Normal view

There are new articles available, click to refresh the page.
Before yesterdayCrowdStrike

CrowdStrike Demonstrates Cloud Security Leadership at AWS re:Invent 2023

30 November 2023 at 17:13

CrowdStrike is honored to be named Partner of the Year for several 2023 Geo and Global AWS Partner Awards at Amazon Web Services re:Invent 2023, where we are participating this year as a Diamond Sponsor.

We are also proud to be a launch partner for AWS Built-in and achieve two AWS competencies. These accomplishments demonstrate our forward-thinking approach to cloud security and commitment to ensuring CrowdStrike customers have the strongest possible protection as the cloud threat landscape continues to evolve.

Let’s get into this week’s announcements.

CrowdStrike Wins Multiple AWS Partner Awards

CrowdStrike was recognized during AWS re:Invent as a global leader with a key role in helping customers drive innovation and build solutions on AWS. This year, CrowdStrike was selected as the winner of the following AWS Partner Awards:

  • Public Sector Partner of the Year: Recognizes CrowdStrike as the top AWS Public Sector Partner with cloud-based solutions and experience supporting government, space, education and nonprofit organizations around the world.
  • State or Local Government Partner of the Year: Recognizes CrowdStrike as the top AWS Partner with the Government Competency, delivering innovative mission-based wins for state and/or local governments.
  • Non-Profit Organization Partner of the Year: Recognizes CrowdStrike as the top AWS Partner that has delivered innovative mission-based wins for non-profits.

CrowdStrike: An AWS Built-in Launch Partner with Built-In Competency

Businesses are constantly seeking ways to fortify their cloud environments to defend against adversaries increasingly targeting the cloud. They must select the right technologies to protect their cloud-based systems and workloads and deploy these solutions in a seamless, efficient and scalable manner. 

During AWS re:invent 2023, AWS officially launched its AWS Built-in Competency partner program. The goal of this initiative is to accelerate customer success by promoting AWS Independent Software Vendor (ISV) partners delivering cloud security and operational services that integrate closely with AWS native services. 

CrowdStrike achieved the AWS Built-in Competency in the security category by automating cloud security deployment and leveraging the event-driven architecture of cloud services. For example, when new workloads are provisioned — such as the launch of new Amazon EC2 instances or creation of new AWS accounts — that event can be used to trigger specific security actions. These may include automatically deploying the CrowdStrike Falcon® sensor on Amazon EC2 for CrowdStrike Falcon® Cloud Security runtime protection, or registering new accounts for Falcon Cloud Security agentless posture scanning and behavioral analysis.

Falcon Cloud Security provides complete visibility into cloud assets and uncovers risks related to misconfigurations, software package vulnerabilities, hard-coded secrets, malware, insecure identities and more. Combining agent-based and agentless detection in a unified platform empowers Falcon Cloud Security to proactively identify, prioritize and remove critical issues in cloud environments.

The integration between Falcon Cloud Security and AWS Built-In will: 

  • Automate security deployment: Falcon Cloud Security combines several key capabilities that work together to deliver unified cloud security. These include:
  • Cloud security posture management (CSPM): Falcon Cloud Security scans AWS services to uncover misconfigurations that adversaries could use to start or extend an attack, while ingesting AWS service API telemetry to hunt for anomalous activity that may indicate an attack. 
  • Cloud workload protection (CWP): Agent-based CWP provides deep insight and AI-driven adaptive protection for workloads including Amazon EC2 instances and containerized applications.
  • Pre-runtime protection: Pre-runtime container image scanning and infrastructure-as-code (IaC) scanning identify vulnerable packages and high-risk configurations before they are implemented in production. 

Individually, each of these components could require a different deployment mechanism that may delay time-to-value, especially when protecting multiple accounts across multiple regions. CrowdStrike’s built-in solution combines these capabilities in a simple and configurable CloudFormation template. It works with AWS Control Tower to establish a secure multi-account landing zone and can independently and automatically deploy individual components in response to events in the environment, such as the creation of new Amazon EC2 instances or deployment of new accounts in an AWS Control Tower or AWS Organizations landing zone. 

