CrowdStrike Technical Dive Webinar April 19, 2017

All right, we're about three minutes in, and we can go ahead and get started here. Jason, I'm going to kick off and get things going; hopefully more people join us as we go. I've already started the recording. Perfect. All right, well, good afternoon everybody who has had the chance to join already. We're going to do a quick intro of the team here and then we'll jump into the actual demo itself. So let's just go to a quick glimpse at the agenda of what we're going to cover today. I'll start with introductions. My name is Jose Pimentel, I'm a solution architect for the channel, East, responsible for the technical enablement for our channel partners out in the field, and my counterpart Jason is out in the West. I'll let Jason say a few things and then let Adrian introduce himself.

Thank you. Yep, you could duplicate what Jose said for me; I'm here for the channel enablement in the West. Please feel free to drop me a line on questions, concerns, etc. We definitely have a great call lined up for next month as well, where we're going to feature a conversation with Splunk and a demo. So we're going to have the Splunk team join us for the same call next month, where we're going to demonstrate an integration with the Splunk platform. So I want to give you that teaser for next month. I'm going to turn it over to Adrian now.

Thanks. This is Adrian Diaz, another solutions architect. I've been on now for two months. My focus is the MSP and engagement partners, but I'm also working with Jason and Jose on any efforts from everyone in the channel, so I'm here to help.

Excellent, thanks gentlemen. So just a quick look at the agenda here. We're going to go through the CrowdStrike platform and some of the changes from the newer things that we've added. There will be a combination of slides and demo just to kind of break up the flow, and what we'll cover today is the Falcon Discover solution, the Falcon Prevent solution, ending with the Falcon Insight solution, and then we'll talk a little bit about OverWatch and the intel that comes with the product and can be blended with the CrowdStrike product, and we'll leave some time at the end for the Q&A. Jason will be sort of moderating the chat, so if anybody has a question in the middle of any of this, feel free to throw it in there, and Jason, feel free to stop me at any point and we can answer a question on this as well, but we'll try to leave some time at the end so that people can ask some questions.

All right, so let's go ahead and jump into it here. So this is a quick look at the actual Falcon platform. What some of you may have come to know as the Falcon Host platform, which used to be a single unit, has now been broken up into a few different products on the left-hand side, and they're empowered by some of our services on the right, which are the managed hunting and the threat intel. I'll talk a little bit about each here from left to right, and then we'll jump into each individual component within the Falcon Host platform one at a time and show a little bit about what each solution piece does. Starting from left to right: IT hygiene, also known as the Falcon Discover solution, is the newest addition to the product. This is essentially going to be able to give you the lay of the land as far as what's out there in the environment, from assets to applications and usage. We'll go a little bit deeper when we get into the next slide on the solutions as well. Just to the right of that, next-gen antivirus: we have had machine learning in the cloud for quite a while; we've just recently had the addition of machine learning on sensor, which provides protection on the machine when it's online as well as offline, and it also gives us a play at going after the AV replacement piece as well. And then our EDR solution, which has been in the product for a while, also known as Falcon Insight. This is what's recording all of the events, all the process execution, and really getting all the information out of a host that is running the Falcon sensor, to be able to do some hunting, some digging into what's in the environment, what has executed in the environment from an application or a particular process execution perspective. And just to the right of that we have our managed hunting team, also known as Falcon OverWatch. So this is the team of hunters that is the force multiplier; this allows for the operationalization of perhaps a small SOC for an organization that can't house or afford to operationalize a SOC on their own. They're the ones out there looking at the threat intelligence and all these alerts that happen in a system, and they're here to work for the customer itself. Last but not least is our threat intelligence, which can be tied into the product, and it can be bundled or sold separately as a separate solution for anybody who's just looking for threat ingestion and wants intel independent of their own solution. So the Falcon Host platform all operates under an open API solution. Each piece is built to be that shared source of security, if you will; we don't necessarily want to be the single pane of glass for the customer. We want to be able to easily integrate into their existing workflow, whether it be feeding information into a SIEM or some type of orchestration tool, to allow an investigator to do their job.

