Archive for CrowdStrike

#Fail: Faulty CrowdStrike AV Update Takes Down Millions Of Windows PCs Globally

Posted in Commentary with tags on July 19, 2024 by itnerd

This is not a good look for cybersecurity company CrowdStrike.

A faulty content update for the CrowdStrike Falcon sensor, the company's endpoint protection agent, has crashed millions of Windows PCs globally, leaving them stuck in a blue-screen boot loop. I am hearing stories of flights being grounded, Sky News being taken off air for a few hours, and retailers being unable to sell anything.

In short, this is extraordinarily bad.

This is made worse by the CEO of CrowdStrike, who decided to tweet. This tweet was not a good idea:

The problem with this tweet is that he completely failed to apologize for basically taking down the entire planet because of a screw-up with his product. If I used his product, I'd be looking to move to some other antivirus product. Because this tweet, to be frank, sucks.

There is a workaround that was posted to Reddit: boot the affected machine into Safe Mode or the Windows Recovery Environment and delete the faulty Falcon channel file (the file matching C-00000291*.sys under C:\Windows\System32\drivers\CrowdStrike). But it has to be done by hand, PC by PC, and on BitLocker-encrypted machines it also needs the recovery key. Which means that companies could be down for days. Which is of course bad.

I’ll be watching this situation and posting updates when it warrants an update. But this situation is bad and likely won’t improve for a while. And when this is resolved, CrowdStrike will have a whole lot of explaining to do.

Mission Cloud and CrowdStrike Announce Strategic Partnership

Posted in Commentary with tags on April 19, 2024 by itnerd

Mission Cloud, a US-based Amazon Web Services (AWS) Premier Tier Services Partner with a focus on cloud and AI, today announced a strategic partnership with CrowdStrike (Nasdaq: CRWD) to stop cloud breaches and secure global customers building their businesses on AWS.

Cloud intrusions have grown 75% in the past year, with adversaries breaking into customer environments in as little as two minutes. The lack of cloud-native security solutions and skilled personnel to operate them puts organizations at risk. Mission Cloud One is enhancing its comprehensive managed service for AWS optimization, operations and security by standardizing on the CrowdStrike Falcon® platform for CrowdStrike Falcon® Cloud Security, the industry’s only unified agent and agentless platform for code to cloud protection. The partnership also provides customers with access to CrowdStrike Falcon Complete Cloud Detection and Response (CDR) services, delivering 24/7 protection against cloud attacks.

Learn more about Mission Cloud and CrowdStrike’s partnership here.

CrowdStrike Encourages The Use Of AI To Target Malwareless Attacks

Posted in Commentary with tags on April 27, 2023 by itnerd

At this year’s RSA Conference, CrowdStrike’s Joshua Shaprio said this:

In short, CrowdStrike has been dealing with about one malwareless incident a week over the last couple of quarters, reaffirming data reported earlier this year that 71% of cyberattacks were carried out without malware and highlighting the challenges cybersecurity teams face trying to combat such compromises.

During their RSA keynote, CrowdStrike CEO George Kurtz and President Michael Sentonas used a case study to illustrate the "layer A problem": the bad actor's in-depth reconnaissance and use of dedicated machines to hide identities and avoid detection, which ended with the threat actors set up with their own users on the network, free to exfiltrate data, compromise the cloud, and add themselves as a SQL server admin. More on that in a moment.

From an Akamai report on that attack:
 
    “The attack starts with a password brute-force on the MySQL service. Once successful, the attacker runs a sequence of queries in the database, gathering data on existing tables and users. By the end of execution, the victim’s data is gone – it’s archived in a zipped file which is sent to the attackers’ servers and then deleted from the database. A ransom note is left in a table named WARNING, demanding a ransom payment of up to 0.08 BTC.”

During their RSA keynote, both Kurtz and Sentonas highlighted that without standard malicious code to detect, companies need to build their strategies around robust telemetry gathering from the endpoint to the cloud, manage identity data with greater granularity, and use AI and machine learning to find anomalous activity in that data.
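As an added example, not code from CrowdStrike, Akamai or the original post, here is the kind of telemetry-driven detection the keynote is talking about, applied to the MySQL attack sequence in the Akamai quote above: it reads constructed, simplified general-log-style lines (timestamp, connection id, command, argument), flags the password brute-force, and then scores each connection for the reconnaissance, staging, destruction and ransom-note phases. The log layout, the SQL patterns, the thresholds and the sample data are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on MySQL's general query log
# (timestamp, connection id, command, argument). Not real data.
SAMPLE_LOG = """\
2023-04-20T10:00:01Z\t12\tConnect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2023-04-20T10:00:02Z\t13\tConnect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2023-04-20T10:00:03Z\t14\tConnect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2023-04-20T10:00:04Z\t15\tConnect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2023-04-20T10:00:05Z\t16\tConnect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2023-04-20T10:00:06Z\t17\tConnect\tshop_app@10.0.0.12 on shop using TCP/IP
2023-04-20T10:00:07Z\t17\tQuery\tSELECT id, total FROM orders WHERE id = 4711
2023-04-20T10:00:08Z\t17\tQuit\t
2023-04-20T10:00:09Z\t20\tConnect\troot@203.0.113.5 on  using TCP/IP
2023-04-20T10:00:10Z\t20\tQuery\tSHOW DATABASES
2023-04-20T10:00:11Z\t20\tQuery\tSELECT table_name FROM information_schema.tables WHERE table_schema = 'shop'
2023-04-20T10:00:12Z\t20\tQuery\tSELECT user, host FROM mysql.user
2023-04-20T10:00:20Z\t20\tQuery\tSELECT * FROM shop.customers INTO OUTFILE '/tmp/dump.csv'
2023-04-20T10:00:30Z\t20\tQuery\tDROP TABLE shop.customers
2023-04-20T10:00:31Z\t20\tQuery\tCREATE TABLE shop.WARNING (note TEXT)
2023-04-20T10:00:32Z\t20\tQuery\tINSERT INTO shop.WARNING VALUES ('Send 0.08 BTC to recover your data')
"""

LINE_RE = re.compile(r"^(\S+)\t(\d+)\t(\w+)\t(.*)$")
DENIED_RE = re.compile(r"Access denied for user '([^']+)'@'([^']+)'")
CONNECT_RE = re.compile(r"^(\w+)@(\S+) on")

# The phases of the sequence described in the Akamai report, as SQL patterns (assumed).
PHASES = {
    "recon": re.compile(r"^SHOW (DATABASES|TABLES)|information_schema|mysql\.user", re.I),
    "staging": re.compile(r"INTO (OUTFILE|DUMPFILE)", re.I),
    "destruction": re.compile(r"^(DROP (TABLE|DATABASE)|TRUNCATE)", re.I),
    "ransom_note": re.compile(r"(CREATE TABLE|INSERT INTO) \S*WARNING\b|\bBTC\b", re.I),
}

BRUTE_FORCE_THRESHOLD = 5                   # this many failed logins for one user@host ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)  # ... inside this window counts as brute force


def parse(log_text):
    """Yield (timestamp, connection id, command, argument), skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)


def analyze(log_text):
    """Return brute-force sources, the phases seen per connection, and the resulting alerts."""
    failures = defaultdict(list)   # (user, host) -> timestamps of denied logins
    conn_origin = {}               # connection id -> (user, host) of a successful login
    phases = defaultdict(dict)     # connection id -> {phase: first matching statement}
    for ts, cid, cmd, arg in parse(log_text):
        if cmd == "Connect":
            if (d := DENIED_RE.search(arg)):
                failures[(d.group(1), d.group(2))].append(ts)
            elif (c := CONNECT_RE.match(arg)):
                conn_origin[cid] = (c.group(1), c.group(2))
        elif cmd == "Query":
            for name, pat in PHASES.items():
                if pat.search(arg):
                    phases[cid].setdefault(name, arg)

    brute_force = set()
    for key, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - BRUTE_FORCE_THRESHOLD + 1):
            if stamps[i + BRUTE_FORCE_THRESHOLD - 1] - stamps[i] <= BRUTE_FORCE_WINDOW:
                brute_force.add(key)
                break

    alerts = []
    for cid, seen in phases.items():
        user, host = conn_origin.get(cid, ("?", "?"))
        # A successful login from a source that was just brute-forcing is suspicious on its own.
        if (user, host) in brute_force:
            alerts.append(f"conn {cid}: login as {user} from {host} after brute force")
        # Reconnaissance followed by destruction or a ransom note is the full sequence.
        if "recon" in seen and ({"destruction", "ransom_note"} & seen.keys()):
            alerts.append(f"conn {cid}: {user}@{host} ransom-style sequence {sorted(seen)}")
    return {"brute_force": brute_force, "phases": dict(phases), "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)["alerts"]:
        print(alert)
```

The benign `shop_app` connection never enters the phase table, while the `root` connection trips both alerts: it arrives from the address that was just brute-forcing, and it runs recon, stages data with `INTO OUTFILE`, drops the table and writes the WARNING note. In a real deployment the same logic would run over the database audit log or the EDR's process and network telemetry rather than a text file, and the brute-force rule would be the cue to watch every later login from that source.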

CrowdStrike CEO George Kurtz spoke about this to Bloomberg:

Dave Ratner, CEO, HYAS:

   “Increasing an organization’s visibility into the real-time activities inside the network is quickly becoming critical for business resiliency against modern attacks. The ability to identify anomalous outbound communications from both the IT and OT networks can dramatically reduce the elapsed time from infection to detection and remediation and may be the only signal that allows organizations to get ahead of an attack before data exfiltration, encryption, and other actions that impact business continuity.”

Clearly the use of AI by those who defend against attacks is growing. Just look at Google and the announcement that they made at RSA. This is something that defenders need to consider in order to keep our digital assets safe.

Attack Breakout Time Drops To Just 84 Minutes

Posted in Commentary with tags on March 2, 2023 by itnerd

I have some bad news if you’re responsible for defending your organization against threat actors.

Attackers cut the average breakout time, the interval between gaining an initial foothold and moving laterally to another system, by 14% last year, down to just 84 minutes, according to a new report from CrowdStrike. That gives defenders even less time to detect and contain an intrusion before it spreads.

Making things harder for defenders, a full 71% of the attacks relied on valid credentials rather than malware, up from 62% in 2021, which makes detection by automated anti-malware systems extremely difficult. These "hands on keyboard" techniques leave no malicious file for traditional anti-malware tools to flag, according to CrowdStrike.

Like I said, this is bad news.
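As an added example (not CrowdStrike's code or methodology, and with constructed data), here is how a defender can measure breakout time from their own logon telemetry, which also shows why credential-based intrusions are hard for anti-malware tools: nothing in the events below is malicious on its own. The script treats a logon from a source address outside an account's normal baseline as initial access, then follows network logons that originate from hosts the intruder already holds, recording the first such hop as the breakout. The event layout, the baseline, the host-to-address inventory and the sample events are assumptions for illustration.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample of successful logons in Windows 4624 style, not real telemetry:
# timestamp, target host, account, logon type (2 interactive, 3 network, 10 remote desktop), source address.
SAMPLE_EVENTS = """\
2023-02-01T09:00:00Z,WS-042,jsmith,2,-
2023-02-01T09:05:00Z,FS-01,jsmith,3,10.0.5.42
2023-02-01T09:30:00Z,WS-017,apatel,2,-
2023-02-01T13:10:00Z,WS-042,jsmith,10,198.51.100.77
2023-02-01T13:55:00Z,FS-01,jsmith,3,10.0.5.42
2023-02-01T14:20:00Z,DC-01,jsmith,3,10.0.5.42
2023-02-01T14:34:00Z,SQL-02,jsmith,3,10.0.5.42
2023-02-01T14:40:00Z,SQL-02,jsmith,3,10.0.5.42
"""

# Hypothetical baseline built from earlier weeks: the source addresses each account normally logs in from.
BASELINE = {"jsmith": {"-", "10.0.5.42"}, "apatel": {"-"}}
# Hypothetical asset inventory mapping hosts to their addresses, used to follow the pivot chain.
HOST_IP = {"WS-042": "10.0.5.42", "WS-017": "10.0.5.17",
           "FS-01": "10.0.1.5", "DC-01": "10.0.1.1", "SQL-02": "10.0.1.22"}


def parse_events(text):
    """Parse the CSV lines into (timestamp, host, account, logon type, source) tuples, oldest first."""
    rows = []
    for ts, host, account, ltype, src in csv.reader(StringIO(text)):
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, account, int(ltype), src))
    return sorted(rows, key=lambda r: r[0])


def find_breakouts(text, baseline, host_ip):
    """Find credential-based intrusions per account and measure their breakout time.

    Initial access: a logon from a source address outside the account's baseline.
    Breakout: the first later network logon (type 3) to a new host that originates from a host
    the intruder already controls. Each host reached that way joins the compromised set.
    """
    intrusions = {}   # account -> record of the first intrusion seen for it
    for ts, host, account, ltype, src in parse_events(text):
        rec = intrusions.get(account)
        if rec is None:
            if src != "-" and src not in baseline.get(account, set()):
                intrusions[account] = {"account": account, "start": ts, "landed_on": host, "source": src,
                                       "first_lateral": None, "breakout_minutes": None,
                                       "compromised": [host]}
            continue
        pivot_sources = {host_ip.get(h) for h in rec["compromised"]}
        if ltype == 3 and src in pivot_sources and host not in rec["compromised"]:
            rec["compromised"].append(host)
            if rec["first_lateral"] is None:
                rec["first_lateral"] = host
                rec["breakout_minutes"] = (ts - rec["start"]).total_seconds() / 60
    return list(intrusions.values())


if __name__ == "__main__":
    for rec in find_breakouts(SAMPLE_EVENTS, BASELINE, HOST_IP):
        print(f"{rec['account']}: landed on {rec['landed_on']} from {rec['source']} at {rec['start']:%H:%M}, "
              f"broke out to {rec['first_lateral']} after {rec['breakout_minutes']:.0f} min, "
              f"reached {rec['compromised'][1:]}")
```

In the sample, jsmith's morning logons match the baseline and are ignored; the afternoon remote-desktop logon from 198.51.100.77 is the foothold, and the first network logon from that workstation to FS-01 comes 45 minutes later, well inside the 84-minute average, with DC-01 and SQL-02 following. The number that matters for a defender is whether detection and response for the foothold event finishes before that first hop.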

Ted Miracco, CEO of Approov Mobile Security:

   “It’s important to note that no single security measure can completely prevent all types of attacks, especially social engineering attacks. That said, mobile app attestation, runtime secrets protection, and RASP can all be highly effective measures in preventing credential access, SIM swapping, and MFA fatigue in mobile applications. 

   “Attestation techniques not only help ensure that only genuine apps, and not tampered or cloned versions, are accessing APIs; they also use the authorized application seamlessly as the second factor before accessing sensitive data. By verifying the integrity of the app at runtime, it prevents attackers from both injecting malicious code and accessing sensitive data. Runtime secrets protection can ensure that only valid app instances running in un-compromised environments can access the API keys and secrets stored in the cloud. This can prevent attackers from accessing these secrets even if they manage to gain control of the device. RASP can monitor, detect, and instantly block computer attacks, including new threats that were unforeseen during development. By continuously analyzing app behavior and detecting anomalies, RASP can prevent “interactive intrusions” and other types of attacks.

   “It’s best to use a combination of security measures, including those mentioned above, along with other security best practices such as proper authentication and authorization, encryption, and regular security testing and updates.”

The fact that attacks are getting faster and faster to execute means that we all have to work much harder to stop organizations from becoming victims. And the approach outlined above can certainly help with that, if everyone adopts it.

TruU & CrowdStrike Deliver Identity-First Security For True Zero Trust

Posted in Commentary with tags on January 24, 2022 by itnerd

You can’t execute a Zero Trust model without first trusting user identities, and that means authenticating them continuously, from the time they try to log in to the moment they log out.

Combining continuous identity authentication with risk assessment at the endpoint allows for intelligent real-time threat response and strikes the perfect balance between a robust security posture and a seamless user experience. 

Too often, security controls are too stringent, which results in loss of productivity, or too permissive, which increases enterprise risk. Now, TruU and CrowdStrike have teamed up to add Zero Trust assessment (ZTA) scores to the TruIdentity Cloud authentication risk engine, providing the most comprehensive and efficacious Zero Trust solution with continuous identity at its core.

Simultaneous device risk data and identity authentication allow customers to implement policies that respond to potential threats as they happen by stepping up identity verification on compromised endpoints and limiting access to high-value assets associated with those endpoints.  

Use Case #1: Stepping up identity authentication on potentially compromised devices

  • How they do it: TruU + CrowdStrike takes the endpoint ZTA rating and feeds it into the TruU risk engine for an overall risk score. The TruU risk score is compared against the user’s policy threshold, and if the score is within bounds, the user is logged in. If the score is higher than the threshold, then another factor is required for access.
  • Why they do it: To ensure the combination of user identity and endpoint trust meets enterprise security requirements.

Use Case #2: Stopping authentication into high-value assets from compromised devices

  • How they do it: Once authenticated into a potentially compromised device, TruU stops the user from further authenticating into servers or remote machines until the risk behind the local device's ZTA score has been remediated.
  • Why they do it: To allow users to authenticate at the endpoint while limiting the spread of data breaches and lateral movement threats.
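As an added illustration of use cases 1 and 2 (this is not TruU's or CrowdStrike's code, and the 0-100 scales, the max-based combination and every threshold are hypothetical), here is a small policy engine: the endpoint ZTA rating is folded into a combined risk score that is compared with the user's policy threshold to allow, step up or deny, and once the user is on the endpoint, logins to servers and remote machines are refused while the device's posture is below a floor (a higher floor for high-value assets). A missing posture score, for example because the sensor is not reporting, is treated as the worst case so the check fails closed.

```python
from dataclasses import dataclass
from typing import Optional

# All scales, weights and thresholds here are hypothetical illustrations,
# not TruU's or CrowdStrike's actual scoring.


@dataclass(frozen=True)
class AuthContext:
    user: str
    device_zta: Optional[int]        # endpoint posture rating, 0 (worst) to 100 (best); None if unknown
    identity_risk: int               # risk from identity signals (new device, geo, velocity), 0 to 100
    target: str                      # "endpoint" for the local login, else a server or remote machine
    step_up_available: bool = True   # can the user present another factor right now?


@dataclass(frozen=True)
class Policy:
    allow_below: int = 40            # combined risk under this: the first factor is enough
    step_up_below: int = 70          # under this: demand a second factor; at or above: deny
    server_zta_floor: int = 60       # use case 2: no server/remote access from weaker devices
    high_value_zta_floor: int = 80   # stricter floor for the assets below
    high_value: frozenset = frozenset({"DC-01", "SQL-02"})


def combined_risk(ctx):
    """Fold the endpoint ZTA rating into one risk number together with the identity signals.

    A missing posture score is treated as 0 (fully untrusted) so the decision fails closed.
    Taking the max means a weak device or a risky identity alone is enough to raise the score.
    """
    zta = 0 if ctx.device_zta is None else ctx.device_zta
    if not (0 <= zta <= 100 and 0 <= ctx.identity_risk <= 100):
        raise ValueError("scores must be within 0..100")
    return max(100 - zta, ctx.identity_risk)


def decide(ctx, policy=Policy()):
    """Return (decision, reason); decision is one of allow, step_up, deny."""
    risk = combined_risk(ctx)
    zta = 0 if ctx.device_zta is None else ctx.device_zta
    # Use case 2: already on the endpoint, now trying to reach a server from a weak device.
    if ctx.target != "endpoint":
        floor = policy.high_value_zta_floor if ctx.target in policy.high_value else policy.server_zta_floor
        if zta < floor:
            return "deny", f"device posture {zta} below floor {floor} for {ctx.target}"
    # Use case 1: compare the combined score against the user's policy threshold.
    if risk < policy.allow_below:
        return "allow", f"risk {risk} within policy"
    if risk < policy.step_up_below:
        if ctx.step_up_available:
            return "step_up", f"risk {risk}: additional factor required"
        return "deny", f"risk {risk}: additional factor required but unavailable"
    return "deny", f"risk {risk} exceeds step-up ceiling"


if __name__ == "__main__":
    session = [
        AuthContext("alice", device_zta=55, identity_risk=10, target="endpoint"),  # weak device: step up
        AuthContext("alice", device_zta=55, identity_risk=10, target="FS-01"),     # then blocked from servers
        AuthContext("alice", device_zta=90, identity_risk=10, target="FS-01"),     # after remediation: allowed
        AuthContext("bob", device_zta=None, identity_risk=5, target="endpoint"),   # sensor silent: fail closed
    ]
    for ctx in session:
        print(f"{ctx.user} -> {ctx.target}: {decide(ctx)[0]} ({decide(ctx)[1]})")
```

The ordering matters: the server-floor check runs before the risk comparison, so a user who passed step-up on a weak laptop still cannot reach FS-01 from it, which is the lateral-movement limit use case 2 describes; only once the device's score recovers does the same request go through.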

Use Case #3: Rewarding users with better experiences while keeping endpoints secure

  • How they do it: The authentication experience communicates and demonstrates more productive ways for users to authenticate when they follow prescribed endpoint update schedules.
  • Why they do it: To boost employee engagement across the enterprise so that employees care more deeply about keeping their endpoints within acceptable security guidelines.

TruU combines strong identity proofing, presence, biometrics, and behavioral markers in the TruIdentity Cloud to deliver the most comprehensive passwordless solution for all physical and digital workflows. Its TruPresence capability is a groundbreaking innovation that allows individuals to authenticate into workstations, physical doors, and other sensing assets simply by being close to them and removes the zero-sum trade-off between better security and a better user experience. 

TruIdentity Cloud comes with pre-built, standards-based integrations across the entire identity stack to support full-spectrum authentication. Remote onboarding and identity proofing, workstations, apps, servers, VPNs, Windows, Mac, and privileged access are all supported, as is physical access via badge readers. To discover how TruU can help you remove the largest security risk in your organization, visit https://truu.ai/