CrowdStrike has strengthened its zero-trust capabilities with the planned acquisition of Preempt Security. The deal is expected to complete in the next few months and will cost CrowdStrike US$96 million. Once complete, CrowdStrike will integrate the Preempt Platform as a new module for the CrowdStrike Falcon Platform. What is not clear is exactly when customers will see the product and what will happen with Preempt Lite.
In the press announcement, George Kurtz, co-founder and chief executive officer of CrowdStrike said: “Hybrid work environments will become the norm for many organizations which means that Zero Trust security with an identity-centric approach and detecting threats in real-time are critical for business continuity. With the addition of Preempt Security’s capabilities, the CrowdStrike Falcon platform will provide enhanced protection against identity-based attacks and insider threats.
“Combining Preempt’s technology with the CrowdStrike Falcon platform will help customers achieve end-to-end visibility and enforcement through identity, behavior and risk-based decisions to stop attacks in real-time.”
What does the Preempt Platform do?
Preempt describes its Platform as an “Identity Centric Security” platform. It targets the 80% of data breaches that come from compromised credentials. The idea is to apply identity, behaviour and risk to detect a threat. Preempt says that it can detect attacks in real-time even when they are protocol based. This is becoming of critical importance as attackers move away from user credentials and look for weaknesses deeper in the network.
Preempt also claims that it can accurately pinpoint lateral movement. This is something that security vendors have been finding hard to do. Being able to detect an attacker moving through a network makes it easier to pinpoint the point of entry. From there, an organisation can begin to establish the risk an attack poses and block access to sensitive data proactively.
Tracking lateral movement also shows where weaknesses exist in internal security. This is a significant issue for many organisations. Too little time is spent on compartmentalising corporate access. Part of this is the focus on a hard outer shell to stop an attacker gaining access to systems in the first place. However, once an attacker has a set of valid user access credentials, they are already inside the system.
The biggest gain here, however, will be the ability to track malicious insiders. Such individuals are notoriously hard to detect. Many steal data that they already have access to through their day-to-day job function. Others seek to expand their access by looking for unprotected data.
A third area of prevention will be against reconnaissance tools. These tools, once inside a network, move around to detect security weaknesses. That information is used by an attacker to deploy malware or other attacks to breach systems.
What does this add to CrowdStrike Falcon?
In a blog, Kurtz provided more details on what the acquisition means for CrowdStrike Falcon. He wrote: “One of the unique features of the Preempt platform is its ability to meet the conditional access requirements of an organization without putting unnecessary burden on security staff. The technology detects identity-based attacks and unauthorized access attempts, allowing customers to block, notify, force re-authentication, or challenge the user with multi-factor authentication.
“Preempt identifies threats with a high degree of accuracy while ensuring that legitimate activities are not disrupted. This conditional access is achieved by applying machine learning on data gathered from Active Directory, cloud SSO from partners such as Okta and Ping, NTLM logs, and other sources. Combined with CrowdStrike Falcon’s industry-leading threat telemetry, that correlates over 3 trillion endpoint-related events per week in real time from across the globe, customers will receive a highly effective solution to apply advanced access controls and detect anomalous activities in real-time.”
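As an illustration of the conditional-access model described above (identity plus behaviour plus risk, with allow, MFA challenge or block as the response, and fan-out across many hosts in a short window as the lateral-movement signal), here is an added example that is not Preempt's or CrowdStrike's code. The event schema, per-user baseline, window, thresholds and scoring weights are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events: (user, target host, timestamp, protocol).
# The schema is invented for this illustration and is not Preempt's or Falcon's telemetry format.
EVENTS = [
    ("alice", "FS-01",  "2020-09-23T09:00:00", "kerberos"),
    ("alice", "FS-01",  "2020-09-23T09:30:00", "kerberos"),
    ("bob",   "FS-01",  "2020-09-23T09:05:00", "kerberos"),
    ("bob",   "FS-02",  "2020-09-23T09:06:00", "ntlm"),
    ("bob",   "SQL-01", "2020-09-23T09:07:00", "ntlm"),
    ("bob",   "DC-01",  "2020-09-23T09:08:00", "ntlm"),
    ("carol", "HR-02",  "2020-09-23T10:00:00", "kerberos"),
]
# Hosts each user normally reaches; a real product would learn this from AD, SSO and NTLM logs.
BASELINE = {"alice": {"FS-01"}, "bob": {"FS-01"}, "carol": {"HR-01"}}
WINDOW = timedelta(minutes=10)   # look-back for counting hosts reached in quick succession
FAN_OUT_THRESHOLD = 3            # distinct hosts within WINDOW treated as lateral movement

def risk_score(user, target, ts, protocol, history):
    """Score one authentication against the user's baseline and recent activity (assumed weights)."""
    score = 0
    if target not in BASELINE.get(user, set()):
        score += 2                                   # this user has never reached this host
    if protocol == "ntlm":
        score += 1                                   # legacy protocol, weaker than Kerberos
    recent = {h for h, t in history if ts - t <= WINDOW} | {target}
    if len(recent) >= FAN_OUT_THRESHOLD:
        score += 3                                   # many hosts in a short window
    return score

def decide(score):
    """Map a risk score to the conditional-access response."""
    if score >= 5:
        return "block"
    if score >= 2:
        return "mfa_challenge"
    return "allow"

def evaluate(events):
    """Replay events in time order; return (user, target, score, action) for each one."""
    history = {}
    results = []
    for user, target, raw_ts, protocol in sorted(events, key=lambda e: e[2]):
        ts = datetime.fromisoformat(raw_ts)
        past = history.setdefault(user, [])          # events already seen for this user
        score = risk_score(user, target, ts, protocol, past)
        results.append((user, target, score, decide(score)))
        past.append((target, ts))
    return results
```

Replaying the sample, bob's spread from FS-01 to three further hosts in four minutes over NTLM is blocked from the third host onward, while alice's second access to her usual file server half an hour later falls outside the window and is allowed.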
Enterprise Times: What does this mean?
The insider threat is notoriously hard to detect. Distinguishing malicious behaviour from mistakes, or from users who have a genuine need for access to data, is difficult.
A good example of this is the theft of PII by Andrew Skelton. He was a senior internal auditor at the supermarket chain Morrison’s and stole the details of 100,000 people. The problem with detecting what he did was compounded by his need to access the data for his job. Morrison’s was also charged with being vicariously liable for allowing Skelton to steal the data. It took a UK Supreme Court ruling to exonerate the company.
What was highlighted during that case was how difficult it is for employers to prevent the malicious insider. It has led many security firms to focus on point solutions to detect such activity.
It is not just the malicious insider. Even more difficult is tracking reconnaissance malware that seeks to map a network and look for weak points.
By buying Preempt, CrowdStrike is looking to bolster its Falcon platform to improve detection of both of these cases.