Cybersecurity: Amplified And Intensified

Episode 23 - Stopping breaches with Crowdstrike’s Cameron Buriani.

August 02, 2021 Shiva Maharaj/Eric Taylor/Cameron Buriani
Chapters
0:00 Intro
2:05 Crowdstrike Defense in Depth (SeriousSAM & HiveNightmare w/VSS delete all)
3:58 Stopping the breach
5:28 Protected workload types
7:50 Crowdstrike Overwatch & Threat Intelligence
11:41 Kaseya, SolarWinds, Supply Chain & Incident Response
19:37 How did Crowdstrike prevent the Kaseya incident?
21:01 Closing remarks
22:15 Updating agents, threat intelligence & the 1/10/60 framework
24:55 Crowdstrike Incident Response Programs & Falcon Forensics
33:35 Perpetual learning
36:29 Offline protection
40:12 Mobile devices
43:23 Printer vulnerabilities
44:43 Crowdstrike Spotlight, Overwatch and Pen-testers
51:01 Closing remarks

The best way to stop an encryption incident is by stopping the breach.

Cameron Buriani is a cyber security professional who has worked as a Senior Solutions Architect at Crowdstrike for over 3 years now. Over the last two years, he has dedicated his efforts to building out the Crowdstrike MSSP offering from the ground up to the full-blown solution it is today.

In his spare time, he works on his land in Texas raising livestock, growing annual crops, and working the peach orchard with his wife and daughter.
 
Eric Taylor | LinkedIn
Twitter: barricadecyber
www.barricadecyber.com

Shiva Maharaj | LinkedIn
Twitter: kontinuummsp
www.kontinuum.com   


BARRICADE CYBER
Ransomware Remediation Services, Incident Response and Penetration Testing.

KONTINUUM
IT support that's actually supportive.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!


Shiva Maharaj:

This is the cybersecurity amplified and intensified podcast. Today we are joined by Cameron from CrowdStrike.

Cameron Buriani:

Howdy, Cameron Buriani, from CrowdStrike.

Shiva Maharaj:

So I guess the impetus for having you on the show today is last week, we had the SeriousSAM/HiveNightmare debacle. And Eric and I decided we wanted to attempt the mitigation.

Eric Taylor:

We were going through a lot of the Microsoft recommendations of how to mitigate this. There were three or four different ones from BleepingComputer and the hacker hypose and several other ones. But a lot of the ones that were out there were doing the blanket delete of VSS admin, delete everything. And we started thinking about this a little bit. And you know, especially because we are CrowdStrike partners, and we leverage CrowdStrike technology as part of our security stack, just before disclosure, that's when we're having them. We saw that CrowdStrike was actually blocking this. And I was like, this is actually a pretty good idea, because this is a threat model that a lot of ransomware folks use. So me and him started going down the whole rabbit hole. And that's what I was going to communicate with you a little bit, well, I've been through it, because I'm still a partner with defenders with their EDR. And we use some other third party tools or third party vendors out there, we won't name any, because I'm not a vendor, and I'm just not going to throw those guys under the bus. But they were not, including Bitdefender was not, blocking those shadow copy deletions.

Shiva Maharaj:

What's more concerning is that they weren't even notifying. And CrowdStrike was the only one that came to alert, much less disabling.

Cameron Buriani:

Yeah, so we talked a little bit about that. And, you know, before we set the stage, there's vendors for every place in the space. So you know, everybody needs to find a vendor that's appropriate for them. So they all perform a great functionality. What CrowdStrike seeks to do is actually get full visibility into the endpoint. So it's all about seeing every single action that's taken. So when you touch something like the volume shadow copies, a lot of people will come to us and say, Hey, does CrowdStrike do rollbacks? Right? So if there's a lock up like a ransomware event, can we roll it back? Well, the answer is no. Because we want to go on in and proactively stop threats prior to the need for there to even be a rollback, which then manifests itself in the sense of what's called behavioral based prevention, where an adversary or even an internal user will attempt to take a series of potentially benign actions such as touching the shadow copies, but then they actually pivot to a malicious action such as going on in and attempting to delete them. And those behavior based actions is where we want to stop it. So because we're seeing all actions taken on the endpoint, we can proactively intercept at any stage in the kill chain to block and sever actions, thus impeding actors from accomplishing their objectives. So with that volume shadow copy one, obviously, we're starting halfway through the kill chain. But what we really want to do at CrowdStrike is give you holistic protection the entire way through. So this test is an excellent example of how you can even start with, you know, you were already a user, you had rights, you were able to have some form of access to that workload. And then you just tried to invoke the deletion of the shadow copies, which we were able to stop. So it's a concept of defense in depth, as it were, with the behavior based prevention.

Shiva Maharaj:

Now, I have a thought on this. As I'm sure you're well aware, ransomware is the hot topic in our community, and for end customers, for the last six months, maybe a year, give or take. Everyone seems to want to talk about stopping the encryption, whereas CrowdStrike seems to want to have that holistic conversation about stopping the breach, preventing the incident. Is that a fair assessment?

Cameron Buriani:

That's 100% a fair assessment. Because primarily when we do go into these conversations, yes, stop the encryption, right? Well, let's see the roll back. Well, let's talk about actually stopping the breach. You need to start to think about cybersecurity in the sense of a holistic assault. It's not just as if, like, I have access to a machine one day, and then I upload a big bad, you know, ransomware Boogeyman attack. You have to start to think about, well, how do we even get to that point? What CrowdStrike wants to do is actually keep the adversaries out at the perimeter. So when you start to look at the notion of, are you familiar with, and your listeners familiar with, the idea of the MITRE ATT&CK kill chain? For their sake, I hope they are. Okay. So what CrowdStrike wants to do is build in behavior based prevention at every layer, from reconnaissance, initial entry vector, act on objectives, privilege escalation, obfuscation, and then of course, when you go into a monetization event. So yes, what we want to do is stop them before they even get some form of, let's just say, reverse TCP shell session on that endpoint with a Metasploit Meterpreter server so they can even upload it. So stop them at the perimeter, prevent the breach, so we don't even have to get to the encryption phase. So it's shifting the conversation from saying, Well, you know, I don't want them to kill the chickens in the coop, to let's just keep them out of the farm in general. That's the kind of philosophy, as it were.

