SOLUTION SPOTLIGHT

Next Generation Endpoint Strategy

Rafal Los, Director, Solutions Research

1
 Introduction
Enterprises continue to suffer from the growing cost of breaches,
many of which originate at the endpoint, despite the compounding
deployment of security tools to these corporate assets. According
to the 2015 Ponemon Cost of Data Breach Study, the average cost
of a data breach is now $3.79 million USD thats a 23 percent
increase since 2013. Adversaries evolve and adapt even as security
tools continue to remain static, causing significant challenges for
defenders. The signature-focused, alert-centric reactive model for
endpoint security tools must evolve beyond currently deployed
capabilities to meet the growing productivity needs of the
enterprise in an increasingly hostile environment.

2
 $3.79 million USD
Average cost of a data breach

3
2015 Ponemon Cost of Data Breach Study
 Identifying the
Challenges
Business Perspective
The topic of corporate endpoint security
is commonplace in the board rooms of
enterprises large and small as the seemingly
never-ending arms race with adversaries
whether they are activist, hacktivist or
corporate or nation-state sponsored yields
breach after breach. Business leaders look
to security executives to define security
strategies that are operationally mature
while continuing to allow the business to
be agile and cost-effective, and to empower
their workforce for maximum utility in
increasingly hostile environments. As more
security executives and professionals push
their endpoint strategies into tighter alignment
with business objectives, the delicate balance
between productivity, cost and security benefit
remain a challenge.
Even more frustrating for business executives
is that as security spending increases, it never
seems to be enough. Executives are continually
frustrated that, no matter how much money
and how many people they invest in security,
they can always be doing more. Adversaries
are always a step ahead and a second faster
meaning breaches continue to make headlines
in spite of the rise in security budgets.
4
Endpoint security programs, which are key
components of a holistic enterprise security
strategy, are struggling to adapt to the rapid
escalation in adversary activity and to protect
the corporate endpoint in a more meaningful
and effective way.
Adversaries are winning
Furthermore, from anecdotal evidence,
business leaders are increasingly pushing back
against the additive security model hesitating
to add more obstacles to end user productivity
while loading down endpoints with yet another
agent. As specialized tools are deployed by
security for prevention, detection, response and
recovery tasks, it is inevitable that endpoints
slow down and system overhead increase. Even
with the additions of new tools, endpoint
systems continue to be compromised because
there is a general lack of holistic integration
between network, endpoint and various
other security tools. Deployed technologies
are inadequate and fail to address continually
changing threats as adversaries evolve tactics
and adapt quickly to static, pattern-based
defenses. An evolution in endpoint security
coupling actionable threat intelligence with
pro-active attack detection is required.
 An Evolution on the Endpoints
In the course of engaging with clients on
security strategy engagements, the Office of
the CISO has discovered that a vast majority
of Fortune 1000 clients do not have adequate
endpoint protection against even moderately
advanced adversaries. Nearly all strategy
roadmaps of these clients include a refresh of
endpoint security tools with a heavy focus on
advanced threats and mitigations.
Overall, enterprises are looking to an evolution
on the endpoints to provide better tools to
decrease the impact of an infiltration or breach,
decrease the dwell time of their attackers and
improve response and remediation capabilities.
Security Perspective
The rise in high profile breaches come as no
surprise to enterprise security professionals.
As adversaries evolve and adapt, defenses have
largely remained static even though more tools
are added on a regular basis, especially to the
endpoint. Security still depends on signatures
and patterns, and continues to focus on
malware, which is responsible for a mere 40
percent of all breaches according to the 2013
Verizon Data Breach Investigations Report
(DBIR).
The evolving adversary continues to be a
problem for signature-based detection tools.
Over the last decade these tools have attempted
to keep pace with adversaries by writing more
signatures faster, and broadening detection
capabilities. This approach has created multiple
problems. First, an adversary can adapt and
evolve their attack patterns faster than tools
providers can update signatures. Second,
alerts from even a well-tuned detection
platform can quickly overwhelm a security
teams ability to respond effectively. Finally,
many security tools still focus on network-
based defenses while corporate assets become
ever more mobile.
5
Detection Methods
Static indicators as a detection method
of malicious activity continue to deliver
diminishing results as complex adversaries
move beyond malware. To repeat, according
to the 2013 Verizon DBIR, only 40 percent
of successful breaches were the result
of malware. Adversaries are moving from
dropping packaged malware as the primary
method of attack to directly attacking browsers
and operating systems using tools built into
the operating system. These tools can include
PowerShell or in-memory attacks which fully
execute without ever writing to disk, thus
traditional detection tools fail silently.
Network detection tools offer scale, but lack the
ability to protect the corporate assets as they
become increasingly mobile. Relying solely
on network-based defenses quickly proves
problematic because many modern malware
simply wait for the endpoint to leave the safety
of the corporate perimeter before performing
their tasks.
The inability to quickly and effectively
share critical security information puts
the enterprise security team at a severe
disadvantage. A restrictively myopic view
makes defending against previously unknown
threats extremely inefficient. To compound
the situation, hiring and retaining top-level
threat analysts continues to pose a challenge
for even some of the largest enterprises. The
result is a narrow perspective, inefficient use
of available tools, and a continued struggle
to defend against adversaries that adapt and
overcome enterprise defenses.
Only 40%
of endpoint
breaches are from
Malware
- 2013 Verizon Data Breach
Investigationd Report
 Solution Analysis
Strategy of alerts a security organization ultimately
faces and shifts the focus from detecting and
remediating known threats to hunting and
As part of a holistic, defense-in-depth strategy, finding previously unknown threats. In this
the endpoint is a logical defensive control point manner security teams can be more effective,
for organizations that have maturing network focusing their workload on the truly significant
controls and still struggle with intrusions. security threats to the organization.
Minimizing dependence on reactive, alert-based
detection where the security organization
is notified post-facto of a security event is a
necessary evolutionary step. But this evolution
Prerequisites
to a more mature model of pro-active detection
of malicious activity known as hunting for In order to make this evolutionary journey,
indicative behaviors, is out-of-reach for many enterprise security teams must meet three
due to the shift in talent, processes, data and basic criteria. The IT organization must have
tools required. As security teams further the ability to manage endpoints effectively
mature and build out their defense-in-depth while the security organization must possess
capabilities, they are creating three-fold the operational capability to triage events
endpoint strategies. and perform appropriate incident response
actions.
First, there is a strong desire to incorporate
threat intelligence purposefully into the
Manage Endpoints
endpoint security mechanism to continually
understand and detect the latest known
threats. Second is the evolution of signatures
beyond post-facto indicators of compromise
(IOCs) to a pro-active indicator model which
seek to detect and stop unknown attacks earlier
in the attack lifecycle. Finally there is a gradual
move to push strategic functions, such as the
ability to hunt, out to a center of excellence
(CoE) approach. In many cases this translates
to outsourcing this capability to a third party or
centralized Security Operations Center (SOC). Incident Triage
Response Events
Operationally this decreases the volume

