Hello everybody. My name is Rob Solomon, Solution Architect at CrowdStrike with the AWS Alliance team. Before CrowdStrike, I was a Solution Architect at AWS helping customers meet their business goals in the cloud. And something I found is that many customers, even a year or two after they migrated or started building workloads in the cloud, were still trying to solidify their security and operational strategy. So this is a real issue.
So today we're going to talk about the cloud threat landscape, cloud security challenges and risks. And we're going to talk about cloud security solutions, how CrowdStrike simplifies cloud security by consolidating under a single platform and automating deployment in the cloud through AWS service integrations that we're going to talk about. And then I'm going to invite Karin from Roper to talk about Roper's experience with CrowdStrike, and then we'll talk about some next steps.
So just a level set on what is driving all this - why are people taking on the challenges of migrating to the cloud? First and foremost, the cloud relieves operation teams and businesses of having to deal with hardware. Everything - infrastructure, applications, everything is done through code and can be automated. And that automation drives agility. It enables companies to move quicker to deploy infrastructure in minutes instead of weeks or months. And it allows companies to experiment, to innovate, to release new products and features without having to make a huge upfront investment.
For example, for a company I worked at before AWS, we primarily worked on-prem and we had a SaaS offering. And we wanted to release our offering in a country in Europe. And we realized that it would take us north of half a million dollars just to build out a data center to start, without even knowing if it would be successful. So being able to move quickly, being able to launch infrastructure, being able to scale in response to customer demand, and then to scale back down - these are all major drivers. And that leads to cost effectiveness. So these are the drivers, I'm sure you all know.
And the reason I start with this is because any solution, any software you adopt in the cloud, it's really a different model. There are different opportunities and it's important to design solutions that accelerate those goals in the cloud and don't slow you down.
So I like to include this slide because this really represents the journey that every customer takes. Some customers may start cloud native, many customers may already be on-prem, they start a few experimental projects to see if it's right for them, to see how their workloads will perform in the cloud. If they find it works, then the next step is ideally to build a foundation that will simplify managing multiple accounts at large scale, because you never know how big things are going to grow. Like ideally, your workloads are gonna grow a lot and you need to be prepared for that from the outset.
And then once that foundation's in place, migrating workloads or, again, building cloud native on the cloud. In practice, most companies are at multiple stages simultaneously - a company can acquire a subsidiary, and that subsidiary may be more or less mature and advanced. And so the security solution, which is what we're here to talk about today, needs to be able to support all of those phases simultaneously. And we'll talk more about that.
So then this next slide is designed for cloud, but it's really true for on-prem and cloud in many regards. One of the reasons companies move to the cloud is to enable innovation, enable experimentation. They want to enable developers and operators to experiment with new services and to be able to deploy them themselves. And that can lead to a lack of visibility. So that is one of the first challenges - are assets, EC2 instances or whatever, being deployed with the right security standards? Are there security standards? Are there unpatched instances out there? Those unpatched instances are as much of a threat in the cloud as they are in on-prem environments.
Cloud complexity - cloud is not one thing. There are managed services, there are infrastructure services, storage and databases, and all of those different services may have different requirements, different best practices to secure them. And new services are being launched all the time, and really no one person knows all of the best practices. So it's kind of an ongoing learning experience. Operational friction - what is the operating model for the cloud? Are you deploying automatically or are you deploying manually? And again, driving those consistent security guardrails across all of your accounts.
Runtime threats - it's as true in the cloud as it is on-prem. EC2 virtual compute instances are probably the biggest spend line item for most companies. All of those are running operating systems with packages that need to be patched. If those instances are internet facing, they can be exploited from the internet directly. So keeping on top of those vulnerabilities and patching them is as critical in the cloud as it ever was on-prem.
And finally, skills shortage - many companies are experiencing difficulty hiring security talent. Open reqs can stay open for months. So it's hard to get that traction, and not just security expertise: cloud security expertise is even more rare. So what is a company to do when they can't even find the people to figure out how to secure their workloads in the cloud?
