How to Get Better Protection with Falcon Prevent

September 20, 2019

CrowdStrike Tech Center

Introduction

This document and the accompanying video demonstrate how CrowdStrike's Falcon Prevent offers next-generation AV protection against a broad range of attack types through a single, lightweight agent and a cloud-delivered management console.

Simplified Management from the Cloud

On the main Falcon dashboard, you see an overview of the events in your environment. On the right side, where the most recent detections are listed, prevention events are marked with a green checkmark icon. Each event is labelled with the tactic and technique from the MITRE ATT&CK framework that summarize the observed behavior. From the dashboard, you can drill into a specific event or open the Detections pane to filter and search for specific events.

Screenshot: Falcon Prevent dashboard
Policy configuration is done in the same UI under Configuration -> Prevention Policies. Falcon Prevent uses a combination of methods to protect endpoints from different types of attacks. Machine learning, indicators of attack (IOAs) and exploit mitigation are just a few of the capabilities that CrowdStrike leverages to help companies prevent breaches.

Screenshot: Prevention policy overview
Better Protection

The following two example detections give an overview of the protection available with CrowdStrike. In the first, we see a high-severity prevention triggered by exploit mitigation. The process tree shows that the attack began in Outlook, where the user clicked a malicious web link. In the execution details, we see the suspect command line that triggered this detection.

Screenshot: Exploit mitigation detection with process tree and execution details

In the second example, we see that a file called openme.exe was prevented by CrowdStrike's machine learning engine. The process was blocked and the file quarantined, and the event data gives us associated information such as the file hash, which can also be added to the blacklist in the hash policy so that the same file is blocked across the environment.

Screenshot: Machine learning detection for openme.exe

Integrated Intelligence

This second detection is also an example of the value of CrowdStrike's integrated intelligence services. The file has been attributed to a threat actor tracked as Fancy Bear. From the detection, we can open the complete actor profile. This information gives us context on who might be targeting our organization and which tools they frequently use, including the vulnerabilities they exploit and their command and control servers.

Conclusion

Falcon Prevent is simple to configure and effective at recognizing and blocking different types of malicious behavior. CrowdStrike delivers proven protection while also giving your team valuable information and context about the larger attack campaigns and the adversaries behind them.