So let's go ahead and jump into each one of these one at a time. But before we do, we do want to mention that the solution is, of course, as many of you know, cloud delivered, so time to value is immediate. There's no load on the customer side from a production perspective; they don't have to worry about providing additional resources like a server to run the management console, which removes overhead and cost from the customer, and deployment is a single lightweight agent sensor that is deployed to a client within a couple of clicks and immediately starts to communicate with the Falcon Host platform. Here's a breakdown of all the solutions that we're going to talk about. I'll start with Falcon Discover, we'll move on to Falcon Prevent, and finish off with Falcon Insight from a product perspective, then talk about our services on the right, the managed hunting team, OverWatch, and then our intelligence.

For that, we're going to start with our newest addition to the software, which is IT hygiene, also known as Falcon Discover. This is one tool for an administrator to really get a full picture and the lay of the land of what's out in the entire environment, providing real-time visibility into a full inventory, and the ability to monitor your privileged accounts, so your administrative accounts that have escalated privileges are fully monitored from an application usage perspective or process execution perspective, allowing the administrator to see where these admin accounts are being used. And last but not least, the application usage helps a customer understand not only the applications that are out there but also how they're being used, and whether or not some are being used at all, allowing the customer to perhaps eliminate some licensing and reduce cost within the environment. And we're going to see a demonstration of what the Falcon Discover solution can provide here in a second.

So let's go ahead and jump into a demo, to kind of break up the slides a little bit. So this will be a quick look at the Falcon Discover solution with the IT hygiene. The very first thing we're going to look at here is account monitoring. So this allows an administrator to really get a full picture of what the admin accounts in the environment are doing, or whether they're being used from a host perspective, as well as a lot of other information like what was the last host an admin account was seen on, when they last logged on, how long has it been since the password reset, which is also important to security, so understanding how often these passwords are being cycled in and out from an administrative perspective. Come on... yeah, only when you're recording. I apologize for the demo here. So this is a quick look at account monitoring and some of the information that you gather from the account monitoring perspective that I talked about a second ago, as well as how often these passwords have been reset or, you know, last cycled out through an environment. Some of these are very aged, as you can see on the right-hand side. The next application we're going to look at here from Falcon Discover is asset inventory. So this really allows you to get a picture of what's out there from an asset perspective, and you're going to get two different views. On the left-hand side you'll get a view of all the machines that we discovered that don't necessarily have a Falcon Host sensor installed on them, so we can only gather so much information: the IP address, the MAC address associated with the machine, and the adapter that the machine is running on. On the right-hand side, as you can see, however, once the sensor is deployed you're going to get a lot more information back from the host: hostname, the operating system, the running agent version from a Falcon sensor perspective, the IP address, the MAC address, whether they're part of a domain or a particular site within an environment as well. There's a lot of great information here from a protection perspective, in the context of understanding whether we are covered fully from a host perspective and a security point of view. The next thing we're going to look at here is application inventory, which gives you a full list of all the applications that were seen in an environment. Then we're going to pivot over to application usage. In this case we're going to do a search for a vendor, Microsoft, and we're going to get a full list of all the applications that were launched from the vendor Microsoft, in this case the operating system. It really gives you a quick look at what the users are out there executing or using, and lets you understand whether they're using productivity applications or they're just wasting time on another type of application that they shouldn't be on. So you get the application information, the product name, the version, when it was last seen or used, and what hosts that actual application was used on. The next piece here is going to be again application usage, but from a different perspective. In this case we're going to do a search against a particular host, quickly allowing you to see the applications that were used on a particular host over a certain period of time. You can see all the vendor names, product names and software versions down on the bottom right there. This has a similar feel, but in this case we're actually doing an application usage report based on a particular user, an admin for example or some privileged account, to get an understanding of how they're using things. That's IT hygiene.

It's just a quick look at what IT hygiene is bringing to the table, or helping the customer fix from a business value perspective. As we saw from the demo, you get a quick look at all of the applications that are out there that are in use or perhaps not being used, allowing the customer to reduce some licensing cost. You optimize operations by getting an understanding of what the users are out there doing: are they using productivity applications or are they using applications that shouldn't be used in an environment? Quickly identify protected systems from unprotected systems, so you get a feel for what else needs to be covered in an environment from a security perspective, and truly understand the application usage. On top of that, you can also satisfy some compliance requirements behind it. So that's a quick look at IT hygiene and some of the business values that it brings to the table and what it helps the customer fix.