So these are the main challenges that we need to address here. So on top of these self-imposed, let's say, challenges is the fact that the cloud represents mission critical workloads, mission critical data that is a ripe target for threat actors - what we call adversaries.
When we talk about adversaries, we're talking about nation state adversaries who are looking to disrupt governments or operations. They're looking to steal intellectual property, e-crime actors who are looking to monetize, to steal data, to steal credentials, and then sell them. So these adversaries are becoming increasingly sophisticated, they're moving faster and faster, and attacking workloads and then moving laterally very quickly.
So we see from last year a 288% increase in attacks on cloud workloads. So there is an increasing risk that we need to address - 79 minutes is the average breakout time. So breakout time is the time from initial intrusion into an environment to the time it takes to move laterally into the environment. And once the attack moves laterally, it becomes exponentially more difficult to contain. 79 minutes is not a long time. And the fastest breakout time we've observed is seven minutes. So time is of the essence - early this year, that time was 84 minutes. Last year it was 95 minutes. So that time is accelerating.
So when the attack starts, it's important, it's imperative to know that you're under attack, to determine what the attack is and how to counter it. And that has to happen before lateral breakout time.
Now, this 112% I mentioned before - one of the ways that e-crime threat actors monetize their activities is to steal credentials. And we all know, we read in the news about phishing campaigns, social networking - there are many means which adversaries use to steal credentials, and then they sell them on the black market.
So we see a 112% increase year over year of dark web access broker advertisements. What does that exactly mean? So an adversary, adversaries today will target a particular company, particular organization, particular vertical. So they know what they want from the outset and they can locate credentials for that target, for that company, often privileged credentials that enable them to just basically walk in the front door.
So there's a huge challenge for everyone. At the scale at which companies are running their mission critical applications in the cloud, the scale is massive, and the amount of telemetry that each of these systems generates is massive.
So CrowdStrike has approached this problem as a data problem. We use our lightweight sensor that is deployed on operating system workloads to collect system level telemetry - system calls, really everything we can see. We can see package versions, we can see everything that's happening as it's happening. We also collect telemetry through the cloud API control plane. We're able to pull that CloudTrail event data.
We process it all together from all of the endpoints from a given company globally. So we're talking about trillions of events per day. We're able to ingest, store, and process at scale. CrowdStrike was built natively on AWS - one of the reasons we did that was to benefit from the scalability of AWS, even as we were a startup. We were able to expand quickly. But now that scale, that scalability on AWS drives our ability to use our behavioral analytic models, our machine learning models at scale.
As that telemetry enters our system, which is located on AWS, we store that data in graph databases that expose the relationships between different assets, between different attack procedures and tactics. And then we're able to apply, as I said, we're able to apply our statistical analytic models and our machine learning models. And that is the raw material that our expert threat hunters are able to use to find the next zero day attacks.
In fact, our sensor also uses those machine learning models to decide if something that's happening at the moment is an attack. And when we positively identify, we're able to stop it in place. And this enables us to protect over a billion containers every day.
We track 200 adversaries now. Why is that adversary tracking important? As I said, the adversaries have specific goals. They have specific tools, tactics and procedures that they use. So we're able to anticipate what their next move is going to be and we're able to counter it proactively. We're able to advise customers on how they can protect against those specific attack chains. And we publish over 200,000 indicators of compromise every day - that's new malware, malicious sites, malicious domains, and different attack related behaviors.
The Falcon platform is an integrated platform and it's all built on that source of data that I just described. So we focus on the data first and the data shows us the patterns of the adversaries, they show us the patterns of attack. All of our products, all of our modules are built on top of that. And customers are able to enable those modules based upon their specific use cases - whether it's protecting endpoints on-prem, protecting cloud workloads, IoT, identity-based attacks, attack surface. All of those things start with that data, that core of data.
We have a full range of managed services, or fully managed extended detection and response, if you decide. We have managed threat hunting. All of that relies on that same source of data. Our latest introduction is Charlotte AI, built on AWS Bedrock, to accelerate time to value when you use the Falcon platform. So that simplifies the ability to use more advanced capabilities like generating workflows, writing executive level reports, and hunting for specific behaviors or patterns inside your environment.