Shiva Maharaj:

And what kind of workloads is CrowdStrike protecting? Because I'll be quite honest, we had a little conversation pre go live, and you started talking about some of the cloud stuff you guys are doing, if you want to get into that.

Cameron Buriani:

So for listeners, CrowdStrike can protect workloads from Windows, Linux, and Macintosh. So Windows 7 and above, Mac 10.12 and above, and then a variety of Linux flavors, of course. And then with our cloud workloads, we're now protecting Google GCP and Azure based workloads. So you can actually put CrowdStrike in the cloud, which is allowing you to get holistic threat coverage, as well as protection on those cloud based workloads. And what we're doing now is a notion of identities of misconfigurations. And the most important thing with cloud workloads, it's more about making sure that you're bringing your cloud workload stances to a net neutral stance. For example, if you have user access roles which may be a little bit, let's just say, expansive, you want to wind it down, and if you have open ports that are accessible to certain cloud workloads, we want to lock those down. Those are called the identities of misconfigurations. And we'll give you full visibility into them. And then you can go in and lock it down for your customers. So your workloads are hardened, as it were, in the cloud.

Shiva Maharaj:

Are you guys doing anything in terms of Microsoft 365 security, meaning the Azure AD tenant?

Cameron Buriani:

Yeah, so we will get some visibility into Azure AD. We have what's called the identity analyzer, which actually gives you visibility into your users on Azure. But that's something that we're working on building out in a more expansive manner. Right now, what we seek to do is bring to market what's called a minimally viable product methodology, as I'm sure a lot of your listeners are aware of; it's just a product based development philosophy, where we bring a minimally viable product to market and we iterate based on the feedback. So MSSPs like yourself, they come to us and say, Hey, it'd be important if you did something like X. That's where we have weekly and bi-weekly meetings with product, actually bring insights from the market, and then iterate based on that. It's a bit hubristic for us to go and say, the market wants this, right? But if we bring a minimally viable product to market, and then we start to source user feedback, that is more valuable than us just assuming what the market will actually want.

Shiva Maharaj:

Oh, it makes perfect sense. What about Overwatch? I know that threat hunting has become even more prevalent in the MSSP/MSP world. How does Overwatch help, and what exactly do they do, and what's off limits for them?

Cameron Buriani:

Yeah, so Overwatch is basically our managed SOC offering. And Overwatch is actually another excellent example of where we want to stop the breach. Right? So we talked a little bit about deleting the shadow copies, but what Overwatch essentially does is Overwatch is going to be actually threat hunting through all that EDR data. And because we are a visibility tool, first and foremost, in order to stop those breaches, we're taking all that EDR data, and we're feeding it up to our Overwatch, what's called our threat graph. And the threat graph is basically a proprietary graph solution where we're able to see into every action across all your customer portfolio. And whenever we see inconsistencies manifest themselves, what it essentially does is it'll raise it to the Overwatch team. And those are real analysts with, you know, 10-15 years of experience, who dive through that data, sift, and determine if there's a targeted intrusion, a relevant advanced persistent threat actor, or even just an internal adversary operating within there. So it's constant threat hunting, looking for those types of assaults. And this really acts as the final blanket from the zero day threats. I'm sure your listeners are aware of it. Nothing in software is going to provide you protection from a zero day threat by virtue of the fact that it has not been seen. Therefore, we will always need to have some type of human eyes and professionalism on that data in order to kind of sift through the nuggets, and then raise it to situational awareness. So that's going to be the 24/7 coverage. Now that can be done also in our cloud workloads, as well as your standard based workloads like the Windows, Linux and Macs. The most important thing about Overwatch is they're going to do all the triage thing.
So if you're a customer or you're an MSP, Overwatch is going to provide you with a PDF printout of the entire chain of custody leading up to that attack, and they're going to have basic remediation instructions. So if you're getting off the ground with your MSPs, if you're getting off the ground with your standard security offerings, you don't have to be the world's pro or the world's expert in this. Overwatch is going to essentially offload some of that intellectual concern for you and give you general remediation advice towards the end. And again, whomever owns that contact will be responsible for cleaning it up. But this approach has enabled us to have a rather bulletproof effect. And then specifically within the MSSP segment, it's enabled us to keep our clients and our partners holistically secure.

Eric Taylor:

Gotcha. And I mean, just to give CrowdStrike kudos, CrowdStrike is one of the few players in the space that will actually start sharing their IOCs, their threat intel, with other vendors in the space like Sumo Logic and many other ones out there. So the position CrowdStrike is really taking with the threat intel and everything and trying to make everybody stronger is really impressive. I definitely want to give that shout out to CrowdStrike on that, as we had that conversation last week on another podcast about, you know, people like Recorded Future and things like that trying to do what CrowdStrike is doing.