The next thing that we're going to move to here is the Falcon Prevent piece, or next-gen AV, going after fully replacing these traditional AV vendors. Just to backtrack here, I'm going to take a step back and talk about IT hygiene for those of you who are familiar with something similar to this, but other vendors out there like Cylance can't provide that kind of visibility. The only other vendor that I can think of that would come to mind would be Tanium, so this is kind of our go at Tanium as well, and getting an edge against Cylance from a technology perspective. So back into the next-gen AV, the Falcon Prevent piece here. As you all know, we've had machine learning in the cloud for quite a while. We can block known bad, you know, hashes, IOCs, domains, bad IPs. We could also block the unknown bad using machine learning algorithms and what we call IOAs, or indicators of attack. The IOAs are really looking at process execution behavior rather than just a hash or known bad. For example, I have a breakdown in another slide here to help break down and get an understanding of what an IOA is; what it's really looking at is just process execution behavior that tends to be malicious. And then last but not least, the bottom right is the ability for us to look at exploit mitigations, where we take a look at all of your productivity apps, like your Microsoft, your Word, and get an understanding of whether there's an exploit that they currently have that's being taken advantage of, similar to a Microsoft EMET type of solution. The difference being here that we're doing the same type of exploit mitigation for your non-Microsoft related applications, like your Adobe, your Java, your Flash, and that's something that EMET isn't covering on the back end.

So here's a breakdown of that IOA that I talked about. Really this is looking at the process execution behavior, and each of these different points you see is a different type of behavior. This is a breakdown of a simple IOA that would relate to some type of ransomware attack. When the infection first happens, the process actually persists on the system. Once it does that, it enumerates the file system and takes a look at all the information that it can take advantage of and encrypt, and the next step after that is it's going to start looking at your shadow copies, so it will delete any information that you may have backed up that you're going to be able to recover from, and last but not least it takes an encryption call and starts encrypting the data. All of these points here are behavioral points at which an IOA would be able to terminate at any point in time, not allowing the ransomware to perhaps enumerate the file system or go into your shadow copies and start deleting backups; it would terminate that type of process execution and stop the infection from happening. All this information, of course, is under our graph database called Threat Graph, which is really where all the information is set up and all the metadata that we're collecting from all of our customers' sensors deployed around the world, in 176 different countries. We collect over 30 billion events a day; actually, most recently I think we're up to 40 billion events a day, which is astronomical. But this really helps you do a search against a database that is not on site, so you're not taking the hit, and it gives you about five-second searches, the ability to search in real time as well as retrospectively against any information that a customer has perhaps gathered, like some known bad hashes, when you want to determine whether or not there has been a host in the environment that has executed it. It helps you find the knowns and unknowns that may have perhaps been missed, and also detection, prevention, forensics, and of course it helps with hunting as well. Do we have any questions? I see somebody raised their hand. Jason, did you see anything come up in the chat? That was me testing the raising-of-the-hand button, sorry about that. Got it.