So this is the integrated Falcon platform. So focusing in on today's topic, Falcon Cloud Security - the Falcon Cloud Security suite is focused on solving very specific problems that we see in our cloud workloads.
So starting with development and supply chain concerns - what are supply chain concerns? We all heard about the SolarWinds attack, and Log4j, where the actual packages that are deployed globally were the target. So people didn't even know that when they patched those services, they were allowing the adversary into their environment that way.
So finding the vulnerabilities before they're released into production - scanning container images, scanning infrastructure as code - is the pre-runtime protection component of Falcon Cloud Security.
Runtime security events - so I mentioned before, vulnerabilities, direct attacks on internet facing web applications. That accounts for about 20% of attacks on cloud workloads. So if you have a web application that's internet facing and you're not managing the vulnerabilities on that, that is a potential target of attack.
So providing that runtime security, being able to deploy the Falcon sensor at scale in response to events like automatically deploying a new EC2 instance from an auto scaling group or automatically deploying in a containerized environment - we'll talk about that in a minute. These are critical to be able to cover your entire environment with runtime protection.
And then finally, and that's sort of the inside-out view. The outside view, the agentless API security is also important. And that combination of protection is critical to have that full range of visibility into your workloads.
So the agentless component really unlocks a lot of really important capabilities. So on AWS, sometimes people say that identity is the new attack surface. So every service in AWS is associated with a set of rules and policies that enable what it's able to do. And in order to protect against using those privileges in a malicious way, it's important as ever to observe the principle of least privilege and make sure that those roles are only using the policies that are absolutely required.
So part of our agentless security is cloud infrastructure entitlement management that surfaces whether particular roles and policies are administrative privileged or scoped down to what is required. So everything really to provide that visibility into your environment, we scan services for misconfiguration. So any service that might be allowing too much traffic...
Karin: Hi, I'm Karin. I am the VP of Cybersecurity for Roper Technologies. Roper operates leading businesses that make software and technology solutions in niche markets. We currently manage 28 companies and counting - we're constantly doing acquisition activities.
What's unique about our businesses is that we're doing different things across the board. Each of our companies is doing slightly different software solutions. The markets they operate in are vastly different from one another. So it's definitely an interesting solution to manage across the board.
Rob: What do you do at Roper?
Karin: I'm the VP of Cybersecurity, but I also manage the cloud relationships and IT as well. So I often joke, if it can be turned on or off, I'm probably managing it. It's keeping me pretty busy!
Rob: So we've seen a number of very high profile attacks in the news recently, some ransomware attacks and so on. And I wonder how your awareness of that environment has driven some of your strategic decisions at Roper.
Karin: Well, definitely, we're keeping in touch with what's happening out there as it relates to our businesses. So for the 28 businesses that we have, we are keeping track of what's happening in the industry. Of course, ransomware has been a huge topic of conversation for a few years now. So what's interesting about Roper, and overseeing cybersecurity there, is that we are managing 28 unique businesses that have their own management teams, their own technology stack.
So when we're talking about solving for cybersecurity, we're solving it 28 different times, in a slightly different approach for each business, because they're so different from one another; they have different needs. So as we prepared to protect against ransomware, this was about four years ago, we really invested significantly in protecting ourselves, because we could see from the news on everyone else's attacks that this could be quite destructive to Roper.
Rob: So you just hinted at this. You have 28 different businesses. Your strategy is largely that they run independently; they manage their own infrastructure, but not security. Can you talk about that transition, how difficult it was to actually change that policy, how the reception has been across those companies, and the outcomes?
Karin: Yeah, of course. I've been with Roper for almost 17 years. We started security from a compliance perspective. So I used to oversee our IT and security compliance department. And about six years ago, we really focused on cybersecurity as a standalone department, because we needed something more than compliance. I mean, there's nothing wrong with compliance, but that's the founding stone of a cybersecurity program, right?
So if you're compliant with something, great, but it probably doesn't mean you're secure either. So what we did six years ago is we really started to manage cybersecurity globally at Roper and really pushed requirements to the businesses to follow. But what's also interesting about all of our teams is that we have very lean teams. As I'm sure all of your companies are also dealing with, no one here is probably saying, hey, I have too many resources, right?