Cameron Buriani:

Yeah, and that's an excellent point. And, you know, for us, it's not about, you know, we obviously want to be the best at endpoint security. But we're under no illusions that we are the only tool, and we want a concept of defense in depth: sharing things with Sumo Logic, sharing things with DLP solutions, network layer levels. We're stronger as a company when the entire cybersecurity industry is thriving as a whole, which is exactly why with that Kaseya and snake Kaseya responded to adequate professionalism, rapid response time, and they dealt with the Kaseya on premise incident in an exceptionally professional manner. And that's something that we wanted to make sure that we put out there, and we were helping them through that process. So again, it's about making sure that the industry as a whole is strong. It's not something that we want to go on in and, you know, abuse individuals when they're down; help them up, bring them up to a better secure state, because when the industry is secure, we're all secure.

Eric Taylor:

Well, let me dive into that, because I didn't know go. So just for full disclosure, me and Shiva have a completely different view on the strategy of Kaseya. And if anybody wants to go that, they can go to our podcast, other podcasts, and listen to that. We're not going to drive CrowdStrike or yourself into what we do against Kaseya. But I did not know CrowdStrike was in the mix of this entire Kaseya incident. Can you shed some light on that?

Cameron Buriani:

Yeah. So let's roll back in the sense of in the mix. What essentially was is, Kaseya had their on premise breaches, which I'm sure people are aware of, the supply chain assault. What CrowdStrike essentially said is, hey, we understand that there's a supply chain assault, we're keeping our customers secure, effective with Kaseya, we are not kicking wallets down. If Kaseya wants any advice, we were open and saying you're more than welcome to speak with us. So it was something that we're willing to do, an intellectual exchange of ideas with that, and then work with CrowdStrike impacted Kaseya customers to ensure that no one was breached. And no one, anyone leveraging CrowdStrike during this Kaseya incident, remained holistically secure. Kaseya continues to approach it with professionalism; they are a partner of ours. So we want to make sure that, you know, all our partners from MSP level to a systems integrator level, that we make sure that we're doing our due diligence and helping them out in times of need. So, um, you know, I don't want to speak to it too extensively on that other than the fact that we're open in order to help, we're there to make sure that there's going to be some form of backup support. And we do share intelligence, you're right about that with the IOCs, it's not as if we get this intelligence and we keep it all proprietary. There are proprietary elements. But there's also elements where we actually release it to the wild and make sure that the general cybersecurity community as a whole will benefit from it.

Eric Taylor:

Very interesting. So did you see, or are you allowed to at least say, that CrowdStrike was able to see any early indicators and was able to stop that and, you know, was able to give any of those IOCs to others, like Huntress and Kaseya? Or did you just not see anything across your entire landscape?

Cameron Buriani:

I'm not sure if we gave any IOCs specifically to them. I can't speak to that definitively. All I know is that we're working with them as a partner, whatever that means. And individuals and MSPs, because specifically I work with the MSP space, and MSPs who were leveraging Kaseya, remain holistically secure. And I got on a couple of calls and walked guys through basics to do, and really there wasn't much more other than, Hey, just make sure CrowdStrike is in prevention-based mode. Make sure you actually apply the patches that they recommended. You know, kind of talk them off the ledge. They said, well, should I switch from Kaseya? Well, no, you shouldn't switch from Kaseya. This is a supply chain vulnerability assault. That's something that, you know, unfortunately, every company is liable to, a supply chain vulnerability assault. That's something that's going to be increasingly more difficult to prevent against. So again, that's why you need to make sure of defense in depth with your security stack. Make sure your vendors, or even your internal tools, just make sure whomever you're going with is taking an open approach. I personally wouldn't partner with any vendor who wants to basically og and og secure. I want to have an open source idea where they're trying to improve the community, because again, it is hubristic to assume that one individual vendor will never be the risk or never be the recipient of a supply chain attack. It just takes one adversary, right? One adversary passes the background check. One adversary is able to get on in the development cycle, one adversary gets through code review, and then guess what? That's a supply chain attack. We saw that with SolarWinds. And, you know, to this day, and you two can correct me, I'm still not sure if they were able to even identify the adversary who put that in there.

Shiva Maharaj:

They gave attribution to the Russian SVR, but they aren't

Cameron Buriani:

the actual adversary who actually put the update in there in the development cycle though. No,

Shiva Maharaj:

they're just saying it was the SVR, but I don't think they really, as you asked, have gotten to who did it, or how it was really done. I think it's more supposition. And I think the SolarWinds incident was a very, and I hate to say this, but a very beautiful type of attack: well thought out, meticulous, patient. And that is what we need to be aware of, and attempt to mitigate in the future. It's a really good lesson of many different, because the SolarWinds hack was many different incidents and breaches and vulnerabilities all rolled into one in this perfect symphony, without going too deep into giving them kudos for that.

Cameron Buriani:

You have to analyze it for what it is. You know, obviously, the effects of it are rather devastating, at least from an economic standpoint. But once you start to look into it from a technical standpoint, it was rather astute, and frankly, well executed. And something that I want to call out about the SolarWinds attack is, you know, from my own, this isn't CrowdStrike's opinion. Of course, this is just my own internal opinion, you know, that could have been infected by even getting an individual employee involved in the development cycle, and then obviously, getting it approved through code review. These are things where, you know, we can get to that level, which is why you need to take a defense in depth approach, because, again, you never know when your vendor is going to hire the wrong person. And then that goes into code review.

Shiva Maharaj:

I 100% agree that any type of supply chain breach to that extent starts with physical compromise of an employee in there. And I know many experts disagree with me, and say it came in over the wire, but you can't do some of those things over the wire. It's just near impossible; you still need someone approving something along the way.

