How to Operationalize Falcon Horizon
November 7, 2021 | Rachel Scobey | Tech Center
Cloud Security Posture Management (CSPM) products help companies monitor for various human errors, misconfigurations and malicious behaviors across public cloud environments. To maximize the value of any CSPM solution, the findings need to be consumable, actionable and incorporated into daily operations.
CrowdStrike’s CSPM solution, Falcon Horizon, includes easy-to-read dashboards that deliver visibility and policy-based assessment of multi-cloud deployments. On the left side, the dashboard reports configuration-based findings. On the right side, the findings are based on indicators of attack or behavioral policies.
For each cloud provider, CrowdStrike offers a comprehensive list of policies for various services along with supporting documentation to help companies define, measure and achieve security compliance. As an example, Falcon Horizon includes a number of policies for the AWS Identity and Access Management (IAM) service. In addition to compliance-driven policies, CrowdStrike includes a few policies designed to enforce the use of complex passwords.
For each policy, the supporting details include service subtype, description and steps for remediation.
In addition to assessments and documentation, CrowdStrike supports notification workflows to facilitate operationalized cloud security. From the Falcon menu, workflows are accessible under “Configuration”.
The “Create a workflow” option will present all of the available categories.
By choosing “Cloud Security”, the workflow is automatically associated with the assessment findings.
The next step is to “Add conditions” that should trigger the workflow.
The menus include a number of variables and operations to ensure flexibility and satisfy any number of use cases. In this example, the cloud service should equal IAM. Additional conditions are then added for each of the four password complexity policy statements: the use of symbols, uppercase letters, lowercase letters, and numbers. This workflow will trigger an alert for any IAM password policy that does not require any of these specifications.
With the conditions defined, the next step is to select a notification action. This workflow will send an email that includes the findings to the level one response team with the subject “Simple Password” anytime all of the conditions are met. Finally, the workflow can be named and assigned a detailed description. This is just one example of how notifications can be used to ensure action is taken to resolve specific CSPM findings.
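The trigger logic of this workflow can be reproduced outside the console to spot-check an account. The following is an added example, not CrowdStrike code: it assumes the four conditions are combined with AND, and it reads JSON shaped like the output of `aws iam get-account-password-policy`. The account IDs and policy documents are constructed sample data.

```python
import json

# The four complexity flags in the AWS IAM GetAccountPasswordPolicy response.
COMPLEXITY_FLAGS = {
    "RequireSymbols": "symbols",
    "RequireUppercaseCharacters": "uppercase letters",
    "RequireLowercaseCharacters": "lowercase letters",
    "RequireNumbers": "numbers",
}

# Constructed sample input (not real accounts), one policy document per account.
SAMPLES = {
    "111111111111": '{"PasswordPolicy": {"MinimumPasswordLength": 8,'
                    ' "RequireSymbols": false, "RequireNumbers": false,'
                    ' "RequireUppercaseCharacters": false,'
                    ' "RequireLowercaseCharacters": false}}',
    "222222222222": '{"PasswordPolicy": {"MinimumPasswordLength": 14,'
                    ' "RequireSymbols": true, "RequireNumbers": true,'
                    ' "RequireUppercaseCharacters": true,'
                    ' "RequireLowercaseCharacters": true}}',
    # Partially weak: only numbers required, RequireSymbols key absent.
    "333333333333": '{"PasswordPolicy": {"RequireNumbers": true,'
                    ' "RequireUppercaseCharacters": false,'
                    ' "RequireLowercaseCharacters": false}}',
}

def missing_requirements(policy_doc):
    """Return the character classes the password policy does not require."""
    policy = policy_doc.get("PasswordPolicy", {})
    # An absent flag is treated the same as an explicit false.
    return [label for flag, label in COMPLEXITY_FLAGS.items()
            if policy.get(flag) is not True]

def evaluate(account_id, policy_doc):
    """Assumed AND semantics: notify only when all four conditions match."""
    missing = missing_requirements(policy_doc)
    notify = len(missing) == len(COMPLEXITY_FLAGS)
    return {"account": account_id, "notify": notify,
            "subject": "Simple Password" if notify else None,
            "missing": missing}

def run(samples):
    return [evaluate(acct, json.loads(raw)) for acct, raw in samples.items()]

if __name__ == "__main__":
    for result in run(SAMPLES):
        print(result)
```

The third sample shows the gap an AND-only trigger leaves: a policy that requires a single character class does not notify, so a second workflow or a review of the `missing` list is needed to catch partially weak policies.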
The use of public cloud infrastructure increases an organization’s attack surface as well as risk around human error, misconfigurations and compliance issues. Falcon Horizon not only provides multi-cloud visibility and assessment, but also helps organizations operationalize cloud security with dashboards, granular policy options, recommended remediation steps and notification workflows.