So in the grand scheme of things, what was really challenging as we were approaching security at Roper, with ransomware in the mix of all of that, is how do we achieve excellent security with the limited resources on our hands. So we took the approach of going from the top down. We strongly believe that support from management is critical to getting all of the businesses in the right direction.
So it started with the board, our executive team, and we basically marched on from there.
Rob: So you had that air cover, that board support. I'm sure that made a very big difference.
Karin: Support at the top is very critical, in my opinion.
Rob: So you've now been a CrowdStrike customer for several years? I think you've gone through a few renewal cycles. What's working for you? Why do you stay with CrowdStrike?
Karin: Rob, do you mind if I backtrack a little bit and actually introduce how we started with CrowdStrike? Because I think it's a really cool story, and I don't want to come up here and pretend that nothing's ever happened to us. I think all of us have had cybersecurity incidents, one way or another.
So it goes back four years. And we started from an incident response partnership perspective. So we looked at services. I wanted nothing to do with the product at the time, for no specific reason. We didn't do anything centralized at Roper, right? So different tech stacks, different management teams that are deciding what they're going to do with their cybersecurity strategy.
So we weren't going to push a single solution across all of Roper; that was never something we were going to do. Well, fast forward about three months and we had an unfortunate cyber event. We were fortunate in the sense that we weren't drastically impacted, but it really shed some light as to what might have been. And we went to the board and talked about the strategy moving forward, as in: we are a decentralized company, we are diversified, but there's some level of investment that we need to make across the board to make sure that we're protected and we have the visibility.
So within 30 days, we deployed, at the time, to 66 different organizations. Now think about all the antivirus and EDR solutions you can think of; we probably had it, so we had to replace it. We had to push to the cloud. We had so many different environments that we needed to deploy to.
So we did renew last December, for another three years. But that's really, I think, an interesting way to start the relationship, and I think it happens to a lot of your customers as well, where, hey, this is a huge investment, right? But sometimes you just don't want to waste a good event, and really march forward with doing the right thing. So I just wanted to add that context as to how we started.
Rob: So you did renew; it was four years ago. Why does it continue to work for your company?
Karin: Well, first of all, it's doing what it should. So I don't think we would be renewing if it wasn't. The protection that it says it will bring is absolutely there. The relationship has been tremendous. Of course, over the last four years I've observed CrowdStrike absolutely blowing up in size.
But it's always felt like the customer is part of the family, and that to me is a big differentiator as a security leader. I get calls all day long; someone's trying to sell something to me, and they're always the best of the best, whatever it is that they're offering at the time.
So to have that close relationship is also amazing. But really the biggest factor for me, because we sometimes get compared to a private equity firm in the sense that we acquire companies and manage them (but we do keep them for the long term), is that we don't have visibility at the top. All these teams are kind of doing their own thing.
And this is my way to understand the full security risk across multiple companies, understand what vulnerabilities we have in real time, and be able to address them from a risk perspective at the top. That is something I never had before this solution.
And this is true of cloud, right? We talked earlier about CSPM and runtime protection. Security historically was always kind of separate from the dev side of the house. We pop up with new accounts all the time. So I'm really excited about getting this tied into Control Tower. But the area of risk, in my opinion, is that if it's not protected by CrowdStrike, or you don't know that you have it, that's exposure.
And people create new accounts all the time. So I'm really excited about that future.
Rob: My next question was going to be about specific cloud risks, and it sounds like that's visibility. I did not mention that our agentless protection includes resource discovery, so that as customers deploy new resources in the cloud, that is also something we have an awareness of. So that's great. Are there any other cloud challenges that you've come across, or has visibility been the main one?
Karin: Also, our businesses, again in the software industry, are increasingly moving to the cloud. Some are already cloud native. But in the end, that transition from on-prem to cloud is different, unless you're lifting and shifting to the cloud. What this has added is the ability to protect what we had historically on-prem, now in the cloud, with the same visibility.
