Cyber Essentials and CrowdStrike: What you need to know
Over the last year I have heard from more and more enterprise businesses looking to deploy CrowdStrike Falcon as their next-generation endpoint protection layer. If you didn't already know, CrowdStrike say that Falcon relies on behavioural analysis and machine learning over file attributes to detect malware, instead of the traditional signature-based scanning that we've all known about since the dawn of time.
Because of the way Falcon detects threats, it does not detect or act upon the EICAR test file. EICAR is a harmless 68-byte ASCII string that signature-based scanners are deliberately programmed to flag as malware; it is downloaded as part of the Cyber Essentials Plus malware-protection test and is used by the majority of leading AV vendors to test their own endpoint products.
In one of Crowdstrike’s support forum articles, which can be found at: https://supportportal.crowdstrike.com/s/article/Why-Doesn-t-Falcon-Detect-EICAR, they say the following: “we do not detect EICAR files for two reasons: First, there is absolutely nothing malicious about them – in terms of behavior or their file attributes – for our next-generation detection mechanisms to detect and trigger upon. Second, other legacy AV vendors have it intentionally programmed into their definition files to trigger for testing purposes, and definition files are not a concept that is part of the next-generation anti-virus ecosystem which CrowdStrike Falcon exists within.”
This detection approach is at odds with what the current Cyber Essentials Plus scheme tests for.
As a result, if CrowdStrike Falcon is your only endpoint protection layer you will not achieve Cyber Essentials Plus certification: you will fail the browser-download test of the EICAR file, because the file is neither blocked nor cleaned and the user is not notified.
What should you do?
If you are running CrowdStrike and going for Cyber Essentials Plus, you will need a second line of defence installed and configured on every endpoint in scope of the test.
That product needs to perform signature-based scanning and classify EICAR as test malware, as it was intended to be. On Microsoft Windows, for example, the built-in Microsoft Defender Antivirus will do this. One caveat to check: on Windows 10 and 11, Defender switches itself into passive mode (no real-time protection) when another product registers with the Windows Security Center, so confirm that Defender is actually running in normal mode on the test machines rather than assuming it is; the AMRunningMode value from Get-MpComputerStatus tells you which.
If you are using a Linux-based operating system and/or macOS you could look at ClamAV, whose website can be found here: https://www.clamav.net/ Note that the clamscan command is on-demand only; to block or quarantine a download as it lands on disk you need ClamAV's on-access scanner (clamonacc, Linux only, with prevention enabled), since a scheduled scan that runs hours later will not satisfy the test.
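As an added worked example (not code from the original post, from CrowdStrike or from the Cyber Essentials scheme), here is a small Python script that reproduces the gist of the CE+ malware-protection check locally, covering both the EICAR file described above and the "second line of defence" check just recommended: it assembles the standard EICAR test string, drops it into a folder the way a browser download would, and reports whether something on the endpoint quarantined it. The EICAR string, its 68-byte length, the 128-byte whitespace-padding allowance and its SHA-256 come from the EICAR standard; the default Downloads folder, the 30-second timeout and all function names are my own assumptions.

```python
import hashlib
import pathlib
import sys
import time

# The 68-byte EICAR test string, split into fragments so this script does not itself
# contain it contiguously (an on-access scanner would otherwise quarantine the script).
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$",
    "H+H*",
)
# SHA-256 of the canonical 68-byte file. If an editor appends a newline the hash changes,
# which is a common reason a hand-made EICAR file is not recognised.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
# Padding the EICAR specification allows after the 68 bytes: space, tab, CR, LF, CTRL-Z.
_EICAR_PAD = b" \t\r\n\x1a"


def eicar_bytes() -> bytes:
    """Canonical EICAR test string as bytes (exactly 68 bytes, no trailing newline)."""
    data = "".join(_EICAR_PARTS).encode("ascii")
    if len(data) != 68:
        raise ValueError("EICAR string assembled incorrectly")
    return data


def eicar_sha256() -> str:
    """Hex SHA-256 of the canonical file, for comparing against EICAR_SHA256."""
    return hashlib.sha256(eicar_bytes()).hexdigest()


def is_eicar(data: bytes) -> bool:
    """True if `data` is a valid EICAR file: the 68-byte string, optionally followed by
    whitespace, at most 128 bytes in total. This is, in effect, the signature check a
    traditional scanner has hard-coded and a behavioural engine is not looking for."""
    core = eicar_bytes()
    if len(data) > 128 or not data.startswith(core):
        return False
    return all(b in _EICAR_PAD for b in data[len(core):])


def write_test_file(directory, name: str = "eicar.com") -> pathlib.Path:
    """Drop the EICAR file into `directory`, as a browser download would."""
    path = pathlib.Path(directory) / name
    path.write_bytes(eicar_bytes())
    return path


def was_blocked(path, timeout: float = 30.0, poll: float = 0.5) -> bool:
    """True if `path` is removed or made unreadable within `timeout` seconds, i.e.
    something on the host quarantined it. Reading the file back on each poll matters:
    some on-access scanners only scan on open, not on write."""
    path = pathlib.Path(path)
    deadline = time.monotonic() + timeout
    while True:
        try:
            with path.open("rb") as fh:
                fh.read(1)
        except (FileNotFoundError, PermissionError):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(poll)


def run_check(directory=None, timeout: float = 30.0) -> bool:
    """Write EICAR into `directory` (default: ~/Downloads, an assumption) and report
    whether the endpoint's protection dealt with it. Removes the file if nothing did."""
    directory = pathlib.Path(directory or pathlib.Path.home() / "Downloads")
    directory.mkdir(parents=True, exist_ok=True)
    path = write_test_file(directory)
    blocked = was_blocked(path, timeout=timeout)
    if not blocked:
        path.unlink(missing_ok=True)
    return blocked


if __name__ == "__main__":
    ok = run_check(sys.argv[1] if len(sys.argv) > 1 else None)
    print("PASS: EICAR file was blocked or quarantined" if ok
          else "FAIL: EICAR file still present after timeout; this endpoint would fail CE+")
    sys.exit(0 if ok else 1)
```

Run it on a representative in-scope endpoint, optionally with a target directory as the first argument. It only simulates the file landing on disk; it does not exercise the browser download path or any download-scanning that happens before the file is written, so treat it as a pre-flight check for your second-line product, not a substitute for the assessor's test.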
If your business has achieved Cyber Essentials Plus while running CrowdStrike, I'd be interested to know what measures you put in place and what you thought of the scheme.
Moving forward this is probably going to become a more problematic issue, as more next-generation endpoint protection vendors move towards machine learning and look to remove the reliance on signature files. Is this a good thing? Time will tell. Will Cyber Essentials change to adapt to new ways of detection? Again, time will tell, and if anything changes regarding this type of testing I will be sure to update this article when it happens.