Cameron Buriani:

Exactly. Someone approves something along the way. And you know what, cybersecurity is fundamentally a human security problem. We'd like to sometimes emancipate the notion of technology from the human end user, but when you look at the idea of people leveraging software and technology, it's just an extension of the human will, as it were. So at the end of the day, when you get to something like a supply chain vulnerability assault, there is obviously a compromised individual who allowed that to manifest. And it doesn't have to be as overt as the Russians got a guy hired, and he put it into code review, and it did it. It could even be as somebody, you know, maybe they were the person who approved it, and they might have had an interest in allowing it to go through. We just don't know. And that's not to spike up an atmosphere of paranoia. But what I do want to shift the conversation to is making sure that we look at the concept of defense in depth, stopping a breach, and then choosing partners at every layer in your security stack to make sure, okay, if partner A fails, that's human, that is life, everything in life will eventually over time deteriorate. Therefore, we want to make sure we have the most secure building blocks in the stack. So if one thing is moderately compromised, each layer has an opportunity to back up and provide that additional layer of security.

Shiva Maharaj:

Going back to the Kaseya incident. If you can go into those, how and what did the CrowdStrike agent do to mitigate the effects on partners, CrowdStrike partners, who were using Kaseya?

Cameron Buriani:

So right off the bat, it was essentially relegated to on premise. We have very few MSSP partners who leverage on premise Kaseya. So that in and of itself created it to be more of a niche for my partner base. Now what essentially was happening, and a couple of them that were doing it without disclosing it, is that they were using it to deploy basic ransomware. So this is where we talk about, when you look at zero day threats, zero days are oftentimes one step in the kill chain, a new invocation of, let's say, an initial entry vector, but then they'll attempt to do the next layer, like monetization, with a known bad version. And what was happening is they were using Kaseya, an on premise version, to deploy CryptoLocker, and then a Jigsaw locker. Well, when they would attempt to upload them or even write on disk, CrowdStrike is able to detect on disk, hey, you wrote ransomware. And then they attempted to execute and install the ransomware. As of where we're upon, we held that action, and static, our machine learning agent was actually able to extract strings from the binary and attempt to decipher the actions taken, and we proactively quarantined the ransomware each and every time they used Kaseya to push it up. And they were doing it hundreds and hundreds of times an hour with all known bad ransomware variants, and they were even doing polymorphic variants, which your listeners are not aware of. Polymorphic essentially just means where you take the same style assault and you tweak it slightly at the source code level. And you can do something as easy as just rename a string value or change an integer here and there without actually, you know, disrupting the entire source code. But once you do that and you save it, that's a new hash. So that's polymorphic. Right?
If you have a hash based solution, and you're changing something at the source code level, it's going to go right through it, because for obvious reasons, a hash based repository will not be able to accommodate a spot change like that. And that's where CrowdStrike was able to stop, we were able to stop polymorphic variants, as well as the known bad variants, and polymorphic does not constitute a zero day. That, of course, is a known monetization vector. So hopefully that adds some color: a potential zero day entry vector, where we stopped, of course, the manifestation via ransomware through polymorphic iterations of the Jigsaw.

Shiva Maharaj:

When you guys see these events unfold, and I'm assuming part of your threat intel team is putting together whatever IOCs they can to help further stop and mitigate threats, how quickly is that intel pushed down to the local agents?

Cameron Buriani:

It depends. CrowdStrike is partnered to do what's called the 1/10/60 framework, which is a framework that we set in order to be able to hit some of the MITRE framework standards. What they've done is essentially, CrowdStrike wants to be able to see, detect a breach within about one minute. We want you to be able to search for the entire scope of that threat within about 10 minutes. Because we want you to drive towards full remediation within an hour. If you're able to adhere to that framework, you can actually stop the breakout time of top nation state level adversaries, such as ex-Soviet based adversaries, as well as the CCP, and guys like myself, you or Eric working out of their spare room. If you can hit those frameworks, you can stop those adversaries, in theory. Now how does that translate over to when do we roll out intelligence? CrowdStrike is seeing things within that timeframe; it then goes through our intel team. And there's this notion of communal immunity with CrowdStrike. And what that means is across all of the endpoints we manage, and we manage north of, I think it's a quarter billion endpoints at this point, but I could be wrong on that, and I'm sure somebody will correct me. But we manage somewhere between a quarter and a half a billion endpoints. So whenever we see that new attack manifest, it goes immediately to our intelligence team, where they start to write out those new patterns. And they will silently update every managed CrowdStrike endpoint within a couple hour time frame. Now, that's not hard, right? It may be faster, it may be slower. There's no committed SLA that we really want to, you know, give to the audience. But we do want to make sure that it's known that we will respond within an industry standard time to make sure that we push out those updates to every customer. So you and your MSP, you might not be getting hit by CCP adversaries based out of Guangzhou.
But some of the top individuals that we do, they are seeing these attackers manifest in their environment daily, as we're working with financial institutions, healthcare institutions, even sensitive military environments, and you get that benefit of that communal immunity. And you'll get those patterns within a relevant time period as they push down from our intel team.

Shiva Maharaj:

One thing I wanted to, I guess, clarify or verify: these threat intel updates are completely independent of versioning updates like your n minus one, correct?

Cameron Buriani:

Yes, largely they are.

Shiva Maharaj:

And what do you guys do on the incident response side of the house? Because I know that's a service you guys sell. And then as partners, we can go through the training to do that. And I guess this is more Eric's wheelhouse, so I'll let him take it from there. And you, of course. Yeah, Eric, you want to comment?

Eric Taylor:

Sorry, my Internet's like, you know, say that one more time.

Shiva Maharaj:

Sorry, I was asking Cameron about their two sides of the house for incident response: the service that they have, as well as how they train their partners like you to go through incident response to perform it yourself.

