
Endpoint and Identity Security: A Critical Combination to Stop Modern Attacks

17 November 2023 at 17:43

Today’s adversaries increasingly use compromised credentials to breach target environments, move laterally and cause damage. When attackers are logging in — not breaking in — legacy endpoint security offers little help in detecting and stopping breaches.

Exacerbating the problem is an expanding attack surface, largely due to the growth of remote work and evolving supply chains. Today, nearly 25% of modern attacks start at unmanaged hosts such as contractor laptops — parts of the supply chain where organizations often lack direct control over endpoints. 

Download the CrowdStrike ebook, “Stay One Step Ahead of Identity Thieves.”

Legacy endpoint solutions primarily look for malicious code execution to detect attacks and are unable to detect or stop identity-based threats when the adversary uses valid credentials. Many organizations either don’t have the means to stop identity-based attacks or struggle with multiple point solutions for endpoint and identity security that drive cost and complexity while slowing down response times. 

Read on to learn how unifying endpoint and identity security under the CrowdStrike Falcon® platform can help you stop modern attacks.

Case Study: Land O’Lakes 

Land O’Lakes is an American agricultural cooperative with 9,000 employees and manufacturing operations spanning 60 countries. In the words of Dan Oase, Land O’Lakes Director of Cybersecurity, “That’s a lot of identities to secure.” 

Oase spoke on stage at Fal.Con 2023 about how the company uses CrowdStrike for identity protection: “We think of identities in terms of creating identities, managing identities and securing identities … We use Falcon Identity Protection to safeguard our Active Directory and complement our IAM.”

Watch the Fal.Con 2023 session, “Stop Modern Attacks: Extending Endpoint Security with Identity Protection,” featuring Land O’Lakes.

Oase emphasized the importance of speed, citing how cracking an 8-figure password used to take years; now it takes only minutes, thanks in part to advancements in AI. With adversaries getting faster, Land O’Lakes relies on a full suite of Falcon platform modules — including CrowdStrike Falcon® Insight XDR for endpoint detection and response and Falcon Identity Protection — to outpace modern attacks and stop breaches.

“CrowdStrike provides the ‘easy button’ to add identity protection via a single agent and unified platform covering endpoint and identity. This translates into immense value to us as a customer in terms of faster responses, lower costs and better security outcomes,” said Oase.

Oase shared how Falcon Identity Protection delivers real value for Land O’Lakes, compared to before CrowdStrike:

  • 92% faster at investigating and responding to identity-related attacks and anomalies
  • 90% less time spent manually auditing identity hygiene
  • 85% less time prioritizing vulnerabilities
  • 80% reduction in accounts with excessive permissions
  • Consistent removal of stale accounts
  • Immediate and automated response to compromised passwords

As a cybersecurity veteran who has built world-class security operations at several companies, Oase went deep into the technical aspects of the Falcon identity deployment, covering continuous monitoring, privileged accounts, conditional access policies and other topics. If you’re a security practitioner looking for identity best practices, watch the Fal.Con 2023 session.

Making the Case for Unified Endpoint and Identity Security

Identity-related attacks are a serious and growing problem. Consider the numbers:  

  • Over 80% of cyber incidents in 2021 involved the misuse of valid credentials to access an organization’s network, as revealed in the CrowdStrike 2022 Global Threat Report.
  • Kerberoasting attacks, a form of identity-based threat, increased an alarming 583% year-over-year, according to the CrowdStrike 2023 Threat Hunting Report.
  • The same report reveals a 147% increase in access broker advertisements, which often sell compromised credentials, on the dark web.
  • 90% of Fortune 1000 companies rely on Microsoft Active Directory (AD) despite its constant flow of vulnerabilities. 
  • Microsoft AD is a top target due to the access and information it holds. One survey found 50% of organizations have experienced an AD attack in the last couple of years, and 40% of those attacks were successful.

If you’re one of the nearly 75,000 organizations that use AD, combining endpoint and identity security under a single platform can help you stop breaches by providing comprehensive defense against adversaries seeking privileged company data. 