Accelerate the customer’s time-to-value: The need for effective, reliable and quick integration of security tools is paramount. By streamlining the integration process, CrowdStrike empowers customers to fully harness the benefits of foundational AWS-native services while achieving complete cloud security. Our objective is to deliver a unified customer experience by eliminating the complexities of combining disparate software and data sources.

Enhance reliability and efficiency: As businesses look to migrate and expand their operations on AWS, they need a security solution that can deploy at the speed of cloud. With AWS Built-in, customers can seamlessly deploy Falcon Cloud Security and consolidate disjointed point products with the most unified cloud-native application protection platform (CNAPP), built on a combined agent-based and agentless approach for complete visibility and protection.

CrowdStrike Achieves AWS Container Competency

The AWS Container Competency recognizes ISV partners offering software designed to operate seamlessly and cost-effectively in container environments. Container clusters such as Amazon Elastic Kubernetes Service (EKS) may host hundreds, thousands or even tens of thousands of ephemeral containers in a single cluster. They rely on IaC to define automated actions that occur throughout the container and cluster lifecycle. 

Our achievement of the AWS Container Competency marks a significant milestone in our partnership with AWS. This underscores our deep and proven expertise in managing container-based applications, a critical aspect of modern cloud environments. By attaining this competency, CrowdStrike not only demonstrates its commitment to providing robust security solutions for containerized applications but also aligns closely with AWS’ high standards for performance and security.

Falcon Cloud Security’s container environment protection uses Kubernetes-native packaging and deployment features such as Operators and Helm charts to provision cluster resources such as access roles, configuration files and self-healing pod replicas. The Kubernetes Admission Controller feature discovers new cluster objects as they’re created, inspects them for risks and vulnerabilities, and enables the creation of granular policies to block, alert or log specific cluster operations. Falcon Cloud Security is designed to protect a wide range of container environments including CSP-managed and self-managed Kubernetes, Amazon Elastic Container Service (Amazon ECS), Red Hat OpenShift on AWS (ROSA) and individual Docker hosts.

CrowdStrike’s dual achievement of the AWS Built-in Competency and Container Competency is a clear testament to our forward-thinking approach in cloud security. By aligning with AWS’s high standards, we’re both reinforcing our commitment to providing advanced security solutions and ensuring these solutions are seamlessly integrated with AWS’ leading cloud services. This synergy is pivotal in today’s landscape, where the sophistication of cyber threats targeting cloud environments continues to evolve. 

Curious about Falcon Cloud Security? Explore our free, no-obligation Cloud Security Risk Review for instant and complete visibility into your entire cloud estate, provided through agentless scanning. It deploys in minutes with zero impact to your business.

Additional Resources

5 Best Practices to Secure Azure Resources

18 March 2024 at 14:15

Cloud computing has become the backbone for modern businesses due to its scalability, flexibility and cost-efficiency. As organizations choose cloud service providers to power their technological transformations, they must also properly secure their cloud environments to protect sensitive data, maintain privacy and comply with stringent regulatory requirements. 

Today’s organizations face the complex challenge of outpacing cloud-based threats. Adversaries continue to set their sights on the expansive surface of cloud environments, as evidenced by the 75% increase in cloud intrusions in 2023 recorded in the CrowdStrike 2024 Global Threat Report. This growth in adversary activity highlights the need for organizations to understand how to protect their cloud environment and workloads. 

In light of the frequent breaches of Microsoft’s infrastructure, organizations using Microsoft Azure should take proactive steps to mitigate potential risk. Microsoft’s solutions can be complex, difficult to maintain and configure, and prone to vulnerabilities. It’s the responsibility of organizations using Azure to ensure their cloud environments are properly configured and protected. 

