How to Get Better Protection with Falcon Prevent
Introduction
This document and video will demonstrate how CrowdStrike’s Falcon Prevent offers superior next-generation AV protection against all types of attacks through a single, lightweight agent and a cloud-delivered console.
Simplified Management from the Cloud
On the main Falcon dashboard, you see an overview of the events in our environment. On the right side, where the most recent detections are listed, you will notice that the prevention events are marked with a green checkmark icon. Each event includes descriptive terminology from the MITRE ATT&CK framework to summarize the tactic and technique being used. From the dashboard, you can drill in on a specific event or view the detections pane to filter and search for specific events.
Policy configuration is also done in the same UI under Configurations -> Prevention Policies. Falcon Prevent uses a combination of methods to protect endpoints from different types of attacks. Machine learning, indicators of attack, and exploit mitigation are just a few of the capabilities that CrowdStrike leverages to help companies prevent breaches.
Better Protection
The following two example detections provide an overview of the protection available with CrowdStrike. In the first, we see a high severity prevention as a result of exploit mitigation. The process tree shows us that the attack began in Outlook where the user clicked on a malicious web link. In the execution details, we see the suspect command that triggered this detection.
In the second example, we see that a file called openme.exe was prevented thanks to CrowdStrike’s machine learning engine. The process was blocked and quarantined, and the event data gives us associated information such as the file hash, which can also be added to the blacklist in the hash policy.
Integrated Intelligence
This second detection is also an example of the power of CrowdStrike’s integrated intelligence services. This file has been attributed to a bad actor called Fancy Bear. From the detection, we can open the complete actor profile. This information gives us context on who might be targeting our organization and what tools they frequently use – including vulnerabilities and command and control servers.
Conclusion
Falcon Prevent is simple to configure and effective in recognizing and blocking different types of malicious behavior. CrowdStrike delivers proven protection while also providing your team with valuable information and context around the larger attacks and adversaries.