CrowdStrike Uses Proven Detection Logic for Pre-Deployment Malware Scanning

CrowdStrike Falcon® Cloud Security applies its award-winning sensor detection logic to identify potential malware in serverless functions and container images pre-deployment.

As organizations embrace DevOps practices and CI/CD pipelines to accelerate software delivery, their greater dependency on third-party components can introduce security risks. Because malware can infiltrate an environment during development, it’s important to check for it ahead of deployment. 

CrowdStrike Falcon® Cloud Security now applies its award-winning sensor detection logic to identify potential malware in serverless functions and container images pre-deployment, enabling teams to address security issues without needing to run the function or container. 

Let’s take a closer look at what’s new.

Machine Learning Malware Detections in Image Assessments

For years, CrowdStrike has meticulously collected and cataloged malicious files from a variety of sources, including adversary activity in customer environments, the dark web and security research, among others. We use this abundance of data to develop several extensive machine learning (ML) models that the CrowdStrike Falcon® sensor uses to accurately detect likely malware, without relying on hash matching. 

Customers using Falcon Cloud Security for image assessments can now take advantage of these massive ML models to identify the presence of a malicious file in container images before they are deployed in their environment. CrowdStrike’s ML models are highly tuned with a wealth of industry-leading intelligence, providing high confidence for files that are flagged as malicious, reducing false positives.

Figure 1. A Falcon Cloud Security pre-runtime detection for a suspicious file found in a container image. It includes relevant details such as when the file was last detected, all affected container images and remediation guidance.

To enhance detection accuracy, our solution allows customers to opt in for automatic submission of detected files to CrowdStrike's ML detection engine. This improves the model by training it on real-world customer data so it grows more accurate over time. When this collection is enabled, files flagged as suspicious will be securely stored indefinitely for ML model training.

Malicious Script Detection in Serverless Functions Before Deployment

Serverless architectures reduce certain risks (like managing servers). However, the code itself, including dependencies and configurations, remains a potential attack vector. 

For example, because serverless functions often rely on third-party libraries or frameworks, these dependencies can inadvertently introduce vulnerabilities or malicious code if not thoroughly scanned. Ensuring serverless functions are secure is imperative because they are event-driven and can trigger chain reactions. A malicious payload in one function could spread across workflows or access sensitive data.

This brings us to another new capability in Falcon Cloud Security: pre-runtime assessments determine whether scripts in serverless functions are likely to generate detections at runtime, without actually executing the function.

Figure 2. Pre-runtime detections for serverless functions in the Falcon Cloud Security console.

Flexible, DevOps-Friendly Deployment

Our approach is designed to provide visibility into malicious behavior within container images and serverless functions during pre-runtime, without requiring disruptive policy changes. Additionally, our monitoring mode allows teams to review and assess findings before making decisions to block or allow builds and deployments, such that operations are not unnecessarily interrupted. 

For organizations seeking more automated control, our solution supports policies that automatically block builds or deployments containing detected malware, preventing threats from entering production environments. Our API-driven approach makes integration into existing DevOps workflows easy, ensuring security testing becomes a natural part of a CI/CD pipeline without slowing down development.
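The monitor-versus-block gating described above, together with the earlier point that image contents are inspected without ever running the container, as an added example that is not CrowdStrike's code and does not call the Falcon API or its ML models. It builds a small docker-save style image archive in memory (a constructed sample), walks every file in every layer statically, applies a stand-in classifier, and then applies either a monitor policy (report, allow) or a block policy (fail the pipeline step). The archive layout, the `CONSTRUCTED-MALWARE-MARKER` string the stand-in classifier keys on, the confidence threshold and the function names are all assumptions made for the example.

```python
"""Pre-deployment container image gate (constructed example, not Falcon's code).

Inspects a docker-save style archive layer by layer without running the image,
scores each file with a stand-in classifier, and applies a monitor or block policy.
"""
import io
import json
import tarfile
from dataclasses import dataclass, asdict

# Constructed stand-in for "what the classifier flags"; not a real signature.
MARKER = b"CONSTRUCTED-MALWARE-MARKER"


def _add_bytes(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _layer(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            _add_bytes(t, name, data)
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed two-layer image: a benign base layer and a top layer carrying the marker."""
    base = _layer({"bin/app": b"\x7fELF benign application bytes",
                   "etc/app.conf": b"debug=false\n"})
    top = _layer({"opt/helper.sh": b"#!/bin/sh\n" + MARKER + b"\n"})
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as img:
        _add_bytes(img, "layer0/layer.tar", base)
        _add_bytes(img, "layer1/layer.tar", top)
        manifest = [{"RepoTags": ["example/app:1.0"],
                     "Layers": ["layer0/layer.tar", "layer1/layer.tar"]}]
        _add_bytes(img, "manifest.json", json.dumps(manifest).encode())
    return out.getvalue()


def iter_image_files(image_bytes: bytes):
    """Yield (layer, path, content) for every regular file; nothing is executed."""
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer_bytes = img.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                for member in layer.getmembers():
                    if member.isfile():
                        yield layer_name, member.name, layer.extractfile(member).read()


def classify(content: bytes) -> float:
    """Stand-in classifier returning a confidence in [0, 1].

    Assumption for the example: content containing MARKER scores 0.99, else 0.0.
    A real deployment would call a file-classification engine here.
    """
    return 0.99 if MARKER in content else 0.0


@dataclass
class Finding:
    layer: str
    path: str
    confidence: float


def scan_image(image_bytes: bytes, threshold: float = 0.5) -> list:
    """Return one Finding per file whose classifier confidence reaches the threshold."""
    findings = []
    for layer, path, content in iter_image_files(image_bytes):
        score = classify(content)
        if score >= threshold:
            findings.append(Finding(layer, path, score))
    return findings


def gate(findings: list, mode: str = "monitor") -> dict:
    """monitor: surface findings but let the build proceed; block: fail when anything is flagged."""
    if mode not in ("monitor", "block"):
        raise ValueError(f"unknown mode {mode!r}")
    allowed = mode == "monitor" or not findings
    return {"mode": mode, "allowed": allowed, "findings": [asdict(f) for f in findings]}


if __name__ == "__main__":
    image = build_sample_image()
    found = scan_image(image)
    for policy in ("monitor", "block"):
        result = gate(found, policy)
        print(json.dumps(result))
        # In a CI job, a blocked result would map to a non-zero exit status.
```

In a pipeline, `scan_image` runs against the archive produced by the build step and the result of `gate` decides the exit status; starting in monitor mode lets a team review what would have been blocked before switching the same policy to block.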

Taking Action on Detections

Security engineers can build custom policies within Falcon Cloud Security to automatically generate alerts or block the execution or build of an image within the CI/CD pipeline if it has a suspicious file. Additionally, teams can set up CrowdStrike Falcon® Fusion SOAR to automatically take actions, such as creating a PagerDuty incident or sending an email, any time a suspicious file is detected in an image, regardless of the source. 

Figure 3. Falcon Fusion SOAR workflow that sends an email when a suspicious file is found in an image.

Once security engineers are notified of possible malware, they can further investigate a possible compromise by uploading the file to CrowdStrike Falcon® Sandbox for analysis or submitting the file to the CrowdStrike support team for additional analysis. 

Shifting Left with CrowdStrike

CrowdStrike Falcon Cloud Security is a comprehensive CNAPP that delivers unified, end-to-end visibility and threat protection across cloud infrastructure, applications, data and AI models. In an era where high availability in production is critical, balancing security with optimal performance is essential for DevOps teams. By integrating proactive measures such as pre-deployment malware detection into development pipelines, organizations can mitigate risks without compromising agility or user experience. CrowdStrike Falcon Cloud Security exemplifies this approach by providing advanced pre-runtime malware detection for serverless functions and container images, empowering teams to deploy with confidence. 