This blog outlines best practices for securing Azure resources to ensure that your cloud infrastructure is fortified against emerging and increasingly sophisticated cyber threats.

Best Practice #1: Require Multifactor Authentication (MFA) and Restrict Access to Source IP Addresses for Both Console and CLI Access

In traditional IT architecture, the security perimeter was clearly defined by the presence of physical network firewalls and endpoint protections, which served as the first line of defense against unauthorized access. In cloud-based environments, this traditional architecture has evolved to include identity, which encompasses user credentials and access management.

This shift amplifies the risk of brute-force attacks or the compromise of user credentials. Particularly in Microsoft environments, the complexity of the identity security framework and inability to consistently apply conditional access policies across the customer estate introduce additional risk. Navigating Microsoft’s security solutions can be daunting, with multiple agents to manage and an array of licenses offering varying levels of protection. The lack of real-time protection and inability to trigger MFA directly through a domain controller further amplify risk. 

Adversaries who manage to procure valid credentials, especially by taking advantage of weak identity security practices, can masquerade as legitimate users. This unauthorized access becomes even more dangerous if the compromised account has elevated privileges. Adversaries can use these accounts to establish persistence and perform data exfiltration, intellectual property theft or other malicious activity that can have devastating impacts on an organization’s operations, reputation and bottom line.

To avoid this, organizations should:

  • Use conditional access: Implement conditional access policies and designate trusted locations.
  • Require MFA: Enforce rules for session times, establish strong password policies and mandate periodic password changes.
  • Monitor MFA connections: Verify that MFA connections originate from a trusted source or IP range. For services that cannot utilize managed identities for Azure resources and must rely on static API keys, a critical best practice is to restrict usage to safe IP addresses when MFA is not an option. However, it’s crucial to understand that broadly trusting IPs from your data centers and offices does not constitute a safe practice. Despite the network location, MFA should always be mandated for all human users to ensure maximum security.

Best Practice #2: Use Caution When Provisioning Elevated Privileges

Privileged accounts have elevated permissions, allowing them to perform tasks or operations that a standard user would not be able to perform. These may include accessing sensitive resources or making critical changes to a system or network. Accounts provisioned with more privileges than needed are appealing to adversaries, driving both the likelihood of compromise and the risk of damage. 

Adversaries often target privileged Azure identities to establish persistence, move laterally and steal data. While high privileges are necessary for IT and systems administrators to accomplish routine tasks, weak security policies on account provisioning can dramatically overexpose an organization to risk. These privileges should be tightly controlled and monitored, and only provisioned when strictly necessary after a security process has been defined and implemented. 

Service accounts add to these challenges. Their limitations represent a troublesome area for Microsoft — for example, the difficulty in discovering and tracking Active Directory-based service accounts and poor visibility into these accounts’ behavior. CrowdStrike automatically differentiates between service accounts and human users to deliver the most appropriate configurations and responses. Further, Microsoft Defender for Identity lacks pre-built detections designed for service accounts — such as identifying stale service accounts or detecting interactive logins by stale accounts — something CrowdStrike customers can easily address. 

To help prevent adversaries’ abuse of privileged accounts, organizations should:

  • Reduce the quantity of privileged users: Only grant privileged role assignments to a limited number of users. Overprovisioning is common and is often done by default by the application.
  • Follow the principle of least privilege: Individuals should only be granted the minimum permissions necessary to perform their required tasks. Regular reviews should be scheduled with a view to downgrading privileges where the need no longer exists.
  • Control access: Restrict cloud access to only trusted IP addresses and services that are genuinely required.
  • Ensure that privileged accounts are cloud-only: Azure privileged accounts should be cloud-only (not synced to a domain), they should require MFA and they should not be used for daily tasks such as email or web browsing.