Eric Taylor:

Yes, I can weigh in on a little bit of that. And to be full disclosure, we're still going through a ton of stuff with CrowdStrike, because we are an incident response firm. I mean, there's other vendors out there in the space that you can literally go in and say, hey, I'm an incident response firm, and they will, you know, give you the keys to the kingdom. But CrowdStrike really is taking a much deeper stance to it. And this is why I chose CrowdStrike. So they want you to go through massive training to understand their product, and really be able to do your own threat hunting and searching of things when you're starting to see some new suspicious things inside of your network. So you know, we have our RMM tool that's out there that's passing PowerShell code from an elevated command prompt, and CrowdStrike is like, Mmm, yeah, this isn't good. We're like, yeah, we know. But the threat vector, and being able to tie it to MITRE ATT&CK and things of that nature, really, it was able to really see how things are going in, and being able to actually see persistence inside of a network through CrowdStrike. We had a case come up over the weekend where a site that uses full VMware has somehow or another VM Tools installed on about 80% of the agents, and CrowdStrike was able to rip that apart. And like, yes, it's labeled as vmtools.exe, but this really is a remote shell code. So you know, it was able to really dive in and see that type of information.

Cameron Buriani:

And that's the visibility that we want to be able to provide. And when you start to look at the services and response side of the house, now we have a robust IR team. And we have what's called an LP based engagement team. So you know, we have a lot of people that partner with us not only to provide perpetual security through our endpoint security product, but there is also the incident response, which is really what CrowdStrike started off as at inception. We actually went on in as an IR based tool when we would deploy the agent for full visibility. And CrowdStrike started to become a company because people said, Hey, I'll pay you just to leave this on that endpoint, give us that full visibility. So that is really our origin story, as it were, if you want to think about it that way. So with our eo, P and our IR team, we want to make sure that we go on in, get full visibility into what's occurring, set industry standard for response time, bring you and your customers to a true neutral security status, and then offer you perpetual security going forward via the CSA. That's a little bit independent from what I do. What I do is obviously Solutions Architect from the MSSP side, enabling partners like yourself in order to deploy this, keep it in a secure stance, walk through standard remediation practices. But the IR team is really industry best practice, best of breed, going on in there and, again, responding to the most advanced threats. And there is actually a new tool that we're offering. Well, new is relative, there is a newer tool, which is our Falcon Forensics tool, which allows you to collect historical artifacts from a breach. So if you ever go on in, this is what our team does, you want to see visibility prior to CrowdStrike install, we actually deploy our Falcon Forensics tools to start to bring up those historiographic artifacts, so that we can give you an understanding of what occurred for that breach and how we're going to respond to it.
And that's an offering that we can even offer our partners now. So you could work with our Incident Response Team, go through the certification, do the whole Alp engagement. And then on top of that, there's the Falcon Forensics agent, which gives you a similar level of visibility to what our IR is doing, again, drawing historical artifacts before we've installed the agent. And that's really moving us towards making sure we have a holistic security suite, on at least the workload side.

Eric Taylor:

I tell you what, as an incident responder, you're giving me the happy chills over here.

Cameron Buriani:

I do want to give a caveat. It's not a full forensic disk analysis tool, but it has all the core viable data fields. I've yet to meet a partner who said I don't get enough info with it. That's obviously me as the CrowdStrike guy saying it. But I do want listeners to know, like, oh well, this CrowdStrike guy was talking about Falcon Forensics, it gives you core viable responder fields. And again, if you're a forensic analyst who, you know, has 30 years of experience, and you're used to, you know, some of the big dog tools, this might not fit your needs. But you know, for my MSP partners, they're enjoying it.

Shiva Maharaj:

One thing I wanted to ask you, just from what you said: does CrowdStrike take the position, and I use the term lightly, that we really are their partners, and they want to work with us and be a part of the solution? Whereas a lot of my other vendors just sell me something and I sink or swim. Is that a fair assessment?

Cameron Buriani:

Yeah. And I mean, that's why we're on this call, right? I mean, we are partners in that respect. So I mean, last Friday, I got on four different calls with partners, because they got Overwatch alerts. And I called them, made sure that they responded to it, walked them through it, worked with their analysts to make sure that we got their clients secure. Because at the end of the day, if my partners aren't succeeding, then I'm not hitting my metrics, right? So this isn't something where we're like, well, we're selling you the packet. Yeah, of course, you know, the sales guy's doing that. But at the end of the day, we need you to be a professional partner. We use our MSP partners in order to saturate the market; we're under no illusion that we can saturate the market 10 times as fast as if we went to an MSP. So if I create a good relationship with a partner, right, and they go to market, and they bring 300 clients, I mean, think about the scale, there's no way we can be doing anything like that at that scale. And so if people are interested, you know, in working with CrowdStrike, at least from an MSP capacity, you know, you'll obviously get a sales rep, and then there's a couple of guys like myself, but it's, you know, it's a full cycle, right? So we're there to help you not only with the initial vetting phase, but post-sale in that respect. So some of the things we do is we'll do an onboarding call, we'll do things, and that's pretty basic, but we'll go in and set up your policies. We'll go through best practices. You get a detection, you want to talk about that detection, you'll say, hey Cameron, I'm not sure what I'm looking at here. Let's set up a call. Let's get an hour. Let's walk through it.
If you're not comfortable using that tool, and you come around a year later and say, hey, we're going with another vendor, and we could have done something to help enable you, that's a failure on our side. So it is a true partnership in that respect. And we, at CrowdStrike, we do vet our partners. We tell partners, you know, they'll say we want to use you, and we'll say, this isn't gonna work. It's not something where we want everybody to be a CrowdStrike partner; we want to make sure that the relationship is a beneficial, mutual partnership. So it works both ways in that respect. We've had MSPs where we told them, you know what, intellectually, we're not going to agree on this, even though you want to use CrowdStrike; this isn't going to be a sustainable relationship. So, you know, we're just not going to be partnering. So hopefully that adds some context. But that's how I at least address my own personal partnership book of business. And it's in general the philosophy that is promulgated largely by CrowdStrike leadership. But of course, I don't want to speak too definitively, right?

