CrowdStrike’s Falcon for IT bridges gap between IT, security teams


[This transcript was auto-generated.]
Welcome to DEMO, the show where companies come in and show off their latest products and features. Today I’m joined by Elia Zaitsev. He’s the CTO of CrowdStrike. Welcome to the show.
Thanks for having me.
And you’re gonna show us the Falcon for IT product as well as another product within that, Charlotte AI, correct?
That’s correct.
All right. So who is this product for? Give me a general overview of what the product does and who it’s aimed at.
Sure. Well, let’s start with Falcon for IT. So Falcon for IT is for both the security and the IT teams. So one of the big issues that we’ve seen at CrowdStrike: our mission ultimately is about helping companies stop the breach, right? And traditionally, we’ve been creating tools and technologies and building out a platform that’s really empowered the SOC teams, the forensic teams, the incident response teams to understand if they’re under attack, figure out what the scope is, what the root cause is, and ultimately prevent or eject an adversary from their environment. But a big piece of that puzzle, often as you’re doing that investigation, is realizing, oh, the reason or the way that an attacker was able to enter the environment is because there’s a misconfiguration in the operating system, or there’s a vulnerability or some other technical issue that needs to be resolved later on, after the initial threat has been dealt with, to make sure that the attacker can’t just come back in. Think about it: hey, we left the door open, let’s go shut that door. Okay. Now historically, for most companies, that would mean, okay, let’s open up a support ticket and send it over to the IT teams, because we’ve kind of evolved as enterprises to have these two different teams operating in their own silos. And the reality is, if we’re fixing all these problems for security, and the reason we’re so successful in security is because we built this amazing platform, it handles cloud and endpoint connectivity and scale like nothing else. It’s easy to deploy, it’s resource efficient, customers have been consolidating their security technologies onto us. So we fixed a lot of those issues inherent with the security teams, but the IT teams have the same fundamental problems: they’re dealing with too many disparate tools that don’t scale and aren’t efficient, and they’ve got multiple agents for different operating systems, et cetera.
So as we’ve been fixing the security problem, the security teams have run into this bottleneck where they’re just throwing the ticket over to the IT side. And the IT teams are struggling to keep up with it all. So we had this realization: well, we built this incredible architecture, this platform. And we built it to solve pretty much some of the hardest problems in enterprise technology, right? Security, you need the most data, you need to have all the visibility, you can’t fail, you can’t go down, you have to be lightweight and quick to deploy. Well, that same capability we can now make available to the IT teams, and unify and bridge that gap between the two, right? And ultimately, not only are we going to make the IT teams’ lives easier, because we’re giving them a modern cloud-based platform, we’re consolidating their agents, we’re actually consolidating and integrating both the security and the IT technology together. So we’re making their lives ultimately easier. But we’re also making the security teams’ jobs better, right? Faster, more efficient, because they’ve got a better partner now in IT.
Okay, so would this be designed for customers that are already using the CrowdStrike platform? Or is this for anybody that hasn’t maybe used something from CrowdStrike yet?
Frankly, I think the sweet spot is probably going to be for customers that are already using the Falcon platform for security, because we can basically tell them, hey, it’s already deployed, right? We’re cloud based. If you want to use Falcon for IT, we just flip a switch on in the cloud. And now you have that capability there. There’s no sensors to deploy, there’s no additional agents. There’s no consoles or management servers to implement. It’s already there; we’re just turning on additional functionality. Now, that being said, it’s some pretty, you know, I think compelling capabilities and technology. So even if you’re not an existing CrowdStrike customer, you will see the value add of looking at our tools, adopting our tools, and knowing that you can kind of kill a few birds with one stone by adopting the platform.
All right, so let’s get into the demo. Go ahead and take it away and tell me what we’re seeing.
Well, we’re actually going to start with Charlotte AI, which is our generative artificial intelligence interface, which lets you operate the entire platform through a natural language interface and also have it assist you with various functions. So Charlotte is not specific to just Falcon for IT. It encompasses our entire platform. But to start, for the scenario that I’ve got set up for you today, we’re going to imagine we’re dealing with the xz library vulnerability. This was pretty big in the news a couple of weeks ago; you may have heard about it. Basically, some attackers were able to, as part of this open source project that was very prevalent in the industry, insert malicious code into this open source project. And there was a version that came out that had this backdoor implanted in it. Okay, so this is pretty big, people are scrambling: do we have this in our environment, right? If so, how do we fix it? How do we get rid of it? So that’s kind of the basic background here. Now to start, we’re going to look at Charlotte here, and our user is going to start by asking a question to figure out what do they have to fix. So we’re asking Charlotte, in plain English here, based on threat intelligence reports that we produce here at CrowdStrike, which versions of that xz library are the ones that are backdoored? Okay, so you don’t want to fix all of it, we don’t want to get rid of all of it, why not just target the specific version? So we’re gonna go ahead and ask that question. And immediately, Charlotte is going to access all the different reports that we’ve put together. And we’re just asking it to summarize that, right? It’s giving us the underlying reports if we want to read them, but at the very bottom here, if you look, it’s telling us specifically that, hey, the specific versions that have been backdoored are 5.6.0 and 5.6.1. Okay, so now we know the ones we have to go after, right?