Best Practice #3: Utilize Key Vaults or a Secrets Management Solution to Store Sensitive Credentials

A surprising amount of digital information is unintentionally stored in public-facing locations that can be accessed by adversaries and then weaponized against an organization. Public code repositories, version control systems or other repositories used by developers can have a high risk of exposing live access keys, which authenticate a trusted user into a cloud service. Exposed access keys allow adversaries to pose as legitimate users and bypass authentication mechanisms into cloud services. 

Adversaries can use access keys, along with metadata and formatting clues, to identify specifics about an environment. Exposed access keys can also be acquired from code snippets, copied from a repository where they are exposed or pulled from compromised systems or logs. Private source code repositories can be compromised, leading to theft of these API keys.

Stolen credentials, whether they’re console usernames and passwords or API key IDs and secret IDs, play an essential role in many incidents. This is evident in the latest Microsoft breach by Russian state actors, which stole cryptographic secrets such as passwords, certificates and authentication keys during the attack. This incident raises a significant concern: If Microsoft, using its own technology and expertise in the environment it owns, struggles to remain secure, how can Microsoft customers confidently protect their own assets? 

To protect against this, security teams should ask themselves:

  • Where do we store access keys?
  • Where are our access keys embedded?
  • How often do we rotate our access keys? 

Having a dedicated secrets management solution to protect and enforce granular access to specific secrets makes it difficult for an adversary or insider threat to steal credentials.

Important note: Proceed with extreme caution when tying administrative or highly privileged access to the key vaults to SSO. If your SSO is subverted through weak MFA management, all of your credentials could be instantly stolen by a threat actor impersonating an existing or new/newly privileged user. Hardware tokens and strong credential reset management is a must for these applications.

Best Practice #4: Don’t Allow Unrestricted Outbound Access to the Internet

One of the most common cloud misconfigurations we see is unrestricted outbound access. This allows for unrestricted communications from internal assets, opening the door for outbound adversary communications and data exfiltration.

Also described as free network egress, unrestricted outbound access is a misconfiguration in which Azure cloud resources like containers, hosts and functions are allowed to communicate externally to any server on the internet with limited controls or oversight. This can be a default misconfiguration, and security teams often have to collaborate with IT or DevOps teams to address it. Because developers or system owners don’t always have full knowledge of the various external services that a workload might depend on — and because they might be accustomed to having unrestricted outbound access in their other work environments — some organizations battle with trying to close this loophole.

Adversaries can exploit this wherever untrusted data is processed by a workload. For example, an adversary may attempt to compromise the underlying software processing web requests, queued messages or uploaded files using remote code execution. This is then followed by payload retrieval or establishing a reverse shell. If outbound access is not permitted, they cannot retrieve the payload and attacks cannot be completed. However, once an initial code execution attack is successful, the adversary has full execution control in the environment.

To address this, organizations can:

  • Configure rules and settings: Define cloud rules to securely control and filter outbound traffic, with provisioned security groups serving as an additional layer of protection.
  • Apply the principle of least privilege: Grant outbound access only to resources or services where it is explicitly required.
  • Control access: Limit cloud access exclusively to trusted IP addresses and services that are genuinely necessary.
  • Add security through a proxy layer: Utilize proxy server tiers to introduce an additional layer of security and depth.

Best Practice #5: Scan Continuously for Shadow IT Resources

It is common for organizations to have IT assets and processes running in Azure tenants that the security teams do not know about. There have been incidents in which threat actors have compromised Azure resources that were unauthorized or were supposed to have been decommissioned. Both nation-state and eCrime adversaries thrive in these environments, where logging and visibility are typically poor and audit/change control is often nonexistent.

Some recommendations to address shadow IT resources include:

  • Implement continuous scanning: Deploy tools and processes to continuously scan for unauthorized or unknown IT resources within Azure environments, ensuring all assets are accounted for and monitored.
  • Establish robust asset management: Adopt a comprehensive cloud asset management solution that can identify, track and manage all IT assets to prevent unauthorized access and use, enhancing overall security posture. This includes Azure enterprise applications and service principals along with their associated privileges and credentials. 
  • Enhance incident response: Strengthen incident response strategies by integrating asset management insights, enabling quick identification and remediation of compromised or rogue assets. These may include unauthorized virtual machines used for activities like crypto mining and enterprise apps and service principals used or repurposed to exfiltrate databases, file shares and internal documentation and email.

