CrowdStrike Automates Vulnerability Remediation Processes While Enhancing SecOps Visibility

Falcon Fusion and Falcon Spotlight accelerate vulnerability response and offer greater visibility across platforms

Adversaries are becoming more adept and sophisticated in their attacks. Taking advantage of vulnerabilities present in major software is often an attractive entry point for establishing a campaign within an enterprise environment. The CrowdStrike 2022 Global Threat Report highlights how adversaries continue to shift tradecraft and weaponize vulnerabilities to evade detection and gain access to critical applications and infrastructure. 

For security teams, stopping vulnerability exploitations is an uphill battle. According to the National Institute of Standards and Technology (NIST), more than 18,000 vulnerabilities were reported in 2021, of which more than 3,600 were rated as “high severity.” To stay ahead of the adversary, security teams need comprehensive visibility across their environment to understand where vulnerabilities exist. They also need a better way to efficiently prioritize and remediate the vulnerabilities that cause the most risk. 

To become more effective at spotting key weaknesses and vulnerabilities in their environments, SecOps teams must be as sophisticated as the adversaries they face. This requires solutions that offer comprehensive coverage to see everything within their systems, and tools to quickly pinpoint issues that pose immediate risk. Because the number of attacks is growing, staff can’t immediately see and patch everything. The volume is too great, underscoring the need for solutions that offer some relief for teams that are constantly remediating against the clock. 

The CrowdStrike Falcon® platform, together with Falcon Fusion™ — an integrated cloud-scale framework for IT and security workflow orchestration and automation — creates a powerful set of capabilities to keep organizations ahead of adversaries. Within the SecOps suite of products, CrowdStrike Falcon® Spotlight™ scanless vulnerability management harnesses Falcon Fusion to enable automated remediation workflows with two new, dynamic integrations through ServiceNow and Jira. Additionally, CrowdStrike’s suite of SecOps products has expanded across all major platforms to offer greater visibility.

Falcon Spotlight Integrations Enable Orchestrated Remediation Workflows 

Falcon Spotlight enables even greater efficiency with Falcon Fusion through dynamic integrations via ServiceNow and Jira, enabling customers to automate processes and reduce remediation time with a ticketing workflow that can be created from within Falcon Spotlight. 

Vulnerability remediation processes are then automated and orchestrated to increase efficiencies for the Falcon Spotlight user and the team tasked with remediating vulnerabilities. Once the customer creates the conditions through a Falcon Fusion workflow, the remediation process is continued either through ServiceNow or Jira. Since these integrations are dynamic, they provide even greater flexibility for security teams — the progress on remediation around a vulnerability, or group of related vulnerabilities, can be monitored directly through Spotlight. Reporting coverage is also included to simplify the resolution processes after a vulnerability has been successfully resolved.

How Falcon Fusion and Falcon Spotlight Streamline Remediation

Natively integrated into the Falcon platform, Falcon Fusion leverages the power of the CrowdStrike Security Cloud to orchestrate and automate any complex workflow. Falcon Fusion improves SOC and IT team efficiency and agility by enabling them to build real-time active response and notification capabilities with customizable triggers based on detection and incident categorizations. Falcon Fusion also dramatically reduces alert fatigue and frees up resources so analysts can focus on other critical and strategic tasks. With the Falcon Fusion framework, security teams gain the ability to create and set automated workflows based on triggers and conditions within a convenient if/then structure.

(Click to enlarge)

While Falcon Fusion has many use case applications around investigation, hunting and recovery, it’s especially useful in conjunction with Falcon Spotlight for vulnerability remediation processes. 

Watch the following overview to see how the Falcon Fusion and Falcon Spotlight work to kick off a remediation workflow through ServiceNow.

Falcon Spotlight and Falcon Fusion Orchestration Demo

Let’s examine how Falcon Spotlight and Falcon Fusion create more efficiencies for IT staff. 

Scenario: Using Falcon Fusion’s category-setting functionality, a team can kick off a workflow from Falcon Spotlight and capitalize on if/then logic to conduct a remediation process that can move from Falcon Spotlight to a third-party integration, all automatically. Falcon Fusion can specifically target conditions based on vulnerability metrics such as Falcon Spotlight’s Expert Prediction Rating Artificial Intelligence (ExPRT.AI) rating. From here, a team can:

  • Establish remediation triggers based on the most critical ExPRT.AI rating for vulnerabilities relevant to their organization.
  • Create an action or series of actions on what or how the vulnerability or sets of vulnerabilities should be handled.
  • Initiate a workflow to be handled in a third-party integration such as ServiceNow or Jira.
  • Offer relevant details around actions performed in the integration within the Spotlight console. 

This framework gives security teams the ability to create and set automated workflows based on the triggers and conditions using a simple if/then structure. For example, if the trigger was based on Falcon Spotlight’s ExPRT.AI rating, the established workflow would be automatically initiated for a team to conduct remediation processes until that vulnerability or group of vulnerabilities is patched or otherwise mitigated. 

Increased SecOps Coverage Enhances Overall Visibility 

In addition to the automation workflows and integrations, CrowdStrike’s collection of SecOps products have broadened platform coverage to ensure maximum visibility across an organization’s environments and to enhance cross-platform protection. Falcon Spotlight now supports macOS in addition to existing Windows and Linux coverage, while Falcon FileVantage™ file integrity monitoring extends support to Linux operating systems and Falcon Forensics™ now supports both macOS and Linux. Organizations with multi-platform environments can now have complete coverage from the same security vendor.

The Bottom Line for Security Operations Staff

Adversaries capitalize on weaknesses and vulnerabilities to gain access to an organization’s systems and software; it’s up to security staff to pinpoint which ones are most relevant to their enterprise and establish a remediation plan as quickly as possible. Fortunately, with the CrowdStrike Falcon® platform and SecOps products, vulnerability management, visibility and IT hygiene, file integrity monitoring and forensic investigation can be simple and efficient. 

Through the use of Falcon Spotlight integrations and coverage and Falcon Fusion, staff can orchestrate remediation workflows that are targeted and effective against highly relevant vulnerabilities affecting their systems. The first step in strong security posture is to have systems protected against any kind of exploitation, and with the Falcon suite of SecOps products, IT teams are equipped to protect against threats. 

See how Falcon Spotlight works in action — start a free trial in conjunction with Falcon Insight™ endpoint detection and response to experience for yourself the power of Falcon Fusion’s framework and streamlined vulnerability remediation. 

Additional Resources 

Related Content