New CrowdStrike Store Apps Secure Hybrid Workforces
The impact of the ongoing global pandemic, which has resulted in organizations having to quickly transition their employees to working remotely, has not deterred cyber adversaries — in fact, it has emboldened them. CrowdStrike has observed both nation-state and eCrime actors launching phishing campaigns that use pandemic-based lures to deliver ransomware and other threats. As organizations transition to hybrid models — some workers in an office and some at home — we expect to see adversaries continue to leverage this crisis to their advantage. These new CrowdStrike Store apps provide use cases that solve specific issues for organizations and strengthen their security postures. The following offers details on these apps:
Use Case: Blocking Lateral Movement
With the 2020 CrowdStrike Global Threat Report breakout times as a backdrop, we can see how global attacks such as WannaCry and NotPetya targeted a Server Message Block (SMB) vulnerability to spread among endpoints. (Breakout time is the time it takes for an intruder to begin moving laterally from the initial beachhead to other systems in the network.) Another infamous malware family, TrickBot, also exploits SMB to propagate and drop ransomware such as Ryuk. Note that SMB lets endpoints on the same network connect directly to one another and share files.
Often we see attackers take more time with targeted attacks that move laterally as they “live off the land” and go after critical assets. The attackers behind Maze exploited Remote Desktop Protocol (RDP) as part of their lateral movement. Lateral movement is what can turn an isolated incident on a single endpoint into a large-scale attack, particularly if new ransomware has yet to be detected. Stopping an attacker’s lateral movement has become fundamental to a defender’s job, to such an extent that it is a key attacker technique laid out in the MITRE ATT&CK® framework.
Illumio Edge for CrowdStrike stops ransomware propagation and attacker lateral movement by segmenting every endpoint so that each one gains threat containment by default, for an even stronger enterprise security posture. This ensures that if an incident occurs, the first compromised endpoint is the last compromised endpoint. This capability is delivered seamlessly through the Falcon agent, with nothing additional to deploy.
Illumio Edge arms endpoints with a default-deny/allowlist security posture that blocks all inbound endpoint communications except the essential traffic needed for business. This vastly reduces the risk of ransomware or other malware spreading laterally between endpoints. This is attack surface reduction in its truest sense, bringing complete endpoint segmentation with Illumio’s easy policy creation that threads the needle between preventing lateral movement and maintaining business productivity.
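The default-deny/allowlist posture described above can be illustrated with a small host-level policy evaluator. The following is an added example written for this article; it is not Illumio's or CrowdStrike's code, and the subnets, ports and connection attempts are constructed. It evaluates the same inbound attempts under a default-allow posture and under a default-deny posture with an allowlist of business-essential flows, showing that peer-to-peer SMB and RDP (the paths used by WannaCry, NotPetya, TrickBot and Maze) are blocked while access from the file server subnet and a designated jump host still works.

```python
"""Inbound endpoint segmentation policy: default-allow vs default-deny/allowlist.

Added example, not vendor code. Every address, port and attempt below is
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Attempt:
    """One inbound connection attempt observed at a workstation."""
    label: str      # short name used in results
    src: str        # source IP of the peer trying to connect
    proto: str      # "tcp" or "udp"
    dst_port: int   # destination port on the protected endpoint


# Allowlist of essential inbound flows (constructed). Each entry is
# (source network permitted to connect, protocol, destination port).
ALLOWLIST = [
    (ip_network("10.0.5.0/24"), "tcp", 445),    # file server subnet -> SMB
    (ip_network("10.0.9.10/32"), "tcp", 3389),  # single admin jump host -> RDP
    (ip_network("10.0.9.0/24"), "tcp", 5985),   # management subnet -> WinRM
]

# Ports commonly abused for endpoint-to-endpoint lateral movement.
LATERAL_MOVEMENT_PORTS = {445, 3389, 135, 5985}

# Constructed inbound attempts against one workstation on 10.0.20.0/24.
ATTEMPTS = [
    Attempt("fileserver-smb", "10.0.5.12", "tcp", 445),     # legitimate file share
    Attempt("jumphost-rdp", "10.0.9.10", "tcp", 3389),      # legitimate admin RDP
    Attempt("peer-smb", "10.0.20.33", "tcp", 445),          # workstation -> workstation SMB
    Attempt("peer-rdp", "10.0.20.41", "tcp", 3389),         # workstation -> workstation RDP
    Attempt("peer-rpc", "10.0.20.41", "tcp", 135),          # workstation -> workstation RPC
    Attempt("mgmt-winrm", "10.0.9.77", "tcp", 5985),        # management subnet WinRM
]


def matches_allowlist(attempt: Attempt) -> bool:
    """True if some allowlist entry covers this source, protocol and port."""
    src = ip_address(attempt.src)
    return any(
        src in net and attempt.proto == proto and attempt.dst_port == port
        for net, proto, port in ALLOWLIST
    )


def decide(attempt: Attempt, default_deny: bool) -> str:
    """Return 'allow' or 'block' for one attempt under the chosen posture.

    With default_deny=False the allowlist is irrelevant: everything gets in.
    With default_deny=True only allowlisted flows are admitted.
    """
    if matches_allowlist(attempt):
        return "allow"
    return "block" if default_deny else "allow"


def evaluate(attempts, default_deny: bool) -> dict:
    """Map each attempt label to its decision under the given posture."""
    return {a.label: decide(a, default_deny) for a in attempts}


def blocked_lateral_paths(attempts, default_deny: bool) -> int:
    """Count attempts on lateral-movement ports that the posture blocks."""
    return sum(
        1 for a in attempts
        if a.dst_port in LATERAL_MOVEMENT_PORTS
        and decide(a, default_deny) == "block"
    )


if __name__ == "__main__":
    for posture in (False, True):
        name = "default-deny/allowlist" if posture else "default-allow"
        print(f"{name}: {evaluate(ATTEMPTS, posture)}")
        print(f"  lateral-movement paths blocked: {blocked_lateral_paths(ATTEMPTS, posture)}")
```

The key property is that the allowlist is expressed in terms of who needs to reach the endpoint (file server subnet, one jump host, the management subnet) rather than which ports are "dangerous": under default-allow none of the six attempts is blocked, whereas under default-deny the three peer-to-peer attempts are blocked and the three business flows still succeed. Building the allowlist from observed legitimate traffic before switching the default is what keeps productivity intact.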
Use Case: Unified Visibility and Security for SaaS Apps
SaaS adoption continues to show tremendous growth, and in many categories it has already surpassed on-premises deployment options. While SaaS delivers exceptional business value, security teams are struggling to safely enable its use across their hybrid workforces without compromising business productivity. Each SaaS application comes with a unique set of security configurations and controls, which makes it hard for security teams to ensure that every application has been set up without exposing data, credentials and sensitive user information. In addition, security teams require consolidated, continuous visibility into what users have access to and what they are doing in both SaaS applications and endpoints.
Obsidian delivers the industry’s first cloud detection and response (CDR) solution. The Obsidian solution integrates with the Falcon platform to deliver frictionless security for SaaS applications and endpoints. This integration helps security teams uncover, investigate and respond to breaches and insider threats quickly, without slowing down business operations. Security teams can seamlessly receive data about user access, privileges and activity in SaaS applications, and correlate that with rich endpoint telemetry from CrowdStrike endpoints for increased visibility and protection.
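One concrete form the correlation described above can take is checking each SaaS access event against endpoint telemetry for the same user: if a user's SaaS login came from a public IP that no managed endpoint of theirs was seen on around that time, the session is worth an analyst's attention (stolen credentials, an unmanaged device, or an attacker working from their own infrastructure). The example below is added for this article and is not Obsidian's or CrowdStrike's code; the event records, their field names and the time window are constructed assumptions, not the schema of either product.

```python
"""Correlate SaaS access events with managed-endpoint telemetry by user.

Added example, not vendor code. Event records and field names are
constructed for illustration and do not reflect any real product schema.
"""
from datetime import datetime, timedelta

# Constructed SaaS audit events: who did what, from which public IP, when.
SAAS_EVENTS = [
    {"user": "alice", "src_ip": "203.0.113.7", "ts": "2020-06-01T09:02:00", "action": "login"},
    {"user": "alice", "src_ip": "203.0.113.7", "ts": "2020-06-01T09:20:00", "action": "download"},
    {"user": "bob", "src_ip": "198.51.100.4", "ts": "2020-06-01T09:10:00", "action": "login"},
    {"user": "bob", "src_ip": "198.51.100.4", "ts": "2020-06-01T09:11:00", "action": "share_external"},
    {"user": "carol", "src_ip": "192.0.2.50", "ts": "2020-06-01T13:00:00", "action": "login"},
]

# Constructed endpoint telemetry: a managed device, its logged-on user and
# the public IP it was using when the sensor checked in.
ENDPOINT_EVENTS = [
    {"user": "alice", "host": "LT-ALICE", "public_ip": "203.0.113.7", "ts": "2020-06-01T08:58:00"},
    {"user": "bob", "host": "LT-BOB", "public_ip": "198.51.100.90", "ts": "2020-06-01T09:05:00"},
    {"user": "carol", "host": "LT-CAROL", "public_ip": "192.0.2.50", "ts": "2020-06-01T08:30:00"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def has_managed_endpoint(saas_event: dict, endpoint_events, window: timedelta) -> bool:
    """True if a managed endpoint for this user was seen on the SaaS source IP
    within +/- window of the SaaS event."""
    t = _parse(saas_event["ts"])
    return any(
        ep["user"] == saas_event["user"]
        and ep["public_ip"] == saas_event["src_ip"]
        and abs(_parse(ep["ts"]) - t) <= window
        for ep in endpoint_events
    )


def unmanaged_saas_access(saas_events, endpoint_events, window=timedelta(minutes=30)) -> list:
    """Return SaaS events with no corroborating managed-endpoint activity.

    Each hit records why it was flagged so an analyst can triage quickly.
    """
    flagged = []
    for ev in saas_events:
        if not has_managed_endpoint(ev, endpoint_events, window):
            flagged.append({**ev, "reason": "no managed endpoint for user on src_ip within window"})
    return flagged


def flagged_users(saas_events, endpoint_events, window=timedelta(minutes=30)) -> set:
    """Distinct users with at least one unmanaged SaaS access."""
    return {ev["user"] for ev in unmanaged_saas_access(saas_events, endpoint_events, window)}


if __name__ == "__main__":
    for hit in unmanaged_saas_access(SAAS_EVENTS, ENDPOINT_EVENTS):
        print(hit)
```

On the constructed data, alice's events are corroborated by her laptop checking in from the same public IP four minutes earlier; bob's login and external share come from an IP his managed device was never seen on, so both are flagged; carol's login from her known IP is flagged only because the endpoint check-in is more than 30 minutes old, which shows why the window is a tuning parameter rather than a fixed constant. Widening the window to several hours clears carol and leaves bob as the only user to investigate.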