All right, so let's go ahead and jump in and take a quick look at our Falcon Prevent solution. In this demo we're going to demonstrate machine learning in the cloud, and then we're going to make a quick change to the actual victim machine to display machine learning on sensor and prevention when perhaps a machine is no longer connected to the internet or off the network. Actually, we do have a question from Yuri. So, Yuri, I wanted to see if we can let Yuri talk. You might have to unmute him. Yeah, I think you have to do that, if you don't mind going into the participants on your side and seeing if you can... no, just lower his hand. Yuri, can you ask your question in the Q&A box, and I'll continue with the demo here so we don't have such a long pause. Jason, interrupt me at any point. Sorry about that. So now we're looking to jump into the Falcon Prevent next-generation AV here, and in the first example we're going to do an execution of a piece of malware that's already been downloaded. The hash is going to be executed by command prompt, but in this case the machine is connected to the internet, so the machine learning in the cloud actually took that detection decision and prevention decision, so we saw access denied. We're going to jump into our Falcon Host solution and can quickly see that process execution and the process tree here showing us the detection. In addition to that, we're also going to look at our AV section. In this case we already knew that it was a known hash; we have a direct integration with VirusTotal; these are all the different vendors that reported that hash. Machine learning made a decision based on an existing IOC, or known hash, that was already recorded. The next thing we're going to do here is a couple of different things to kind of demonstrate or display machine learning on the sensor. The first thing we're going to do is disable the network adapter; this way the machine is no longer able to connect to the internet, simulating perhaps a laptop that's on the move and doesn't have access to machine learning in the cloud. So we're going to disable the network adapter. We're going to take it also one step further: since we know that there was a known hash, we'll open up a hex editor and we're going to mutate the hash by a single octet. This changes the hash of the malware, but it doesn't necessarily change the behavior, so we're still getting good coverage from machine learning, which will be looking now at behavior that has not actually changed. Let's also eliminate the fact that it's not clearing just the VirusTotal information; there's a cache layer, so we're going to take the hash that's been blocked, and then we're going to execute the same sample in two different forms and get a little bit of a bigger process tree. The first way we're going to execute it is by Windows Explorer; we can quickly see the access denied window here, so prevention has happened. And I'm going to execute the same hash from within the command prompt, just to get the process tree here; here's our access denied call. And then the other thing we're going to do here is we're going to re-enable the network adapter, because all the prevention and detection that have happened are cached on the system, so the second the sensor does come back online, all that detection information is going to get fed up to the Falcon Host management console for the administrator to be able to do their investigation. So enable the network adapter, jump over to Falcon Host once again, and we can see our process tree, the two different types of detection that I launched. And in addition to that, we move over to our right-hand side, go down to our AV section as we saw before; in this case we have zero hits because we mutated the hash, so the VirusTotal hash that was recorded by all the other traditional AV vendors is no longer in play here. So this is how an adversary can quickly bypass your traditional AV vendor: if I simply just mutated the hash of the same piece of malware, then your traditional AV vendor would have to go get a new signature and get it down to the endpoints before they could do anything about it. So that's a quick look at Falcon Prevent. We saw machine learning in the cloud, and then we saw the same type of protection when the machine was actually offline, providing full prevention and detection for a customer in either scenario. Jason, did you happen to get that question in the chat, by any chance? No, there was no question there.

All right, so we saw the demo, so we saw the many different things that Falcon Prevent can resolve for the customer and help fix. The business value points are right on our right-hand side here. We saw protection against known as well as unknown, by changing simply the hash value, which brings up the point of being able to protect against zero-day attacks. These threat actors out there are just going to rinse, reuse, repeat each type of approach when it comes to malware; they'll sell it to each other, just change some of the hash code, but the malware behavior is still the same, so that threat is definitely eliminated. We saw the breakdown of an IOA, so we can eliminate ransomware with not only known IOCs and machine learning but also the behavioral patterns behind them. No signature updates is huge when it comes to the sensor itself; all this eliminates the bloat on the agent, keeping it very, very low. The agent itself takes up about 30 megs on disk, uses 10 megs of memory, and CPU utilization is something between 0 and 2 percent, because we are eliminating that hit from the sensor by using machine learning and behavior patterns. So full protection even when offline is also one of the things we saw from within the demo here. So that's a quick look at Falcon Prevent. We'll jump into the next piece, which is our EDR, but we've got to talk about a couple of other things. So with our machine learning on sensor we have been AV certified by Microsoft and a couple of other vendors; we're fully involved in the AV-Comparatives testing; and VirusTotal is one of our partners that we have a direct integration with, which helps us meet some of the other compliances as well, like PCI, HIPAA, DSS and FFIEC.

So the last thing we're going to do here is look at our EDR component, or Falcon Insight, and then we'll finish off with the OverWatch team and the intel. So the EDR is our recording component; it's our DVR, if you will. It's going to monitor and record every process execution right after you log in, and you can see that from the process trees we've been looking at. This really gives you the ability to have some real-time and historical search against data; once again, the data that you're searching is in the cloud, it's no longer an on-site database like a SQL or something that maybe is locally stored on a server. Everything is recorded, as I mentioned, right from logon, every process execution and everything that the user executes, even while offline; all that information is being cached with an EDR solution. This really gives the administrator or responder inside of an organization the ability to quickly respond to a threat, as well as being able to network contain a host so they can continue their investigation and start their remediation process from a malware perspective. This eliminates the approach of just hitting the nuke button, right: "Oh, that was a piece of malware, may as well just re-image that machine." Then you're getting rid of all the forensic evidence, and the administrator never really gets an understanding of what, when, where or why that piece of malware came in. With an EDR component, this really allows you to get that full visibility. In addition to that, you have the ability to threat hunt: you can take your own hashes or known bad domains, search against your entire environment within seconds because you're searching against the cloud database, and really get a full understanding of whether you should be looking at endpoints that perhaps have executed that known hash or have visited some domains that they shouldn't be visiting. So we'll jump into the demo here of Falcon Insight and then I'll get to the next point.