6
 As a prerequisite, the IT organization must teams. Supplantive technologies are generally
have a well-operationalized endpoint preferred with minimal impact to the
management capability to identify, deploy endpoints resources and productivity high on
and manage software components of the the requirements list.
endpoint. The security organization, while not
R
 emote supportability Endpoint security
directly responsible for these tasks, relies upon
tools must be as operational outside the
the ability to utilize this capability through an
network as they are inside. Tools which
automated, on-demand platform to provide
only function fully when inside a defined
context to security events for prioritization.
corporate perimeter risk leaving the endpoint
This collaboration highlights the necessary
exposed, as many endpoint devices are mobile
interdependency between enterprise security
and operate in increasingly diverse and
and enterprise IT, and emphasizes solid
hostile environments.
fundamentals as a baseline requirement for
any advanced capabilities. C
 omprehensive coverage The
expectation that all corporate endpoints
Additionally, enterprise security must have
will be homogenous is unrealistic in todays
or must be developing the operational
enterprise as Windows, Mac OS, Android,
capabilities including processes and human
iOS and others jockey for share of corporate
resources as necessary to triage the events.
endpoints. Endpoint tools should provide
Endpoint security monitoring will then
coverage of an enterprises full environment
identify and perform requisite actions. Without
from a single, centralized tool.
the ability to triage and properly respond, even
advanced endpoint tools are relegated to best-
guess based on a combination of signatures
and statistical models which dont take into Tactical
account an enterprises unique operational and
An endpoint security solution requires
resource constraints.
operational and tactical support to be
effective, including the following:
Operational Guidance C
 ontextual analysis Endpoint tools
which rely only on hashes and patterns
Strategic fall victim to the malware arms race that is
created as adversaries easily mutate their
Endpoint security must be considerate of
payloads to bypass detection. Endpoint
corporate endpoint operating parameters,
security tools today must use a combination
meaning strategy must take into account
of pattern detection and anomaly analysis
the way that endpoints are used to enable
while incorporating threat intelligence
and support the business.
where practical. Furthermore, tools that
M
 inimal impact during deployment, have the capabilities to leverage multiple
operation and maintenance Endpoint endpoint environments through anonymized
security must limit the impact on the information sharing or cloud services have an
productivity of the endpoint. Reboots, advantage over local only approaches.
resource utilization and compatibility
S
 ecurity Operations Center To effectively
concerns must be tested and vetted before
manage security of the enterprise holistically,
standardizing on a tool. Most endpoints are
a security operations center must be set
already overloaded with security agents (from
up to provide a clearing house for inbound
disk encryption to anti-virus and e-discovery
intelligence, tooling, analysis and response
for starters) so adding an additional agent will
for escalated security events. Endpoint
generally receive push-back from operations
security must have effective integration