How the Falcon Platform Strengthens Defense

CrowdStrike delivers its market-leading endpoint and identity protection from the AI-native Falcon platform, which uses one lightweight agent to provide:

Comprehensive visibility

CrowdStrike Falcon® Identity Protection offers complete visibility into AD and cloud-based identity solutions, such as Microsoft Entra ID (formerly Azure Active Directory). The Falcon platform uses data collected from on-premises and cloud user directories to create a baseline for normal user behavior and detect anomalous activity across endpoints and identities, eliminating the security gaps created by siloed security tools.

Real-time protection

By deploying CrowdStrike endpoint and identity security solutions together, you can block malicious authentication at the AD level and stop adversaries from gaining access, regardless of whether the endpoint is managed. 

Risk-based response

Falcon Identity Protection continuously monitors user behavior and context based on both identity and endpoint telemetry to compute risk scores, which allows it to dynamically enforce multifactor authentication when the risk level has increased, providing an extra layer of security.

Single Agent, Unified Platform 

These capabilities are difficult to achieve with standalone tools. Organizations are looking to replace point solutions with a unified cybersecurity platform to eliminate gaps between endpoints, identity and cloud workloads, while reducing the number of agents they manage.

CrowdStrike endpoint customers can easily deploy Falcon Identity Protection with no deployment overhead. Simply enable the platform module, and the Falcon sensor immediately starts defending against identity-based attacks.

The Falcon platform is the only adversary-focused AI-powered security platform that brings together endpoint and identity telemetry and correlates it with threat intelligence and the latest adversary tradecraft. This unified platform approach not only provides better and faster detections with full attack-path visibility, it allows you to automate policy-based responses and eliminate manual correlation of threats, thereby improving SOC efficiency.

[Figure: CrowdStrike endpoint and identity security solutions offer complete coverage of MITRE TTPs]

The graphic above shows how CrowdStrike’s unified approach to endpoint and identity security fares against MITRE ATT&CK® tactics, techniques and procedures (TTPs). As a market leader in endpoint detection and response (EDR), CrowdStrike has long protected customers from execution, command and control, exfiltration and more. By adding Falcon Identity Protection to their endpoint deployment, customers can benefit from full protection against adversary tactics that leverage valid accounts, such as initial access, lateral movement and privilege escalation.

Put simply: CrowdStrike customers of endpoint and identity security can receive the strongest coverage against adversary TTPs from a single, unified platform.

Get Started with Falcon Identity Protection

Today’s attackers use legitimate credentials to bypass endpoint security solutions. By unifying endpoint and identity security on the Falcon platform, organizations can get robust protections against identity-related attacks, while realizing the other benefits of cybersecurity consolidation.

Get started with Falcon Identity Protection using our complimentary Active Directory Risk Review. In this one-on-one session, a CrowdStrike identity expert will delve into your AD hygiene, expose compromised passwords and over-privileged accounts, and share best practices to help you stop identity-related attacks.

CrowdStrike Extends Identity Security Capabilities to Stop Attacks in the Cloud

10 April 2024 at 17:00

Two recent Microsoft breaches underscore the growing problem of cloud identity attacks and why it’s critical to stop them. 

While Microsoft Active Directory (AD) remains a prime target for attackers, cloud identity stores such as Microsoft Entra ID are also a target of opportunity. The reason is simple: Threat actors increasingly seek to mimic legitimate users in the target system. They can just as easily abuse identities from cloud identity providers as they can in on-premises AD environments.

Identity providers and Zero Trust network access solutions offer some capabilities to prevent cloud identity attacks — however, they often lack visibility across the identity landscape spanning on-premises and cloud identity providers, creating gaps that adversaries can exploit.

This blog shares how the failure to secure cloud identities can result in a breach and how recently released innovations in CrowdStrike Falcon® Identity Protection can stop identity attacks in the cloud.

Get a free CrowdStrike Identity Security Risk Review to get instant visibility into your current Microsoft Entra ID, Active Directory and Okta environments.