So let's go ahead and take a quick look at the Falcon Insight solution. Before I jump into that, make sure there's no questions. It does not appear to be. Okay. All right, so during this demo we're going to do two different things. The very first thing we're going to do is a bulk domain search. We're going to gather some information as far as malicious domains from some websites that have malware samples, malware code, that sort of information. To gather this information from the page, what we're going to do is use our browser API plug-in called CrowdScrape. This is going to help us scan the page for indicators and get our list of domains that we want to look for in an environment. CrowdScrape gives us the results; we're going to copy all of the information, bring it back to our Falcon Host platform and dump it all in at the same time, so we can search against multiple domains over a certain period of time. This immediately brings us back the results of the hosts that have hit one of those domains we were doing a search for. We have the hostname information, when it was first looked up, when it was last seen, last check date, etc. The next search we're going to do here is bulk hash. This is, once again, for somebody who wants to look at an environment for a hash that they got wind of, a new threat that's out there. In this case we're going to pull it off of a web page that has known malware on it. We're going to use CrowdScrape to pull the hash information, quickly dump that hash info into our search, go for a 30-day period, and the results immediately come back and let you know that the hash has been seen: here's the file name, here's the SHA, here's the MD5, here's the host that executed it, first seen, last seen. It also gives the administrator the ability to take action from within this first screen and be able to network contain that machine that has been infected, not only to continue the investigation but perhaps also to stop the spreading of anything that may potentially try to reach out to the network and put these bad hashes within the environment. So that's a quick look at Falcon Insight.

There's a couple of other searches that can be done there. We also do have a back-end query capability there that's very similar to Splunk, built into the product; you can do your own searches, your own custom queries against any of the data. The important thing to note here is that typically the searches are quick; they really do scale to a lot of data; there's the ability to not have to have additional resources come about from a customer perspective, since they don't have to have a server that hosts this database that they want to search against; searches are within 5 seconds, as we saw from the demo here. So we have the ability to search across the entire environment very, very quickly. It also helps you to prevent against silent failure. This means if an infection has already hit a system and it has been compromised, we're still recording every other event that happened after that. We're not a hundred percent, we don't claim to be, and neither is any other vendor; the ability to have a full picture and a history behind what happened after that infection really helps against preventing that silent failure. Just to take another jab here, this is something that one of our competitors, Cylance, does not provide; they are strictly focused on the prevention, but it's really beyond that. In this day and age it's about a lot more than just prevention; you need to be able to have the history and the forensic capability to get an understanding as to how that machine got infected, why, and what else were they using during that time that needs to be taken care of from an administrative perspective. It helps you reduce the time to remediation as well as the time to response, because you have the full history and you know what you're looking for when you have to eliminate it, and it eliminates hardware storage cost. Scalability is key here; we can scale to very large enterprises very, very well. Just taking another twist at another vendor here, Carbon Black is a vendor that does a little bit of everything that we do, but they're doing this with a different agent each time, and there's also the overhead cost of having to have on-premise patched solutions and manage them. From a scalability perspective we can handle the very large enterprises without any additional cost. Carbon Black, for example, can only handle 5,000 endpoints; beyond that you have to have more additional costs on the server end to be able to manage and host a database as well as a management console for those additional endpoints that come in and are put into the environment.

All right, two more pieces here. Managed hunting, or our Falcon OverWatch team: they're the ones looking at all of the alerts, they're the ones prioritizing the alerts to help eliminate alert fatigue for those environments that have a small IT staff and perhaps can't spend the time to do this type of work: hunting, alerting, prioritizing and responding. They're the force multiplier to help bring a lot more leverage to a team that perhaps doesn't have this kind of capability, and they help you stop the mega breach. Who these guys are: they're looking at things that are important; it's not just monitoring red or green lights and telling you there was an alert, an infection. They're going to look at behaviors and patterns, and whether or not a threat actor is in and what they're doing, and then they're going to take that information, put it into a report, provide it to the client, and also provide them guidance on the approach that they should take to eliminate that threat actor from the environment. There are two different tiers here. The first tier: they're going to just provide reports and tell you the actions. The second tier: the OverWatch team can even take action for the customer if it happens to be, you know, during non-production hours, on a Saturday or Sunday when the actual customer's responders can't respond; the OverWatch team can take that immediate action and stop the bleeding, if you will.