7
 into this core security operations function,
being able to both consume external and
internal intelligence and collaborate on event
prevention, detection, response and recovery.
Additionally, the advanced capability to move
beyond signatures and to hunt becomes a
crucial function of the SOC.
R
 esponse and remediation support
Enterprise endpoints should be expected
to experience attack on a regular basis. The
endpoint security suite must lend itself to
integration with response and remediation
support to continuously and quickly identify
and shut down incidents before they
become catastrophic a concept known
as continuous response. It is beneficial if
endpoint security tools can perform remote
data collection and remediation procedures
to minimize the amount of high-touch
interactions a security incident response
organization has with the endpoints. This
minimizes negative impact to productivity
and potentially the impact to cost of incident
response as well.
The endpoint security suite
must lend itself to integration
with response and remediation
support to continuously and
quickly identify and shut down
incidents before they become
catastrophic a concept known
as continuous response.
8
Capabilities *
D
 ecreased impact of infiltration With
the addition of external threat intelligence
and decreased reliance on signature-based
detection, it becomes possible to detect
threats earlier in the attack lifecycle. The goal
is to identify and stop attacks in progress
where possible and thereby reduce the
impact a successful infiltration may have on
the organization.
D
 ecreased dwell time of adversaries As the
security organization develops the capability
to detect malicious activity faster, it decreases
the amount of time that an adversary will
have to move around within the victims
networks after a successful infiltration. This
diminishes effectiveness of the adversary in
achieving their objectives.
I mproved response and remediation
capabilities A key result of improved
visibility and comprehensive profiling of an
adversary is being able to tell the difference
between an opportunistic malware infection
(generic) and a determined adversary
(persistent). Knowing the threat type leads
to better prioritization, more purposeful
response, and more complete remediation.
Furthermore, endpoint tools should play a
pivotal role in incident response procedures,
often being at the focus point of the incident.
Mature endpoint tools should provide
operational visibility through data and
telemetry and response capabilities through
containment, remediation and remote-
response.
*For clarity, it is necessary to note here that
what is being discussed is an evolutionary
step beyond what is commonly referred to as
traditional anti-virus endpoint tools.
 Measure and Improve
As with any undertaking, it is extremely
important to set goals and measure relative
distance to these goals. Endpoint security may
directly impact end user productivity and thus
must be carefully controlled and measured
for that business impact. Measuring impact
of a program item, such as endpoint security,
to pre-defined and business aligned goals and
objectives provides concrete evidence of such a
program.
When thinking about endpoint security, one
must consider Key Performance Indicators
(KPIs) such as workload optimization,
productivity gains, incident reduction and
proactive detection.
It is important to establish a set of goals before
embarking on an endpoint security program
or project. What are the key things that the
program should accomplish? What is the state
of those things now and can it be measured?
How much of a difference is an investment
in endpoint security tools expected to make?
These are all questions that should have
formulas for answering them as the program
progresses.
Possible Key Performance Indicators (KPIs)
include
T
 ime-to-detection A quantitative way to
demonstrate the value of a next-generation
endpoint strategy is to compare it against
existing tools in similar situations for the
detection of threats. Traditional pattern-based
solutions will have a significantly longer
time to detection, especially on previously
unknown threats versus next-generation
solutions that rely on a much richer set of
indicators.
T
 ime-to-remediation One of the key value
drivers of a next-generation endpoint solution
is the additional capabilities that serve to
decrease the time it takes to remediate a
potential issue. The ability to compare existing
remediation times using current endpoint
tools against a next-generation solution
9
can quickly help demonstrate value by
showing the positive impact of the solution
on lost productivity and cumulative times to
remediation.
M
 alware-to-incident ratio Measuring for
the deceased impact of an infiltration, this KPI
measures the number of malware catches
against the number of incident response
actions generated for those catches. We look
for a drop in the number of incidents even as
malware rates continue to rise, reaffirming
that a successful malware infiltration onto an
endpoint or system does not guarantee victory
for the adversary or a requirement for an
incident responder.
A
 ttacker dwell time This KPI measures the
time from when a piece of malware or attacker
is identified as first infiltrating a system to
when that attacker or piece of malware is
successfully removed from the endpoint.
What we are looking for is a systemic decrease
in how long an attacker has free reign on our
endpoints before they are caught and ejected.
I ncident close rate One of the most
important KPIs that endpoint tools support
is the rapid remediation and closure rate of
incidents. With better tools, responders can
more quickly get inside the attackers kill