So with that information, we can now go over into Falcon for IT and create a query. Now, just like I showed you a second ago, we could craft that query on our own, but I want to use the power of generative AI to make my life easier. Maybe I’m not used to the underlying language, I’m new to CrowdStrike, I haven’t read the documentation. So I’m just going to ask in plain English, you can see I got that little Charlotte AI box at the top: create a query for me to find the names and versions of all the Debian and RPM packages, which are the two types of fundamental package managers that the Linux operating system uses. And that’s what was impacted by this xz vulnerability. And we’re saying show me any package that has the word xz in it, because maybe I don’t know exactly the name of the library. And you can see when I hit that button, it takes that natural language, you know, plain English query, without me knowing anything about the syntax of the underlying system, and it’s generated that query for me automatically, which is pretty cool. Definitely a time saver, helps augment teams that don’t have those skills. And then I’m gonna go and execute that query. So now what’s going on is our cloud is reaching out to our endpoint agents that are deployed, potentially around the world, right? Doesn’t matter what your firewall rules are, or what site you’re located in, we can reach out from the cloud and touch all these systems, and have them actually interrogate, check if they have that xz library, right, and send the results all collected and aggregated back to our platform. And it took just a couple of seconds. But it scales to thousands, tens of thousands, hundreds of thousands of systems, another big selling point for the IT teams. And here we go, we’ve got all of our systems here, we can see that, in fact, a bunch of them... It’s a demo environment. So I made sure all of them have the impacted versions, 5.6.0 and 5.6.1.
I could have, by the way, made the query more specific and said, just show me the ones that have this version. But I wanted to give you a little bit of an illustration right here of the generic abilities of this system. So that’s kind of phase one. Now, if we just stopped here, I think that this would be a pretty interesting technology for companies: basically you can ask any question of any of your systems around the world and get immediate feedback and response. That’s pretty cool. But we want to go the whole way, right? We want to fix that problem for security and IT, do something about it.
So this is where you say, "But wait, there’s more." Yeah. Ron Popeil, right?
Yeah, well, throw in the steak knives, too. So what I can do here is I can select some; in this case, I’m just going to pick all of the systems that were returned in this query. And you can see here I’ve got a button on the right that’s labeled Actions. Okay. So let’s go to those actions. Now we can customize it, or we can use what’s called a quick action, where we’ve got kind of out-of-the-box functions that we built. Now, again, I want to stress that customers can pretty much take advantage of the native operating system, whether it’s like PowerShell, or bash if you’re on Mac or Linux; we support all that. And you can run pretty much any command, push down any program, install anything, run anything. It’s super powerful. It’s like the Swiss Army knife of, you know, IT. But in this case, we’ve got a specific pre-built function to update software packages, because remember, we’re running this xz-utils library. We know we’ve got an old version that has this backdoor. Yeah, so I’m just going to say, hey, run this quick action on all those machines that were impacted, update the xz-utils library to a new version that doesn’t have the backdoor. And that’s it. It’s been set up. And now this is gonna go run across all the machines. And by the way, even if the machines are offline, you see that little checkbox in the bottom right corner, the offline queue: when the machine comes back on, go fix that problem for me. Okay, there we go. We’ve solved the problem in this specific case now. Okay, pretty powerful. But wait, there is one more, right? We want to set it and forget it; I’ll use the, wow, I’ll pull that one out for you. So we just fixed this problem once, at a point in time. But you know, there could be more systems coming online, you know, the shadow IT people are spinning up things, they’re not talking to me and IT, they don’t know that they have to run the newest versions, they don’t realize there’s a vulnerability, whatever the reason may be.
So we want to do this on a regular basis, not just as a one-off. So I’m going to first save this query, ’cause I know I’m going to use it again. Now, yes, I can just go and, you know, set myself a reminder and, hey, go run this every, like, you know, couple of days or whatever. But one of the really powerful capabilities of Falcon for IT is that we can schedule these queries to run on a repeated interval. Okay, so that’s exactly what I’m going to do. I’m going to set a recurring query here. I’m going to run it, I think, let’s say, you know, once a week, right? We can do daily, monthly as well, et cetera. And then I can pick an exact time and a day of the week. There’s a variety of reasons you may want to do that. Maybe you want to target something like the weekend, or early morning or late evening, so that, you know, if you’re running an operation that’s very resource intensive, you know, you’re not going to get in anyone’s way, right? So we’ll just say, let’s do 8am every Monday here, and run it indefinitely, right? We’re not setting an end date; I always want this to occur. So now, every Monday at 8am, it’s going to run this for me.