So what are some of the business values that the Falcon OverWatch team is bringing to the table for a customer? They can stop the mega breach, right; they're going to look at a lot more than just red and green type of monitoring. The force multiplier: they bring that additional power to an environment that perhaps can't, you know, manage or afford to have a team of this caliber. Community immunity: so they're looking at all the different alerts, all the customers throughout the world, not just my single environment, and if something is discovered, everybody takes advantage of that same intel instantaneously. And we reduce alert fatigue by eliminating that from the customer side and really focus on what matters, not just malware infections but is there reconnaissance happening, is there lateral movement, is there a threat actor that is planning to steal, you know, particular information, whether it be IP or PCI, whatever type of information they're looking for.

Last but not least, threat intelligence, or Falcon Intel. We have one of the best teams out there; they provide full analysis reports; they can be used strictly for feeds, like I mentioned; this can be sold as a separate product from the solution; it can also be bundled with anything that we have. You get expert access and real threat data search across the entire environment. The intel team really provides a lot of information, not only from an adversary perspective but what that adversary targets, what the organizations are that they tend to target, what kind of applications they're going to weaponize to their advantage that customers are using, any productivity apps, your Adobe, your Word, your Outlook; that type of information is all in the intel threat intelligence report. I'm actually going to make a quick pivot here before I do finish these slides, and just jump into the Falcon Host platform so we can take a quick look at our intelligence information. Hey, we do have a... come on. So I thought we had a question; we do not. All right, one second here, just plugging into my system; it has a timeout after a short period. All right, really what I wanted to do here is give you guys a little bit of a better look into our intelligence and the type of information that the intelligence has behind it. All threat actors have their own sort of name; we separate these names into animals based on geographical location. You have your Bears, which would be Russian Federation; for those of you who are familiar with the DNC hack, your Fancy Bear and the Cozy Bear, those are also Russian; Pandas would be China, etc. But if you dig in to one of these intelligence reports, here's a quick look at all the information that the customer is going to be able to take advantage of that I mentioned, right: what the threat actor name is, where the origin is, last known activity, what some of the other vendors out there may be calling them, and a quick look at the entire kill chain of how these people are working, right, whether they use or in some cases weaponize regular applications, are they doing this just to monetize, do they strictly use ransomware to just take advantage of people and get bitcoins, essentially. And then you get full reports down here by our analysis teams that are being fed in as well. That's just the basic information on the right-hand side. So there are two different levels of intelligence that come into play here: a basic intel subscription will give you, you know, the actor quick-look report as well as the kill chain; the full reports, of course, would not be available unless you went to the higher level of intel subscription. I'm going to jump back into the deck here.