chain and stop the attack. One good way of
identifying improvement is the number of
incidents a responder can close in a shift.
Measuring and Improving
Time-to-detection
Incident close rate
Time-to-remediation
Attacker dwell time
Malware-to-
incident ratio
 Case Study in
Next Gen Endpoint
Organizational Profile
The organization featured in this case study
is a global financial services provider with
a diversity in assets, products and global
presence. In order to adapt to a growing threat
climate, the organization sought to provide
additional layers of security beyond traditional
security tools such as endpoint anti-virus.
The move to a next-generation endpoint
was seen as strategic and necessary to detect
sophisticated adversaries inside the perimeter
to globally reduce risk to the enterprise.
The globally diverse corporate endpoint
infrastructure necessitated a solution that can
enable the security team to identify previously
unknown threats faster before the adversary
can achieve their objectives.
Challenges
Business Perspective
Businesses have developed mathematical
10
and risk-based models for dealing with
attackers. Even though malware continues
to be a problem for the enterprise, it is the
adversary that is proving truly worrisome.
The determined attackers that take the time
to understand the enterprise often better
than it understands itself and custom-craft
attacks that bypass existing signature-based
threats force the system to fail silently. In
these scenarios, attacks are missed and the
enterprise often finds out about a high-profile
breach and exfiltration of critical assets from a
third party or worse, the media.
At the same time, business leadership is
pushing hard to keep the enterprise safe
from both known and unknown threats.
Threats that are currently unknown such as
nation-state adversaries, organized crime or
industrial espionage are both well-funded and
persistent and adapt their attacks to the target.
Business leadership needs accountability, cost-
containment and certainty in the tools the
security organization is utilizing.
 Technology Perspective
As adversaries evolve, traditional endpoint
security approaches are simply not keeping
pace. Making the assumption that determined
adversaries will eventually gain access into the
network, it becomes important to understand
their methods, movements and actions to
effectively determine a course of action.
Existing tools were inadequate for this task, so
an alternative was sought.
At the core of the problem was the inability to
detect lateral movement from compromised
endpoints. As a result, adversary dwell time
was unknown but assumed high and
the enterprise security teams visibility was
extremely limited. When a compromised
endpoint was discovered, there were no
immediately available tools to aide in
determining what actions that compromised
endpoint may have taken, where an attack
originated (if not at that endpoint), and the
scope of the resultant breach. Furthermore,
adversaries that did not utilize malware for the
attack were not being detected at all.
Solution Approach
Solution Chosen
To alleviate the enterprise security teams
challenges, CrowdStrike Falcon Host was
chosen. Selected for its ability to detect
unknown unknowns as well as pattern-defined
threats, Falcon was utilized on both servers
and workstation endpoint systems. Falcon
was selected for its unified visibility on both
workstation and server endpoints, and because
it directly incorporated CrowdStrikes extensive
threat intelligence knowledgebase into the
product.
Desired Capabilities
There were five key factors in the selection of
CrowdStrike Falcon Host.
1. Unified server and workstation visibility
from a single agent and management
console
11
2. Forensic insight (hunting capabilities)
3. Ease of deployment throughout the
environment
4. Superior user interface of the management
console
5. Lightweight nature of the endpoint agent
The capability to deploy a single, unified
agent across servers and workstations
decreases the amount of work an operations
team would need to do to package the tool
for deployment thus making this feature
incredibly underrated and critical to successful
deployment. Because the agent is lightweight,
deployment was refreshingly low-stress across
a diverse environment, primarily based on
Linux and Windows endpoints and does not
consume memory, CPU or disk resources
to cause end user productivity issues. In
large environments where endpoints are in
what feels like a continuous update cycle,
the lightweight nature of the Falcon agent
definitely aided its deployment success.
Security tools, not unlike most other IT tools,
can succeed or fail based on the management
console or dashboard. Management consoles
that are designed with product use cases
in mind streamline workflow and optimize
use of precious human resources. When
investigating a potentially critical security
issue within the environment, a clean, simple,
well-designed user interface can mean the
difference between stopping an adversary and
spending an afternoon trying to find the right
information to make the decision.
Additionally, the advanced ability to hunt
or query system parameters and data in near
real-time becomes pivotal when looking
beyond pattern detection. As adversaries
evolve it will continue to be more and more
critical that enterprise security organizations
move beyond pattern-based threat recognition
and malware signatures. Malware-free
intrusions which use custom-crafted attack
vectors are likely to continue to increase,
thereby making tools that aid the human
analyst in detecting system-based anomalies
that are indicators of compromise that much
more indispensable.
 Solution Components
CrowdStrike Falcon Host for servers and
workstations
