Users and applications are moving to the cloud and putting a strain on legacy “castle-and-moat” network security. Legacy security models weren’t designed for today’s environments and threats, and don’t provide adequate monitoring, protection, or scale in a cloud and mobile-first world: You can’t enforce perimeter-dependent security when cloud-based apps and data reside outside the “castle moat.”
The new cloud-first, remote-enabled, device-agnostic way of working, however, demands a new security model. CrowdStrike and Zscaler have partnered to enhance end-to-end visibility and to automate detection and remediation across both platforms. CrowdStrike and Zscaler are cloud-native security services that provide uniform security enforcement for all users, applications, and endpoints, regardless of location. Together they enable a better user experience and stronger security. Their integration reduces threat dwell time and enables security professionals to do more, faster.
This article demonstrates how to integrate ZIA with CrowdStrike to provide zero-day threat detection and endpoint data correlation for faster remediation.
To see how CrowdStrike integrates with Zscaler Private Access (ZPA), please refer to this blog.
Connecting ZIA and CrowdStrike APIs
ZIA delivers sandboxing services as part of a broader enterprise SASE architecture implementation.
Through API integration with CrowdStrike, a threat detected by the Zscaler sandbox is automatically correlated with CrowdStrike telemetry data. The Zscaler Sandbox report then shows any additional infected endpoints in your environment. Zscaler can also trigger a containment response from the CrowdStrike platform.
To begin integrating CrowdStrike with ZIA, make the API-level connection between Zscaler and CrowdStrike:
1. Log in to the Zscaler portal.
2. Select Administration, then Partner Integration.
3. On the Partner Integration page, select the CrowdStrike tab. You are required to enter CrowdStrike client information.
4. Switch to the CrowdStrike portal and log in.
5. Select API Clients and Keys.
6. Create a new API client with specific API scopes by selecting Add New API Client.
7. Once the new client is created, copy the Client ID and Secret.
8. To obtain the CrowdStrike Customer ID, select the User Details icon in the bottom left corner of the CrowdStrike portal.
9. Copy the Customer ID.
10. Return to the Zscaler portal and enter the Client ID, Secret, and Customer ID into the appropriate fields.
11. Select Save. This verifies API connectivity between Zscaler and CrowdStrike.
The Sandbox in Action
1. From the client PC, download a file or executable from the Internet.
Since Zscaler sits inline and enforces all customer-configured security policies, Zscaler checks against its security engines to determine whether the file or executable is benign or malicious.
2. If Zscaler’s security engines cannot obtain enough information to decide, then the file is detonated in the Zscaler cloud sandbox and the file verdict is derived from the actions it attempts in this isolated environment.
While sandbox detonation is in progress, the download itself can be blocked or allowed in parallel, according to customer policy. If the customer configured the latter, the file is allowed through and downloaded to the end host. Assuming the executable is a zero-day attack that CrowdStrike has not yet identified as malicious, execution of the file is allowed on the end host.
3. To review the Zscaler Sandbox assessment, select the Analytics tab, and then choose Web Insights.
4. Apply Sandbox as a filter, then from the dropdown menu select Sent for Analysis.
5. Switch to Logs at the top of the screen, then select Apply Filters.
6. In this example, the file was allowed per the applied policy, but it was sent to Zscaler’s Sandbox for further analysis and detonation.
7. At the end of the event entry, select View Sandbox Detail Report.
(Note: the displayed columns can be adjusted in Web Insights. Make sure that MD5 is selected for display.)
8. The Sandbox uses a scoring system to determine whether files are malicious; any score above 60 is suspect. In this example, the file has a threat score of 86 and is malicious.
9. To see which customer endpoints were affected, return to the Zscaler logs and choose View CrowdStrike Endpoint Hits.
10. CrowdStrike shows the malicious file was executed on three endpoints: one host downloaded the file via the Internet and the malware spread laterally to two other endpoints.
11. To quarantine the endpoints, select Contain. This cuts off network access from that host. Once quarantined, the endpoint can only talk to CrowdStrike's IP addresses or any other IPs specifically allow-listed in the customer's CrowdStrike policy settings.
12. The host's status changes to Contained.
Through just one UI screen, you can see which hosts are affected, view the timeline of the infections, and take containment action.
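As an added illustration (not Zscaler's or CrowdStrike's code, and calling no real API), the following Python script models the workflow above offline: the sandbox verdict from the threat score, MD5 correlation against endpoint execution events to produce the endpoint hits and the spread timeline, and the reachability rule a contained host is left with. All host names, hashes, timestamps and CIDR ranges are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

SUSPECT_THRESHOLD = 60  # Zscaler Sandbox: a threat score above 60 is suspect

@dataclass(frozen=True)
class SandboxReport:
    md5: str
    threat_score: int

@dataclass(frozen=True)
class ExecEvent:
    host: str
    md5: str
    ts: int      # constructed epoch seconds
    parent: str  # "internet" for the original download, else the host it spread from

def verdict(report):
    """Apply the page's scoring rule: anything above 60 is treated as malicious."""
    return "malicious" if report.threat_score > SUSPECT_THRESHOLD else "benign"

def endpoint_hits(report, events):
    """Hosts on which the sandboxed file (matched by MD5, case-insensitive) executed, earliest first."""
    md5 = report.md5.lower()
    return sorted((e for e in events if e.md5.lower() == md5), key=lambda e: e.ts)

def infection_timeline(report, events):
    """Label each hit as the initial download or as lateral spread from an earlier host."""
    timeline = []
    for e in endpoint_hits(report, events):
        how = "initial download" if e.parent == "internet" else f"lateral from {e.parent}"
        timeline.append((e.host, how))
    return timeline

def hosts_to_contain(report, events):
    """Only a malicious verdict yields containment candidates; a benign file yields none."""
    if verdict(report) != "malicious":
        return []
    return [host for host, _ in infection_timeline(report, events)]

def reachable_when_contained(dest_ip, allowed_cidrs):
    """A contained host may only reach CrowdStrike's ranges or customer allow-listed IPs."""
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)

# Constructed sample data (placeholder hashes, hosts and ranges; not from any real tenant).
REPORT = SandboxReport(md5="00112233445566778899aabbccddeeff", threat_score=86)
EVENTS = [
    ExecEvent("host-a", "00112233445566778899AABBCCDDEEFF", 100, "internet"),
    ExecEvent("host-b", "00112233445566778899aabbccddeeff", 220, "host-a"),
    ExecEvent("host-c", "00112233445566778899aabbccddeeff", 260, "host-a"),
    ExecEvent("host-d", "ffeeddccbbaa99887766554433221100", 300, "internet"),  # unrelated file
]
ALLOWED = ["198.51.100.0/24", "10.0.5.10/32"]  # placeholder CrowdStrike range + customer allow-list
```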
The integration of Zscaler and CrowdStrike provides the following security benefits:
- A fuller security picture, combining network visibility, threat detection, and advanced endpoint analytics.
- Reduced impact from advanced threats, by combining inline SSL inspection, firewall, web proxy, cloud sandboxing, CASB, and DLP protection with advanced endpoint protection and analytics.
Content provided by Jamie Chui and Rohan Upalekar of Zscaler