Falcon OverWatch Experts Hunt 24/7 To Stop Incidents Before They Become Breaches Is your IT security team suffering from alert fatigue? For many organizations, chasing down every security alert can tax an already overburdened IT department, often resulting in a breach that might have been avoided. Adding to this challenge is an increase in sophisticated threats that strike so fast and frequently, traditional methods of investigation and response can’t offer adequate protection. A new webcast from CrowdStrike, “Proactive Threat Hunting: Game-Changing Endpoint Protection Above and Beyond Alerting,” discusses why so many organizations are vulnerable to unseen threats and alert fatigue, and why having an approach that is both reactive and proactive is key. You’ll also learn about Falcon OverWatch™, CrowdStrike’s proactive threat hunting service that investigates and responds to threats immediately, dramatically increasing your ability to react before a damaging breach occurs. Download the webcast slides to learn: --How constantly reacting to alerts prevents you from getting ahead of the potentially damaging threats designed to bypass standard endpoint security --Why an approach that includes proactive threat hunting, sometimes called Managed Detection and Response, is key to increasing protection against new and advanced threats --How CrowdStrike Falcon OverWatch can provide 24/7 managed threat hunting, augmenting your security efforts with a team of cyber intrusion detection analysts and investigators who proactively identify and prioritize incidents before they become damaging breaches

1. PROACTIVE THREAT HUNTING:
GAME-CHANGING ENDPOINT
PROTECTION BEYOND ALERTING
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
CHRIS WITTER – SR. DIRECTOR, HUNTING OPERATIONS
CON MALLON – SR. DIRECTOR, PRODUCT MARKETING

2. FALCON PLATFORM
CLOUD DELIVERED
API
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
MANAGED
HUNTING
THREAT
INTEL
ENDPOINT DETECTION
AND RESPONSE
IT
HYGIENE
NEXT-GEN
ANTIVIRUS
ENDPOINT PROTECTION

3. A DEEPER DIVE INTO ‘HUNTING’

4. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
EDR MATURITY MODEL
LEVEL OF PROTECTION
NO EDR – reliant on
‘prevention’ – but what of
the 1% that slips through?
LIMITED EDR – ‘dumb
collection’ approach
where the burden is on
the user to sift & search
to find meaningful
detections with limited
response tools
SMART EDR – ‘native
automation’ automatically
and prioritizes alerts and can
prevent for you if needed -
still struggling to find
resources to implement
hunting on the data set
MANAGED DETECTION
& RESPONSE – proactive
managed hunting,
investigation and
response activity on
emerging and advanced
threats - leveraging rich
data using advanced
analytics in the hands of
proven and experienced
team of threat hunters

5. WHY DO WE NEED HUNTING?
THE SECURITY
PROBLEM
THE PEOPLE
PROBLEM
THE DETECTION
PROBLEM
REACTIVE
POSTURE
PROACTIVE
POSTURE
Judging the intent of code Alert fatigue à False negatives
New IOC / TTP?
Detect novel threats?
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

6. WHICH IS LEADING TO THIS
“By 2020, 15% of midsize and enterprise
organizations will be using services like
MDR, up from less than 1% today.”
Gartner: Market Guide for Managed
Detection and Response Services –
May, 2016

7. WHAT IS HUNTING?
A few common use cases cause us to perform “proactive” investigation:
§ Retroactive discovery → New intel, pattern matching, intrusion artifacts
§ New artifact discovery → Analysis of telemetry to discover outliers
§ Detection method discovery → Pattern/IOA hypothesis testing
DEFINITION HYPOTHESIS
“Hunting is the discovery of malicious artifacts or detection methods not
accounted for in passive monitoring capabilities.”

8. WHERE DOES HUTING FIT INTO YOUR
DETECTION PROGRAM?
ANOMALY
BEHAVIORAL
ATOMIC
HUNTING
REGIMENT
New Artifact
Discovery
Detection Method
Discovery
Retroactive Discovery
Detect the tactic you know
Detect what you don’t know
Detect what you know
HOLISTIC DETECTION PROGRAM

9. FALCON OVERWATCH MANAGED HUNTING
FINDING THE ADVERSARY
So You Don’t Have To
BREACH PREVENTION
SERVICES
Team of Hunters
Working for You
24 x 7
BUSINESS VALUE
Alert prioritization
–pinpoint urgent
threats and avoid
false positives
Guided remediation –
work with your team to
add clarity, speed and
precision to support
response efforts
Threat Hunting –
proactive 24x7 hunting
eliminating false
negatives

10. FALCON OVERWATCH 2017 OBSERVATIONS
• Powershell
• Mixed TTPs
• Advanced <-> Everyday
• Twitter à Attack

11. THE OVERWATCH MODEL

12. OUR APPROACH TO PROACTIVE HUNTING
HUNTING
STRATEGIC SOC
Retroactive discovery
New artifact discovery
Detection method discovery
24x7 coverage
Continuous investigation
Intrusion triage & scoping
+
FALCON
OVERWATCH
Hunt
Investigate
Advise
…Stop the breach

13. PLATFORM STACK
OPERATORS
TRADECRAFT
TOOLS
CYBER ACTOR CrowdStrike FALCON
MANAGED
HUNTING
EDR
NEXT-GEN
AVTechnology
Processes
People

14. Falcon
OverWatch
Strategically Focused
Hunting
Security
Operations
Regimen
CrowdStrike
Threat
Intelligence
Cloud
Analytics /
ML
CrowdStrike
Services / IR
SOC
INCIDENT
RESPONSE
HUNTING
ADVANCED
ANALYTICS
CustomerCrowdStrike

15. FALCON OVERWATCH IN DETAIL

16. FALCON OVERWATCH DATA & PROCESS FLOW
CUSTOMER
ENDPOINTS
CONTINUOUS
ENDPOINT
DATA
1 FALCON UI
• Detection details
• EAM investigation
• Intelligence/Actors
2
OVERWATCH
ANALYTICS
PLATFORM
• Falcon data streams
• Hunting triggers
• Advanced analytics
• Business logic
3
• Strategic analysis
• Atomic + Behavioral + Anomaly detection
• Rapid intrusion triage and scoping
OVERWATCH
HUNTERS
4
• Notification of intrusions/breaches
• Expert operators <--> Support channel
5
CROWDSTRIKE CLOUD
Patented Threat Graph ™

17. OVERWATCH IN-PRODUCT ALERTING

18. INVESTIGATING THE OVERWATCH ALERTS

19. INVESTIGATING THE OVERWATCH ALERTS

20. OVERWATCH EXAMPLE -SENDING RICH NOTIFICATIONS
Summary Scenario
Human
Analysis
Actionable
Information

21. TO SUMMARIZE
• Proactive managed hunting is for organizations that want an
additional layer of protection to make sure that nothing gets
missed
• Falcon OverWatch is a managed threat hunting service built
on the Falcon Platform to ensure that nothing gets missed
and ultimately prevent the mega breach

22. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Questions?
Please submit all questions in the Q&A chat
right below the presentation slides
Contact Us
Additional Information
Join Weekly Demos
crowdstrike.com/productdemos
Featured Asset:
Proactive Hunting Whitepaper
Link in Resource List
Website: crowdstrike.com
Email: info@crowdstrike.com
Number: 1.888.512.8902 (US)