Operationalizing
The most critical task for any piece of security
component deployed in an enterprise setting
is the operationalization of that component.
Taking a tool and integrating it into the
workflow and culture of an organization
cannot be overstated. That being the case,
the CrowdStrike solution has truly become a
partner with this organizations security team.
Executive management allocated
approximately one quarter for full rollout and
operational efficiency, and the CrowdStrike
team was able to achieve deployment and
operational stability within an amazing two
days.
The team deployed to 75,000 desktop
endpoints and 10,000 servers with minimal
operational overhead, no downtime and no
issues.
This tremendous success has led the CIO
of the organization to hold this specific
deployment as a gold standard for all future
deployments of security tools.
The full integration of the Falcon Host Next-
Generation Endpoint required deployment
into the standard images the organization was
deploying to ensure it was installed by default.
This was achieved quickly at both the desktop
and server level as success with the desktop
team was recognized and adopted quickly by
the server organization. Additionally, training,
playbook creation (operational guides)
and hunt queries were rapidly developed
and deployed through the support of the
CrowdStrike team to ensure rapid uptake.
As part of the operational strategy of the
Falcon Host NGE, the organization brought
on board new headcount to begin to leverage
the newly deployed capabilities. The new
capabilities to hunt required specialized
skills and thus a team of five new analysts
were brought on board to fulfill that
12
function. The simplicity and ease-of-use of
the management console facilitated rapid
adoption from training to finding over 200
new and previously undiscovered issues in
the environment.
Where CrowdStrike really stands apart
from the competition as a partner is in the
integration into the security operations
function.
The security team truly partnered with
CrowdStrikes Security Operations Center
(CSOC) who in addition to hunting for
unknown threats also provides direct
additional operational feedback and support
on next steps for issues encountered.
This direct relationship with CrowdStrikes
talented and knowledgeable CSOC team
provides guidance, leadership and directly
actionable information unavailable from
other next-generation endpoint providers
due to their wealth of threat intelligence
capabilities.
Strategic Benefits of
CrowdStrike Falcon Host
Addressing complex security challenges
often requires complicated implementations,
extensive deployment cycles, training and
process building. Utilizing CrowdStrike Falcon
Host, the organization in this case study was
able to not only deploy rapidly with minimal
impact, but was also able to quickly realize
value from the solution by detecting attacks
that other tools were missing. The value that
is derived from a new security tool which
requires minimal organizational friction to
operationalize should not be overlooked.
From a strategic perspective, the benefits
of the CrowdStrike Falcon Host solution
include the ability to identify sophisticated
and complex adversaries which traditional
security tools miss. Adversaries who take
the time to understand and design attacks
against your environment wont be caught
with the tools deployed today. They require an
advanced toolkit which can not only identify
previously known patterns but also assist with
 the discovery and assessment of previously to protect key enterprise endpoint assets to
unknown attacks. This ability to detect and the point where these network-based threat
identify the unknown unknowns adds value mitigation tools are unnecessary.
to organizations that have already optimized
signal-to-noise in their reporting dashboards
and require the capability to detect and respond
to complex attacks. For this organization, the
CrowdStrike Falcon Host tool is a key partner The security team believes
in their long-term strategic security program
and their continued development of advanced the Falcon Host solution
detection and response capabilities.
is sufficient to protect
key enterprise endpoint
Results and Measured assets to the point where
Improvement these network-based
threat mitigation tools are
The degree of success of any security program
or initiative can be measured as the ratio unnecessary.
of security benefit against the additional
business interference created. By this measure
the CrowdStrike deployment has been a
true success. With a two-day deployment
cycle across 75,000 workstations and 10,000
servers, including training and initial use case
creation while generating no negative end
user or operational impact, measured against This portion of the spotlight is a vendor-sponsored
the discovery of over 200 new security issues case study. Content and views set forth in this
previously undetected by other security tools, portion of the spotlight are those of the vendor
and/or the vendors customer. Optiv does not
the Falcon Host NGE achieved rapid value with
endorse, support, represent or guarantee the
minimal to no interference. These results speak
completeness, truthfulness, accuracy or reliability
for themselves. of any content or views in this portion of the
spotlight, and Optiv disclaims responsibility, and
As the security team continues to use the will not be liable for, such content and views. Optiv
toolset, they measure the amount of new does not endorse any specific software, hardware,
attacks and adversary actions that are caught services or solutions.
through the Falcon Host NGE. This net-new
discovery metric clearly shows the value that
this solution brings to the organization.