CSRB Report Shows the Importance of Identity Security

The Summer 2023 Microsoft breach deconstructed by the U.S. Cyber Safety Review Board (CSRB) in a recent landmark report of the incident shows why identity threat detection and response is critical. 

Last May, a nation-state adversary compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world. The threat actor accessed the accounts using authentication tokens signed by a key that Microsoft had created in 2016. “A single key’s reach can be enormous, and in this case the stolen key had extraordinary power,” said the CSRB. When combined with another flaw in Microsoft’s authentication system, the key allowed the adversary to gain full access to essentially any Exchange Online account anywhere in the world.

The CSRB found “this intrusion was preventable and should never have occurred” and offered several recommendations to ensure an intrusion of this magnitude doesn’t happen again. Two stood out:

  1. Cloud service providers should implement modern control mechanisms and baseline practices, informed by a rigorous threat model, across their digital identity and credential systems to substantially reduce the risk of system-level compromise.
  2. Cloud service providers should implement emerging digital identity standards to secure cloud services against prevailing threat vectors. Relevant standards bodies should refine, update, and incorporate these standards to address digital identity risks commonly exploited in the modern threat landscape.

While these CSRB recommendations are targeted toward cloud service providers (CSPs), given the Cloud Shared Responsibility Model, customers can’t rely solely on CSPs to stop breaches. Organizations need to lock down identities by layering in proactive identity protections across their hybrid identity environments. 

More recently, COZY BEAR, a Russia state-nexus adversary, conducted high-profile attacks on Microsoft’s corporate systems. This Microsoft breach involved common identity techniques like password spraying and credential scanning, and compromised corporate email accounts, including those of Microsoft’s senior leadership team.

What these two Microsoft identity breaches show is that adversaries are weaponizing identities. If you don’t have modern identity security, your organization may be at risk of a breach. 

New Identity Protections to Stop Breaches in the Cloud

CrowdStrike offers the industry’s only unified platform for identity threat protection and endpoint security, powered by rich threat intelligence and adversary tradecraft. Recent enhancements to CrowdStrike Falcon® Identity Protection help customers better protect against modern identity attacks in the cloud.

While individual IAM and identity-as-a-service (IDaaS) systems provide user authentication, they lack the visibility into hybrid lateral movement and intelligence about adversary tradecraft to detect identity attacks across cloud and on-premises environments. Falcon Identity Protection not only has direct visibility into AD through the lightweight Falcon sensor, it also has pre-configured IDaaS connectors that give customers direct visibility into identity activity across cloud identity providers such as Entra ID and Okta. 

By correlating context from the authentication event, Falcon Identity Protection can detect if a user’s web-authenticated session is maliciously hijacked or other malicious web-based activity has occurred. The solution also provides workflows to take direct action, such as disabling an account, revoking a session and refreshing tokens, and updating the access policy in Entra ID to stop the attack. 

IAM and IDaaS systems are not only blind to cloud identity attacks, but due to their siloed nature they also lack the ability to deliver response actions to stop the adversary in a different cloud identity provider. As an IAM vendor-agnostic solution, Falcon Identity Protection spans multiple cloud identity providers to comprehensively stop adversaries.  

Customers can now defend against sophisticated identity-based threats with CrowdStrike Falcon® Adversary OverWatch’s new identity threat hunting capability. This 24/7 managed service, powered by AI and human expertise, utilizes telemetry from Falcon Identity Protection to disrupt adversaries across endpoint, identity and cloud. 

Take a Free Identity Security Risk Review 

Curious about your identity security posture? CrowdStrike’s complimentary Identity Security Risk Review provides a 1:1 session with a CrowdStrike identity threat expert to help you evaluate your hybrid identity security posture and uncover any potential risks. 

The risk review can be completed quickly and gives you:

  • Instant visibility into the identity security posture across your hybrid identity environment
  • Deep insights into possible attack paths that adversaries can exploit, and expert advice on how to address them
  • An understanding of how to protect your organization from modern identity-based attacks like ransomware, account takeover, hybrid lateral movement and Pass-the-Hash