CrowdStrike Falcon Cloud Security 

CrowdStrike Falcon® Cloud Security empowers customers to meticulously assess their security posture and compliance across Azure and other cloud platforms, applications and workloads. It delivers effective protection against cloud-based threats, addresses potential misconfigurations and ensures adherence to compliance. These capabilities allow organizations to maintain an integrated, comprehensive overview of all cloud services and their compliance status, pinpointing instances of excessive permissions while proactively detecting and automating the remediation of indicators of attack (IOAs) and cloud misconfigurations. 

This strategic approach not only enhances the security framework but enables developers and security teams to deploy applications in the cloud with increased confidence, speed and efficiency, underscoring CrowdStrike’s commitment to bolstering cloud security and facilitating a safer, more secure digital transformation for businesses leveraging cloud infrastructure.

Evaluate your cloud security posture with a free Cloud Security Risk Review. During the review, you will engage in a one-on-one session with a cloud security expert, evaluate your current cloud environment and identify misconfigurations, vulnerabilities and potential cloud threats. 

Additional Resources

CrowdStrike Enhances Cloud Detection and Response (CDR) Capabilities to Protect CI/CD Pipeline

21 March 2024 at 16:54

The increase in cloud adoption has been met with a corresponding rise in cybersecurity threats. Cloud intrusions escalated by a staggering 75% in 2023, with cloud-conscious cases increasing by 110%. Amid this surge, eCrime adversaries have become the top threat actors targeting the cloud, accounting for 84% of adversary-attributed cloud-conscious intrusions. 

For large enterprises that want to maintain the agility of the cloud, it’s often difficult to ensure DevOps teams consistently scan images for vulnerabilities before deployment. Unscanned images could potentially leave critical applications exposed to a breach. This gap in security oversight requires a solution capable of assessing containers already deployed, particularly those with unscanned images or without access to the registry information. 

Recognizing this need, cloud security leader CrowdStrike has enhanced its CrowdStrike Falcon® Cloud Security capabilities to ensure organizations can protect their cloud workloads throughout the entire software development lifecycle and effectively combat adversaries targeting the cloud. Today we’re releasing two new features to help security and DevOps teams secure everything they build in the cloud.

Assess Images for Risks Before Deployment

We have released Falcon Cloud Security Image Assessment at Runtime (IAR) along with additional policy and registry customization tools. 

While pre-deployment image scanning is essential, organizations that only focus on this aspect of application development may create a security gap for containers that are deployed without prior scanning or lack registry information. These security gaps are not uncommon and could be exploited if left unaddressed.

IAR will address this issue by offering: 

  • Continuous security posture: By assessing images at runtime, organizations can maintain a continuous security posture throughout the software development lifecycle, identifying and mitigating threats in real time even after containers are deployed.
  • Runtime vulnerability and malware detection: IAR identifies vulnerabilities, malware and secrets, providing a holistic view of the security health of containers. This will help organizations take preventative actions on potential threats to their containers. 
  • Comprehensive coverage: If containers are launched with unscanned images, or if the registry information is unavailable, IAR provides the flexibility to fully secure containers by ensuring that none go unchecked. This enhancement widens the coverage for DevOps teams utilizing image registries, extending CrowdStrike’s robust pre-runtime security capabilities beyond the already supported 16 public registries — the most of any vendor in the market. 

Figure 1. Kubernetes and Containers Inventory Dashboard in the Falcon Cloud Security console (click to enlarge)

 

IAR is developed for organizations with specific data privacy constraints — for example, those with strict regulations around sharing customer data. Recognizing these challenges, IAR provides a local assessment that enables customers to conduct comprehensive image scans within their own environments. This addresses the critical need for privacy and efficiency by allowing organizations to bypass the limitations of cloud-based scanning solutions, which are unable to conduct scans at the local level.

