's going across here, and it has to go across; it also finds the next one, then it'll hop, you know. So it's a very simple way of seeing this graphically, and then we can also click a nice report and print this all out and tell your manager, here, I just spent the past 40 hours figuring this out, you know, print it out and hand it to your manager. Yes?

[Audience question] Yes, sir. For the attribution, how do you do attribution? You mentioned Fancy Bear; how did it come to that conclusion? Is it based on...? So with that one, with the ping command going to some IP address, yes, we know that the IP address is associated with that; we've seen it in other attacks, either from our IR or other intel that we gather, or we found it on the dark web, something like that. We also attribute by the different techniques that they use; you know, if they're used to using just Mimikatz with this one payload or something like that, we have recordings

of that, and that's how we attribute it back to the actors. [Audience question] So the first one makes sense; the second one is where it becomes a little bit fuzzy, because I've seen problems with attribution when you're focusing more on techniques rather than infrastructure. Yes, it's easier on that; it's a looser kind of attribution, okay. We'd rather say, hey, here's what happened, than say, okay, this person did it. You know, we let our intelligence agents and stuff like that, who are on the dark web looking for the information, and our IR responses and stuff like that, get more attribution later on, instead of saying this simple command triggered it with this one user,

yes. You hate pointing to, oh, you know, this person did it, and then you find out later somebody else did; you really don't look good, you know.

So next, I talked about, you know, we're able to create and manage... Oh yes, those numbers?

[Audience question] Are those just counts, or...? Yeah.

The number two and the one, or the other one? On the dashboard? The dashboard, yeah.

[Audience question] So when I see 1200, right, does that suggest, you know, the severity, or is it just a count of, you know...

You know, so that two out there is basically, maybe there's a medium event that happened, you know, and it just passed; or when we start blocking them, that's where it will actually come down. So you can leave on a Friday and come back Monday and feel a lot happier. But I still recommend, you don't want that new detection count to keep going up; you want to start closing those.

A normal organization is probably between zero and five on a daily basis, just because of people either going to their websites or stuff like that, or maybe a false positive across. So, firewall management. You can do a couple of things with this: one, you know, the real simple stuff, the firewall just blocking; then you can also monitor. So if you want to see how many people are going to port 80, which is a fun one to do on networks, I mean, are they really being redirected to 443, you know, we can start gathering that information: how many people are SSHing in your organization,

how many people are using ports lower than 1024, and stuff like that. It's very helpful. Take a quick look at pictures of our device control. We're talking about USB; we're going a little bit deeper in, you know, what can we see in real time. This is a very easy way to take information out of your organization: so plug your USB drive in, copy whatever I want, and walk out. You want to make it even easier? I have that laptop in my living room, I don't even have to go far, I just have to take it out and leave it on the coffee table. And we can give you very easy reports saying here's how many files

were written to a USB drive, you know. Do you want this? So now you can start going through those files to say, hey, is this anything important, or is the person just making a backup? Take other USB devices: does somebody plug an extra wireless in, you know, if you're in any closed network, if somebody put up a wireless speaker in your internal network. Question? Yes. [Audience question] How do you guys handle the secure, like the FIPS USB drives and things like that, to make sure they're under their own management system, if you're familiar with data blockers and that sort of stuff? So it's a good question, Mike. I can tell you that comes under our

"other" category, looking across it. So what do we see here: USB devices, as an example. You know, you have to invoke their security thing, I guess; you'd have to make sure that... [Audience question] So this is when I plug it into the Windows system, yeah, it won't be recognized until you invoke their authentication, but once it gets in, then the Windows system would activate it. You still need a driver on the OS to actually recognize it, obviously. Okay, so the second that driver got activated, we would then see, hey, there's a USB device plugged in, and maybe get the header information, and then we can see the manufacturer, you know, BIOS and the serial number with

those, and based on what your settings are, on the screen that you're not seeing...

Sorry for the eye chart, but we have a lot of USB devices in this environment. Okay, so you see the different types of classes, the manufacturers, and, you know, some different types of devices going through here; we get the timestamps and everything. So going back to your question: if it's a full system on a USB interface, the first thing, when that USB interface got power to it, it would start up, you would then authenticate to it, right, which would take you to the next step, where it would then try to initiate a connection to the OS, or the OS would try to mount it or communicate with it, which

then would get that information, and then we can make that decision. [Audience question] Yeah, it's been challenging in the market, specifically in law enforcement and stuff. Anyway, okay, we'll talk about it offline; absolutely, absolutely, interesting ideas. So, you know, looking at the different classes going through, you know, chipsets, are they, you know, printers, are they hubs, are they... Why would you want to plug in a USB Wi-Fi adapter? You asked the right person: I'm doing Wi-Fi interrogation and packet injection, exactly. You know, if you just have a complete wired network and there's somebody who placed in a wireless device, let's have fun; you know, let me have fun at a Starbucks, and I can sniff on it. Make

sure, please don't walk away from me next time you see me at a Starbucks, okay; I'm not sniffing every network every single time. But going through here, some of the interesting reports that we can generate off this. The one I like, you know, is what files are written to USB, you know, because in most environments, yeah, you plug your USB in, luckily, if you can plug it in, because, you know, everybody picks up USBs in the parking garage.

You have to have fun with those; you can plug it in. Working for security companies, I love doing that, I just never do it with my corporate laptop; it's a great way to have a new career change very quickly. But, you know, as an example here we're seeing, yeah, who did it, what was the device, what was the name, and the sample file that was going across, you know. So you can actually trigger on alerts like this; if I say, hey, if somebody wrote something to USB and it's like my Active Directory server, or if it's, you know, an HR server or something like that, somebody wrote from it, you know. Another great thing

to do with this: if somebody gives you a two-week notice, the first thing you do is you turn off write access, and you should probably do it the day before; a good manager knows it's going to come in the next day. But, you know, you're able to do that, so they can't take anything out, you know. Or if somebody goes to another country, you know, somebody's going to a territory or something like that, you can change their USB policy based on where they're going. Any questions? And this is also part of the threat hunting that we're talking about; when you start querying, these are other things you can start taking a look

at. This is also fully accessible by the API.

Next, Discovery. As you put our agents out there, you know, we're seeing what's around them and what connections they make. You know, everybody tries to have a complete deployment, but we know we always will miss one; either somebody will be on vacation, you know, or it won't be on the network, or something like this. By having Discovery, we're able to find that one that's missing. So the other nice thing here is what else do you have out there. This can also do inventory management for you, for your assets: you know, what type of CPUs are you using, what's your average

RAM on the laptops. Comes in handy when, sorry if there are any laptop vendors in here, someone's trying to sell you something saying, hey, you need 32 gigs on your laptop, and you're like, hey, my employees have been very happy with eight for the last seven years, do I really need to upgrade? We also have applications: how many applications do you have installed, how many people are using those applications. You know, so you've got somebody, a web developer, that's been dying for the Adobe Photoshop suite; they're like, okay, buy it; money talks, you know; given the 50 per month subscription, they use it for three days and don't use it for the next year.

You know, but since you work in a large organization, you need to just buy the site license; you bought 20 licenses, you know. So how can I save money on that? Start taking a look at your application usage. Or the other thing too, this is a very neat use case: how many developers do you have? How do you define the developer on your network? Well, you start seeing what applications they have installed; how many people can actually exit vim without doing a Control-C or killing the command in another terminal window? Hey, I really liked it, though, that vi is actually cleaner, which I find a

unique way to go through... I figured that they'd say so. Looking at it,

I think I have about three followers in comedy, and I have a couple more clients. So we're taking a quick look, you know, at what type of assets we have, what do we have across. The unmanaged is, you know, what's out there that I just don't see. Okay, in the lab, nothing, because we have to run agents on all our devices. But then we have unsupported assets, and our unsupported is actually what the agent can't go on.

Okay, sorry, when you're talking to a screen that you guys haven't seen. So, unsupported assets, okay, these are the network switches, routers and stuff like that that you just cannot put the agent on, but we know that they're out there. So it's a good way to start giving people what's around you; you know, we have an asset graph where you can start seeing everything that's around it, and by knowing that there are switches and routers, you know, it kind of helps on what's connected to what. We're talking about different types of accounts, you know, how many local users do I have compared to, you know, AD users out there, how many people have failed logins.

You know, I always like putting up there, you know, who's the biggest person at fat-fingering their password, you know, who has an average of two or three or four logins before they actually get in. There's some good humor to push around at your IT directors and stuff; push that out there since it's October, security month, you know; instead of sending them to email security training, maybe send them to a typing class. Who's been very successful, you know; if you want to have something fun on your internal web page, okay, we've had this many successful logins today, this many failed logins, you know, like, when was the last time we had an accident, or

something like that. So you can have fun with your users like that; as you can tell, I never worked in HR. You know, so failed logins, and what does this help you with? Yes, every person's going to type the password in wrong once or twice, but do they have it constantly, you know; or, you know, where are they coming from, what different activities, or what type of accounts? Because if you're an admin, and probably some of us, most of us, are some type of admin somewhere, am I having problems logging into my admin account or my user account? If I have a lot more on my admin account, maybe I should go look at where that's coming

from. Questions? And then, you know, I talked about application usage; you know, we can go down here and start looking at who's been using it in the last seven days, who's the owner, how many different files going across. Okay, also, another use of this: if you do any internal development, you can now start going out and seeing who has what version of your software across the network, and are they up on the latest version that was compiled? Yeah.

So this is our vulnerability management. We take a different approach on this, okay: we have an agent on your endpoint. What's the advantage of that? We know every single thing that's on that endpoint. We don't have to scan a box, we don't have to flood their network with a bunch of bandwidth going across, okay, we don't have to trigger IDS devices because I'm doing interesting scans; we know what's on the box. So we're able to break it down in a couple of different ways: critical, high, medium, low. This is what the CVE comes out as; when a brand new CVE comes out, they put some score on it, and we take that, you know, which I'm glad that they

have that ready to give you something like that. But then we have an ExPRT rating, which is: okay, how is it actually being used in the wild, is there an active exploit? Because I've seen a lot of critical CVEs come out that have been developed in a university or academia, but they never hit the real world, or not immediately; they don't hit the real world. So why should we be trying and worrying about something that hasn't gotten in the stream yet and fire up all your, you know, change management group? But I've also seen a lot of our people using this as the first step. So you see here,

2.2.2.1, closed, 8.2; look at this. But we can also push them up based on what our IR people are seeing out there, and then also what we're seeing across our whole network from alerts coming in: are they using these vulnerabilities out there? And you're able to say, okay, well, how bad is my number? So I have a pretty critical rating; if I click on it, what was it? Okay, lovely, Microsoft, they always make our top-10 lists. Hey, without them, security people would not have most of their jobs, okay. Looking at, you know, how high is it, what's the CVSS, what is it related to. The nice thing too is now we have the

CVE numbers and what type of remediation to do, and if you saw any of the alerts, okay, if there's any remediation for a patch, we say, hey, this alert would never have happened if you'd patched this. So it's another way to take a look and say, oh, why should I patch, you know; and now we're all about Patch Tuesday, or Patch Wednesday, because you're still reading the documentation that came out. But after seeing the details, do I want to create a ticket? I can send it, you know, so your security team can have fun now with your patch management team; you can start sending them tickets saying, hey, we need to update this.

But one of the fun ones here is, I'm going to group by product, and sorry if any of you guys work for any of these vendors: one product with 1504 vulnerabilities. Again, here are the lovely numbers: I only have to patch one thing and I fix that many vulnerabilities, and our remediation is update to the latest version.

Because you get one vulnerability number per host, no, per piece of software, okay; it's great for your boss, saying, hey, I just closed a million vulnerabilities last week. Yeah, I pushed out two patches, but we won't go into those, okay. And then if you want to, you can go all the way down to, okay, what type of remediation. So let's group this by remediation; let's see how much work do I have to actually do to accomplish this. Well, if I do this remediation, I get this many vulnerabilities closed; if I upgrade to this version of Windows, or apply this, I get this one closed. You can just start walking down these. This is a great report to

print out and prioritize what type of patching I want to do, you know, how much time is it actually going to take me going forward. And we have a new thing coming out: you guys are familiar with the known exploited vulnerabilities list? We will be connecting this to that list about mid next week, so if you can click that, it'll give you all those that are coming across, to also give you another way to prioritize patching. Question? Yes, sir. [Audience question] Sorry, you said the Known Exploited... Correct, I know it starts with a K: Known Exploited Vulnerabilities. Yeah, this is a nice list, you know;

They also have deadlines too, you know, going across: must be applied by... going across other plans for the scan or two, whereas on
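The prioritization the speaker describes (group findings by remediation, count how many vulnerabilities each remediation closes, and weight those that appear on the known exploited vulnerabilities list, with its deadlines) can be reproduced offline. This is an added example written for this page, not CrowdStrike's code or API; the findings, CVE ids, product names and KEV entries in it are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed sample findings: one row per (host, product) instance of a CVE,
# which is why the same CVE can appear more than once. Ids are placeholders.
FINDINGS = [
    {"host": "ws01", "product": "Vendor A Reader 9", "cve": "CVE-0000-1001", "cvss": 7.8, "remediation": "Update Vendor A Reader to latest version"},
    {"host": "ws02", "product": "Vendor A Reader 9", "cve": "CVE-0000-1001", "cvss": 7.8, "remediation": "Update Vendor A Reader to latest version"},
    {"host": "ws02", "product": "Vendor A Reader 9", "cve": "CVE-0000-1002", "cvss": 5.3, "remediation": "Update Vendor A Reader to latest version"},
    {"host": "srv01", "product": "Windows Server", "cve": "CVE-0000-2001", "cvss": 9.8, "remediation": "Apply KB-PLACEHOLDER"},
    {"host": "ws01", "product": "Browser X", "cve": "CVE-0000-3001", "cvss": 8.8, "remediation": "Update Browser X to latest version"},
]

# Constructed stand-in for the known exploited vulnerabilities catalog: CVE -> due date.
KEV = {"CVE-0000-2001": date(2022, 12, 1)}


def prioritize(findings, kev, today=date(2022, 11, 20)):
    """Group findings by remediation and rank them: remediations that close a KEV
    entry first (earliest deadline wins), then by distinct CVEs closed, then by max CVSS.
    Each row also reports per-host instances, which is the inflated 'vulnerabilities closed'
    number the speaker jokes about, next to the distinct CVE count."""
    groups = defaultdict(lambda: {"cves": set(), "instances": 0, "hosts": set(), "max_cvss": 0.0, "kev": set()})
    for f in findings:
        g = groups[f["remediation"]]
        g["cves"].add(f["cve"])
        g["instances"] += 1
        g["hosts"].add(f["host"])
        g["max_cvss"] = max(g["max_cvss"], f["cvss"])
        if f["cve"] in kev:
            g["kev"].add(f["cve"])
    rows = []
    for rem, g in groups.items():
        due = min((kev[c] for c in g["kev"]), default=None)  # earliest KEV deadline, if any
        rows.append({
            "remediation": rem,
            "distinct_cves": len(g["cves"]),
            "host_instances": g["instances"],
            "hosts": len(g["hosts"]),
            "max_cvss": g["max_cvss"],
            "kev_cves": sorted(g["kev"]),
            "kev_due": due,
            "overdue": due is not None and due < today,
        })
    # KEV-backed remediations sort first, then the ones that close the most CVEs.
    rows.sort(key=lambda r: (r["kev_due"] is None, r["kev_due"] or date.max, -r["distinct_cves"], -r["max_cvss"]))
    return rows
```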

Um, I'll say not at this time. Um, saying that, we hadn't really gone past the agent. I would say something, now we do have a couple of products coming out that might do that, but I mean, uh

And then the last thing, um, going into, is we do have an API. Every single screen that I just showed you walking through is generated by our APIs, so our developers are API first, and then our front UI guys make sure it all works from the front end. So that means you have all the access if you want to do it remotely, not being very handy, you know, if it alerts, if you want to suck them into something else for reporting, the capabilities. This is our nice Swagger page that we've created, and I'll walk you through how to set in every single each one of these source, but for example, you know, if you wanted

to get alerts, all the different things you have, this

internet access

ories

oh yeah

That was a good example of our API calls. It logs you out in 30 minutes after you go into it, okay, you know, and what did I get back, at the different codes. So this can really help out your developers, you know, especially if you're new to programming, this is a great thing. I've never got Postman or anything like that. Through the authentication we're going to show you what type of JSON you get back if you're not too familiar, then I'll also give you the curl string to send across. Now, one thing before this is you have to do the authentication curl string, and then you can start doing this going across, but you know, you can write simple

scripts like this, original Python, curl, anything like that coming across. Yes, I aged myself with a Perl plugin. Questions, comments, anything else you want to see? I don't have any additional information on here, I went through all of them. So you mentioned like the DAT file, like some clients' requests did not have on the cloud, is there an alternative to a cloud only? So all the telemetry that we have, okay, we do not have a server or an appliance that you can put on site here, and the reasons for that, power, it looks like, how do you do these, yeah, XDR and EDR and all those things.


Um, as well, anything you search for, you're only going to see the initial process creations, you're not going to see what happened, okay. So using this interface, okay, I want to show you the PowerShell, because other things go off, actually using the entire investigation tool and searching into it, you can start cleaning up through there. So in terms of blocking though, if I want to block certain powers

absolutely

um

sleepy time

Any other questions? I cannot answer about that question.

Okay, successful, nobody fell asleep. Uh, he's, yeah, he's not going. And if I fire one off which then fires off another PowerShell command, you see the same scripts that are actually firing off another PowerShell. Ways to do that: you could actually embed emergency and you can, you can actually, um


Any other software questions?

Okay, how many questions do you have? Um, this with the USB write block, can you only block certain files, like could I say don't allow copy of EXEs but allow Word docs, or is it

that's still in

um


I think right now we're still just all playing, right, but they're good, and yes, yes, we're just, we're just taking it down to like what type of devices, not on, we're recording, but there is a thing, yeah, there is that level. There's a coming soon: we bought a whole company working on integration, just can't talk more about that, you know, yeah.

Well, friends, everybody, if you want to Google SecureCircle, I think a pretty good idea.

We will have a small break until the Cisco presentation, but I'm sure you can talk online too.