All right, so just to cap off the intelligence piece: essentially we gather a lot of intelligence from our side, and all the other intelligence that we gather from third-party vendors is all curated. It helps predict the attack, prioritize and respond, gives alert context, C-level type of reporting, with the full report of the threat actors that may be inside of your organization and why they're there and what their objectives are, and really helps you drive security automation from an intelligence perspective. I know that this is a lot of information for you guys; I'm going to just recap what we've covered from a solution perspective, and I'll talk a little bit about how these can be purchased. They can be bundled or they can be bought separately. So we talked about IT hygiene, which is our Falcon Discover piece, really getting an understanding and a lay of the land of what's out there from an application perspective, what's being utilized, not utilized; account monitoring, allowing you to monitor those accounts with escalated privileges, whether they're being used, how, what they're executing, etc. Falcon Prevent, which is the next-generation AV piece, machine learning on sensor; and then we demonstrated machine learning in the cloud as well. The machine learning on sensor provides us the ability to have that full AV replacement play, as well as providing protection to a host even when they're offline, which is one of the challenges that we had in the past and is actually one of the things that sort of hurt us a little bit when competing against Cylance. Cylance has had machine learning on sensor for a while, and now we've kind of taken away that positive from Cylance and matched it, so that's not really enough of a sell for them anymore. And Insight, which is the EDR piece, has been in the solution for quite a while. This really gives the administrator the ability to go beyond the alerting and the infection detection; it really helps them investigate, hunt, dig into a particular machine, get the full forensics behind it, and get an understanding as to how the infection got in, what they were using, and why, within an environment. And then last but not least we covered the Falcon OverWatch team, the force multiplier team that's there to help the customer eliminate that alert fatigue, that SOC that they perhaps cannot operationalize or staff, and then our intelligence piece, which is the last thing we covered. So the products themselves can be
bundled into suite and can also be bought separately prevent can be sold separately or it can be bundled with insight which is our ADR bundle and then we have a bundle called EPP which includes all three of the products on the left the talkin over question the intelligence are two separate products that can be coupled on top of your other solutions on the left the products so prevent an insight can be matched together with the overwatch team to get full visibility and somebody who's really going to be looking out for the customer or the bad guys that are going to be trying to hit filtrate the environment prevent is there to be sold separately as well for somebody who's just looking strictly for prevention and ad replacement of any of those traditional vendors that are out there prevent can be sold separately and it helps with the pricing point as well and so the smaller organization that perhaps are just focused on preventing won't really have staff remain power to go full EDR through the investigation and hunting on their own as well and as I mentioned before all this is driven by an open API you don't want to be the single pane of glass we want to be able to fit into the organization because this being workflow without disrupting that that type of behavior within an organization so they tend to just strictly work off the same we can quickly integrate intuitive with a streaming API get all the information over there so that the channels can continue to work as they did before with additional information on the backend from us but and then last but not least I'm going to finish it off with our technology partner ecosystem and some of the security partners that we have technology alliance and partnerships with from the analytics perspective your typical status your spunky logarithm parks that tell you platforms like anomaly correct connect we actually did an integration piece with them a couple of months ago and then tremendous researcher perspective all of our 
stuff runs in our AWS we have you know good relationship with Amazon of course orchestration tools the misto it's a great orchestration tool phantom we have a great partnership with in the next month just to kind of cap it off we are going to do a technology partner integration call and we are going to have a discussion and around the integration with the crushed egg platform and spunk so it's tuning with us next month for that plan type solution that is the last piece from my part we still have about 15 minutes so I did want to hopefully open it up for some QA unless there are some questions that have already come in Jason that we can run through a couple questions come in so somebody has to Alejandra Rita is the only supported platform Windows or Mac or Linux um you want to handle oh yeah good question so we do support the whole gamut as far as operating systems of concerns fully cover windows cover Mac most recently we've added prevention up neck the lextenda is strictly a EDR play so we're just looking at all the process execution and providing full visibility as to what's happening within the Linux machine there is no prevention there yet but it's in the works but we should fully support Windows as well as Mac now the next question would be is could you describe your integration with palo alto especially given that an endpoint solution that completes that compete from what ah right I don't know if we currently have a formal actual integration with palo alto certainly if palo alto wanted to use some security Defined Networking technique like adding our api intel stream into like a known bad blocked firewall rule that's probably possible but certainly i haven't seen that deployed often um etcetera so really i don't see us too much integration with palo alto unless adrian or or jose knows something different I don't have any other information besides what you provided okay I just happen to have Evan burns in front of me he says we have a integration with what 
