9 Ways a CISO Uses CrowdStrike for Identity Threat Protection

Identity isn’t a security problem — it’s the security problem. 

This was the takeaway from my recent meeting with a local government CISO in the Washington, D.C. area. Tasked with protecting infrastructure, including the fire and police departments, the CISO turned to CrowdStrike a year ago for endpoint and identity protection.

The CISO outlined the main challenge his team faced: the managed detection and response (MDR) solution in use at the time was unable to keep up with modern security demands. The tool didn’t deliver the speed or fidelity he needed. Nor did it provide remediation, leading to long delays between when the tool sent data to the management console and when his thinly stretched security team could investigate and triage alerts.

CrowdStrike Falcon® Complete solved these problems by providing a bundle of Falcon modules on AWS GovCloud, complete with a virtual team of experts to administer the technology and quickly eliminate threats.

“There’s a complete difference between our previous MDR and CrowdStrike Falcon Complete. One gives me work to do. The other tells me the work is done.” –CISO, A county in the Washington, D.C. area

Identity Is the New Perimeter

Of everything the CISO shared, it was the identity piece that really stood out to me. According to the CrowdStrike 2022 Global Threat Report, nearly 80% of cyberattacks leveraged compromised credentials — a trend the county sees regularly, he said. 

With Falcon Complete, the CISO gets CrowdStrike Falcon® Identity Threat Protection to stop identity-based attacks, both through services performed by CrowdStrike and via work done by his security operations center (SOC) team.

Check out this live attack and defend demo by the Falcon Complete team to see Falcon Identity Threat Protection in action.

Below are nine use cases for the identity protection capability, in his own words.

1. We receive executive-level key metrics on identity risks. Falcon Identity Threat Protection provides us immediate value with real-time metrics on total compromised passwords, stale accounts and privileged accounts. As these numbers decrease, our risk and expenditures drop as well, allowing us to prove the value of our cybersecurity investments to stakeholders.

2. We get powerful policies and analytics. Falcon Identity Threat Protection helped us move away from reactive, once-a-year privileged account analysis to proactive real-time analysis of all of our identities, including protocol usage such as Remote Desktop Protocol (RDP) to DCs/critical servers. Many attacks leverage compromised stale accounts, and with Falcon Identity Threat Protection we can monitor and be alerted to stale accounts that become active.

3. We can stop malicious authentications. With Falcon Identity Threat Protection, we can enforce frictionless, risk-based multifactor authentication (MFA) when a privileged user remotely connects to a server — stopping adversaries trying to move laterally. Additionally, we can define policies to reset passwords or block/challenge an authentication from stale or high-risk accounts.

“I’ve bought a lot of cyber tools. My analysts unanimously thanked me the day we bought CrowdStrike.”

4. We can alert system admins to critical issues. Adversaries often target critical accounts. Instead of simply alerting the security team, Falcon Identity Threat Protection allows us to flag critical accounts with specific policies and alerts that can be sent directly to the account owner. For example, the owner of a critical admin account for our organization’s financial systems can be alerted to anomalous behavior around that account, eliminating the need for the security team to reach out to her for every alert.

5. We can investigate behavior and hygiene issues. When reviewing RDP sessions from the last 24 hours, we noticed a former employee, Steve Smith (names changed), remotely accessing a server in our environment from Jane Doe’s computer. Upon investigation, we found Jane Doe was legitimately using Steve Smith’s credentials to perform business functions that Steve was no longer around to perform. We immediately tied Jane’s account to Steve’s to trigger MFA for any authentication. We also reviewed Steve’s permissions and noticed he had extensive local administrator privileges to over 600 computers, which we were able to remove instantly.

6. We can eliminate attack paths to critical accounts. It takes only one user’s credentials to compromise your organization. In previous phishing campaigns that asked users to reset their passwords, 7% of our employees entered their username and password into a fake Microsoft login screen. Falcon Identity Threat Protection shows us how one username and password dump from a single machine can lead to the compromise of a highly privileged account, allowing for full, unfettered access to an enterprise network. We now have the ability to visualize how a low-level account compromise can lead to a full-scale breach.

“Within two hours of deploying Falcon Identity Threat Protection, we identified 10 privileged accounts with compromised passwords and began resetting them immediately.”

7. We gain awareness of AD incidents. With Falcon Identity Threat Protection, we can now see credential scanning and password attacks on all of our external-facing systems that link to our Microsoft AD and Azure AD logins.

8. We can verify if lockouts are actually malicious. Every day, we face a handful of account lockouts, mostly due to users forgetting their passwords or a system that continues to authenticate after the user has reset their password. With Falcon Identity Threat Protection, we can see all account lockouts and failed authentications, allowing us to immediately understand why a lockout occurred and if malicious activity was involved.

9. We can correlate endpoint and identity activity. Once an alert fires off regarding a potentially misused identity, such as a stale account becoming active after 90+ days of inactivity, we can correlate this information with endpoint-related detections. We simply grab the hostname where the stale account became active, pivot to CrowdStrike Falcon® Insight XDR, and look for malicious activity and detections on a specific machine. Likewise, if a machine becomes infected, we can use Falcon Identity Threat Protection to investigate who has access to that machine and whether their behavior is normal. This integration is not only unique but essential with identity-based attacks.

“CrowdStrike not only revolutionized the way our SOC operates, it changed the way I sleep at night.”

CrowdStrike for Identity Threat Protection

Identity has become the security issue of our time. In speaking with this CISO and hundreds like him, it’s clear that Falcon Identity Threat Protection is an outstanding product that delivers real results for our customers.

Schedule your free Active Directory risk review from CrowdStrike

Only CrowdStrike provides an integrated approach to endpoint and identity security that gives you:

  • A single unified sensor
  • A single unified platform
  • A standard detections interface
  • Tight correlation across endpoints and identity
  • Real-time automated response
  • A fully managed option

Additional Resources

Related Content