And this is the idea of, like, you don’t like leaving the backdoor open. So you’re constantly checking, is that right?
Like, we closed the door. Now let’s make sure, like, the wind doesn’t come or somebody else opens the door later on and leaves it open. Let’s basically, like, constantly monitor this, right? So we set up that scheduled query, and I’m going to show you here our query logs. So we can see both the ad hoc queries that I just ran, but also any ones that we’ve scheduled on a recurring basis; we can go and actually look at when they’re running, what the results are, what the status is, et cetera. So that’s what I’ve done. I brought up our query log. And you can see I’ve got a bunch of queries that have run, including the backdoor one. Now, this is a scheduled query, right? So it could run multiple times. In fact, it will run once every week. So if I go into the query log here, I can go to any one of those historical executions and go and see the results. Okay, fine. But you know, we know that CIOs and teams, they love metrics, they love trending, right? Am I getting better? Am I getting worse? Yeah. So one of the really cool things about this is all the information that’s being collected every single time we execute this is actually getting sent into our back-end platform. Now, the Falcon platform has some very powerful technology built into it for what we call next-gen SIEM and next-gen logging; we’re leveraging those capabilities. So we’re actually sending all the raw results every time one of these queries runs, including the scheduled ones, into this back end. That’s what you’re seeing right here on the screen. Now, besides just showing the data, we can also take advantage of all the built-in capabilities around things like dashboards, and live reporting, and alerts, and all sorts of pretty graphs and whatnot. So here’s the raw data for one of those execution runs. But I’m going to take this query, I’m going to modify it to instead show me all of the executions over time, grouped by when it runs.
So now you can see here, each one of these bars represents a time that this scheduled query ran, and the height of the bar is how many systems met our criteria, in this case, have that vulnerable library. Now, you know, this was all run before we just did the fix. So you can see the number’s pretty static, it’s not going down. But of course, if we were telling it to then resolve the issue, like we just did, right, you would see these numbers change over time. So I can see a visual representation of this. I can even go a step further and actually turn this into a dashboard, a widget that will update automatically in real time, live. So you can imagine having something like this in your operation center right there on a big screen, or just opening it up whenever you want to get a quick refresher and see how the organization is doing, see how the health of IT is doing. So what really excites me about this, and the direction where we’re heading with this product, is we take this scheduling capability and now you start, you know, eventually adding on top of that the response bit, right, taking those actions automatically as well. And now you’re in this not-too-distant future. The future of tomorrow is here today, right? We have this autonomous, self-healing enterprise where I can set up ahead of time: this is what I want my environment to look like, these are the controls I want, these are the settings that I want, the software that I want in place, and just watch it for me, and if you see something has gone wrong, or is deviating from that standard, yeah, sure, you can notify me, but let’s go a step further and just fix it for me, put it back to that known good state, and do that always and continuously on my behalf. So pretty excited about that.
All right, all right, some really cool stuff. And I’m sure you’ve got more; there’s a lot more other features that, you know, the customer could learn about Falcon for IT, right?
Sure. I mean, one of the things I just want to quickly stress is I specifically picked the security use case because, again, CrowdStrike, people thought it was for security. But going back to that comment I made, that Swiss Army knife for IT: think of how powerful these capabilities are. Anywhere in the world, ask any question, take any response action, store the results of that, track it over time, right, for up to three years. Think of all the different non-security use cases you could start to address with this. So for example, I’ll make up one just to give you some variety.
Sure.
Look at all of my systems, tell me which programs are using the most memory, do that every day, every hour, and then build me a chart of that so I can look and say, hey, we just rolled out a new upgrade to some application and boom, all of a sudden it’s taking up 15 percent more, you know, CPU or memory in our environment. All that kind of observability type use cases we can start to address with this technology as well. It’s very broadly applied.
Then with the Charlotte AI, you can do this with real-time language rather than trying to withdrawal an
AI, we just make it that much easier for everyone to use. You can start having conversations and build out these entire workflows, right? So, taking existing analysts who know how to use the Falcon platform, making them 10 times more efficient, but also taking those junior analysts who maybe never worked with us before. Maybe they’re on the IT side. They’re not used to a security tool. They’re getting given access to this. Gee, I don’t want to read all these instruction manuals. Let me just have a conversation with the technology. And I’ll tell you what I want you to do, and you go figure out how to do it for me. Very, very powerful.
Cool, Elia. Thanks again. Thanks for showing us the demo.
My pleasure. Thanks for having me.

