Introduction to CrowdStrike Falcon Endpoint Security Platform

August 19, 2019

Hi, I’m Elia Zaitsev, and today I’ll be giving you an introduction to CrowdStrike’s Falcon Host endpoint security platform. When you’re looking for endpoint security, there are usually two things you’re interested in: protection and visibility. Falcon Host delivers both of those with a unique cloud-based architecture that requires no on-premise equipment, servers, appliances, or any other infrastructure. The only thing that we deliver into your environment is a small, lightweight sensor that can be on your desktop in the office, your laptop, maybe at home or in the coffee shop, or your servers, which could be living in your data center or in somebody else’s cloud. We support all the major operating systems out today, including Windows, Mac, and Linux.

The sensor continuously observes, at the kernel level, execution events and transmits them to our cloud in real time. This could include things like process creation, drivers being loaded, disk access, memory access, network connections, and registry modifications. There are actually over 100 different events we track in total. Now, deploying the sensor is very easy. It takes about five seconds, requires no reboot or configuration, and can be done completely silently. Once it’s deployed, it takes less than three megabytes of space on your hard drive, uses about one to five megabytes of bandwidth per day, less than 10 megabytes of RAM, and less than 1% of CPU overhead.

Now, with this architecture, we can deliver you several different capabilities, including real-time detection and prevention of malicious activity. We can do that in a variety of different ways: by leveraging known signatures or indicators of compromise or threat intelligence (hashes, IPs, domains, anything else we’ve seen before); by using big data analysis and machine learning algorithms to look for unknowns; and by detecting things behaviorally with our indicators of attack. Now, as far as visibility goes, we can offer you continuous recording of everything that’s going on in your environment, rapid search across all that data, as well as giving you the ability to hunt inside your network. And we can do this in real time or retroactively, or historically. And we still preserve all the original context and detail, so you can really understand what’s going on inside your network.

But Falcon Host is about more than just cutting-edge technology. It’s also about passionate and talented people. Our CrowdStrike Security Operations team, or CSOC, is spread across the globe and continuously, on a 24 by 7 basis, hunts and mines across all your data, leveraging the power of our cloud and the crowd to detect and notify you proactively of malicious activity. Our threat intelligence analysts track dozens of different nation state, criminal, and activist groups, tracking and analyzing their tools, tradecraft, and procedures to better proactively notify you of a targeted attack, as well as giving you attribution. And finally, our world-class services organization will deliver a variety of both pre- as well as post-incident response capabilities, ensuring that no matter what security challenge you face, you’ll be prepared.

So now that I’ve described all these different capabilities, let me show you some of them in action. So right now, I’m logging into CrowdStrike’s Falcon platform. The platform is entirely cloud-based, and every customer is provisioned with their own unique instance. When we first log in, we’re presented with the detection user interface. The detection interface delivers analysts real-time alerts for all malicious activity being detected via the Falcon product. It’s a large screen broken up into several different sections. We can see them based on the accounts that are being impacted, machines that were targeted, any suspicious files that were involved, as well as any targeted attackers or adversaries that we’ve attributed this activity to. Or we can just view all the detections that have occurred across our entire environment. You can see these listed at a high level with various different fields that we can use to quickly sort and filter through all these different detections. And we can drill into them for additional detail, including real-time forensic information.

We can also pivot into our prevention application. The prevention application allows us to implement various different types of blocking techniques: pre-attack, during attack, and post-attack. Finally, I’m going to move into our endpoint activity monitoring interface. Endpoint activity monitoring, or EAM, lets Falcon users do both real-time as well as historical searching of all data being collected by the Falcon sensor. There are pre-built dashboards, reports, and applications that allow a variety of different hunting and general visibility workflows and use cases.

What’s the benefit that all this brings to you and your organization? Let’s take a look at a typical timeline in a response to an attack. The first thing that happens is an adversary is able to breach your defenses. After the breach occurs, there’s a period that could last anywhere from days to weeks, months, or even years until you’re finally able to detect the breach. Once you’ve detected the adversary, it’s time to start your incident response process, which includes discovery and remediation. And after all that’s been completed, you’re finally back in business. Falcon Host gives you a single tool and one platform that allows you to dramatically compress the time from here to here. We do this by preventing the breach from occurring in the first place with our unique blocking capabilities. We can minimize the time between a breach and detection to seconds with a variety of different detection capabilities. We can completely eliminate the need for discovery thanks to our real-time visibility and historical search capabilities. And we can dramatically reduce the time needed to perform a remediation thanks to our detail, context, and hunting capabilities. All of this allows you to get back to here as quickly as possible, saving yourself time and money.

Thanks for joining me today. For more information, please visit us at
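The talk contrasts two ways of detecting malicious activity from sensor telemetry: matching known indicators of compromise (hashes, IPs, domains) and matching behaviour with indicators of attack, which can catch activity no indicator feed has seen yet. The script below is an added illustration of that contrast and is not CrowdStrike code; the event fields, the indicator feed, the host names and the single behavioural rule (an office application spawning a shell that then connects outbound) are all constructed assumptions for the example.

```python
"""Toy endpoint detection over constructed sensor-style events.

Added example, not CrowdStrike's code. All indicator values, hosts and
events below are constructed placeholders (hash strings of repeated
characters, RFC 5737 documentation IP ranges, the reserved ".example" TLD).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed indicator-of-compromise feed (placeholders, not real indicators).
IOC_HASHES: Dict[str, str] = {"a" * 64: "placeholder-family-A"}
IOC_IPS: Dict[str, str] = {"192.0.2.44": "placeholder-c2-ip"}
IOC_DOMAINS: Dict[str, str] = {"c2.example": "placeholder-c2-domain"}

# Process names used by the single behavioural (IoA) rule in this example.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class Event:
    """Minimal stand-in for a kernel-level sensor event (assumed shape)."""
    ts: int
    kind: str            # "process_create" or "network_connect"
    host: str
    pid: int
    ppid: int = 0
    image: str = ""      # executable name, lower-case
    sha256: str = ""
    dest_ip: str = ""
    dest_domain: str = ""


@dataclass(frozen=True)
class Detection:
    host: str
    pid: int
    method: str          # "ioc" = known indicator, "ioa" = behaviour
    reason: str


def detect_ioc(ev: Event) -> Optional[Detection]:
    """Known-bad matching: process hash, or destination IP/domain of a connection."""
    if ev.kind == "process_create" and ev.sha256 in IOC_HASHES:
        return Detection(ev.host, ev.pid, "ioc", f"hash matches {IOC_HASHES[ev.sha256]}")
    if ev.kind == "network_connect":
        if ev.dest_ip in IOC_IPS:
            return Detection(ev.host, ev.pid, "ioc", f"ip matches {IOC_IPS[ev.dest_ip]}")
        if ev.dest_domain in IOC_DOMAINS:
            return Detection(ev.host, ev.pid, "ioc",
                             f"domain matches {IOC_DOMAINS[ev.dest_domain]}")
    return None


def detect_ioa(ev: Event, proc_table: Dict[Tuple[str, int], Event]) -> Optional[Detection]:
    """Behavioural rule: office app -> shell -> outbound connection, with no IoC needed.

    proc_table keeps every process_create seen so far, keyed by (host, pid), so the
    parent chain can be walked when a later network event arrives.
    """
    if ev.kind == "process_create":
        proc_table[(ev.host, ev.pid)] = ev
        return None
    if ev.kind != "network_connect":
        return None
    proc = proc_table.get((ev.host, ev.pid))
    if proc is None or proc.image not in SHELLS:
        return None
    parent = proc_table.get((proc.host, proc.ppid))
    if parent is None or parent.image not in OFFICE_APPS:
        return None
    dest = ev.dest_ip or ev.dest_domain
    return Detection(ev.host, ev.pid, "ioa", f"{parent.image} -> {proc.image} -> outbound {dest}")


def run_detections(events: List[Event]) -> List[Detection]:
    """Replay events in time order through both detectors; return every hit."""
    proc_table: Dict[Tuple[str, int], Event] = {}
    found: List[Detection] = []
    for ev in sorted(events, key=lambda e: e.ts):
        for det in (detect_ioc(ev), detect_ioa(ev, proc_table)):
            if det is not None:
                found.append(det)
    return found


# Constructed sample telemetry: one host shows a behaviour-only chain, the other
# a process and connection that match the indicator feed; a browser is benign noise.
SAMPLE_EVENTS: List[Event] = [
    Event(1, "process_create", "WS-01", 100, 1, "winword.exe", "b" * 64),
    Event(2, "process_create", "WS-02", 300, 1, "notepad.exe", "a" * 64),
    Event(3, "process_create", "WS-01", 200, 100, "powershell.exe", "c" * 64),
    Event(4, "process_create", "WS-01", 400, 1, "chrome.exe", "d" * 64),
    Event(5, "network_connect", "WS-01", 400, dest_ip="198.51.100.5"),
    Event(6, "network_connect", "WS-01", 200, dest_ip="203.0.113.10"),
    Event(7, "network_connect", "WS-02", 300, dest_domain="c2.example"),
]

if __name__ == "__main__":
    for d in run_detections(SAMPLE_EVENTS):
        print(f"{d.host} pid={d.pid} [{d.method}] {d.reason}")
```

Replaying the sample produces three detections: the hash and domain hits on WS-02 come from the indicator feed, while the PowerShell connection on WS-01 is flagged purely by the process chain even though none of its hash, IP or domain values are known. The benign browser connection triggers nothing, which is the trade-off a behavioural rule has to make: it must be specific enough about the parent chain to stay quiet on ordinary activity.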


4 Replies to “Introduction to CrowdStrike Falcon Endpoint Security Platform”

  1. Adam Basedow says:

    Can you do a current version? Given all the changes?

  2. chimeranzl says:

    Good stick figure skillz. You should take this down and do a new video, it's significantly improved in the past 4+ years!

  3. ALAM ZEB says:

    after 4 years people should realize that you were right…

  4. Summer Of Sam Summer Of Sam says:

    Seems like a new cyber security company pops up every year. What makes Crowdstrike better than the others? They all promise protection but the fact is hacking will still happen.