Being able to correlate between all of your assets, whether it's servers, EC2s, whatever workloads you have out there, and really understanding what's going on with your containers, in one pane of glass. I don't know about you guys, but there are so many consoles that we're constantly logging into. That's been fantastic for me, just being able to go to one place and see all my security concerns, all my misconfigurations, in one place.
And the teams are doing the best that they can, thinking about security first, but in trying to push out product capabilities, there's always the chance that something will be left out.
Rob: So this again is great visibility. We're seeing on average customers consolidating from like six separate dashboards to one when they move to CrowdStrike.
And I think with that consolidation challenge, CISOs and IT leaders are seeing that it's not just the cost of the software, but the total cost of ownership and that level of effort: the administrative effort of keeping it up to date and correlating all of the data from all of those different siloed tools. I think people have gotten savvy to that problem.
Karin: I think the speed of reaction as well. I touched on the fact that we have lean teams; we don't have in-house 24/7 SOCs that are capable of answering to these emergencies. And to us it's really a reallocation of resources. Let CrowdStrike do what they do best so that we can use our resources on something that is far more important to us.
So let them do the level 1, 2, 3 triage, and then step in to really look more at the root cause of why this is happening. As part of that attack, we talked about the 79 minutes, but there are different stages of an attack between entry point and exfiltration. There's a lot that goes on.
So I think the focus for us, instead of chasing alerts and logs, is on how we can get better at stopping the attack earlier and addressing the root cause. That's a far better investment of our time.
Rob: Do you have any stories or anecdotes about how you or any of your companies worked with CrowdStrike, or how we have helped protect against and respond to any particular attacks?
Karin: Yes. So I pointed out how we deployed earlier. One thing that I didn't mention as part of that deployment is that, again, we had solutions across the board; of course, we were protected in some way. But as we deployed to 66 different organizations, we found in-flight attacks that the other solutions had not identified, which was quite scary, because we were still investing quite a lot into these other solutions.
So it was really eye opening for sure. And to this day it's served us well. We do stop things all the time.
Rob: Yeah, that's a story that we hear sometimes. Thank you.
Karin: Of course.
Rob: Any other stories you'd like to share?
Karin: No.
Rob: Thank you, Karin.
So we have a couple more slides, just some of the key takeaways from today's discussion.
To keep your dynamic cloud workloads at scale protected, you need to automate the deployment. That can't be something that your teams are manually chasing after.
Practice defense in depth and least privilege. It's never going to be one layer. As you said, there are many stages of an attack; every layer of security that you have is going to slow the attacker down and make it more difficult to move laterally.
Experimentation and innovation are critical to success in the cloud. As companies make the transition into the cloud, I think there's a concern about giving folks free rein over that experimentation, which is important for developing the skills. Creating an isolated sandbox environment is super helpful in helping teams gather those skills.
And there are so many training options for that. Choose the right tools; make sure that you're focused on total cost of ownership. The cost of the software is really just the first consideration; the end result and the level of effort are critical. And use managed services.
When I was talking before about the skills gap, there were a number of people in the audience nodding their heads. It is a huge challenge. Like I said, we have managed services. And I found, when I was an operations leader, that one of the easiest ways to learn those skills is to have a managed service, to have experienced professionals build things and run things, and then the team learns on the job. That process of learning is just much faster and more efficient, I found.
So finally, we have a few next steps. There are lots of ways to learn more about CrowdStrike or to get your hands on it.
I mentioned some stats from our cloud risk report. You can download that. We also have a global threat report and a threat hunting report. You can find those as well.
We have a cloud security challenge that is a joint offer with AWS. So for customers who want to try out Falcon Cloud Security, whether you're a new or existing CrowdStrike customer, we'll give you $1000 of AWS service credits just for us to deploy cloud security posture management and give you a summary report on your level of risk. Super easy, very lightweight. You can sign up right here with the QR code.
And if you want to try out some of the different features and product modules, we have a hands-on lab every Wednesday. You can use this to find the schedule of our labs, which cover pretty much the whole range of our product portfolio, so you can try them out.
We have a few more minutes if... oh, before I say this, because I always forget: don't forget to complete your session survey, please.