Shiva Maharaj:

Now, of course, that is... you're probably the only vendor I've come across that honestly admitted to market saturation using partners. Right, that's what it is; it makes perfect sense. But no one wants to talk about it. They all want to talk the talk and say you're our partner, but they don't really enable us to do things. Whereas you guys, it's perpetual learning, for lack of better words. And I know that if I'm stuck, I can reach out to you guys, and I get a really good response, which gives me the confidence to say I'm putting CrowdStrike here. And you know, remember finances,

Cameron Buriani:

What you need is we're learning. I mean, I'm constantly learning too. You know, everybody should be in a state of constantly evolving. I mean, once you stagnate, you freeze something, you stagnate it, that's where it dies. There's a notion, I mean, this is a basic physical notion, where things are either growing, as entropy or as expansion. You're either growing and expanding, or you're deteriorating. Now, maybe, you know, obviously being like 30 years old, I guess I'm technically still growing, but you're not really going to notice that. You know, your partnership, or your business, is either growing or deteriorating, little by little or, of course, rapidly. And we want to make sure it's the former as opposed to the latter. And

Eric Taylor:

That's like an old movie, the name of the movie escapes me now. But you know, there was like a one-off of Steve Jobs where it pretty much said, either you're a one or a zero, you're alive or dead. Yeah, so you got to be expanding. You know, I mean, I went from MSP to a cybersecurity firm, and I'm always advancing, you know, our stuff. I know Shiva's doing the same thing. You know, if you're not learning, if you're not, no, not taking certifications and all that other stuff, but if you're not bettering yourself and your business, you're just stagnant, and you're gonna get left behind.

Cameron Buriani:

You're slowly dying. I mean, you just have to... it's a hard philosophy, but it's reality, right? You know, some people just want to live in a state of perpetual comfort: well, I'm good now, I got it, it's easy. Yeah, well, guess what's not going to be easy: when you didn't maintain those skills, and you didn't maintain yourself, five years from now, and now you're outdated in the market. And, you know, that's obviously a bit of a heartless way to look at it. But it is the reality, right? And that's why you have to stay on top of things. And cybersecurity is paramount to stay on top of with your tools. Find a partner who philosophically aligns to that, because if you find individuals who are saying, you know, we're rocking, we're rolling, the boat's cruising, I can just kind of sit and coast, well, they're gonna get hit, because you sit and coast, and guess what? A great white goes right onto the boat and pops it. I'm sorry, but stagnation is death.

Shiva Maharaj:

To me, so that is, yeah, I want to go full force, I want to go full bore, or die going down, or whatever, either. Oh, sorry, go

Cameron Buriani:

No, I was just gonna say keep expanding till you get too close to the sun, and then, you know, your wings burn off. And that's it. Hopefully you're eating by then. But

Shiva Maharaj:

Hopefully you can pick back up if you survive. But one thing I wanted to talk about: with the proliferation of the cloud, and a lot of the CrowdStrike agent depends on the cloud, what happens if the connection is disconnected? What kind of protection is left in place in a scenario like that by the agent?

Cameron Buriani:

Yeah, so CrowdStrike obviously gives you full protection regardless of your network connectivity status. So it is agnostic in that respect; you're gonna get full protection regardless of that. So you know, you can be online or offline. CrowdStrike will, for up to a couple of weeks, cache data stored from that offline EDR usage. But we'll give you perpetual protection offline. So whether or not you have that, let's say, you know, I'm working on my laptop, and I go on a business trip to Arizona, right, and I lose network connectivity in the clouds in the sky, or at work, and lose network connectivity. A lot of ransomware now actually embeds itself in the registry, where it attempts to detonate once you lose that network connectivity status, because there are a lot of legacy vendors who have to have that connectivity in order to check a hash-based repository. CrowdStrike doesn't need that. We have the on-sensor agent, which provides full telemetry data, as well as machine learning protection, which proactively stops the threat and quarantines. And the moment that you reestablish continuity with the cloud, we'll show you what occurred while you were offline, as well as the blocks.

Shiva Maharaj:

And what happens when you're offline? What kind of blocking is that, just relying on heuristics, historical data?

Cameron Buriani:

It's going to be behavior-based prevention, as well as machine learning-based preventions. It's everything that's stored within the agent. CrowdStrike has two agents: there's an agent that lives within the cloud, and there's an agent that lives on sensor. There's proprietary names for that. But essentially, what happens is there's a race condition variable. So even when you're online, right, your on-sensor agent may convict something before the cloud, and it'll take that. But the cloud, for obvious reasons, is always going to be the most up to date; we want to make sure that the on-sensor is as synced to the cloud as possible. But we have both of those as a failsafe check, right. So you are going to get heuristics, you are going to get behavior-based prevention, and you are going to get machine learning capabilities when offline as well. The only thing that might occur is if you have too much telemetry usage, we may start purging some of that EDR data. If you've been offline for, you know, weeks on end, you may not get full telemetry capabilities when you reestablish continuity with the cloud, simply because we can't cache that much offline. What we need to do is provide minimally viable protection. So we'll start to purge that cache a little bit to make room for the ability to prevent threats.

Shiva Maharaj:

What's the sweet spot for that timeframe? Probably a week or two? So it's not that... the likelihood of you going offline for more than a week is slim. I had hoped.

Cameron Buriani:

Yeah. I mean, what people take... I mean, taking a two-week vacation is seen as like a power move; who's taking a three-week vacation and working offline the entire time? Like, when you really think about it, like, who's that? Okay, two weeks of offline usage? And, I mean, there are machines which are, you know, air-gapped, as it were, where they're offline, and those are machines that we fully support as well. But yeah, I mean, when you think about it, in actual usage, what's the use case behind that? And I'm sure there will be somebody in the comments who will tell me the use case.

