Protecting Halodoc Endpoint through Crowdstrike EDR

Security Jun 27, 2022

Halodoc is the first health-tech company in Indonesia to provide complete and reliable health solutions, and we are committed to protecting customer data from abuse. One of the ways Halodoc minimises its security risk is by protecting the endpoint. What is an endpoint, and how do we protect it? The rest of this article explains.

Endpoints (end-user devices such as laptops and workstations) are a favourite target for attackers: they are easy to find, frequently exposed to untrusted content, and hard to manage at scale. The WannaCry attack in 2017 is a well-known example; it was reported to have impacted more than 230,000 endpoints in 150 countries worldwide [1].

Incidents like this show why it matters which protections are in place on the endpoints we manage. Most of us are familiar with the term "antivirus": software that scans files on the computer, typically against a database of known malware signatures, and notifies the user when it finds something suspicious. Antivirus has clear limits, though, because it mostly recognises files it has already seen and gives little visibility into what a process actually does once it runs. A newer technology, EDR, addresses those limits. What is EDR and how is it different from antivirus? Let's move on to the next section.

What is EDR?

EDR stands for Endpoint Detection and Response. An EDR agent continuously records activity on the endpoint (processes, file and registry changes, network connections) and reports it to a central console, where suspicious behaviour is detected and can be investigated. Beyond detection, EDR supports response and prevention: activity classified as a threat or attack can be blocked, killed or isolated. Many large companies across industries such as automotive, electronics, fashion and home appliances already use EDR, not because it is a trend but because they need to keep strengthening their security.

Why is EDR Important?

EDR helps a company analyse a cyber threat or attack and understand the risk behind each related event. When an incident occurs, prevention and countermeasures must be carried out as quickly as possible, so having that telemetry and the ability to act on it is very important.

EDR vs Antivirus

An EDR solution generally has several capabilities that conventional antivirus does not. EDR offers broad, multi-layer protection (behavioural detection, investigation of the full process chain, and remote response actions such as process termination and host containment), whereas antivirus tends to be simpler and file-centric. The following table (an image in the original post) explains the differences between EDR and antivirus.

How EDR Works in the Halodoc Environment

For a better understanding, take a look at the diagram below, which shows how EDR works in our environment.

Each endpoint has the EDR agent installed before it is put into use. When the agent observes something suspicious, it sends an alert to the security analyst. The analyst validates the alert and determines whether it belongs to the category of threats or attacks. Finally, the analyst informs the relevant stakeholders as soon as possible to confirm whether the activity is legitimate or not.

Halodoc Collaborates with Crowdstrike EDR

In terms of information security and personal data protection, Halodoc works closely with Crowdstrike to build a safe and secure working environment. Below is a high-level design of how Crowdstrike EDR fits into Halodoc.

All alerts from endpoints are centralised in a single cloud-based console.

Crowdstrike Overview

Through Crowdstrike, Halodoc can manage registered devices, analyse triggered events and alerts, perform threat hunting, and more. To provide faster handling and response, Crowdstrike also helps Halodoc monitor its assets 24/7. To give a better picture, below are some of the features available in Crowdstrike:

1. Host Management Policies

The Crowdstrike admin can manage all registered endpoints with the appropriate policy. The admin can also group endpoints by platform, such as Windows, Linux and Mac. On macOS, for instance, the admin can configure the detection and prevention levels for adware and potentially unwanted programs (PUPs), along with settings for quarantine and execution blocking.

2. Threat Analysis

Crowdstrike provides detections and incidents as part of threat analysis. They help the security team at Halodoc understand who, what, when and how a particular event happened.

Detection
A detection is an alert indicating that an anomaly occurred on an endpoint. The alert includes the severity, the tactic and technique, the detection time, the host and other details, as in the following picture.

Incident
An incident explains in more detail how a threat or attack successfully exploited an endpoint. Once an incident is declared, we immediately analyse the root cause and take first-aid measures. The image below shows an example involving rundll32, a legitimate Windows binary that attackers commonly abuse to load a malicious DLL; the process tree makes every step of the execution chain clearly visible.

3. Handling and Response

For detections and incidents, Crowdstrike works automatically to remediate the affected systems. It analyses the behaviour of the process rather than relying only on known signatures: if the process is convicted, Crowdstrike automatically removes the artifacts, even ones that have never been seen before, and kills the associated processes, such as the rundll32.exe mentioned above.

To stop an attack from spreading, we can isolate the host from the network immediately by changing its containment status, as in the following picture. A contained host can still talk to the Crowdstrike cloud, so the analyst keeps visibility and can release it once the investigation is complete.
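To make the triage flow described above concrete, here is a small added example (not Crowdstrike's or Halodoc's code) that runs simple rules over constructed detection records carrying the fields the post lists: severity, tactic and technique, detection time, host and process tree. It decides whether a detection should be escalated to an incident, which processes to kill, which file to quarantine, whether to contain the host, and whom to notify. The field names, the sample detections and the rules are all assumptions for illustration; real Crowdstrike detections have a different schema.

```python
"""Toy EDR triage over constructed detections. Illustrative only, not Crowdstrike code."""
import re
from typing import Dict, List, Optional, Tuple

# Living-off-the-land binaries whose abuse the post's rundll32 incident illustrates.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}
# Parents that should rarely spawn those binaries on an employee endpoint.
SUSPICIOUS_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# A DLL handed to rundll32 from a user-writable directory is a red flag.
USER_WRITABLE = re.compile(r"^(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)", re.IGNORECASE)
DLL_PATH = re.compile(r"([A-Za-z]:\\[^\s,]+\.dll)", re.IGNORECASE)
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample detections (assumed schema, not real Crowdstrike output).
SAMPLE_DETECTIONS = [
    {   # Word document spawning rundll32 with a DLL dropped under C:\Users
        "detection_id": "det-0001", "host": "LAPTOP-FINANCE-07",
        "timestamp": "2022-06-01T08:15:22Z", "severity": "high",
        "tactic": "Defense Evasion", "technique": "Signed Binary Proxy Execution: Rundll32",
        "process_tree": [
            {"name": "WINWORD.EXE", "pid": 4120, "ppid": 880, "cmdline": "WINWORD.EXE invoice.docm"},
            {"name": "rundll32.exe", "pid": 5012, "ppid": 4120,
             "cmdline": r"rundll32.exe C:\Users\Public\update.dll,Start"},
            {"name": "cmd.exe", "pid": 5300, "ppid": 5012, "cmdline": "cmd.exe /c whoami"},
        ],
    },
    {   # macOS adware/PUP: worth an analyst's look, not automatic containment
        "detection_id": "det-0002", "host": "MAC-DESIGN-03",
        "timestamp": "2022-06-01T09:02:10Z", "severity": "low",
        "tactic": "Initial Access", "technique": "Potentially Unwanted Program",
        "process_tree": [{"name": "Installer", "pid": 731, "ppid": 1, "cmdline": "Installer bundle.pkg"}],
    },
    {   # Normal rundll32 use from the shell loading a system DLL: no finding
        "detection_id": "det-0003", "host": "LAPTOP-HR-02",
        "timestamp": "2022-06-01T09:30:00Z", "severity": "medium",
        "tactic": "Defense Evasion", "technique": "Signed Binary Proxy Execution: Rundll32",
        "process_tree": [
            {"name": "explorer.exe", "pid": 3001, "ppid": 900, "cmdline": "explorer.exe"},
            {"name": "rundll32.exe", "pid": 3100, "ppid": 3001,
             "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
        ],
    },
]


def descendants(tree: List[Dict], pid: int) -> List[int]:
    """All process ids under pid in the detection's process tree, pid included."""
    found = {pid}
    changed = True
    while changed:
        changed = False
        for proc in tree:
            if proc["ppid"] in found and proc["pid"] not in found:
                found.add(proc["pid"])
                changed = True
    return sorted(found)


def lolbin_findings(tree: List[Dict]) -> List[Tuple[Dict, List[str], Optional[str]]]:
    """(process, reasons, dll_path) for each LOLBIN in the tree that looks abused."""
    by_pid = {proc["pid"]: proc for proc in tree}
    findings = []
    for proc in tree:
        if proc["name"].lower() not in LOLBINS:
            continue
        reasons, dll = [], None
        parent = by_pid.get(proc["ppid"])
        if parent and parent["name"].upper() in SUSPICIOUS_PARENTS:
            reasons.append(f"{proc['name']} spawned by {parent['name']}")
        match = DLL_PATH.search(proc.get("cmdline", ""))
        if match and USER_WRITABLE.match(match.group(1)):
            dll = match.group(1)
            reasons.append(f"loads DLL from user-writable path {dll}")
        if reasons:
            findings.append((proc, reasons, dll))
    return findings


def triage(det: Dict) -> Dict:
    """Verdict, automated actions and notification list for one detection."""
    tree = det["process_tree"]
    result = {"detection_id": det["detection_id"], "host": det["host"],
              "verdict": "detection", "reasons": [], "actions": [], "notify": ["soc-analyst"]}
    findings = lolbin_findings(tree)
    for proc, reasons, dll in findings:
        result["reasons"].extend(reasons)
        # Kill the abused binary and everything it spawned, as the post describes for rundll32.exe.
        result["actions"].append({"action": "kill_process", "pids": descendants(tree, proc["pid"])})
        if dll:
            result["actions"].append({"action": "quarantine_file", "path": dll})
    if findings and SEVERITY_RANK.get(det["severity"].lower(), 0) >= SEVERITY_RANK["high"]:
        # Exploitation chain at high/critical severity: declare an incident and isolate the host.
        result["verdict"] = "incident"
        result["actions"].append({"action": "contain_host", "host": det["host"]})
        result["notify"].append("device-owner")
    return result


if __name__ == "__main__":
    for det in SAMPLE_DETECTIONS:
        print(triage(det))
```

Only the first sample escalates: the rundll32 parent is Word and the DLL sits under C:\Users, so the rules kill the rundll32 subtree (including the cmd.exe child), quarantine the DLL and contain the host. The PUP detection and the legitimate rundll32 call stay ordinary detections for the analyst to validate, which mirrors the human confirmation step in the workflow above.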

Conclusion

In this blog, we gave a bird's-eye view of Crowdstrike as the EDR technology that helps Halodoc secure employee endpoints. With it, the Halodoc team can continuously prevent, monitor and analyse potential threats and attacks in real time.

Join Us:

We are always looking out for top engineering talent across all roles for our tech team. If challenging problems that drive a big impact enthrall you, do reach out to us at careers.india@halodoc.com.

About Halodoc

Halodoc is the number 1 all-around Healthcare application in Indonesia. Our mission is to simplify and bring quality healthcare across Indonesia, from Sabang to Merauke. We connect 20,000+ doctors with patients in need through our Tele-consultation service. We partner with 1500+ pharmacies in 50 cities to bring medicine to your doorstep. We've also partnered with Indonesia's largest lab provider to provide lab home services, and to top it off we have recently launched a premium appointment service that partners with 500+ hospitals that allows patients to book a doctor appointment inside our application. We are extremely fortunate to be trusted by our investors, such as the Bill & Melinda Gates Foundation, Singtel, UOB Ventures, Allianz, Gojek, and many more. We recently closed our Series B round and in total have raised USD$100million for our mission. Our team works tirelessly to make sure that we create the best healthcare solution personalised for all of our patients' needs, and we are continuously on a path to simplify healthcare for Indonesia.

Mohammad Febri Ramadlan

Sr. Engineering Manager who engages with various teams to continuously strengthen information security and data privacy at Halodoc.