Further, IAR helps boost operational efficiency at times when customers don’t want to modify or update their CI/CD pipelines to accommodate image assessment capabilities. Its runtime vulnerability scanning enhances container security and eliminates the need for direct integration with an organization’s CI/CD pipeline. This ensures organizations can perform immediate vulnerability assessments as containers start up, examining not only operating system flaws but also package and application-level vulnerabilities. This real-time scanning also enables the creation of an up-to-date software bill of materials (SBOM), a comprehensive inventory of all components along with their security posture. 

A Better Approach to Preventing Non-Compliant Containers and Images

Teams rely on the configuration of access controls within registries to effectively manage permissions for cloud resources. Without proper registry filtering, organizations cannot control who has access to specific data or services within their cloud infrastructure. 

Additionally, developer and security teams often lack the flexibility and visibility to understand where and how to find container images that fall out of security compliance when they have specific requirements like temporary exclusions. These problems can stem from using disparate tools and/or lacking customized rule-making and filtering within their cloud security tools. Security teams then must also be able to relay the relevant remediation steps to developer owners to quickly update the image. These security gaps, if left unchecked, can lead to increased risk and slow down DevSecOps productivity.

Figure 2. Image Assessment policy exclusions in the Falcon Cloud Security console (click to enlarge)

 

To that end, we are also announcing new image assessment policies and registry filters to improve the user experience, accelerate team efficiency and stop breaches. 

These enhancements will address issues by offering:

  • Greater control: Enhanced policy exclusion writing tools offer greater control over security policies, allowing organizations to more easily manage access, data and services within their cloud infrastructure while giving the owners of containers and assets the visibility to address areas most critical to them so they can focus on what matters.
  • Faster remediation for developers: Using enhanced image assessment policies, developers will be able to more quickly understand why a policy has failed a container image and be able to rapidly address issues before they can pose a greater security risk. 
  • Maintain Image Integrity: By creating new policies and rules, security administrators will be able to ensure only secure images are built or deployed.    
  • Scalability: As businesses grow and evolve, so do their security needs. CrowdStrike’s customizable cloud policies are designed to scale seamlessly, ensuring security measures remain effective and relevant regardless of organizational size or complexity.

These enhancements are designed to improve container image security, reduce the risks associated with non-compliance, and improve the collaboration and responsiveness of security and developer teams. These changes continue to build on the rapid innovations across Falcon Cloud Security to stop breaches in the cloud.  

Delivered from the AI-native CrowdStrike Falcon Platform

The release of IAR and new policy enhancements are more than just incremental updates — they represent a shift in container security. By integrating security measures throughout the entire lifecycle of a container, from its initial deployment to its active phase in cloud environments, CrowdStrike is not just responding to the needs of the modern DevSecOps landscape but anticipating them, offering a robust, efficient and seamless solution for today’s security challenges. 

Unlike other vendors that may offer disjointed security components, CrowdStrike’s approach integrates elements across the entire cloud infrastructure. From hybrid to multi-cloud environments, everything is managed through a single, intuitive console within the AI-native CrowdStrike Falcon® platform. This unified cloud-native application protection platform (CNAPP) ensures organizations achieve the highest standards of security, effectively shielding against breaches with an industry-leading cloud security solution. The IAR feature, while pivotal, is just one component of this comprehensive CNAPP approach, underscoring CrowdStrike’s commitment to delivering unparalleled security solutions that meet and anticipate the adversaries’ attacks on cloud environments.

Get a free Cloud Security Risk Review and see Falcon Cloud Security in action for yourself.  

During the review, you will engage in a one-on-one session with a cloud security expert, evaluate your current cloud environment, and identify misconfigurations, vulnerabilities and potential cloud threats. 

Additional Resources

❌
❌