Shiva Maharaj:

How do you guys deal with air-gapped systems and updates?

Cameron Buriani:

We actually don't support anything that is truly air-gapped. Nothing can be supported if it's truly offline; there's no touch, there's no way to even proxy it off a couple hops. We won't support that, for obvious reasons. But you have to have some form of proxy, and we can do up to two hops for that.

Shiva Maharaj:

Okay. And what are you guys doing on the mobile devices?

Cameron Buriani:

CrowdStrike does offer Falcon for Mobile. So you can do that for Android and iOS.

Shiva Maharaj:

Sorry, we only deal with... I only deal with iOS. Android does not exist. Even if you use it, it doesn't exist.

Cameron Buriani:

I have an Android. I just like that I can do more on an Android, at least from like a kernel-level settings perspective. Like I can go into root, I can do anything. Like, you know, you can't... there's certain things you can't... this is an entirely different rant, but I just like to control things. Like, why can't I disable presidential alerts? Why do you get to determine that for me?

Shiva Maharaj:

So, because if you give users the ability to do things, they will invariably mess it up. And that's as nicely as I can say that.

Cameron Buriani:

That's as nicely as you can say it. Well, yeah, you're absolutely right. But I don't like to be constricted, right? I like freedom. So, not sand, right. But I can mess with my end, right. But suffice to say CrowdStrike does cover mobile devices. We will give you telemetry data associated with mobile devices. And then of course, we're going to give you identities and misconfigurations. So we can show you when people are going on in and using applications that are not trusted, people have jailbroken phones, you can see telemetry data where people are copying string values from company Slack and maybe shooting it out over text. There's things that are going to give you visibility on that. Now, it is rather invasive. So, you know, I personally would only install it on company applications and company devices. It's not something that I'd recommend putting on your personal phone unless you were comfortable with the company seeing that. But I'm a bit more of somebody that... I like, I want to respect privacy within the bounds of security, right? So yes, we do offer mobile, an excellent solution; I recommend it for company-based devices. But if you're looking to put it on personal phones that people use for company devices, you could do that. I just wouldn't do it.

Shiva Maharaj:

And what kind of adoption have you guys seen for, you know, let's deal with the corporate-owned devices, in terms of putting a CrowdStrike agent on there? Because a lot of my clients never thought of it, or it was never brought up to them. And quite honestly, I never thought of it prior to becoming a CrowdStrike partner.

Cameron Buriani:

Yeah. Adoption's pretty... huh. I'd probably say, and it's rough to spitball, but I'd say it's a moderate level of adoption. I mean, it's not something where everyone's doing it, but it's certainly not an obscure tool. It's something that the more advanced MSPs, who have the core workloads protected, and they start to say, where can I start to hone in on the perimeter of this farm and keep the wolves out? The next thing that comes to mind is mobile, of course. I mean, basic mobile exploitation data vectors: you can access company resources on your phone, and you can text it anywhere. And that's obviously a problem, right? That's how you're going to get supply chain vulnerabilities. And so if you can text company data that sits on your phone to any location, well then I need to put something like CrowdStrike on there. You need to get the visibility, you need to be able to actually respond to those types of attacks, and you need to be able to actually hold on and prohibit end users from taking essential actions that could compromise your company's security stance.

Shiva Maharaj:

I have a question for you, and it's kind of a loaded question. What are you guys doing for PrintNightmare? Now, I'm old enough to understand, not necessarily know, that printers are potentially the way that Stuxnet got into the Iranian nuclear facility. So it's not a new TTP.

Cameron Buriani:

Yeah, no, and the Iranian nuclear facility one is wild, especially the fact where they said it was spinning at 5000 cycles, but I think they were spinning like six or something, and they couldn't figure it out. Another beautiful one. Yeah, that is a great attack. But to be honest, I haven't read into the printer attack yet that happened like a week and a half ago. And I saw them post something on Slack on it; I was just too heads-down with bringing on new partners. So, you know, I wish I could comment on that one. But I do know that we took proactive action against it. And I'm sure if you go look on LinkedIn and type in CrowdStrike with it, you'll be able to see a bunch of people talking about it. But I'm not equipped to talk about that one now, unfortunately.

Shiva Maharaj:

Is something like PrintNightmare, or the same issue, a vulnerability that's exposed with your Spotlight feature?

Cameron Buriani:

CrowdStrike Spotlight is going to give you visibility into all vulnerabilities associated with workloads that we cover, right. And it primarily started off as a Windows vulnerability tool, so we can show you CVEs and KBs associated with Windows. And then of course, now we've migrated into Mac and Linux. So when you think about what Spotlight does: is the vulnerability associated with a host workload? If yes, CrowdStrike will give you visibility into it. And of course, Spotlight will then show you how to do it. Now, right now we're doing ad hoc-based patching, where, again, minimally viable product, what we're now able to do is patch core machines ad hoc, on a one-to-one basis, with core patches as needed. And you know, we want to expand that functionality as it goes on. But you know, when you start to think about what vulnerabilities we cover: workload-based vulnerabilities, three core operating systems, and we're building out from there.

Shiva Maharaj:

One of the cool things about the Spotlight feature add-on that you guys have is, when I go into new clients and I drop that on, the number one vulnerability that is never patched, because you actually have to do something, is Spectre.

Cameron Buriani:

Spectre is a good example of what we do. We talked way earlier about how we want to make sure the general cybersecurity community as a whole is secure. We actually rolled out a Spectre dashboard to every customer, regardless of what they paid us for. We wanted everybody to be secure from Spectre. And that's something that if we see those critical industry-level events, we're going to do what we need to, regardless of financial concerns, to make sure that our partners and our customers are secure. And everybody got that Spectre dashboard, and I believe it was like a 24-hour timeframe so they could respond to it.

