
VERIZON CASE STUDY

OPERATIONALIZING THE CROWDSTRIKE PLATFORM

SPEAKER

© 2019 CROWDSTRIKE

GLENN HELLRIEGEL

§ Dedicated IT Professional with 16+ years of experience in the telecommunications industry managing computer systems, endpoint security, help desk support and networking technology.

§ Demonstrated ability to manage complex projects and perform new technology implementations focusing on endpoint security applications.

§ Recognized for leveraging existing technology and resources to alleviate problems and reduce cost, while maintaining a strong security posture.

DMTS - Verizon


AGENDA

§ CHOOSING A PRODUCT

§ RFI TO POC

§ DEPLOYMENT

§ OPERATIONAL DESIGN (SUPPORT)

§ MAINTENANCE

CHOOSING THE PRODUCT

Scope of the Environment:

Operating Systems:

§ 155,000 Windows workstations
§ Includes over 20,000 VMs (Citrix and VMware)
§ All supported Windows operating systems
§ 28,000 Windows Servers (Physical/Virtual)
§ 5,000 Macs
§ Linux: ~30,000 on supported kernels (RHEL, CentOS, Ubuntu)

Platforms:

§ AWS/Physical/VM

Locations:

§ Domestic/International

CHOOSING THE PRODUCT


§ When choosing the product at Verizon, security and operations teams came together to determine what problem a new platform was expected to solve

§ Understanding Pain Points (what problems need to be solved)
  § Heavyweight agents
  § Lack of true EDR
  § Reliance on pattern-based traditional AV
  § Time to protection
  § Architecture and Management
  § Performance issues

§ What features are needed?
  § Flight Data Recorder functionality
  § Containment
  § Better protection
  § Cost

CHOOSING THE PRODUCT


§ Required Functionality (Higher weight)
  § No Performance Degradation
  § Flight Data Recorder capability
  § Zero-day Threat Protection
  § Splunk/Syslog integration
  § Better Prevention Capabilities
  § Mac, Windows, and Linux Supportability
  § Upgrades/Rollbacks
  § Ease of Management

§ Value Adds (Less weight)
  § Application Inventory
  § Rogue Device Detection
  § Device Control
  § Architecture and Management
  § Performance increases

EXAMPLES


RFI TO POC

§ Identify all teams needed to participate in the process
  § Security Engineering, Threat Management Center, Operations, Analytics, Legal, Network, etc.
  § If this is not done, criteria that are needed may be missed!

§ Develop an RFI questionnaire with the specific capabilities required of the new security agent (application)
  § Separate the questionnaire by the team providing the input, so that scoring can easily be done by the team who provided the input

§ Have a scoring system that not only rates vendor responses on a scale of 1-5, but assigns a weight to the score based on need or requirement

§ Make the RFI questionnaire generic enough that all vendors have the same opportunity to respond.

§ Send out RFIs to the chosen vendors with a reasonable timeframe for response

§ Scoring the RFI
  § Allow the team leads involved to score their focus area
  § Meet to understand each team's scoring and agree on it. Sometimes questions are misinterpreted and need insight from others to arrive at a consensus
  § Calculate the scores and arrive at the top 3 to POC
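The scoring scheme above (1-5 ratings per criterion, a weight per criterion reflecting need, each team scoring its own focus area, top 3 to POC) is easy to get wrong in a spreadsheet when several teams contribute. The following is an added worked example, not part of the Verizon deck: the teams, weights and vendor scores are constructed for illustration, and the criteria names are taken from the deck's required-functionality and value-add lists. It shows why the weighting matters: the vendor with the highest plain sum of ratings is not the one that ranks first once required functionality is weighted higher.

```python
"""Weighted RFI scoring for the 'RFI to POC' steps.

Added example, not from the Verizon deck. Teams, weights and vendor scores
are constructed; criteria follow the deck's required/value-add lists.
"""

# criterion -> (team that owns and scores it, weight). Required functionality
# carries weight 3, value adds carry weight 1 (constructed weighting).
CRITERIA = {
    "No performance degradation":  ("Operations", 3),
    "Flight data recorder":        ("Threat Management Center", 3),
    "Zero-day threat protection":  ("Security Engineering", 3),
    "Splunk/Syslog integration":   ("Analytics", 3),
    "Mac/Windows/Linux support":   ("Operations", 3),
    "Application inventory":       ("Security Engineering", 1),
    "Rogue device detection":      ("Network", 1),
    "Device control":              ("Security Engineering", 1),
}
SCALE_MIN, SCALE_MAX = 1, 5

# Constructed vendor responses: each criterion rated 1-5 by its owning team.
RESPONSES = {
    "Vendor A": {"No performance degradation": 5, "Flight data recorder": 5,
                 "Zero-day threat protection": 4, "Splunk/Syslog integration": 4,
                 "Mac/Windows/Linux support": 5, "Application inventory": 3,
                 "Rogue device detection": 2, "Device control": 2},
    "Vendor B": {"No performance degradation": 3, "Flight data recorder": 2,
                 "Zero-day threat protection": 3, "Splunk/Syslog integration": 5,
                 "Mac/Windows/Linux support": 4, "Application inventory": 5,
                 "Rogue device detection": 5, "Device control": 5},
    "Vendor C": {"No performance degradation": 4, "Flight data recorder": 4,
                 "Zero-day threat protection": 4, "Splunk/Syslog integration": 3,
                 "Mac/Windows/Linux support": 3, "Application inventory": 4,
                 "Rogue device detection": 3, "Device control": 4},
    "Vendor D": {"No performance degradation": 2, "Flight data recorder": 3,
                 "Zero-day threat protection": 2, "Splunk/Syslog integration": 2,
                 "Mac/Windows/Linux support": 3, "Application inventory": 1,
                 "Rogue device detection": 1, "Device control": 2},
}


def validate(scores):
    """Every criterion must be scored exactly once, on the agreed scale."""
    missing = set(CRITERIA) - set(scores)
    unknown = set(scores) - set(CRITERIA)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for crit, s in scores.items():
        if not SCALE_MIN <= s <= SCALE_MAX:
            raise ValueError(f"{crit}: score {s} outside {SCALE_MIN}-{SCALE_MAX}")


def weighted_total(scores):
    """Weighted score as a percentage of the best possible weighted score."""
    validate(scores)
    best = sum(w * SCALE_MAX for _, w in CRITERIA.values())
    got = sum(CRITERIA[c][1] * s for c, s in scores.items())
    return round(100 * got / best, 1)


def unweighted_total(scores):
    """Plain sum of the 1-5 ratings, for comparison with the weighted result."""
    validate(scores)
    return sum(scores.values())


def team_breakdown(scores):
    """Per-team percentage, so each lead can see and defend their own area."""
    validate(scores)
    got, best = {}, {}
    for crit, s in scores.items():
        team, w = CRITERIA[crit]
        got[team] = got.get(team, 0) + w * s
        best[team] = best.get(team, 0) + w * SCALE_MAX
    return {t: round(100 * got[t] / best[t], 1) for t in got}


def rank_vendors(responses, top_n=3):
    """Rank vendors by weighted total and return the top_n to take to POC."""
    ranked = sorted(((v, weighted_total(s)) for v, s in responses.items()),
                    key=lambda vs: vs[1], reverse=True)
    return ranked[:top_n]


if __name__ == "__main__":
    for vendor, pct in rank_vendors(RESPONSES, top_n=len(RESPONSES)):
        print(f"{vendor}: weighted {pct}%  unweighted {unweighted_total(RESPONSES[vendor])}")
        for team, tp in sorted(team_breakdown(RESPONSES[vendor]).items()):
            print(f"    {team}: {tp}%")
    print("To POC:", [v for v, _ in rank_vendors(RESPONSES)])
```

With these constructed scores Vendor B has the highest unweighted sum (32 against Vendor A's 30) because of strong value adds, but Vendor A ranks first once required functionality is weighted; the per-team breakdown is what the scoring meeting reviews to spot a misread question before the totals are trusted.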

RFI TO POC


§ POC the top 3 based on application scoring
  § This is important to hold the vendors' feet to the fire and make sure all answers provided match up to functionality
  § Test as thoroughly as possible all functions of the product with live Pilot groups representative of your client base, making sure to include sensitive applications such as retail and customer-facing ones so there is no identified impact to the business

§ Potential Operational Support Scenarios
  § Client deployment and management of agents
  § Scalability (i.e. client grouping for policy deployment, exceptions, etc.)
  § Policy management
  § User management including RBAC
  § Analytics for threat ingestion/event data capabilities
  § Rollback, upgrade, white/black list
  § Containment
  § Network performance
  § Overall threat prevention

POC


DEPLOYMENT

KEY DISCUSSION ITEMS TO CONSIDER PRIOR TO ROLLOUT

§ Identify all internal Proxy/FW (possibly external internet proxies)

§ GDPR and other regulatory compliance

§ Identify OSs to pilot in the environment for supportability

§ Have a way to quantify deployments and provide metrics (% complete)

§ Air Gapped Networks

§ Define the UAT/Pilot/Production process (new sensor builds and policy updates)

§ Identify the UAT/Pilot Groups (machines, POCs, additional contacts)

§ Develop a communication method for rollout, subsequently used for maintenance

§ Use precedence in policies to scale rollouts

§ Incorporate the Change Control process

§ Establish roles in the support of the product
  § Who really needs access?
  § What level of access is needed?

§ Operations Model Manuals
  § Have a shell of an OPS model built detailing procedures, processes and roles. This was a "living" manual throughout the deployment, as adjustments had to be made. At the end of the major deployment, it was solidified and signed off at executive levels
  § Make sure to include processes for onboarding new teams/groups, image builds, software repository for packaging teams, support channels, etc.

OUTLINE 4 PHASES FOR DEPLOYMENT

§ Phase 1 = Deployed with existing Antivirus in audit only mode
§ Phase 2 = Turn up Prevention policies (less NGEN AV)
§ Phase 3 = Turn up NGEN AV using Moderate Detect/Prevent settings
§ Phase 4 = Remove legacy Antivirus agent (All used functions of the existing agent must have compensating controls)

PHASE 1

Initial rollout was staged alongside Symantec Endpoint Protection versions 12 and 14; the first phase, however, was in audit mode only

§ The CrowdStrike agent is distributed as a single EXE using our software delivery tools to all Mac and Windows endpoints over a 6 month period. Included with the agent are agent-specific configurations such as CID, Proxy and settings for VDI where needed

§ This was done to evaluate how the agent performs, as well as to see what kind of activity the SEP agent is missing or not flagging

§ Most activity flagged was outside the SEP agent's scope; however, it did alert on lateral movement (use of net.exe), unsigned suspicious executables, and utilities like ipscan.exe that have legitimate uses in our environment but can also be used for malicious intent

§ At this point of the process, we were able to take the time to audit the findings, clean out where necessary (PUP), develop any needed exceptions, and educate the developer user base on the practice of signing applications

§ Once the comfort level was gained that there would be minimal unwanted preventions with Prevention policies turned up, we moved forward with ratcheting up the policy a few controls at a time

PHASE 2

Prevention Policies Turned Up

§ Phase 2, using the same Pilot/Production rollout approach, turned up Prevention settings for all categories EXCEPT NGEN AV

§ Monitoring continued with a focus on any preventions that occurred. The team was responsible for follow-up and marking each as FP or TP

PHASE 3

NGEN Antivirus turned on with Moderate/Moderate settings applied

§ With NGEN AV turned up and in place, the same validation procedures are used to evaluate and verify that there is no negative impact

§ Again, this was done using the same Pilot/Production deployment approach

PHASE 4

Removal of existing (legacy) AV agent

§ A key note here is to understand that there may be functions of the existing AV agent that need compensating controls in another product prior to removal (i.e. Firewall, Device Control, etc.)

§ In Verizon's case, we moved Device Control and FW to GPOs using internal MS capabilities

OPERATIONAL DESIGN AND SUPPORT

OPERATIONAL MODEL AND DOCUMENTATION

§ Have a document that explains the scope of the CrowdStrike deployment, general support-related items (supported OS, requirements, etc.), and processes/procedures for agent installer requests and requests for access, as well as contacts for any support-related issues identified in the environment

§ Within this document, list all respective teams and their defined roles for support (i.e. TMC, EUS, Server and desktop support teams, and Security Engineering)

§ It is important to funnel all cases through a central group so that it is easy to research and socialize issues found within your environment. These might be common cases, and if there is an issue that can impact other groups, having a central group to provide this information to teams is extremely beneficial

§ Have the document tailored to be socialized to all teams involved in the product deployment, so that when onboarding new teams there is a "packet" you can provide them and all know the processes for support of the agent

§ Signed off by executive leadership

§ Reviewed periodically (in our case, every 3 months), and updated as needed

PRIMARY TEAMS AND RESPONSIBILITIES

§ CrowdStrike Support Team
  § The CrowdStrike support team manages the console, access, support of the agents and policies, as well as software distribution. Along with those duties, the team is second level support for investigations and onboarding new teams. This includes setup of any streaming or REST APIs for data ingestion

§ Threat Management Center (TMC)
  § All threat data is sent to the TMC via the streaming API. All alerts are assigned to the TMC and followed up with support teams and owners of the applications and systems

§ Internal Splunk/Data Ingestion Teams
  § Responsible for setup and maintenance of Streaming/REST APIs as well as Data Replicator for all event data. Involved with any new CID creation so that the TMC can receive alerts and data related to managed assets

§ Security Engineering
  § Responsible for policy advisement and enforcement as well as maintaining any exception requests for or within the agent

§ End User Support and Server Management Teams
  § Initial client investigations
  § 1st level support of issues
  § Validation of installs

POLICY MAINTENANCE

PREVENTION POLICY AND SENSOR UPDATE

§ Utilize existing pilot and production groups for targeting with the latest sensor builds and new Prevention Policies.

§ Use an internal distribution list whose members are representative of all required testing/pilot groups

§ Release Schedule
  § Day 1 after a sensor is released (or an updated prevention policy is ready), notify Pilot testers that a new version of the sensor/policy will be released to Pilot machines the following evening
  § 1 week for new sensors to sit alongside existing applications. If no issues are reported, release new sensor builds to the remaining clients
  § Upon release to Production, update the repository for leads to grab the latest sensor builds
  § Update the image build process and software delivery packages to include the latest agent
  § Socialize new builds/configuration information with the TMC (Threat Management Center) so that they are aware of any new detections related to the latest agent builds and prevention policies

MAINTENANCE

Support of the agent includes many things outside of packaging, imaging, policy and sensor update management

§ Client Health and using Query APIs to reconcile managed machines

§ Version Control

CLIENT INVENTORY REPORTS

Use APIs for a Client Inventory Portal to provide system admins a way to validate machines without needing console access

USING DISCOVER FEATURES

§ Logon account events and Maintenance
  § Helped reduce misconfigurations of local accounts by 95% in the first few months

CLIENT MAINTENANCE


§ Automated Client Remediation

§ Client Health
  § Using Query APIs cross-referenced to Asset inventory to identify "broken" clients
  § Automate addition of "broken" clients to targeted groups for Falcon Host removal/install/fix scripts to remediate

§ PUP/Adware Removal
  § Using the Query APIs to gather threat information not remediated by the agent and, based on a match to prohibited software, remove where needed by targeted packages and scripts

§ Rogue Device
  § Using managed/unmanaged asset information within Discover to identify machines that either belong on the VZ network and are missing agents where applicable, or do not belong on the network
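The Client Health, Version Control, Client Inventory Portal and Rogue Device items above all come down to one reconciliation: cross-reference what the asset inventory says you own against what the sensor inventory says is checking in, and against what network discovery sees without a sensor. The following is an added example, not from the Verizon deck and not CrowdStrike code; it makes no API calls. The asset records, sensor records, unmanaged host list, version numbers and dates are all constructed, standing in for data that would be pulled from a CMDB, a query API and Discover. The staleness threshold and "current build" are assumptions chosen for the example.

```python
"""Client-health and rogue-device reconciliation over constructed inventories.

Added example, not from the Verizon deck. Inputs stand in for the asset
inventory (CMDB), the sensor inventory a query API would return, and
unmanaged hosts seen by network discovery. All values are constructed.
"""
from datetime import datetime, timedelta

NOW = datetime(2019, 5, 11)            # constructed report time
CURRENT_SENSOR = "5.20"                # constructed "latest approved build"
STALE_AFTER = timedelta(days=7)        # no check-in for a week => treat as broken
SUPPORTED_OS = ("Windows 10", "Windows Server 2012", "Windows Server 2016",
                "RHEL", "CentOS", "Ubuntu", "macOS")

# Constructed asset inventory: what the organisation believes it owns.
ASSETS = [
    {"hostname": "ws-001",  "os": "Windows 10",   "owner": "EUS"},
    {"hostname": "ws-002",  "os": "Windows 10",   "owner": "EUS"},
    {"hostname": "srv-db1", "os": "RHEL 7",       "owner": "Server Mgmt"},
    {"hostname": "mac-044", "os": "macOS",        "owner": "EUS"},
    {"hostname": "srv-old", "os": "Windows 2003", "owner": "Server Mgmt"},
]

# Constructed sensor inventory (fields simplified from what a query API returns).
SENSORS = [
    {"hostname": "ws-001",   "version": "5.20", "last_seen": "2019-05-10T09:00:00"},
    {"hostname": "ws-002",   "version": "5.18", "last_seen": "2019-04-20T09:00:00"},
    {"hostname": "srv-db1",  "version": "5.19", "last_seen": "2019-05-10T09:00:00"},
    {"hostname": "lab-box7", "version": "5.20", "last_seen": "2019-05-10T09:00:00"},
]

# Constructed hosts observed on the network without a sensor.
UNMANAGED = ["mac-044", "printer-12", "unknown-3c"]


def version_tuple(v):
    """'5.18' -> (5, 18) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def reconcile(assets, sensors, unmanaged, now=NOW):
    """Sort every host into exactly one remediation group."""
    sensor_by_host = {s["hostname"]: s for s in sensors}
    known = {a["hostname"] for a in assets}
    groups = {k: [] for k in ("healthy", "stale", "outdated", "missing", "unsupported", "rogue")}
    for a in assets:
        host, s = a["hostname"], sensor_by_host.get(a["hostname"])
        if s is None:
            # In the CMDB but no sensor: install target if the OS is supported.
            groups["missing" if a["os"].startswith(SUPPORTED_OS) else "unsupported"].append(host)
            continue
        if now - datetime.fromisoformat(s["last_seen"]) > STALE_AFTER:
            groups["stale"].append(host)          # broken client: remove/reinstall group
        elif version_tuple(s["version"]) < version_tuple(CURRENT_SENSOR):
            groups["outdated"].append(host)       # version control: upgrade group
        else:
            groups["healthy"].append(host)
    # Anything the CMDB does not know about, whether it carries a sensor or was
    # only seen on the wire, is a rogue-device question for the asset owners.
    for host in list(sensor_by_host) + list(unmanaged):
        if host not in known:
            groups["rogue"].append(host)
    return groups


def coverage_percent(groups):
    """% of in-scope (supported) assets with a sensor checking in at all."""
    in_scope = sum(len(groups[k]) for k in ("healthy", "stale", "outdated", "missing"))
    with_sensor = in_scope - len(groups["missing"])
    return round(100 * with_sensor / in_scope, 1) if in_scope else 0.0


def host_status(hostname, groups):
    """Single-host lookup: the answer an inventory portal gives an admin without console access."""
    for state, hosts in groups.items():
        if hostname in hosts:
            return state
    return "unknown"


if __name__ == "__main__":
    g = reconcile(ASSETS, SENSORS, UNMANAGED)
    for state, hosts in g.items():
        print(f"{state:12s} {hosts}")
    print("coverage:", coverage_percent(g), "%")
```

Each group maps to a different owner and action: "stale" and "missing" feed the targeted remediation groups, "outdated" feeds the sensor update schedule, "unsupported" needs a compensating control decision rather than a script, and "rogue" goes to the asset owners because it is as often a CMDB gap as a device that should not be on the network. A host that is both stale and on an old build lands in "stale" only, since a reinstall supersedes an upgrade.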

THANK YOU

ANY QUESTIONS?