One tremendous advantage to the CrowdStrike

solution has become the potential for cost-
savings by removal of redundant tools. As the
value of the next-generation endpoint solution
becomes fully realized, it is possible that the
dependence on network-based threat detection,
sandboxing and mitigation tools can be
reduced to the point where many of these tools
can simply be discontinued. The security team
believes the Falcon Host solution is sufficient

13
 Lessons Learned
While there is no end in sight to the arms race between attackers and
defenders, the tools at the disposal of enterprise security professionals are
dramatically improving.

I n the defenders toolbox, the Next-Generation Endpoint (NGE) category

of tools is proving that an evolution in the way that endpoint security is

handled is both necessary and available.

T
 he next-generation of endpoint tools are supporting the operational goals

of decreasing both dwell time of adversaries, and the impact of their actions
while adding to the response and remediation capabilities directly.

T
 he direct support of incident response capabilities helps scale the most

precious resource humans.

For more information about next generation endpoint strategy, please contact Optiv
Solutions Research and Development SolutionsResearch@optiv.com

14
15
 1125 17th Street, Suite 1700
Denver, CO 80202
800.574.0896
www.optiv.com

Optiv is the largest holistic pure-play cyber security

solutions provider in North America. The companys di-
verse and talented employees are committed to helping
businesses, governments and educational institutions
plan, build and run successful security programs
through the right combination of products, services
and solutions related to security program strategy,
enterprise risk and consulting, threat and vulnerability
management, enterprise incident management, securi-
ty architecture and implementation, training, identity
and access management, and managed security.
Created in 2015 as a result of the Accuvant and FishNet
Security merger, Optiv is a Blackstone (NYSE: BX) port-
folio company that has served more than 12,000 clients
of various sizes across multiple industries, offers an
extensive geographic footprint, and has premium part-
nerships with more than 300 of the leading security
product manufacturers. For more information, please
visit www.optiv.com.
2015 Optiv Security Inc. All Rights Reserved.
7.15 | F1

16