Shiva Maharaj:

Are you seeing partners still getting exploited with Spectre and Meltdown?

Cameron Buriani:

It's not really something that comes into my book of business, and I've been doing MSPs for, you know, two-something years now. I haven't seen Spectre be a problem since then. I mean, the only time I'll see it is where people will do like pentesting with that, same with like EternalBlue, right? Once you start to get these legacy attacks, it's just usually pen testers that are doing it.

Shiva Maharaj:

How are you guys able to discern, or are you able to discern, between something that's a pen test and a malicious act?

Cameron Buriani:

That's typically where Overwatch will come on in. Overwatch has experience, obviously, looking at millions of workloads, and we're getting pen tests daily, and we're getting malicious actors daily. And there's typical signatures that we see with pen testers that'll be a little bit different than threat actors. And it's usually about understanding not only the customer profile, but also understanding the potential threat actor landscape. It's not as if these actors just emerge out of nowhere, like a mushroom; these actors will run campaigns, and there'll be flavors of the week. So if we're seeing, for example, a threat actor who's using a Java Rhino-based exploit from a spear phishing entry vector, typically associated with Firefox, let's say version, like, whatever, right? So we know the threat actor is going through the campaign, working through the area with this. And then out of nowhere, we see a pentester who's using a reverse TCP shell session, and they're trying to use, I don't know, something like EternalBlue to get in. And then they're using, let's just say, Mimikatz for credential elevation. That might be a little bit different than what the threat landscape is dictating that day: the weather is raining, and this guy comes on in with, you know, let's just say a tornado. It's a little bit different than what's happening. So it's a bit more of a tactile thing for them. It's assessing the landscape, understanding what's manifesting, and then looking into the data. And then of course, interfacing with the partners. Sometimes Overwatch can tell; that's why we'll call the partners and say, we're seeing a threat, is this pentesting, or is this a real actor? And based on that feedback, we'll be able to take a response. But, you know, Overwatch does respond to pen testers. That is something that, you know, there's no way to completely tell. That's why I said it is a bit of a tactile thing, but also we need to have that conversation to be definitive about it.

Eric Taylor:

Let's talk about pen testing for a second, just because that's a little bit of my work. You know, a lot of times when we go in and do a pen test for a client, and it's in Amazon or AWS, they pretty much mandate now that they want to know, especially when it's not just some sort of, you know, masscan or Nmap or whatever freaking scanning that you're using. If you're actually trying to do something, they want to know about it ahead of time. Is CrowdStrike in a position where they say, you know, don't let us know, we'd like to respond to separate things? Or do you think CrowdStrike is one that would like to have notification ahead of time?

Cameron Buriani:

I mean, I can't speak for the entire organization as a whole, for obvious reasons. But when my partners do pentesting today, I won't tell them to let us know, personally. And again, I'm sure someone in the comments at some point will point out, well, you know, XYZ. But, you know, if you're doing proper pen testing, it's supposed to simulate an adversary, right? You're supposed to be testing the tool; therefore, why would I go tell the tool we're going to use a tool, right? It's just like sparring. If you're in a sparring match, and you're trying to prepare for a proper match, why would I tell my opponent, I am going to throw a jab in three seconds, please be prepared? I'm obviously going to parry it, as it were. So if you're running proper pentesting, and you're using our entire suite, I'd encourage you to just go for it, right. And you know, you may want to give your solutions architect, like me, a heads up, just so I don't have to get up at 2:30 on a Sunday morning because we're getting Overwatch alerts. I know that that's a pen test. But you know, you can keep Overwatch on their toes.

Eric Taylor:

I love it.

Shiva Maharaj:

I've got, I guess, two final questions for you, because I do want to be mindful of your time. And I do appreciate you guys coming out and doing this episode with us. Cameron, is CrowdStrike... again, I don't know if you can even say this, or maybe it's not your wheelhouse, is CrowdStrike going to do anything with email protection and networks?

Cameron Buriani:

That's typically not our wheelhouse. We want to be the sole workload security provider. Again, defense in depth, as we originally spoke about: we want to make sure that you find the appropriate partner for every layer in the security stack. Right now we're focused exclusively on workloads, owning that workload, but we are going to be building out partnerships that will, you know, make it more seamless to integrate with those things in the future. So find a good security or email service provider, network layer; there are people who provide excellent services for it. And we're under no illusions that we're going to be able to build something, you know, at least in the near term or future, that'll serve those.

Shiva Maharaj:

Cool. Alright, any other questions for Cameron here?

Eric Taylor:

No, I mean, this has been awesome. I really do appreciate it. Like Shiva said, you know, it's really a breath of fresh air to actually talk to and listen to a true partner in this space.

Cameron Buriani:

Yeah. I mean, I appreciate you having me on. Like I said, you know, I probably should say all views are, you know, Cameron's views. If you want, like, the official statement on things, always, you know, reach out to CrowdStrike directly. But yeah, thanks for having me.

Shiva Maharaj:

Thank you so much.

Eric Taylor:

Thanks again, everybody, for joining in to another episode of Cybersecurity: Amplified and Intensified. Thanks again to Cameron for tuning in. If you've made it this far, and you're on YouTube, please subscribe and leave us a comment. If you're on the audio podcast, please do us a favor and give us a rating on your audio podcast platform of choice. It really does help us grow this, and please tell someone about us. Help us spread the word, and until next time, thank you.

Shiva Maharaj:

Thanks again for joining us for the Cybersecurity: Amplified and Intensified podcast.