Palo Alto uses a mind meld as open source and it's for Intel ingestion polling of i/o seats okay so clearly in the same thing I mentioned earlier but it definitely intelligence-related Ron does that answer your question on the palo alto networks component okay very good um perfect program um and then back to Alejandro we de versions of Mac I think we're up to the current Sierra release Linux kernels if you have access to our NFR system under the support documentation there is all of our Linux support information I believe we have significant changes coming to our Linux support I think right now a home is going to bring up the actual support information but it Jose can actually click on Linux yes where's my Edwyn gag where's it step just a little further up the mic I see the mouse just Vulcan sensor deployment guide but a lip perfect that'll show us the lid except those are the versions we support car Leandra we put those in the chat for you but we are currently working on some changes to our Linux deployment that moves the service out of us user space in the kernel space which will allow more operating system support we're definitely looking toward some support with the Amazon Linux deployment lots of customers asking about that so if you get a chance to come back into this portal and take a look in the next couple weeks you might see some changes actually I should say next couple months great glad to help and there's a you're currently supported Mac versions hi Jenny do you have Jenny's question do you have the functionality to kill processes or ban a hash we certainly could do both hash ingestion so if you add a text file of several hashes you can ingest them via the I think we're going to bring this up for you now yeah the Thunder prevention policies prevention Hashem when I that simple interface there's an upload button in the upper right hand corner actually takes the file in during the upload process you would it would ask you how you want to utilize the 
ashes you want to always walk you and always a while and etc I don't know if you have an example file but we could certainly show you that we currently don't have have any capacity to kill processes with the client um I don't know if Jose or Adrian knows that if that's on the roadmap or if you want to ask Evan next to Adrian you I'm also could you send us the URLs for the EDR API with online yes it's in the roadmap of l3 okay it's in the roadmap to the field constants component and the API EDR API information is all under the support documents and I'm a far right-hand side of the page you'll see all of our API information on the Intel API and of course the crap in the screening and the query API but of course you would need to have an Intel subscription to use with Intel actors API but you certainly could use an NMR account for the query API extremely the API or the front graph API but you have to be a manager of the account to be able to configure that API key and ID I don't know if you want to display on the left-hand side to show him show them where the API key information is right there about biga less updates with the agent installed on the machine like a Windows install the service pack is there any present the caution that easy to take in mind we're on top of those things but it also means that your clients and your support teams need to be I'm looking at our release code as a deliverer GBA Els alert in this Y so it poses a brings up the support documents yes we are constantly releasing it will get the docs there and that's a doc trashing the main support news page those answer they think well the new city Quebec yep so this shows all of the current bulk and release notes and we'll definitely be publishing release notes if we require a change related to a service pack or a Patch Tuesday release so certainly um if you see something in here I highly recommend that you read it I've got answer that component of the question under awesome uh yep so who should I 
contact by the questions about the REST API Jenny you could certainly send those questions through us we have direct access to Hamilton Yang who is the product manager for the API as well as Evan is EPS expert he wrote our our our application orchestrators so please feel free to send those education templates at CrowdStrike calm or close a top cement L at abstract compositions or dude like gonna put those in into the system window if they drop them in the chat just so that people have them go kind of do that now okay and okay is that everybody I think we got all the questions unless somebody says I miss something but certainly I would love to help you see somebody Oh or only with one let me see this is available integration with HP arcsight we can integrate with any sim platform if you don't mind Jose's shifting over to the support downloads page and showing them the sim connector download the sim connector download allows you to install an RPM on a Linux host that will you basically plug your API ID and key into it you tell it what format you want the data in the slogs stuff and then give it the IP address of your your server so any expectation of sep or syslog or JSON um the same could take in that net feed via the sim connector on Splunk specifically they've written a direct integration via API so you if this one T is somebody might utilize that but we highly recommend using our sim connector or if you want to break out Python your spleen open create your own Python boost super-special that's definitely possible with splits trunk it's definitely there ace 3 oxide 100% you should be able to do something with the sim connector if you have any problems getting that same connector setup let me know Alejandro happy to help it's really simple it's just our p.m. 
- I get it installed and then adjust us a configuration file okay well no more questions today anybody well this is a really great session we really appreciate everybody taking the time to participate today as I mentioned earlier in the call we will have a terrific oh okay another little reason Alejandro we definitely would love everybody to tune in for the call next month that we're going to have Splunk as a guest actually and we're going to show an integration with the Splunk platform and we're going to have some Splunk sales engineering and a product management people on the call to answer questions so be looking for that invite for next month and we look forward to having you guys was a you want to wrap it up with a goodbye yeah thanks everybody for joining thanks for all the questions like Jason said please join us next month to get a good look at the integration piece between Splunk I saw some fun questions come up so hopefully you join us and thanks once again everybody for joining and have a great rest of your day okay and the recording now I look forward to working with you guys all if you did take a
Info
Channel: SMSAM Systems
Views: 4,445
Rating: 4.6799998 out of 5
Id: 9cpsRXHklBc
Length: 51min 13sec (3073 seconds)
Published: Wed May 31 2017