CrowdStrike Falcon Shines Spotlight on Vulnerability Management

The new module aims to help identify the true state of software patching, looking beyond what an operating system registry reports.

Crowdstrike Falcon

Security vendor CrowdStrike announced its new Falcon Spotlight tool on Nov. 8, providing organizations with the ability to accurately manage security vulnerabilities.

Vulnerability management has become a particularly hot area of cyber-security in recent months, with multiple large incidents including both the WannaCry ransomware attack and the Equifax data breach being attributed in part to known, but unpatched, software vulnerabilities.

"The idea to build the Spotlight module started during the WannaCry outbreak, when we had some customers disbelieving that they were getting hit by WannaCry because they were confident they had patched their systems," Dmitri Alperovitch, co-founder and chief technology officer at CrowdStrike, told eWEEK. "The companies had run scanners that showed patches were deployed, but in fact what the vulnerability scanners were only doing was looking at a system registry to see if a patch was installed."

The WannaCry ransomware outbreak first struck organizations on May 12 by abusing the MS17-010 vulnerability that Microsoft had patched in March. Alperovitch explained that there are multiple reasons why a patch deployment might fail. He noted that in some cases, a patch installation can get to the point where the system registry is changed, indicating that the patch has been installed and then fail to complete the installation of the patch.

"We realized when we started looking at customer systems where were stopping WannaCry attacks, is that in certain occasions the Microsoft patch failed for different reasons, " Alperovitch said. "So there was a failed patch problem where organizations thought they had patched, but they really hadn't."

The Falcon Spotlight module is an attempt to help solve the challenge of failed patches by making use of data that CrowdStrike is already collecting in customer environments. Falcon is CrowdStrike's endpoint protection platform that comprises multiple modules that perform different functions. The overall Falcon platform combines an endpoint agent with CrowdStrike's cloud service, providing analytics and dashboard capabilities.

"We already have information about everything that is going on in system memory, including every process and every driver," Alperovitch said. "So we decided to combine that knowledge with vulnerability information to provide a real-time view into the true state of systems."

Another challenge with traditional vulnerability scanning is that many organizations only run the scans periodically, according to Alperovitch. In contrast, with Falcon Spotlight the scanning is continuous.

While Falcon Spotlight is able to help organizations detect and identify vulnerabilities that have not been patched, CrowdStrike itself is not a patch management vendor. The company is in the vulnerability management space and is not deploying patches for customers, Alperovitch said. Instead, CrowdStrike partners with systems management vendors that are more focused on patch management.

Although Falcon Spotlight doesn't handle patch deployment, Alperovitch said the system can prioritize vulnerabilities, so organizations will know what to patch first. Going a step further, even if an organization has not fully patched, the Falcon platform has threat prevention capabilities built-in to help reduce risk, he said.

"So even if a patch is not installed, we can prevent an infection, thanks to our machine learning-based approach, which provides mitigating controls to rely on while an organization is figuring out how to patch," Alperovitch said.

Vulnerability management is a highly competitive area of the cyber-security market, with multiple vendors, including Tenable, Qualys, Tanium and others, aiming to grow share. Alperovitch said CrowdStrike defines itself as an endpoint security platform, and that takes the company into different areas, including endpoint detection and response, threat hunting, antivirus and IT hygiene.

"As we move forward, you'll see us move into a bunch of different areas related to endpoint security, and that will expand the number of competitors that we have and also the total addressable market we can serve," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.